This commit is contained in:
parent
390bdaaf51
commit
fa3eff11a8
@ -132,6 +132,13 @@ in
|
||||
interfaces.enp5s0.name = "eth1";
|
||||
interfaces.enp6s0.name = "eth2";
|
||||
interfaces.enp8s0.name = "eth3";
|
||||
|
||||
vlans = {
|
||||
cameras = {
|
||||
id = 3;
|
||||
interface = "eth0";
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
|
||||
|
@ -290,7 +290,7 @@
|
||||
subnet = "10.133.145.0/24";
|
||||
interface = "cameras";
|
||||
pools = [{
|
||||
pool = "10.133.145.64 - 10.133.145.254";
|
||||
pool = "10.133.145.64 - 10.133.145.253";
|
||||
}];
|
||||
option-data = [
|
||||
{
|
||||
|
@ -10,6 +10,7 @@
|
||||
node-exporter = 188;
|
||||
step-ca = 198;
|
||||
isponsorblocktv = 199;
|
||||
frigate = 200;
|
||||
|
||||
## Consistent People
|
||||
jake = 1000;
|
||||
@ -23,6 +24,7 @@
|
||||
node-exporter = 188;
|
||||
step-ca = 198;
|
||||
isponsorblocktv = 199;
|
||||
frigate = 200;
|
||||
|
||||
## Consistent Groups
|
||||
mediaaccess = 1200;
|
||||
|
@ -39,15 +39,18 @@ in
|
||||
|
||||
services = {
|
||||
openssh.hostKeys = [
|
||||
{ path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
||||
{ path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
||||
{ path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
||||
{ path = "${cfg.base}/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
||||
];
|
||||
matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
|
||||
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
||||
};
|
||||
|
||||
custom.chia = lib.mkIf config.custom.chia.enable {
|
||||
path = lib.mkOverride 999 "/data/chia";
|
||||
path = lib.mkOverride 999 "${cfg.base}/chia";
|
||||
};
|
||||
custom.services.frigate = lib.mkIf config.custom.services.frigate.enable {
|
||||
dataPath = lib.mkOverride 999 "${cfg.base}/frigate";
|
||||
};
|
||||
|
||||
services.resilio = lib.mkIf config.services.resilio.enable {
|
||||
@ -55,7 +58,7 @@ in
|
||||
};
|
||||
|
||||
services.plex = lib.mkIf config.services.plex.enable {
|
||||
dataDir = lib.mkOverride 999 "/data/plex";
|
||||
dataDir = lib.mkOverride 999 "${cfg.base}/plex";
|
||||
};
|
||||
|
||||
services.home-assistant = lib.mkIf config.services.home-assistant.enable {
|
||||
@ -101,18 +104,18 @@ in
|
||||
name = x;
|
||||
value = {
|
||||
home = {
|
||||
persistence."/data/users/${x}" = {
|
||||
persistence."${cfg.base}/users/${x}" = {
|
||||
allowOther = false;
|
||||
|
||||
files = cfg.userExtraFiles.${x} or [ ];
|
||||
directories = cfg.userExtraDirs.${x} or [ ];
|
||||
};
|
||||
|
||||
sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "/data/users/${x}/.local/share/zoxide"; };
|
||||
sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "${cfg.base}/users/${x}/.local/share/zoxide"; };
|
||||
};
|
||||
|
||||
programs = {
|
||||
zsh.history.path = lib.mkOverride 999 "/data/users/${x}/.zsh_history";
|
||||
zsh.history.path = lib.mkOverride 999 "${cfg.base}/users/${x}/.zsh_history";
|
||||
};
|
||||
};
|
||||
});
|
||||
@ -122,8 +125,8 @@ in
|
||||
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
|
||||
(user:
|
||||
let details = config.users.users.${user}; in [
|
||||
"d /data/users/${user} 0700 ${user} ${details.group} - -"
|
||||
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
|
||||
"d ${cfg.base}/users/${user} 0700 ${user} ${details.group} - -"
|
||||
"L ${details.home}/local - ${user} ${details.group} - ${cfg.base}/users/${user}"
|
||||
])
|
||||
cfg.users);
|
||||
};
|
||||
|
@ -21,6 +21,7 @@ in
|
||||
services = {
|
||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
downloads = "phoenix.st.ts.hillion.co.uk";
|
||||
frigate = "phoenix.st.ts.hillion.co.uk";
|
||||
gitea = "boron.cx.ts.hillion.co.uk";
|
||||
homeassistant = "stinger.pop.ts.hillion.co.uk";
|
||||
mastodon = "";
|
||||
|
@ -33,8 +33,9 @@ in
|
||||
86400 NS ns1.hillion.co.uk.
|
||||
|
||||
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
|
||||
restic 21600 CNAME ${config.custom.locations.locations.services.restic}.
