Applications AWS

Navidrome on AWS User Guide

Last updated: 2026-06-12

Navidrome on AWS

This image delivers Navidrome 0.62, the popular open source self-hosted music streaming server, fully installed and reverse-proxied with nginx. Navidrome streams your own music collection from anywhere through a fast, modern web player or any Subsonic-compatible mobile and desktop app, with on-the-fly transcoding provided by ffmpeg.

The Navidrome server is a single self-contained Go binary with an embedded SQLite datastore and a bundled web player. It runs under systemd, listening on the loopback interface, with nginx in front on port 80 (and 443 once you add TLS). The music library, database and transcoding cache live on a dedicated, independently-resizable EBS data volume mounted at /var/lib/navidrome, separate from the operating system disk.

Secure by default - you create the admin account

Navidrome has no default administrator, and this image does not bake one in. The AMI ships at Navidrome's built-in first-visit create-admin form. The very first time you browse to your instance you create your own admin account with your own username and password. No shared credentials, no database rows and no media files ship in the image - every instance starts as a clean slate that only you secure.

Navidrome first-visit create-admin form

Connecting to your instance

Connect over SSH on port 22 using the default login user for your operating system variant and the EC2 key pair you launched with.

OS variant	SSH login user	Example
Ubuntu 24.04	`ubuntu`	`ssh -i your-key.pem ubuntu@<instance-public-ip>`

Replace <instance-public-ip> with your instance's public IPv4 address (or its private address if you reach it over a VPN or Direct Connect).

First visit - create your admin account

Open Navidrome in your browser:

http://<instance-public-ip>/

You are taken to the create an admin user form. Enter a username (letters and numbers only), choose a strong password and click Create Admin. Because the database is empty, this first account is the administrator.

That single step secures your instance. You are signed straight in, and the create-admin form will never appear again for this instance - subsequent visits show the sign-in page.

Enable HTTPS before exposing the instance to the public internet (see the TLS section below). Until then, treat the password you set here as you would any credential sent over plain HTTP.

Uploading your music library

Navidrome serves the music it finds under /var/lib/navidrome/music on the dedicated data volume. Copy your collection in over SSH from your workstation - for example with rsync (replace the placeholders with your own paths and address):

rsync -av --chown=navidrome:navidrome -e "ssh -i your-key.pem" /path/to/your/music/ ubuntu@<instance-public-ip>:/tmp/music-upload/

Then move it into the library and hand ownership to the service account:

sudo rsync -a --chown=navidrome:navidrome /tmp/music-upload/ /var/lib/navidrome/music/ && rm -rf /tmp/music-upload

Navidrome watches the library and picks up new files automatically; it also performs a scan at startup, so sudo systemctl restart navidrome after a large import gives you an immediate full scan. Organise files as Artist/Album/track.ext for the cleanest results - Navidrome reads the embedded tags (ID3, Vorbis, MP4) for artist, album, artwork and more. MP3, FLAC, OGG, OPUS, AAC/M4A, WMA and WAV are all supported, and ffmpeg transcodes anything a client cannot play natively.

The web player

Once your library is scanned, the Albums view shows your collection with cover art, ready to filter, search, rate and shuffle:

The Navidrome album library with cover art

Open an album and press Play to start streaming - the player bar at the bottom carries the queue, seek bar, volume, repeat and shuffle controls, and a Love (favourite) button:

The Navidrome web player streaming a track

Build playlists from any selection of songs, browse by artist or genre, and use Sharing options to publish individual albums or playlists. User management (for adding family members or friends, each with their own account) is under Settings - Users in the top-right menu.

Subsonic-compatible apps

Navidrome implements the Subsonic API, so dozens of mobile and desktop clients work out of the box - point the app at http://<instance-public-ip>/ (or your HTTPS domain once TLS is enabled) and sign in with your Navidrome username and password. The Subsonic endpoint responds at /rest/ping.view.

Managing the services

Navidrome runs as two systemd units - the Go server and nginx:

systemctl status navidrome nginx

The Navidrome server listens only on the loopback interface; nginx is the only service bound to a public port:

ss -tlnp | grep -E ':80 |:4533 '

LISTEN 0 4096 127.0.0.1:4533 0.0.0.0:* users:(("navidrome",...))
LISTEN 0 511  0.0.0.0:80     0.0.0.0:* users:(("nginx",...))

A health endpoint is served (and proxied by nginx) for monitoring:

curl -s -o /dev/null -w '%{http_code}\n' http://localhost/ping

Configuration is supplied through ND_* environment variables in /etc/systemd/system/navidrome.service (address, port, music folder, data folder, cache folder). The full option reference is in the Navidrome documentation; after editing the unit run sudo systemctl daemon-reload && sudo systemctl restart navidrome.

The data volume

The music library (music/), Navidrome's SQLite database (data/navidrome.db) and the transcoding cache (cache/) live on a dedicated EBS volume mounted at /var/lib/navidrome, which is independently resizable and kept separate from the OS disk:

df -h /var/lib/navidrome

Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme1n1     49G  ...        ...% /var/lib/navidrome

The volume is mounted by its filesystem UUID in /etc/fstab, so the mount is stable across reboots and instance re-launches. To grow it as your collection grows, resize the EBS volume in the AWS console, then run sudo resize2fs /dev/nvme1n1 (substitute the device shown by lsblk). Snapshot the EBS volume (or back up /var/lib/navidrome) to protect your library and play history.

Enabling HTTPS with Let's Encrypt

For production use, terminate TLS at nginx. Point a DNS A record at the instance's public IP, then install certbot:

sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx

Run certbot interactively and follow its prompts (it edits the nginx site for you). Replace the placeholders with your own domain and email:

sudo certbot --nginx -d your-domain.example.com -m you@example.com --agree-tos

certbot configures the HTTPS server block and sets up automatic renewal. After it completes, Navidrome is available at https://your-domain.example.com/ - use that address in your Subsonic apps too. Make sure your security group allows inbound TCP 443.

Upgrading Navidrome

Navidrome is installed as a single Go binary at /usr/local/bin/navidrome. To upgrade, download the new release's navidrome_<version>_linux_amd64.tar.gz from the official GitHub releases, replace the binary and restart the service. Always snapshot the data volume first, as the database schema migrates on start. cloudimg support can assist with planning and performing upgrades.

Support

This Amazon Machine Image is provided by cloudimg with 24/7 technical support covering deployment, upgrades, library migration, transcoding configuration and TLS termination. Contact us through your AWS Marketplace seller support channel.

Navidrome is a trademark of its respective owner. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.