Community Supported Boards Framework (#7114)

* Make main frigate build non rpi specific and build rpi using base image

* Add boards to sidebar

* Fix docker build

* Fix docs build

* Update pr branch for testing

* remove target from rpi build

* Remove manual build

* Add push build for rpi

* fix typos, improve wording

* Add arm build for rpi

* Cleanup and add default github ref name

* Cleanup docker build file system

* Setup to use docker bake

* Add ci/cd for bake

* Fix path

* Fix devcontainer

* Set targets

* Fix build

* Fix syntax

* Add wheels target

* Move dev container to trt

* Update key and fix rpi local

* Move requirements files and set intermediate targets

* Add back --load

* Update docs for community board development

* Update installation docs to reflect different builds available

* Update docs with official and community supported headers

* Update codeowners docs

* Update docs

* Assemble main and standard builds

* Change order of pushes

* Remove community board after successful build

* Fix rpi bake file names

docker/main/Dockerfile

@@ -0,0 +1,252 @@
+# syntax=docker/dockerfile:1.4
+
+# https://askubuntu.com/questions/972516/debian-frontend-environment-variable
+ARG DEBIAN_FRONTEND=noninteractive
+
+FROM debian:11 AS base
+
+FROM --platform=linux/amd64 debian:11 AS base_amd64
+
+FROM debian:11-slim AS slim-base
+
+FROM slim-base AS wget
+ARG DEBIAN_FRONTEND
+RUN apt-get update \
+    && apt-get install -y wget xz-utils \
+    && rm -rf /var/lib/apt/lists/*
+WORKDIR /rootfs
+
+FROM base AS nginx
+ARG DEBIAN_FRONTEND
+ENV CCACHE_DIR /root/.ccache
+ENV CCACHE_MAXSIZE 2G
+
+# bind /var/cache/apt to tmpfs to speed up nginx build
+RUN --mount=type=tmpfs,target=/tmp --mount=type=tmpfs,target=/var/cache/apt \
+    --mount=type=bind,source=docker/main/build_nginx.sh,target=/deps/build_nginx.sh \
+    --mount=type=cache,target=/root/.ccache \
+    /deps/build_nginx.sh
+
+FROM wget AS go2rtc
+ARG TARGETARCH
+WORKDIR /rootfs/usr/local/go2rtc/bin
+RUN wget -qO go2rtc "https://github.com/AlexxIT/go2rtc/releases/download/v1.6.2/go2rtc_linux_${TARGETARCH}" \
+    && chmod +x go2rtc
+
+
+####
+#
+# OpenVino Support
+#
+# 1. Download and convert a model from Intel's Public Open Model Zoo
+# 2. Build libUSB without udev to handle NCS2 enumeration
+#
+####
+# Download and Convert OpenVino model
+FROM base_amd64 AS ov-converter
+ARG DEBIAN_FRONTEND
+
+# Install OpenVino Runtime and Dev library
+COPY docker/main/requirements-ov.txt /requirements-ov.txt
+RUN apt-get -qq update \
+    && apt-get -qq install -y wget python3 python3-distutils \
+    && wget -q https://bootstrap.pypa.io/get-pip.py -O get-pip.py \
+    && python3 get-pip.py "pip" \
+    && pip install -r /requirements-ov.txt
+
+# Get OpenVino Model
+RUN mkdir /models \
+    && cd /models && omz_downloader --name ssdlite_mobilenet_v2 \
+    && cd /models && omz_converter --name ssdlite_mobilenet_v2 --precision FP16
+
+
+# libUSB - No Udev
+FROM wget as libusb-build
+ARG TARGETARCH
+ARG DEBIAN_FRONTEND
+ENV CCACHE_DIR /root/.ccache
+ENV CCACHE_MAXSIZE 2G
+
+# Build libUSB without udev.  Needed for Openvino NCS2 support
+WORKDIR /opt
+RUN apt-get update && apt-get install -y unzip build-essential automake libtool ccache
+RUN --mount=type=cache,target=/root/.ccache wget -q https://github.com/libusb/libusb/archive/v1.0.25.zip -O v1.0.25.zip && \
+    unzip v1.0.25.zip && cd libusb-1.0.25 && \
+    ./bootstrap.sh && \
+    ./configure CC='ccache gcc' CCX='ccache g++' --disable-udev --enable-shared && \
+    make -j $(nproc --all)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libusb-1.0-0-dev && \
+    rm -rf /var/lib/apt/lists/*
+WORKDIR /opt/libusb-1.0.25/libusb
+RUN /bin/mkdir -p '/usr/local/lib' && \
+    /bin/bash ../libtool  --mode=install /usr/bin/install -c libusb-1.0.la '/usr/local/lib' && \
+    /bin/mkdir -p '/usr/local/include/libusb-1.0' && \
+    /usr/bin/install -c -m 644 libusb.h '/usr/local/include/libusb-1.0' && \
+    /bin/mkdir -p '/usr/local/lib/pkgconfig' && \
+    cd  /opt/libusb-1.0.25/ && \
+    /usr/bin/install -c -m 644 libusb-1.0.pc '/usr/local/lib/pkgconfig' && \
+    ldconfig
+
+FROM wget AS models
+
+# Get model and labels
+RUN wget -qO edgetpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite
+RUN wget -qO cpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite
+COPY labelmap.txt .
+# Copy OpenVino model
+COPY --from=ov-converter /models/public/ssdlite_mobilenet_v2/FP16 openvino-model
+RUN wget -q https://github.com/openvinotoolkit/open_model_zoo/raw/master/data/dataset_classes/coco_91cl_bkgr.txt -O openvino-model/coco_91cl_bkgr.txt && \
+    sed -i 's/truck/car/g' openvino-model/coco_91cl_bkgr.txt
+# Get Audio Model and labels
