This commit is contained in:
parent
390bdaaf51
commit
ab11d78ca8
@ -132,6 +132,13 @@ in
|
|||||||
interfaces.enp5s0.name = "eth1";
|
interfaces.enp5s0.name = "eth1";
|
||||||
interfaces.enp6s0.name = "eth2";
|
interfaces.enp6s0.name = "eth2";
|
||||||
interfaces.enp8s0.name = "eth3";
|
interfaces.enp8s0.name = "eth3";
|
||||||
|
|
||||||
|
vlans = {
|
||||||
|
cameras = {
|
||||||
|
id = 3;
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||||
|
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
node-exporter = 188;
|
node-exporter = 188;
|
||||||
step-ca = 198;
|
step-ca = 198;
|
||||||
isponsorblocktv = 199;
|
isponsorblocktv = 199;
|
||||||
|
frigate = 200;
|
||||||
|
|
||||||
## Consistent People
|
## Consistent People
|
||||||
jake = 1000;
|
jake = 1000;
|
||||||
@ -23,6 +24,7 @@
|
|||||||
node-exporter = 188;
|
node-exporter = 188;
|
||||||
step-ca = 198;
|
step-ca = 198;
|
||||||
isponsorblocktv = 199;
|
isponsorblocktv = 199;
|
||||||
|
frigate = 200;
|
||||||
|
|
||||||
## Consistent Groups
|
## Consistent Groups
|
||||||
mediaaccess = 1200;
|
mediaaccess = 1200;
|
||||||
|
@ -39,15 +39,18 @@ in
|
|||||||
|
|
||||||
services = {
|
services = {
|
||||||
openssh.hostKeys = [
|
openssh.hostKeys = [
|
||||||
{ path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
{ path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
||||||
{ path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
{ path = "${cfg.base}/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
||||||
];
|
];
|
||||||
matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
|
matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
|
||||||
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
||||||
};
|
};
|
||||||
|
|
||||||
custom.chia = lib.mkIf config.custom.chia.enable {
|
custom.chia = lib.mkIf config.custom.chia.enable {
|
||||||
path = lib.mkOverride 999 "/data/chia";
|
path = lib.mkOverride 999 "${cfg.base}/chia";
|
||||||
|
};
|
||||||
|
custom.services.frigate = lib.mkIf config.custom.services.frigate.enable {
|
||||||
|
dataPath = lib.mkOverride 999 "${cfg.base}/frigate";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.resilio = lib.mkIf config.services.resilio.enable {
|
services.resilio = lib.mkIf config.services.resilio.enable {
|
||||||
@ -55,7 +58,7 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.plex = lib.mkIf config.services.plex.enable {
|
services.plex = lib.mkIf config.services.plex.enable {
|
||||||
dataDir = lib.mkOverride 999 "/data/plex";
|
dataDir = lib.mkOverride 999 "${cfg.base}/plex";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.home-assistant = lib.mkIf config.services.home-assistant.enable {
|
services.home-assistant = lib.mkIf config.services.home-assistant.enable {
|
||||||
@ -101,18 +104,18 @@ in
|
|||||||
name = x;
|
name = x;
|
||||||
value = {
|
value = {
|
||||||
home = {
|
home = {
|
||||||
persistence."/data/users/${x}" = {
|
persistence."${cfg.base}/users/${x}" = {
|
||||||
allowOther = false;
|
allowOther = false;
|
