wip: app/frigate: Deploy Caddy

Running Caddy in front of Frigate to provide HTTPS and authentication.

app/frigate/schema/schema.cue

@@ -4,6 +4,17 @@ package schema
 	env?: [string]: string
 
 	config: #FrigateConfig
+
+	caddy: {
+		server_name: string
+		forward_auth: {
+			url:  string
+			path: string | *"/api/verify"
+		}
+		acme: {
+			email: string
+		}
+	}
 }
 
 #FrigateConfig: {

app/frigate/templates.cue

@@ -2,6 +2,8 @@ package frigate
 
 import "du5t1n.me/cfg/base/schema/instructions"
 
+import "du5t1n.me/cfg/app/caddy"
+
 templates: [...instructions.#RenderInstruction] & [
 	{
 		template: "frigate/frigate.sysusers"
@@ -65,4 +67,11 @@ templates: [...instructions.#RenderInstruction] & [
 			]
 		}
 	},
-]
+	{
+		template: "frigate/Caddyfile"
+		dest:     "/etc/caddy/Caddyfile"
+		hooks: {
+			changed: [{run: "systemctl restart caddy"}]
+		}
+	},
+]+caddy.templates

env/prod/frigate.cue

@@ -274,11 +274,22 @@ _frigate: config: cameras: {
 	}
 }
 
+_frigate: caddy: {
+	server_name: "frigate.pyrocufflink.blue"
+	forward_auth: {
+		url: "https://auth.pyrocufflink.blue"
+	}
+	acme: {
+		email: "frigate@pyrocufflink.blue"
+	}
+}
+
 let Marshal = yaml.Marshal
 
 frigate: {
 	env:    _frigate.env
 	config: _frigate.config
+	caddy:  _frigate.caddy
 
 	yaml: Marshal(config)
 }

host/nvr2.pyrocufflink.blue.cue

@@ -17,3 +17,5 @@ nut: monitor: prod.#nut_monitor & {
 }
 
 frigate: prod.frigate
+
+caddy: prod.caddy

templates/frigate/Caddyfile

@@ -0,0 +1,20 @@
+{# vim: set ft=jinja : -#}
+{{ frigate.caddy.server_name }} {
+	forward_auth {{ frigate.caddy.forward_auth.url }} {
+		uri {{ frigate.caddy.forward_auth.path }}
+		header_up Host {upstream_hostport}
+
+		@unauthorized status 401
+		handle_response @unauthorized {
+			respond "" 302
+			header Location {{ frigate.caddy.forward_auth.url }}?rd=https://{{ frigate.caddy.server_name }}
+		}
+	}
+
+	reverse_proxy localhost:5000
+
+	tls {{ frigate.caddy.acme.email }} {
+		ca {{ caddy.acme.url }}
+		ca_root /etc/caddy/acme-ca.crt
+	}
+}