+RUN wget -qO cpu_audio_model.tflite https://tfhub.dev/google/lite-model/yamnet/classification/tflite/1?lite-format=tflite
+COPY audio-labelmap.txt .
+
+
+FROM wget AS s6-overlay
+ARG TARGETARCH
+RUN --mount=type=bind,source=docker/main/install_s6_overlay.sh,target=/deps/install_s6_overlay.sh \
+    /deps/install_s6_overlay.sh
+
+
+FROM base AS wheels
+ARG DEBIAN_FRONTEND
+ARG TARGETARCH
+
+# Use a separate container to build wheels to prevent build dependencies in final image
+RUN apt-get -qq update \
+    && apt-get -qq install -y \
+    apt-transport-https \
+    gnupg \
+    wget \
+    && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 \
+    && echo "deb http://deb.debian.org/debian bullseye main contrib non-free" | tee /etc/apt/sources.list.d/raspi.list \
+    && apt-get -qq update \
+    && apt-get -qq install -y \
+    python3 \
+    python3-dev \
+    wget \
+    # opencv dependencies
+    build-essential cmake git pkg-config libgtk-3-dev \
+    libavcodec-dev libavformat-dev libswscale-dev libv4l-dev \
+    libxvidcore-dev libx264-dev libjpeg-dev libpng-dev libtiff-dev \
+    gfortran openexr libatlas-base-dev libssl-dev\
+    libtbb2 libtbb-dev libdc1394-22-dev libopenexr-dev \
+    libgstreamer-plugins-base1.0-dev libgstreamer1.0-dev \
+    # scipy dependencies
+    gcc gfortran libopenblas-dev liblapack-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN wget -q https://bootstrap.pypa.io/get-pip.py -O get-pip.py \
+    && python3 get-pip.py "pip"
+
+COPY docker/main/requirements.txt /requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY docker/main/requirements-wheels.txt /requirements-wheels.txt
+RUN pip3 wheel --wheel-dir=/wheels -r requirements-wheels.txt
+
+
+# Collect deps in a single layer
+FROM scratch AS deps-rootfs
+COPY --from=nginx /usr/local/nginx/ /usr/local/nginx/
+COPY --from=go2rtc /rootfs/ /
+COPY --from=libusb-build /usr/local/lib /usr/local/lib
+COPY --from=s6-overlay /rootfs/ /
+COPY --from=models /rootfs/ /
+COPY docker/main/rootfs/ /
+
+
+# Frigate deps (ffmpeg, python, nginx, go2rtc, s6-overlay, etc)
+FROM slim-base AS deps
+ARG TARGETARCH
+
+ARG DEBIAN_FRONTEND
+# http://stackoverflow.com/questions/48162574/ddg#49462622
+ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
+
+# https://github.com/NVIDIA/nvidia-docker/wiki/Installation-(Native-GPU-Support)
+ENV NVIDIA_VISIBLE_DEVICES=all
+ENV NVIDIA_DRIVER_CAPABILITIES="compute,video,utility"
+
+ENV PATH="/usr/lib/btbn-ffmpeg/bin:/usr/local/go2rtc/bin:/usr/local/nginx/sbin:${PATH}"
+
+# Install dependencies
+RUN --mount=type=bind,source=docker/main/install_deps.sh,target=/deps/install_deps.sh \
+    /deps/install_deps.sh
+
+RUN --mount=type=bind,from=wheels,source=/wheels,target=/deps/wheels \
+    pip3 install -U /deps/wheels/*.whl
+
+COPY --from=deps-rootfs / /
+
+RUN ldconfig
+
+EXPOSE 5000
+EXPOSE 1935
+EXPOSE 8554
+EXPOSE 8555/tcp 8555/udp
+
+# Configure logging to prepend timestamps, log to stdout, keep 0 archives and rotate on 10MB
+ENV S6_LOGGING_SCRIPT="T 1 n0 s10000000 T"
+
+ENTRYPOINT ["/init"]
+CMD []
+
+# Frigate deps with Node.js and NPM for devcontainer
+FROM deps AS devcontainer
+
+# Do not start the actual Frigate service on devcontainer as it will be started by VSCode
+# But start a fake service for simulating the logs
+COPY docker/main/fake_frigate_run /etc/s6-overlay/s6-rc.d/frigate/run
+
+# Create symbolic link to the frigate source code, as go2rtc's create_config.sh uses it
+RUN mkdir -p /opt/frigate \
+    && ln -svf /workspace/frigate/frigate /opt/frigate/frigate
+
+# Install Node 16
+RUN apt-get update \
+    && apt-get install wget -y \
+    && wget -qO- https://deb.nodesource.com/setup_16.x | bash - \
+    && apt-get install -y nodejs \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g npm@9
+
+WORKDIR /workspace/frigate
+
+RUN apt-get update \
+    && apt-get install make -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN --mount=type=bind,source=./docker/main/requirements-dev.txt,target=/workspace/frigate/requirements-dev.txt \
+    pip3 install -r requirements-dev.txt
+
+CMD ["sleep", "infinity"]
+
+
+# Frigate web build
+# This should be architecture agnostic, so speed up the build on multiarch by not using QEMU.
+FROM --platform=$BUILDPLATFORM node:16 AS web-build
+
+WORKDIR /work
+COPY web/package.json web/package-lock.json ./
+RUN npm install
+
+COPY web/ ./
+RUN npm run build \
+    && mv dist/BASE_PATH/monacoeditorwork/* dist/assets/ \
+    && rm -rf dist/BASE_PATH
+
+# Collect final files in a single layer
+FROM scratch AS rootfs
+
+WORKDIR /opt/frigate/
+COPY frigate frigate/
+COPY migrations migrations/
+COPY --from=web-build /work/dist/ web/
+
+# Frigate final container
+FROM deps AS frigate
+
+WORKDIR /opt/frigate/
+COPY --from=rootfs / /

