This is an old revision of the document!
- Navidrome Setup
- oemb1905
- filebrowser-pub
- webmaster@gnulinux.studio
filebrowser-pub
This tutorial is for Debian Trixie users seeking to set up a secure and public-facing Filebrowser instance. This is to assist with uploading and managing music/media on Navidrome, Jellyfin, and other similar instances.
1. Install File Browser (latest)
```bash curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash ```
change the admin user's password:
sudo systemctl stop filebrowser sudo filebrowser users update admin –password yournewpassword sudo systemctl start filebrowser
this is not changing the user filebrowser's password, but rather the admin user's password in the var-based db
2. Create system user
```bash sudo adduser --system --group --no-create-home filebrowser ```
3. Install ACL tools
```bash sudo apt install acl ```
4. Systemd unit (final working version)
`/etc/systemd/system/filebrowser.service` ```ini [Unit] Description=File Browser After=network.target
[Service] User=filebrowser Group=filebrowser WorkingDirectory=/var/lib/filebrowser ExecStart=/usr/local/bin/filebrowser \ --address 127.0.0.1 \ --port 8080 \ --root /opt/navidrome/music \ --database /var/lib/filebrowser/filebrowser.db Restart=always RestartSec=5
[Install] WantedBy=multi-user.target ``` ```bash sudo systemctl daemon-reload sudo systemctl enable --now filebrowser ```
5. Give File Browser permanent write access to the existing Navidrome library
```bash sudo setfacl -R -m u:filebrowser:rwx /opt/navidrome/music sudo setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music ```
6. Apache reverse-proxy vhosts (already present)
HTTP → HTTPS redirect
`nano /etc/apache2/sites-available/upload.gnulinux.studio.conf`
```apache
<VirtualHost *:80>
ServerName upload.gnulinux.studio
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
```
HTTPS reverse proxy
`nano /etc/apache2/sites-available/upload.gnulinux.studio-le-ssl.conf`
```apache
<VirtualHost *:443>
ServerName upload.gnulinux.studio
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/upload.gnulinux.studio/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/upload.gnulinux.studio/privkey.pem
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) ws://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```
Done. https://upload.gnulinux.studio now writes straight into the real, live Navidrome music tree at `/opt/navidrome/music`. Everything appears and plays instantly.
### One-page note to yourself (for the other Navidrome thread)
This entire setup lives on the exact same VM `gnulinux.studio` that already runs Navidrome on the main domain.
- Navidrome is reachable at https://gnulinux.studio (primary vhost) - File Browser is reachable at https://upload.gnulinux.studio (separate Apache vhost, same Let’s Encrypt cert) - File Browser’s `–root` points directly at `/opt/navidrome/music` (Navidrome’s real library – no symlinks, no extra folder) - Write access for the `filebrowser` system user is granted exclusively by two ACL commands:
```bash setfacl -R -m u:filebrowser:rwx /opt/navidrome/music setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music ``` No group membership, no setgid, no cron required for functionality.
- Navidrome continues to own most files and always has group `navidrome`, so it reads everything perfectly. - File Browser creates files as `filebrowser:navidrome` (group inheritance) → Navidrome plays them instantly.
— oemb1905 2025/12/09 03:07