|
||||
frigate 21600 CNAME ${config.custom.locations.locations.services.frigate}.
|
||||
prometheus 21600 CNAME ${config.custom.locations.locations.services.prometheus}.
|
||||
restic 21600 CNAME ${config.custom.locations.locations.services.restic}.
|
||||
|
||||
deluge.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
||||
prowlarr.downloads 21600 CNAME ${config.custom.locations.locations.services.downloads}.
|
||||
|
@ -4,6 +4,7 @@
|
||||
imports = [
|
||||
./authoritative_dns.nix
|
||||
./downloads.nix
|
||||
./frigate.nix
|
||||
./gitea/default.nix
|
||||
./homeassistant.nix
|
||||
./isponsorblocktv.nix
|
||||
|
131
modules/services/frigate.nix
Normal file
131
modules/services/frigate.nix
Normal file
@ -0,0 +1,131 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.frigate;
|
||||
in
|
||||
{
|
||||
options.custom.services.frigate = {
|
||||
enable = lib.mkEnableOption "frigate";
|
||||
|
||||
dataPath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/frigate";
|
||||
};
|
||||
recordingsPath = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/practical-defiant-coffee/cctv";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."frigate/secrets.env".file = ../../secrets/frigate/secrets.env.age;
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."frigate.ts.hillion.co.uk" = {
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = ''
|
||||
reverse_proxy unix///run/nginx-frigate/nginx.sock
|
||||
|
||||
tls {
|
||||
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
users.users.frigate = {
|
||||
group = "frigate";
|
||||
home = cfg.dataPath;
|
||||
createHome = true;
|
||||
uid = config.ids.uids.frigate;
|
||||
};
|
||||
users.groups.frigate.gid = config.ids.gids.frigate;
|
||||
|
||||
users.users.nginx = {
|
||||
group = "nginx";
|
||||
uid = config.ids.uids.nginx;
|
||||
};
|
||||
users.groups.nginx.gid = config.ids.gids.nginx;
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /run/nginx-frigate 0750 nginx caddy - -"
|
||||
];
|
||||
|
||||
containers."frigate" = {
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
additionalCapabilities = [ "CAP_NET_ADMIN" ];
|
||||
|
||||
macvlans = [ "cameras" ];
|
||||
bindMounts = {
|
||||
"/run/agenix/frigate/secrets.env".hostPath = config.age.secrets."frigate/secrets.env".path;
|
||||
"/run/nginx-frigate" = { hostPath = "/run/nginx-frigate"; isReadOnly = false; };
|
||||
|
||||
"/var/lib/frigate" = { hostPath = cfg.dataPath; isReadOnly = false; };
|
||||
"/media/frigate/recordings" = { hostPath = cfg.recordingsPath; isReadOnly = false; };
|
||||
};
|
||||
|
||||
config = (hostConfig: { config, pkgs, ... }: {
|
||||
config = {
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks."10-cameras" = {
|
||||
matchConfig.Name = "mv-cameras";
|
||||
networkConfig.DHCP = "ipv4";
|
||||
dhcpV4Config.ClientIdentifier = "mac";
|
||||
linkConfig.MACAddress = "00:b7:43:f3:81:a0";
|
||||
};
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
|
||||
users.users.frigate.uid = hostConfig.ids.uids.frigate;
|
||||
users.groups.frigate.gid = hostConfig.ids.gids.frigate;
|
||||
|
||||
services.nginx.virtualHosts."frigate.ts.hillion.co.uk".listen = lib.mkForce [
|
||||
{ addr = "unix:/run/nginx-frigate/nginx.sock"; }
|
||||