docker/main/build_nginx.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+NGINX_VERSION="1.25.1"
+VOD_MODULE_VERSION="1.31"
+SECURE_TOKEN_MODULE_VERSION="1.5"
+RTMP_MODULE_VERSION="1.2.2"
+
+cp /etc/apt/sources.list /etc/apt/sources.list.d/sources-src.list
+sed -i 's|deb http|deb-src http|g' /etc/apt/sources.list.d/sources-src.list
+apt-get update
+
+apt-get -yqq build-dep nginx
+
+apt-get -yqq install --no-install-recommends ca-certificates wget
+update-ca-certificates -f
+apt install -y ccache
+
+export PATH="/usr/lib/ccache:$PATH"
+
+mkdir /tmp/nginx
+wget -nv https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
+tar -zxf nginx-${NGINX_VERSION}.tar.gz -C /tmp/nginx --strip-components=1
+rm nginx-${NGINX_VERSION}.tar.gz
+mkdir /tmp/nginx-vod-module
+wget -nv https://github.com/kaltura/nginx-vod-module/archive/refs/tags/${VOD_MODULE_VERSION}.tar.gz
+tar -zxf ${VOD_MODULE_VERSION}.tar.gz -C /tmp/nginx-vod-module --strip-components=1
+rm ${VOD_MODULE_VERSION}.tar.gz
+    # Patch MAX_CLIPS to allow more clips to be added than the default 128
+sed -i 's/MAX_CLIPS (128)/MAX_CLIPS (1080)/g' /tmp/nginx-vod-module/vod/media_set.h
+patch -d /tmp/nginx-vod-module/ -p1 << 'EOF'
+--- a/vod/avc_hevc_parser.c       2022-06-27 11:38:10.000000000 +0000
++++ b/vod/avc_hevc_parser.c       2023-01-16 11:25:10.900521298 +0000
+@@ -3,6 +3,9 @@
+ bool_t
+ avc_hevc_parser_rbsp_trailing_bits(bit_reader_state_t* reader)
+ {
++	// https://github.com/blakeblackshear/frigate/issues/4572
++	return TRUE;
++
+ 	uint32_t one_bit;
+
+ 	if (reader->stream.eof_reached)
+EOF
+
+
+mkdir /tmp/nginx-secure-token-module
+wget https://github.com/kaltura/nginx-secure-token-module/archive/refs/tags/${SECURE_TOKEN_MODULE_VERSION}.tar.gz
+tar -zxf ${SECURE_TOKEN_MODULE_VERSION}.tar.gz -C /tmp/nginx-secure-token-module --strip-components=1
+rm ${SECURE_TOKEN_MODULE_VERSION}.tar.gz
+mkdir /tmp/nginx-rtmp-module
+wget -nv https://github.com/arut/nginx-rtmp-module/archive/refs/tags/v${RTMP_MODULE_VERSION}.tar.gz
+tar -zxf v${RTMP_MODULE_VERSION}.tar.gz -C /tmp/nginx-rtmp-module --strip-components=1
+rm v${RTMP_MODULE_VERSION}.tar.gz
+
+cd /tmp/nginx
+
+./configure --prefix=/usr/local/nginx \
+    --with-file-aio \
+    --with-http_sub_module \
+    --with-http_ssl_module \
+    --with-threads \
+    --add-module=../nginx-vod-module \
+    --add-module=../nginx-secure-token-module \
+    --add-module=../nginx-rtmp-module \
+    --with-cc-opt="-O3 -Wno-error=implicit-fallthrough"
+
+make CC="ccache gcc" -j$(nproc) && make install
+rm -rf /usr/local/nginx/html /usr/local/nginx/conf/*.default

docker/main/fake_frigate_run

@@ -0,0 +1,13 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the fake Frigate service
+
+set -o errexit -o nounset -o pipefail
+
+# Tell S6-Overlay not to restart this service
+s6-svc -O .
+
+while true; do
+  echo "[INFO] The fake Frigate service is running..."
+  sleep 5s
+done

