
Navidrome Syncloud app #1

Open: cyberb wants to merge 9 commits into master from wip

cyberb (Member) commented Jun 28, 2026

Packages Navidrome (music streaming, Subsonic/OpenSubsonic compatible) as a Syncloud app. Implements syncloud/platform#741 (supersedes Koel #301).

Auth model

Navidrome has no native OIDC/LDAP — only built-in users and reverse-proxy header auth. A small Go gateway (backend/) bridges Syncloud auth to it:

| Path | Auth | Result |
| --- | --- | --- |
| Web UI /… | OIDC → Authelia | Seamless Syncloud SSO |
| Subsonic /rest/* | LDAP bind of client creds → platform slapd | Android logs in with Syncloud username+password |

Navidrome runs on a unix socket with ND_EXTAUTH_USERHEADER=Remote-User / ND_EXTAUTH_TRUSTEDSOURCES=@; the gateway is the only client and injects a trusted Remote-User after authenticating.

Caveat: Subsonic's default token auth (md5(password+salt)) can't be verified against LDAP; mobile clients must send the password as plaintext/BasicAuth (safe over the platform's HTTPS) to use Syncloud credentials. Token-only clients fall through to navidrome native auth.

Packaging

Follows the modern reference apps (files/audiobookshelf): meta/snap.yaml, cobra CLI hooks, static nginx on web.socket, store-publisher publish, bookworm+buster × amd64/arm64 matrix.

Tests

  • pytest integration: sockets up, web redirects to SSO, Subsonic ping authenticated via LDAP with Syncloud credentials, wrong-password rejected, reinstall.
  • Playwright: full Authelia SSO browser login landing in Navidrome.

Upstream pinned to v0.62.0.

cyberb added 9 commits June 28, 2026 22:26
Navidrome music streaming server (Subsonic/OpenSubsonic compatible), tracking
syncloud/platform#741.

A Go gateway (backend/) fronts navidrome and bridges Syncloud auth to
navidrome's externalized (Remote-User header) auth:
- Web UI: OIDC against the platform Authelia, signed session cookie.
- Subsonic /rest/*: LDAP bind of the client-supplied credentials against the
  platform slapd, so mobile clients log in with Syncloud credentials; token-auth
  clients fall through to navidrome native auth.

navidrome listens on a unix socket with ND_EXTAUTH_USERHEADER=Remote-User and
ND_EXTAUTH_TRUSTEDSOURCES=@; only the gateway talks to it.

Packaging follows the modern reference apps (files/audiobookshelf): meta/snap.yaml,
cobra cli hooks, static nginx, store-publisher publish, bookworm+buster matrix,
pytest integration tests and a Playwright SSO test. Upstream pinned to v0.62.0.

Navidrome auto-creates reverse-proxy users only on the web index (serveIndex ->
handleLoginFromHeaders), not on the Subsonic endpoint, which returns 'data not
found' for unknown users. After a successful LDAP bind, GET /app/ with the
Remote-User header once per user to provision them, then proxy /rest.
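
The Subsonic `/rest/*` decision described in this PR, sketched as an added example; it is not the PR's `backend/` code. `Authorize`, `creds`, `BindFunc`, the three return strings and the sample user are assumptions, the LDAP bind is a stub, and the one-time `GET /app/` provisioning step is left out. The `u`/`p`/`t`/`s` parameters and the `enc:` hex prefix are the Subsonic API's.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// BindFunc is a hypothetical stand-in for the LDAP simple bind against slapd.
type BindFunc func(user, pass string) bool

// creds reads BasicAuth first, then Subsonic u/p (p may be "enc:" + hex).
func creds(r *http.Request) (string, string) {
	if u, p, ok := r.BasicAuth(); ok {
		return u, p
	}
	u, p := r.URL.Query().Get("u"), r.URL.Query().Get("p")
	if strings.HasPrefix(p, "enc:") {
		raw, err := hex.DecodeString(p[len("enc:"):])
		if err != nil {
			return u, "" // malformed hex: treat as no password
		}
		p = string(raw)
	}
	return u, p
}

// Authorize returns "trusted", "native" or "denied" for a /rest/* request.
func Authorize(r *http.Request, bind BindFunc) string {
	r.Header.Del("Remote-User") // Navidrome trusts it: drop any client copy
	u, p := creds(r)
	switch q := r.URL.Query(); {
	case u != "" && p != "": // empty password would be an unauthenticated bind
		if !bind(u, p) {
			return "denied"
		}
		r.Header.Set("Remote-User", u)
		return "trusted"
	case q.Get("t") != "" && q.Get("s") != "":
		return "native" // md5(password+salt) token: left to Navidrome
	}
	return "denied"
}

func main() {
	bind := func(u, p string) bool { return u == "alice" && p == "s3cret" } // constructed
	r, _ := http.NewRequest("GET", "http://gw.invalid/rest/ping?u=alice&p=enc:733363726574", nil)
	fmt.Println(Authorize(r, bind), r.Header.Get("Remote-User"))
}
```

Only a `trusted` result leaves a `Remote-User` header on the request; `native` and `denied` requests reach Navidrome, if at all, without one.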