add sam2 yolo auto annotation

2026-02-04 15:29:36 +07:00
parent 7e56948ece
commit 5a951d8812
2061 changed files with 316473 additions and 0 deletions
@@ -0,0 +1,340 @@
+# syntax=docker/dockerfile:1.6
+
+# https://askubuntu.com/questions/972516/debian-frontend-environment-variable
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Globally set pip break-system-packages option to avoid having to specify it every time
+ARG PIP_BREAK_SYSTEM_PACKAGES=1
+
+ARG BASE_IMAGE=debian:12
+ARG SLIM_BASE=debian:12-slim
+
+# A hook that allows us to inject commands right after the base images
+ARG BASE_HOOK=
+
+FROM ${BASE_IMAGE} AS base
+ARG PIP_BREAK_SYSTEM_PACKAGES
+ARG BASE_HOOK
+
+RUN sh -c "$BASE_HOOK"
+
+FROM --platform=${BUILDPLATFORM} debian:12 AS base_host
+ARG PIP_BREAK_SYSTEM_PACKAGES
+
+FROM ${SLIM_BASE} AS slim-base
+ARG PIP_BREAK_SYSTEM_PACKAGES
+ARG BASE_HOOK
+
+RUN sh -c "$BASE_HOOK"
+
+FROM slim-base AS wget
+ARG DEBIAN_FRONTEND
+RUN apt-get update \
+    && apt-get install -y wget xz-utils \
+    && rm -rf /var/lib/apt/lists/*
+WORKDIR /rootfs
+
+FROM base AS nginx
+ARG DEBIAN_FRONTEND
+ENV CCACHE_DIR /root/.ccache
+ENV CCACHE_MAXSIZE 2G
+
+RUN --mount=type=bind,source=docker/main/build_nginx.sh,target=/deps/build_nginx.sh \
+    /deps/build_nginx.sh
+
+FROM wget AS sqlite-vec
+ARG DEBIAN_FRONTEND
+
+# Build sqlite_vec from source
+COPY docker/main/build_sqlite_vec.sh /deps/build_sqlite_vec.sh
+RUN --mount=type=tmpfs,target=/tmp --mount=type=tmpfs,target=/var/cache/apt \
+    --mount=type=bind,source=docker/main/build_sqlite_vec.sh,target=/deps/build_sqlite_vec.sh \
+    --mount=type=cache,target=/root/.ccache \
+    /deps/build_sqlite_vec.sh
+
+FROM scratch AS go2rtc
+ARG TARGETARCH
+WORKDIR /rootfs/usr/local/go2rtc/bin
+ADD --link --chmod=755 "https://github.com/AlexxIT/go2rtc/releases/download/v1.9.10/go2rtc_linux_${TARGETARCH}" go2rtc
+
+FROM wget AS tempio
+ARG TARGETARCH
+RUN --mount=type=bind,source=docker/main/install_tempio.sh,target=/deps/install_tempio.sh \
+    /deps/install_tempio.sh
+
+####
+#
+# OpenVino Support
+#
+# 1. Download and convert a model from Intel's Public Open Model Zoo
+#
+####
+# Download and Convert OpenVino model
+FROM base_host AS ov-converter
+ARG DEBIAN_FRONTEND
+
+# Install OpenVino Runtime and Dev library
+COPY docker/main/requirements-ov.txt /requirements-ov.txt
+RUN apt-get -qq update \
+    && apt-get -qq install -y wget python3 python3-dev python3-distutils gcc pkg-config libhdf5-dev \
+    && wget -q https://bootstrap.pypa.io/get-pip.py -O get-pip.py \
+    && sed -i 's/args.append("setuptools")/args.append("setuptools==77.0.3")/' get-pip.py \
+    && python3 get-pip.py "pip" \
+    && pip3 install -r /requirements-ov.txt
+
+# Get OpenVino Model
+RUN --mount=type=bind,source=docker/main/build_ov_model.py,target=/build_ov_model.py \
+    mkdir /models && cd /models \
+    && wget http://download.tensorflow.org/models/object_detection/ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz \
+    && tar -xvf ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz \
+    && python3 /build_ov_model.py
+
+####
+#
+# Coral Compatibility
+#
+# Builds libusb without udev. Needed for synology and other devices with USB coral
+####
+# libUSB - No Udev
+FROM wget as libusb-build
+ARG TARGETARCH
+ARG DEBIAN_FRONTEND
+ENV CCACHE_DIR /root/.ccache
+ENV CCACHE_MAXSIZE 2G
+
+# Build libUSB without udev.  Needed for Openvino NCS2 support
+WORKDIR /opt
+RUN apt-get update && apt-get install -y unzip build-essential automake libtool ccache pkg-config
+RUN --mount=type=cache,target=/root/.ccache wget -q https://github.com/libusb/libusb/archive/v1.0.26.zip -O v1.0.26.zip && \
+    unzip v1.0.26.zip && cd libusb-1.0.26 && \
+    ./bootstrap.sh && \
+    ./configure CC='ccache gcc' CCX='ccache g++' --disable-udev --enable-shared && \
+    make -j $(nproc --all)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libusb-1.0-0-dev && \
+    rm -rf /var/lib/apt/lists/*
+WORKDIR /opt/libusb-1.0.26/libusb
+RUN /bin/mkdir -p '/usr/local/lib' && \
+    /bin/bash ../libtool  --mode=install /usr/bin/install -c libusb-1.0.la '/usr/local/lib' && \
+    /bin/mkdir -p '/usr/local/include/libusb-1.0' && \
+    /usr/bin/install -c -m 644 libusb.h '/usr/local/include/libusb-1.0' && \
+    /bin/mkdir -p '/usr/local/lib/pkgconfig' && \
+    cd  /opt/libusb-1.0.26/ && \
+    /usr/bin/install -c -m 644 libusb-1.0.pc '/usr/local/lib/pkgconfig' && \
+    ldconfig
+
+FROM wget AS models
+
+# Get model and labels
+RUN wget -qO edgetpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite
+RUN wget -qO cpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite
+COPY labelmap.txt .
+# Copy OpenVino model
+COPY --from=ov-converter /models/ssdlite_mobilenet_v2.xml openvino-model/
+COPY --from=ov-converter /models/ssdlite_mobilenet_v2.bin openvino-model/
+RUN wget -q https://github.com/openvinotoolkit/open_model_zoo/raw/master/data/dataset_classes/coco_91cl_bkgr.txt -O openvino-model/coco_91cl_bkgr.txt && \
+    sed -i 's/truck/car/g' openvino-model/coco_91cl_bkgr.txt
+# Get Audio Model and labels
+RUN wget -qO - https://www.kaggle.com/api/v1/models/google/yamnet/tfLite/classification-tflite/1/download | tar xvz && mv 1.tflite cpu_audio_model.tflite
+COPY audio-labelmap.txt .
