frigate: Don't store plaintext passwords in config

2024-06-25 16:13:35 +00:00 · 2024-06-25 16:13:35 +00:00 · acf2853223
commit acf2853223
parent 13e602a76d
4 changed files with 16 additions and 3 deletions
--- a/roles/frigate/tasks/main.yml
+++ b/roles/frigate/tasks/main.yml
@ -71,6 +71,15 @@
    group: "{{ ansible_wheel }}"
  notify: Restart frigate

+- name: Create environment config for service
+  ansible.builtin.template:
+    dest: /etc/sysconfig/frigate-container
+    src: frigate-container.sysconfig.j2
+    mode: "0600"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart frigate
+
 - name: Enable service
  ansible.builtin.service:
    name: frigate-container
--- a/roles/frigate/templates/frigate-container.service.j2
+++ b/roles/frigate/templates/frigate-container.service.j2
@ -5,6 +5,7 @@ After=network-online.target

 [Service]
 User=frigate
+EnvironmentFile=/etc/sysconfig/frigate-container
 ExecStart=/usr/bin/podman run \
    --rm -p 127.0.0.1:8007:5000 \
    --name frigate \
@ -12,7 +13,7 @@ ExecStart=/usr/bin/podman run \
    --volume /etc/frigate.yml:/config/config.yml:ro \
    --volume /srv/frigate/media:/media/frigate:rw \
    --volume /dev/bus/usb:/dev/bus/usb:rw \
-    ghcr.io/blakeblackshear/frigate:{{ frigate_version }}
+    --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }}
 ExecStop=/usr/bin/podman stop --ignore frigate
 ExecStopPost=/usr/bin/podman rm -f --ignore frigate

--- a/roles/frigate/templates/frigate-container.sysconfig.j2
+++ b/roles/frigate/templates/frigate-container.sysconfig.j2
@ -0,0 +1,3 @@
+{% for camera in cctv_cameras %}
+FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}"
+{% endfor %}
--- a/roles/frigate/templates/frigate.yml.j2
+++ b/roles/frigate/templates/frigate.yml.j2
@ -23,12 +23,12 @@ cameras:
    enabled: true
    ffmpeg:
      inputs:
-        - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub"
+        - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub"
          input_args: preset-rtsp-restream
          roles:
            - detect
            - rtmp
-        - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main"
+        - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main"
          input_args: preset-rtsp-restream
          roles:
            - record