| field | value | date |
|---|---|---|
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-27 18:27:34 +0200 |
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-27 18:36:25 +0200 |
| commit | 3086313e4c2acdce255315881a3e0e6a1de70e88 | |
| tree | dc4beb796fbf1d17718a4c7738b5a9101883d5e9 /nixos | |
| parent | bdddb46f4b058465ad53134d4a118671f9956662 | |
nixos/frigate: fix recording and serving of clips/recordings
Frigate does string prefix matching for paths, which isn't exactly compatible with dynamically provisioned directories of systemd, where /var/cache/frigate is actually a symlink to /var/cache/private/frigate.

Because we are unlikely to get this fixed upstream, this is one of the reasons we should stop using DynamicUser= here. The other being that nginx needs to be able to serve clips and recordings from both the CacheDirectory and the StateDirectory, and nginx being a member of a group that may only exist after it was started up doesn't work reliably.

This is also why we relax the umask to allow g+r/g+rx for newly created files.

Existing installs may need the following permissions fix to get things going.

```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```

Co-Authored-By: Daniel Barlow <dan@telent.net>
Diffstat (limited to 'nixos')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | nixos/modules/services/video/frigate.nix | 17 |

1 file changed, 15 insertions, 2 deletions
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix index 217637cbebcf..8db2bfae80ac 100644 --- a/nixos/modules/services/video/frigate.nix +++ b/nixos/modules/services/video/frigate.nix @@ -322,6 +322,16 @@ in ''; }; + systemd.services.nginx.serviceConfig.SupplementaryGroups = [ + "frigate" + ]; + + users.users.frigate = { + isSystemUser = true; + group = "frigate"; + }; + users.groups.frigate = {}; + systemd.services.frigate = { after = [ "go2rtc.service" @@ -349,15 +359,18 @@ in serviceConfig = { ExecStart = "${cfg.package.python.interpreter} -m frigate"; - DynamicUser = true; User = "frigate"; + Group = "frigate"; + + UMask = "0027"; StateDirectory = "frigate"; - UMask = "0077"; + StateDirectoryMode = "0750"; # Caches PrivateTmp = true; CacheDirectory = "frigate"; + CacheDirectoryMode = "0750"; BindPaths = [ "/migrations:${cfg.package}/share/frigate/migrations:ro" |
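Review bot: in the first hunk (`@@ -322,6 +322,16 @@`), `systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "frigate" ]` gives nginx read access to everything group-readable under the frigate StateDirectory and CacheDirectory, not only the clips and recordings it needs to serve; with the new `UMask = "0027"` in the other hunk that is every file the service creates from now on, including its database. Nothing in the hunk or the commit message says this widening is intended, so please either document it (commit message or option description) or note why nginx cannot be limited to the media paths.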
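Review bot: in the second hunk (`@@ -349,15 +359,18 @@`), removing `- DynamicUser = true;` also drops the hardening systemd applies implicitly for dynamic users: `ProtectSystem=strict`, `ProtectHome=read-only`, `NoNewPrivileges=yes`, `RestrictSUIDSGID=yes` and `RemoveIPC=yes`. `PrivateTmp = true;` is still set explicitly, but none of the others appear in the hunk, so the switch to a static user quietly weakens the unit; suggest adding them to `serviceConfig`, e.g. `ProtectSystem = "strict";`, `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;`. Also, `StateDirectoryMode = "0750";` and `CacheDirectoryMode = "0750";` only affect the top-level directories, so subdirectories and files created under the old `UMask = "0077"` keep their modes; the chmod loop in the commit message covers that for existing installs, but nothing in the module does, so a release-note entry would help.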