+
+
+FROM wget AS s6-overlay
+ARG TARGETARCH
+RUN --mount=type=bind,source=docker/main/install_s6_overlay.sh,target=/deps/install_s6_overlay.sh \
+    /deps/install_s6_overlay.sh
+
+
+FROM base AS wheels
+ARG DEBIAN_FRONTEND
+ARG TARGETARCH
+ARG DEBUG=false
+
+# Use a separate container to build wheels to prevent build dependencies in final image
+RUN apt-get -qq update \
+    && apt-get -qq install -y \
+    apt-transport-https wget unzip \
+    && apt-get -qq update \
+    && apt-get -qq install -y \
+    python3.11 \
+    python3.11-dev \
+    # opencv dependencies
+    build-essential cmake git pkg-config libgtk-3-dev \
+    libavcodec-dev libavformat-dev libswscale-dev libv4l-dev \
+    libxvidcore-dev libx264-dev libjpeg-dev libpng-dev libtiff-dev \
+    gfortran openexr libatlas-base-dev libssl-dev\
+    libtbbmalloc2 libtbb-dev libdc1394-dev libopenexr-dev \
+    libgstreamer-plugins-base1.0-dev libgstreamer1.0-dev \
+    # sqlite3 dependencies
+    tclsh \
+    # scipy dependencies
+    gcc gfortran libopenblas-dev liblapack-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
+
+RUN wget -q https://bootstrap.pypa.io/get-pip.py -O get-pip.py \
+    && sed -i 's/args.append("setuptools")/args.append("setuptools==77.0.3")/' get-pip.py \
+    && python3 get-pip.py "pip"
+
+COPY docker/main/requirements.txt /requirements.txt
+COPY docker/main/requirements-dev.txt /requirements-dev.txt
+
+RUN pip3 install -r /requirements.txt
+
+# Build pysqlite3 from source
+COPY docker/main/build_pysqlite3.sh /build_pysqlite3.sh
+RUN /build_pysqlite3.sh
+
+COPY docker/main/requirements-wheels.txt /requirements-wheels.txt
+RUN pip3 wheel --wheel-dir=/wheels -r /requirements-wheels.txt && \
+    if [ "$DEBUG" = "true" ]; then \
+        pip3 wheel --wheel-dir=/wheels -r /requirements-dev.txt; \
+    fi
+
+# Install HailoRT & Wheels
+RUN --mount=type=bind,source=docker/main/install_hailort.sh,target=/deps/install_hailort.sh \
+    /deps/install_hailort.sh
+
+# Collect deps in a single layer
+FROM scratch AS deps-rootfs
+COPY --from=nginx /usr/local/nginx/ /usr/local/nginx/
+COPY --from=sqlite-vec /usr/local/lib/ /usr/local/lib/
+COPY --from=go2rtc /rootfs/ /
+COPY --from=libusb-build /usr/local/lib /usr/local/lib
+COPY --from=tempio /rootfs/ /
+COPY --from=s6-overlay /rootfs/ /
+COPY --from=models /rootfs/ /
+COPY --from=wheels /rootfs/ /
+COPY docker/main/rootfs/ /
+
+
+# Frigate deps (ffmpeg, python, nginx, go2rtc, s6-overlay, etc)
+FROM slim-base AS deps
+ARG TARGETARCH
+ARG BASE_IMAGE
+
+ARG DEBIAN_FRONTEND
+# http://stackoverflow.com/questions/48162574/ddg#49462622
+ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
+
+# https://github.com/NVIDIA/nvidia-docker/wiki/Installation-(Native-GPU-Support)
+ENV NVIDIA_VISIBLE_DEVICES=all
+ENV NVIDIA_DRIVER_CAPABILITIES="compute,video,utility"
+
+# Disable tokenizer parallelism warning
+# https://stackoverflow.com/questions/62691279/how-to-disable-tokenizers-parallelism-true-false-warning/72926996#72926996
+ENV TOKENIZERS_PARALLELISM=true
+# https://github.com/huggingface/transformers/issues/27214
+ENV TRANSFORMERS_NO_ADVISORY_WARNINGS=1
+
+# Set OpenCV ffmpeg loglevel to fatal: https://ffmpeg.org/doxygen/trunk/log_8h.html
+ENV OPENCV_FFMPEG_LOGLEVEL=8
+
+# Set NumPy to ignore getlimits warning
+ENV PYTHONWARNINGS="ignore:::numpy.core.getlimits"
+
+# Set HailoRT to disable logging
+ENV HAILORT_LOGGER_PATH=NONE
+
+# TensorFlow error only
+ENV TF_CPP_MIN_LOG_LEVEL=3
+
+ENV PATH="/usr/local/go2rtc/bin:/usr/local/tempio/bin:/usr/local/nginx/sbin:${PATH}"
+
+# Install dependencies
+RUN --mount=type=bind,source=docker/main/install_deps.sh,target=/deps/install_deps.sh \
+    /deps/install_deps.sh
+
+ENV DEFAULT_FFMPEG_VERSION="7.0"
+ENV INCLUDED_FFMPEG_VERSIONS="${DEFAULT_FFMPEG_VERSION}:5.0"
+
+RUN wget -q https://bootstrap.pypa.io/get-pip.py -O get-pip.py \
+    && sed -i 's/args.append("setuptools")/args.append("setuptools==77.0.3")/' get-pip.py \
+    && python3 get-pip.py "pip"
+
+RUN --mount=type=bind,from=wheels,source=/wheels,target=/deps/wheels \
+    pip3 install -U /deps/wheels/*.whl
+
+# Install MemryX runtime (requires libgomp (OpenMP) in the final docker image)
+RUN --mount=type=bind,source=docker/main/install_memryx.sh,target=/deps/install_memryx.sh \
+    bash -c "bash /deps/install_memryx.sh"
+
+COPY --from=deps-rootfs / /
+
+RUN ldconfig
+
+EXPOSE 5000
+EXPOSE 8554
+EXPOSE 8555/tcp 8555/udp
+
+# Configure logging to prepend timestamps, log to stdout, keep 0 archives and rotate on 10MB
+ENV S6_LOGGING_SCRIPT="T 1 n0 s10000000 T"
+# Do not fail on long-running download scripts
+ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
+
+ENTRYPOINT ["/init"]
+CMD []
+
+HEALTHCHECK --start-period=300s --start-interval=5s --interval=15s --timeout=5s --retries=3 \
+    CMD test -f /dev/shm/.frigate-is-stopping && exit 0; curl --fail --silent --show-error http://127.0.0.1:5000/api/version || exit 1
+
+# Frigate deps with Node.js and NPM for devcontainer
+FROM deps AS devcontainer
+
+# Do not start the actual Frigate service on devcontainer as it will be started by VS Code
+# But start a fake service for simulating the logs
+COPY docker/main/fake_frigate_run /etc/s6-overlay/s6-rc.d/frigate/run
+
+# Create symbolic link to the frigate source code, as go2rtc's create_config.sh uses it
+RUN mkdir -p /opt/frigate \
+    && ln -svf /workspace/frigate/frigate /opt/frigate/frigate
+
+# Install Node 20
+RUN curl -SLO https://deb.nodesource.com/nsolid_setup_deb.sh && \
+    chmod 500 nsolid_setup_deb.sh && \
+    ./nsolid_setup_deb.sh 20 && \
+    apt-get install nodejs -y \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g npm@10
+
+WORKDIR /workspace/frigate
+
+RUN apt-get update \
+    && apt-get install make -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN --mount=type=bind,source=./docker/main/requirements-dev.txt,target=/workspace/frigate/requirements-dev.txt \
+    pip3 install -r requirements-dev.txt
+
+HEALTHCHECK NONE
+
+CMD ["sleep", "infinity"]
+
+
+# Frigate web build
+# This should be architecture agnostic, so speed up the build on multiarch by not using QEMU.