docker/main/install_deps.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+apt-get -qq update
+
+apt-get -qq install --no-install-recommends -y \
+    apt-transport-https \
+    gnupg \
+    wget \
+    procps vainfo \
+    unzip locales tzdata libxml2 xz-utils \
+    python3-pip \
+    curl \
+    jq \
+    nethogs
+
+mkdir -p -m 600 /root/.gnupg
+
+# add coral repo
+curl -fsSLo - https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
+    gpg --dearmor -o /etc/apt/trusted.gpg.d/google-cloud-packages-archive-keyring.gpg
+echo "deb https://packages.cloud.google.com/apt coral-edgetpu-stable main" | tee /etc/apt/sources.list.d/coral-edgetpu.list
+echo "libedgetpu1-max libedgetpu/accepted-eula select true" | debconf-set-selections
+
+# enable non-free repo
+sed -i -e's/ main/ main contrib non-free/g' /etc/apt/sources.list
+
+# coral drivers
+apt-get -qq update
+apt-get -qq install --no-install-recommends --no-install-suggests -y \
+    libedgetpu1-max python3-tflite-runtime python3-pycoral
+
+# btbn-ffmpeg -> amd64
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    mkdir -p /usr/lib/btbn-ffmpeg
+    wget -qO btbn-ffmpeg.tar.xz "https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2022-07-31-12-37/ffmpeg-n5.1-2-g915ef932a3-linux64-gpl-5.1.tar.xz"
+    tar -xf btbn-ffmpeg.tar.xz -C /usr/lib/btbn-ffmpeg --strip-components 1
+    rm -rf btbn-ffmpeg.tar.xz /usr/lib/btbn-ffmpeg/doc /usr/lib/btbn-ffmpeg/bin/ffplay
+fi
+
+# ffmpeg -> arm64
+if [[ "${TARGETARCH}" == "arm64" ]]; then
+    mkdir -p /usr/lib/btbn-ffmpeg
+    wget -qO btbn-ffmpeg.tar.xz "https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2022-07-31-12-37/ffmpeg-n5.1-2-g915ef932a3-linuxarm64-gpl-5.1.tar.xz"
+    tar -xf btbn-ffmpeg.tar.xz -C /usr/lib/btbn-ffmpeg --strip-components 1
+    rm -rf btbn-ffmpeg.tar.xz /usr/lib/btbn-ffmpeg/doc /usr/lib/btbn-ffmpeg/bin/ffplay
+fi
+
+# arch specific packages
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    # Use debian testing repo only for hwaccel packages
+    echo 'deb http://deb.debian.org/debian testing main non-free' >/etc/apt/sources.list.d/debian-testing.list
+    apt-get -qq update
+    # intel-opencl-icd specifically for GPU support in OpenVino
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        intel-opencl-icd \
+        mesa-va-drivers libva-drm2 intel-media-va-driver-non-free i965-va-driver libmfx1 radeontop intel-gpu-tools
+    # something about this dependency requires it to be installed in a separate call rather than in the line above
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        i965-va-driver-shaders
+    rm -f /etc/apt/sources.list.d/debian-testing.list
+fi
+
+if [[ "${TARGETARCH}" == "arm64" ]]; then
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        libva-drm2 mesa-va-drivers
+fi
+
+apt-get purge gnupg apt-transport-https xz-utils -y
+apt-get clean autoclean -y
+apt-get autoremove --purge -y
+rm -rf /var/lib/apt/lists/*
+
+# Install yq, for frigate-prepare and go2rtc echo source
+curl -fsSL \
+    "https://github.com/mikefarah/yq/releases/download/v4.33.3/yq_linux_$(dpkg --print-architecture)" \
+    --output /usr/local/bin/yq
+chmod +x /usr/local/bin/yq

docker/main/install_s6_overlay.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+s6_version="3.1.4.1"
+
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    s6_arch="x86_64"
+elif [[ "${TARGETARCH}" == "arm64" ]]; then
+    s6_arch="aarch64"
+fi
+
+mkdir -p /rootfs/
+
+wget -qO- "https://github.com/just-containers/s6-overlay/releases/download/v${s6_version}/s6-overlay-noarch.tar.xz" |
+    tar -C /rootfs/ -Jxpf -
+
+wget -qO- "https://github.com/just-containers/s6-overlay/releases/download/v${s6_version}/s6-overlay-${s6_arch}.tar.xz" |
+    tar -C /rootfs/ -Jxpf -

docker/main/requirements-dev.txt

@@ -0,0 +1,3 @@
+black == 23.3.*
+isort
+ruff

docker/main/requirements-ov.txt

@@ -0,0 +1,3 @@
+numpy == 1.23.*
+openvino == 2022.*
+openvino-dev[tensorflow2] == 2022.*

docker/main/requirements-wheels.txt

@@ -0,0 +1,28 @@
+click == 8.1.*
+Flask == 2.3.*
+imutils == 0.5.*
+matplotlib == 3.7.*
+mypy == 1.4.1
+numpy == 1.23.*
+onvif_zeep == 0.2.12
+opencv-python-headless == 4.7.0.*
+paho-mqtt == 1.6.*
+peewee == 3.16.*
+peewee_migrate == 1.11.*
+psutil == 5.9.*
+pydantic == 1.10.*
+git+https://github.com/fbcotter/py3nvml#egg=py3nvml
+PyYAML == 6.0
+pytz == 2023.3
+ruamel.yaml == 0.17.*
+tzlocal == 5.0.*
+types-PyYAML == 6.0.*
+requests == 2.31.*
+types-requests == 2.31.*
+scipy == 1.10.*
+norfair == 2.2.*
+setproctitle == 1.3.*
+ws4py == 0.5.*
+# Openvino Library - Custom built with MYRIAD support
+openvino @ https://github.com/NateMeyer/openvino-wheels/releases/download/multi-arch_2022.2.0/openvino-2022.2.0-000-cp39-cp39-manylinux_2_31_x86_64.whl; platform_machine == 'x86_64'
+openvino @ https://github.com/NateMeyer/openvino-wheels/releases/download/multi-arch_2022.2.0/openvino-2022.2.0-000-cp39-cp39-linux_aarch64.whl; platform_machine == 'aarch64'