||||||
|
|
||||||
files = cfg.userExtraFiles.${x} or [ ];
|
files = cfg.userExtraFiles.${x} or [ ];
|
||||||
directories = cfg.userExtraDirs.${x} or [ ];
|
directories = cfg.userExtraDirs.${x} or [ ];
|
||||||
};
|
};
|
||||||
|
|
||||||
sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "/data/users/${x}/.local/share/zoxide"; };
|
sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "${cfg.base}/users/${x}/.local/share/zoxide"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
zsh.history.path = lib.mkOverride 999 "/data/users/${x}/.zsh_history";
|
zsh.history.path = lib.mkOverride 999 "${cfg.base}/users/${x}/.zsh_history";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
@ -122,8 +125,8 @@ in
|
|||||||
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
|
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
|
||||||
(user:
|
(user:
|
||||||
let details = config.users.users.${user}; in [
|
let details = config.users.users.${user}; in [
|
||||||
"d /data/users/${user} 0700 ${user} ${details.group} - -"
|
"d ${cfg.base}/users/${user} 0700 ${user} ${details.group} - -"
|
||||||
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
|
"L ${details.home}/local - ${user} ${details.group} - ${cfg.base}/users/${user}"
|
||||||
])
|
])
|
||||||
cfg.users);
|
cfg.users);
|
||||||
};
|
};
|
||||||
|
@ -21,6 +21,7 @@ in
|
|||||||
services = {
|
services = {
|
||||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
||||||
downloads = "phoenix.st.ts.hillion.co.uk";
|
downloads = "phoenix.st.ts.hillion.co.uk";
|
||||||
|
frigate = "phoenix.st.ts.hillion.co.uk";
|
||||||
gitea = "boron.cx.ts.hillion.co.uk";
|
gitea = "boron.cx.ts.hillion.co.uk";
|
||||||
homeassistant = "stinger.pop.ts.hillion.co.uk";
|
homeassistant = "stinger.pop.ts.hillion.co.uk";
|
||||||
mastodon = "";
|
mastodon = "";
|
||||||
|
@ -33,8 +33,9 @@ in
|
|||||||
86400 NS ns1.hillion.co.uk.
|
86400 NS ns1.hillion.co.uk.
|
||||||
|
|
||||||
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
|
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
|
||||||
restic 21600 CNAME ${config.custom.locations.locations.services.restic}.
|
frigate 21600 CNAME ${config.custom.locations.locations.services.frigate}.
|
||||||
prometheus 21600 CNAME ${config.custom.locations.locations.services.prometheus}.
|
prometheus 21600 CNAME ${config.custom.locations.locations.services.prometheus}.
|
||||||
|
restic 21600 CNAME ${config.custom.locations.locations.services.restic}.
|
||||||
|
|
||||||
deluge.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
deluge.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
||||||
prowlarr.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
prowlarr.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
imports = [
|
imports = [
|
||||||
./authoritative_dns.nix
|
./authoritative_dns.nix
|
||||||
./downloads.nix
|
./downloads.nix
|
||||||
|
./frigate.nix
|
||||||
./gitea/default.nix
|
./gitea/default.nix
|
||||||
./homeassistant.nix
|
./homeassistant.nix
|
||||||
./isponsorblocktv.nix