+FROM --platform=$BUILDPLATFORM node:20 AS web-build
+
+WORKDIR /work
+COPY web/package.json web/package-lock.json ./
+RUN npm install
+
+COPY web/ ./
+RUN npm run build \
+    && mv dist/BASE_PATH/monacoeditorwork/* dist/assets/ \
+    && rm -rf dist/BASE_PATH
+
+# Collect final files in a single layer
+FROM scratch AS rootfs
+
+WORKDIR /opt/frigate/
+COPY frigate frigate/
+COPY migrations migrations/
+COPY --from=web-build /work/dist/ web/
+
+# Frigate final container
+FROM deps AS frigate
+
+WORKDIR /opt/frigate/
+COPY --from=rootfs / /
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+NGINX_VERSION="1.27.4"
+VOD_MODULE_VERSION="1.31"
+SECURE_TOKEN_MODULE_VERSION="1.5"
+SET_MISC_MODULE_VERSION="v0.33"
+NGX_DEVEL_KIT_VERSION="v0.3.3"
+
+source /etc/os-release
+
+if [[ "$VERSION_ID" == "12" ]]; then
+    sed -i '/^Types:/s/deb/& deb-src/' /etc/apt/sources.list.d/debian.sources
+else
+    cp /etc/apt/sources.list /etc/apt/sources.list.d/sources-src.list
+    sed -i 's|deb http|deb-src http|g' /etc/apt/sources.list.d/sources-src.list
+fi
+
+apt-get update
+apt-get -yqq build-dep nginx
+
+apt-get -yqq install --no-install-recommends ca-certificates wget
+update-ca-certificates -f
+apt install -y ccache
+
+export PATH="/usr/lib/ccache:$PATH"
+
+mkdir /tmp/nginx
+wget -nv https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
+tar -zxf nginx-${NGINX_VERSION}.tar.gz -C /tmp/nginx --strip-components=1
+rm nginx-${NGINX_VERSION}.tar.gz
+mkdir /tmp/nginx-vod-module
+wget -nv https://github.com/kaltura/nginx-vod-module/archive/refs/tags/${VOD_MODULE_VERSION}.tar.gz
+tar -zxf ${VOD_MODULE_VERSION}.tar.gz -C /tmp/nginx-vod-module --strip-components=1
+rm ${VOD_MODULE_VERSION}.tar.gz
+    # Patch MAX_CLIPS to allow more clips to be added than the default 128
+sed -i 's/MAX_CLIPS (128)/MAX_CLIPS (1080)/g' /tmp/nginx-vod-module/vod/media_set.h
+patch -d /tmp/nginx-vod-module/ -p1 << 'EOF'
+--- a/vod/avc_hevc_parser.c       2022-06-27 11:38:10.000000000 +0000
+++ b/vod/avc_hevc_parser.c       2023-01-16 11:25:10.900521298 +0000
+@@ -3,6 +3,9 @@
+ bool_t
+ avc_hevc_parser_rbsp_trailing_bits(bit_reader_state_t* reader)
+ {
+	// https://github.com/blakeblackshear/frigate/issues/4572
+	return TRUE;
+
+ 	uint32_t one_bit;
+
+ 	if (reader->stream.eof_reached)
+EOF
+
+
+mkdir /tmp/nginx-secure-token-module
+wget https://github.com/kaltura/nginx-secure-token-module/archive/refs/tags/${SECURE_TOKEN_MODULE_VERSION}.tar.gz
+tar -zxf ${SECURE_TOKEN_MODULE_VERSION}.tar.gz -C /tmp/nginx-secure-token-module --strip-components=1
+rm ${SECURE_TOKEN_MODULE_VERSION}.tar.gz
+
+mkdir /tmp/ngx_devel_kit
+wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/${NGX_DEVEL_KIT_VERSION}.tar.gz
+tar -zxf ${NGX_DEVEL_KIT_VERSION}.tar.gz -C /tmp/ngx_devel_kit --strip-components=1
+rm ${NGX_DEVEL_KIT_VERSION}.tar.gz
+
+mkdir /tmp/nginx-set-misc-module
+wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/${SET_MISC_MODULE_VERSION}.tar.gz
+tar -zxf ${SET_MISC_MODULE_VERSION}.tar.gz -C /tmp/nginx-set-misc-module --strip-components=1
+rm ${SET_MISC_MODULE_VERSION}.tar.gz
+
+cd /tmp/nginx
+
+./configure --prefix=/usr/local/nginx \
+    --with-file-aio \
+    --with-http_sub_module \
+    --with-http_ssl_module \
+    --with-http_auth_request_module \
+    --with-http_realip_module \
+    --with-threads \
+    --add-module=../ngx_devel_kit \
+    --add-module=../nginx-set-misc-module \
+    --add-module=../nginx-vod-module \
+    --add-module=../nginx-secure-token-module \
+    --with-cc-opt="-O3 -Wno-error=implicit-fallthrough"
+
+make CC="ccache gcc" -j$(nproc) && make install
+rm -rf /usr/local/nginx/html /usr/local/nginx/conf/*.default
@@ -0,0 +1,11 @@
+import openvino as ov
+from openvino.tools import mo
+
+ov_model = mo.convert_model(
+    "/models/ssdlite_mobilenet_v2_coco_2018_05_09/frozen_inference_graph.pb",
+    compress_to_fp16=True,
+    transformations_config="/usr/local/lib/python3.11/dist-packages/openvino/tools/mo/front/tf/ssd_v2_support.json",
+    tensorflow_object_detection_api_pipeline_config="/models/ssdlite_mobilenet_v2_coco_2018_05_09/pipeline.config",
+    reverse_input_channels=True,
+)
+ov.save_model(ov_model, "/models/ssdlite_mobilenet_v2.xml")
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SQLITE3_VERSION="3.46.1"
+PYSQLITE3_VERSION="0.5.3"
+
+# Install libsqlite3-dev if not present (needed for some base images like NVIDIA TensorRT)
+if ! dpkg -l | grep -q libsqlite3-dev; then
+  echo "Installing libsqlite3-dev for compilation..."
+  apt-get update && apt-get install -y libsqlite3-dev && rm -rf /var/lib/apt/lists/*
+fi
+
+# Fetch the pre-built sqlite amalgamation instead of building from source
+if [[ ! -d "sqlite" ]]; then
+  mkdir sqlite
+  cd sqlite
+
+  # Download the pre-built amalgamation from sqlite.org
+  # For SQLite 3.46.1, the amalgamation version is 3460100
+  SQLITE_AMALGAMATION_VERSION="3460100"
+
+  wget https://www.sqlite.org/2024/sqlite-amalgamation-${SQLITE_AMALGAMATION_VERSION}.zip -O sqlite-amalgamation.zip
+  unzip sqlite-amalgamation.zip
+  mv sqlite-amalgamation-${SQLITE_AMALGAMATION_VERSION}/* .
+  rmdir sqlite-amalgamation-${SQLITE_AMALGAMATION_VERSION}
+  rm sqlite-amalgamation.zip
+
+  cd ../
+fi
+
+# Grab the pysqlite3 source code.
+if [[ ! -d "./pysqlite3" ]]; then
+  git clone https://github.com/coleifer/pysqlite3.git
+fi
+
+cd pysqlite3/
+git checkout ${PYSQLITE3_VERSION}
+
+# Copy the sqlite3 source amalgamation into the pysqlite3 directory so we can
+# create a self-contained extension module.
+cp "../sqlite/sqlite3.c" ./
+cp "../sqlite/sqlite3.h" ./
+
+# Create the wheel and put it in the /wheels dir.
+sed -i "s|name='pysqlite3-binary'|name=PACKAGE_NAME|g" setup.py
+python3 setup.py build_static
+pip3 wheel . -w /wheels
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SQLITE_VEC_VERSION="0.1.3"
+
+source /etc/os-release
+
+if [[ "$VERSION_ID" == "12" ]]; then
+    sed -i '/^Types:/s/deb/& deb-src/' /etc/apt/sources.list.d/debian.sources
+else
+    cp /etc/apt/sources.list /etc/apt/sources.list.d/sources-src.list
+    sed -i 's|deb http|deb-src http|g' /etc/apt/sources.list.d/sources-src.list
+fi
+
+apt-get update
+apt-get -yqq build-dep sqlite3 gettext git
+
+mkdir /tmp/sqlite_vec
+# Grab the sqlite_vec source code.
+wget -nv https://github.com/asg017/sqlite-vec/archive/refs/tags/v${SQLITE_VEC_VERSION}.tar.gz
+tar -zxf v${SQLITE_VEC_VERSION}.tar.gz -C /tmp/sqlite_vec
+
+cd /tmp/sqlite_vec/sqlite-vec-${SQLITE_VEC_VERSION}
+
+mkdir -p vendor
+wget -O sqlite-amalgamation.zip https://www.sqlite.org/2024/sqlite-amalgamation-3450300.zip
+unzip sqlite-amalgamation.zip
+mv sqlite-amalgamation-3450300/* vendor/
+rmdir sqlite-amalgamation-3450300
+rm sqlite-amalgamation.zip
+
+# build loadable module
+make loadable
+
+# install it
+cp dist/vec0.* /usr/local/lib
+
@@ -0,0 +1,13 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the fake Frigate service
+
+set -o errexit -o nounset -o pipefail
+
+# Tell S6-Overlay not to restart this service
+s6-svc -O .
+
+while true; do
+  echo "[INFO] The fake Frigate service is running..."
+  sleep 5s
+done
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+apt-get -qq update
+
+apt-get -qq install --no-install-recommends -y \
+    apt-transport-https \
+    ca-certificates \
+    gnupg \
+    wget \
+    lbzip2 \
+    procps vainfo \
+    unzip locales tzdata libxml2 xz-utils \
+    python3.11 \
+    curl \
+    lsof \
+    jq \
+    nethogs \
+    libgl1 \
+    libglib2.0-0 \
+    libusb-1.0.0 \
+    python3-h2 \
+    libgomp1  # memryx detector
+
+update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
+
+mkdir -p -m 600 /root/.gnupg
+
+# install coral runtime
+wget -q -O /tmp/libedgetpu1-max.deb "https://github.com/feranick/libedgetpu/releases/download/16.0TF2.17.1-1/libedgetpu1-max_16.0tf2.17.1-1.bookworm_${TARGETARCH}.deb"
+unset DEBIAN_FRONTEND
+yes | dpkg -i /tmp/libedgetpu1-max.deb && export DEBIAN_FRONTEND=noninteractive
+rm /tmp/libedgetpu1-max.deb
+
+# install mesa-teflon-delegate from bookworm-backports
+# Only available for arm64 at the moment
+if [[ "${TARGETARCH}" == "arm64" ]]; then
+    if [[ "${BASE_IMAGE}" == *"nvcr.io/nvidia/tensorrt"* ]]; then
+        echo "Info: Skipping apt-get commands because BASE_IMAGE includes 'nvcr.io/nvidia/tensorrt' for arm64."
