From 9a044b12c679a541bafdfc3a663ec6dbacf1aead Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 21 Apr 2026 09:23:37 -0700
Subject: [PATCH] Add frigate-notify nix container build

Mirrors 0x2142/frigate-notify at v0.5.4 and builds it locally with
buildGoModule + dockerTools.buildLayeredImage for the ringtail k3s
cluster. Uses the `goolm` build tag to avoid the libolm CGO dependency
(our alerting config only uses ntfy, but the matrix notifier is
imported unconditionally).

Kustomization update (image swap to registry.ops.eblu.me) will follow
post-merge once a main-SHA tag is released.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 containers/frigate-notify/default.nix         | 57 +++++++++++++++++++
 .../+frigate-notify-local.infra.md            |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 containers/frigate-notify/default.nix
 create mode 100644 docs/changelog.d/+frigate-notify-local.infra.md

diff --git a/containers/frigate-notify/default.nix b/containers/frigate-notify/default.nix
new file mode 100644
index 0000000..1ddbe4e
--- /dev/null
+++ b/containers/frigate-notify/default.nix
@@ -0,0 +1,57 @@
+# Nix-built frigate-notify — polls Frigate webapi and pushes alerts to ntfy.
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "0.5.4";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/frigate-notify.git";
+    rev = "v${version}";
+    hash = "sha256-c/QOSQNNJ+ElMDm45lBOsru/ujBhCWethiRefj3hBOk=";
+  };
+
+  frigate-notify = pkgs.buildGoModule {
+    inherit src version;
+    pname = "frigate-notify";
+
+    vendorHash = "sha256-Ho9oaK01wJDPf3ufV2klV1dG4qFNVNJkWmWvEgAy10s=";
+
+    doCheck = false;
+    subPackages = [ "." ];
+
+    # `goolm` swaps the matrix crypto backend from libolm (CGO) to pure-Go olm,
+    # avoiding the libolm.h dependency. Our deployment doesn't use matrix, but
+    # the package is imported unconditionally.
+    tags = [ "goolm" ];
+
+    ldflags = [ "-s" "-w" ];
+
+    meta = with pkgs.lib; {
+      description = "Bridge between Frigate NVR events and notification services";
+      homepage = "https://github.com/0x2142/frigate-notify";
+      license = licenses.mit;
+      mainProgram = "frigate-notify";
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/frigate-notify";
+  contents = [
+    frigate-notify
+    pkgs.cacert
+    pkgs.tzdata
+  ];
+
+  config = {
+    Entrypoint = [ "${frigate-notify}/bin/frigate-notify" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+    ];
+    ExposedPorts = {
+      "8000/tcp" = { };
+    };
+    User = "65534";
+  };
+}
diff --git a/docs/changelog.d/+frigate-notify-local.infra.md b/docs/changelog.d/+frigate-notify-local.infra.md
new file mode 100644
index 0000000..120f915
--- /dev/null
+++ b/docs/changelog.d/+frigate-notify-local.infra.md
@@ -0,0 +1 @@
+Add local nix container build for `frigate-notify` (`containers/frigate-notify/default.nix`) so the Frigate→ntfy bridge is rebuilt on ringtail from the forge mirror instead of pulled from `ghcr.io/0x2142/frigate-notify`.