docker/main/requirements.txt

@@ -0,0 +1,2 @@
+scikit-build == 0.17.*
+nvidia-pyindex

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/consumer-for

@@ -0,0 +1 @@
+frigate

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/pipeline-name

@@ -0,0 +1 @@
+frigate-pipeline

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run

@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/frigate

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate/finish

@@ -0,0 +1,28 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Take down the S6 supervision tree when the service exits
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+declare exit_code_container
+exit_code_container=$(cat /run/s6-linux-init-container-results/exitcode)
+readonly exit_code_container
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="Frigate"
+
+echo "[INFO] Service ${service} exited with code ${exit_code_service} (by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + exit_code_signal)) >/run/s6-linux-init-container-results/exitcode
+  fi
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" >/run/s6-linux-init-container-results/exitcode
+  fi
+fi
+
+exec /run/s6/basedir/bin/halt

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate/producer-for

@@ -0,0 +1 @@
+frigate-log

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate/run

@@ -0,0 +1,55 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the Frigate service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+# Tell S6-Overlay not to restart this service
+s6-svc -O .
+
+function migrate_db_path() {
+    # Find config file in yaml or yml, but prefer yaml
+    local config_file="${CONFIG_FILE:-"/config/config.yml"}"
+    local config_file_yaml="${config_file//.yml/.yaml}"
+    if [[ -f "${config_file_yaml}" ]]; then
+        config_file="${config_file_yaml}"
+    elif [[ ! -f "${config_file}" ]]; then
+        echo "[ERROR] Frigate config file not found"
+        return 1
+    fi
+    unset config_file_yaml
+
+    # Use yq to check if database.path is set
+    local user_db_path
+    user_db_path=$(yq eval '.database.path' "${config_file}")
+
+    if [[ "${user_db_path}" == "null" ]]; then
+        local previous_db_path="/media/frigate/frigate.db"
+        local new_db_dir="/config"
+        if [[ -f "${previous_db_path}" ]]; then
+            if mountpoint --quiet "${new_db_dir}"; then
+                # /config is a mount point, move the db
+                echo "[INFO] Moving db from '${previous_db_path}' to the '${new_db_dir}' dir..."
+                # Move all files that starts with frigate.db to the new directory
+                mv -vf "${previous_db_path}"* "${new_db_dir}"
+            else
+                echo "[ERROR] Trying to migrate the db path from '${previous_db_path}' to the '${new_db_dir}' dir, but '${new_db_dir}' is not a mountpoint, please mount the '${new_db_dir}' dir"
+                return 1
+            fi
+        fi
+    fi
+}
+
+echo "[INFO] Preparing Frigate..."
+migrate_db_path
+export LIBAVFORMAT_VERSION_MAJOR=$(ffmpeg -version | grep -Po 'libavformat\W+\K\d+')
+
+echo "[INFO] Starting Frigate..."
+
+cd /opt/frigate || echo "[ERROR] Failed to change working directory to /opt/frigate"
+
+# Replace the bash process with the Frigate process, redirecting stderr to stdout
+exec 2>&1
+exec python3 -u -m frigate

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate/timeout-kill

@@ -0,0 +1 @@
+120000

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-healthcheck/finish

@@ -0,0 +1,12 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="go2rtc-healthcheck"
+
+echo "[INFO] The ${service} service exited with code ${exit_code_service} (by signal ${exit_code_signal})"

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-healthcheck/producer-for

@@ -0,0 +1 @@
+go2rtc-log

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-healthcheck/run

@@ -0,0 +1,22 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the go2rtc-healthcheck service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+# Give some additional time for go2rtc to start before start pinging
+sleep 10s
+echo "[INFO] Starting go2rtc healthcheck service..."
+
+while sleep 30s; do
+    # Check if the service is running
+    if ! curl --connect-timeout 10 --fail --silent --show-error --output /dev/null http://127.0.0.1:1984/api/streams 2>&1; then
+        echo "[ERROR] The go2rtc service is not responding to ping, restarting..."
+        # We can also use -r instead of -t to send kill signal rather than term
+        s6-svc -t /var/run/service/go2rtc 2>&1
+        # Give some additional time to go2rtc to restart before start pinging again
+        sleep 10s
+    fi
+done

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-healthcheck/timeout-kill

@@ -0,0 +1 @@
+5000

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-healthcheck/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/consumer-for

@@ -0,0 +1,2 @@
+go2rtc
+go2rtc-healthcheck

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/pipeline-name

@@ -0,0 +1 @@
+go2rtc-pipeline

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run

@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/go2rtc

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc/finish

@@ -0,0 +1,12 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="go2rtc"
+
+echo "[INFO] The ${service} service exited with code ${exit_code_service} (by signal ${exit_code_signal})"