+    else
+        echo "deb http://deb.debian.org/debian bookworm-backports main" | tee /etc/apt/sources.list.d/bookworm-backbacks.list
+        apt-get -qq update
+        apt-get -qq install --no-install-recommends --no-install-suggests -y mesa-teflon-delegate/bookworm-backports
+    fi
+fi
+
+# ffmpeg -> amd64
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    mkdir -p /usr/lib/ffmpeg/5.0
+    wget -qO ffmpeg.tar.xz "https://github.com/NickM-27/FFmpeg-Builds/releases/download/autobuild-2022-07-31-12-37/ffmpeg-n5.1-2-g915ef932a3-linux64-gpl-5.1.tar.xz"
+    tar -xf ffmpeg.tar.xz -C /usr/lib/ffmpeg/5.0 --strip-components 1 amd64/bin/ffmpeg amd64/bin/ffprobe
+    rm -rf ffmpeg.tar.xz
+    mkdir -p /usr/lib/ffmpeg/7.0
+    wget -qO ffmpeg.tar.xz "https://github.com/NickM-27/FFmpeg-Builds/releases/download/autobuild-2024-09-19-12-51/ffmpeg-n7.0.2-18-g3e6cec1286-linux64-gpl-7.0.tar.xz"
+    tar -xf ffmpeg.tar.xz -C /usr/lib/ffmpeg/7.0 --strip-components 1 amd64/bin/ffmpeg amd64/bin/ffprobe
+    rm -rf ffmpeg.tar.xz
+fi
+
+# ffmpeg -> arm64
+if [[ "${TARGETARCH}" == "arm64" ]]; then
+    mkdir -p /usr/lib/ffmpeg/5.0
+    wget -qO ffmpeg.tar.xz "https://github.com/NickM-27/FFmpeg-Builds/releases/download/autobuild-2022-07-31-12-37/ffmpeg-n5.1-2-g915ef932a3-linuxarm64-gpl-5.1.tar.xz"
+    tar -xf ffmpeg.tar.xz -C /usr/lib/ffmpeg/5.0 --strip-components 1 arm64/bin/ffmpeg arm64/bin/ffprobe
+    rm -f ffmpeg.tar.xz
+    mkdir -p /usr/lib/ffmpeg/7.0
+    wget -qO ffmpeg.tar.xz "https://github.com/NickM-27/FFmpeg-Builds/releases/download/autobuild-2024-09-19-12-51/ffmpeg-n7.0.2-18-g3e6cec1286-linuxarm64-gpl-7.0.tar.xz"
+    tar -xf ffmpeg.tar.xz -C /usr/lib/ffmpeg/7.0 --strip-components 1 arm64/bin/ffmpeg arm64/bin/ffprobe
+    rm -f ffmpeg.tar.xz
+fi
+
+# arch specific packages
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+  # Install non-free version of i965 driver
+  sed -i -E "/^Components: main$/s/main/main contrib non-free non-free-firmware/" "/etc/apt/sources.list.d/debian.sources" \
+      && apt-get -qq update \
+      && apt-get install --no-install-recommends --no-install-suggests -y i965-va-driver-shaders \
+      && sed -i -E "/^Components: main contrib non-free non-free-firmware$/s/main contrib non-free non-free-firmware/main/" "/etc/apt/sources.list.d/debian.sources" \
+      && apt-get update
+
+    # install amd / intel-i965 driver packages
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        intel-gpu-tools onevpl-tools \
+        libva-drm2 \
+        mesa-va-drivers radeontop
+
+    # intel packages use zst compression so we need to update dpkg
+    apt-get install -y dpkg
+
+    # use intel apt intel packages
+    wget -qO - https://repositories.intel.com/gpu/intel-graphics.key | gpg --yes --dearmor --output /usr/share/keyrings/intel-graphics.gpg
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-graphics.gpg] https://repositories.intel.com/gpu/ubuntu jammy client" | tee /etc/apt/sources.list.d/intel-gpu-jammy.list
+    apt-get -qq update
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        intel-media-va-driver-non-free libmfx1 libmfxgen1 libvpl2
+
+    apt-get -qq install -y ocl-icd-libopencl1
+
+    # install libtbb12 for NPU support
+    apt-get -qq install -y libtbb12
+
+    rm -f /usr/share/keyrings/intel-graphics.gpg
+    rm -f /etc/apt/sources.list.d/intel-gpu-jammy.list
+
+    # install legacy and standard intel icd and level-zero-gpu
+    # see https://github.com/intel/compute-runtime/blob/master/LEGACY_PLATFORMS.md for more info
+    # needed core package
+    wget https://github.com/intel/compute-runtime/releases/download/24.52.32224.5/libigdgmm12_22.5.5_amd64.deb
+    dpkg -i libigdgmm12_22.5.5_amd64.deb
+    rm libigdgmm12_22.5.5_amd64.deb
+
+    # legacy packages
+    wget https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-opencl-icd-legacy1_24.35.30872.36_amd64.deb
+    wget https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-level-zero-gpu-legacy1_1.5.30872.36_amd64.deb
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-opencl_1.0.17537.24_amd64.deb
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-core_1.0.17537.24_amd64.deb
+    # standard packages
+    wget https://github.com/intel/compute-runtime/releases/download/24.52.32224.5/intel-opencl-icd_24.52.32224.5_amd64.deb
+    wget https://github.com/intel/compute-runtime/releases/download/24.52.32224.5/intel-level-zero-gpu_1.6.32224.5_amd64.deb
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.5.6/intel-igc-opencl-2_2.5.6+18417_amd64.deb
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.5.6/intel-igc-core-2_2.5.6+18417_amd64.deb
+    # npu packages
+    wget https://github.com/oneapi-src/level-zero/releases/download/v1.21.9/level-zero_1.21.9+u22.04_amd64.deb
+    wget https://github.com/intel/linux-npu-driver/releases/download/v1.17.0/intel-driver-compiler-npu_1.17.0.20250508-14912879441_ubuntu22.04_amd64.deb
+    wget https://github.com/intel/linux-npu-driver/releases/download/v1.17.0/intel-fw-npu_1.17.0.20250508-14912879441_ubuntu22.04_amd64.deb
+    wget https://github.com/intel/linux-npu-driver/releases/download/v1.17.0/intel-level-zero-npu_1.17.0.20250508-14912879441_ubuntu22.04_amd64.deb
+
+    dpkg -i *.deb
+    rm *.deb
+fi
+
+if [[ "${TARGETARCH}" == "arm64" ]]; then
+    apt-get -qq install --no-install-recommends --no-install-suggests -y \
+        libva-drm2 mesa-va-drivers radeontop
+fi
+
+# install vulkan
+apt-get -qq install --no-install-recommends --no-install-suggests -y \
+    libvulkan1 mesa-vulkan-drivers
+
+apt-get purge gnupg apt-transport-https xz-utils -y
+apt-get clean autoclean -y
+apt-get autoremove --purge -y
+rm -rf /var/lib/apt/lists/*
+
+# Install yq, for frigate-prepare and go2rtc echo source
+curl -fsSL \
+    "https://github.com/mikefarah/yq/releases/download/v4.48.2/yq_linux_$(dpkg --print-architecture)" \
+    --output /usr/local/bin/yq
+chmod +x /usr/local/bin/yq
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+hailo_version="4.21.0"
+
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    arch="x86_64"
+elif [[ "${TARGETARCH}" == "arm64" ]]; then
+    arch="aarch64"
+fi
+
+wget -qO- "https://github.com/frigate-nvr/hailort/releases/download/v${hailo_version}/hailort-debian12-${TARGETARCH}.tar.gz" | tar -C / -xzf -
+wget -P /wheels/ "https://github.com/frigate-nvr/hailort/releases/download/v${hailo_version}/hailort-${hailo_version}-cp311-cp311-linux_${arch}.whl"
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+# Download the MxAccl for Frigate github release
+wget https://github.com/memryx/mx_accl_frigate/archive/refs/tags/v2.1.0.zip -O /tmp/mxaccl.zip
+unzip /tmp/mxaccl.zip -d /tmp
+mv /tmp/mx_accl_frigate-2.1.0 /opt/mx_accl_frigate
+rm /tmp/mxaccl.zip
+
+# Install Python dependencies
+pip3 install -r /opt/mx_accl_frigate/freeze
+
+# Link the Python package dynamically
+SITE_PACKAGES=$(python3 -c "import site; print(site.getsitepackages()[0])")
+ln -s /opt/mx_accl_frigate/memryx "$SITE_PACKAGES/memryx"
+
+# Copy architecture-specific shared libraries
+ARCH=$(uname -m)
+if [[ "$ARCH" == "x86_64" ]]; then
+    cp /opt/mx_accl_frigate/memryx/x86/libmemx.so* /usr/lib/x86_64-linux-gnu/
+    cp /opt/mx_accl_frigate/memryx/x86/libmx_accl.so* /usr/lib/x86_64-linux-gnu/
+elif [[ "$ARCH" == "aarch64" ]]; then
