millironx/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

Compare commits

base: millironx:ffb44a20e05ca81c844aed5178fc7d01163ff4ee
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec
..
compare: millironx:41025b4b5574eb4f4df1eb831ec7441934fb2f27
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec

2 commits
ffb44a20e0 ... 41025b4b55

Author SHA1 Message Date
Thomas A. Christensen II
41025b4b55
fix: Navidrome mount point 2026-02-23 09:10:46 -06:00
Thomas A. Christensen II
cb8a0ee1f6
fix: Navidrome reverse proxy config 2026-02-23 09:10:24 -06:00
1 changed files with 32 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

35
services/navidrome.nix
View file

@ -46,6 +46,11 @@ in {
source_directories = map (d: "${stateDirectory}/${d}") [ "data" ]; source_directories = map (d: "${stateDirectory}/${d}") [ "data" ];
}; };
# Modified from
# - <https://www.navidrome.org/docs/getting-started/extauth-quickstart/#example-caddy-with-authentik>
# - <https://www.navidrome.org/docs/usage/integration/authentication/#caddy-with-forward_auth>
# Modifications are exclusively changes from Docker hostnames to 127.0.0.1 and
# port numbers
services.caddy.virtualHosts."music.millironx.com".extraConfig = '' services.caddy.virtualHosts."music.millironx.com".extraConfig = ''
# Authentik output endpoint # Authentik output endpoint
reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort} reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort}
@ -57,8 +62,31 @@ in {
copy_headers X-Authentik-Username>Remote-User copy_headers X-Authentik-Username>Remote-User
} }
# Authentik uses the Authorization header if present, so should be able to
# authenticate subsonic clients that support BasicAuth. Requests from the
# Navidrome Web App will be authenticated via the existing session cookie.
# If you want to have Navidrome authenticate subsonic requests, remove this
# forward_auth block.
@subsonic path /rest/*
forward_auth @subsonic http://127.0.0.1:${authentikPort} {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username>Remote-User
# Some clients that claim to support basicauth still expect a subsonic
# response in case of authentication failure instead of a proper basicauth
# response.
@error status 1xx 3xx 4xx 5xx
handle_response @error {
respond <<SUBSONICERR
<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
<error code="40" message="Invalid credentials or unsupported client"></error>
</subsonic-response>
SUBSONICERR 200
}
}
# Forward everything to Navidrome # Forward everything to Navidrome
reverse_proxy 127.0.0.1:${port} reverse_proxy http://127.0.0.1:${port}
''; '';
users.users."${user}" = { users.users."${user}" = {
@ -84,12 +112,13 @@ in {
image = "docker.io/deluan/navidrome:latest"; image = "docker.io/deluan/navidrome:latest";
environments = { environments = {
ND_BASEURL = "https://music.millironx.com"; ND_BASEURL = "https://music.millironx.com";
ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8"; # pasta appears to use the static host IP so trust that
ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/24";
}; };
secrets = secrets =
map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ]; map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ];
volumes = [ volumes = [
"${s3MountDirectory}:/music:Uro" "${s3MountDirectory}:/music:ro"
"${stateDirectory}/data:/data:U" "${stateDirectory}/data:/data:U"
]; ];
publishPorts = [ "127.0.0.1:${port}:${port}" ]; publishPorts = [ "127.0.0.1:${port}:${port}" ];