];
|
||||
|
||||
services.frigate = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.frigate;
|
||||
hostname = "frigate.ts.hillion.co.uk";
|
||||
|
||||
settings = {
|
||||
record = {
|
||||
enabled = true;
|
||||
retain.mode = "motion";
|
||||
};
|
||||
|
||||
cameras = {
|
||||
living_room = {
|
||||
enabled = true;
|
||||
onvif = {
|
||||
host = "10.133.145.2";
|
||||
user = "admin";
|
||||
password = "{FRIGATE_RTSP_PASSWORD}";
|
||||
};
|
||||
ffmpeg.inputs = [
|
||||
{
|
||||
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/h264Preview_01_sub";
|
||||
roles = [ "detect" ];
|
||||
}
|
||||
{
|
||||
path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/";
|
||||
roles = [ "record" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate/secrets.env";
|
||||
};
|
||||
}) config;
|
||||
};
|
||||
|
||||
};
|
||||
}
|
31
secrets/frigate/secrets.env.age
Normal file
31
secrets/frigate/secrets.env.age
Normal file
@ -0,0 +1,31 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa JSzstA
|
||||
UxtA9OeecK4nVLsDq1BVy1NnWzf4ITfGqQdd31u1iTDhKhPmg8bvu4TuiVn+hD7/
|
||||
B2Ar0GOHXH/JB882Q8o2D2DlkVYfwkGmtSxnw/p/um05+l59JGi6zAkw3uSAGrMF
|
||||
rdte3EdlRrxCImxJVp6AvXEH3kXjT1BtDVBwARpLBGAONc++rwDIFeP56ras4hIa
|
||||
H2JReFBethNMMZCOa0jH1nUDoRVohdt2wD2KO4LuOxTK0qkRxky4Pwt/+MP26X4j
|
||||
Uo2FRLrgBb4DlqeNz9EQEnJeRS1Pz6GbzfqZi7f1LUoa5ifKuBobPe2sDBDvE0RR
|
||||
jFAHZp1Nir/FXEkfjPw2uOfdCUZRLQ2OQ5JLlb0BKo5hV202eGCTY3Fhf34JYkE2
|
||||
n++1I5oX2dX1qY9KDpj+LMASKWHtC7ayei9Mcr4Ee7m/dGq9y7Ipjw5aliFJd74n
|
||||
23idt0MgZbM6GPcqig/Mbz1EQTGwu99HN5wAp8jxusjAkMfmmqosLtkUii4hvKCa
|
||||
7YnbOJT/6AofZucuylfrJpD3uzkEyaKVlNeZUU82ROSKZK6VdILLB8WfWAMPAsH9
|
||||
bLXHtcUo3nF/eQ4P8DZhJM/8tUdg0at4LW4Rb/wQX72xMB2l0F6sqS741f5jjqN3
|
||||
gL0tSpYQXtB3ni1mBbj2jKq8+UUP6NpDwOU5p5pfK+I
|
||||
-> ssh-rsa GxPFJQ
|
||||
cNBRc51b5Pw2KQq+EHQ4tCGSQQu+JMZHpJjoSAPx5sLd1DgGhE1x1F9h9CuSRFZh
|
||||
J6fh5xtr9l0rzae/IgSQgfaaq4KVgIC/TIiyLX1VN1MSgbrisMAFA1fu0N/mTJGJ
|
||||
XEiZI3RebiBxnfS3yJpBAdsFvZDw6o0xD2d1rSzN2dKFKNr9XGPNX1wUqERnWVQF
|
||||
B5fRpNiWygGPdBaXYDc5OC49vlCAkldaU2EvA1wEuesdTDDn9nisqAlgBBYXEDWq
|
||||
EBGgiITNyz+wI7ncSVW6JWr5TFfDNEtqGo1JS8nYnpVNHTgU4PbTpqq5fvlAy+hI
|
||||
gyIR51YZaJZNQhrQ/N4KYw
|
||||
-> ssh-rsa K9mW1w
|
||||
c9vvvWH+MrbfNifQYOsfhiw1Ie6npjBVCMrx8YZJwtVmRy3RYjXYn6zcFH+xzSGr
|
||||
tC0WPwyQ1dqgUNTUdvxaGrSayo5WF2CNosjc66eMrqyG72pcpJwAqlNbWbDNHbm9
|
||||
nE3c6XBv0WnEq7G+nkRx0luD96twkor4LVzDa37MUtljNqJo1Puv2AcEylEqXCUX
|
||||
bKN78TlUOhCpec93ZIxQoE71+26qqpGNnwyTQkHII/RzMKZGQjtmdRtQiUPzVmxT
|
||||
/3WjnQm4vbeKjOeBjjIdV1Wc7dykBRE7rq/Oe8AGl/7FAnbe6c2Bav50OOL5/Tbo
|
||||
Fe5TZbOwFDc1ob3IezRI5Q
|
||||
-> ssh-ed25519 RR/L5A Mvv5Y3bd2IqR1cffLQbJ3WuJCoGMpJaqf/TvV0kcYQs
|
||||
jRBAHCUuW6hBsuv0VjR+uSKmmqK5rsU4vUIuNHQyAiE
|
||||
--- /Xx07JneqPgZUC0LrtSMMHAt9eSoB0KUHxQ+j8mkr6c
|
||||
).<2E><><EFBFBD>*<2A><><EFBFBD>?$M<15><>e1<65><31>"v84<38><34><EFBFBD><EFBFBD><EFBFBD><<3C>ގJ+<2B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ۃ<EFBFBD>Q<EFBFBD>"ӵz<D3B5>"<22><>ǠB,<2C><><EFBFBD><EFBFBD><01><>^k<><6B>I<EFBFBD>,<2C>B
|
@ -143,4 +143,7 @@ in
|
||||
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
|
||||
# Frigate secrets
|
||||
"frigate/secrets.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user