nixos/services/go2rtc.nix

# services/go2rtc.nix — Native go2rtc camera streaming
# RTSP credentials kept out of the nix store via runtime config templating
{ config, lib, pkgs, ... }:
let
  # Template config with placeholder — real URL injected at runtime
  configTemplate = pkgs.writeText "go2rtc-template.yaml" (builtins.toJSON {
    streams.kids_bedroom = "@RTSP_URL@";
    api.listen = ":1984";
    webrtc.listen = ":8555";
  });

  injectSecrets = pkgs.writeShellScript "go2rtc-inject-secrets" ''
    set -euo pipefail
    SECRETS="/var/secrets/go2rtc-rtsp-url"
    if [ -f "$SECRETS" ]; then
      RTSP_URL=$(tr -d '\n' < "$SECRETS")
      ${pkgs.gnused}/bin/sed "s|@RTSP_URL@|$RTSP_URL|g" ${configTemplate} > /run/go2rtc/config.yaml
    else
      echo "WARNING: $SECRETS not found, camera stream will not work" >&2
      cp ${configTemplate} /run/go2rtc/config.yaml
    fi
  '';
in
{
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.go2rtc = {
      enable = true;
      settings = {
        api.listen = ":1984";
        webrtc.listen = ":8555";
      };
    };

    # Override to use runtime-templated config with secrets
    systemd.services.go2rtc.serviceConfig = {
      RuntimeDirectory = "go2rtc";
      ExecStartPre = [ "!${injectSecrets}" ];
      ExecStart = lib.mkForce "${config.services.go2rtc.package}/bin/go2rtc -config /run/go2rtc/config.yaml";
    };

  };
}
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# services/go2rtc.nix — Native go2rtc camera streaming`
Move go2rtc RTSP credentials out of nix store, document all secrets - go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url instead of embedding credentials in the nix store - readme.md: add Mediaserver secrets section documenting all secrets needed for a fresh deploy (Cloudflare, go2rtc, Authelia) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:49:04 +01:00			`# RTSP credentials kept out of the nix store via runtime config templating`
			`{ config, lib, pkgs, ... }:`
			`let`
			`# Template config with placeholder — real URL injected at runtime`
			`configTemplate = pkgs.writeText "go2rtc-template.yaml" (builtins.toJSON {`
			`streams.kids_bedroom = "@RTSP_URL@";`
			`api.listen = ":1984";`
			`webrtc.listen = ":8555";`
			`});`

			`injectSecrets = pkgs.writeShellScript "go2rtc-inject-secrets" ''`
			`set -euo pipefail`
			`SECRETS="/var/secrets/go2rtc-rtsp-url"`
			`if [ -f "$SECRETS" ]; then`
			`RTSP_URL=$(tr -d '\n' < "$SECRETS")`
			`${pkgs.gnused}/bin/sed "s\|@RTSP_URL@\|$RTSP_URL\|g" ${configTemplate} > /run/go2rtc/config.yaml`
			`else`
			`echo "WARNING: $SECRETS not found, camera stream will not work" >&2`
			`cp ${configTemplate} /run/go2rtc/config.yaml`
			`fi`
			`'';`
			`in`
Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`{`
Update go2rtc.nix 2026-01-21 11:47:30 +00:00			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`
Update go2rtc.nix 2026-01-21 10:19:34 +00:00
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`services.go2rtc = {`
			`enable = true;`
			`settings = {`
			`api.listen = ":1984";`
			`webrtc.listen = ":8555";`
Update go2rtc.nix 2026-01-21 11:47:30 +00:00			`};`
			`};`

Move go2rtc RTSP credentials out of nix store, document all secrets - go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url instead of embedding credentials in the nix store - readme.md: add Mediaserver secrets section documenting all secrets needed for a fresh deploy (Cloudflare, go2rtc, Authelia) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:49:04 +01:00			`# Override to use runtime-templated config with secrets`
			`systemd.services.go2rtc.serviceConfig = {`
Fix go2rtc: use RuntimeDirectory instead of mkdir /run/go2rtc DynamicUser can't write to /run directly. RuntimeDirectory lets systemd create and manage the directory. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:51:22 +01:00			`RuntimeDirectory = "go2rtc";`
Move go2rtc RTSP credentials out of nix store, document all secrets - go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url instead of embedding credentials in the nix store - readme.md: add Mediaserver secrets section documenting all secrets needed for a fresh deploy (Cloudflare, go2rtc, Authelia) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:49:04 +01:00			`ExecStartPre = [ "!${injectSecrets}" ];`
			`ExecStart = lib.mkForce "${config.services.go2rtc.package}/bin/go2rtc -config /run/go2rtc/config.yaml";`
			`};`

Update go2rtc.nix 2026-01-21 11:47:30 +00:00			`};`
Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`}`