+    cp /opt/mx_accl_frigate/memryx/arm/libmemx.so* /usr/lib/aarch64-linux-gnu/
+    cp /opt/mx_accl_frigate/memryx/arm/libmx_accl.so* /usr/lib/aarch64-linux-gnu/
+else
+    echo "Unsupported architecture: $ARCH"
+    exit 1
+fi
+
+# Refresh linker cache
+ldconfig
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+s6_version="3.2.1.0"
+
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    s6_arch="x86_64"
+elif [[ "${TARGETARCH}" == "arm64" ]]; then
+    s6_arch="aarch64"
+fi
+
+mkdir -p /rootfs/
+
+wget -qO- "https://github.com/just-containers/s6-overlay/releases/download/v${s6_version}/s6-overlay-noarch.tar.xz" |
+    tar -C /rootfs/ -Jxpf -
+
+wget -qO- "https://github.com/just-containers/s6-overlay/releases/download/v${s6_version}/s6-overlay-${s6_arch}.tar.xz" |
+    tar -C /rootfs/ -Jxpf -
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+tempio_version="2021.09.0"
+
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+    arch="amd64"
+elif [[ "${TARGETARCH}" == "arm64" ]]; then
+    arch="aarch64"
+fi
+
+mkdir -p /rootfs/usr/local/tempio/bin
+
+wget -q -O /rootfs/usr/local/tempio/bin/tempio "https://github.com/home-assistant/tempio/releases/download/${tempio_version}/tempio_${arch}"
+chmod 755 /rootfs/usr/local/tempio/bin/tempio
@@ -0,0 +1,4 @@
+ruff
+
+# types
+types-peewee == 3.17.*
@@ -0,0 +1,3 @@
+numpy
+tensorflow
+openvino-dev>=2024.0.0
@@ -0,0 +1,85 @@
+aiofiles == 24.1.*
+click == 8.1.*
+# FastAPI
+aiohttp == 3.12.*
+starlette == 0.47.*
+starlette-context == 0.4.*
+fastapi[standard-no-fastapi-cloud-cli] == 0.116.*
+uvicorn == 0.35.*
+slowapi == 0.1.*
+joserfc == 1.2.*
+cryptography == 44.0.*
+pathvalidate == 3.3.*
+markupsafe == 3.0.*
+python-multipart == 0.0.20
+# Classification Model Training
+tensorflow == 2.19.* ; platform_machine == 'aarch64'
+tensorflow-cpu == 2.19.* ; platform_machine == 'x86_64'
+# General
+mypy == 1.6.1
+onvif-zeep-async == 4.0.*
+paho-mqtt == 2.1.*
+pandas == 2.2.*
+peewee == 3.17.*
+peewee_migrate == 1.14.*
+psutil == 7.1.*
+pydantic == 2.10.*
+git+https://github.com/fbcotter/py3nvml#egg=py3nvml
+pytz == 2025.*
+pyzmq == 26.2.*
+ruamel.yaml == 0.18.*
+tzlocal == 5.2
+requests == 2.32.*
+types-requests == 2.32.*
+norfair == 2.3.*
+setproctitle == 1.3.*
+ws4py == 0.5.*
+unidecode == 1.3.*
+titlecase == 2.4.*
+# Image Manipulation
+numpy == 1.26.*
+opencv-python-headless == 4.11.0.*
+opencv-contrib-python == 4.11.0.*
+scipy == 1.16.*
+# OpenVino & ONNX
+openvino == 2025.3.*
+onnxruntime == 1.22.*
+# Embeddings
+transformers == 4.45.*
+# Generative AI
+google-generativeai == 0.8.*
+ollama == 0.5.*
+openai == 1.65.*
+# push notifications
+py-vapid == 1.9.*
+pywebpush == 2.0.*
+# alpr
+pyclipper == 1.3.*
+shapely == 2.0.*
+rapidfuzz==3.12.*
+# HailoRT Wheels
+appdirs==1.4.*
+argcomplete==2.0.*
+contextlib2==0.6.*
+distlib==0.3.*
+filelock==3.8.*
+future==0.18.*
+importlib-metadata==5.1.*
+importlib-resources==5.1.*
+netaddr==0.8.*
+netifaces==0.10.*
+verboselogs==1.7.*
+virtualenv==20.17.*
+prometheus-client == 0.21.*
+# TFLite
+tflite_runtime @ https://github.com/frigate-nvr/TFlite-builds/releases/download/v2.17.1/tflite_runtime-2.17.1-cp311-cp311-linux_x86_64.whl; platform_machine == 'x86_64'
+tflite_runtime @ https://github.com/feranick/TFlite-builds/releases/download/v2.17.1/tflite_runtime-2.17.1-cp311-cp311-linux_aarch64.whl; platform_machine == 'aarch64'
+# audio transcription
+sherpa-onnx==1.12.*
+faster-whisper==1.1.*
+librosa==0.11.*
+soundfile==0.13.*
+# DeGirum detector
+degirum == 0.16.*
+# Memory profiling
+memray == 1.15.*
@@ -0,0 +1 @@
+scikit-build == 0.18.*
@@ -0,0 +1 @@
+certsync
@@ -0,0 +1 @@
+certsync-pipeline
@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/certsync
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,30 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Take down the S6 supervision tree when the service fails
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+declare exit_code_container
+exit_code_container=$(cat /run/s6-linux-init-container-results/exitcode)
+readonly exit_code_container
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="CERTSYNC"
+
+echo "[INFO] Service ${service} exited with code ${exit_code_service} (by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + exit_code_signal)) >/run/s6-linux-init-container-results/exitcode
+  fi
+  if [[ "${exit_code_signal}" -eq 15 ]]; then
+    exec /run/s6/basedir/bin/halt
+  fi
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" >/run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi
@@ -0,0 +1 @@
+certsync-log
@@ -0,0 +1,58 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the CERTSYNC service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+echo "[INFO] Starting certsync..."
+
+lefile="/etc/letsencrypt/live/frigate/fullchain.pem"
+
+tls_enabled=`python3 /usr/local/nginx/get_listen_settings.py | jq -r .tls.enabled`
+
+while true
+do
+    if [[ "$tls_enabled" == 'false' ]]; then
+        sleep 9999
+        continue
+    fi
+
+    if [ ! -e $lefile ]
+    then
+        echo "[ERROR] TLS certificate does not exist: $lefile"
+    fi
+
+    leprint=`openssl x509 -in $lefile -fingerprint -noout 2>&1 || echo 'failed'`
+
+    case "$leprint" in
+        *Fingerprint*)
+            ;;
+        *)
+            echo "[ERROR] Missing fingerprint from $lefile"
+            ;;
+    esac
+
+    liveprint=`echo | openssl s_client -showcerts -connect 127.0.0.1:8971 2>&1 | openssl x509 -fingerprint 2>&1 | grep -i fingerprint  || echo 'failed'`
+
+    case "$liveprint" in
+        *Fingerprint*)
+            ;;
+        *)
+            echo "[ERROR] Missing fingerprint from current nginx TLS cert"
+            ;;
+    esac
+
+    if [[ "$leprint" != "failed" && "$liveprint" != "failed" && "$leprint" != "$liveprint" ]]
+    then
+        echo "[INFO] Reloading nginx to refresh TLS certificate"
+        echo "$lefile: $leprint"
+        /usr/local/nginx/sbin/nginx -s reload
+    fi
+
+    sleep 60
+
+done
+
+exit 0
@@ -0,0 +1 @@
+30000
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1 @@
+frigate
@@ -0,0 +1 @@
+frigate-pipeline
@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/frigate
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,28 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Take down the S6 supervision tree when the service exits
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+declare exit_code_container
+exit_code_container=$(cat /run/s6-linux-init-container-results/exitcode)
+readonly exit_code_container
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="Frigate"
+
+echo "[INFO] Service ${service} exited with code ${exit_code_service} (by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + exit_code_signal)) >/run/s6-linux-init-container-results/exitcode
+  fi
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" >/run/s6-linux-init-container-results/exitcode
+  fi
+fi
+
+exec /run/s6/basedir/bin/halt
@@ -0,0 +1 @@
+frigate-log
@@ -0,0 +1,33 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the Frigate service
+
+set -o errexit -o nounset -o pipefail
+
+# opt out of openvino telemetry
+if [ -e /usr/local/bin/opt_in_out ]; then
+  /usr/local/bin/opt_in_out --opt_out > /dev/null 2>&1
+fi
+
+# Logs should be sent to stdout so that s6 can collect them
+
+# Tell S6-Overlay not to restart this service
+s6-svc -O .
