Removed and revoked exposed spotify id

modules/navidrome/default.nix

@@ -24,28 +24,6 @@ in
     };
 
 
-    settings = mkOption rec {
-        type = settingsFormat.type;
-        apply = recursiveUpdate default;
-        default = {
-          Address = "127.0.0.1";
-          Port = port;
-          MusicFolder = "/home/mediaserver/music";
-          EnableGravatar = true;
-          ListenBrainz.Enabled = false;
-          LastFM.Language = "fr";
-          Spotify.ID = "34b7b2f28ac0490bb320073ac3123cd0";
-          Spotify.Secret = "4a5ee0a0f4524f25b8645018f8aee48e";
-          DefaultTheme = "Spotify-ish";
-        };
-        example = {
-          MusicFolder = "/mnt/music";
-        };
-        description = ''
-          Configuration for Navidrome, see <link xlink:href="https://www.navidrome.org/docs/usage/configuration-options/"/> for supported values.
-        '';
-      };
-
     nginx.enable = mkEnableOption "activate nginx";
     nginx.subdomain = mkOption {
       type = types.str;
@@ -55,20 +33,27 @@ in
   config = mkIf cfg.enable (
     mkMerge [{
 
+  sops.secrets."navidrome.json" = {
+        owner = cfg.user;
+        format = "binary";
+        sopsFile = ../../secrets/navidrome-config;
+      };
+
+
+
       systemd.services.navidrome = {
+        
         description = "Navidrome Media Server";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
-#          User = cfg.user;
-#          Group = cfg.group;
+          User = cfg.user;
+          Group = cfg.group;
           ExecStart = ''
-            ${pkgs.navidrome}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+            ${pkgs.navidrome}/bin/navidrome --configfile /run/secrets/navidrome.json
           '';
           StateDirectory = "navidrome";
           WorkingDirectory = "/var/lib/navidrome";
-          #RuntimeDirectory = "navidrome";
-          #RootDirectory = "/run/navidrome";
         };
       };
 

