diff --git a/modules/homelab/arr.nix b/modules/homelab/arr.nix
index 7baad72..9aab9b2 100644
--- a/modules/homelab/arr.nix
+++ b/modules/homelab/arr.nix
@@ -35,6 +35,7 @@ in {
     oauth2-proxy.nginx.virtualHosts = {
       "radarr.nickolaj.com".allowed_groups = ["arr"];
       "sonarr.nickolaj.com".allowed_groups = ["arr"];
+      "lidarr.nickolaj.com".allowed_groups = ["arr"];
       "prowlarr.nickolaj.com".allowed_groups = ["arr"];
       "sabnzbd.nickolaj.com".allowed_groups = ["arr"];
       "bazarr.nickolaj.com".allowed_groups = ["arr"];
@@ -42,6 +43,7 @@ in {
     nginx.virtualHosts = {
       "radarr.nickolaj.com" = mkVirtualHost 7878;
       "sonarr.nickolaj.com" = mkVirtualHost 8989;
+      "lidarr.nickolaj.com" = mkVirtualHost 8686;
       "prowlarr.nickolaj.com" = mkVirtualHost 9696;
       "sabnzbd.nickolaj.com" = mkVirtualHost 8080;
       "bazarr.nickolaj.com" = mkVirtualHost config.services.bazarr.listenPort;
@@ -51,6 +53,7 @@ in {
       paths = [
         "/var/lib/radarr"
         "/var/lib/sonarr"
+        "/var/lib/lidarr"
         "/var/lib/prowlarr"
         "/var/lib/sabnzbd"
         "/var/lib/bazarr"
@@ -76,6 +79,10 @@ in {
       inherit user group;
       enable = true;
     };
+    lidarr = {
+      inherit user group;
+      enable = true;
+    };
     bazarr = {
       inherit user group;
       enable = true;
diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix
index b3dd8b6..160a477 100644
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -12,6 +12,7 @@
     ./home-assistant
     ./jellyfin.nix
     ./nextcloud.nix
+    ./navidrome.nix
     ./nginx.nix
     ./plex.nix
     ./postgres.nix
diff --git a/modules/homelab/glance.nix b/modules/homelab/glance.nix
index c3534cd..27fc3ab 100644
--- a/modules/homelab/glance.nix
+++ b/modules/homelab/glance.nix
@@ -204,6 +204,12 @@ in {
                       icon = "sh:jellyfin";
                       same-tab = true;
                     }
+                    {
+                      title = "Navidrome";
+                      url = "https://navidrome.nickolaj.com";
+                      icon = "sh:navidrome";
+                      same-tab = true;
+                    }
                     {
                       title = "Audiobookshelf";
                       url = "https://audiobookshelf.nickolaj.com";
@@ -234,6 +240,12 @@ in {
                       icon = "sh:radarr";
                       same-tab = true;
                     }
+                    {
+                      title = "Lidarr";
+                      url = "https://lidarr.nickolaj.com";
+                      icon = "sh:lidarr";
+                      same-tab = true;
+                    }
                     {
                       title = "SABnzbd";
                       url = "https://sabnzbd.nickolaj.com";
diff --git a/modules/homelab/navidrome.nix b/modules/homelab/navidrome.nix
new file mode 100644
index 0000000..7c01fcb
--- /dev/null
+++ b/modules/homelab/navidrome.nix
