navidrome: refactor and add last.fm and spotify secrets

2024-11-22 07:53:55 -05:00 · 2024-06-10 15:37:28 -04:00 · 2024-06-10 15:37:28 -04:00 · c22d96fc6e
parent 261d5ac74b
commit c22d96fc6e
4 changed files with 74 additions and 11 deletions
--- a/nixosModules/containers/nixos/navidrome/default.nix
+++ b/nixosModules/containers/nixos/navidrome/default.nix
@ -24,14 +24,43 @@
  config = lib.mkIf config.alyraffauf.containers.nixos.navidrome.enable {
    # Spotify secrets aren't exactly safe, because they are world-readable in the nix store.
    # But they're reasonably disposable and hidden from the public git repo.
    age.secrets.lastFMApiKey.file = ../../../../secrets/lastFM/apiKey.age;
    age.secrets.lastFMSecret.file = ../../../../secrets/lastFM/secret.age;
    age.secrets.spotifyClientId.file = ../../../../secrets/spotify/clientId.age;
    age.secrets.spotifyClientSecret.file = ../../../../secrets/spotify/clientSecret.age;
-    containers.navidrome = {
+    containers.navidrome = let
      navidromeConfig = builtins.toFile "navidrome.json" ''
        {
          "Address": "0.0.0.0",
          "DefaultTheme": "Auto",
          "MusicFolder": "/Music",
          "Port": ${toString config.alyraffauf.containers.nixos.navidrome.port},
          "SubsonicArtistParticipations": true,
          "UIWelcomeMessage": "Welcome to Navidrome! Registrations are closed.",
          "Spotify.ID": "@spotifyClientId@",
          "Spotify.Secret": "@spotifyClientSecret@",
          "LastFM.Enabled": true,
          "LastFM.ApiKey": "@lastFMApiKey@",
          "LastFM.Secret": "@lastFMSecret@",
          "LastFM.Language": "en"
        }
      '';
    in {
      autoStart = true;
-      bindMounts."/Music".hostPath = config.alyraffauf.containers.nixos.navidrome.musicDirectory;
+      bindMounts = {
        "/Music".hostPath = config.alyraffauf.containers.nixos.navidrome.musicDirectory;
        "/var/lib/navidrome/rawNavidrome.json".hostPath = navidromeConfig;
        "${config.age.secrets.lastFMApiKey.path}".isReadOnly = true;
        "${config.age.secrets.lastFMSecret.path}".isReadOnly = true;
        "${config.age.secrets.spotifyClientId.path}".isReadOnly = true;
        "${config.age.secrets.spotifyClientSecret.path}".isReadOnly = true;
      };
      config = let
-        port = config.alyraffauf.containers.nixos.navidrome.port;
+        lastFMApiKey = config.age.secrets.lastFMApiKey.path;
        lastFMSecret = config.age.secrets.lastFMSecret.path;
        spotifyClientId = config.age.secrets.spotifyClientId.path;
        spotifyClientSecret = config.age.secrets.spotifyClientSecret.path;
      in
        {
          config,
@ -40,17 +69,26 @@
          ...
