Add reverse proxy for valetudo

See: https://old.reddit.com/r/linux_gaming/comments/11yp7ig/pipewire_audio_stuttering_when_playing_games_or/

common/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports = [
@@ -20,7 +20,7 @@
 
   system.stateVersion = "23.11";
 
-  networking.useDHCP = false;
+  networking.useDHCP = lib.mkDefault true;
 
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;

common/pc/audio.nix

@@ -19,6 +19,15 @@ in
       jack.enable = true;
     };
 
+    services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
+      context.properties = {
+        default.clock.rate = 48000;
+        default.clock.quantum = 2048;
+        default.clock.min-quantum = 512;
+        default.clock.max-quantum = 2048;
+      };
+    };
+
     users.users.googlebot.extraGroups = [ "audio" ];
 
     # bt headset support

common/pc/chromium.nix

@@ -41,7 +41,7 @@ in
         "SpellcheckLanguage" = [ "en-US" ];
       };
       defaultSearchProviderSuggestURL = null;
-      defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
+      defaultSearchProviderSearchURL = "https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
     };
 
     # hardware accelerated video playback (on intel)
@@ -52,7 +52,7 @@ in
         # ungoogled = true;
         # --enable-native-gpu-memory-buffers # fails on AMD APU
         # --enable-webrtc-vp9-support
-        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
+        commandLineArgs = "--use-vulkan";
       };
     };
     # todo vulkan in chrome

common/pc/default.nix

@@ -89,5 +89,8 @@ in
     # for luks onlock over tor
     services.tor.enable = true;
     services.tor.client.enable = true;
+
+    # Enable wayland support in various chromium based applications
+    environment.sessionVariables.NIXOS_OZONE_WL = "1";
   };
 }

common/pc/vscodium.nix

@@ -11,6 +11,8 @@ let
     golang.go
     jnoortheen.nix-ide
     ms-vscode.cpptools
+    rust-lang.rust-analyzer
+    vadimcn.vscode-lldb
   ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
     {
       name = "platformio-ide";
@@ -18,6 +20,12 @@ let
       version = "3.1.1";
       sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
     }
+    {
+      name = "wgsl-analyzer";
+      publisher = "wgsl-analyzer";
+      version = "0.8.1";
+      sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
+    }
   ];
 
   vscodium-with-extensions = pkgs.vscode-with-extensions.override {

machines/storage/s0/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./hardware-configuration.nix
+    ./frigate.nix
     ./home-automation.nix
   ];
 
@@ -193,9 +194,6 @@
         (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
         (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
         (mkVirtualHost "s0.neet.dev" "http://localhost:56815")
-        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
-        (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
-        (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
         {
           # Landing page LAN redirect
           "s0" = {
@@ -203,27 +201,20 @@
             redirectCode = 302;
             globalRedirect = "s0.neet.dev";
           };
+        }
+        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
+        (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
+        (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
+        {
           "frigate.s0.neet.dev" = {
             # Just configure SSL, frigate module configures the rest of nginx
             useACMEHost = "s0.neet.dev";
             forceSSL = true;
           };
         }
+        (mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
       ];
 
-    # Problem #1: Keeping certain programs from being accessed from certain external networks/VLANs
-    # Solution #1: Isolate that service in a container system that automatically fowards the ports to the right network interface(s)
-    # Solution #2: Don't open the firewall for these services, manually open the ports instead for the specific network interface(s) (trickier and easy to miss ports or ports can change)
-    # Untrusted network list:
-    #  - VLANs [cameras]
-
-    # Problem #2: Untrusted internal services. Prevent them from accessing certain internal services (usually key unauth'd services like frigate)
-    # Solution #1: Isolate the untrusted services into their own container
-    # Untrusted services list:
-    #  - Unifi? (it already has access to the cameras anyway?)
-    #  - torrenting, *arr (worried about vulns)
-
-
     tailscaleAuth = {
       enable = true;
       virtualHosts = [
@@ -240,6 +231,7 @@
         # "ha.s0.neet.dev" # messes up home assistant
         "esphome.s0.neet.dev"
         "zigbee.s0.neet.dev"
+        "vacuum.s0.neet.dev"
       ];
       expectedTailnet = "koi-bebop.ts.net";
     };

