From acf2853223f58e1881a1c72b76a05677f4791428 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jun 2024 16:13:35 +0000 Subject: [PATCH] frigate: Don't store plaintext passwords in config --- roles/frigate/tasks/main.yml | 9 +++++++++ roles/frigate/templates/frigate-container.service.j2 | 3 ++- roles/frigate/templates/frigate-container.sysconfig.j2 | 3 +++ roles/frigate/templates/frigate.yml.j2 | 4 ++-- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 roles/frigate/templates/frigate-container.sysconfig.j2 diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 7f5e321..a897972 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -71,6 +71,15 @@ group: "{{ ansible_wheel }}" notify: Restart frigate +- name: Create environment config for service + ansible.builtin.template: + dest: /etc/sysconfig/frigate-container + src: frigate-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart frigate + - name: Enable service ansible.builtin.service: name: frigate-container diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index edb295e..e835cf6 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -5,6 +5,7 @@ After=network-online.target [Service] User=frigate +EnvironmentFile=/etc/sysconfig/frigate-container ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8007:5000 \ --name frigate \ @@ -12,7 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ --volume /dev/bus/usb:/dev/bus/usb:rw \ - ghcr.io/blakeblackshear/frigate:{{ frigate_version }} + --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate 
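Review bot: The new `Create environment config for service` task renders the camera passwords but does not suppress diff output, so a run with `--diff` would presumably print the rendered `FRIGATE_*_PASS` lines to the console and to any job log that captures it. Adding `diff: false` to the task keeps them out; `no_log: true` also works, at the cost of hiding error detail. The `mode: "0600"` with `owner: root` is the right restriction for the file itself. A short comment such as `# holds camera credentials, read by systemd via EnvironmentFile=` would tell the next maintainer why the mode must not be loosened.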
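Review bot: `--env=FRIGATE_*` in the second hunk of `frigate-container.service.j2` places the passwords in the container's environment, where `podman inspect frigate` run as the `frigate` user and every process inside the container can read them back. The `0600` mode on `/etc/sysconfig/frigate-container` does not cover that path. If this exposure matters for the deployment, podman's `--secret` option with `type=env` is worth evaluating in place of the environment file. The trailing `*` is podman's own prefix match, since systemd does not glob `ExecStart` arguments, and it forwards every `FRIGATE_`-prefixed variable in the unit's environment; a comment above `ExecStart` such as `# FRIGATE_* is matched by podman, not expanded by a shell` would record that. The `ExecStart` command begins outside this hunk.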
diff --git a/roles/frigate/templates/frigate-container.sysconfig.j2 b/roles/frigate/templates/frigate-container.sysconfig.j2 new file mode 100644 index 0000000..c6b07ef --- /dev/null +++ b/roles/frigate/templates/frigate-container.sysconfig.j2 @@ -0,0 +1,3 @@ +{% for camera in cctv_cameras %} +FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}" +{% endfor %} diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 7ceb0c7..433dfa0 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -23,12 +23,12 @@ cameras: enabled: true ffmpeg: inputs: - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub" input_args: preset-rtsp-restream roles: - detect - rtmp - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" input_args: preset-rtsp-restream roles: - record
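Review bot: Both interpolated values on the `FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}"` line are written unvalidated into a file that systemd parses. A password containing `"`, `\` or a newline changes how the line is read, and a newline could define a further variable in the unit's environment. A camera name with a hyphen, space or leading digit gives an invalid variable name, so the `{FRIGATE_…_PASS}` lookup in `frigate.yml.j2` would likely fail at start-up. Escaping the value, e.g. `{{ camera.pass | replace('\\', '\\\\') | replace('"', '\\"') }}`, and rejecting passwords with line breaks would close the first gap. For the second, an `ansible.builtin.assert` in the role that each `camera.name` matches `^[A-Za-z_][A-Za-z0-9_]*$` keeps this template and the two `path:` lines in `frigate.yml.j2` in agreement.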
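Review bot: The two `path:` lines place the password in the userinfo part of an RTSP URL, and Frigate's `{FRIGATE_…}` substitution appears to insert the value verbatim, so a password containing `@`, `:`, `/`, `#` or `%` would yield a URL that parses differently from what is intended. The previous `{{ camera.pass }}` form had the same limitation, so this is not a regression. Since the value now comes from the environment, it should be percent-encoded when written to the sysconfig file, or the allowed password characters should be documented in the role's variables. A Jinja comment above the `inputs:` list, e.g. `{# {FRIGATE_*} in single braces is resolved by Frigate at start-up, not by Jinja #}`, would also stop a later editor from "fixing" the braces.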