nixos/services/frigate.nix


# services/frigate.nix — Local NVR with AI object detection
# Consumes go2rtc streams; no MQTT / Home Assistant dependency.
# Authentication is delegated to Authelia by overriding the internal /auth
# location that the upstream Frigate module's `auth_request /auth` directives
# (present in every nginx location block) point at.
{ config, lib, ... }:
let
  # Public name of the NVR; used for both the Frigate option and the nginx vhost
  # so the two cannot drift apart.
  frigateHost = "frigate.nordhammer.it";
  # This module is a no-op on every machine except this one.
  targetMachine = "FredOS-Mediaserver";
in
{
  config = lib.mkIf (config.networking.hostName == targetMachine) {
    services = {
      frigate = {
        enable = true;
        hostname = frigateHost;
        # Build-time validation of the generated Frigate config is switched off,
        # so a mistake in `settings` (including the proxy header mapping below)
        # only surfaces when the service starts.
        checkConfig = false;
        settings = {
          mqtt = {
            enabled = false;
          };
          proxy = {
            # Frigate reads the user name and role from these request headers.
            # NOTE(review): that is only safe if nginx is the sole route to
            # Frigate and overwrites any client-supplied copies of these
            # headers with the auth_request result. Confirm against the
            # upstream module's generated nginx config.
            header_map = {
              user = "Remote-User";
              role = "Remote-Role";
            };
          };
          cameras = {
            kids_bedroom = {
              enabled = true;
              ffmpeg = {
                inputs = [
                  {
                    # Stream is pulled from the local go2rtc restream; the URL
                    # carries no credentials.
                    # NOTE(review): presumably go2rtc's RTSP listener is bound
                    # to loopback only. Confirm in the go2rtc configuration.
                    path = "rtsp://127.0.0.1:8554/kids_bedroom";
                    roles = [
                      "detect"
                      "record"
                    ];
                  }
                ];
              };
              detect = {
                enabled = true;
                width = 1920;
                height = 1080;
              };
            };
          };
          # Recordings: kept 7 days, retain mode "motion".
          record = {
            enabled = true;
            retain = {
              days = 7;
              mode = "motion";
            };
          };
          # Snapshots: default retention 14 days.
          snapshots = {
            enabled = true;
            retain = {
              default = 14;
            };
          };
        };
      };

      nginx.virtualHosts.${frigateHost} = {
        useACMEHost = "nordhammer.it";
        forceSSL = true;

        # Per the file's own description, the upstream Frigate module adds
        # `auth_request /auth` to every location. mkForce replaces that
        # module's /auth location so the subrequest is answered by Authelia
        # (127.0.0.1:9091) instead of Frigate's built-in auth.
        #
        # `internal` keeps /auth unreachable from outside; the request body is
        # dropped and the original URL, method, scheme, host and client
        # address are forwarded so Authelia can apply its access rules.
        #
        # The last directive is meant to give every authenticated user the
        # admin role, so who may reach this camera at all has to be restricted
        # in Authelia's access-control rules for this host.
        # NOTE(review): add_header sets headers on responses nginx itself
        # sends, while $upstream_http_remote_role is read from the proxied
        # server's response. Verify which role Frigate actually receives and
        # what it falls back to when the header is empty.
        locations."/auth" = lib.mkForce {
          proxyPass = "http://127.0.0.1:9091/api/verify";
          extraConfig = ''
            internal;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header X-Forwarded-Method $request_method;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Uri $request_uri;
            proxy_set_header X-Forwarded-For $remote_addr;
            # Inject admin role into auth response so Frigate's
            # auth_request_set $role $upstream_http_remote_role picks it up
            add_header Remote-Role admin;
          '';
        };

        # A 401 from the auth subrequest becomes a 302 to the Authelia portal,
        # with the original URL passed back in `rd`.
        # NOTE(review): `rd` is built from $http_host, i.e. the Host header as
        # sent by the client. This relies on Authelia validating the redirect
        # target. Confirm, or build the URL from the fixed hostname instead.
        extraConfig = lib.mkAfter ''
          error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;
        '';
      };
    };

    # Membership in video/render is what grants the frigate service user GPU
    # access for hardware-accelerated ffmpeg decoding.
    users.users.frigate.extraGroups = [
      "video"
      "render"
    ];
  };
}