filebrowser-pub
This tutorial is for Debian Trixie users seeking to set up a secure, public-facing Filebrowser instance. It is meant to assist with uploading and managing music/media on Navidrome, Jellyfin, and other similar instances. Do not proceed with this tutorial until you've learned how to set up a public-facing VM/VPS and harden it appropriately. If you have not done that, start with Apache Survival. So long as that's in place, you can safely begin.

You can install Filebrowser manually, or use their automated bash script. I chose the latter. Make sure to verify the checksums and code before using the pipe-to-bash approach like me:
```bash
curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash
```
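One way to follow that advice, as an added example (not part of the original tutorial or the File Browser project): save the installer to a file, read it, record its SHA-256, and refuse to run any copy whose digest differs. `EXPECTED_SHA256` is a placeholder and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: fetch the installer to a file and run it only if it matches
# the SHA-256 of the copy you reviewed. Function names are hypothetical.
INSTALLER_URL="https://raw.githubusercontent.com/filebrowser/get/master/get.sh"
# Placeholder, not a real digest: after reading get.sh, record its hash with
# `sha256sum get.sh` and paste the 64 hex digits here.
EXPECTED_SHA256="REPLACE_WITH_SHA256_OF_REVIEWED_COPY"

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# Return 0 on match, 1 on mismatch, 2 if the pin or the file is unusable.
verify_sha256() {
    local file expected actual
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    # An unset placeholder or truncated digest must never count as a match.
    if [ "${#expected}" -ne 64 ]; then
        echo "pinned digest is not 64 hex digits" >&2; return 2
    fi
    case "$expected" in *[!0-9a-f]*)
        echo "pinned digest is not 64 hex digits" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch: got $actual" >&2
    return 1
}

# Download over HTTPS only, verify, then execute the verified local copy.
install_filebrowser() {
    local tmp rc
    rc=1
    tmp="$(mktemp)" || return 2
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$INSTALLER_URL" &&
       verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        rc=0
        bash "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Nothing is downloaded unless the script is called with --install.
if [ "${1:-}" = "--install" ]; then install_filebrowser; fi
```

Because the URL tracks `master`, the digest stops matching whenever upstream changes the script, which is the signal to review it again before updating the pin.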
The system will give you an auto-generated user and password upon completion of the installer. Let's change that before we proceed:
```bash
sudo systemctl stop filebrowser
sudo filebrowser users update admin --password yournewpassword
sudo systemctl start filebrowser
```
To be clear, this is invoking the filebrowser service to update the admin user in the SQLite database it just created. The service does, however, require a dedicated simple UNIX user, which we will now create with no home directory and no shell access:
```bash
sudo adduser --system --group --no-create-home filebrowser
```
Once the dedicated user is created, let's create the systemd unit to control starting/stopping the service. Create the unit file with `sudo nano /etc/systemd/system/filebrowser.service` and drop these contents inside:
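```
[Unit]
Description=File Browser
After=network.target

[Service]
User=filebrowser
Group=filebrowser
WorkingDirectory=/var/lib/filebrowser
# Flags taken from the values used elsewhere on this page: the Apache vhost
# proxies to 127.0.0.1:8080 and --root is the Navidrome library.
ExecStart=/usr/local/bin/filebrowser \
    --address 127.0.0.1 \
    --port 8080 \
    --root /opt/navidrome/music
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```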
Once that's in place, load the unit and start the service:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now filebrowser
```
Make sure to customize the unit file for your own use case. For example, you might have a different startup directory, a different listening port, and so on. Once the unit file is created and the service has started, let's make sure that the `acl` package is installed so we can set a custom rule for the filebrowser UNIX user. That is the user the Filebrowser GUI / SQLite database sends commands to via your web session, which is behind a reverse proxy in Apache. Let's get that done:
```bash
sudo apt install acl
sudo setfacl -R -m u:filebrowser:rwx /opt/navidrome/music
sudo setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music
```
This gives the filebrowser user read and write access to every current file (first `setfacl` command) and, through the default ACL, to files created in the future (second `setfacl` command). At this time, filebrowser should be running.

### Apache reverse-proxy vhosts (already present)
HTTP → HTTPS redirect
`nano /etc/apache2/sites-available/upload.gnulinux.studio.conf`
```apache
<VirtualHost *:80>
ServerName upload.gnulinux.studio
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
```
HTTPS reverse proxy
`nano /etc/apache2/sites-available/upload.gnulinux.studio-le-ssl.conf`
```apache
<VirtualHost *:443>
ServerName upload.gnulinux.studio
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/upload.gnulinux.studio/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/upload.gnulinux.studio/privkey.pem
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) ws://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```
Done. https://upload.gnulinux.studio now writes straight into the real, live Navidrome music tree at `/opt/navidrome/music`. Everything appears and plays instantly.
### One-page note to yourself (for the other Navidrome thread)
This entire setup lives on the exact same VM `gnulinux.studio` that already runs Navidrome on the main domain.
- Navidrome is reachable at https://gnulinux.studio (primary vhost)
- File Browser is reachable at https://upload.gnulinux.studio (separate Apache vhost, same Let’s Encrypt cert)
- File Browser’s `--root` points directly at `/opt/navidrome/music` (Navidrome’s real library – no symlinks, no extra folder)
- Write access for the `filebrowser` system user is granted exclusively by two ACL commands:

```bash
setfacl -R -m u:filebrowser:rwx /opt/navidrome/music
setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music
```

No group membership, no setgid, no cron required for functionality.

- Navidrome continues to own most files and always has group `navidrome`, so it reads everything perfectly.
- File Browser creates files as `filebrowser:navidrome` (group inheritance) → Navidrome plays them instantly.
— oemb1905 2025/12/09 03:07