+
+function set_libva_version() {
+    local ffmpeg_path
+    ffmpeg_path=$(python3 /usr/local/ffmpeg/get_ffmpeg_path.py)
+    LIBAVFORMAT_VERSION_MAJOR=$("$ffmpeg_path" -version | grep -Po "libavformat\W+\K\d+")
+    export LIBAVFORMAT_VERSION_MAJOR
+}
+
+echo "[INFO] Preparing Frigate..."
+set_libva_version
+
+echo "[INFO] Starting Frigate..."
+
+cd /opt/frigate || echo "[ERROR] Failed to change working directory to /opt/frigate"
+
+# Replace the bash process with the Frigate process, redirecting stderr to stdout
+exec 2>&1
+exec python3 -u -m frigate
@@ -0,0 +1 @@
+120000
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,12 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="go2rtc-healthcheck"
+
+echo "[INFO] The ${service} service exited with code ${exit_code_service} (by signal ${exit_code_signal})"
@@ -0,0 +1 @@
+go2rtc-log
@@ -0,0 +1,22 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the go2rtc-healthcheck service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+# Give some additional time for go2rtc to start before start pinging
+sleep 10s
+echo "[INFO] Starting go2rtc healthcheck service..."
+
+while sleep 30s; do
+    # Check if the service is running
+    if ! curl --connect-timeout 10 --fail --silent --show-error --output /dev/null http://127.0.0.1:1984/api/streams 2>&1; then
+        echo "[ERROR] The go2rtc service is not responding to ping, restarting..."
+        # We can also use -r instead of -t to send kill signal rather than term
+        s6-svc -t /var/run/service/go2rtc 2>&1
+        # Give some additional time to go2rtc to restart before start pinging again
+        sleep 10s
+    fi
+done
@@ -0,0 +1 @@
+5000
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,2 @@
+go2rtc
+go2rtc-healthcheck
@@ -0,0 +1 @@
+go2rtc-pipeline
@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/go2rtc
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,12 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="go2rtc"
+
+echo "[INFO] The ${service} service exited with code ${exit_code_service} (by signal ${exit_code_signal})"
@@ -0,0 +1 @@
+go2rtc-log
@@ -0,0 +1,124 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the go2rtc service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+function get_ip_and_port_from_supervisor() {
+    local ip_address
+    # Example: 192.168.1.10/24
+    local ip_regex='^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/[0-9]{1,2}$'
+    if ip_address=$(
+        curl -fsSL \
+            -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" \
+            -H "Content-Type: application/json" \
+            http://supervisor/network/interface/default/info |
+            jq --exit-status --raw-output '.data.ipv4.address[0]'
+    ) && [[ "${ip_address}" =~ ${ip_regex} ]]; then
+        ip_address="${BASH_REMATCH[1]}"
+        echo "[INFO] Got IP address from supervisor: ${ip_address}"
+    else
+        echo "[WARN] Failed to get IP address from supervisor"
+        return 0
+    fi
+
+    local webrtc_port
+    local port_regex='^([0-9]{1,5})$'
+    if webrtc_port=$(
+        curl -fsSL \
+            -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" \
+            -H "Content-Type: application/json" \
+            http://supervisor/addons/self/info |
+            jq --exit-status --raw-output '.data.network["8555/tcp"]'
+    ) && [[ "${webrtc_port}" =~ ${port_regex} ]]; then
+        webrtc_port="${BASH_REMATCH[1]}"
+        echo "[INFO] Got WebRTC port from supervisor: ${webrtc_port}"
+    else
+        echo "[WARN] Failed to get WebRTC port from supervisor"
+        return 0
+    fi
+
+    export FRIGATE_GO2RTC_WEBRTC_CANDIDATE_INTERNAL="${ip_address}:${webrtc_port}"
+}
+
+function set_libva_version() {
+    local ffmpeg_path
+    ffmpeg_path=$(python3 /usr/local/ffmpeg/get_ffmpeg_path.py)
+    LIBAVFORMAT_VERSION_MAJOR=$("$ffmpeg_path" -version | grep -Po "libavformat\W+\K\d+")
+    export LIBAVFORMAT_VERSION_MAJOR
+}
+
+function setup_homekit_config() {
+    local config_path="$1"
+
+    if [[ ! -f "${config_path}" ]]; then
+        echo "[INFO] Creating empty HomeKit config file..."
+        echo '{}' > "${config_path}"
+    fi
+
+    # Convert YAML to JSON for jq processing
+    local temp_json="/tmp/cache/homekit_config.json"
+    yq eval -o=json "${config_path}" > "${temp_json}" 2>/dev/null || {
+        echo "[WARNING] Failed to convert HomeKit config to JSON, skipping cleanup"
+        return 0
+    }
+
+    # Use jq to filter and keep only the homekit section
+    local cleaned_json="/tmp/cache/homekit_cleaned.json"
+    jq '
+        # Keep only the homekit section if it exists, otherwise empty object
+        if has("homekit") then {homekit: .homekit} else {homekit: {}} end
+    ' "${temp_json}" > "${cleaned_json}" 2>/dev/null || echo '{"homekit": {}}' > "${cleaned_json}"
+
+    # Convert back to YAML and write to the config file
+    yq eval -P "${cleaned_json}" > "${config_path}" 2>/dev/null || {
+        echo "[WARNING] Failed to convert cleaned config to YAML, creating minimal config"
+        echo '{"homekit": {}}' > "${config_path}"
+    }
+
+    # Clean up temp files
+    rm -f "${temp_json}" "${cleaned_json}"
+}
+
+set_libva_version
+
+if [[ -f "/dev/shm/go2rtc.yaml" ]]; then
+    echo "[INFO] Removing stale config from last run..."
+    rm /dev/shm/go2rtc.yaml
+fi
+
+if [[ ! -f "/dev/shm/go2rtc.yaml" ]]; then
+    echo "[INFO] Preparing new go2rtc config..."
+
+    if [[ -n "${SUPERVISOR_TOKEN:-}" ]]; then
+        # Running as a Home Assistant Add-on, infer the IP address and port
+        get_ip_and_port_from_supervisor
+    fi
+
+    python3 /usr/local/go2rtc/create_config.py
+else
+    echo "[WARNING] Unable to remove existing go2rtc config. Changes made to your frigate config file may not be recognized. Please remove the /dev/shm/go2rtc.yaml from your docker host manually."
+fi
+
+# HomeKit configuration persistence setup
+readonly homekit_config_path="/config/go2rtc_homekit.yml"
+setup_homekit_config "${homekit_config_path}"
+
+readonly config_path="/config"
+
+if [[ -x "${config_path}/go2rtc" ]]; then
+  readonly binary_path="${config_path}/go2rtc"
+  echo "[WARN] Using go2rtc binary from '${binary_path}' instead of the embedded one"
+else
+  readonly binary_path="/usr/local/go2rtc/bin/go2rtc"
+fi
+
+echo "[INFO] Starting go2rtc..."
