frigate: initial setup
All checks were successful
flake / flake (push) Successful in 1m40s

This commit is contained in:
Jake Hillion 2024-11-09 22:26:10 +00:00
parent 390bdaaf51
commit cca48e267d
10 changed files with 190 additions and 11 deletions

View File

@ -132,6 +132,13 @@ in
interfaces.enp5s0.name = "eth1"; interfaces.enp5s0.name = "eth1";
interfaces.enp6s0.name = "eth2"; interfaces.enp6s0.name = "eth2";
interfaces.enp8s0.name = "eth3"; interfaces.enp8s0.name = "eth3";
vlans = {
cameras = {
id = 3;
interface = "eth0";
};
};
}; };
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers

View File

@ -290,7 +290,7 @@
subnet = "10.133.145.0/24"; subnet = "10.133.145.0/24";
interface = "cameras"; interface = "cameras";
pools = [{ pools = [{
pool = "10.133.145.64 - 10.133.145.254"; pool = "10.133.145.64 - 10.133.145.253";
}]; }];
option-data = [ option-data = [
{ {

View File

@ -10,6 +10,7 @@
node-exporter = 188; node-exporter = 188;
step-ca = 198; step-ca = 198;
isponsorblocktv = 199; isponsorblocktv = 199;
frigate = 200;
## Consistent People ## Consistent People
jake = 1000; jake = 1000;
@ -23,6 +24,7 @@
node-exporter = 188; node-exporter = 188;
step-ca = 198; step-ca = 198;
isponsorblocktv = 199; isponsorblocktv = 199;
frigate = 200;
## Consistent Groups ## Consistent Groups
mediaaccess = 1200; mediaaccess = 1200;

View File

@ -39,15 +39,18 @@ in
services = { services = {
openssh.hostKeys = [ openssh.hostKeys = [
{ path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } { path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
{ path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; } { path = "${cfg.base}/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
]; ];
matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse"; matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
gitea.stateDir = "${cfg.base}/system/var/lib/gitea"; gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
}; };
custom.chia = lib.mkIf config.custom.chia.enable { custom.chia = lib.mkIf config.custom.chia.enable {
path = lib.mkOverride 999 "/data/chia"; path = lib.mkOverride 999 "${cfg.base}/chia";
};
custom.services.frigate = lib.mkIf config.custom.services.frigate.enable {
dataPath = lib.mkOverride 999 "${cfg.base}/frigate";
}; };
services.resilio = lib.mkIf config.services.resilio.enable { services.resilio = lib.mkIf config.services.resilio.enable {
@ -55,7 +58,7 @@ in
}; };
services.plex = lib.mkIf config.services.plex.enable { services.plex = lib.mkIf config.services.plex.enable {
dataDir = lib.mkOverride 999 "/data/plex"; dataDir = lib.mkOverride 999 "${cfg.base}/plex";
}; };
services.home-assistant = lib.mkIf config.services.home-assistant.enable { services.home-assistant = lib.mkIf config.services.home-assistant.enable {
@ -101,18 +104,18 @@ in
name = x; name = x;
value = { value = {
home = { home = {
persistence."/data/users/${x}" = { persistence."${cfg.base}/users/${x}" = {
allowOther = false; allowOther = false;
files = cfg.userExtraFiles.${x} or [ ]; files = cfg.userExtraFiles.${x} or [ ];
directories = cfg.userExtraDirs.${x} or [ ]; directories = cfg.userExtraDirs.${x} or [ ];
}; };
sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "/data/users/${x}/.local/share/zoxide"; }; sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "${cfg.base}/users/${x}/.local/share/zoxide"; };
}; };
programs = { programs = {
zsh.history.path = lib.mkOverride 999 "/data/users/${x}/.zsh_history"; zsh.history.path = lib.mkOverride 999 "${cfg.base}/users/${x}/.zsh_history";
}; };
}; };
}); });
@ -122,8 +125,8 @@ in
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
(user: (user:
let details = config.users.users.${user}; in [ let details = config.users.users.${user}; in [
"d /data/users/${user} 0700 ${user} ${details.group} - -" "d ${cfg.base}/users/${user} 0700 ${user} ${details.group} - -"
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}" "L ${details.home}/local - ${user} ${details.group} - ${cfg.base}/users/${user}"
]) ])
cfg.users); cfg.users);
}; };

