Move go2rtc RTSP credentials out of nix store, document all secrets

- go2rtc.nix: template config at runtime from /var/secrets/go2rtc-rtsp-url
  instead of embedding credentials in the nix store
- readme.md: add Mediaserver secrets section documenting all secrets
  needed for a fresh deploy (Cloudflare, go2rtc, Authelia)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

readme.md

@@ -165,6 +165,37 @@ After this succeeds, the plain `update` alias works from then on.
 | nix-flatpak | `github:gmodena/nix-flatpak` |
 | nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
 
+## Mediaserver secrets
+
+Several services on FredOS-Mediaserver require secrets that are stored on the machine (not in the repo). After a fresh deploy, create these before running `update`:
+
+```bash
+# Cloudflare API token (used by DDNS and ACME wildcard cert)
+# See services/cloudflare-ddns.md for token permissions
+echo -n 'your-cloudflare-api-token' | sudo tee /var/secrets/cloudflare-token
+sudo chmod 600 /var/secrets/cloudflare-token
+
+# go2rtc RTSP camera URL
+echo -n 'rtsp://username:password@camera-ip:554/stream1' | sudo tee /var/secrets/go2rtc-rtsp-url
+sudo chmod 600 /var/secrets/go2rtc-rtsp-url
+
+# Authelia secrets — auto-migrated from Docker on first deploy
+# If migrating from Docker, ensure these exist at /home/fred/docker/authelia/:
+#   - configuration.yml (jwt_secret, session secret, storage key are extracted)
+#   - users_database.yml (copied to /var/lib/authelia-main/)
+# For a fresh install, create manually:
+sudo mkdir -p /var/secrets/authelia
+echo -n 'random-jwt-secret'              | sudo tee /var/secrets/authelia/jwt_secret
+echo -n 'random-session-secret'          | sudo tee /var/secrets/authelia/session_secret
+echo -n 'random-storage-encryption-key'  | sudo tee /var/secrets/authelia/storage_encryption_key
+sudo chmod 600 /var/secrets/authelia/*
+
+# Authelia user database (for a fresh install)
+sudo mkdir -p /var/lib/authelia-main
+sudo cp users_database.yml /var/lib/authelia-main/
+sudo chown authelia-main:authelia-main /var/lib/authelia-main/users_database.yml
+```
+
 ## Notes
 
 - `hosts/hardware/` files are committed to the repo — they contain UUIDs and disk layout but no sensitive credentials

services/go2rtc.nix

@@ -1,18 +1,43 @@
 # services/go2rtc.nix — Native go2rtc camera streaming
-{ config, lib, ... }:
+# RTSP credentials kept out of the nix store via runtime config templating
+{ config, lib, pkgs, ... }:
+let
+  # Template config with placeholder — real URL injected at runtime
+  configTemplate = pkgs.writeText "go2rtc-template.yaml" (builtins.toJSON {
+    streams.kids_bedroom = "@RTSP_URL@";
+    api.listen = ":1984";
+    webrtc.listen = ":8555";
+  });
+
+  injectSecrets = pkgs.writeShellScript "go2rtc-inject-secrets" ''
+    set -euo pipefail
+    SECRETS="/var/secrets/go2rtc-rtsp-url"
+    mkdir -p /run/go2rtc
+    if [ -f "$SECRETS" ]; then
+      RTSP_URL=$(tr -d '\n' < "$SECRETS")
+      ${pkgs.gnused}/bin/sed "s|@RTSP_URL@|$RTSP_URL|g" ${configTemplate} > /run/go2rtc/config.yaml
+    else
+      echo "WARNING: $SECRETS not found, camera stream will not work" >&2
+      cp ${configTemplate} /run/go2rtc/config.yaml
+    fi
+  '';
+in
 {
   config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
 
     services.go2rtc = {
       enable = true;
       settings = {
-        # NOTE: RTSP credentials end up in the nix store — same exposure as
-        # the old Docker bind-mount config. Acceptable for a local LAN camera.
-        streams.kids_bedroom = "rtsp://fredrik:12345678@192.168.4.39:554/stream1";
         api.listen = ":1984";
         webrtc.listen = ":8555";
       };
     };
 
+    # Override to use runtime-templated config with secrets
+    systemd.services.go2rtc.serviceConfig = {
+      ExecStartPre = [ "!${injectSecrets}" ];
+      ExecStart = lib.mkForce "${config.services.go2rtc.package}/bin/go2rtc -config /run/go2rtc/config.yaml";
+    };
+
   };
 }