Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- ubuntu:navidrome [2026/04/23 10:21] – [Config erstellen oder übernehmen] Sebastian Hetzel
+++ ubuntu:navidrome [2026/04/30 20:56] (aktuell) – [Anwendung installieren] Sebastian Hetzel
@@ Zeile 52: / Zeile 52: @@
 </code>
+==== Logrotate ====
+<file bash /etc/logrotate.d/navidrome>
+/var/log/navidrome.log
+{
+        rotate 14
+        daily
+        missingok
+        notifempty
+        delaycompress
+        compress
+        create 640 navidrome navidrome
+        postrotate
+                if service navidrome status > /dev/null 2>&1; then \
+                    touch /var/log/navidrome.log; \
+                    chown navidrome:navidrome /var/log/navidrome.log; \
+                    service navidrome restart > /dev/null 2>&1; \
+                fi;
+        endscript
+        sharedscripts
+}
+</file>
 ==== Daten wiederherstellen (bei Migration) ====
@@ Zeile 79: / Zeile 101: @@
 mkdir -p /srv/LOSSY_AUDIO
 mkdir -p /srv/PLAYLISTS_NAVIDROME
+mkdir -p /srv/BACKUP_NAVIDROME
+chown -R navidrome:navidrome /srv/BACKUP_NAVIDROME
+chown -R navidrome:navidrome /srv/PLAYLISTS_NAVIDROME
+</code>
+==== Spezialfall music library ====
+Um die Bibliothek automatisiert auf dem Laufenden halten zu können, lege ich einen weiteren Service-User an und vergebe entsprechende Berechtigungen:
+  * navidrome --> lesen
+  * audioadmin --> lesen+schreiben
+=== Gruppen erstellen und berechtigen ===
+<code bash>
+adduser audioadmin
+groupadd losslessaudio
+usermod -aG losslessaudio audioadmin
+usermod -aG losslessaudio navidrome
+</code>
+<code bash>
+chown -R audioadmin:losslessaudio /srv/LOSSLESS_AUDIO
+chmod -R 750 /srv/LOSSLESS_AUDIO
+chmod g+s /srv/LOSSLESS_AUDIO
+</code>
+=== Default Berechtigungen setzen ===
+<code bash>
+apt install acl
+setfacl -d -m u::rwX,g::rX,o::--- /srv/LOSSLESS_AUDIO
+</code>
+==== Service-User der Anwendung zuweisen ====
+<code>
+vi /etc/systemd/system/navidrome.service
+</code>
+<file /etc/systemd/system/navidrome.service>
+[Unit]
+Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
+After=remote-fs.target network.target
+AssertPathExists=/var/lib/navidrome
+[Install]
+WantedBy=multi-user.target
+[Service]
+User=<user>
+Group=<group>
+Type=simple
+ExecStart=/opt/navidrome/navidrome --configfile "/etc/navidrome/navidrome.toml"
+WorkingDirectory=/var/lib/navidrome
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+ReadWritePaths=/var/lib/navidrome
+# You can uncomment the following line if you're not using the jukebox This
+# will prevent navidrome from accessing any real (physical) devices
+#PrivateDevices=yes
+# You can change the following line to `strict` instead of `full` if you don't
+# want navidrome to be able to write anything on your filesystem outside of
+# /var/lib/navidrome.
+ProtectSystem=full
+# You can uncomment the following line if you don't have any media in /home/*.
+# This will prevent navidrome from ever reading/writing anything there.
+#ProtectHome=true
+# You can customize some Navidrome config options by setting environment variables here. Ex:
+#Environment=ND_BASEURL="/navidrome"
+</file>
+<code bash>
+systemctl daemon-reload
+systemctl start navidrome.service
+systemctl status navidrome.service
+</code>
+<code bash>
+systemctl cat navidrome|grep -i user
+User=navidrome
+WantedBy=multi-user.target
 </code>
 ===== Aktualisierung / Update der Server-Applikation =====
@@ Zeile 142: / Zeile 263: @@
 ===== Apache2 als Reverse-Proxy =====
+==== Installation der Pakete ====
-<code apache>
+<code bash>
-<IfModule mod_ssl.c>
+apt update
-<VirtualHost *:443>
+apt install apache2 libapache2-mod-security2
-    ServerName music.example.com
+</code>
-    DocumentRoot /var/www/navidrome/html
-    # Logs
+Module im Apache aktivieren:
-    ErrorLog /var/www/navidrome/logs/error.log
-    CustomLog /var/www/navidrome/logs/access.log combined
-    # Proxy Settings
+<code bash>
-    ProxyPreserveHost On
+a2enmod proxy proxy_http proxy_wstunnel headers rewrite ssl
-    Protocols http/1.1   # HTTP/1.1 erzwingen für stabile Streaming-Verbindungen
+</code>
-    # WebSocket Support (Rewrites nur für Upgrade)
+Dual Stack aktivieren --> ''/etc/apache2/ports.conf''.