|
./isponsorblocktv.nix
|
||||||
|
115
modules/services/frigate.nix
Normal file
115
modules/services/frigate.nix
Normal file
@ -0,0 +1,115 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.custom.services.frigate;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.custom.services.frigate = {
|
||||||
|
enable = lib.mkEnableOption "frigate";
|
||||||
|
|
||||||
|
dataPath = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "/var/lib/frigate";
|
||||||
|
};
|
||||||
|
recordingsPath = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "/practical-defiant-coffee/cctv";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
age.secrets."frigate/secrets.env".file = ../../secrets/frigate/secrets.env.age;
|
||||||
|
|
||||||
|
services.caddy = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
virtualHosts."frigate.ts.hillion.co.uk" = {
|
||||||
|
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||||
|
extraConfig = ''
|
||||||
|
reverse_proxy unix///run/nginx-frigate/nginx.sock
|
||||||
|
|
||||||
|
tls {
|
||||||
|
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.frigate = {
|
||||||
|
group = "frigate";
|
||||||
|
home = cfg.dataPath;
|
||||||
|
createHome = true;
|
||||||
|
uid = config.ids.uids.frigate;
|
||||||
|
};
|
||||||
|
users.groups.frigate.gid = config.ids.gids.frigate;
|
||||||
|
|
||||||
|
users.users.nginx = {
|
||||||
|
group = "nginx";
|
||||||
|
uid = config.ids.uids.nginx;
|
||||||
|
};
|
||||||
|
users.groups.nginx.gid = config.ids.gids.nginx;
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /run/nginx-frigate 0750 nginx caddy - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
containers."frigate" = {
|
||||||
|
autoStart = true;
|
||||||
|
ephemeral = true;
|
||||||
|
|
||||||
|
macvlans = [ "cameras" ];
|
||||||
|
bindMounts = {
|
||||||
|
"/run/agenix/frigate/secrets.env".hostPath = config.age.secrets."frigate/secrets.env".path;
|
||||||
|
"/run/nginx-frigate" = { hostPath = "/run/nginx-frigate"; isReadOnly = false; };
|
||||||
|
|
||||||
|
"/var/lib/frigate" = { hostPath = cfg.dataPath; isReadOnly = false; };
|
||||||
|
"/media/frigate/recordings" = { hostPath = cfg.recordingsPath; isReadOnly = false; };
|
||||||
|
};
|
||||||
|
|
||||||
|
config = (hostConfig: { config, pkgs, ... }: {
|
||||||
|
config = {
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
|
||||||
|
networking.interfaces.mv-cameras.useDHCP = true;
|
||||||
|
|
||||||
|
users.users.frigate.uid = hostConfig.ids.uids.frigate;
|
||||||
|
users.groups.frigate.gid = hostConfig.ids.gids.frigate;
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."frigate.ts.hillion.co.uk".listen = lib.mkForce [
|
||||||
|
{ addr = "unix:/run/nginx-frigate/nginx.sock"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
services.frigate = {
|
||||||
|
enable = true;
|
||||||
|
hostname = "frigate.ts.hillion.co.uk";
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
record = {
|
||||||
|
enabled = true;
|
||||||
|
retain.mode = "motion";
|
||||||
|
};
|
||||||
|
|
