got frigate working, need to figure out roles but thats good for now

2026-01-10 01:24:05 -05:00 · 2025-12-05 13:05:19 -05:00 · 2025-12-05 13:05:19 -05:00 · b5f3463ee2
commit b5f3463ee2
parent df055ff43b
2 changed files with 14 additions and 8 deletions
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -122,10 +122,12 @@
          cookie insecure off
        }

-        authorization policy mypolicy {
+        authorization policy frigate {
          set auth url /caddy-security/oauth2/generic
          allow roles frigate
          inject headers with claims
+          inject header Remote-User from name
+          inject header Remote-Role from groups
        }
      }
    '';
--- a/modules/services/frigate/default.nix
+++ b/modules/services/frigate/default.nix
@ -10,19 +10,23 @@ in
 }:
 let
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
-  frigateConfig = pkgs.writeText "config.yaml" (
+  frigateConfig = pkgs.writeText "frigate-config.yaml" (
    lib.generators.toYAML { } {
-      auth.reset_admin_password = true; # roll the admin password every restart, depend on user accounts for long-lived access
+      auth.enabled = false; # Proxy auth
      tls.enabled = false; # off because we're doing ssl through the proxy
+      proxy = {
+        logout_url = "https://auth.wanderingcrow.net";
+        default_role = "viewer";
+        header_map = {
+          user = "Remote-User";
+          role = "Remote-Role";
+        };
+      };
      mqtt = {
        enabled = true;
        host = "host.containers.internal";
        port = 1883;
      };
-      notifications = {
-        enabled = true;
-        email = "frigate@wanderingcrow.net";
-      };
      ui = {
        timezone = "America/New_York";
        time_format = "24hour";
@ -255,7 +259,7 @@ in
        authenticate with myportal
      }
      route /* {
-        authorize with mypolicy
+        authorize with frigate
        reverse_proxy http://10.88.0.10:8971
      }
    '';