meow

2025-01-31 18:40:25 +01:00 · 2025-01-31 18:40:25 +01:00 · c6fad213b4
commit c6fad213b4
parent 61b4ceedfa
3 changed files with 105 additions and 77 deletions
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -125,19 +125,31 @@ in
    ];
  };
  # navidrome
-  virtualisation.oci-containers.containers.navidrome = {
-    user = "1000:100";
-    image = "deluan/navidrome:latest";
+  virtualisation.oci-containers.containers.lms = {
+    # don't tell mom
+    # user = "1000:100";
+    image = "epoupon/lms:latest";
+    cmd = ["/lms.conf"];
    extraOptions = [ "--network=podman" ];
-    volumes = [
-      "navidrome-data:/data"
-      "/data/media/music:/music:ro"
+    volumes =
+      let
+        lmsConfig = pkgs.writeText "lms-config" ''
+          original-ip-header = "X-Forwarded-For";
+          behind-reverse-proxy = true;
+          trusted-proxies =
+          (
+          	"10.88.0.1"
+          );
+          authentication-backend = "http-headers";
+          http-headers-login-field = "X-Webauth-User";
+        '';
+      in
+      [
+        "lightweight-music-server-data:/var/lms:rw"
+        "${lmsConfig}:/lms.conf"
+        "/data/media/beets/music:/music:ro"
      ];
-    environment = {
-      ND_SCANSCHEDULE = "1h";
-      ND_SESSIONTIMEOUT = "900h";
-      ND_BASEURL = "https://nd.hailsatan.eu";
-    };
+    environment = { };
  };

  # changedetection
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -120,6 +120,8 @@ in
    ZED_SCRUB_AFTER_RESILVER = true;
  };

+  services.tailscaleAuth.enable = true;
+  services.tailscaleAuth.group = config.services.caddy.group;
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
  services.caddy = {
    # ragon.services.caddy is enabled
@ -154,9 +156,23 @@ in
                }
              }
            }
-      @nd host nd.hailsatan.eu
-      handle @nd {
-        reverse_proxy http://navidrome:4533 {
+            @lms host lms.hailsatan.eu
+            handle @lms {
+              forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+      	        uri /auth
+      	        header_up Remote-Addr {remote_host}
+      	        header_up Remote-Port {remote_port}
+      	        header_up Original-URI {uri}
+      	        copy_headers {
+      	        	Tailscale-User>X-Webauth-User
+      	        	Tailscale-Name>X-Webauth-Name
+      	        	Tailscale-Login>X-Webauth-Login
+      	        	Tailscale-Tailnet>X-Webauth-Tailnet
+      	        	Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+      	        }
+              } 
+
+              reverse_proxy http://lms:5082 {
                transport http {
                  resolvers 10.88.0.1 # podman dns
                }
--- a/hosts/theseus/default.nix
+++ b/hosts/theseus/default.nix
@ -306,7 +306,7 @@
        location.extraConfig.before_backup = [ "notify-send -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
        location.extraConfig.after_backup = [ "notify-send -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
        location.extraConfig.on_error = [ "notify-send -u critical -a borgmatic borgmatic \"backup failed\"" ];
-        location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
+        # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
        location.extraConfig.one_file_system = true;
        retention = {
          keepHourly = 24;