machines/storage/s0/frigate.nix

@@ -0,0 +1,155 @@
+{ config, pkgs, lib, ... }:
+
+let
+  frigateHostname = "frigate.s0.neet.dev";
+
+  mkGo2RtcStream = name: url: withAudio: {
+    ${name} = [
+      url
+      "ffmpeg:${name}#video=copy${if withAudio then "#audio=copy" else ""}"
+    ];
+  };
+
+  # Assumes camera is set to output:
+  # - rtsp
+  # - H.264 + AAC
+  # - a downscaled substream for detection
+  mkCamera = name: primaryUrl: detectUrl: {
+    # Reference https://docs.frigate.video/configuration/reference/
+    services.frigate.settings = {
+      cameras.${name} = {
+        ffmpeg = {
+          # Camera feeds are relayed through go2rtc
+          inputs = [
+            {
+              path = "rtsp://127.0.0.1:8554/${name}";
+              # input_args = "preset-rtsp-restream";
+              input_args = "preset-rtsp-restream-low-latency";
+              roles = [ "record" ];
+            }
+            {
+              path = detectUrl;
+              roles = [ "detect" ];
+            }
+          ];
+          output_args = {
+            record = "preset-record-generic-audio-copy";
+          };
+        };
+      };
+    };
+    services.go2rtc.settings.streams = lib.mkMerge [
+      (mkGo2RtcStream name primaryUrl false)
+
+      # Sadly having the detection stream go through go2rpc too makes the stream unreadable by frigate for some reason.
+      # It might need to be re-encoded to work.  But I am not interested in wasting the processing power if only frigate
+      # need the detection stream anyway. So just let frigate grab the stream directly since it works.
+      # (mkGo2RtcStream detectName detectUrl false)
+    ];
+  };
+
+  mkDahuaCamera = name: address:
+    let
+      # go2rtc and frigate have a slightly different syntax for inserting env vars. So the URLs are not interchangable :(
+      # - go2rtc: ${VAR}
+      # - frigate: {VAR}
+      primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
+      detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
+    in
+    mkCamera name primaryUrl detectUrl;
+
+  mkEsp32Camera = name: address: {
+    services.frigate.settings.cameras.${name} = {
+      ffmpeg = {
+        input_args = "";
+        inputs = [{
+          path = "http://${address}:8080";
+          roles = [ "detect" "record" ];
+        }];
+
+        output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
+      };
+    };
+  };
+in
+lib.mkMerge [
+  (mkDahuaCamera "dog-cam" "192.168.10.31")
+  # (mkEsp32Camera "dahlia-cam" "dahlia-cam.lan")
+  {
+    services.frigate = {
+      enable = true;
+      hostname = frigateHostname;
+      settings = {
+        mqtt = {
+          enabled = true;
+          host = "localhost:1883";
+        };
+        rtmp.enabled = false;
+        snapshots = {
+          enabled = true;
+          bounding_box = true;
+        };
+        record = {
+          enabled = true;
+          # sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
+          retain = {
+            days = 2; # Keep video for 2 days
+            mode = "motion";
+          };
+          events = {
+            retain = {
+              default = 10; # Keep video with detections for 10 days
+              mode = "motion";
+              # mode = "active_objects";
+            };
+          };
+        };
+        # Make frigate aware of the go2rtc streams
+        go2rtc.streams = config.services.go2rtc.settings.streams;
+        detect.enabled = true;
+        objects = {
+          track = [ "person" "dog" ];
+        };
+      };
+    };
+
+    services.go2rtc = {
+      enable = true;
+      settings = {
+        rtsp.listen = ":8554";
+        webrtc.listen = ":8555";
+      };
+    };
+
+    # Pass in env file with secrets to frigate/go2rtc
+    systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
+    systemd.services.go2rtc.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
+    age.secrets.frigate-credentials.file = ../../../secrets/frigate-credentials.age;
+  }
+  {
+    # hardware encode/decode with amdgpu vaapi
+    systemd.services.frigate = {
+      environment.LIBVA_DRIVER_NAME = "radeonsi";
+      serviceConfig = {
+        SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
+        AmbientCapabilities = "CAP_PERFMON";
+      };
+    };
+    services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
+  }
+  {
+    # Coral TPU for frigate
+    services.udev.packages = [ pkgs.libedgetpu ];
+    users.groups.apex = { };
+    systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
+    systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
+
+    # Coral PCIe driver
+    kernel.enableGasketKernelModule = true;
+
+    services.frigate.settings.detectors.coral = {
+      type = "edgetpu";
+      device = "pci";
+    };
+  }
+]

