add Frigate NVR service behind Authelia
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
8560c11afa
commit
426d86645f
2 changed files with 80 additions and 0 deletions
|
|
@ -24,6 +24,7 @@
|
|||
./services/qbittorrent-nox.nix
|
||||
./services/nginx.nix
|
||||
./services/go2rtc.nix
|
||||
./services/frigate.nix
|
||||
./services/sonarr.nix
|
||||
./services/radarr.nix
|
||||
./services/prowlarr.nix
|
||||
|
|
|
|||
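--- a/services/frigate.nix
+++ b/services/frigate.nix
@@ -0,0 +1,79 @@
+# services/frigate.nix — Local NVR with AI object detection
+# Consumes go2rtc streams; no MQTT / Home Assistant dependency.
+# Authentication delegated to Authelia by hijacking the /auth location
+# that the upstream Frigate module bakes into every nginx location block.
+{ config, lib, ... }:
+{
+config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+services.frigate = {
+enable = true;
+hostname = "frigate.nordhammer.it";
+
+settings = {
+mqtt.enabled = false;
+
+cameras.kids_bedroom = {
+enabled = true;
+ffmpeg.inputs = [{
+path = "rtsp://127.0.0.1:8554/kids_bedroom";
+roles = [ "detect" "record" ];
+}];
+detect = {
+enabled = true;
+width = 1920;
+height = 1080;
+};
+};
+
+record = {
+enabled = true;
+retain = {
+days = 7;
+mode = "motion";
+};
+events.retain = {
+default = 14;
+mode = "active_objects";
+};
+};
+
+snapshots = {
+enabled = true;
+retain.default = 14;
+};
+};
+};
+
+services.nginx.virtualHosts."frigate.nordhammer.it" = {
+useACMEHost = "nordhammer.it";
+forceSSL = true;
+
+# The Frigate module puts `auth_request /auth` on every location.
+# Override that internal /auth location to verify via Authelia
+# instead of Frigate's built-in auth, so one login covers everything.
+locations."/auth" = lib.mkForce {
+proxyPass = "http://127.0.0.1:9091/api/verify";
+extraConfig = ''
+internal;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-For $remote_addr;
+'';
+};
+
+# Redirect 401 → Authelia login portal
+extraConfig = lib.mkAfter ''
+error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;
+'';
+};
+
+# GPU access for hardware-accelerated ffmpeg decoding
+users.users.frigate.extraGroups = [ "video" "render" ];
+};
+}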
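Review bot: The overridden `/auth` location builds the URL that Authelia authorises from `$http_host`, which is the client's Host header verbatim, in both `X-Original-URL` and `X-Forwarded-Host`. Since this commit makes Authelia's answer the only gate in front of the camera UI and its recordings, the policy lookup should not depend on a request header: pin the name, e.g. `proxy_set_header X-Original-URL $scheme://frigate.nordhammer.it$request_uri;` and `proxy_set_header X-Forwarded-Host frigate.nordhammer.it;`. Whether a mismatched Host can actually reach this vhost depends on which server block is nginx's default, which is not visible here. The Authelia access-control rule for this host is also outside the diff, so a comment above `locations."/auth"` stating the policy it relies on, something like `# Requires an Authelia rule for frigate.nordhammer.it (not bypass); Frigate's built-in auth is replaced by this override.`, would keep the two from drifting apart.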