diff --git a/secrets.nix b/secrets.nix
index ffbb9ab..ce66958 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -38,6 +38,10 @@ in {
     ++ [ mcentire-host ];
   "secrets/millironx-books-s3.age".publicKeys = system-administrators
     ++ [ mcentire-host ];
+  "secrets/millironx-music-s3.age".publicKeys = system-administrators
+    ++ [ mcentire-host ];
+  "secrets/navidrome.toml.age".publicKeys = system-administrators
+    ++ [ mcentire-host ];
   "secrets/network-information.age".publicKeys = system-administrators
     ++ [ bosephus-host ];
 }
diff --git a/secrets/millironx-music-s3.age b/secrets/millironx-music-s3.age
new file mode 100644
index 0000000..14e9b64
Binary files /dev/null and b/secrets/millironx-music-s3.age differ
diff --git a/secrets/navidrome.toml.age b/secrets/navidrome.toml.age
new file mode 100644
index 0000000..2331985
Binary files /dev/null and b/secrets/navidrome.toml.age differ
diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix
index c4f5070..c81b0dd 100644
--- a/services/audiobookshelf.nix
+++ b/services/audiobookshelf.nix
@@ -21,6 +21,9 @@ in {
       "use_path_request_style"
       "url=https://us-east-1.linodeobjects.com/"
       "passwd_file=${config.age.secrets.millironx-books-s3-token.path}"
+      "uid=${user}"
+      "gid=${user}"
+      "umask=0022"
     ];
   };
diff --git a/services/navidrome.nix b/services/navidrome.nix
new file mode 100644
index 0000000..bd8bc94
--- /dev/null
+++ b/services/navidrome.nix
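Review bot: The added `"uid=${user}"` and `"gid=${user}"` options interpolate what is, judging by the sibling services/navidrome.nix in this commit, the account name rather than a number; s3fs and the libfuse option parser both document `uid=`/`gid=` as numeric ids, so a name is likely rejected as an invalid mount parameter and the bucket never mounts at boot — verify against the s3fs version in use. The same two lines are added in the `fileSystems` options of services/navidrome.nix, so the fix applies there too. One way to keep the ids stable is to pin them on the account (`users.users.${user}.uid` and `users.groups.${user}.gid`) and pass `"uid=${toString config.users.users.${user}.uid}"` and `"gid=${toString config.users.groups.${user}.gid}"`. The `options` list and the enclosing `fileSystems` attribute open outside the hunk.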
@@ -0,0 +1,104 @@
+{ config, pkgs, home-manager-quadlet-nix, ... }:
+let
+  user = "navidrome";
+  port = "4533";
+  authentikPort = "9000";
+  stateDirectory = "/var/lib/${user}";
+  s3BucketName = "millironx-music";
+  s3MountDirectory = "/mount/s3/${s3BucketName}";
+in {
+  age.secrets = {
+    millironx-music-s3-token.file = ./../secrets/millironx-music-s3.age;
+    "navidrome.toml" = {
+      file = ./../secrets/navidrome.toml.age;
+      owner = user;
+    };
+  };
+
+  millironx.podman-secrets.navidrome = {
+    inherit user;
+    secrets-files = [ config.age.secrets."navidrome.toml".path ];
+  };
+
+  environment.systemPackages = [ pkgs.s3fs ];
+
+  fileSystems."${s3BucketName}" = {
+    device = s3BucketName;
+    mountPoint = s3MountDirectory;
+    fsType = "fuse./run/current-system/sw/bin/s3fs";
+    noCheck = true;
+    options = [
+      "_netdev"
+      "allow_other"
+      "use_path_request_style"
+      "url=https://us-east-1.linodeobjects.com/"
+      "passwd_file=${config.age.secrets.millironx-music-s3-token.path}"
+      "uid=${user}"
+      "gid=${user}"
+      "umask=0022"
+    ];
+  };
+
+  systemd.tmpfiles.rules =
+    map (d: "d ${stateDirectory}/${d} 1775 ${user} ${user} -") [ "" "data" ];
+
+  services.borgmatic.configurations."${config.networking.hostName}" = {
+    source_directories = map (d: "${stateDirectory}/${d}") [ "data" ];
+  };
+
+  services.caddy.virtualHosts."music.millironx.com".extraConfig = ''
+    # Authentik output endpoint
+    reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort}
+
+    # Protect everything except share and subsonic endpoints
+    @protected not path /share/* /rest/*
+    forward_auth @protected http://127.0.0.1:${authentikPort} {
+      uri /outpost.goauthentik.io/auth/caddy
+      copy_headers X-Authentik-Username>Remote-User
+    }
+
+    # Forward everything to Navidrome
+    reverse_proxy 127.0.0.1:${port}
+  '';
+
+  users.users."${user}" = {
+    group = "${user}";
+    isNormalUser = true;
+    home = stateDirectory;
+    createHome = true;
+    linger = true;
+    autoSubUidGidRange = true;
+  };
+  users.groups."${user}" = { };
+
+  home-manager.users."${user}" = { config, osConfig, ... }: {
+    imports = [ home-manager-quadlet-nix ];
+
+    home.stateVersion = "25.05";
+
+    virtualisation.quadlet = {
+      autoUpdate.enable = true;
+      containers.navidrome = {
+        autoStart = true;
+        containerConfig = {
+          image = "docker.io/deluan/navidrome:latest";
+          environments = {
+            ND_BASEURL = "https://music.millironx.com";
+            ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8";
+          };
+          secrets =
+            map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ];
+          volumes = [
+            "${s3MountDirectory}:/music:Uro"
+            "${stateDirectory}/data:/data:U"
+          ];
+          publishPorts = [ "127.0.0.1:${port}:${port}" ];
+          unitConfig.Requires =
+            [ osConfig.millironx.podman-secrets.navidrome.ref ];
+          unitConfig.After =
+            [ osConfig.millironx.podman-secrets.navidrome.ref ];
+        };
+      };
+    };
+  };
+}
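Review bot: In the Caddy `extraConfig`, `forward_auth` and the `copy_headers X-Authentik-Username>Remote-User` it performs run only for `@protected`, so on `/share/*` and `/rest/*` a `Remote-User` header supplied by the client is proxied to Navidrome unchanged, while `ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8"` tells Navidrome to trust exactly that header from the proxy's source range. Whether Navidrome consumes the header on the Subsonic paths depends on its external-auth handling, but an unverified identity header should not reach it at all; strip it on the bypassed paths with `@unprotected path /share/* /rest/*` followed by `request_header @unprotected -Remote-User`, placed before the final `reverse_proxy`. A comment on the `ND_EXTAUTH_TRUSTEDSOURCES` line recording which podman network address the proxied traffic arrives from would also help, since the /8 is only as safe as that assumption.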