diff --git a/services/frigate.nix b/services/frigate.nix
index 9e935b4..7881095 100644
--- a/services/frigate.nix
+++ b/services/frigate.nix
@@ -2,6 +2,13 @@
 # Consumes go2rtc streams; no MQTT / Home Assistant dependency.
 # Authentication delegated to Authelia by hijacking the /auth location
 # that the upstream Frigate module bakes into every nginx location block.
+#
+# The Frigate NixOS module hardcodes `auth_request /auth` + `auth_request_set`
+# in every nginx location, reading $upstream_http_remote_role from the auth
+# subrequest response. Authelia doesn't return a Remote-Role header, so we
+# use a tiny local-only nginx wrapper (port 9092) that proxies to Authelia
+# and injects `Remote-Role: admin` into the response. The /auth location
+# then points at the wrapper instead of Authelia directly.
 { config, lib, ... }:
 {
   config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
@@ -46,15 +53,34 @@
     };
   };
+  # Local-only auth wrapper: proxies to Authelia and adds Remote-Role header
+  # so that auth_request_set $role $upstream_http_remote_role gets "admin".
+  services.nginx.virtualHosts."frigate-auth-wrapper" = {
+    listen = [{ addr = "127.0.0.1"; port = 9092; }];
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9091/api/verify";
+      extraConfig = ''
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Original-URL $http_x_original_url;
+        proxy_set_header X-Forwarded-Method $http_x_forwarded_method;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
+        proxy_set_header X-Forwarded-Uri $http_x_forwarded_uri;
+        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+        add_header Remote-Role admin always;
+      '';
+    };
+  };
+
   services.nginx.virtualHosts."frigate.nordhammer.it" = {
     useACMEHost = "nordhammer.it";
     forceSSL = true;
-    # The Frigate module puts `auth_request /auth` on every location.
-    # Override that internal /auth location to verify via Authelia
-    # instead of Frigate's built-in auth, so one login covers everything.
+    # Point /auth at the wrapper (9092) instead of Authelia (9091) directly.
+    # The wrapper proxies to Authelia and injects Remote-Role: admin.
     locations."/auth" = lib.mkForce {
-      proxyPass = "http://127.0.0.1:9091/api/verify";
+      proxyPass = "http://127.0.0.1:9092/";
       extraConfig = ''
         internal;
         proxy_pass_request_body off;
@@ -65,10 +91,6 @@
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header X-Forwarded-Uri $request_uri;
         proxy_set_header X-Forwarded-For $remote_addr;
-
-        # Inject admin role into auth response so Frigate's
-        # auth_request_set $role $upstream_http_remote_role picks it up
-        add_header Remote-Role admin;
       '';
     };
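Review bot: The wrapper's `add_header Remote-Role admin always;` hands the Frigate admin role to every identity Authelia accepts, so authorization inside Frigate collapses to "has any Authelia account" unless Authelia's access-control rule for frigate.nordhammer.it is itself limited to admins, which this diff does not show. If Frigate's admin/viewer split matters on this host, derive the role from the `Remote-Groups` header Authelia returns on a 200 reply instead of hard-coding it, e.g. with a `map` in `services.nginx.appendHttpConfig` as below (group name substituted for the placeholder). Either way the file-header comment added in the first hunk should state the trust assumption outright, e.g. `# NOTE: every Authelia-authenticated user receives Remote-Role: admin; keep Authelia's access_control rule for this domain restricted accordingly.` The `always` flag also attaches the header to Authelia's 401/403 replies; that is harmless because auth_request only honours 2xx, but a one-line comment saying so would stop someone from "cleaning it up" later.
```nix
# … unchanged: frigate-auth-wrapper listen, locations."/", proxy_set_header lines …
        add_header Remote-Role $frigate_role always;

# alongside the wrapper vhost, in the same module:
  services.nginx.appendHttpConfig = ''
    # Authelia returns the user's groups as Remote-Groups on a 200 reply;
    # map that to the Frigate role rather than granting admin unconditionally.
    map $upstream_http_remote_groups $frigate_role {
      default "";                                  # no matching group: no role (confirm how this Frigate version treats an empty Remote-Role)
      "~(^|,)<FRIGATE_ADMIN_GROUP>($|,)" admin;    # placeholder: the Authelia group allowed to administer Frigate
    }
  '';
```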