author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-02-07 00:02:01 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-07 00:02:01 +0000 |
commit | 9824e51195266af2caa3fcb8db0c9328f26a6975 (patch) | |
tree | e1eccd9c53ce3440ab9107c932db2422070d7923 /nixos | |
parent | 175f7054d59fcf36430b0f8f06e9464e42f27ac1 (diff) | |
parent | 0b9427cf71692882a063a395554fe1cc5e0ede4b (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/video/frigate.nix | 135 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/photoprism.nix | 2 | ||||
-rw-r--r-- | nixos/tests/frigate.nix | 9 |
5 files changed, 110 insertions, 45 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b64a3360701a..23a761041bf4 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -219,6 +219,7 @@ ./programs/msmtp.nix ./programs/mtr.nix ./programs/nano.nix + ./programs/nautilus-open-any-terminal.nix ./programs/nbd.nix ./programs/neovim.nix ./programs/nethoscope.nix diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 35151ebd6bd7..4b7a86c44a0c 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -174,9 +174,8 @@ in '') (optionalString cfg.genCfsslAPIToken '' if [ ! -f "${cfsslAPITokenPath}" ]; then - head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}" + install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}" fi - chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}" '')]); systemd.services.kube-certmgr-bootstrap = { @@ -194,7 +193,7 @@ in if [ -f "${cfsslAPITokenPath}" ]; then ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}" else - touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}" + install -m 600 /dev/null "${certmgrAPITokenPath}" fi '' (optionalString (cfg.pkiTrustOnBootstrap) '' @@ -297,8 +296,7 @@ in exit 1 fi - echo $token > ${certmgrAPITokenPath} - chmod 600 ${certmgrAPITokenPath} + install -m 0600 <(echo $token) ${certmgrAPITokenPath} echo "Restarting certmgr..." >&1 systemctl restart certmgr diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix index b7945282ba09..0c923a20c40c 100644 --- a/nixos/modules/services/video/frigate.nix +++ b/nixos/modules/services/video/frigate.nix 
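Review bot: In the pki.nix hunk at `@@ -174,9 +174,8 @@`, `install -u cfssl` does not look like a valid way to set the owner: GNU coreutils `install` takes the owner with `-o`/`--owner` and has no `-u`, so this line would presumably fail with an invalid-option error and the cfssl API token would never be written. The call should read `install -o cfssl -m 400 <(head -c … | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"`. The removed `chown cfssl … && chmod 400 …` also sat after the `fi` and so ran on every start; with the new form an already existing token file with loose ownership or mode is no longer corrected, which is worth either restoring or stating in a comment. The enclosing script string starts and ends outside the hunk.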
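Review bot: In the pki.nix hunk at `@@ -297,8 +296,7 @@`, the new `install -m 0600 <(echo $token) ${certmgrAPITokenPath}` leaves both the token and the destination path unquoted, so a value containing whitespace or glob characters is word-split before it reaches the file. Writing it as `install -m 0600 <(printf '%s\n' "$token") "${certmgrAPITokenPath}"` keeps the mode-at-creation benefit of the change and also avoids `echo` interpreting a token that begins with a dash. The surrounding script begins before the hunk and continues after it.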
@@ -17,7 +17,7 @@ let cfg = config.services.frigate; - format = pkgs.formats.yaml {}; + format = pkgs.formats.yaml { }; filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! lib.elem v [ null ])) cfg.settings; @@ -112,7 +112,7 @@ in }; }; }; - default = {}; + default = { }; description = mdDoc '' Frigate configuration as a nix attribute set. @@ -125,7 +125,7 @@ in config = mkIf cfg.enable { services.nginx = { - enable =true; + enable = true; additionalModules = with pkgs.nginxModules; [ secure-token rtmp 
@@ -133,31 +133,64 @@ in ]; recommendedProxySettings = mkDefault true; recommendedGzipSettings = mkDefault true; + mapHashBucketSize = mkDefault 128; upstreams = { frigate-api.servers = { - "127.0.0.1:5001" = {}; + "127.0.0.1:5001" = { }; }; frigate-mqtt-ws.servers = { - "127.0.0.1:5002" = {}; + "127.0.0.1:5002" = { }; }; frigate-jsmpeg.servers = { - "127.0.0.1:8082" = {}; + "127.0.0.1:8082" = { }; }; frigate-go2rtc.servers = { - "127.0.0.1:1984" = {}; + "127.0.0.1:1984" = { }; }; }; - # Based on https://github.com/blakeblackshear/frigate/blob/v0.12.0/docker/rootfs/usr/local/nginx/conf/nginx.conf + proxyCachePath."frigate" = { + enable = true; + keysZoneSize = "10m"; + keysZoneName = "frigate_api_cache"; + maxSize = "10m"; + inactive = "1m"; + levels = "1:2"; + }; + # Based on https://github.com/blakeblackshear/frigate/blob/v0.13.1/docker/main/rootfs/usr/local/nginx/conf/nginx.conf virtualHosts."${cfg.hostname}" = { locations = { "/api/" = { proxyPass = "http://frigate-api/"; + extraConfig = '' + proxy_cache frigate_api_cache; + proxy_cache_lock on; + proxy_cache_use_stale updating; + proxy_cache_valid 200 5s; + proxy_cache_bypass $http_x_cache_bypass; + proxy_no_cache $should_not_cache; + add_header X-Cache-Status $upstream_cache_status; + + location /api/vod/ { + proxy_pass http://frigate-api/vod/; + proxy_cache off; + } + + location /api/stats { + access_log off; + rewrite ^/api/(.*)$ $1 break; + proxy_pass http://frigate-api; + } + + location /api/version { + access_log off; + rewrite ^/api/(.*)$ $1 break; + proxy_pass http://frigate-api; + } + ''; }; "~* /api/.*\.(jpg|jpeg|png)$" = { proxyPass = "http://frigate-api"; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS'; rewrite ^/api/(.*)$ $1 break; ''; }; 
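Review bot: The new `/api/` cache in `extraConfig` relies on nginx's default cache key, which does not vary on `Cookie` or `Authorization`, so the block silently assumes that every cacheable 200 JSON response under `/api/` is the same for all callers. If a deployment ever puts identity-dependent responses behind this location, one client's cached answer could be served to another for the 5s validity window. A comment above `extraConfig` would record that assumption, for example `# cache assumes /api/ responses do not depend on the caller's identity`, and the same comment should say that `$should_not_cache` is defined by the `map` in `appendHttpConfig` further down the file, since nothing near `proxy_no_cache` points there. The `locations` attribute set continues outside the hunk.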
@@ -169,10 +202,6 @@ in secure_token $args; secure_token_types application/vnd.apple.mpegurl; - add_header Access-Control-Allow-Headers '*'; - add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range'; - add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS'; - add_header Access-Control-Allow-Origin '*'; add_header Cache-Control "no-store"; expires off; ''; 
@@ -192,27 +221,64 @@ in proxyPass = "http://frigate-go2rtc/"; proxyWebsockets = true; }; + # frigate lovelace card uses this path + "/live/mse/api/ws" = { + proxyPass = "http://frigate-go2rtc/api/ws"; + proxyWebsockets = true; + extraConfig = '' + limit_except GET { + deny all; + } + ''; + }; "/live/webrtc/" = { proxyPass = "http://frigate-go2rtc/"; proxyWebsockets = true; }; + "/live/webrtc/api/ws" = { + proxyPass = "http://frigate-go2rtc/api/ws"; + proxyWebsockets = true; + extraConfig = '' + limit_except GET { + deny all; + } + ''; + }; + # pass through go2rtc player + "/live/webrtc/webrtc.html" = { + proxyPass = "http://frigate-go2rtc/webrtc.html"; + proxyWebsockets = true; + extraConfig = '' + limit_except GET { + deny all; + } + ''; + }; + "/api/go2rtc/api" = { + proxyPass = "http://frigate-go2rtc/api"; + proxyWebsockets = true; + extraConfig = '' + limit_except GET { + deny all; + } + ''; + }; + # integrationn uses this to add webrtc candidate + "/api/go2rtc/webrtc" = { + proxyPass = "http://frigate-go2rtc/api/webrtc"; + proxyWebsockets = true; + extraConfig = '' + limit_except GET { + deny all; + } + ''; + }; "/cache/" = { alias = "/var/cache/frigate/"; }; "/clips/" = { root = "/var/lib/frigate"; extraConfig = '' - add_header 'Access-Control-Allow-Origin' "$http_origin" always; - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' "$http_origin"; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - types { video/mp4 mp4; image/jpeg jpg; 
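Review bot: The `limit_except GET { deny all; }` blocks cover only the five exact prefixes added here, while `"/live/webrtc/"` (and the location whose body opens this hunk) still proxy every method to the go2rtc root, so other go2rtc paths under those broader prefixes are forwarded without the method restriction. If the intent is to expose go2rtc read-only, the broad locations need the same restriction or should give way to the specific ones. Separately, `/api/go2rtc/webrtc` is commented as adding a WebRTC candidate, which is presumably a POST; under `limit_except GET` that request would be denied, so the method should be checked against the upstream nginx.conf this block is based on (likely `limit_except POST { deny all; }`). The comment above it also has a typo, `integrationn`. The `locations` set starts and ends outside the hunk.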
@@ -224,17 +290,6 @@ in "/recordings/" = { root = "/var/lib/frigate"; extraConfig = '' - add_header 'Access-Control-Allow-Origin' "$http_origin" always; - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' "$http_origin"; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - types { video/mp4 mp4; } @@ -315,6 +370,12 @@ in } } ''; + appendHttpConfig = '' + map $sent_http_content_type $should_not_cache { + 'application/json' 0; + default 1; + } + ''; }; systemd.services.nginx.serviceConfig.SupplementaryGroups = [ @@ -325,7 +386,7 @@ in isSystemUser = true; group = "frigate"; }; - users.groups.frigate = {}; + users.groups.frigate = { }; systemd.services.frigate = { after = [ diff --git a/nixos/modules/services/web-apps/photoprism.nix b/nixos/modules/services/web-apps/photoprism.nix index 1716840e84e5..d3773cc9cf78 100644 --- a/nixos/modules/services/web-apps/photoprism.nix +++ b/nixos/modules/services/web-apps/photoprism.nix @@ -21,7 +21,7 @@ let eval "$(${config.systemd.package}/bin/systemctl show -pUID,MainPID photoprism.service | ${pkgs.gnused}/bin/sed "s/UID/ServiceUID/")" exec ${pkgs.util-linux}/bin/nsenter \ -t $MainPID -m -S $ServiceUID -G $ServiceUID --wdns=${cfg.storagePath} \ - exec ${cfg.package}/bin/photoprism "$@" + ${cfg.package}/bin/photoprism "$@" ''; in { diff --git a/nixos/tests/frigate.nix b/nixos/tests/frigate.nix index 836fe0d063f8..03bd2b89611d 100644 --- a/nixos/tests/frigate.nix +++ b/nixos/tests/frigate.nix @@ -41,6 +41,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : serviceConfig = { DynamicUser = true; ExecStart = "${lib.getBin pkgs.ffmpeg-headless}/bin/ffmpeg -re -f lavfi -i smptebars=size=800x600:rate=10 -f mpegts -listen 1 http://0.0.0.0:8080"; + Restart = "always"; }; }; }; 
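Review bot: In the photoprism.nix hunk the script still passes `$MainPID` and `$ServiceUID` to `nsenter` unquoted and unchecked after `eval`-ing the output of `systemctl show`; when photoprism.service is not running systemd reports `MainPID=0`, and the command then fails with an nsenter error that does not say why. A guard before the `exec`, such as `if [ -z "$MainPID" ] || [ "$MainPID" = 0 ]; then echo "photoprism.service is not running" >&2; exit 1; fi`, makes that case explicit, and quoting the two variables in the `nsenter` call keeps an unexpected value from being word-split. The let-bound script starts outside the hunk.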
@@ -51,10 +52,14 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : machine.wait_for_unit("frigate.service") + # Frigate startup machine.wait_for_open_port(5001) - machine.succeed("curl http://localhost:5001") + # nginx startup + machine.wait_for_open_port(80) - machine.wait_for_file("/var/cache/frigate/test-*.mp4") + machine.succeed("curl http://localhost") + + machine.wait_for_file("/var/cache/frigate/test@*.mp4") ''; }) |
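Review bot: `machine.succeed("curl http://localhost")` passes on any HTTP status, because curl exits 0 on 4xx and 5xx responses unless asked to fail, so the test would not notice nginx answering with an error page while the Frigate upstream is unavailable. Changing the line to `machine.succeed("curl --fail http://localhost")` makes the check assert a successful response through the proxy. The test script begins before the hunk.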