+
+# Replace the bash process with the go2rtc process, redirecting stderr to stdout
+# Use HomeKit config as the primary config so writebacks go there
+# The main config from Frigate will be loaded as a secondary config
+exec 2>&1
+exec "${binary_path}" -config="${homekit_config_path}" -config=/dev/shm/go2rtc.yaml
@@ -0,0 +1 @@
+30000
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,11 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Prepare the logs folder for s6-log
+
+set -o errexit -o nounset -o pipefail
+
+dirs=(/dev/shm/logs/frigate /dev/shm/logs/go2rtc /dev/shm/logs/nginx /dev/shm/logs/certsync)
+
+mkdir -p "${dirs[@]}"
+chown nobody:nogroup "${dirs[@]}"
+chmod 02755 "${dirs[@]}"
@@ -0,0 +1 @@
+oneshot
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/log-prepare/run
@@ -0,0 +1 @@
+nginx
@@ -0,0 +1 @@
+nginx-pipeline
@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+exec logutil-service /dev/shm/logs/nginx
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Wait for PID file to exist.
+while ! test -f /run/nginx.pid; do sleep 1; done
@@ -0,0 +1,30 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Take down the S6 supervision tree when the service fails
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+declare exit_code_container
+exit_code_container=$(cat /run/s6-linux-init-container-results/exitcode)
+readonly exit_code_container
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="NGINX"
+
+echo "[INFO] Service ${service} exited with code ${exit_code_service} (by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + exit_code_signal)) >/run/s6-linux-init-container-results/exitcode
+  fi
+  if [[ "${exit_code_signal}" -eq 15 ]]; then
+    exec /run/s6/basedir/bin/halt
+  fi
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" >/run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi
@@ -0,0 +1 @@
+3
@@ -0,0 +1 @@
+nginx-log
@@ -0,0 +1,96 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Start the NGINX service
+
+set -o errexit -o nounset -o pipefail
+
+# Logs should be sent to stdout so that s6 can collect them
+
+echo "[INFO] Starting NGINX..."
+
+# Taken from https://github.com/felipecrs/cgroup-scripts/commits/master/get_cpus.sh
+function get_cpus() {
+    local quota=""
+    local period=""
+
+    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
+        if [ -f /sys/fs/cgroup/cpu.max ]; then
+            read -r quota period </sys/fs/cgroup/cpu.max
+            if [ "$quota" = "max" ]; then
+                quota=""
+                period=""
+            fi
+        else
+            echo "[WARN] /sys/fs/cgroup/cpu.max not found. Falling back to /proc/cpuinfo." >&2
+        fi
+    else
+        if [ -f /sys/fs/cgroup/cpu/cpu.cfs_quota_us ] && [ -f /sys/fs/cgroup/cpu/cpu.cfs_period_us ]; then
+            quota=$(cat /sys/fs/cgroup/cpu/cpu.cfs_quota_us)
+            period=$(cat /sys/fs/cgroup/cpu/cpu.cfs_period_us)
+
+            if [ "$quota" = "-1" ]; then
+                quota=""
+                period=""
+            fi
+        else
+            echo "[WARN] /sys/fs/cgroup/cpu/cpu.cfs_quota_us or /sys/fs/cgroup/cpu/cpu.cfs_period_us not found. Falling back to /proc/cpuinfo." >&2
+        fi
+    fi
+
+    local cpus
+    if [ "${period}" != "0" ] && [ -n "${quota}" ] && [ -n "${period}" ]; then
+        cpus=$((quota / period))
+        if [ "$cpus" -eq 0 ]; then
+            cpus=1
+        fi
+    else
+        cpus=$(grep -c ^processor /proc/cpuinfo)
+    fi
+
+    printf '%s' "$cpus"
+}
+
+function set_worker_processes() {
+    # Capture number of assigned CPUs to calculate worker processes
+    local cpus
+
+    cpus=$(get_cpus)
+    if [[ "${cpus}" -gt 4 ]]; then
+        cpus=4
+    fi
+
+    # we need to catch any errors because sed will fail if user has bind mounted a custom nginx file
+    sed -i "s/worker_processes auto;/worker_processes ${cpus};/" /usr/local/nginx/conf/nginx.conf || true
+}
+
+set_worker_processes
+
+# ensure the directory for ACME challenges exists
+mkdir -p /etc/letsencrypt/www
+
+# Create self signed certs if needed
+letsencrypt_path=/etc/letsencrypt/live/frigate
+mkdir -p $letsencrypt_path
+
+if [ ! \( -f "$letsencrypt_path/privkey.pem" -a -f "$letsencrypt_path/fullchain.pem" \) ]; then
+    echo "[INFO] No TLS certificate found. Generating a self signed certificate..."
+    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
+        -subj "/O=FRIGATE DEFAULT CERT/CN=*" \
+        -keyout "$letsencrypt_path/privkey.pem" -out "$letsencrypt_path/fullchain.pem" 2>/dev/null
+fi
+
+# build templates for optional FRIGATE_BASE_PATH environment variable
+python3 /usr/local/nginx/get_base_path.py | \
+    tempio -template /usr/local/nginx/templates/base_path.gotmpl \
+       -out /usr/local/nginx/conf/base_path.conf
+
+# build templates for optional TLS support
+python3 /usr/local/nginx/get_listen_settings.py | \
+    tempio  -template /usr/local/nginx/templates/listen.gotmpl \
+            -out /usr/local/nginx/conf/listen.conf
+
+# Replace the bash process with the NGINX process, redirecting stderr to stdout
+exec 2>&1
+exec \
+    s6-notifyoncheck -t 30000 -n 1 \
+    nginx
@@ -0,0 +1 @@
+30000
@@ -0,0 +1 @@
+longrun
@@ -0,0 +1,146 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+# Do preparation tasks before starting the main services
+
+set -o errexit -o nounset -o pipefail
+
+function migrate_addon_config_dir() {
+    local home_assistant_config_dir="/homeassistant"
+
+    if ! mountpoint --quiet "${home_assistant_config_dir}"; then
+        # Not running as a Home Assistant Add-on
+        return 0
+    fi
+
+    local config_dir="/config"
+    local new_config_file="${config_dir}/config.yml"
+    local new_config_file_yaml="${new_config_file//.yml/.yaml}"
+    if [[ -f "${new_config_file_yaml}" || -f "${new_config_file}" ]]; then
+        # Already migrated
+        return 0
+    fi
+
+    local old_config_file="${home_assistant_config_dir}/frigate.yml"
+    local old_config_file_yaml="${old_config_file//.yml/.yaml}"
+    if [[ -f "${old_config_file}" ]]; then
+        :
+    elif [[ -f "${old_config_file_yaml}" ]]; then
+        old_config_file="${old_config_file_yaml}"
+        new_config_file="${new_config_file_yaml}"
+    else
+        # Nothing to migrate
+        return 0
+    fi
+    unset old_config_file_yaml new_config_file_yaml
+
+    echo "[INFO] Starting migration from Home Assistant config dir to Add-on config dir..." >&2
+
+    local db_path
+    db_path=$(yq -r '.database.path' "${old_config_file}")
+    if [[ "${db_path}" == "null" ]]; then
+        db_path="${config_dir}/frigate.db"
+    fi
+    if [[ "${db_path}" == "${config_dir}/"* ]]; then
+        # replace /config/ prefix with /homeassistant/
+        local old_db_path="${home_assistant_config_dir}/${db_path:8}"
+
+        if [[ -f "${old_db_path}" ]]; then
+            local new_db_dir
+            new_db_dir="$(dirname "${db_path}")"
+            echo "[INFO] Migrating database from '${old_db_path}' to '${new_db_dir}' dir..." >&2
+            mkdir -vp "${new_db_dir}"
+            mv -vf "${old_db_path}" "${new_db_dir}"
+            local db_file
+            for db_file in "${old_db_path}"-shm "${old_db_path}"-wal; do
+                if [[ -f "${db_file}" ]]; then
+                    mv -vf "${db_file}" "${new_db_dir}"
+                fi
+            done
+            unset db_file
+        fi
+    fi
+
+    local config_entry
+    for config_entry in .model.path .model.labelmap_path .ffmpeg.path .mqtt.tls_ca_certs .mqtt.tls_client_cert .mqtt.tls_client_key; do
