diff --git a/.sops.yaml b/.sops.yaml
index dd882ca..649c351 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
   - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
   - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
   - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
   - path_regex: hosts/toaster/[^/]+\.yaml$
     key_groups:
@@ -66,3 +67,9 @@ creation_rules:
         - *admin_oxa
         age:
         - *conduwuit
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *stream
diff --git a/flake.nix b/flake.nix
index ddde63b..2b085bc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
             "forgejo"
             "miniflux"
             "radicale"
+            "stream"
           ];
           microvm-unstable-list = [
             "auth"
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 9994da4..6cf0151 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -60,5 +60,37 @@ in
     '';
 
     virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
+
+        virtualHosts."music.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+
+          @protected not path /share/* /rest/*
+          forward_auth @protected 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+
+
+          @subsonic path /rest/*
+          forward_auth @subsonic 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              @error status 1xx 3xx 4xx 5xx
+              handle_response @error {
+                  respond <<SUBSONICERR
+                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
+                    <error code="40" message="Invalid credentials or unsupported client"></error>
+                  </subsonic-response>
+                  SUBSONICERR 200
+              }
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.17:4533
+
+    '';
+
   };
 }
diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix
new file mode 100644
index 0000000..4543466
--- /dev/null
+++ b/hosts/stream/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "02:00:00:00:00:07";
+in
+{
+  imports = [
+    ./navidrome.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+
+  microvm = {
+    hypervisor = "qemu";
+    mem = 4 * 1024;
+    vcpu = 3;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-stream";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig = {
+        Address = "10.99.99.17/24";
+        DHCP = "no";
+      };
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "stream";
+  system.stateVersion = "25.05";
+}
diff --git a/hosts/stream/navidrome.nix b/hosts/stream/navidrome.nix
new file mode 100644
index 0000000..0b1cd07
--- /dev/null
+++ b/hosts/stream/navidrome.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "10.89.88.17";
+      BaseUrl = "/";
+      EnableExternalServices = false;
+      MusicFolder = "/var/lib/navidrome/music";
+      Port = 4533;
+      ScanSchedule = "@every 11m";
+      TranscodingCacheSize = "11GiB";
+      ReverseProxyWhitelist = "10.89.88.1/24";
+    };
+  };
+}
diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml
new file mode 100644
index 0000000..a75b120
--- /dev/null
+++ b/hosts/stream/secrets.yaml
@@ -0,0 +1,38 @@
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
+sops:
+    age:
+        - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
+            QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
+            S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
+            K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
+            WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-12T22:54:11Z"
+    mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
+    pgp:
+        - created_at: "2025-06-12T22:51:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
+            th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
+            HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
+            vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
+            WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
+            uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
+            DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
+            bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
+            lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
+            A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
+            GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
+            XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
+            ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
+            =fEVm
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 3b92b8d..7427829 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -71,6 +71,14 @@
           publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
           privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
         };
+        "stream" = {
+          address = [
+            "10.89.88.17/24"
+            "fd31:185d:722f::17/48"
+          ];
+          publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+        };
       };
     }
   ];