View File

@ -21,6 +21,7 @@ in
services = { services = {
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ]; authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
downloads = "phoenix.st.ts.hillion.co.uk"; downloads = "phoenix.st.ts.hillion.co.uk";
frigate = "phoenix.st.ts.hillion.co.uk";
gitea = "boron.cx.ts.hillion.co.uk"; gitea = "boron.cx.ts.hillion.co.uk";
homeassistant = "stinger.pop.ts.hillion.co.uk"; homeassistant = "stinger.pop.ts.hillion.co.uk";
mastodon = ""; mastodon = "";

View File

@ -33,8 +33,9 @@ in
86400 NS ns1.hillion.co.uk. 86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk. ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
restic 21600 CNAME ${config.custom.locations.locations.services.restic}. frigate 21600 CNAME ${config.custom.locations.locations.services.frigate}.
prometheus 21600 CNAME ${config.custom.locations.locations.services.prometheus}. prometheus 21600 CNAME ${config.custom.locations.locations.services.prometheus}.
restic 21600 CNAME ${config.custom.locations.locations.services.restic}.
deluge.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}. deluge.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
prowlarr.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}. prowlarr.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.

View File

@ -4,6 +4,7 @@
imports = [ imports = [
./authoritative_dns.nix ./authoritative_dns.nix
./downloads.nix ./downloads.nix
./frigate.nix
./gitea/default.nix ./gitea/default.nix
./homeassistant.nix ./homeassistant.nix
./isponsorblocktv.nix ./isponsorblocktv.nix

View File

@ -0,0 +1,130 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.frigate;
in
{
options.custom.services.frigate = {
enable = lib.mkEnableOption "frigate";
dataPath = lib.mkOption {
type = lib.types.str;
default = "/var/lib/frigate";
};
recordingsPath = lib.mkOption {
type = lib.types.str;
default = "/practical-defiant-coffee/cctv";
};
};
config = lib.mkIf cfg.enable {
age.secrets."frigate/secrets.env".file = ../../secrets/frigate/secrets.env.age;
services.caddy = {
enable = true;
virtualHosts."frigate.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = ''
reverse_proxy unix///run/nginx-frigate/nginx.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
};
};
users.users.frigate = {
group = "frigate";
home = cfg.dataPath;
createHome = true;
uid = config.ids.uids.frigate;
};
users.groups.frigate.gid = config.ids.gids.frigate;
users.users.nginx = {
group = "nginx";
uid = config.ids.uids.nginx;
};
users.groups.nginx.gid = config.ids.gids.nginx;
systemd.tmpfiles.rules = [
"d /run/nginx-frigate 0750 nginx caddy - -"
];
containers."frigate" = {
autoStart = true;
ephemeral = true;
additionalCapabilities = [ "CAP_NET_ADMIN" ];
macvlans = [ "cameras" ];
bindMounts = {
"/run/agenix/frigate/secrets.env".hostPath = config.age.secrets."frigate/secrets.env".path;
"/run/nginx-frigate" = { hostPath = "/run/nginx-frigate"; isReadOnly = false; };
"/var/lib/frigate" = { hostPath = cfg.dataPath; isReadOnly = false; };
"/media/frigate/recordings" = { hostPath = cfg.recordingsPath; isReadOnly = false; };
};
config = (hostConfig: { config, pkgs, ... }: {
config = {
system.stateVersion = "24.05";
systemd.network = {
enable = true;
networks."10-cameras" = {
matchConfig.Name = "mv-cameras";
networkConfig.DHCP = "ipv4";
dhcpV4Config.ClientIdentifier = "mac";
linkConfig.MACAddress = "00:b7:43:f3:81:a0";
};
};
services.resolved.enable = false;
users.users.frigate.uid = hostConfig.ids.uids.frigate;
users.groups.frigate.gid = hostConfig.ids.gids.frigate;
services.nginx.virtualHosts."frigate.ts.hillion.co.uk".listen = lib.mkForce [
{ addr = "unix:/run/nginx-frigate/nginx.sock"; }
];
services.frigate = {
enable = true;
hostname = "frigate.ts.hillion.co.uk";
settings = {
record = {
enabled = true;
retain.mode = "motion";
};
cameras = {
living_room = {
enabled = true;
onvif = {
host = "10.133.145.2";
user = "admin";
password = "{FRIGATE_RTSP_PASSWORD}";
};
ffmpeg.inputs = [
{
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/h264Preview_01_sub";
roles = [ "detect" ];
}
{
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/";
roles = [ "record" ];
}
];
};
};
};
};
systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate/secrets.env";
};
}) config;
};
};
}

