diff --git a/common.nix b/common.nix
index 6343c0d..bfdd715 100644
--- a/common.nix
+++ b/common.nix
@@ -24,6 +24,7 @@
 ./services/qbittorrent-nox.nix
 ./services/nginx.nix
 ./services/go2rtc.nix
+ ./services/frigate.nix
 ./services/sonarr.nix
 ./services/radarr.nix
 ./services/prowlarr.nix
diff --git a/services/frigate.nix b/services/frigate.nix
new file mode 100644
index 0000000..fbf3aeb
--- /dev/null
+++ b/services/frigate.nix
@@ -0,0 +1,79 @@
+# services/frigate.nix — Local NVR with AI object detection
+# Consumes go2rtc streams; no MQTT / Home Assistant dependency.
+# Authentication delegated to Authelia by hijacking the /auth location
+# that the upstream Frigate module bakes into every nginx location block.
+{ config, lib, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+ services.frigate = {
+ enable = true;
+ hostname = "frigate.nordhammer.it";
+
+ settings = {
+ mqtt.enabled = false;
+
+ cameras.kids_bedroom = {
+ enabled = true;
+ ffmpeg.inputs = [{
+ path = "rtsp://127.0.0.1:8554/kids_bedroom";
+ roles = [ "detect" "record" ];
+ }];
+ detect = {
+ enabled = true;
+ width = 1920;
+ height = 1080;
+ };
+ };
+
+ record = {
+ enabled = true;
+ retain = {
+ days = 7;
+ mode = "motion";
+ };
+ events.retain = {
+ default = 14;
+ mode = "active_objects";
+ };
+ };
+
+ snapshots = {
+ enabled = true;
+ retain.default = 14;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."frigate.nordhammer.it" = {
+ useACMEHost = "nordhammer.it";
+ forceSSL = true;
+
+ # The Frigate module puts `auth_request /auth` on every location.
+ # Override that internal /auth location to verify via Authelia
+ # instead of Frigate's built-in auth, so one login covers everything.
+ locations."/auth" = lib.mkForce {
+ proxyPass = "http://127.0.0.1:9091/api/verify";
+ extraConfig = ''
+ internal;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ '';
+ };
+
+ # Redirect 401 → Authelia login portal
+ extraConfig = lib.mkAfter ''
+ error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;
+ '';
+ };
+
+ # GPU access for hardware-accelerated ffmpeg decoding
+ users.users.frigate.extraGroups = [ "video" "render" ];
+ };
+}
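Review bot: The `/auth` override builds `X-Original-URL`, `X-Forwarded-Host` and the `rd=` redirect target from `$http_host`, which is the client-supplied Host header, so both Authelia's policy decision and the post-login redirect depend on a requester-controlled value if this vhost ever answers for other names (for example as nginx's default server). The vhost serves exactly one name, so pin it: `proxy_set_header X-Original-URL $scheme://frigate.nordhammer.it$request_uri;`, `proxy_set_header X-Forwarded-Host frigate.nordhammer.it;` and `error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://frigate.nordhammer.it$request_uri;`. Separately, access control for a bedroom camera rests entirely on the upstream module continuing to emit `auth_request /auth` on every location, which is not visible in this file. It is worth checking the generated nginx config (ideally in a NixOS test) so a module update cannot silently leave the site unauthenticated.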