Refactor frigate config to add a bunch of features

- Enable vaapi GPU video encode/decode support
- Use go2rtc. This allows for watching high resolution camera feeds
- Split nix config into pieces that are easier to understand
- Add utilities for easily adding new cameras in the future
- misc changes

common/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports = [
@@ -20,7 +20,7 @@
 
   system.stateVersion = "23.11";
 
-  networking.useDHCP = false;
+  networking.useDHCP = lib.mkDefault true;
 
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;

machines/storage/s0/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./hardware-configuration.nix
+    ./frigate.nix
     ./home-automation.nix
   ];
 

machines/storage/s0/frigate.nix

@@ -0,0 +1,155 @@
+{ config, pkgs, lib, ... }:
+
+let
+  frigateHostname = "frigate.s0.neet.dev";
+
+  mkGo2RtcStream = name: url: withAudio: {
+    ${name} = [
+      url
+      "ffmpeg:${name}#video=copy${if withAudio then "#audio=copy" else ""}"
+    ];
+  };
+
+  # Assumes camera is set to output:
+  # - rtsp
+  # - H.264 + AAC
+  # - a downscaled substream for detection
+  mkCamera = name: primaryUrl: detectUrl: {
+    # Reference https://docs.frigate.video/configuration/reference/
+    services.frigate.settings = {
+      cameras.${name} = {
+        ffmpeg = {
+          # Camera feeds are relayed through go2rtc
+          inputs = [
+            {
+              path = "rtsp://127.0.0.1:8554/${name}";
+              # input_args = "preset-rtsp-restream";
+              input_args = "preset-rtsp-restream-low-latency";
+              roles = [ "record" ];
+            }
+            {
+              path = detectUrl;
+              roles = [ "detect" ];
+            }
+          ];
+          output_args = {
+            record = "preset-record-generic-audio-copy";
+          };
+        };
+      };
+    };
+    services.go2rtc.settings.streams = lib.mkMerge [
+      (mkGo2RtcStream name primaryUrl false)
+
+      # Sadly having the detection stream go through go2rpc too makes the stream unreadable by frigate for some reason.
+      # It might need to be re-encoded to work.  But I am not interested in wasting the processing power if only frigate
+      # need the detection stream anyway. So just let frigate grab the stream directly since it works.
+      # (mkGo2RtcStream detectName detectUrl false)
+    ];
+  };
+
+  mkDahuaCamera = name: address:
+    let
+      # go2rtc and frigate have a slightly different syntax for inserting env vars. So the URLs are not interchangable :(
+      # - go2rtc: ${VAR}
+      # - frigate: {VAR}
+      primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
+      detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
+    in
+    mkCamera name primaryUrl detectUrl;
+
+  mkEsp32Camera = name: address: {
+    services.frigate.settings.cameras.${name} = {
+      ffmpeg = {
+        input_args = "";
+        inputs = [{
+          path = "http://${address}:8080";
+          roles = [ "detect" "record" ];
+        }];
+
+        output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
+      };
+    };
+  };
+in
+lib.mkMerge [
+  (mkDahuaCamera "dog-cam" "192.168.10.31")
+  # (mkEsp32Camera "dahlia-cam" "dahlia-cam.lan")
+  {
+    services.frigate = {
+      enable = true;
+      hostname = frigateHostname;
+      settings = {
+        mqtt = {
+          enabled = true;
+          host = "localhost:1883";
+        };
+        rtmp.enabled = false;
+        snapshots = {
+          enabled = true;
+          bounding_box = true;
+        };
+        record = {
+          enabled = true;
+          # sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
+          retain = {
+            days = 2; # Keep video for 2 days
+            mode = "motion";
+          };
+          events = {
+            retain = {
+              default = 10; # Keep video with detections for 10 days
+              mode = "motion";
+              # mode = "active_objects";
+            };
+          };
+        };
+        # Make frigate aware of the go2rtc streams
+        go2rtc.streams = config.services.go2rtc.settings.streams;
+        detect.enabled = true;
+        objects = {
+          track = [ "person" "dog" ];
+        };
+      };
+    };
+
+    services.go2rtc = {
+      enable = true;
+      settings = {
+        rtsp.listen = ":8554";
+        webrtc.listen = ":8555";
+      };
+    };
+
+    # Pass in env file with secrets to frigate/go2rtc
+    systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
+    systemd.services.go2rtc.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
+    age.secrets.frigate-credentials.file = ../../../secrets/frigate-credentials.age;
+  }
+  {
+    # hardware encode/decode with amdgpu vaapi
+    systemd.services.frigate = {
+      environment.LIBVA_DRIVER_NAME = "radeonsi";
+      serviceConfig = {
+        SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
+        AmbientCapabilities = "CAP_PERFMON";
+      };
+    };
+    services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
+  }
+  {
+    # Coral TPU for frigate
+    services.udev.packages = [ pkgs.libedgetpu ];
+    users.groups.apex = { };
+    systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
+    systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
+
+    # Coral PCIe driver
+    kernel.enableGasketKernelModule = true;
+
+    services.frigate.settings.detectors.coral = {
+      type = "edgetpu";
+      device = "pci";
+    };
+  }
+]