||||||
|
cameras = {
|
||||||
|
living_room = {
|
||||||
|
enabled = true;
|
||||||
|
ffmpeg.inputs = [
|
||||||
|
{
|
||||||
|
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/h264Preview_01_sub";
|
||||||
|
roles = [ "detect" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/";
|
||||||
|
roles = [ "record" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.frigate.unitConfig.EnvironmentFile = "/run/agenix/frigate/secrets.env";
|
||||||
|
};
|
||||||
|
}) config;
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
31
secrets/frigate/secrets.env.age
Normal file
31
secrets/frigate/secrets.env.age
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa JSzstA
|
||||||
|
UxtA9OeecK4nVLsDq1BVy1NnWzf4ITfGqQdd31u1iTDhKhPmg8bvu4TuiVn+hD7/
|
||||||
|
B2Ar0GOHXH/JB882Q8o2D2DlkVYfwkGmtSxnw/p/um05+l59JGi6zAkw3uSAGrMF
|
||||||
|
rdte3EdlRrxCImxJVp6AvXEH3kXjT1BtDVBwARpLBGAONc++rwDIFeP56ras4hIa
|
||||||
|
H2JReFBethNMMZCOa0jH1nUDoRVohdt2wD2KO4LuOxTK0qkRxky4Pwt/+MP26X4j
|
||||||
|
Uo2FRLrgBb4DlqeNz9EQEnJeRS1Pz6GbzfqZi7f1LUoa5ifKuBobPe2sDBDvE0RR
|
||||||
|
jFAHZp1Nir/FXEkfjPw2uOfdCUZRLQ2OQ5JLlb0BKo5hV202eGCTY3Fhf34JYkE2
|
||||||
|
n++1I5oX2dX1qY9KDpj+LMASKWHtC7ayei9Mcr4Ee7m/dGq9y7Ipjw5aliFJd74n
|
||||||
|
23idt0MgZbM6GPcqig/Mbz1EQTGwu99HN5wAp8jxusjAkMfmmqosLtkUii4hvKCa
|
||||||
|
7YnbOJT/6AofZucuylfrJpD3uzkEyaKVlNeZUU82ROSKZK6VdILLB8WfWAMPAsH9
|
||||||
|
bLXHtcUo3nF/eQ4P8DZhJM/8tUdg0at4LW4Rb/wQX72xMB2l0F6sqS741f5jjqN3
|
||||||
|
gL0tSpYQXtB3ni1mBbj2jKq8+UUP6NpDwOU5p5pfK+I
|
||||||
|
-> ssh-rsa GxPFJQ
|
||||||
|
cNBRc51b5Pw2KQq+EHQ4tCGSQQu+JMZHpJjoSAPx5sLd1DgGhE1x1F9h9CuSRFZh
|
||||||
|
J6fh5xtr9l0rzae/IgSQgfaaq4KVgIC/TIiyLX1VN1MSgbrisMAFA1fu0N/mTJGJ
|
||||||
|
XEiZI3RebiBxnfS3yJpBAdsFvZDw6o0xD2d1rSzN2dKFKNr9XGPNX1wUqERnWVQF
|
||||||
|
B5fRpNiWygGPdBaXYDc5OC49vlCAkldaU2EvA1wEuesdTDDn9nisqAlgBBYXEDWq
|
||||||
|
EBGgiITNyz+wI7ncSVW6JWr5TFfDNEtqGo1JS8nYnpVNHTgU4PbTpqq5fvlAy+hI
|
||||||
|
gyIR51YZaJZNQhrQ/N4KYw
|
||||||
|
-> ssh-rsa K9mW1w
|
||||||
|
c9vvvWH+MrbfNifQYOsfhiw1Ie6npjBVCMrx8YZJwtVmRy3RYjXYn6zcFH+xzSGr
|
||||||
|
tC0WPwyQ1dqgUNTUdvxaGrSayo5WF2CNosjc66eMrqyG72pcpJwAqlNbWbDNHbm9
|
||||||
|
nE3c6XBv0WnEq7G+nkRx0luD96twkor4LVzDa37MUtljNqJo1Puv2AcEylEqXCUX
|
||||||
|
bKN78TlUOhCpec93ZIxQoE71+26qqpGNnwyTQkHII/RzMKZGQjtmdRtQiUPzVmxT
|
||||||
|
/3WjnQm4vbeKjOeBjjIdV1Wc7dykBRE7rq/Oe8AGl/7FAnbe6c2Bav50OOL5/Tbo
|
||||||
|
Fe5TZbOwFDc1ob3IezRI5Q
|
||||||
|
-> ssh-ed25519 RR/L5A Mvv5Y3bd2IqR1cffLQbJ3WuJCoGMpJaqf/TvV0kcYQs
|
||||||
|
jRBAHCUuW6hBsuv0VjR+uSKmmqK5rsU4vUIuNHQyAiE
|
||||||
|
--- /Xx07JneqPgZUC0LrtSMMHAt9eSoB0KUHxQ+j8mkr6c
|
||||||
|
).<2E><><EFBFBD>*<2A><><EFBFBD>?$M<15><>e1<65><31>"v84<38><34><EFBFBD><EFBFBD><EFBFBD><<3C>ގJ+<2B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ۃ<EFBFBD>Q<EFBFBD>"ӵz<D3B5>"<22><>ǠB,<2C><><EFBFBD><EFBFBD><01><>^k<><6B>I<EFBFBD>,<2C>B
|
@ -143,4 +143,7 @@ in
|
|||||||
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
|
|
||||||
|
# Frigate secrets
|
||||||
|
"frigate/secrets.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user