View File

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-rsa JSzstA
UxtA9OeecK4nVLsDq1BVy1NnWzf4ITfGqQdd31u1iTDhKhPmg8bvu4TuiVn+hD7/
B2Ar0GOHXH/JB882Q8o2D2DlkVYfwkGmtSxnw/p/um05+l59JGi6zAkw3uSAGrMF
rdte3EdlRrxCImxJVp6AvXEH3kXjT1BtDVBwARpLBGAONc++rwDIFeP56ras4hIa
H2JReFBethNMMZCOa0jH1nUDoRVohdt2wD2KO4LuOxTK0qkRxky4Pwt/+MP26X4j
Uo2FRLrgBb4DlqeNz9EQEnJeRS1Pz6GbzfqZi7f1LUoa5ifKuBobPe2sDBDvE0RR
jFAHZp1Nir/FXEkfjPw2uOfdCUZRLQ2OQ5JLlb0BKo5hV202eGCTY3Fhf34JYkE2
n++1I5oX2dX1qY9KDpj+LMASKWHtC7ayei9Mcr4Ee7m/dGq9y7Ipjw5aliFJd74n
23idt0MgZbM6GPcqig/Mbz1EQTGwu99HN5wAp8jxusjAkMfmmqosLtkUii4hvKCa
7YnbOJT/6AofZucuylfrJpD3uzkEyaKVlNeZUU82ROSKZK6VdILLB8WfWAMPAsH9
bLXHtcUo3nF/eQ4P8DZhJM/8tUdg0at4LW4Rb/wQX72xMB2l0F6sqS741f5jjqN3
gL0tSpYQXtB3ni1mBbj2jKq8+UUP6NpDwOU5p5pfK+I
-> ssh-rsa GxPFJQ
cNBRc51b5Pw2KQq+EHQ4tCGSQQu+JMZHpJjoSAPx5sLd1DgGhE1x1F9h9CuSRFZh
J6fh5xtr9l0rzae/IgSQgfaaq4KVgIC/TIiyLX1VN1MSgbrisMAFA1fu0N/mTJGJ
XEiZI3RebiBxnfS3yJpBAdsFvZDw6o0xD2d1rSzN2dKFKNr9XGPNX1wUqERnWVQF
B5fRpNiWygGPdBaXYDc5OC49vlCAkldaU2EvA1wEuesdTDDn9nisqAlgBBYXEDWq
EBGgiITNyz+wI7ncSVW6JWr5TFfDNEtqGo1JS8nYnpVNHTgU4PbTpqq5fvlAy+hI
gyIR51YZaJZNQhrQ/N4KYw
-> ssh-rsa K9mW1w
c9vvvWH+MrbfNifQYOsfhiw1Ie6npjBVCMrx8YZJwtVmRy3RYjXYn6zcFH+xzSGr
tC0WPwyQ1dqgUNTUdvxaGrSayo5WF2CNosjc66eMrqyG72pcpJwAqlNbWbDNHbm9
nE3c6XBv0WnEq7G+nkRx0luD96twkor4LVzDa37MUtljNqJo1Puv2AcEylEqXCUX
bKN78TlUOhCpec93ZIxQoE71+26qqpGNnwyTQkHII/RzMKZGQjtmdRtQiUPzVmxT
/3WjnQm4vbeKjOeBjjIdV1Wc7dykBRE7rq/Oe8AGl/7FAnbe6c2Bav50OOL5/Tbo
Fe5TZbOwFDc1ob3IezRI5Q
-> ssh-ed25519 RR/L5A Mvv5Y3bd2IqR1cffLQbJ3WuJCoGMpJaqf/TvV0kcYQs
jRBAHCUuW6hBsuv0VjR+uSKmmqK5rsU4vUIuNHQyAiE
--- /Xx07JneqPgZUC0LrtSMMHAt9eSoB0KUHxQ+j8mkr6c
).<2E><><EFBFBD>*<2A><><EFBFBD>?$M<15><>e1<65><31>"v84<38><34><EFBFBD><EFBFBD><EFBFBD> <<3C>ގJ+<2B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ۃ<EFBFBD>Q<EFBFBD>"ӵz<D3B5>"<22><>ǠB,<2C><><EFBFBD><EFBFBD><01><>^k<><6B>I<EFBFBD>,<2C>B

View File

@ -143,4 +143,7 @@ in
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ]; "certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ]; "certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ]; "certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
# Frigate secrets
"frigate/secrets.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
} }