Basic oauth proxy for frigate

machines/ephemeral/sdimg.nix

@@ -0,0 +1,57 @@
+{ config, modulesPath, pkgs, lib, ... }:
+
+let
+  pinecube-uboot = pkgs.buildUBoot {
+    defconfig = "pinecube_defconfig";
+    extraMeta.platforms = [ "armv7l-linux" ];
+    filesToInstall = [ "u-boot-sunxi-with-spl.bin" ];
+  };
+in
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+    ./minimal.nix
+  ];
+
+  sdImage.populateFirmwareCommands = "";
+  sdImage.populateRootCommands = ''
+    mkdir -p ./files/boot
+    ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+  '';
+  sdImage.postBuildCommands = ''
+    dd if=${pinecube-uboot}/u-boot-sunxi-with-spl.bin of=$img bs=1024 seek=8 conv=notrunc
+  '';
+
+  ###
+
+  networking.hostName = "pinecube";
+
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+  boot.consoleLogLevel = 7;
+
+  # cma is 64M by default which is waay too much and we can't even unpack initrd
+  boot.kernelParams = [ "console=ttyS0,115200n8" "cma=32M" ];
+
+  boot.kernelModules = [ "spi-nor" ]; # Not sure why this doesn't autoload. Provides SPI NOR at /dev/mtd0
+  boot.extraModulePackages = [ config.boot.kernelPackages.rtl8189es ];
+
+  zramSwap.enable = true; # 128MB is not much to work with
+
+  sound.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+    (v4l_utils.override { withGUI = false; })
+    usbutils
+  ];
+
+  services.getty.autologinUser = lib.mkForce "googlebot";
+  users.users.googlebot = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" "video" ];
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
+  };
+
+  networking.wireless.enable = true;
+}

machines/storage/s0/default.nix

@@ -220,4 +220,6 @@
     enable = true;
     configFile = ./dashy.yaml;
   };
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }

machines/storage/s0/home-automation.nix

@@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }:
 
+let
+  frigateHostname = "frigate.s0";
+  frigatePort = 61617;
+in
 {
   networking.firewall.allowedTCPPorts = [
     # 1883 # mqtt
     55834 # mqtt zigbee frontend
+    frigatePort
+    4180 # oauth proxy
   ];
 
   services.frigate = {
     enable = true;
-    hostname = "frigate.s0";
+    hostname = frigateHostname;
     settings = {
       mqtt = {
         enabled = true;
@@ -73,6 +79,11 @@
   # Coral PCIe driver
   kernel.enableGasketKernelModule = true;
 
+  # Allow accessing frigate UI on a specific port in addition to by hostname
+  services.nginx.virtualHosts.${frigateHostname} = {
+    listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
+  };
+
   services.esphome = {
     enable = true;
     address = "0.0.0.0";
@@ -133,4 +144,42 @@
       default_config = { };
     };
   };
+
+  services.oauth2_proxy =
+    let
+      nextcloudServer = "https://neet.cloud/";
+    in
+    {
+      enable = true;
+
+      httpAddress = "http://0.0.0.0:4180";
+
+      nginx.virtualHosts = [
+        frigateHostname
+      ];
+
+      email.domains = [ "*" ];
+
+      cookie.secure = false;
+
+      provider = "nextcloud";
+
+      # redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
+      clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
+      keyFile = "/run/agenix/oauth2-proxy-env";
+
+      loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
+      redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
+      validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
+
+      # todo --cookie-refresh
+
+      extraConfig = {
+        # cookie-csrf-per-request = true;
+        # cookie-csrf-expire = "5m";
+        # user-id-claim = "preferred_username";
+      };
+    };
+
+  age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
 }

secrets/secrets.nix

@@ -32,6 +32,7 @@ with roles;
   # cloud
   "nextcloud-pw.age".publicKeys = nextcloud;
   "smb-secrets.age".publicKeys = personal ++ media-center;
+  "oauth2-proxy-env.age".publicKeys = server;
 
   # services
   "searx.age".publicKeys = nobody;