Unverified Commit 3086313e authored by Martin Weinelt

nixos/frigate: fix recording and serving of clips/recordings



Frigate does string prefix matching for paths, which isn't exactly
compatible with dynamically provisioned directories of systemd, where
/var/cache/frigate is actually a symlink to /var/cache/private/frigate.

Because we are unlikely to get this fixed upstream, this is one of the
reasons we should stop using DynamicUser= here.

The other being that nginx needs to be able to serve clips and
recordings from both the CacheDirectory and the StateDirectory, and
nginx being a member of a group that may only exist after it was started
up doesn't work reliably.

This is also why we relax the umask to allow g+r/g+rx for newly created
files. Existing installs may need the following permissions fix to get
things going.

```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```

Co-Authored-By: Daniel Barlow <dan@telent.net>
parent bdddb46f
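
The path mismatch the commit message describes, reproduced as an added example (not Frigate's code and not part of this commit). It assumes an application that resolves a file's real path but compares it against the configured base directory as a literal string; the function names and the temporary directory layout are constructed for illustration, and the sibling-directory case goes beyond what the message states.

```python
import os
import tempfile


def naive_is_under(path: str, base: str) -> bool:
    """Assumed pattern: resolved file path, literal string prefix for the base."""
    return os.path.realpath(path).startswith(base)


def resolved_is_under(path: str, base: str) -> bool:
    """Resolve symlinks on both sides and compare whole path components."""
    real_path = os.path.realpath(path)
    real_base = os.path.realpath(base)
    return os.path.commonpath([real_path, real_base]) == real_base


def demo() -> dict:
    # Constructed layout mirroring DynamicUser=:
    #   <root>/cache/frigate -> <root>/cache/private/frigate
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        private = os.path.join(root, "cache", "private", "frigate")
        os.makedirs(private)
        public = os.path.join(root, "cache", "frigate")
        os.symlink(private, public)

        clip = os.path.join(public, "clip.mp4")
        open(clip, "wb").close()
        # A sibling directory that merely shares the string prefix.
        sibling = os.path.join(root, "cache", "frigate-other", "x.mp4")

        return {
            # The real path lives under private/, so the prefix test rejects it.
            "naive_clip": naive_is_under(clip, public),
            "resolved_clip": resolved_is_under(clip, public),
            # The prefix test also accepts a path outside the base directory.
            "naive_sibling": naive_is_under(sibling, public),
            "resolved_sibling": resolved_is_under(sibling, public),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```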
+15 −2
@@ -322,6 +322,16 @@ in
      '';
    };

    systemd.services.nginx.serviceConfig.SupplementaryGroups = [
      "frigate"
    ];

    users.users.frigate = {
      isSystemUser = true;
      group = "frigate";
    };
    users.groups.frigate = {};

    systemd.services.frigate = {
      after = [
        "go2rtc.service"
@@ -349,15 +359,18 @@ in
      serviceConfig = {
        ExecStart = "${cfg.package.python.interpreter} -m frigate";

        DynamicUser = true;
        User = "frigate";
        Group = "frigate";

        UMask = "0027";

        StateDirectory = "frigate";
        UMask = "0077";
        StateDirectoryMode = "0750";

        # Caches
        PrivateTmp = true;
        CacheDirectory = "frigate";
        CacheDirectoryMode = "0750";

        BindPaths = [
          "/migrations:${cfg.package}/share/frigate/migrations:ro"