From 3086313e4c2acdce255315881a3e0e6a1de70e88 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 27 Jul 2023 18:27:34 +0200
Subject: [PATCH] nixos/frigate: fix recording and serving of clips/recordings

Frigate does string prefix matching for paths, which isn't exactly compatible with dynamically provisioned directories of systemd, where /var/cache/frigate is actually a symlink to /var/cache/private/frigate. Because we are unlikely to get this fixed upstream, this is one of the reason we should stop using DynamicUser= here. The other being, that nginx needs to be able to serve clips and recordings from both the CacheDirectory and the StateDirectory, and nginx being a member on a group that may only exist after it was started up doesn't work reliably. This is also why we relax the umask to allow g+r/g+rx for newly created files. Existing installs may need the following permissions fix to get things going.

```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```

Co-Authored-By: Daniel Barlow
---
 nixos/modules/services/video/frigate.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
index 217637cbebcf..8db2bfae80ac 100644
--- a/nixos/modules/services/video/frigate.nix
+++ b/nixos/modules/services/video/frigate.nix
@@ -322,6 +322,16 @@ in
       '';
     };
 
+  systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+    "frigate"
+  ];
+
+  users.users.frigate = {
+    isSystemUser = true;
+    group = "frigate";
+  };
+  users.groups.frigate = {};
+
   systemd.services.frigate = {
     after = [
       "go2rtc.service"
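Review bot: Adding nginx to the `frigate` supplementary group grants it group read access to everything frigate owns, not only the clips and recordings it needs to serve; together with the relaxed `UMask = "0027"` and `StateDirectoryMode = "0750"` in the second hunk, every file frigate creates under its StateDirectory (its database and any other state) becomes readable by the nginx user, and therefore by any other site served from the same nginx instance. If only the recordings and clips subtrees need serving, consider a dedicated group or a narrower grant on those directories, and in any case record the trade-off next to the SupplementaryGroups line, e.g. `# nginx serves clips/recordings from the State- and CacheDirectory; this exposes the whole frigate state dir to the nginx user`. The `systemd.services.nginx` and `users.*` assignments appear unconditional in this hunk; if they are not already inside the module's enable guard (not visible here), they will create the user/group and alter nginx on every host that imports the module.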
@@ -349,15 +359,18 @@ in
     serviceConfig = {
       ExecStart = "${cfg.package.python.interpreter} -m frigate";
-      DynamicUser = true;
       User = "frigate";
+      Group = "frigate";
+
+      UMask = "0027";
 
       StateDirectory = "frigate";
-      UMask = "0077";
+      StateDirectoryMode = "0750";
 
       # Caches
       PrivateTmp = true;
       CacheDirectory = "frigate";
+      CacheDirectoryMode = "0750";
 
       BindPaths = [
         "/migrations:${cfg.package}/share/frigate/migrations:ro"