blumeops/containers/frigate-notify/default.nix


Add frigate-notify nix container build (#339) ## Summary - Mirrors `github.com/0x2142/frigate-notify` at `v0.5.4` to `forge.ops.eblu.me/mirrors/frigate-notify`. - Adds `containers/frigate-notify/default.nix` — `buildGoModule` + `dockerTools.buildLayeredImage`, following the `ntfy` pattern. - Uses `-tags goolm` to avoid the libolm CGO dependency (matrix notifier is imported unconditionally in the upstream but we only use ntfy alerts). - Runs as nonroot (UID 65534), exposes port 8000, bundles `cacert`/`tzdata`. ## Why Move `ghcr.io/0x2142/frigate-notify:v0.5.4` (ringtail-deployed) under local control. Aligns with the [[indri → ringtail migration plan]] and the `default.nix` convention for ringtail-targeted containers documented in [[build-container-image]]. ## Verification - `dagger call build-nix --src=. --container-name=frigate-notify export --path=./out.tar.gz` produces a valid 20MB docker archive (10 layers) with `blumeops/frigate-notify` tag locally. - Hashes pinned for `fetchgit` (src) and `vendorHash` (go modules). ## Follow-up (post-merge) 1. `mise run container-build-and-release frigate-notify` — release from main SHA. 2. C0 follow-up: update `argocd/manifests/frigate/kustomization.yaml` image ref to `registry.ops.eblu.me/blumeops/frigate-notify:v0.5.4-<sha>-nix`. 3. ArgoCD auto-syncs the deployment. ## Test plan - [ ] `dagger call build-nix` succeeds from a clean checkout. - [ ] `mise run container-build-and-release frigate-notify --dry-run` looks correct. - [ ] After release + kustomization swap: frigate-notify pod comes up healthy on ringtail; ntfy alerts still fire on Frigate events. Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/339
2026-04-21 09:28:02 -07:00
# frigate-notify container image, built with Nix: polls the Frigate web API and
# pushes alerts to ntfy.
#
# Evaluates to a layered image named "blumeops/frigate-notify" that carries the
# Go binary together with a CA bundle and tzdata.
#
# NOTE(review): the default `pkgs` resolves <nixpkgs> from NIX_PATH, so the Go
# toolchain, cacert and tzdata revisions are not fixed by this file — confirm
# the build pipeline passes in a pinned `pkgs`.
{ pkgs ? import <nixpkgs> { } }:
let
  inherit (pkgs) buildGoModule dockerTools fetchgit;

  version = "0.5.4";

  # Source tree from the local mirror. The tag is only a name on the remote;
  # `hash` is what fixes the content that a fetch will accept, so a version
  # bump has to update both.
  mirrorSrc = fetchgit {
    url = "https://forge.ops.eblu.me/mirrors/frigate-notify.git";
    rev = "v${version}";
    hash = "sha256-c/QOSQNNJ+ElMDm45lBOsru/ujBhCWethiRefj3hBOk=";
  };

  frigate-notify = buildGoModule {
    pname = "frigate-notify";
    inherit version;
    src = mirrorSrc;

    # Pins the Go module dependencies fetched for the build.
    vendorHash = "sha256-Ho9oaK01wJDPf3ufV2klV1dG4qFNVNJkWmWvEgAy10s=";

    # Build only the root package.
    subPackages = [ "." ];

    # The matrix notifier is imported unconditionally upstream. The `goolm`
    # tag selects the pure-Go olm backend instead of libolm (CGO), so the
    # libolm.h dependency goes away; this deployment does not use matrix.
    tags = [ "goolm" ];

    # Drop the symbol table (-s) and DWARF debug info (-w) from the binary.
    ldflags = [ "-s" "-w" ];

    # The upstream test suite is not run during the build.
    # NOTE(review): the reason is not recorded here — confirm it is intended.
    doCheck = false;

    meta = {
      mainProgram = "frigate-notify";
      description = "Bridge between Frigate NVR events and notification services";
      homepage = "https://github.com/0x2142/frigate-notify";
      license = pkgs.lib.licenses.mit;
    };
  };
in
dockerTools.buildLayeredImage {
  name = "blumeops/frigate-notify";

  contents = [
    frigate-notify
    pkgs.cacert
    pkgs.tzdata
  ];

  # The upstream Dockerfile expects WORKDIR=/app: config at ./config.yml (mounted
  # from a ConfigMap) and a logfile at ./log/app.log written via lumberjack.
  # Mode 1777 makes /app writable by every UID (with the sticky bit), which is
  # how the nonroot user gets to create its log directory.
  # NOTE(review): `fakeRootCommands` with a chown to 65534 would allow a mode
  # that is not world-writable; confirm no deployment overrides the UID before
  # tightening.
  extraCommands = ''
    mkdir -p app
    chmod 1777 app
  '';

  config = {
    # Unprivileged numeric UID; no group is specified.
    User = "65534";
    WorkingDir = "/app";
    Entrypoint = [ "${frigate-notify}/bin/frigate-notify" ];

    # Point the process at the bundled CA bundle and zoneinfo tree.
    # NOTE(review): Go's standard time package consults ZONEINFO and fixed
    # system paths rather than TZDIR — confirm zone lookups resolve in the image.
    Env = [
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
    ];

    # Image metadata only; declaring the port does not publish it.
    ExposedPorts."8000/tcp" = { };
  };
}