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc/producer-for

@@ -0,0 +1 @@
+go2rtc-log

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc/run

@@ -0,0 +1,72 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the go2rtc service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+function get_ip_and_port_from_supervisor() {
+    local ip_address
+    # Example: 192.168.1.10/24
+    local ip_regex='^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/[0-9]{1,2}$'
+    if ip_address=$(
+        curl -fsSL \
+            -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" \
+            -H "Content-Type: application/json" \
+            http://supervisor/network/interface/default/info |
+            jq --exit-status --raw-output '.data.ipv4.address[0]'
+    ) && [[ "${ip_address}" =~ ${ip_regex} ]]; then
+        ip_address="${BASH_REMATCH[1]}"
+        echo "[INFO] Got IP address from supervisor: ${ip_address}"
+    else
+        echo "[WARN] Failed to get IP address from supervisor"
+        return 0
+    fi
+
+    local webrtc_port
+    local port_regex='^([0-9]{1,5})$'
+    if webrtc_port=$(
+        curl -fsSL \
+            -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" \
+            -H "Content-Type: application/json" \
+            http://supervisor/addons/self/info |
+            jq --exit-status --raw-output '.data.network["8555/tcp"]'
+    ) && [[ "${webrtc_port}" =~ ${port_regex} ]]; then
+        webrtc_port="${BASH_REMATCH[1]}"
+        echo "[INFO] Got WebRTC port from supervisor: ${webrtc_port}"
+    else
+        echo "[WARN] Failed to get WebRTC port from supervisor"
+        return 0
+    fi
+
+    export FRIGATE_GO2RTC_WEBRTC_CANDIDATE_INTERNAL="${ip_address}:${webrtc_port}"
+}
+
+export LIBAVFORMAT_VERSION_MAJOR=$(ffmpeg -version | grep -Po 'libavformat\W+\K\d+')
+
+if [[ ! -f "/dev/shm/go2rtc.yaml" ]]; then
+    echo "[INFO] Preparing go2rtc config..."
+
+    if [[ -n "${SUPERVISOR_TOKEN:-}" ]]; then
+        # Running as a Home Assistant add-on, infer the IP address and port
+        get_ip_and_port_from_supervisor
+    fi
+
+    python3 /usr/local/go2rtc/create_config.py
+fi
+
+readonly config_path="/config"
+
+if [[ -x "${config_path}/go2rtc" ]]; then
+  readonly binary_path="${config_path}/go2rtc"
+  echo "[WARN] Using go2rtc binary from '${binary_path}' instead of the embedded one"
+else
+  readonly binary_path="/usr/local/go2rtc/bin/go2rtc"
+fi
+
+echo "[INFO] Starting go2rtc..."
+
+# Replace the bash process with the go2rtc process, redirecting stderr to stdout
+exec 2>&1
+exec "${binary_path}" -config=/dev/shm/go2rtc.yaml

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc/timeout-kill

@@ -0,0 +1 @@
+30000

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run

@@ -0,0 +1,11 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Prepare the logs folder for s6-log
+
+set -o errexit -o nounset -o pipefail
+
+dirs=(/dev/shm/logs/frigate /dev/shm/logs/go2rtc /dev/shm/logs/nginx)
+
+mkdir -p "${dirs[@]}"
+chown nobody:nogroup "${dirs[@]}"
+chmod 02755 "${dirs[@]}"

docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/type

@@ -0,0 +1 @@
+oneshot

docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/log-prepare/run

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/consumer-for

@@ -0,0 +1 @@
+nginx

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/pipeline-name

@@ -0,0 +1 @@
+nginx-pipeline

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run

@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/nginx

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/finish

@@ -0,0 +1,30 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Take down the S6 supervision tree when the service fails
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+declare exit_code_container
+exit_code_container=$(cat /run/s6-linux-init-container-results/exitcode)
+readonly exit_code_container
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="NGINX"
+
+echo "[INFO] Service ${service} exited with code ${exit_code_service} (by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + exit_code_signal)) >/run/s6-linux-init-container-results/exitcode
+  fi
+  if [[ "${exit_code_signal}" -eq 15 ]]; then
+    exec /run/s6/basedir/bin/halt
+  fi
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" >/run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/producer-for

@@ -0,0 +1 @@
+nginx-log

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run

@@ -0,0 +1,13 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the NGINX service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+echo "[INFO] Starting NGINX..."
+
+# Replace the bash process with the NGINX process, redirecting stderr to stdout
+exec 2>&1
+exec nginx