secrets/navidrome-config

@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:AVLaQ8e++FuwZVLJi6lNxiFb51na2LGhO2Ei+JJENavwKelQtJltP90enRRsTcbKFymBGeD5DaMT0dzXZNy92W4LIlCXasUA5e8X/aJts6s5U7sxJTuf69ceiML1+iqC1Qf+Zxb13lFnCKAACH/87Sa0iC2IFDYuj7vMVa0yObkPP9zc3BWlUWZGu2isf3cCugYHCSmoX0ejoHTOINwoBXZtDMIS0tvF4nZJnQJMrteh/L4MCHje9gcNep/+hetvvIl8gFZ17QJ10YY2SKBTESN4n96Gf+ySkT3Cd7OAaJYdYitNK1ZWeNRbiV70y3GAa6N8HsDYOLJKZvCjDTf4UykQScZ1bEjbOlP+/LITfL5r8lzcX8j0MsdjRsSC+Zb6oUj9celMw4n5e316VdZyqifuJe28KaAmOvujdI44GKrkafqnNYtunp3ks9i/c61avwSbRsNnT4XkQcGmUw==,iv:ttNPe7iu8sauN+3l5xRpHuTQM3/H81kCML4bHmuA15s=,tag:G7M+9+KUy/EJQYmG3b7dOA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ac9aek30209ppmxxxpfc65wet344u57pdy3zmk3whjlta38m6q9s9m666g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMnRRV3FHeUZiT0phcjVw\nZkY2SDQzQy8vVUlzZmZjQzM2VlhoL2FIWmk0ClBXZWRPVjZDaWlmMmdpR01vbDlV\nVEpPL0Q3WjJwUFBvNGk4eEdySXY5MFUKLS0tIGQ4QlUwSmExVEV3SE1aT3B1QWUv\nbGN3aG1FamdiNGR2QWVMdm5qUVBRQmsKcujlvoJn4BbcbFKlUfhonURjuEOllsr6\nRegLMdaBUikq1dyZYlsiF9rvtVVYPwVwFJm+lEYWawFh5Ppdbb46vA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ3FnZE45ZFdPSUhjdkc3\nY1h1aVZ4VElvOGNiV2lremRZYXMxWExMYkJZCmVDUHNocnBXaFdVZlZONHdoNVJ2\nSnIzazN3V0ZGMmVhZW1jSmZJeXJWSjQKLS0tIGh6aGVlb0M3bGVJQ0Z1TjkvRUgr\nMEJUblRrcjNZQmIzVGhvU1JXbnFONU0KnfKGvmUScr6qdI4L5eM9IJ79L5mxrZKA\npTOy5eeoUFUv/vnJOR8SOlbFHUx2ZppANNIOCwJE6HsKjNdeFcXgyw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15uzmt3utvm3vvmy79yk754cvwdxl0gkhqhjfy05qed0nhrpqjf0q0yh5mj",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWVJsVUhkNDlMcllPMzZX\nVmg3c1ZncWhzVVVGdlIxbDNzak5wSU0wclZvClc0WTZ6U2dFeGMwT0xjaHBuMmhs\nU0FFY1Z6dk44d0tWYzhQM1JGYko5MVkKLS0tIC9seUdYelFoREhPZlNKYUZxbmRK\nREhzK21oNFFoOG1NYlh3TUttSHhxOWsKgP8OT1hrtqRY6Ep6F9E4h8gVVpjOXkcJ\nTGxD5ERdtn/0ctsNIkc27Gydi0R3+lLejMw+kOaShXh3RtgRCW6c8g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-02-19T22:11:23Z",
+		"mac": "ENC[AES256_GCM,data:L4DNRzwXQZesV8Bnkh69HtFc9JilwZ/Di2iW+cv7B5PPmztDvaFnNdHUt2xxJ0AASIOSk6zLd7wUjx91DzQ17z3aNfQZFuk172cgi2tJTtod/X8SrPFoELJtKjzDW0hTdPGZQZQepwqxBi17hJ5iOmWTZyh+B4trQHo3zxyVDng=,iv:BC+L+0lB/cuBokqLfbpUdM5p5JKGzLr47CSifJsE7j0=,tag:cRWla88EDwQhMyQRMiSRTg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}

secrets/secrets.yaml

@@ -42,8 +42,8 @@ sops:
             RHY4SzV0RlF2SEMySEF0S0VCYi9OVkEK9hFLmy8TbXwf5QFQJsYv2Fz+4xsda49W
             Q8ayRVYsKCJAhrw1qcwJ6mCbk0uHZXR2Dyp/utz7ELAmEynA6+N2aw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-02-01T12:21:08Z"
-    mac: ENC[AES256_GCM,data:I9fO2w1EDTfoirP/aqTt8Cg1H+JL7C0krdu/Fx5RobQ6xHU9UIUjpkNiCrSQZt3P1SUGmx6DLCj6niS5//hiijcuGgsLRnMJ72oQVzN4Ruzm86jrF2Ho70ZMUJK0NLDPiYhCpGJPE0XB4QTX7osn6UEDj9oYpjfa++bv1YDb+OU=,iv:/7AIt0wx7Q1AJh6nZpxn+FMzaVv9OI0HIpzk5FYfMeA=,tag:06aBjxAzrgwalU2/XSpRYw==,type:str]
+    lastmodified: "2022-02-19T22:11:38Z"
+    mac: ENC[AES256_GCM,data:3uq3k46aA3l3xPH8g5VWKmBqw+apB5Z+fk8/DNDKirfsZ9hJc0jbJwh8/8YmyVHGMr3oCH7goEJYyuOO1gv5B8AajQk1TnBVyxj6mxXaUmrvm7pv52FbuX9zxtsJoc1jzYJXFWgICEkhMXhDPmqI1EXA8VXGYb8/RPGASLV9nVo=,iv:0RFai6c7D14LN+0ygyfmootJGAUvz/m8blJIaH9cMdo=,tag:45NVeVixmqFpFkjniuiFlg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.1