machines/storage/s0/hardware-configuration.nix

@@ -8,6 +8,7 @@
 
   # boot
   boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.memtest86.enable = true;
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
@@ -58,8 +59,12 @@
     };
   swapDevices = [ ];
 
-  networking.interfaces.eth0.useDHCP = true;
-  networking.interfaces.eth1.useDHCP = true;
+  networking.vlans = {
+    iot = {
+      id = 2;
+      interface = "eth1";
+    };
+  };
 
   powerManagement.cpuFreqGovernor = "powersave";
 }

machines/storage/s0/home-automation.nix

@@ -1,81 +1,6 @@
 { config, lib, pkgs, ... }:
 
-let
-  frigateHostname = "frigate.s0.neet.dev";
-
-  mkEsp32Cam = address: {
-    ffmpeg = {
-      input_args = "";
-      inputs = [{
-        path = address;
-        roles = [ "detect" "record" ];
-      }];
-
-      output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
-    };
-    rtmp.enabled = false;
-    snapshots = {
-      enabled = true;
-      bounding_box = true;
-    };
-    record = {
-      enabled = true;
-      retain.days = 10; # Keep video for 10 days
-      events.retain = {
-        default = 30; # Keep video with detections for 30 days
-        mode = "active_objects";
-      };
-    };
-    detect = {
-      enabled = true;
-      width = 800;
-      height = 600;
-      fps = 10;
-    };
-    objects = {
-      track = [ "person" ];
-    };
-  };
-in
 {
-  networking.firewall.allowedTCPPorts = [
-    # 1883 # mqtt
-  ];
-
-  services.frigate = {
-    enable = true;
-    hostname = frigateHostname;
-    settings = {
-      mqtt = {
-        enabled = true;
-        host = "localhost:1883";
-      };
-      cameras = {
-        dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
-      };
-      # ffmpeg = {
-      #   hwaccel_args = "preset-vaapi";
-      # };
-      detectors.coral = {
-        type = "edgetpu";
-        device = "pci";
-      };
-    };
-  };
-
-  # AMD GPU for vaapi
-  systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
-
-  # Coral TPU for frigate
-  services.udev.packages = [ pkgs.libedgetpu ];
-  users.groups.apex = { };
-  systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
-  systemd.services.frigate.serviceConfig = {
-    SupplementaryGroups = "apex";
-  };
-  # Coral PCIe driver
-  kernel.enableGasketKernelModule = true;
-
   services.esphome.enable = true;
 
   # TODO lock down
@@ -137,6 +62,9 @@ in
       "weather"
       "whois"
       "youtube"
+      "homekit_controller"
+      "zha"
+      "bluetooth"
     ];
     # config = null;
     config = {

machines/storage/s0/properties.nix

@@ -11,6 +11,7 @@
     "pia"
     "binary-cache"
     "gitea-actions-runner"
+    "frigate"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

secrets/frigate-credentials.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
+jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
+-> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
+OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
+--- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
+£³$šO†ÈIß/À//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRº’Ñ°E5¥ÍçÜ9

secrets/secrets.nix

@@ -54,4 +54,7 @@ with roles;
 
   # For ACME DNS Challenge
   "digitalocean-dns-credentials.age".publicKeys = server;
+
+  # Frigate (DVR)
+  "frigate-credentials.age".publicKeys = frigate;
 }