Move go2rtc RTSP credentials out of nix store, document all secrets

- go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url instead of embedding credentials in the nix store - readme.md: add Mediaserver secrets section documenting all secrets needed for a fresh deploy (Cloudflare, go2rtc, Authelia) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 20:49:04 +01:00 · 2026-04-07 20:49:04 +01:00 · 595efbb25a
commit 595efbb25a
parent 08669d7eb5
2 changed files with 60 additions and 4 deletions
--- a/services/go2rtc.nix
+++ b/services/go2rtc.nix
@ -1,18 +1,43 @@
 # services/go2rtc.nix — Native go2rtc camera streaming
-{ config, lib, ... }:
+# RTSP credentials kept out of the nix store via runtime config templating
+{ config, lib, pkgs, ... }:
+let
+  # Template config with placeholder — real URL injected at runtime
+  configTemplate = pkgs.writeText "go2rtc-template.yaml" (builtins.toJSON {
+    streams.kids_bedroom = "@RTSP_URL@";
+    api.listen = ":1984";
+    webrtc.listen = ":8555";
+  });
+
+  injectSecrets = pkgs.writeShellScript "go2rtc-inject-secrets" ''
+    set -euo pipefail
+    SECRETS="/var/secrets/go2rtc-rtsp-url"
+    mkdir -p /run/go2rtc
+    if [ -f "$SECRETS" ]; then
+      RTSP_URL=$(tr -d '\n' < "$SECRETS")
+      ${pkgs.gnused}/bin/sed "s|@RTSP_URL@|$RTSP_URL|g" ${configTemplate} > /run/go2rtc/config.yaml
+    else
+      echo "WARNING: $SECRETS not found, camera stream will not work" >&2
+      cp ${configTemplate} /run/go2rtc/config.yaml
+    fi
+  '';
+in
 {
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.go2rtc = {
      enable = true;
      settings = {
-        # NOTE: RTSP credentials end up in the nix store — same exposure as
-        # the old Docker bind-mount config. Acceptable for a local LAN camera.
-        streams.kids_bedroom = "rtsp://fredrik:12345678@192.168.4.39:554/stream1";
        api.listen = ":1984";
        webrtc.listen = ":8555";
      };
    };

+    # Override to use runtime-templated config with secrets
+    systemd.services.go2rtc.serviceConfig = {
+      ExecStartPre = [ "!${injectSecrets}" ];
+      ExecStart = lib.mkForce "${config.services.go2rtc.package}/bin/go2rtc -config /run/go2rtc/config.yaml";
+    };
+
  };
 }