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/timeout-kill

@@ -0,0 +1 @@
+30000

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/type

@@ -0,0 +1 @@
+longrun

docker/main/rootfs/usr/local/go2rtc/create_config.py

@@ -0,0 +1,120 @@
+"""Creates a go2rtc config file."""
+
+import json
+import os
+import sys
+
+import yaml
+
+sys.path.insert(0, "/opt/frigate")
+from frigate.const import BIRDSEYE_PIPE  # noqa: E402
+from frigate.ffmpeg_presets import (  # noqa: E402
+    parse_preset_hardware_acceleration_encode,
+)
+
+sys.path.remove("/opt/frigate")
+
+
+FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
+config_file = os.environ.get("CONFIG_FILE", "/config/config.yml")
+
+# Check if we can use .yaml instead of .yml
+config_file_yaml = config_file.replace(".yml", ".yaml")
+if os.path.isfile(config_file_yaml):
+    config_file = config_file_yaml
+
+with open(config_file) as f:
+    raw_config = f.read()
+
+if config_file.endswith((".yaml", ".yml")):
+    config: dict[str, any] = yaml.safe_load(raw_config)
+elif config_file.endswith(".json"):
+    config: dict[str, any] = json.loads(raw_config)
+
+go2rtc_config: dict[str, any] = config.get("go2rtc", {})
+
+# Need to enable CORS for go2rtc so the frigate integration / card work automatically
+if go2rtc_config.get("api") is None:
+    go2rtc_config["api"] = {"origin": "*"}
+elif go2rtc_config["api"].get("origin") is None:
+    go2rtc_config["api"]["origin"] = "*"
+
+# we want to ensure that logs are easy to read
+if go2rtc_config.get("log") is None:
+    go2rtc_config["log"] = {"format": "text"}
+elif go2rtc_config["log"].get("format") is None:
+    go2rtc_config["log"]["format"] = "text"
+
+if not go2rtc_config.get("webrtc", {}).get("candidates", []):
+    default_candidates = []
+    # use internal candidate if it was discovered when running through the add-on
+    internal_candidate = os.environ.get(
+        "FRIGATE_GO2RTC_WEBRTC_CANDIDATE_INTERNAL", None
+    )
+    if internal_candidate is not None:
+        default_candidates.append(internal_candidate)
+    # should set default stun server so webrtc can work
+    default_candidates.append("stun:8555")
+
+    go2rtc_config["webrtc"] = {"candidates": default_candidates}
+else:
+    print(
+        "[INFO] Not injecting WebRTC candidates into go2rtc config as it has been set manually",
+    )
+
+# sets default RTSP response to be equivalent to ?video=h264,h265&audio=aac
+# this means user does not need to specify audio codec when using restream
+# as source for frigate and the integration supports HLS playback
+if go2rtc_config.get("rtsp") is None:
+    go2rtc_config["rtsp"] = {"default_query": "mp4"}
+else:
+    if go2rtc_config["rtsp"].get("default_query") is None:
+        go2rtc_config["rtsp"]["default_query"] = "mp4"
+
+    if go2rtc_config["rtsp"].get("username") is not None:
+        go2rtc_config["rtsp"]["username"] = go2rtc_config["rtsp"]["username"].format(
+            **FRIGATE_ENV_VARS
+        )
+
+    if go2rtc_config["rtsp"].get("password") is not None:
+        go2rtc_config["rtsp"]["password"] = go2rtc_config["rtsp"]["password"].format(
+            **FRIGATE_ENV_VARS
+        )
+
+# need to replace ffmpeg command when using ffmpeg4
+if int(os.environ["LIBAVFORMAT_VERSION_MAJOR"]) < 59:
+    if go2rtc_config.get("ffmpeg") is None:
+        go2rtc_config["ffmpeg"] = {
+            "rtsp": "-fflags nobuffer -flags low_delay -stimeout 5000000 -user_agent go2rtc/ffmpeg -rtsp_transport tcp -i {input}"
+        }
+    elif go2rtc_config["ffmpeg"].get("rtsp") is None:
+        go2rtc_config["ffmpeg"][
+            "rtsp"
+        ] = "-fflags nobuffer -flags low_delay -stimeout 5000000 -user_agent go2rtc/ffmpeg -rtsp_transport tcp -i {input}"
+
+for name in go2rtc_config.get("streams", {}):
+    stream = go2rtc_config["streams"][name]
+
+    if isinstance(stream, str):
+        go2rtc_config["streams"][name] = go2rtc_config["streams"][name].format(
+            **FRIGATE_ENV_VARS
+        )
+    elif isinstance(stream, list):
+        for i, stream in enumerate(stream):
+            go2rtc_config["streams"][name][i] = stream.format(**FRIGATE_ENV_VARS)
+
+# add birdseye restream stream if enabled
+if config.get("birdseye", {}).get("restream", False):
+    birdseye: dict[str, any] = config.get("birdseye")
+
+    input = f"-f rawvideo -pix_fmt yuv420p -video_size {birdseye.get('width', 1280)}x{birdseye.get('height', 720)} -r 10 -i {BIRDSEYE_PIPE}"
+    ffmpeg_cmd = f"exec:{parse_preset_hardware_acceleration_encode(config.get('ffmpeg', {}).get('hwaccel_args'), input, '-rtsp_transport tcp -f rtsp {output}')}"
+
+    if go2rtc_config.get("streams"):
+        go2rtc_config["streams"]["birdseye"] = ffmpeg_cmd
+    else:
+        go2rtc_config["streams"] = {"birdseye": ffmpeg_cmd}
+
+# Write go2rtc_config to /dev/shm/go2rtc.yaml
+with open("/dev/shm/go2rtc.yaml", "w") as f:
+    yaml.dump(go2rtc_config, f)

