Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= Home surveillance camera system with alerts: =

Next up, I’m going to show you how to set up a home surveillance system. This system will send alerts to your phone whenever someone passes by the cameras around your house. These security cameras use standard protocols like <code>RTSP</code> and <code>ONVIF</code> – they are STANDARDS, and as a result, they cannot be taken away from you later. When you buy these cameras, YOU own the cameras, YOU own the video, and YOU own the alerts system. No cloud subscriptions, nobody having the ability to change the terms of the sale. No bullshit. :)

<span id="step-1-choosing-cameras"></span>
== Step 1: Choosing cameras ==

For this tutorial, I am using a Hikvision camera as an example.

<span id="why-choose-hikvision-cameras"></span>
=== Why Choose Hikvision Cameras? ===

I’m settling with Hikvision for the same reason your parents settled on each other; not because they’re the best, but because they’re good enough & available. These cameras are everywhere, especially in small businesses in New York City. When businesses close and liquidate, you can find these cameras as cheap as $150 for a lot of eight, that do 2 megapixel video in good enough quality to see license plates and make out fine facial features.

You can find these cameras on eBay for as low as $30 or $40 each, and sometimes even cheaper in bulk at liquidation sales. Because they’re so popular, & cheap for the quality you can get, I’m using them as an example.

<span id="alternatives-for-the-best-quality"></span>
=== Alternatives for the Best Quality ===

If you’re looking for the best of the best, I suggest cameras from a company called Axis. They make really high-quality stuff, but you’re not finding a lot of 8 for $150 in a liquidation sale. If you want the best, there’s nothing like '''AXIS'''.
If you are concerned about Chinese equipment phoning home & sending Xi Jinping photos of you pissing in your backyard at 1 AM, I’ll show you how to create a second network in '''pfSense''' at the end of this guide. Once that’s done, you can make it way more difficult for Xi to get a good view.

<span id="step-2-setting-up-the-hikvision-camera-from-scratch"></span>
== Step 2: Setting up the Hikvision Camera from Scratch ==

<span id="introduction-to-hikvision-ip-issues"></span>
==== 2.1 Introduction to Hikvision IP issues ====

When you get a good camera, it usually uses DHCP to connect to your network. This means when you hook it up, you’ll be able to see it in the ARP table on your '''pfSense''' router. It’ll grab an IP address that your router provides, and boom, it’s on the network.

…I said a GOOD camera. These are (likely grey market) Hikvisions set up into god knows what configuration being sold by a business liquidator. Cheaper cameras might not do this. They often come with some weird static IP like <code>192.0.0.64</code>, and you have no idea what it’s trying to connect to. Hikvision cameras can be like this sometimes.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_99f3299b.png
File:lu55028jxdtp_tmp_3bd9e222.png
File:lu55028jxdtp_tmp_65220560.png
</gallery>

<span id="download-the-sadp-tool"></span>
==== 2.2 Download the SADP Tool ====

To fix this IP issue, Hikvision offers a tool called SADP. Unfortunately, this tool requires Windows. So, I’m booting up a sandboxed Windows computer here. It’s a burner computer I use for college math classes because, apparently, you can’t learn math on GNU/Linux, so I keep it around for the cancer that is Pearson Vue.

'''Download and Install SADP''': Grab it from [https://www.hikvision.com/us-en/support/tools/hitools/clea8b3e4ea7da90a9/ Hikvision’s website].

Sometimes, these cameras come with passwords that even the seller doesn’t know.
You might have to reset it by hitting a button inside the camera to get it back to default settings.

'''Preparing the camera for login'''

Once SADP finds your camera, you can log in and configure it. Often, you’ll need to look up the default password online or in the manual.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_5fb1fcd0.png
File:lu55028jxdtp_tmp_5748d3c3.png
File:lu55028jxdtp_tmp_4f3a2ffe.png
File:lu55028jxdtp_tmp_9ac7122.png
</gallery>

<span id="running-sadp-to-prepare-camera-for-login"></span>
==== 2.3 Running SADP to prepare camera for login ====

Once installed, run SADP and have it find your camera. Once it finds your camera, click on that camera, set it to DHCP, and apply the configuration. You have to enter the password to do this. The reason we are using DHCP at first rather than static IP is because this is insanely janky & I want to confirm that it even works & lets you log in at all before going further.

If you know the password, you’re done with 99% of the setup. If it doesn’t work, google the default password for that specific model of Hikvision camera. If that doesn’t work, you can either:

* Message the seller and ask them, but 99% of the time they know less than you about whatever they’re liquidating
* Open the camera physically & find a button you can hit to reset it. At that point, the default user/pass you find on Google should now work.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_a01aaa48.png
File:lu55028jxdtp_tmp_1803a7a2.png
File:lu55028jxdtp_tmp_56b379c8.png
</gallery>

<span id="logging-into-your-newfound-camera"></span>
==== 2.4 Logging into your newfound camera ====

After this, sign into your '''pfSense''' router and go to '''Status —> DHCP Leases''' to find your camera. I used '''Diagnostics —> ARP Table''' since I’m used to it. Once you know its IP, put it into your web browser and log right in. :)

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_8bd543f6.png
File:lu55028jxdtp_tmp_8a8974a8.png
</gallery>

<span id="configuring-a-static-ip"></span>
==== 2.5 Configuring a Static IP ====

First things first, you want to give your camera a static IP address. For instance, if you choose 192.168.5.19, you set it so you always know where to find it. This is necessary; imagine your system goes offline for a few minutes and something steals your camera’s IP address, and now your security camera recorder is trying to get a video feed from your refrigerator? Sadly, by the time this is published, your fridge might actually have a video feed…

* Configure network settings with a static IP:
** Click '''Configuration'''
** Click '''Network''' on the left side
** Uncheck '''DHCP'''
** Set an '''IPv4 Address''' on your subnet, anything from 192.168.5.5-192.168.5.254 will do here.
** Set the '''IPv4 Default Gateway''' to be your '''pfSense''' router.
** Click '''Test''' to make sure you didn’t screw something up before you save this configuration & can no longer log into your camera.
* Set '''Preferred DNS server''' and '''Alternate DNS server''' to the IP address of your '''pfSense''' router, which in our case is 192.168.5.1.
* '''User management''': Set a username and password for security.

<span id="configure-a-static-mapping-in-pfsense"></span>
==== 2.6 Configure a Static Mapping in pfSense ====

Follow the same instructions from our prior static mappings to set up a static mapping for our camera so that other devices do not steal its IP address.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_f9b49c88.png
File:lu55028jxdtp_tmp_94640b52.png
File:lu55028jxdtp_tmp_8384a94b.png
</gallery>

<span id="create-a-real-password-for-the-camera"></span>
==== 2.7 Create a REAL Password for the camera ====

No, we’re not keeping the username and password as “admin/password”.

# Once inside the camera’s configuration interface, go to '''Configuration''' at the top.
# Go to '''System''' on the left side.
# Go to '''User Management'''.
# Click '''Modify''' on the admin user.
# Don’t use the word “password” or “12345” as your password.
# Put this in a password manager when you’re done. Not a post-it on your monitor.
# Don’t write the password on the camera. I will come through this screen like Samara from The Ring and drag you so deep down a well you’ll end up on a ''[https://www.youtube.com/@fatal_breakdown cave diving YouTube channel]''.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_a1c6507a.png
</gallery>

<span id="change-video-codec-to-h.264"></span>
==== 2.8 Change Video Codec to H.264 ====

When it comes to video encoding, I’d use H.264 over H.265. '''Frigate''' & web browsers can be fussy playing back H.265, and the quality bump is not something I notice enough to be worth the aggravation. Given this is a beginner’s guide, the safe choice is to use the codec that is less likely to cause aggravation.

'''Frigate''' is going to have two streams – one that detects when something is going on (a dog, a cat, a car, a human, etc.), and another that does the recording. If we have a high-quality stream doing all of the detection work, our system is going to be killing itself all the time unnecessarily. We don’t need 12k Blackmagic Ursa quality video to tell whether we’re looking at a car’s license plate or a plastic bag in the wind. We do need good quality to record, though.
We’re going to set up one high-quality stream for recording, and another lower-quality stream for monitoring what’s going on. This way, we get high-quality video for playback, without unnecessarily blowing up the resource consumption on our computer.

* While logged into the camera interface, click '''Configuration'''.
* Click '''Video/Audio''' on the left side, and select '''Stream Type''' as '''Main Stream (Normal)'''. This is the feed we will be recording.
** For '''Main Stream (Normal)''', set '''Video Encoding''' to '''H.264'''.
** Set '''Video Quality''' to '''Highest'''.
** '''Resolution''' and '''Frame Rate''' are up to you – I like the highest resolution that gets me at least 20 frames per second. Lower than this and it starts to turn into a slideshow.
* Now, select '''Stream Type''' and click onto the 2nd stream listed.
* Set a very low '''Resolution''', something in the 600x300-ish range.
* Set the '''Video Quality''' to medium.

<span id="finding-the-url-where-we-access-the-cameras-stream"></span>
==== 2.9 Finding the URL where we access the camera’s stream ====

Before setting up your NVR software, make sure you can view the stream using a program like VLC. Here’s how you do it:

<ol style="list-style-type: decimal;">
<li><p>'''Find the stream address''': Use <code>NMap</code> to discover all streams on port 554 (RTSP port).</p>
<pre>nmap -d --script rtsp-url-brute -p 554 192.168.5.19</pre></li>
<li><p>'''Identify streams''': Look for streams ending in <code>.sdp</code>, typically <code>stream1</code> for high quality and <code>stream2</code> for lower quality.</p></li>
<li><p>'''Modify the URL''': Adjust the RTSP URL with your username and password.</p>
<pre>rtsp://username:password@<camera_ip>/stream1.sdp</pre></li></ol>
<blockquote>'''Hint''': You will see the high quality & the low quality stream in this list. You’ll have to mess around a bit to figure out which one is which; it should be obvious when you are viewing the high quality stream & when you are viewing the low quality stream, based on the video quality.
</blockquote>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_bf8f3071.png
</gallery>

<span id="testing-streams-in-vlc"></span>
==== 2.99 Testing Streams in VLC ====

Once you’ve got the URLs, test them in '''VLC''' to ensure they work. You can click '''Media—> Open Network Stream''' and then enter the URL. If you don’t have VLC… Get VLC. It is the best multi-format video player there is.

Once you have a working & properly set up camera, let’s install our NVR – that stands for '''Network Video Recorder.''' This is what will monitor the video feeds coming from our cameras & record it to disk for us.

<span id="step-3-installing-docker-and-setting-up-frigate-with-specific-version-0.13.2"></span>
== Step 3: Installing Docker and Setting Up Frigate with Specific Version 0.13.2 ==

Frigate is a lovely network video recorder. Next, we’re going to clone the Frigate repository. I’m going to download Frigate, but I’m using the old version of Frigate rather than the new version. I’ll show you why once I’m done installing.

The new version, in my opinion, took a well thought through user interface and destroyed it. I don’t mean minor changes; think Amber Heard doing plastic surgery on Johnny Depp. It’s that bad. Johnny Depp would still look better after that than Frigate looked from 0.13 —> 0.14. That’s what happened to Frigate from version 0.13 to 0.14. They destroyed it. You can’t even view events for more than one day at a time. It’s horrifically bad.

I’m downloading an old version, and I’ll show you the differences so you can decide for yourself. The setup routines are IDENTICAL with regards to configuring alerts in Home Assistant, etc.
This project still deserves donations, purchases, & funding for how good Frigate 0.13 is, as well as thanks & praise for keeping it open source so we even HAVE the option to use older versions.

<span id="install-docker"></span>
==== 3.1 Install Docker ====

<ol style="list-style-type: decimal;">
<li><p>'''Verify Existing Docker Installation:'''</p>
<p>Run the command to check if Docker is installed: <code>docker --version</code>. Make sure the version is 24.0.0 or later. If it’s an older version, remove it by using:</p>
<pre>sudo apt remove docker docker-engine docker.io containerd runc</pre></li>
<li><p>'''Install the Latest Version of Docker:'''</p>
<p>Download and install Docker using the official installation script. Run:</p>
<pre>curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh</pre></li></ol>
<blockquote>'''Note:''' Use the official Docker installation, not the Snap version. The Snap version is [https://www.reddit.com/r/docker/comments/shztqs/wow_docker_works_a_lot_better_when_you_dont_have/ ''horrible''] & causes tons of issues. If you got tricked into installing Docker at the end of the Ubuntu server installation prompts, I am sorry, but you have to remove that, it’s garbage. Run <code>sudo snap remove docker</code> and never look back.
</blockquote>
<ol start="3" style="list-style-type: decimal;">
<li><p>'''Install Docker Compose:'''</p>
<pre>sudo apt install docker-compose-plugin -y</pre></li>
<li><p>'''Verify Docker Compose Installation:'''</p>
<p>Make sure Docker Compose version is 2.0 or higher by running:</p>
<pre>docker compose version</pre></li>
<li><p>'''Set Proper Permissions for Docker:'''</p>
<ul>
<li><p>Docker typically requires root permissions, but you can add your user to the Docker group to avoid using <code>sudo</code>. Membership in that group is effectively root on the host, so only add accounts you would already trust with <code>sudo</code>.
Run:</p>
<pre>sudo usermod -aG docker $USER</pre></li>
<li><p>Log out and log back in, or run:</p>
<pre>newgrp docker</pre></li></ul>
</li></ol>

<span id="install-frigate"></span>
==== 3.2 Install Frigate ====

<ol style="list-style-type: decimal;">
<li><p>'''Create a Directory for Frigate:'''</p>
<ul>
<li><p>Run the following command to create a directory to store Frigate files:</p>
<pre>mkdir -p /home/$USER/Downloads/programs
cd ~/Downloads/programs</pre></li></ul>
</li>
<li><p>'''Clone the Frigate Repository:'''</p>
<ul>
<li><p>Clone the Frigate GitHub repository by running:</p>
<pre>git clone https://github.com/blakeblackshear/frigate.git
cd frigate</pre></li></ul>
</li>
<li><p>'''Set Up Docker Compose for Frigate:'''</p>
<ul>
<li><p>Create and edit the <code>docker-compose.yml</code> file. '''Make sure it specifies Frigate version 0.13.2. New versions use a horrible user interface that is [https://www.youtube.com/watch?v=uiFLqqKkj3M&t=117s rage inducing.]''' My example file below specifies version 0.13.2 for you. You’ll need to set the container name, restart policy, image version, shared memory size, devices (e.g., USB Coral, PCIe Coral, video device for Raspberry Pi), and volumes for storing local time, config files, media, and cache.
Be sure to open necessary ports (e.g., 5000, 8971, 8554, 8555).</p></li>
<li><p>'''If any of what I said''' in the last bullet point after the “rage inducing” part '''confuses the hell out of you''', don’t worry: you have the easiest path there is; '''JUST COPY AND PASTE BELOW WITHOUT MESSING WITH IT!'''</p></li></ul>
</li></ol>
<pre>version: "3.9"
services:
  frigate:
    container_name: frigate
    privileged: true # This may not be necessary for all setups
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:0.13.2 # Last good version
    shm_size: "64mb" # Update for your cameras based on requirements
    devices:
      - /dev/bus/usb:/dev/bus/usb # USB Coral, modify for other hardware
      - /dev/apex_0:/dev/apex_0 # PCIe Coral, modify based on your setup
      - /dev/video11:/dev/video11 # For Raspberry Pi 4B
      - /dev/dri/renderD128:/dev/dri/renderD128 # Intel hwaccel, update for your hardware
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/config
      - ./storage:/media/frigate
      - ./database:/data/db
      - type: tmpfs # Optional: Reduces SSD wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      - "8971:8971"
      - "5000:5000" # Internal unauthenticated access. Be careful with exposure.
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over TCP
      - "8555:8555/udp" # WebRTC over UDP
    environment:
      FRIGATE_RTSP_PASSWORD: "password"</pre>
<blockquote>'''IMPORTANT NOTE:''' By default, this is going to record to the solid state drive that is your main drive, which is very bad practice. The only reason it is configured this way is because we have not gotten to the zfs pool creation part of the guide, where we will create a redundant, encrypted, self-healing array of drives as a zfs pool. We want to record camera footage to large hard drives, not tiny solid state drives. Later on in the guide, you will want to change this once ZFS is set up.
The two lines of interest will be:
</blockquote>
<pre>      - ./storage:/media/frigate
      - ./database:/data/db</pre>
* This is still set to record everything to main drive: we will come back to edit this later once we have set up a ZFS pool at the end.

> '''DOCKER CHEAT SHEET: breaking down the <code>docker-compose.yml</code> File for Frigate'''
> Every line of this <code>docker-compose.yml</code> is there for a reason. You likely have no clue what this is all for if you are reading this, so let’s go through it.
>
> '''1. <code>version: "3.9"</code>'''
> This is the version of the Docker Compose file format. Version <code>3.9</code> is compatible with new Docker setups.
>
> '''2. <code>services:</code>'''
> This section defines the “services” you want to run, which are containers. Here, we only have one container: <code>frigate</code>.
>
> '''3. <code>frigate:</code>'''
> This is the name of the service (container). It helps you identify the container in logs or commands like <code>docker ps</code>. You can name it anything you like, but <code>frigate</code> makes sense since that’s the application we’re running.
>
> '''4. <code>container_name: frigate</code>'''
> Custom name for the frigate container so it is easy to find when you type <code>docker ps -a</code>. Sometimes while debugging things that are not working you may want to enter the environment of the virtual container ''(this is like sshing into your server, but into the virtual server that runs frigate)'', which you can do by typing <code>docker exec -it frigate bash</code> - but to do that you need to know which container is which! This is where using sensible names comes into play.
>
> '''5. <code>privileged: true</code>'''
> Running the container in “privileged mode” allows it to access hardware devices like USB or PCIe directly. This is done because frigate can use devices you plug in (like a coral) to improve the performance of the machine learning for detecting items on camera (car, human, bird, etc).
>
> ''Warning:'' This gives the container elevated permissions, so only use it if absolutely needed (like here).
>
> '''6. <code>restart: unless-stopped</code>'''
> This tells Docker to restart the container unless you stop it. If the computer reboots or the container crashes, it will turn back on automatically.
>
> '''7. <code>image: ghcr.io/blakeblackshear/frigate:0.13.2</code>'''
> This tells it what Docker image to use. Here, we’re pulling version <code>0.13.2</code> of Frigate from GitHub Container Registry (<code>ghcr.io</code>) instead of the newest one because the user interface was tortured & butchered to death with new releases. They destroyed it. It makes me sad how bad new versions are.
>
> '''8. <code>shm_size: "64mb"</code>'''
> This sets the size of shared memory available to the container. Frigate uses shared memory for hardware acceleration and video processing. Frigate documentation tells you how to increase this based on how many cameras you have running.
>
> '''9. <code>devices:</code>'''
> This part of the docker-compose file maps hardware devices from your host system ''(the physical computer you are installing this program onto)'' into the container. Frigate needs access to specific hardware for video processing. Let’s explain each line:
>
> - <code>/dev/bus/usb:/dev/bus/usb</code>: Maps USB devices for hardware like a USB Coral accelerator which can improve/speed up object detection & take the load off of the host computer.
> - <code>/dev/apex_0:/dev/apex_0</code>: Maps a pci express coral thing for faster object detection.
> - <code>/dev/video11:/dev/video11</code>: Maps a video input device, like a camera, for systems like Raspberry Pi.
> - <code>/dev/dri/renderD128:/dev/dri/renderD128</code>: Maps Intel hardware acceleration for video encoding/decoding.
>
> '''10. <code>volumes:</code>'''
> This section maps directories or volumes between the host and the container. Volumes are where we save configuration, media, and data outside the container so they continue existing even if the container is restarted/deleted/shut off.
>
> - <code>/etc/localtime:/etc/localtime:ro</code>: This maps the time of the host computer to the time of the container (“computer”) running frigate. The <code>:ro</code> means “read-only,” so the container can’t cause the host machine to time travel. Time travel is cool though. If you agree, watch the movie '''Primer''' - you won’t be disappointed. '''Triangle''' is a close second. The ending messes me up every time.
> - <code>./config:/config</code>: Maps the <code>config</code> directory on the host to <code>/config</code> in the container, where Frigate expects its configuration file.
> - <code>./storage:/media/frigate</code>: Maps the <code>storage</code> directory on the host to <code>/media/frigate</code> in the container, where Frigate saves camera recordings.
> - <code>./database:/data/db</code>: Maps the <code>database</code> directory on the host to <code>/data/db</code> in the container, where Frigate stores metadata and video analytics.
> - <code>type: tmpfs</code>: Creates a temporary file system in memory. This reduces wear on SSDs by storing cache data in RAM.
> - <code>target: /tmp/cache</code>: Specifies the location of the cache inside the container.
> - <code>tmpfs.size: 1000000000</code>: Limits the cache size to 1 GB.
>
> '''11. <code>ports:</code>'''
> This section maps network ports on the host to ports in the container. It allows you to access Frigate’s web interface and services.
> - <code>"8971:8971"</code>: Exposes Frigate’s main web interface on port <code>8971</code>.
> - <code>"5000:5000"</code>: Exposes an internal port for access without username/password authentication. We will fix this later using nginx & an authentication setup.
> - <code>"8554:8554"</code>: Exposes Real-Time Streaming Protocol (RTSP) feeds for viewing video streams.
> - <code>"8555:8555/tcp"</code> and <code>"8555:8555/udp"</code>: Expose WebRTC services over TCP and UDP, allowing low-latency streaming.
>
> '''12. <code>environment:</code>'''
> This section defines environment variables, which are key-value pairs that configure the container.
>
> - <code>FRIGATE_RTSP_PASSWORD: "password"</code>: Sets the password for accessing RTSP streams in Frigate.
>
> '''13. Important Warning About Default Storage'''
> By default, this configuration saves camera footage (<code>./storage:/media/frigate</code>) and metadata (<code>./database:/data/db</code>) to your main drive. This is fine for testing, but long-term use will fill up and wear out your SSD. Later in the guide, you’ll learn to change these paths to a ZFS pool for redundant, self-healing storage that provides us with way more space than our operating system’s SSD.

<span id="create-frigate-configuration-file"></span>
==== 3.3 Create Frigate Configuration File ====

<ol style="list-style-type: decimal;">
<li>'''Create and Edit the <code>config.yml</code> File:'''
<ul>
<li><p>Create a <code>config/config.yml</code> file to define your cameras & MQTT setup.</p></li>
<li><p>''I have provided a template below. Creating yml files is painful and very easy to mess up. So I provided a known-working file for you to start with.''</p></li>
<li><p>'''YOU WILL HAVE TO EDIT THE IP ADDRESSES, USERNAMES, AND PASSWORDS IN EACH PATH LINE TO THE URL OF YOUR ACTUAL CAMERA. YOUR CAMERAS WILL ALSO HAVE DIFFERENT URLS THAN MINE. I DID MOST OF THE WORK FOR YOU, BUT DON’T BE SO LAZY THAT YOU DON’T EVEN CHANGE THE CAMERA IPs & USERNAMES & PASSWORDS TO YOURS!'''</p></li>
<li><p>To find the RTSP URLs of your camera, you can install <code>nmap</code> on Ubuntu with:</p>
<pre>sudo apt install nmap -y</pre></li>
<li><p>Then you go to your terminal and type the following, replacing the IP address of <code>192.168.3.120</code> with the IP address of your camera:</p>
<pre>sudo nmap --script rtsp-url-brute -p 554 192.168.5.19
sudo nmap --script rtsp-url-brute -p 8554 192.168.5.19</pre></li>
<li><p>You will receive a list of stream URLs. Let’s say one of them is <code>"rtsp://192.168.5.19/Streaming/Channels/101"</code>.</p></li></ul>
</li></ol>
* You need to add your username & password here. So <code>rtsp://192.168.5.19/Streaming/Channels/101</code> will become <code>rtsp://username:password@192.168.5.19/Streaming/Channels/101</code>.
* Test that this works in a video player like VLC. In VLC, go '''Media''' → '''Open Network Stream''' → '''Network URL''' → enter the URL → click '''Play'''.
* If it works, it can be entered into the <code>path</code> line and replace my URLs in the config file below.
* The first four lines are going to be for MQTT, which sends messages to Home Assistant so that Home Assistant can send alerts to your phone when someone tries to steal your catalytic converter.
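
Once <code>docker-compose.yml</code> and the <code>config.yml</code> template that follows are filled in, a pre-flight check like this one can be run over both. It is an added example, not part of the original guide or of Frigate: it flags what the cheat sheet warns about (privileged mode, the unauthenticated port 5000 published on every interface, the passwords section 2.7 tells you not to use) plus camera logins left as placeholders or pasted inline into <code>path</code> lines. Assumptions: the sample files are constructed and abbreviated from the page's templates, the checks are line-based rather than a YAML parser, the <code>127.0.0.1</code> binding and <code>env_file</code> line are one possible hardening, and the <code>{FRIGATE_RTSP_PASSWORD}</code> form relies on Frigate's documented substitution of <code>FRIGATE_</code>-prefixed environment variables.

```python
"""Pre-flight audit of docker-compose.yml and config.yml (added example).

Line-based checks that assume the layout of the page's templates; not a YAML parser.
Findings carry line numbers and hosts only, never the secret itself.
"""
import re

# Values the page uses as placeholders or explicitly warns against (section 2.7).
WEAK_SECRETS = {"password", "12345", "CAMERAPASSWORDGOESHERE"}
PLACEHOLDER_USERS = {"CAMERAUSERNAMEGOESHERE"}
UNAUTH_PORTS = {"5000"}  # per the page: 5000 is served without authentication

PORT_RE = re.compile(r'-\s*"?(?:(\d+\.\d+\.\d+\.\d+):)?(\d+):(\d+)')
SECRET_KV_RE = re.compile(r'^(\w*password\w*)\s*:\s*"?([^"\s]+)"?$', re.IGNORECASE)
RTSP_RE = re.compile(r'rtsp://([^:@/\s]+):([^@\s]+)@([^/:\s]+)')
ENV_REF_RE = re.compile(r'^\{FRIGATE_\w+\}$')  # e.g. {FRIGATE_RTSP_PASSWORD}


def _lines(text):
    """Yield (line_number, content) with trailing comments and blank lines dropped."""
    for number, raw in enumerate(text.splitlines(), 1):
        content = raw.split(" #", 1)[0].strip()
        if content:
            yield number, content


def audit_compose(text):
    """Return [(line, finding)] for a docker-compose.yml shaped like the page's."""
    findings, in_ports = [], False
    for number, line in _lines(text):
        if line == "ports:":
            in_ports = True
            continue
        if in_ports and line.startswith("-"):
            match = PORT_RE.match(line)
            if match:
                host_ip, _host_port, container_port = match.groups()
                # No host IP means Docker publishes the port on every interface.
                if container_port in UNAUTH_PORTS and host_ip in (None, "0.0.0.0"):
                    findings.append((number, "unauth-port-all-interfaces"))
            continue
        in_ports = False
        if re.fullmatch(r"privileged:\s*true", line):
            findings.append((number, "privileged-container"))
        secret = SECRET_KV_RE.match(line)
        if secret and secret.group(2) in WEAK_SECRETS:
            findings.append((number, "weak-secret:" + secret.group(1)))
    return findings


def audit_config(text):
    """Return [(line, finding)] for a Frigate config.yml shaped like the page's."""
    findings = []
    for number, line in _lines(text):
        secret = SECRET_KV_RE.match(line)
        if secret and secret.group(2) in WEAK_SECRETS:
            findings.append((number, "weak-secret:" + secret.group(1)))
        rtsp = RTSP_RE.search(line)
        if rtsp:
            user, password, host = rtsp.groups()
            if user in PLACEHOLDER_USERS or password in WEAK_SECRETS:
                findings.append((number, "placeholder-or-weak-camera-login:" + host))
            elif not ENV_REF_RE.match(password):
                # Real password stored in the file: keep config.yml private or
                # move the secret to an environment variable.
                findings.append((number, "inline-camera-password:" + host))
    return findings


# Constructed samples, abbreviated from the page's templates.
SAMPLE_COMPOSE = """\
services:
  frigate:
    privileged: true # This may not be necessary for all setups
    image: ghcr.io/blakeblackshear/frigate:0.13.2
    ports:
      - "5000:5000" # Internal unauthenticated access
      - "8554:8554" # RTSP feeds
    environment:
      FRIGATE_RTSP_PASSWORD: "password"
"""

HARDENED_COMPOSE = """\
services:
  frigate:
    image: ghcr.io/blakeblackshear/frigate:0.13.2
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
    ports:
      - "127.0.0.1:5000:5000" # reachable only through a local reverse proxy
      - "8554:8554"
    env_file:
      - ./frigate.env
"""

SAMPLE_CONFIG = """\
mqtt:
  host: homeassistant.home.arpa
  password: password
cameras:
  driveway:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.102:554/Streaming/Channels/101
        - path: rtsp://viewer:Tr0ub4dor@192.168.3.103:554/Streaming/Channels/101
        - path: rtsp://viewer:{FRIGATE_RTSP_PASSWORD}@192.168.3.104:554/Streaming/Channels/101
"""

if __name__ == "__main__":
    for name, result in (("compose", audit_compose(SAMPLE_COMPOSE)),
                         ("hardened", audit_compose(HARDENED_COMPOSE)),
                         ("config", audit_config(SAMPLE_CONFIG))):
        print(name, result)
```

To run it against your own files, pass <code>open("docker-compose.yml").read()</code> and <code>open("config/config.yml").read()</code> to the two functions.
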
<pre>mqtt:
  host: homeassistant.home.arpa
  port: 1883
  user: louis
  password: passwordman

cameras:
  front_door_closeup:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.101:554/Streaming/Channels/101
          roles:
            - record
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.101:554/Streaming/Channels/102
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
        - car
        - motorcycle
        - bird
        - cat
        - dog
        - horse
        - sheep
        - cow
        - bear
        - zebra
        - giraffe
        - elephant
        - mouse
      filters:
        person:
          mask: 570,299,545,0
        cat:
          min_score: 0.01
          threshold: 0.02
        dog:
          min_score: 0.01
          threshold: 0.02
        bird:
          min_score: 0.01
          threshold: 0.02
    motion:
      mask:
        - 473,0,21,156,53,317,140,312
    record:
      enabled: true
      events:
        pre_capture: 5
        post_capture: 5
        objects:
          - person
          - car
          - motorcycle
          - bird
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
          - zebra
          - giraffe
          - elephant
          - mouse

  driveway:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.102:554/Streaming/Channels/101
          roles:
            - record
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.102:554/Streaming/Channels/102
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
        - car
        - motorcycle
        - bird
        - cat
        - dog
        - horse
        - sheep
        - cow
        - bear
        - zebra
        - giraffe
        - elephant
        - mouse
      filters:
        car:
          min_score: 0.01
          threshold: 0.03
        cat:
          min_score: 0.01
          threshold: 0.02
        dog:
          min_score: 0.01
          threshold: 0.02
        bird:
          min_score: 0.01
          threshold: 0.02
    record:
      enabled: true
      events:
        pre_capture: 5
        post_capture: 5
        objects:
          - person
          - car
          - motorcycle
          - bird
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
          - zebra
          - giraffe
          - elephant
          - mouse

  side_door_closeup:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.104:554/Streaming/Channels/101
          roles:
            - record
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.104:554/Streaming/Channels/102
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
        - bird
        - cat
        - dog
        - horse
        - sheep
        - cow
        - bear
        - zebra
        - giraffe
        - elephant
        - mouse
      filters:
        car:
          min_score: 0.01
          threshold: 0.03
        cat:
          min_score: 0.01
          threshold: 0.02
        dog:
          min_score: 0.01
          threshold: 0.02
        bird:
          min_score: 0.70
          threshold: 0.75
    record:
      enabled: true
      events:
        pre_capture: 5
        post_capture: 5
        objects:
          - person
          - car
          - bird
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
          - zebra
          - giraffe
          - elephant
          - mouse

  back_door_closeup:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.103:554/Streaming/Channels/101
          roles:
            - record
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.103:554/Streaming/Channels/102
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
        - car
        - bird
        - cat
        - dog
        - horse
        - sheep
        - cow
        - bear
        - zebra
        - giraffe
        - elephant
        - mouse
      filters:
        car:
          min_score: 0.75
          threshold: 0.75
        cat:
          min_score: 0.01
          threshold: 0.02
        dog:
          min_score: 0.01
          threshold: 0.02
        bird:
          min_score: 0.01
          threshold: 0.02
    record:
      enabled: true
      events:
        pre_capture: 5
        post_capture: 5
        objects:
          - person
          - car
          - bird
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
          - zebra
          - giraffe
          - elephant
          - mouse

  front_porch_wide_angle:
    ffmpeg:
      inputs:
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.106:554/Streaming/Channels/101
          roles:
            - record
        - path: rtsp://CAMERAUSERNAMEGOESHERE:CAMERAPASSWORDGOESHERE@192.168.3.106:554/Streaming/Channels/102
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
        - car
        - motorcycle
        - bird
        - cat
        - dog
        - horse
        - sheep
        - cow
        - bear
        - zebra
        - giraffe
        - elephant
        - mouse
      filters:
        person:
          min_score: 0.8
          threshold: 0.8
        car:
          min_score: 0.6
          threshold: 0.7
        cat:
          min_score: 0.01
          threshold: 0.02
        dog:
          min_score: 0.01
          threshold: 0.02
        bird:
          min_score: 0.6
          threshold: 0.65
    record:
      enabled: true
      events:
        pre_capture: 5
        post_capture: 5
        objects:
          - person
          - car
          - motorcycle
          - bird
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
          - zebra
          - giraffe
          - elephant
          - mouse

  fishcam:
    ffmpeg:
      inputs:
        - path: rtsp://louis:passwordroflcopter@192.168.3.120:554/stream1
          roles:
            - record
        - path: rtsp://louis:passwordroflcopter@192.168.3.120:554/stream1
          roles:
            - detect
      output_args:
        record: -f segment -segment_time 60 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy
    detect:
      width: 640
      height: 360
      fps: 20
    objects:
      track:
        - person
      filters:
        person:
          min_score: 0.3
          threshold: 0.3
    record:
      enabled: true
      events:
        pre_capture: 15
        post_capture: 15
        objects:
          - fish

database:
  path: /data/db/frigate.db
#version: 0.14</pre>
<blockquote>'''Note:''' For each camera, configure the RTSP inputs for recording and detection streams. Define output arguments, detection settings (e.g., width, height, fps), and tracked objects (e.g., person, car, bird, dog). You can set filters for specific objects, mask areas for motion detection, and enable event recording with pre-capture and post-capture times. Repeat for additional cameras as needed.
</blockquote>
<span id="running-frigate"></span>
==== 3.4 Running Frigate ====

# '''Start Frigate:'''
#* Start Frigate by running: <code>docker compose up -d</code>.
# '''Access the Frigate Web Interface:'''
#* Open your web browser and navigate to <code>http://192.168.5.2:5000</code>.
# '''Configure Additional Settings:'''
#* Edit the <code>config.yml</code> file as needed to add or modify cameras, object tracking settings, or motion detection masks.
# '''Note on Storage:'''
#* It’s recommended to use a separate storage device for Frigate’s media to avoid unnecessary wear on your primary SSD. We’ll go into detail about setting up ZFS pools & external storage later.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_54097ca6.png
</gallery>

<span id="enjoy-frigate"></span>
==== 3.5 Enjoy Frigate! ====
You have the best NVR software there is, and no cancerous hideous modern UI. Enjoy!

<span id="step-4-make-sure-it-all-works."></span>
== Step 4: Make sure it all works. ==
There’s nothing worse than someone kidnapping your kid or killing your dog & not being able to see who did it because you set your threshold too low in a yaml file. Extensively test everything. Assume it won’t work later, because often with camera systems, it doesn’t.

<span id="step-5-get-instant-camera-alerts-on-your-phone"></span>
== Step 5: Get Instant Camera Alerts On Your Phone ==
Now you have a camera you can see when you log into it, but don’t you want to get an alert if some weirdo is walking through your backyard? Home Assistant and Frigate can talk to each other to make this happen. Home Assistant needs two things:
* To receive communication from Frigate
* A client and a broker that understand that communication.
We are going to go over how to set all of this up – and use a handy extension that lets us avoid miserable YAML files for setting this all up; it is simple point-and-click.
<span id="switch-gears-go-back-to-home-assistant"></span>
==== 5.1 Switch gears & go back to Home Assistant ====
# Open web browser
# Go to http://192.168.1.7:8123 or http://homeassistant.home.arpa:8123

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_73352a27.png
File:lu55028jxdtp_tmp_fc4eb41f.png
File:lu55028jxdtp_tmp_12b8030b.png
File:lu55028jxdtp_tmp_deda9e79.png
File:lu55028jxdtp_tmp_598cb682.png
File:lu55028jxdtp_tmp_68982d5e.png
File:lu55028jxdtp_tmp_d991780a.png
File:lu55028jxdtp_tmp_b201bbe8.png
File:lu55028jxdtp_tmp_272b62c8.png
File:lu55028jxdtp_tmp_16db9dd9.png
File:lu55028jxdtp_tmp_50c0fdd2.png
File:lu55028jxdtp_tmp_f69d8e0e.png
File:lu55028jxdtp_tmp_88fe4866.png
File:lu55028jxdtp_tmp_ee1dcb43.png
File:lu55028jxdtp_tmp_904be7b9.png
File:lu55028jxdtp_tmp_21da8192.png
File:lu55028jxdtp_tmp_55120826.png
File:lu55028jxdtp_tmp_7c2ff154.png
File:lu55028jxdtp_tmp_b0c46153.png
File:lu55028jxdtp_tmp_44a26f8c.png
File:lu55028jxdtp_tmp_e003f8b9.png
File:lu55028jxdtp_tmp_78a73239.png
File:lu55028jxdtp_tmp_aff05f0f.png
File:lu55028jxdtp_tmp_cf418dfc.png
File:lu55028jxdtp_tmp_584df2f7.png
File:lu55028jxdtp_tmp_e3b61efd.png
File:lu55028jxdtp_tmp_8749f406.png
File:lu55028jxdtp_tmp_99985c72.png
</gallery>

<span id="download-and-install-hacs"></span>
==== 5.2 Download and Install HACS ====
# '''Download HACS (Home Assistant Community Store):'''
#* Go to [https://www.hacs.xyz/docs/use/download/download/ HACS → Download] on their website.
#* Click onto the '''OS/supervised''' version, as that’s the version of Home Assistant we have installed.
# '''Open the HACS Add-on Repository:'''
#* Click the link provided to add the HACS repository to your Home Assistant instance. It’ll ask you to '''Add missing'''.
# '''Enter Home Assistant URL:'''
#* It will ask for your Home Assistant link.
#* By default, Home Assistant may attempt to use <code>homeassistant.local:8123</code>, which will fail.
#* If you are following this guide’s setup, use one of the following URLs:
#** Local Domain: <code>http://homeassistant.home.arpa:8123</code>
#** Direct IP: <code>http://192.168.5.4:8123</code>
#* Replace these with your actual Home Assistant domain or IP address if different.
# '''Install HACS:'''
#* Follow the prompts to install HACS in Home Assistant.
#* ''BE PATIENT!'' Click on the LOGS tab and wait for it to be '''''DONE!!!''''' before you try to start adding things, or nothing will work.
# '''Restart Home Assistant:'''
#* After installation, restart your Home Assistant instance for the changes to take effect.
#* Go to settings → system → power button icon in the upper right-hand corner, click the power button, and click “restart home assistant.” '''''DO NOT DO THIS UNTIL THE LOGS TAB FOR HACS SAYS EVERYTHING IS DONE'''''
# '''Clear your browser cache, cookies, etc.'''
# '''Log back into Home Assistant.'''
# '''Go to Settings → Devices & Services → Add Integration & Search for HACS'''
#* If it doesn’t show up, do not pass go, do not collect $200 – re-follow the instructions [https://www.hacs.xyz/docs/use/download/download/ here] and [https://www.hacs.xyz/docs/use/configuration/basic/#setting-up-the-hacs-integration here]. Clear your browser cache/cookies, choose the option to reboot Home Assistant rather than restart Home Assistant when you go to settings → system → power button icon in the upper right-hand corner, clear cache/cookies in the browser, go to settings → addons → get HACS → CLICK START.
# '''Go to logs'''
<ul>
<li><p>''Wait! Don’t be impatient!'' Wait for it to be done. You will see the following at the end of the log when it is done:</p>
<pre>INFO: Installation complete.
INFO: Remember to restart Home Assistant before you configure it.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped</pre></li></ul>
<ol start="10" style="list-style-type: decimal;">
<li><p>'''Add Integration Properly:'''</p>
<ul>
<li><p>Go to '''Settings → Devices → Devices & Integrations → Add Integration''' & search for HACS.</p></li>
<li><p>Check the boxes.</p></li>
<li><p>Click submit.</p></li>
<li><p>It will ask you to open a link to log into GitHub, and insert a code. Click it.</p></li>
<li><p>Go to GitHub. If you lack an account, make one. If you have a GitHub account, log in.</p></li>
<li><p>Enter code.</p></li>
<li><p>Authorize HACS.</p></li>
<li><p>Add HACS to an “area.”</p></li>
<li><p>Click finish.</p></li>
<li><p>Next step!</p></li></ul>
</li></ol>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_4a627a28.png
File:lu55028jxdtp_tmp_6e463f1.png
File:lu55028jxdtp_tmp_25f1321.png
File:lu55028jxdtp_tmp_bd48c948.png
File:lu55028jxdtp_tmp_7d0028c9.png
File:lu55028jxdtp_tmp_136e049.png
File:lu55028jxdtp_tmp_ce8689b1.png
File:lu55028jxdtp_tmp_c6badc81.png
File:lu55028jxdtp_tmp_d4c54e09.png
File:lu55028jxdtp_tmp_69f853e4.png
File:lu55028jxdtp_tmp_c6c7c21e.png
File:lu55028jxdtp_tmp_d892307f.png
File:lu55028jxdtp_tmp_e2f2eaf6.png
File:lu55028jxdtp_tmp_b15f4ff6.png
File:lu55028jxdtp_tmp_f2ef1560.png
File:lu55028jxdtp_tmp_408094f6.png
</gallery>

<span id="add-frigate-add-ons-to-home-assistant"></span>
==== 5.3 Add Frigate Add-ons to Home Assistant ====
# Visit [http://homeassistant.home.arpa:8123/hacs/repository/311536795 '''Frigate Home Assistant Add-ons page''']
# '''Log back into Home Assistant when it prompts you to.'''
# '''Add Frigate Repository:'''
#* Click the bright blue '''“Add-on repository to my Home Assistant”''' button.
# '''Download and Install Frigate:'''
#* You’ll see two buttons. One is a blue button that says “Open with Home Assistant Store,” and the other is for downloading the add-on.
#* '''Important:''' The blue button in the middle refreshes the page without installing anything.
#* To download and install Frigate, make sure to click the Download button at the bottom.
# '''Access Home Assistant Again:'''
#* You’ll be prompted again to enter your Home Assistant domain with <code>:8123</code>.
#* Remember, the default URL <code>homeassistant.local:8123</code> won’t work. Home Assistant assumes you’re using a standard router where the domain is <code>.local</code> - but with pfSense, it is <code>.home.arpa</code>. Use one of the following:
#** '''Local Domain:''' [http://homeassistant.home.arpa:8123/ http://homeassistant.home.arpa:8123]
#** '''Direct IP:''' [http://192.168.5.4:8123/ http://192.168.5.4:8123]
# Click '''“Download”''' in the lower left corner.
# Continue with installing, wait for it to install — it should be quick.
# Go to '''Home Assistant Settings''' in the lower left corner.
# It will say '''“1 repair, restart required”''' with the little Frigate logo at the top, or just '''restart required''' at the top.
# Click this, follow prompts, and restart Home Assistant.

<span id="add-frigate-integration"></span>
==== 5.4 Add Frigate Integration ====
<ol style="list-style-type: decimal;">
<li><p>'''Add Frigate integration to Home Assistant'''</p>
<ol style="list-style-type: lower-alpha;">
<li><p>Go to '''Settings''' in the Home Assistant menu.</p></li>
<li><p>Navigate to '''Devices & Integrations'''.</p></li>
<li><p>Click Add Integration, and search for Frigate in the list.
Follow the prompts to add it.</p></li></ol>
</li>
<li><p>'''Enter Frigate URL:'''</p>
<ol style="list-style-type: lower-alpha;">
<li>The URL will be the IP address you chose for the server you installed Frigate on, or its hostname: in my case <code>http://192.168.5.2:5000</code>, OR [http://happycloud.home.arpa:5000/ http://happycloud.home.arpa:5000] with the examples I have provided.</li></ol>
</li>
<li><p>Once Frigate is integrated, you’ll be asked to assign cameras to specific areas within Home Assistant. Select the appropriate areas for your cameras.</p></li></ol>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_11421791.png
File:lu55028jxdtp_tmp_b46921b6.png
File:lu55028jxdtp_tmp_20eefd9e.png
File:lu55028jxdtp_tmp_240785dd.png
File:lu55028jxdtp_tmp_21cd7be8.png
File:lu55028jxdtp_tmp_63ccf803.png
File:lu55028jxdtp_tmp_6c42c4c.png
File:lu55028jxdtp_tmp_a1ab324e.png
File:lu55028jxdtp_tmp_37888578.png
File:lu55028jxdtp_tmp_4d8907f9.png
File:lu55028jxdtp_tmp_61ecad83.png
File:lu55028jxdtp_tmp_20c1c405.png
</gallery>

<span id="configure-mosquito-broker-mqtt-in-that-order"></span>
==== 5.5: Configure Mosquitto Broker & MQTT (in that order) ====
# '''Check if MQTT Broker (Mosquitto) is Installed:''' Go to '''Settings > Add-ons''' and find the blue '''add-on Store button''' at the bottom right.
# '''Look for Mosquitto Broker.'''
# '''Click Install.'''
# Once installed, start the add-on and make sure Start on Boot is enabled, and hit start.
# '''Configure MQTT Broker in Home Assistant:'''
#* Go to '''Settings > Devices & Services > Add Integration'''.
#* Search for '''MQTT''' and select it. Go into MQTT by clicking it and add it.
# '''Autoconfigure Prompt:'''
#* It should prompt you to autoconfigure it with the Mosquitto broker you just installed.
#* Remember the order – install the Mosquitto broker from add-ons FIRST, THEN install MQTT from '''Settings > Devices & Services > Add Integration''', or MQTT may not auto-configure itself the same way.
#** Broker: <code>core-mosquitto</code> (since Mosquitto is running on Home Assistant OS). This will auto configure by default.
#** Don’t worry if the MQTT thing has no working configure buttons, those are as optional as the JTAG connector on a MacBook motherboard.
#** Port: 1883 (default MQTT port). This will auto configure by default.
#** Username and Password: Mosquitto broker allows Home Assistant users to log in so you don’t have to worry about this. When we enter this information into Frigate, we will be using the username & password we use to log into Home Assistant.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_ca1b97c5.png
File:lu55028jxdtp_tmp_b6564f8b.png
File:lu55028jxdtp_tmp_c414c9.png
File:lu55028jxdtp_tmp_21dbe66b.png
File:lu55028jxdtp_tmp_1008176c.png
File:lu55028jxdtp_tmp_a1f44605.png
</gallery>

<span id="set-up-frigate-mobile-app-notifications"></span>
==== 5.6 Set Up Frigate Mobile App Notifications ====
* '''Download Notification Blueprint:'''
** Go to the [https://community.home-assistant.io/t/frigate-mobile-app-notifications-2-0/559732 Frigate Mobile App Notifications] 2.0 page.
** Follow the instructions on this page to download the notification blueprint into your Home Assistant.
* '''You need this unless you want to be in hell writing YAML files yourself. You don’t want to do that, right? I thought so.'''

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdtp_tmp_cf0e970f.png
File:lu55028jxdtp_tmp_b21d7dac.png
File:lu55028jxdtp_tmp_34426308.png
File:lu55028jxdtp_tmp_3ddaeebf.png
File:lu55028jxdtp_tmp_240dc338.png
File:lu55028jxdtp_tmp_bed46eef.png
File:lu55028jxdtp_tmp_ab6084f9.png
File:lu55028jxdtp_tmp_837df932.png
File:lu55028jxdtp_tmp_6e9bae11.png
File:lu55028jxdtp_tmp_d45994a6.png
File:lu55028jxdtp_tmp_a8dc04b5.png
File:lu55028jxdtp_tmp_bd7663b7.png
File:lu55028jxdtp_tmp_e21b65cd.png
File:lu55028jxdtp_tmp_cf25be7a.png
File:lu55028jxdtp_tmp_7ad3f32e.png
</gallery>

<span id="configure-automations-for-camera-and-notifications"></span>
==== 5.7 Configure Automations for Camera and Notifications ====
<ol style="list-style-type: decimal;">
<li><p>'''Access Automation Editor:'''</p>
<ul>
<li>Go to your automation editor at: <code>http://192.168.5.4:8123/config/automation/dashboard</code></li></ul>
</li>
<li><p>'''Use Frigate Notifications Blueprint:'''</p>
<ul>
<li>Click '''“Blueprints”''' at the top right.</li>
<li>Click '''“Frigate Notifications”''' which is what you want.</li></ul>
</li>
<li><p>'''Configure Automation:'''</p>
<ul>
<li><p>Here you scroll down to choose your camera, and your mobile device, the name of the automation, etc.</p></li>
<li><p>The most important thing to get right is the name of the camera & the mobile device; everything else you can customize, and it’s not for me to tell you how.</p>
<blockquote><p>'''NOTE:''' If your mobile device does not show up, log into Home Assistant on your phone and add it as a device to Home Assistant. It will prompt you to do this by default when you first set up the app.
Then go back here and redo this step (you will have to close out of the window you just opened after clicking '''Blueprints → Frigate Notifications''' & reclick it so the dialog box for your phone will show your phone)</p></blockquote></li></ul>
</li>
<li><p>'''Make sure MQTT is set up in the <code>frigate config.yml</code> file:'''</p>
<ul>
<li>Make sure in Frigate’s '''Config''' menu, in the <code>config.yml</code> file, MQTT is set up as follows, with the username & password matching your Home Assistant login, and your host matching the IP address of the Home Assistant server:</li></ul>
</li></ol>
<pre>mqtt:
  host: homeassistant.home.arpa
  port: 1883
  user: louis
  password: passwordman</pre>
<ol start="6" style="list-style-type: decimal;">
<li>'''Enjoy Your New Frigate Integration with Home Assistant!'''</li></ol>

<span id="step-6-making-frigate-secure"></span>
== Step 6: Making Frigate Secure ==
<blockquote>'''NOTE:''' (if the complexities of docker networking confuse you, skip ahead to “steps”)
</blockquote>
Newer Frigate has username/password authentication, but it is so useless you will not want to ever log into it. That isn’t helpful.

Older Frigate has no authentication, so anyone who goes to <code>http://192.168.5.2:5000</code> on your local network has admin access to everything. They can stop recording, delete recordings, have your setup record [https://en.wikipedia.org/wiki/Goatse.cx goatse], etc. '''VERY BAD'''.

Further complicating things, our Frigate plugin on Home Assistant, at <code>192.168.5.4</code>, needs to communicate with <code>192.168.5.2</code> in order to grab Frigate’s camera setup, on port 5000 – WITHOUT authentication. The communication to grab the camera setup is separate from the MQTT traffic. :( This makes it difficult to secure versions of Frigate that have a functioning UI.
We can set up <code>nginx</code> as a reverse proxy – this takes all traffic received on ports 80 & 443, moves it to <code>https://</code>, and passes it on to Frigate on port 5000. We can add username/password authentication using <code>nginx</code> here, so that people need a password to view it. Then, we can block port 5000 by binding Frigate to only work on localhost. But this means that Home Assistant won’t be able to connect to it – since it’s running on another machine. '''F&^!'''
* Plan to set up username/password authentication for Frigate:
** Use <code>iptables</code> to allow all traffic to port 5000 from <code>127.0.0.1</code> (localhost, the computer running Frigate), so that <code>nginx</code> can connect to Frigate.
** Allow all traffic from <code>192.168.5.4</code>, our Home Assistant virtual machine, to connect to Frigate on port 5000.
** Block EVERYTHING ELSE on port 5000.
** Set up <code>nginx</code> as a webserver on port 443 with https & ssl.
** Tell <code>nginx</code> that anyone accessing the <code>nginx</code> webserver needs to submit a username & password to get in.
** Tell <code>nginx</code> to let anyone who enters that user/pass on port 443 see Frigate on port 5000.
'''TL;DR'''
* We’re telling everyone who wants to view the cameras they have to enter a username & password.
* This allows you to view your cameras just fine.
* This tells anyone who tries to get into your system without a password to gargle your balls.
* This allows Home Assistant to connect without being blocked.
We have to do this on the machine itself, since people on our LAN are not going to have to talk to the router in order to log into Frigate, since they are on the same network. These rules will be added on <code>192.168.5.2</code>, aka <code>happycloud.home.arpa</code>, our machine that is running Frigate.
<span id="making-iptables-rules"></span>
==== 6.1 Making iptables rules ====
Allow established connections (makes https more stable, [https://www.reddit.com/r/radiohead/comments/ovvkrg/understanding_ok_computers_fitter_happier/ fitter, happier, more productive]. Not eating too much)
<pre>sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre>
<blockquote>Allow localhost access to port 5000:
</blockquote>
<pre>sudo iptables -A INPUT -i lo -p tcp --dport 5000 -j ACCEPT</pre>
<blockquote>Allow Home Assistant access to port 5000
</blockquote>
<pre>sudo iptables -A INPUT -s 192.168.5.4 -p tcp --dport 5000 -j ACCEPT</pre>
<blockquote>Block all other access to port 5000
</blockquote>
<pre>sudo iptables -A INPUT -p tcp --dport 5000 -j DROP</pre>
<blockquote>Make sure Docker respects these rules
</blockquote>
<pre>sudo iptables -I DOCKER-USER -j RETURN</pre>
<blockquote>Install the <code>iptables-persistent</code> package:
</blockquote>
<pre>sudo apt install iptables-persistent</pre>
# During installation, you’ll be asked if you want to save the current iptables rules. Choose Yes.
# If you’re not prompted, you can manually save the rules by running: <code>sudo netfilter-persistent save</code>
# YOU NEED TO INSTALL <code>IPTABLES-PERSISTENT</code> AND TELL IT TO SAVE YOUR RULES OR ELSE YOU HAVE TO RUN THIS EVERY TIME YOU BOOT!

<span id="installing-nginx"></span>
==== 6.2 Installing nginx ====
Next up, it’s time to install nginx & everything necessary for us to have it ask for a username and a password to log in.
<ol style="list-style-type: decimal;">
<li><p>'''Install Nginx:'''</p>
<pre>sudo apt install nginx</pre></li>
<li><p>'''Run the following commands:'''</p>
<pre>sudo apt update
sudo apt install nginx -y</pre></li>
<li><p>'''Create a Self-Signed SSL Certificate''' Generate the certificate:</p>
<pre>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt</pre></li></ol>
<blockquote>'''Note:''' For the Common Name (CN), use your local domain (e.g., happycloud.home.arpa).
</blockquote>
<ol start="4" style="list-style-type: decimal;">
<li><p>'''Create Strong Diffie-Hellman Group''', makes security and https better, because we totally need more security on a LAN connection nobody else will be able to connect to besides your kid who’s trying to troll you with</p>
<pre>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</pre></li>
<li><p>'''Create Password File for Basic Auth''' Install apache2-utils and create the password file:</p>
<pre>sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd your_username</pre></li>
<li><p>Replace your_username with your desired username.</p></li></ol>

<span id="configure-nginx"></span>
==== 6.3 Configure Nginx ====
Create a new Nginx configuration file:
<pre>sudo nano /etc/nginx/sites-available/frigate</pre>
If this directory does not exist, you might be using a newer version of nginx, which places configuration files in <code>/etc/nginx/conf.d</code> instead.
Running <code>nginx -v</code> will tell you whether you are using an older version that defaults to [https://www.reddit.com/r/nginx/comments/re8ksm/why_is_sitesenabled_and_sitesavailable_deprecated/ <code>/etc/nginx/sites-available</code> and <code>/etc/nginx/sites-enabled</code>] or a newer version that uses <code>/etc/nginx/conf.d/</code>. In that case, create the file there instead (the stock <code>nginx.conf</code> only includes files ending in <code>.conf</code> from that directory):
<pre>sudo nano /etc/nginx/conf.d/frigate.conf</pre>
Add the following configuration: remember to replace '''“happycloud.home.arpa”''' as well as '''“192.168.5.2”''' with the hostname & IP address of YOUR server!
<pre># Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name happycloud.home.arpa 192.168.5.2;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name happycloud.home.arpa 192.168.5.2;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Basic auth applies to every location in this server block
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /ws {
        proxy_pass http://127.0.0.1:5000;
        # WebSocket upgrade needs HTTP/1.1 to the upstream (nginx defaults to 1.0)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}</pre>
<blockquote>'''NOTE''': Many open source projects suggest using nginx as a reverse proxy. They are kind & cordial enough to provide their own configuration files for you so you don’t have to write everything above & configure it yourself. While well meaning, many of them set the cipher (security thingie) manually, a throwback to the days when nginx used to default to insecure ciphers.
So you may see old docs by developers that MEANT WELL to provide you a helping hand with stuff like this in their nginx configuration files:
</blockquote>
<pre>ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384;</pre>
<blockquote>This is bad. Remove things like this as long as you are using a modern version of nginx. These change often and if you are manually setting it, that is not a great thing to be doing. Also consider politely ''(POLITELY)'' mentioning to the devs who had that in there that this isn’t necessary anymore since nginx no longer defaults to insecure ciphers.
</blockquote>

<span id="enable-the-nginx-configuration"></span>
==== 6.4 Enable the Nginx Configuration ====
Enable the configuration and reload Nginx. The commands below do the following:

<code>sudo ln -s /etc/nginx/sites-available/frigate /etc/nginx/sites-enabled/</code> This takes our configuration file out of the “chamber” (sites-available) and into the breech (sites-enabled). Your configuration file you place in sites-available will not work unless it is in sites-enabled. <code>ln -s</code> creates a symlink, similar to how a shortcut works in Windows.

<code>nginx -t</code> checks our configuration file for errors.

<code>sudo systemctl reload nginx</code> allows nginx to load a new configuration file ''without'' shutting down.
<pre>sudo ln -s /etc/nginx/sites-available/frigate /etc/nginx/sites-enabled/
sudo nginx -t # This checks if config is bad & tells us what we did wrong
sudo systemctl reload nginx</pre>

<span id="test-frigate-does-it-require-userpass"></span>
==== 6.5 Test Frigate; does it require user/pass? ====
* Log into <code>http://192.168.5.2:5000</code> from other computers on your LAN. If it doesn’t work, you did good.
* Your nephew can no longer replace your cameras with goatse.
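The LAN test above only tells you the result on the day you run it. As an added example (not part of the original guide), this Python script audits the output of <code>sudo iptables -S INPUT</code> against the policy from 6.1 and catches rules appended in the wrong order or lost after a reboot; the sample dumps, the <code>eth0</code> interface name and the <code>192.168.5.50</code> test address are constructed assumptions.

```python
"""Audit an `iptables -S INPUT` dump against the port-5000 policy from 6.1."""
import ipaddress
import shlex

# Constructed sample: the four INPUT rules from 6.1 as `iptables -S INPUT` prints them.
GOOD_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 192.168.5.4/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP
"""

# Constructed failure case: the DROP was appended before the Home Assistant ACCEPT.
BAD_ORDER = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP
-A INPUT -s 192.168.5.4/32 -p tcp -m tcp --dport 5000 -j ACCEPT
"""


def parse_rules(dump):
    """Return (default_policy, [rule dicts]) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
        elif tokens[:2] == ["-A", "INPUT"]:
            rule = dict.fromkeys(("iface", "src", "proto", "dport", "states", "target"))
            args = iter(tokens[2:])
            for flag in args:
                if flag == "-m":
                    next(args)  # match-module name, e.g. "tcp" or "state"
                elif flag == "-i":
                    rule["iface"] = next(args)
                elif flag == "-s":
                    rule["src"] = ipaddress.ip_network(next(args), strict=False)
                elif flag == "-p":
                    rule["proto"] = next(args)
                elif flag == "--dport":
                    rule["dport"] = int(next(args))
                elif flag in ("--state", "--ctstate"):
                    rule["states"] = set(next(args).split(","))
                elif flag == "-j":
                    rule["target"] = next(args)
                else:  # never silently skip a match this audit does not model
                    raise ValueError(f"unmodelled match {flag!r} in: {line}")
            rules.append(rule)
    return policy, rules


def verdict(policy, rules, src, iface, dport, state="NEW"):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (r["iface"] in (None, iface)
                and (r["src"] is None or addr in r["src"])
                and r["proto"] in (None, "tcp")
                and r["dport"] in (None, dport)
                and (r["states"] is None or state in r["states"])
                and r["target"] in ("ACCEPT", "DROP", "REJECT")):
            return r["target"]
    return policy


def audit(dump, home_assistant="192.168.5.4", port=5000):
    """Return a list of findings; an empty list means the intended policy holds."""
    policy, rules = parse_rules(dump)
    probes = [  # "eth0" and 192.168.5.50 are assumed stand-ins for the LAN side
        ("localhost (nginx)", "127.0.0.1", "lo", "ACCEPT"),
        ("Home Assistant", home_assistant, "eth0", "ACCEPT"),
        ("other LAN host", "192.168.5.50", "eth0", "DROP"),
    ]
    findings = []
    for name, src, iface, want in probes:
        got = verdict(policy, rules, src, iface, port)
        if got != want:
            findings.append(f"{name}: expected {want}, got {got}")
    return findings


if __name__ == "__main__":
    for label, dump in (("as written", GOOD_RULES), ("DROP first", BAD_ORDER)):
        print(label, "->", audit(dump) or "OK")
```

This models the INPUT chain only. If Frigate’s port 5000 is published from a bridged Docker network instead of host networking, Docker forwards that traffic through the FORWARD chain (where DOCKER-USER is evaluated) rather than INPUT, so the test from another LAN machine is still the one that decides.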
<span id="make-sure-home-assistant-still-connects-to-frigate."></span>
==== 6.6 Make sure Home Assistant still connects to Frigate. ====
# Go over to Home Assistant at <code>http://192.168.5.4:8123</code> or <code>http://homeassistant.home.arpa</code>
# Go to '''Settings → Devices & Integrations → Frigate'''
# Click '''“ADD DEVICE”''' blue button on bottom right
# Enter the IP or hostname, along with port, of the machine running Frigate on port 5000 like such: <code>http://192.168.5.2:5000</code> or <code>http://happycloud.home.arpa:5000</code>
# Click '''SUBMIT'''.
# If Home Assistant’s Frigate plugin can find your cameras by connecting to Frigate on port 5000, but no other computer on your LAN can, YOU DID GOOD.
# Go to http://192.168.5.2 – it should auto-redirect you to SSL https://192.168.5.2 & then ask for username & password.
# Enter your username & password.
# If you are now in Frigate, you done good.

<span id="replacing-google-drive-photos-docs-sheets-keep"></span>