diff --git a/readme.md b/readme.md index 19e3d1e..f79c4f3 100644 --- a/readme.md +++ b/readme.md @@ -165,6 +165,37 @@ After this succeeds, the plain `update` alias works from then on. | nix-flatpak | `github:gmodena/nix-flatpak` | | nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` | +## Mediaserver secrets + +Several services on FredOS-Mediaserver require secrets that are stored on the machine (not in the repo). After a fresh deploy, create these before running `update`: + +```bash +# Cloudflare API token (used by DDNS and ACME wildcard cert) +# See services/cloudflare-ddns.md for token permissions +echo -n 'your-cloudflare-api-token' | sudo tee /var/secrets/cloudflare-token +sudo chmod 600 /var/secrets/cloudflare-token + +# go2rtc RTSP camera URL +echo -n 'rtsp://username:password@camera-ip:554/stream1' | sudo tee /var/secrets/go2rtc-rtsp-url +sudo chmod 600 /var/secrets/go2rtc-rtsp-url + +# Authelia secrets — auto-migrated from Docker on first deploy +# If migrating from Docker, ensure these exist at /home/fred/docker/authelia/: +# - configuration.yml (jwt_secret, session secret, storage key are extracted) +# - users_database.yml (copied to /var/lib/authelia-main/) +# For a fresh install, create manually: +sudo mkdir -p /var/secrets/authelia +echo -n 'random-jwt-secret' | sudo tee /var/secrets/authelia/jwt_secret +echo -n 'random-session-secret' | sudo tee /var/secrets/authelia/session_secret +echo -n 'random-storage-encryption-key' | sudo tee /var/secrets/authelia/storage_encryption_key +sudo chmod 600 /var/secrets/authelia/* + +# Authelia user database (for a fresh install) +sudo mkdir -p /var/lib/authelia-main +sudo cp users_database.yml /var/lib/authelia-main/ +sudo chown authelia-main:authelia-main /var/lib/authelia-main/users_database.yml +``` + ## Notes - `hosts/hardware/` files are committed to the repo — they contain UUIDs and disk layout but no sensitive credentials diff --git a/services/go2rtc.nix b/services/go2rtc.nix index 6644b2d..72be359 100644 --- a/services/go2rtc.nix +++ b/services/go2rtc.nix @@ -1,18 +1,43 @@ # services/go2rtc.nix — Native go2rtc camera streaming -{ config, lib, ... }: +# RTSP credentials kept out of the nix store via runtime config templating +{ config, lib, pkgs, ... }: +let + # Template config with placeholder — real URL injected at runtime + configTemplate = pkgs.writeText "go2rtc-template.yaml" (builtins.toJSON { + streams.kids_bedroom = "@RTSP_URL@"; + api.listen = ":1984"; + webrtc.listen = ":8555"; + }); + + injectSecrets = pkgs.writeShellScript "go2rtc-inject-secrets" '' + set -euo pipefail + SECRETS="/var/secrets/go2rtc-rtsp-url" + mkdir -p /run/go2rtc + if [ -f "$SECRETS" ]; then + RTSP_URL=$(tr -d '\n' < "$SECRETS") + ${pkgs.gnused}/bin/sed "s|@RTSP_URL@|$RTSP_URL|g" ${configTemplate} > /run/go2rtc/config.yaml + else + echo "WARNING: $SECRETS not found, camera stream will not work" >&2 + cp ${configTemplate} /run/go2rtc/config.yaml + fi + ''; +in { config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") { services.go2rtc = { enable = true; settings = { - # NOTE: RTSP credentials end up in the nix store — same exposure as - # the old Docker bind-mount config. Acceptable for a local LAN camera. - streams.kids_bedroom = "rtsp://fredrik:12345678@192.168.4.39:554/stream1"; api.listen = ":1984"; webrtc.listen = ":8555"; }; }; + # Override to use runtime-templated config with secrets + systemd.services.go2rtc.serviceConfig = { + ExecStartPre = [ "!${injectSecrets}" ]; + ExecStart = lib.mkForce "${config.services.go2rtc.package}/bin/go2rtc -config /run/go2rtc/config.yaml"; + }; + }; }