-    RewriteEngine On
-    RewriteCond %{HTTP:Upgrade} =websocket [NC]
-    RewriteRule /(.*) ws://127.0.0.1:4533/$1 [P,L]
-    # Normaler Proxy für alle anderen Requests
+<code apache>
-    ProxyPass / http://127.0.0.1:4533/ nocanon
+Listen 80
-    ProxyPassReverse / http://127.0.0.1:4533/
+Listen [::]:80
+Listen 443
+Listen [::]:443
+</code>
-    # Forwarded Headers
+Apache-Version nicht bekannt geben --> ''/etc/apache2/conf-enabled/security.conf''
-    RequestHeader set X-Forwarded-Proto "https"
-    RequestHeader set X-Forwarded-Port "443"
-    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
-    # Connection / Timeout Optimierungen
+<code apache>
-    KeepAlive On
+# ServerTokens
-    MaxKeepAliveRequests 100
+# This directive configures what you return as the Server HTTP response
-    KeepAliveTimeout 5
+# Header. The default is 'Full' which sends information about the OS-Type
-    ProxyTimeout 300
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
-    # Security Headers
+# where Full conveys the most information, and Prod the least.
-    # X-XSS-Protection ist veraltet, kann optional drinbleiben oder entfernt werden
+#ServerTokens Minimal
-    # Header always set X-XSS-Protection "1; mode=block"
+ServerTokens Prod
-    Header always set X-Content-Type-Options "nosniff"
+#ServerTokens Full
-    Header always set Strict-Transport-Security "max-age=31536000"
-    # SSL Certs
-    Include /etc/letsencrypt/options-ssl-apache.conf
-    SSLCertificateFile /etc/letsencrypt/live/music.example.com/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/music.example.com/privkey.pem
-</VirtualHost>
-</IfModule>
 </code>
 ===== ModSecurity-Konfiguration für Apache2 Reverse Proxy vor Navidrome =====
@@ Zeile 208: / Zeile 315: @@
 </code>
+Einbindung in Apache unter ''vi /etc/apache2/mods-enabled/security2.conf''
+<file apache /etc/apache2/mods-enabled/security2.conf>
+<IfModule security2_module>
+        # Default Debian dir for modsecurity's persistent data
+        SecDataDir /var/cache/modsecurity
+        # Include all the *.conf files in /etc/modsecurity.
+        # Keeping your local configuration in that directory
+        # will allow for an easy upgrade of THIS file and
+        # make your life easier
+        IncludeOptional /etc/modsecurity/modsecurity.conf
+        #IncludeOptional /etc/modsecurity/other-rules.conf
+        IncludeOptional /etc/modsecurity/crs/crs-setup.conf
+        IncludeOptional /etc/modsecurity/crs/rules/*.conf
+        # Include OWASP ModSecurity CRS rules if installed
+        # IncludeOptional /usr/share/modsecurity-crs/*.load
+        # Defense against CVE-2021-44228
+        SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:User-Agent"
+        SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:Referer"
+</IfModule>
+</file>
 ==== 2. Hauptkonfiguration ====
@@ Zeile 406: / Zeile 538: @@
 <code apache>
-<VirtualHost *:80>
+<IfModule mod_ssl.c>
-    ServerName music.example.com
+<VirtualHost *:443>
+        ServerName music.example.de
+        ServerAlias music.example.net
+        DocumentRoot /var/www/navidrome/html
-    ProxyPreserveHost On
+        ErrorLog /var/www/navidrome/logs/error.log
-    ProxyPass / http://127.0.0.1:4533/
+        CustomLog /var/www/navidrome/logs/access.log combined
-    ProxyPassReverse / http://127.0.0.1:4533/
-    # Sicherheit
+        ProxyPreserveHost On
-    Header always set X-Frame-Options SAMEORIGIN
+        Protocols http/1.1
-    Header always set X-Content-Type-Options nosniff
+        #ProxyPass "/.well-known/" "!"
-    Header always set X-XSS-Protection "1; mode=block"
-    # Logging
+        # WebSocket-Unterstützung
-    ErrorLog ${APACHE_LOG_DIR}/navidrome_error.log
+        RewriteEngine On
-    CustomLog ${APACHE_LOG_DIR}/navidrome_access.log combined
+        RewriteCond %{HTTP:Upgrade} =websocket [NC]
+        RewriteRule /(.*)           ws://127.0.0.1:4533/$1 [P,L]
+        # Alles andere Proxy
+        ProxyPass / http://127.0.0.1:4533/ nocanon
+        ProxyPassReverse / http://127.0.0.1:4533/
+        RequestHeader set X-Forwarded-Proto "https"
+        RequestHeader set X-Forwarded-Port "443"
+        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+        Header always set X-XSS-Protection "1; mode=block"
+        KeepAlive On
+        MaxKeepAliveRequests 100
+        KeepAliveTimeout 5
+        ProxyTimeout 300
+        Include /etc/letsencrypt/options-ssl-apache.conf
+        Include /etc/modsecurity/navidrome-exclusions.conf
+        SSLCertificateFile  /etc/letsencrypt/live/music.example.de/fullchain.pem
+        SSLCertificateKeyFile  /etc/letsencrypt/live/music.example.de/privkey.pem
+        Header always set Strict-Transport-Security "max-age=31536000"
 </VirtualHost>
+</IfModule>
 </code>
 ==== 7. Test & Debug ====