millironx/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

Compare commits

base: millironx:41025b4b5574eb4f4df1eb831ec7441934fb2f27
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec
..
compare: millironx:ffb44a20e05ca81c844aed5178fc7d01163ff4ee
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec

No commits in common. "41025b4b5574eb4f4df1eb831ec7441934fb2f27" and "ffb44a20e05ca81c844aed5178fc7d01163ff4ee" have entirely different histories.
41025b4b55 ... ffb44a20e0

1 changed files with 3 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

35
services/navidrome.nix
View file

@ -46,11 +46,6 @@ in {
source_directories = map (d: "${stateDirectory}/${d}") [ "data" ]; source_directories = map (d: "${stateDirectory}/${d}") [ "data" ];
}; };
# Modified from
# - <https://www.navidrome.org/docs/getting-started/extauth-quickstart/#example-caddy-with-authentik>
# - <https://www.navidrome.org/docs/usage/integration/authentication/#caddy-with-forward_auth>
# Modifications are exclusively changes from Docker hostnames to 127.0.0.1 and
# port numbers
services.caddy.virtualHosts."music.millironx.com".extraConfig = '' services.caddy.virtualHosts."music.millironx.com".extraConfig = ''
# Authentik output endpoint # Authentik output endpoint
reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort} reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort}
@ -62,31 +57,8 @@ in {
copy_headers X-Authentik-Username>Remote-User copy_headers X-Authentik-Username>Remote-User
} }
# Authentik uses the Authorization header if present, so should be able to
# authenticate subsonic clients that support BasicAuth. Requests from the
# Navidrome Web App will be authenticated via the existing session cookie.
# If you want to have Navidrome authenticate subsonic requests, remove this
# forward_auth block.
@subsonic path /rest/*
forward_auth @subsonic http://127.0.0.1:${authentikPort} {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username>Remote-User
# Some clients that claim to support basicauth still expect a subsonic
# response in case of authentication failure instead of a proper basicauth
# response.
@error status 1xx 3xx 4xx 5xx
handle_response @error {
respond <<SUBSONICERR
<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
<error code="40" message="Invalid credentials or unsupported client"></error>
</subsonic-response>
SUBSONICERR 200
}
}
# Forward everything to Navidrome # Forward everything to Navidrome
reverse_proxy http://127.0.0.1:${port} reverse_proxy 127.0.0.1:${port}
''; '';
users.users."${user}" = { users.users."${user}" = {
@ -112,13 +84,12 @@ in {
image = "docker.io/deluan/navidrome:latest"; image = "docker.io/deluan/navidrome:latest";
environments = { environments = {
ND_BASEURL = "https://music.millironx.com"; ND_BASEURL = "https://music.millironx.com";
# pasta appears to use the static host IP so trust that ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8";
ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/24";
}; };
secrets = secrets =
map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ]; map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ];
volumes = [ volumes = [
"${s3MountDirectory}:/music:ro" "${s3MountDirectory}:/music:Uro"
"${stateDirectory}/data:/data:U" "${stateDirectory}/data:/data:U"
]; ];
publishPorts = [ "127.0.0.1:${port}:${port}" ]; publishPorts = [ "127.0.0.1:${port}:${port}" ];