@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  pkgsUnstable,
+  ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
+  domain = "navidrome.nickolaj.com";
+in {
+  age.secrets.navidrome-env.rekeyFile = ../../secrets/hosts/homelab/navidrome-env.age;
+
+  services.restic.backups.homelab.paths = ["/var/lib/navidrome"];
+
+  services.oauth2-proxy.nginx.virtualHosts."${domain}".allowed_groups = ["default"];
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:4533/";
+      proxyWebsockets = true;
+      extraConfig = ''
+        auth_request_set $email  $upstream_http_x_auth_request_email;
+        proxy_set_header Remote-User $email;
+      '';
+    };
+    locations."^~ /rest" = {
+      proxyPass = "http://localhost:4533";
+      proxyWebsockets = true;
+      extraConfig = ''
+        auth_request off;
+      '';
+    };
+  };
+
+  services.navidrome = {
+    enable = true;
+    package = pkgsUnstable.navidrome;
+    user = "media";
+    group = "media";
+    environmentFile = config.age.secrets.navidrome-env.path;
+    settings = {
+      Address = "127.0.0.1";
+      Port = 4533;
+      MusicFolder = "/mnt/data/music";
+      ScanSchedule = "@every 1m";
+      LogLevel = "info";
+      "ExtAuth.Enabled" = true;
+      "ExtAuth.TrustedSources" = "127.0.0.1/32";
+      "ExtAuth.UserHeader" = "Remote-User";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /mnt/data/music 0775 media media -"
+    "Z /var/lib/navidrome 0750 media media -"
+  ];
+})
diff --git a/secrets/hosts/homelab/.rekey/c8d21a8ed0525e4c28ef8e35ecbeb72d-navidrome-env.age b/secrets/hosts/homelab/.rekey/c8d21a8ed0525e4c28ef8e35ecbeb72d-navidrome-env.age
new file mode 100644
index 0000000..b7a2e52
--- /dev/null
+++ b/secrets/hosts/homelab/.rekey/c8d21a8ed0525e4c28ef8e35ecbeb72d-navidrome-env.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 uxq+Zw G43zU8Bc1xcX4Pm/+pLT1CfhPikNtI/hMJqNh/u183o
+Y+ce9JA+bxJ22P2j+3ouAu3UGw+fEy++uuH2HStXZJM
+-> Us;4;Zi.-grease
+nMe8j9RaWaK/MB09igNgyiZ6O1E9l5DMb6/Wny1Q29f83h0zSYhpcGsUKiDNDUnT
+c21SGAjizVHu6Z8/puWRaTtwwEd89zpOUtruGNYHKgq3bXSssJFuVZlzSFno
+--- Kfq5bT2zU65mLR/e1dzjg6wbVUeAD4j4MgW41gzolKM
+*
+àœ!ßoiàõT{Èrëãu£$"E’bEØE‰M’Ê¼ÅA®Å¯KGê7tZðèùnf¹¦°Ë%yÓN»²ûHoL]á##­b<\ï­…~óN”-Pû·‹Àv_îŒŸDÙ,;&/ñØ¼ÍëÏ±9èÛŒÂ-yZ½Ó)¬ «›
\ No newline at end of file
diff --git a/secrets/hosts/homelab/navidrome-env.age b/secrets/hosts/homelab/navidrome-env.age
new file mode 100644
index 0000000..96456e0
--- /dev/null
+++ b/secrets/hosts/homelab/navidrome-env.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 bPfMaICL+3Yo+CuDJPjQN7TJ5qZeeLwnl1TUATu4oxQ
+VN1N3/VVa7IFr63gch6cnWhFYKYiyxyXW0G6bPJvdGY
+-> piv-p256 q3LNVw AyGL7IbZcedMl+eLiFbI3/5PHPwNm7OHFP1xfVYDnbG2
+uncsFtZHyg5fJi2CEZQkMqE8uiXi732Hesznxaip1f4
+-> ]~7j|W-grease
+t5BfDdAbHkgAWJ56ip2t4plT6BdWd3h81jOU
+--- 8K3WaiKk00MQ46kuRagBUq5WXprPc0L8yxCzSXZX8VI
+‹8×yh8-6I\õPâo!ÌæÔíÒla²œpqe¾6¾ø+[Ábj±ü³–ô{1ÉÅ¡$ûïß­œ'Zéoá‘=Ž0šœ;©Ê»—¢ø,ù»7³®§Ú;•J’N[íÒ®Ê£ÞÌpbâï-"p,3vuÒíˆNƒ;8H‰±Qž
\ No newline at end of file