diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-27 18:27:34 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-27 18:36:25 +0200 |
| commit | 3086313e4c2acdce255315881a3e0e6a1de70e88 (patch) | |
| tree | dc4beb796fbf1d17718a4c7738b5a9101883d5e9 /nixos/modules/services/video | |
| parent | bdddb46f4b058465ad53134d4a118671f9956662 (diff) | |
nixos/frigate: fix recording and serving of clips/recordings
Frigate does string prefix matching for paths, which isn't exactly
compatible with dynamically provisioned directories of systemd, where
/var/cache/frigate is actually a symlink to /var/cache/private/frigate.
Because we are unlikely to get this fixed upstream, this is one of the
reason we should stop using DynamicUser= here.
The other being, that nginx needs to be able to serve clips and
recordings from both the CacheDirectory and the StateDirectory, and
nginx being a member on a group that may only exist after it was started
up doesn't work reliably.
This is also why we relax the umask to allow g+r/g+rx for newly created
files. Existing installs may need the following permissions fix to get
things going.
```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```
Co-Authored-By: Daniel Barlow <dan@telent.net>
Diffstat (limited to 'nixos/modules/services/video')
| -rw-r--r-- | nixos/modules/services/video/frigate.nix | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix index 217637cbebcf9..8db2bfae80ac0 100644 --- a/nixos/modules/services/video/frigate.nix +++ b/nixos/modules/services/video/frigate.nix @@ -322,6 +322,16 @@ in ''; }; + systemd.services.nginx.serviceConfig.SupplementaryGroups = [ + "frigate" + ]; + + users.users.frigate = { + isSystemUser = true; + group = "frigate"; + }; + users.groups.frigate = {}; + systemd.services.frigate = { after = [ "go2rtc.service" @@ -349,15 +359,18 @@ in serviceConfig = { ExecStart = "${cfg.package.python.interpreter} -m frigate"; - DynamicUser = true; User = "frigate"; + Group = "frigate"; + + UMask = "0027"; StateDirectory = "frigate"; - UMask = "0077"; + StateDirectoryMode = "0750"; # Caches PrivateTmp = true; CacheDirectory = "frigate"; + CacheDirectoryMode = "0750"; BindPaths = [ "/migrations:${cfg.package}/share/frigate/migrations:ro" |