diff --git a/machines/default.nix b/machines/default.nix
index 3b49a2f..fe993f2 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -12,6 +12,15 @@ inputs: {
 system = "aarch64-linux";
 config = import ./eitri/configuration.nix inputs;
 };
+ frigate = {
+ config = import ./frigate/configuration.nix inputs;
+ deploy = {
+ host = "10.0.0.205";
+ sshUser = "erwin";
+ buildOn = "local";
+ substituteOnTarget = true;
+ };
+ };
 gitea = {
 config = import ./gitea/configuration.nix inputs;
 deploy = {
diff --git a/machines/frigate/configuration.nix b/machines/frigate/configuration.nix
new file mode 100644
index 0000000..9d947e6
--- /dev/null
+++ b/machines/frigate/configuration.nix
@@ -0,0 +1,57 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ../../users/root
+ ../../users/erwin
+ ];
+
+ eboskma = {
+ users.erwin.enable = true;
+ services = {
+ frigate.enable = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ };
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ # hostName = "gitea";
+ # useDHCP = false;
+
+ # interfaces = {
+ # eth0 = {
+ # ipv4.addresses = [
+ # {
+ # address = "10.0.0.204";
+ # prefixLength = 24;
+ # }
+ # ];
+ # };
+ # };
+
+ # defaultGateway = "10.0.0.1";
+ nameservers = [ "10.0.0.254" ];
+ };
+
+ proxmoxLXC = {
+ privileged = true;
+ };
+
+ security.sudo.execWheelOnly = true;
+
+ # services.openssh.enable = true;
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ frigate = { };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/machines/frigate/main.tf b/machines/frigate/main.tf
new file mode 100644
index 0000000..24306f5
--- /dev/null
+++ b/machines/frigate/main.tf
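Review bot: `proxmoxLXC.privileged = true;` in machines/frigate/configuration.nix makes the guest a privileged LXC, so root inside it is not UID-mapped away from root on the Proxmox host, and this machine also enables the frigate service that runs a container with a device passed through. Nothing in the file records why privileged mode is needed. If it is for the `/dev/dri/renderD128` passthrough, say so in a comment such as `# privileged: needed for /dev/dri passthrough to the frigate container`, or move to an unprivileged container with explicit device and idmap entries. The commented-out `networking` block still carries `hostName = "gitea"` and address `10.0.0.204` from another machine and can be deleted rather than kept as dead configuration.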
@@ -0,0 +1,46 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "Telmate/proxmox"
+ version = "2.9.11"
+ }
+ }
+}
+
+provider "proxmox" {
+ pm_api_url = var.proxmox_api_url
+ pm_api_token_id = var.proxmox_token_id
+ pm_api_token_secret = var.proxmox_token_secret
+ pm_tls_insecure = true
+}
+
+resource "proxmox_lxc" "minio" {
+ target_node = "pve"
+ hostname = "frigate"
+ ostemplate = "loki:vztmpl/nixos-23.05-default_20230318_amd64.tar.xz"
+ unprivileged = false
+ onboot = true
+
+ memory = 2048
+ swap = 2048
+
+ rootfs {
+ storage = "local-lvm"
+ size = "32G"
+ }
+
+ mountpoint {
+ key = "0"
+ slot = 0
+ storage = "local-lvm"
+ mp = "/data"
+ size = "256G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "10.0.0.205/24"
+ gw = "10.0.0.1"
+ }
+}
diff --git a/machines/frigate/secrets.yaml b/machines/frigate/secrets.yaml
new file mode 100644
index 0000000..c5f4807
--- /dev/null
+++ b/machines/frigate/secrets.yaml
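Review bot: `pm_tls_insecure = true` in the provider block of machines/frigate/main.tf turns off certificate verification for the Proxmox API, so the token ID and secret set on the lines above it are sent to whatever endpoint answers at `var.proxmox_api_url`. Prefer `pm_tls_insecure = false` with the Proxmox CA trusted on the machine that runs Terraform. The resource is also labelled `"minio"` while its hostname is `frigate`, which looks like a copy-paste leftover and will make the state address misleading; `resource "proxmox_lxc" "frigate" {` would match. `unprivileged = false` deserves a one-line comment stating why a privileged container is required.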
@@ -0,0 +1,30 @@ +frigate: ENC[AES256_GCM,data:IpnLY4KUpPs4PFlIDbH6Q+pvsRIUvvEbF5v0Vuwg9/acoHPaV2GlaSTQjIe/zLIWnIwFEWlnxSlXrcrE2QzMaYBKaAm27sxIMqA3Ga6J1u8afQccpq4sZXHC+oAEDyfwPvhMLly10xKaH/0okkfNxPc/xWmh5Q==,iv:ZUCdbYURgkr8sj0pa0iLkf2JSWefhArj7TTMZ2wvbtA=,tag:kLxf0tprebU7D8XUVmWQUQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRmRpM0JFWjJBamt2ZzJr + aTJJQkJhZTdKaUJId050aW1QeFVGVEZsb0JBCkdRLzVBNnV2YU5mYUh0MnJJeGZM + bWo4RG9OK3Flc3RncTlmK21pbkFDRG8KLS0tIGVzSnVaRHpva3p2dTJkMkRuaURB + cnNZU2sxcTF5MkdROWV5aFlOQTFrU28Kr6eeqJcW8HnbwHJQIERwqrLkczONwRTZ + jXnnDjAn9Jm1gzLNyKRNTwUwQN8ax4oIZ7RYvWQZqFDwGcaJkWJNDQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pjfysx68zqhlhc5nnyesytgjzkqgdnflve49al6uzs2wtlhadehq4naggq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYzdpeU9ta3JwSGYxWHhz + N3g2Z0U0S3lQYUhNVU11TFRKTGVOSkFuV2xJCnhZY1pldG1vSjV6NkVXdXVSN1R5 + cStZd2lIdXQydUMyQWtTMzFTOEFCSFkKLS0tIFl5RjdCRVRjSGhFbTQwOTZMc3pw + U0F4c2RNdVdBcXBPRFIxbkRrTzRlaTQKoNF6VemvxCrsqv+nh8GD3V2gC+K7GOT0 + FreCqv6TskUWLbFbMSh6uPq9NlQfkQ2EbZjnS61TCh81ivkuzdqXTQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-03-20T11:13:16Z" + mac: ENC[AES256_GCM,data:CrounB6Xsme6h2JVjW9lN5/2CGxr1jj7VVDM5Ge79/SF0TY5OQen1Fghyhdj+RnHVm2ylJbgBUtKidUDR1jakxQ0PjA9dZ63NuKIQQv1wogQIiKO4OVNqmk04IxRfs1wxKxXtiy2K89E1+fsDlDbmZt592AvyF6WKeAK5rHx0yE=,iv:j8kpMF/LaoCpfHavI3Pip9ldlR4HeNBcWhLZp5HkiVM=,tag:9+6ZA98O5AJRPIjN18ymiA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/frigate/variables.tf b/machines/frigate/variables.tf new file mode 100644 index 0000000..e974186 --- /dev/null +++ b/machines/frigate/variables.tf 
@@ -0,0 +1,17 @@
+variable "proxmox_token_id" {
+ description = "Proxmox API token ID"
+ type = string
+ sensitive = true
+}
+
+variable "proxmox_token_secret" {
+ description = "Proxmox API token secret"
+ type = string
+ sensitive = true
+}
+
+variable "proxmox_api_url" {
+ description = "Proxmox API URL"
+ type = string
+ sensitive = true
+}
diff --git a/modules/frigate/config.yml b/modules/frigate/config.yml
new file mode 100644
index 0000000..fb31fe8
--- /dev/null
+++ b/modules/frigate/config.yml
@@ -0,0 +1,35 @@
+mqtt:
+ host: mqtt.datarift.nl
+ port: 8883
+ user: frigate
+ password: "{FRIGATE_MQTT_PASSWORD}"
+
+logger:
+ default: info
+
+record:
+ enabled: true
+ retain:
+ days: 7
+
+snapshots:
+ enabled: true
+
+detect:
+ enabled: False
+
+# ffmpeg:
+# hwaccel_args: -hwaccel vaapi -hwaccel_device /dev/dri/renderD128 -hwaccel_output_format yuv420p
+
+cameras:
+ hobby:
+ ffmpeg:
+ inputs:
+ - path: http://10.0.0.161:8080/
+ roles:
+ - record
+ - rtmp
+ input_args: -avoid_negative_ts make_zero -fflags nobuffer -flags low_delay -strict experimental -fflags +genpts+discardcorrupt -use_wallclock_as_timestamps 1 -c:v mjpeg
+ output_args:
+ record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -an
+ rtmp: -c:v libx264 -an -f flv
diff --git a/modules/frigate/default.nix b/modules/frigate/default.nix
new file mode 100644
index 0000000..12267aa
--- /dev/null
+++ b/modules/frigate/default.nix
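Review bot: The `mqtt` block in modules/frigate/config.yml targets port 8883 but sets no TLS options. As far as I know, Frigate 0.11 only enables TLS on the MQTT client when `tls_ca_certs` is configured, so confirm the session is actually encrypted and the broker certificate verified; otherwise the connection either fails or sends the `frigate` user's password in clear. If TLS is intended, add `tls_ca_certs: <path to CA bundle inside the container>` under `mqtt:`. The camera input `http://10.0.0.161:8080/` is plain unauthenticated HTTP, which is worth a comment if that is a deliberate choice for this camera.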
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.eboskma.services.frigate;
+in
+{
+ options.eboskma.services.frigate = { enable = mkEnableOption "frigate"; };
+
+ config = mkIf cfg.enable {
+ # docker run -d \
+ # --name frigate \
+ # --restart=unless-stopped \
+ # --mount type=tmpfs,target=/tmp/cache,tmpfs-size=1000000000 \
+ # --device /dev/bus/usb:/dev/bus/usb \
+ # --device /dev/dri/renderD128 \
+ # --shm-size=64m \
+ # -v /path/to/your/storage:/media/frigate \
+ # -v /path/to/your/config.yml:/config/config.yml:ro \
+ # -v /etc/localtime:/etc/localtime:ro \
+ # -e FRIGATE_RTSP_PASSWORD='password' \
+ # -p 5000:5000 \
+ # -p 1935:1935 \
+ # blakeblackshear/frigate:stable
+
+ virtualisation.oci-containers.containers = {
+ frigate = {
+ autoStart = true;
+ image = "blakeblackshear/frigate:0.11.1";
+ ports = [
+ "5000:5000"
+ ];
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "${./config.yml}:/config/config.yml:ro"
+ "/data/frigate:/media/frigate"
+ ];
+ extraOptions = [
+ # "--device" "/dev/bus/usb:/dev/bus/usb"
+ "--device"
+ "/dev/dri/renderD128"
+ "--shm-size=128m"
+ "--mount"
+ "type=tmpfs,target=/tmp/cache,tmpfs-size=1G"
+ ];
+ environmentFiles = [
+ config.sops.secrets.frigate.path
+ ];
+ };
+ };
+ };
+}
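Review bot: `ports = [ "5000:5000" ]` in modules/frigate/default.nix publishes Frigate's web UI and API on every interface of the host, and to my knowledge Frigate 0.11 has no built-in authentication on that port, so anyone who can reach 10.0.0.205 can view recordings and snapshots. Consider binding to loopback with `"127.0.0.1:5000:5000"` and exposing it through an authenticating reverse proxy, or restricting the port in the firewall. The image is pinned by tag only (`blakeblackshear/frigate:0.11.1`); adding the digest would keep a re-pushed tag from changing what runs. `/dev/dri/renderD128` is handed to the container while `hwaccel_args` in config.yml is still commented out, so that device grant can wait until hardware acceleration is actually enabled.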