docker/main/rootfs/usr/local/nginx/conf/nginx.conf

@@ -0,0 +1,302 @@
+daemon off;
+user root;
+worker_processes auto;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /dev/stdout main;
+
+    # send headers in one piece, it is better than sending them one by one
+    tcp_nopush on;
+
+    sendfile on;
+
+    keepalive_timeout 65;
+
+    gzip on;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/javascript image/svg+xml image/x-icon image/bmp image/png image/gif image/jpeg image/jpg;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_vary on;
+
+    upstream frigate_api {
+        server 127.0.0.1:5001;
+        keepalive 1024;
+    }
+
+    upstream mqtt_ws {
+        server 127.0.0.1:5002;
+        keepalive 1024;
+    }
+
+    upstream jsmpeg {
+        server 127.0.0.1:8082;
+        keepalive 1024;
+    }
+
+    upstream go2rtc {
+        server 127.0.0.1:1984;
+        keepalive 1024;
+    }
+
+    server {
+        listen 5000;
+
+        # vod settings
+        vod_base_url '';
+        vod_segments_base_url '';
+        vod_mode mapped;
+        vod_max_mapping_response_size 1m;
+        vod_upstream_location /api;
+        vod_align_segments_to_key_frames on;
+        vod_manifest_segment_durations_mode accurate;
+        vod_ignore_edit_list on;
+        vod_segment_duration 10000;
+        vod_hls_mpegts_align_frames off;
+        vod_hls_mpegts_interleave_frames on;
+
+        # file handle caching / aio
+        open_file_cache max=1000 inactive=5m;
+        open_file_cache_valid 2m;
+        open_file_cache_min_uses 1;
+        open_file_cache_errors on;
+        aio on;
+
+        # https://github.com/kaltura/nginx-vod-module#vod_open_file_thread_pool
+        vod_open_file_thread_pool default;
+
+        # vod caches
+        vod_metadata_cache metadata_cache 512m;
+        vod_mapping_cache mapping_cache 5m 10m;
+
+        # gzip manifests
+        gzip on;
+        gzip_types application/vnd.apple.mpegurl;
+
+        location /vod/ {
+            aio threads;
+            vod hls;
+
+            secure_token $args;
+            secure_token_types application/vnd.apple.mpegurl;
+
+            add_header Access-Control-Allow-Headers '*';
+            add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
+            add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
+            add_header Access-Control-Allow-Origin '*';
+            add_header Cache-Control "no-store";
+            expires off;
+        }
+
+        location /stream/ {
+            add_header Cache-Control "no-store";
+            expires off;
+            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Expose-Headers' 'Content-Length';
+            if ($request_method = 'OPTIONS') {
+                add_header 'Access-Control-Allow-Origin' "$http_origin";
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain charset=UTF-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            types {
+                application/dash+xml mpd;
+                application/vnd.apple.mpegurl m3u8;
+                video/mp2t ts;
+                image/jpeg jpg;
+            }
+
+            root /tmp;
+        }
+
+        location /clips/ {
+            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Expose-Headers' 'Content-Length';
+            if ($request_method = 'OPTIONS') {
+                add_header 'Access-Control-Allow-Origin' "$http_origin";
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain charset=UTF-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            types {
+                video/mp4 mp4;
+                image/jpeg jpg;
+            }
+
+            autoindex on;
+            root /media/frigate;
+        }
+
+        location /cache/ {
+            internal; # This tells nginx it's not accessible from the outside
+            alias /tmp/cache/;
+        }
+
+        location /recordings/ {
+            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Expose-Headers' 'Content-Length';
+            if ($request_method = 'OPTIONS') {
+                add_header 'Access-Control-Allow-Origin' "$http_origin";
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain charset=UTF-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            types {
+                video/mp4 mp4;
+            }
+
+            autoindex on;
+            autoindex_format json;
+            root /media/frigate;
+        }
+
+        location /exports/ {
+            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Expose-Headers' 'Content-Length';
+            if ($request_method = 'OPTIONS') {
+                add_header 'Access-Control-Allow-Origin' "$http_origin";
+                add_header 'Access-Control-Max-Age' 1728000;
+                add_header 'Content-Type' 'text/plain charset=UTF-8';
+                add_header 'Content-Length' 0;
+                return 204;
+            }
+
+            types {
+                video/mp4 mp4;
+            }
+
+            autoindex on;
+            autoindex_format json;
+            root /media/frigate;
+        }
+
+        location /ws {
+            proxy_pass http://mqtt_ws/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+        }
+
+        location /live/jsmpeg/ {
+            proxy_pass http://jsmpeg/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+        }
+
+        location /live/mse/ {
+            proxy_pass http://go2rtc/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+        }
+
+        location /live/webrtc/ {
+            proxy_pass http://go2rtc/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+        }
+
+        location ~* /api/go2rtc([/]?.*)$ {
+            proxy_pass http://go2rtc;
+            rewrite ^/api/go2rtc(.*)$ /api$1 break;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+        }
+
+        location ~* /api/.*\.(jpg|jpeg|png)$ {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            rewrite ^/api/(.*)$ $1 break;
+            proxy_pass http://frigate_api;
+            proxy_pass_request_headers on;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /api/ {
+            add_header Cache-Control "no-store";
+            expires off;
+
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+            proxy_pass http://frigate_api/;
+            proxy_pass_request_headers on;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location / {
+            add_header Cache-Control "no-store";
+            expires off;
+
+            location /assets/ {
+                access_log off;
+                expires 1y;
+                add_header Cache-Control "public";
+            }
+
+            sub_filter 'href="/BASE_PATH/' 'href="$http_x_ingress_path/';
+            sub_filter 'url(/BASE_PATH/' 'url($http_x_ingress_path/';
+            sub_filter '"/BASE_PATH/dist/' '"$http_x_ingress_path/dist/';
+            sub_filter '"/BASE_PATH/js/' '"$http_x_ingress_path/js/';
+            sub_filter '"/BASE_PATH/assets/' '"$http_x_ingress_path/assets/';
+            sub_filter '"/BASE_PATH/monacoeditorwork/' '"$http_x_ingress_path/assets/';
+            sub_filter 'return"/BASE_PATH/"' 'return window.baseUrl';
+            sub_filter '<body>' '<body><script>window.baseUrl="$http_x_ingress_path/";</script>';
+            sub_filter_types text/css application/javascript;
+            sub_filter_once off;
+
+            root /opt/frigate/web;
+            try_files $uri $uri/ /index.html;
+        }
+    }
+}
+
+rtmp {
+    server {
+        listen 1935;
+        chunk_size 4096;
+        allow publish 127.0.0.1;
+        deny publish all;
+        allow play all;
+        application live {
+            live on;
+            record off;
+            meta copy;
+        }
+    }
+}