diff --git a/jobs/forgejo.run b/cfg/jobs/forgejo.run
similarity index 100%
rename from jobs/forgejo.run
rename to cfg/jobs/forgejo.run
diff --git a/cfg/jobs/navidrome.run b/cfg/jobs/navidrome.run
new file mode 100644
index 0000000..8b25b1b
--- /dev/null
+++ b/cfg/jobs/navidrome.run
@@ -0,0 +1,69 @@
+#!/bin/env bash
+# Upstream doc: https://www.navidrome.org/docs/installation/linux/
+set -euxo pipefail
+
+IMAGE="ubuntu/24.04"
+DIST="${IMAGE%%/*}"
+VER="${IMAGE#*/}"
+VER="${VER%/*}"
+VER="${VER//./-}"
+UPSTREAM_VER="0.53.3"
+UPSTREAM_VER_DASH="${UPSTREAM_VER//./-}"
+UPSTREAM_NAME="navidrome"
+SERIAL="1benoitjpnet"
+CNAME="$UPSTREAM_NAME-$UPSTREAM_VER_DASH-$SERIAL-$DIST-$VER"
+ALIAS="$UPSTREAM_NAME-$UPSTREAM_VER-$SERIAL"
+
+cd $WORKSPACE
+incus launch images:$IMAGE $CNAME --quiet
+
+# Wait network
+sleep 5
+
+# Navidrome
+incus exec $CNAME -- mkdir /etc/esh
+incus exec $CNAME -- apt update
+incus exec $CNAME -- apt upgrade -y
+incus exec $CNAME -- apt install -y --no-install-recommends ffmpeg wget
+incus exec $CNAME -- useradd -m -s /sbin/nologin -d /var/lib/navidrome navidrome
+incus exec $CNAME -- install -d -o navidrome -g navidrome /opt/navidrome
+incus exec $CNAME -- wget "https://github.com/navidrome/navidrome/releases/download/v${UPSTREAM_VER}/navidrome_${UPSTREAM_VER}_linux_amd64.tar.gz" -O /tmp/Navidrome.tar.gz
+incus exec $CNAME -- tar -xvzf /tmp/Navidrome.tar.gz -C /opt/navidrome/
+incus exec $CNAME -- chown -R navidrome:navidrome /opt/navidrome
+incus file push navidrome.toml $CNAME/etc/esh/
+incus file push setup.sh $CNAME/usr/local/bin/
+incus file push navidrome.service $CNAME/etc/systemd/system/
+
+# Syncthing
+incus exec $CNAME -- apt install syncthing
+incus exec $CNAME -- cp /lib/systemd/system/syncthing\@.service /etc/systemd/system/
+incus exec $CNAME -- sed -i \
+ 's/\(ExecStart=\/usr\/bin\/syncthing serve --no-browser --no-restart --logflags=0\)/\1 --gui-address=0.0.0.0:8384/' \
+ /etc/systemd/system/syncthing\@.service
+
+# Clean
+incus exec $CNAME -- \
+ rm -rf \
+ /etc/machine-id \
+ /var/cache/apt \
+ /var/log/journal
+
+# Publish
+incus stop $CNAME
+incus config metadata show $CNAME > metadata.yaml
+# Get the current Unix timestamp
+current_timestamp=$(date +%s)
+# Calculate expiry date as current timestamp + 1 week (604800 seconds)
+expiry_date=$(($current_timestamp + 604800))
+# Update metadata values
+sed -i \
+ -e "s/creation_date: .*/creation_date: $current_timestamp/" \
+ -e "s/expiry_date: .*/expiry_date: $expiry_date/" \
+ -e "s#description: .*#description: $UPSTREAM_NAME v$UPSTREAM_VER on $IMAGE release $SERIAL#" \
+ -e "s/name: .*/name: $CNAME/" \
+ -e "s/serial: .*/serial: $SERIAL/" \
+ metadata.yaml
+
+incus config metadata edit $CNAME < metadata.yaml
+incus publish $CNAME --alias $ALIAS --public
+incus rm $CNAME
diff --git a/run/navidrome/workspace/navidrome.service b/run/navidrome/workspace/navidrome.service
new file mode 100644
index 0000000..fd01ee2
--- /dev/null
+++ b/run/navidrome/workspace/navidrome.service
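Review bot: In cfg/jobs/navidrome.run the release tarball fetched by the `wget` line is unpacked into /opt/navidrome with no integrity check, and the resulting image is then published with `--public`. Pin the expected digest next to `UPSTREAM_VER` and verify it before the `tar` step, for example `UPSTREAM_SHA256="<sha256-of-release-tarball>"` followed by `incus exec $CNAME -- sh -c "echo '$UPSTREAM_SHA256  /tmp/Navidrome.tar.gz' | sha256sum -c -"`. Separately, the `sed` on `syncthing@.service` binds the Syncthing GUI to `0.0.0.0:8384`, and nothing visible in this hunk sets a GUI user or password; unless setup.sh (not shown here) does so, the admin interface is reachable from every network the container is attached to. A comment stating where GUI authentication is configured, or a narrower `--gui-address`, would make that exposure an explicit decision.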
@@ -0,0 +1,47 @@
+[Unit]
+Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
+After=remote-fs.target network.target
+AssertPathExists=/var/lib/navidrome
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+User=navidrome
+Group=navidrome
+Type=simple
+ExecStart=/opt/navidrome/navidrome --configfile "/var/lib/navidrome/navidrome.toml"
+WorkingDirectory=/var/lib/navidrome
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+ReadWritePaths=/var/lib/navidrome
+
+# You can uncomment the following line if you're not using the jukebox This
+# will prevent navidrome from accessing any real (physical) devices
+PrivateDevices=yes
+
+# You can change the following line to `strict` instead of `full` if you don't
+# want navidrome to be able to write anything on your filesystem outside of
+# /var/lib/navidrome.
+ProtectSystem=strict
+
+# You can uncomment the following line if you don't have any media in /home/*.
+# This will prevent navidrome from ever reading/writing anything there.
+ProtectHome=true
+
+# You can customize some Navidrome config options by setting environment variables here. Ex:
+#Environment=ND_BASEURL="/navidrome"
diff --git a/run/navidrome/workspace/navidrome.toml b/run/navidrome/workspace/navidrome.toml
new file mode 100644
index 0000000..cc5e4f0
--- /dev/null
+++ b/run/navidrome/workspace/navidrome.toml
@@ -0,0 +1,2 @@
+# For more options, check doc: https://www.navidrome.org/docs/usage/configuration-options/#available-options
+MusicFolder = "/var/lib/music"
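Review bot: In run/navidrome/workspace/navidrome.service the comments above `PrivateDevices=yes`, `ProtectSystem=strict` and `ProtectHome=true` still read as optional advice ("You can uncomment…", "change … to `strict` instead of `full`") although all three directives are already active, so a reader cannot tell which restrictions are deliberate. Reword them to state what is enforced, e.g. `# No access to physical devices; remove if the jukebox feature is needed`, `# Filesystem is read-only apart from ReadWritePaths and the private /tmp` and `# /home is inaccessible; keep media outside it`. Separately, `KillMode=process` signals only the main process on stop, so any ffmpeg children it has spawned could outlive the service; systemd's documentation discourages this mode, and dropping the line restores the default `control-group`.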