        }: {
          system.stateVersion = "24.05";
          system.activationScripts."navidrome-secrets" = ''
            lastFMApiKey=$(cat "${lastFMApiKey}")
            lastFMSecret=$(cat "${lastFMSecret}")
            spotifyClientId=$(cat "${spotifyClientId}")
            spotifyClientSecret=$(cat "${spotifyClientSecret}")
            ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
              -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
              /var/lib/navidrome/rawNavidrome.json > /var/lib/navidrome/navidrome.json
          '';
          systemd.services.navidrome.serviceConfig = {
            ExecStart = lib.mkForce ''
              ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
                --datafolder /var/lib/navidrome/
            '';
            BindReadOnlyPaths = "/Music";
          };
          services.navidrome = {
            enable = true;
            openFirewall = true;
            settings = {
              Address = "0.0.0.0";
              DefaultTheme = "Auto";
              MusicFolder = "/Music";
              Port = port;
              SubsonicArtistParticipations = true;
              UIWelcomeMessage = "Welcome to Navidrome! Registrations are closed.";
            };
          };
        };
    };
--- a/secrets/lastFM/apiKey.age
+++ b/secrets/lastFM/apiKey.age
--- a/secrets/lastFM/secret.age
+++ b/secrets/lastFM/secret.age
@ -0,0 +1,23 @@
 age-encryption.org/v1
 -> ssh-ed25519 c7E/gQ 8NGq05DvAkx/REYRnrHFwyBlviyJrdScI85xQ3qaWFA
 nceRgKIZ9+JP1w7sriFudW2adJDCqk4Dmj3pvLNvgCE
 -> ssh-ed25519 d4UErQ vH47+GmgCWWckZfjIbzfbkpKMmCplGIOyun8D8oIF28
 A+XmBXDe9+9ibrDOuBT/MO+/E2vmvECLqTDzRvMH+5A
 -> ssh-ed25519 1mX44w ANkgb0X0YvDk6ikbQwZHefeGUH2ZjHCiPgcGMmNWDSU
 58OwddbNLtALKAQEzgvibroZXR7Dyu3UB30g+lCZm0o
 -> ssh-ed25519 nrny8w ltF+TS1bsUBzaX6UypyX3bnqkHp7G9a2U5mMjgKAG3k
 9hGvMrpaX5L/zqqE91+N+U7DQYv0TfSOef7tpzClUOQ
 -> ssh-ed25519 W5caqg TTY8YX3rzMmzGFrVk7lBWeGmop4PWz9lqSkgVBEVkEg
 H/0/fXNEYPFLfBIp5eo4fEln58HYcdi6GpuY7trD6Hc
 -> ssh-ed25519 xIeYNQ RAzvu54SuABfIrqzhzvI+Uf6dNyQfVfW+znzXUwsiCk
 /wPqVRNBh492rw8BMl/Sr3HIcHKSx3cRGtGzsE7Wy7E
 -> ssh-ed25519 g+apXg LS280whEsL2630qxpiUOGOGIW6M4che/bEzRS7/YMUc
 PWkBHsJ8SlmLxthcY6LovIAz35IyLgyIMnpw76MRd4g
 -> ssh-ed25519 osHDzw bzrBaq5lbfgjpQ69Uv65XXwDOYdltoDdKzr6fusu+Rs
 ZnXhrj1JEicA5XP3XWMXaz7KnV00oFGLzQM18e04Pd0
 -> ssh-ed25519 GrlIbA bN8aFEAy9asUxTtVkjQUhghfK+RqNOpwaZ71kx5fYTg
 Pmj5d91rQ4XDUN+IC7Bm3PW//7aJUu0dfoWWe5+dYt4
 -> ssh-ed25519 N/8bSg EDMQEcuGAxJLbDFeFRuwpC2j/ot5bchOCTpD8XrzAFc
 Gzihvp6FgAruy1w9WtlXpgUyWmGSx1wALKSxO+8Uh5s
 --- S7bluPkKaT1A3gRrEnvPeuVkf/N8SNzTEpk3CF/ihqU
 6‰É"ËïŠu$—žF<>¥€l¦f×ho·~U~öðfÝë<06>ÖÙø9ØZ«¾ã›SÎërµÛ£4‹JŠÜr
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -33,6 +33,8 @@ in {
  "hosts/rustboro/syncthing/key.age".publicKeys = users ++ systems;
  "spotify/clientId.age".publicKeys = users ++ systems;
  "spotify/clientSecret.age".publicKeys = users ++ systems;
  "lastFM/apiKey.age".publicKeys = users ++ systems;
  "lastFM/secret.age".publicKeys = users ++ systems;
  "tailscale/authKeyFile.age".publicKeys = users ++ systems;
  "wifi.age".publicKeys = users ++ systems;
 }