nixos/services/go2rtc.nix

{ config, pkgs, lib, ... }:

let
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/master.tar.gz";
  };
in

{
	imports = [
		"${sops-nix}/modules/sops"
	];

	config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
		
		
		  # Configure sops
  sops = {
    defaultSopsFile = ../secrets/camera.yaml;
    age.keyFile = "/var/lib/sops-nix/key.txt";
    secrets = {
      authelia_session_secret = { };
      authelia_encryption_key = { };
      authelia_jwt_secret = { };
      camera_rtsp_url = { };
      fredrik_password_hash = { };
      kayla_password_hash = { };
    };
  };

  virtualisation.oci-containers = {
    backend = "docker";
    
    containers."go2rtc" = {
      image = "alexxit/go2rtc:latest";
      ports = [ "1984:1984" ];
      volumes = [
        "/var/lib/go2rtc:/config"
      ];
      extraOptions = [
        "--network=nginx-proxy-manager_default"
      ];
    };
    
    containers."authelia" = {
      image = "authelia/authelia:latest";
      ports = [ "9091:9091" ];
      environment = {
        TZ = "Europe/London";
      };
      volumes = [
        "/var/lib/authelia:/config"
      ];
      extraOptions = [
        "--network=nginx-proxy-manager_default"
      ];
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/lib/go2rtc 0755 root root -"
    "d /var/lib/authelia 0755 root root -"
  ];

  # Generate go2rtc config with secrets
  systemd.services.go2rtc-config = {
    description = "Generate go2rtc config with secrets";
    wantedBy = [ "docker-go2rtc.service" ];
    before = [ "docker-go2rtc.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p /var/lib/go2rtc
      cat > /var/lib/go2rtc/go2rtc.yaml <<EOF
      streams:
        bedroom_cam:
          - $(cat ${config.sops.secrets.camera_rtsp_url.path})
      
      api:
        listen: ":1984"
      
      webrtc:
        listen: ":8555"
      EOF
    '';
  };

  # Generate Authelia config with secrets
  systemd.services.authelia-config = {
    description = "Generate authelia config with secrets";
    wantedBy = [ "docker-authelia.service" ];
    before = [ "docker-authelia.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p /var/lib/authelia
      cat > /var/lib/authelia/configuration.yml <<EOF
      ---
      theme: light
      server:
        address: 'tcp://0.0.0.0:9091/'
      
      log:
        level: info
      
      authentication_backend:
        file:
          path: /config/users_database.yml
      
      access_control:
        default_policy: deny
        rules:
          - domain: camera.nordhammer.it
            policy: one_factor
      
      session:
        secret: $(cat ${config.sops.secrets.authelia_session_secret.path})
        cookies:
          - domain: nordhammer.it
            authelia_url: https://auth.nordhammer.it
        expiration: 1h
        inactivity: 5m
      
      storage:
        encryption_key: $(cat ${config.sops.secrets.authelia_encryption_key.path})
        local:
          path: /config/db.sqlite3
      
      notifier:
        filesystem:
          filename: /config/notification.txt
      
      identity_validation:
        reset_password:
          jwt_secret: $(cat ${config.sops.secrets.authelia_jwt_secret.path})
      EOF
      
      cat > /var/lib/authelia/users_database.yml <<EOF
      ---
      users:
        fredrik:
          displayname: "Fredrik"
          password: "$(cat ${config.sops.secrets.fredrik_password_hash.path})"
          email: fredrik@nordhammer.it
          groups: []
        kayla:
          displayname: "Kayla"
          password: "$(cat ${config.sops.secrets.kayla_password_hash.path})"
          email: kaylavds@hotmail.co.uk
          groups: []
      EOF
      chmod 600 /var/lib/authelia/users_database.yml
    '';
  };
		
	};
}
Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`{ config, pkgs, lib, ... }:`
Update go2rtc.nix 2026-01-21 09:39:46 +00:00
			`let`
			`sops-nix = builtins.fetchTarball {`
			`url = "https://github.com/Mic92/sops-nix/archive/master.tar.gz";`
			`};`
			`in`

Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`{`
Update go2rtc.nix 2026-01-21 09:40:58 +00:00			`imports = [`
			`"${sops-nix}/modules/sops"`
			`];`

Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`
Update go2rtc.nix 2026-01-21 09:40:58 +00:00
Update go2rtc.nix 2026-01-21 09:39:46 +00:00
Update go2rtc.nix 2026-01-21 10:19:34 +00:00			`# Configure sops`
			`sops = {`
			`defaultSopsFile = ../secrets/camera.yaml;`
			`age.keyFile = "/var/lib/sops-nix/key.txt";`
			`secrets = {`
			`authelia_session_secret = { };`
			`authelia_encryption_key = { };`
			`authelia_jwt_secret = { };`
			`camera_rtsp_url = { };`
			`fredrik_password_hash = { };`
			`kayla_password_hash = { };`
			`};`
			`};`

			`virtualisation.oci-containers = {`
			`backend = "docker";`

			`containers."go2rtc" = {`
			`image = "alexxit/go2rtc:latest";`
			`ports = [ "1984:1984" ];`
			`volumes = [`
			`"/var/lib/go2rtc:/config"`
			`];`
			`extraOptions = [`
			`"--network=nginx-proxy-manager_default"`
			`];`
			`};`

			`containers."authelia" = {`
			`image = "authelia/authelia:latest";`
			`ports = [ "9091:9091" ];`
			`environment = {`
			`TZ = "Europe/London";`
			`};`
			`volumes = [`
			`"/var/lib/authelia:/config"`
			`];`
			`extraOptions = [`
			`"--network=nginx-proxy-manager_default"`
			`];`
			`};`
			`};`

			`systemd.tmpfiles.rules = [`
			`"d /var/lib/go2rtc 0755 root root -"`
			`"d /var/lib/authelia 0755 root root -"`
			`];`

			`# Generate go2rtc config with secrets`
			`systemd.services.go2rtc-config = {`
			`description = "Generate go2rtc config with secrets";`
			`wantedBy = [ "docker-go2rtc.service" ];`
			`before = [ "docker-go2rtc.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`};`
			`script = ''`
			`mkdir -p /var/lib/go2rtc`
			`cat > /var/lib/go2rtc/go2rtc.yaml <<EOF`
			`streams:`
			`bedroom_cam:`
			`- $(cat ${config.sops.secrets.camera_rtsp_url.path})`

			`api:`
			`listen: ":1984"`

			`webrtc:`
			`listen: ":8555"`
			`EOF`
			`'';`
			`};`

			`# Generate Authelia config with secrets`
			`systemd.services.authelia-config = {`
			`description = "Generate authelia config with secrets";`
			`wantedBy = [ "docker-authelia.service" ];`
			`before = [ "docker-authelia.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`};`
			`script = ''`
			`mkdir -p /var/lib/authelia`
			`cat > /var/lib/authelia/configuration.yml <<EOF`
			`---`
			`theme: light`
			`server:`
			`address: 'tcp://0.0.0.0:9091/'`

			`log:`
			`level: info`

			`authentication_backend:`
			`file:`
			`path: /config/users_database.yml`

			`access_control:`
			`default_policy: deny`
			`rules:`
			`- domain: camera.nordhammer.it`
			`policy: one_factor`

			`session:`
			`secret: $(cat ${config.sops.secrets.authelia_session_secret.path})`
			`cookies:`
			`- domain: nordhammer.it`
			`authelia_url: https://auth.nordhammer.it`
			`expiration: 1h`
			`inactivity: 5m`

			`storage:`
			`encryption_key: $(cat ${config.sops.secrets.authelia_encryption_key.path})`
			`local:`
			`path: /config/db.sqlite3`

			`notifier:`
			`filesystem:`
			`filename: /config/notification.txt`

			`identity_validation:`
			`reset_password:`
			`jwt_secret: $(cat ${config.sops.secrets.authelia_jwt_secret.path})`
			`EOF`

			`cat > /var/lib/authelia/users_database.yml <<EOF`
			`---`
			`users:`
			`fredrik:`
			`displayname: "Fredrik"`
			`password: "$(cat ${config.sops.secrets.fredrik_password_hash.path})"`
			`email: fredrik@nordhammer.it`
			`groups: []`
			`kayla:`
			`displayname: "Kayla"`
			`password: "$(cat ${config.sops.secrets.kayla_password_hash.path})"`
			`email: kaylavds@hotmail.co.uk`
			`groups: []`
			`EOF`
			`chmod 600 /var/lib/authelia/users_database.yml`
			`'';`
			`};`
Update go2rtc.nix 2026-01-21 09:28:50 +00:00
Update go2rtc.nix 2026-01-21 09:26:45 +00:00			`};`
			`}`