diff --git a/cfg/jobs/navidrome.run b/cfg/jobs/navidrome.run
index e52bf85..80715b9 100755
--- a/cfg/jobs/navidrome.run
+++ b/cfg/jobs/navidrome.run
@@ -7,7 +7,7 @@ DIST="${IMAGE%%/*}"
 VER="${IMAGE#*/}"
 VER="${VER%/*}"
 VER="${VER//./-}"
-UPSTREAM_VER="0.53.3"
+UPSTREAM_VER="0.54.4"
 UPSTREAM_VER_DASH="${UPSTREAM_VER//./-}"
 UPSTREAM_NAME="navidrome"
 SERIAL="1benoitjpnet"
@@ -19,26 +19,31 @@ incus launch images:$IMAGE "$CNAME" --quiet
 wait_network "$CNAME"
+incus config set "$CNAME" environment.DEBIAN_FRONTEND=noninteractive
+incus config set "$CNAME" environment.DEBCONF_NONINTERACTIVE_SEEN=true
+incus config set "$CNAME" environment.LC_ALL=C
+
 # Navidrome
-incus exec "$CNAME" -- bash -c "apt update && \
- apt upgrade -y && \
- apt install -y --no-install-recommends ffmpeg wget && \
- useradd -m -s /sbin/nologin -d /var/lib/navidrome navidrome && \
- install -d -o navidrome -g navidrome /opt/navidrome && \
- wget -q https://github.com/navidrome/navidrome/releases/download/v${UPSTREAM_VER}/navidrome_${UPSTREAM_VER}_linux_amd64.tar.gz \
- -O /tmp/Navidrome.tar.gz && \
- tar -xvzf /tmp/Navidrome.tar.gz -C /opt/navidrome/ && \
- chown -R navidrome:navidrome /opt/navidrome
-"
+incus exec "$CNAME" -- apt update
+incus exec "$CNAME" -- apt upgrade -y
+incus exec "$CNAME" -- apt install -y --no-install-recommends ffmpeg wget
+incus exec "$CNAME" -- useradd -m -s /sbin/nologin -d /var/lib/navidrome navidrome
+incus exec "$CNAME" -- install -d -o navidrome -g navidrome /opt/navidrome
+incus exec "$CNAME" -- wget -q https://github.com/navidrome/navidrome/releases/download/v${UPSTREAM_VER}/navidrome_${UPSTREAM_VER}_linux_amd64.tar.gz -O /tmp/Navidrome.tar.gz
+incus exec "$CNAME" -- tar -xvzf /tmp/Navidrome.tar.gz -C /opt/navidrome/
+incus exec "$CNAME" -- chown -R navidrome:navidrome /opt/navidrome
+incus file push "$WORKSPACE"/navidrome.service \
+ "$CNAME"/etc/systemd/system/
+incus file push "$WORKSPACE"/navidrome.toml \
+ "$CNAME"/etc/
 # Syncthing
 incus exec "$CNAME" -- apt install -y --no-install-recommends syncthing
-incus exec "$CNAME" -- cp /lib/systemd/system/syncthing\@.service /etc/systemd/system/
-incus exec "$CNAME" -- sed -i \
- 's/\(ExecStart=\/usr\/bin\/syncthing serve --no-browser --no-restart --logflags=0\)/\1 --gui-address=0.0.0.0:8384/' \
- /etc/systemd/system/syncthing\@.service
+incus file push "$WORKSPACE"/syncthing.service \
+ "$CNAME"/etc/systemd/system/
-# Next manual steps https://www.navidrome.org/docs/installation/linux/#create-configuration-file
+incus exec "$CNAME" -- systemctl daemon-reload
+incus exec "$CNAME" -- systemctl enable syncthing photoprism
 laminarc run incus_publish \
 CNAME="$CNAME" \
diff --git a/run/navidrome/workspace/navidrome.service b/run/navidrome/workspace/navidrome.service
new file mode 100644
index 0000000..b34cc09
--- /dev/null
+++ b/run/navidrome/workspace/navidrome.service
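Review bot: The last added exec line, `systemctl enable syncthing photoprism`, enables a `photoprism` unit that nothing in this job installs, while the `navidrome.service` pushed a few lines above is never enabled; it should read `incus exec "$CNAME" -- systemctl enable syncthing navidrome`, and since systemctl exits non-zero for an unknown unit the job may abort before `laminarc run incus_publish` depending on the shell options set at the top of the file, which is outside this hunk. The release tarball is fetched with `wget -q` and unpacked by root into /opt/navidrome with no integrity check, so a tampered or truncated download lands as the service binary; pinning a digest next to `UPSTREAM_VER` and running `sha256sum -c` inside the container before the `tar` step makes the image build reproducible and fails closed. /tmp/Navidrome.tar.gz is also left behind in the published image; an `rm -f /tmp/Navidrome.tar.gz` after extraction is cheap.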
@@ -0,0 +1,47 @@
+[Unit]
+Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
+After=remote-fs.target network.target
+AssertPathExists=/var/lib/navidrome
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+User=navidrome
+Group=navidrom
+Type=simple
+ExecStart=/opt/navidrome/navidrome --configfile "/etc/navidrome.toml"
+WorkingDirectory=/var/lib/navidrome
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+ReadWritePaths=/var/lib/navidrome
+
+# You can uncomment the following line if you're not using the jukebox This
+# will prevent navidrome from accessing any real (physical) devices
+#PrivateDevices=yes
+
+# You can change the following line to `strict` instead of `full` if you don't
+# want navidrome to be able to write anything on your filesystem outside of
+# /var/lib/navidrome.
+ProtectSystem=full
+
+# You can uncomment the following line if you don't have any media in /home/*.
+# This will prevent navidrome from ever reading/writing anything there.
+#ProtectHome=true
+
+# You can customize some Navidrome config options by setting environment variables here. Ex:
+#Environment=ND_BASEURL="/navidrome"
diff --git a/run/navidrome/workspace/navidrome.toml b/run/navidrome/workspace/navidrome.toml
new file mode 100644
index 0000000..3b64a10
--- /dev/null
+++ b/run/navidrome/workspace/navidrome.toml
@@ -0,0 +1,5 @@
+MusicFolder = "/var/lib/navidrome/music"
+DataFolder = "/var/lib/navidrome/data"
+Address = "::"
+BaseUrl = "http://localhost"
+# https://www.navidrome.org/docs/usage/configuration-options/#available-options
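Review bot: `Group=navidrom` in [Service] is missing its trailing `e`; the job's `useradd` creates user and group `navidrome`, so systemd cannot resolve the group and the unit will fail to start — change it to `Group=navidrome`. With `ReadWritePaths=/var/lib/navidrome` already declared and the config living under /etc, `ProtectSystem=strict` instead of `full` costs nothing in this image and stops the service from writing anywhere but its state directory; the unit's own comment already invites that change. `#PrivateDevices=yes` and `#ProtectHome=true` could also be switched on here, since nothing in this job sets up a jukebox device or media under /home, though that is an assumption about how the image is used. A one-line comment such as `# Image-specific: group/user created by cfg/jobs/navidrome.run` would tie the unit back to the job that provisions it.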
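Review bot: `Address = "::"` binds Navidrome on every interface of the container, yet `BaseUrl = "http://localhost"` tells it that clients reach it at localhost, so links and redirects it builds will not match the address anyone on the network actually uses. On a fresh Navidrome instance the first visitor is offered the create-admin form, so with this binding whoever reaches the port first after publish can claim the admin account; either bind to the loopback address and front it with a reverse proxy, or set `BaseUrl` to the real external URL and document that the first login must happen immediately after the image is started. A comment recording the intended exposure, e.g. `# Listens on all interfaces on purpose; first visit creates the admin account`, would make the choice explicit for the next reader.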
diff --git a/run/navidrome/workspace/syncthing.service b/run/navidrome/workspace/syncthing.service
new file mode 100644
index 0000000..a6ebef9
--- /dev/null
+++ b/run/navidrome/workspace/syncthing.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Syncthing - Open Source Continuous File Synchronization for photoprism
+Documentation=man:syncthing(1)
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=4
+
+[Service]
+User=navidrome
+ExecStart=/usr/bin/syncthing serve --no-browser --no-restart --logflags=0 --home /var/lib/navidrome/syncthing --no-default-folder --gui-address=":8384"
+Restart=on-failure
+RestartSec=1
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
+# Elevated permissions to sync ownership (disabled by default),
+# see https://docs.syncthing.net/advanced/folder-sync-ownership
+#AmbientCapabilities=CAP_CHOWN CAP_FOWNER
+
+[Install]
+WantedBy=multi-user.target
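Review bot: `--gui-address=":8384"` on the ExecStart line exposes the Syncthing web GUI and REST API on every interface of the container, and nothing in this change configures a GUI user, password or API key; an unauthenticated GUI lets anyone on that network add devices and folders and read or write under /var/lib/navidrome as the `navidrome` user. Keep it on loopback with `--gui-address=127.0.0.1:8384` and reach it through an SSH tunnel or a reverse proxy, or provision GUI credentials in the Syncthing config before the image is published. `Description=... for photoprism` looks pasted from another job; `Description=Syncthing - Open Source Continuous File Synchronization for navidrome` matches this unit. Compared with navidrome.service in the same commit this unit also leaves `ProtectHome`, `PrivateDevices`, `ProtectKernelTunables` and `RestrictAddressFamilies` unset, and the same lines would apply here without affecting sync.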