machines/storage/s0/hardware-configuration.nix

@@ -8,6 +8,7 @@
 
   # boot
   boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.memtest86.enable = true;
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
@@ -58,8 +59,16 @@
     };
   swapDevices = [ ];
 
-  networking.interfaces.eth0.useDHCP = true;
+  networking.vlans = {
-  networking.interfaces.eth1.useDHCP = true;
+    default = {
+      id = 1;
+      interface = "eth1";
+    };
+    iot = {
+      id = 2;
+      interface = "eth1";
+    };
+  };
 
   powerManagement.cpuFreqGovernor = "powersave";
 }

machines/storage/s0/home-automation.nix

@@ -1,81 +1,6 @@
 { config, lib, pkgs, ... }:
 
-let
-  frigateHostname = "frigate.s0.neet.dev";
-
-  mkEsp32Cam = address: {
-    ffmpeg = {
-      input_args = "";
-      inputs = [{
-        path = address;
-        roles = [ "detect" "record" ];
-      }];
-
-      output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
-    };
-    rtmp.enabled = false;
-    snapshots = {
-      enabled = true;
-      bounding_box = true;
-    };
-    record = {
-      enabled = true;
-      retain.days = 10; # Keep video for 10 days
-      events.retain = {
-        default = 30; # Keep video with detections for 30 days
-        mode = "active_objects";
-      };
-    };
-    detect = {
-      enabled = true;
-      width = 800;
-      height = 600;
-      fps = 10;
-    };
-    objects = {
-      track = [ "person" ];
-    };
-  };
-in
 {
-  networking.firewall.allowedTCPPorts = [
-    # 1883 # mqtt
-  ];
-
-  services.frigate = {
-    enable = true;
-    hostname = frigateHostname;
-    settings = {
-      mqtt = {
-        enabled = true;
-        host = "localhost:1883";
-      };
-      cameras = {
-        dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
-      };
-      # ffmpeg = {
-      #   hwaccel_args = "preset-vaapi";
-      # };
-      detectors.coral = {
-        type = "edgetpu";
-        device = "pci";
-      };
-    };
-  };
-
-  # AMD GPU for vaapi
-  systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
-
-  # Coral TPU for frigate
-  services.udev.packages = [ pkgs.libedgetpu ];
-  users.groups.apex = { };
-  systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
-  systemd.services.frigate.serviceConfig = {
-    SupplementaryGroups = "apex";
-  };
-  # Coral PCIe driver
-  kernel.enableGasketKernelModule = true;
-
   services.esphome.enable = true;
 
   # TODO lock down
@@ -137,6 +62,9 @@ in
       "weather"
       "whois"
       "youtube"
+      "homekit_controller"
+      "zha"
+      "bluetooth"
     ];
     # config = null;
     config = {

machines/storage/s0/properties.nix

@@ -11,6 +11,7 @@
     "pia"
     "binary-cache"
     "gitea-actions-runner"
+    "frigate"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

secrets/frigate-credentials.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
+jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
+-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
+OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
+--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
+£³$šO†ÈIß/À//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRº’Ñ°E5¥ÍçÜ9

secrets/secrets.nix

@@ -54,4 +54,7 @@ with roles;
 
   # For ACME DNS Challenge
   "digitalocean-dns-credentials.age".publicKeys = server;
+
+  # Frigate (DVR)
+  "frigate-credentials.age".publicKeys = frigate;
 }