+        local config_entry_path
+        config_entry_path=$(yq -r "${config_entry}" "${old_config_file}")
+        if [[ "${config_entry_path}" == "${config_dir}/"* ]]; then
+            # replace /config/ prefix with /homeassistant/
+            local old_config_entry_path="${home_assistant_config_dir}/${config_entry_path:8}"
+
+            if [[ -f "${old_config_entry_path}" ]]; then
+                local new_config_entry_entry
+                new_config_entry_entry="$(dirname "${config_entry_path}")"
+                echo "[INFO] Migrating ${config_entry} from '${old_config_entry_path}' to '${config_entry_path}'..." >&2
+                mkdir -vp "${new_config_entry_entry}"
+                mv -vf "${old_config_entry_path}" "${config_entry_path}"
+            fi
+        fi
+    done
+
+    local old_model_cache_path="${home_assistant_config_dir}/model_cache"
+    if [[ -d "${old_model_cache_path}" ]]; then
+        echo "[INFO] Migrating '${old_model_cache_path}' to '${config_dir}'..." >&2
+        mv -f "${old_model_cache_path}" "${config_dir}"
+    fi
+
+    echo "[INFO] Migrating other files from '${home_assistant_config_dir}' to '${config_dir}'..." >&2
+    local file
+    for file in .exports .jwt_secret .timeline .vacuum go2rtc; do
+        file="${home_assistant_config_dir}/${file}"
+        if [[ -f "${file}" ]]; then
+            mv -vf "${file}" "${config_dir}"
+        fi
+    done
+
+    echo "[INFO] Migrating config file from '${old_config_file}' to '${new_config_file}'..." >&2
+    mv -vf "${old_config_file}" "${new_config_file}"
+
+    echo "[INFO] Migration from Home Assistant config dir to Add-on config dir completed." >&2
+}
+
+function migrate_db_from_media_to_config() {
+    # Find config file in yml or yaml, but prefer yml
+    local config_file="${CONFIG_FILE:-"/config/config.yml"}"
+    local config_file_yaml="${config_file//.yml/.yaml}"
+    if [[ -f "${config_file}" ]]; then
+        :
+    elif [[ -f "${config_file_yaml}" ]]; then
+        config_file="${config_file_yaml}"
+    else
+        # Frigate will create the config file on startup
+        return 0
+    fi
+    unset config_file_yaml
+
+    local user_db_path
+    user_db_path=$(yq -r '.database.path' "${config_file}")
+    if [[ "${user_db_path}" == "null" ]]; then
+        local old_db_path="/media/frigate/frigate.db"
+        local new_db_dir="/config"
+        if [[ -f "${old_db_path}" ]]; then
+            echo "[INFO] Migrating database from '${old_db_path}' to '${new_db_dir}' dir..." >&2
+            if mountpoint --quiet "${new_db_dir}"; then
+                # /config is a mount point, move the db
+                mv -vf "${old_db_path}" "${new_db_dir}"
+                local db_file
+                for db_file in "${old_db_path}"-shm "${old_db_path}"-wal; do
+                    if [[ -f "${db_file}" ]]; then
+                        mv -vf "${db_file}" "${new_db_dir}"
+                    fi
+                done
+                unset db_file
+            else
+                echo "[ERROR] Trying to migrate the database path from '${old_db_path}' to '${new_db_dir}' dir, but '${new_db_dir}' is not a mountpoint, please mount the '${new_db_dir}' dir" >&2
+                return 1
+            fi
+        fi
+    fi
+}
+
+# remove leftover from last run, not normally needed, but just in case
+# used by the docker healthcheck
+rm -f /dev/shm/.frigate-is-stopping
+
+migrate_addon_config_dir
+migrate_db_from_media_to_config
@@ -0,0 +1 @@
+oneshot
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/prepare/run
@@ -0,0 +1,80 @@
+0  person
+1  bicycle
+2  car
+3  motorcycle
+4  airplane
+5  car
+6  train
+7  car
+8  boat
+9  traffic light
+10  fire hydrant
+11  stop sign
+12  parking meter
+13  bench
+14  bird
+15  cat
+16  dog
+17  horse
+18  sheep
+19  cow
+20  elephant
+21  bear
+22  zebra
+23  giraffe
+24  backpack
+25  umbrella
+26  handbag
+27  tie
+28  suitcase
+29  frisbee
+30  skis
+31  snowboard
+32  sports ball
+33  kite
+34  baseball bat
+35  baseball glove
+36  skateboard
+37  surfboard
+38  tennis racket
+39  bottle
+40  wine glass
+41  cup
+42  fork
+43  knife
+44  spoon
+45  bowl
+46  banana
+47  apple
+48  sandwich
+49  orange
+50  broccoli
+51  carrot
+52  hot dog
+53  pizza
+54  donut
+55  cake
+56  chair
+57  couch
+58  potted plant
+59  bed
+60  dining table
+61  toilet
+62  tv
+63  laptop
+64  mouse
+65  remote
+66  keyboard
+67  cell phone
+68  microwave
+69  oven
+70  toaster
+71  sink
+72  refrigerator
+73  book
+74  clock
+75  vase
+76  scissors
+77  teddy bear
+78  hair drier
+79  toothbrush
@@ -0,0 +1,91 @@
+0  person
+1  bicycle
+2  car
+3  motorcycle
+4  airplane
+5  bus
+6  train
+7  car
+8  boat
+9  traffic light
+10  fire hydrant
+11  street sign
+12  stop sign
+13  parking meter
+14  bench
+15  bird
+16  cat
+17  dog
+18  horse
+19  sheep
+20  cow
+21  elephant
+22  bear
+23  zebra
+24  giraffe
+25  hat
+26  backpack
+27  umbrella
+28  shoe
+29  eye glasses
+30  handbag
+31  tie
+32  suitcase
+33  frisbee
+34  skis
+35  snowboard
+36  sports ball
+37  kite
+38  baseball bat
+39  baseball glove
+40  skateboard
+41  surfboard
+42  tennis racket
+43  bottle
+44  plate
+45  wine glass
+46  cup
+47  fork
+48  knife
+49  spoon
+50  bowl
+51  banana
+52  apple
+53  sandwich
+54  orange
+55  broccoli
+56  carrot
+57  hot dog
+58  pizza
+59  donut
+60  cake
+61  chair
+62  couch
+63  potted plant
+64  bed
+65  mirror
+66  dining table
+67  window
+68  desk
+69  toilet
+70  door
+71  tv
+72  laptop
+73  mouse
+74  remote
+75  keyboard
+76  cell phone
+77  microwave
+78  oven
+79  toaster
+80  sink
+81  refrigerator
+82  blender
+83  book
+84  clock
+85  vase
+86  scissors
+87  teddy bear
+88  hair drier
+89  toothbrush
+90  hair brush
@@ -0,0 +1,37 @@
+import json
+import sys
+from typing import Any
+
+from ruamel.yaml import YAML
+
+sys.path.insert(0, "/opt/frigate")
+from frigate.const import (
+    DEFAULT_FFMPEG_VERSION,
+    INCLUDED_FFMPEG_VERSIONS,
+)
+from frigate.util.config import find_config_file
+
+sys.path.remove("/opt/frigate")
+
+yaml = YAML()
+
+config_file = find_config_file()
+
+try:
+    with open(config_file) as f:
+        raw_config = f.read()
+
+    if config_file.endswith((".yaml", ".yml")):
+        config: dict[str, Any] = yaml.load(raw_config)
+    elif config_file.endswith(".json"):
+        config: dict[str, Any] = json.loads(raw_config)
+except FileNotFoundError:
+    config: dict[str, Any] = {}
+
+path = config.get("ffmpeg", {}).get("path", "default")
+if path == "default":
+    print(f"/usr/lib/ffmpeg/{DEFAULT_FFMPEG_VERSION}/bin/ffmpeg")
+elif path in INCLUDED_FFMPEG_VERSIONS:
+    print(f"/usr/lib/ffmpeg/{path}/bin/ffmpeg")
+else:
+    print(f"{path}/bin/ffmpeg")
@@ -0,0 +1,150 @@
+"""Creates a go2rtc config file."""
+
+import json
+import os
+import sys
+from pathlib import Path
+from typing import Any
+
+from ruamel.yaml import YAML
+
+sys.path.insert(0, "/opt/frigate")
+from frigate.const import (
+    BIRDSEYE_PIPE,
+    DEFAULT_FFMPEG_VERSION,
+    INCLUDED_FFMPEG_VERSIONS,
+    LIBAVFORMAT_VERSION_MAJOR,
+)
+from frigate.ffmpeg_presets import parse_preset_hardware_acceleration_encode
+from frigate.util.config import find_config_file
+
+sys.path.remove("/opt/frigate")
+
+yaml = YAML()
+
+FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
+# read docker secret files as env vars too
+if os.path.isdir("/run/secrets"):
+    for secret_file in os.listdir("/run/secrets"):
+        if secret_file.startswith("FRIGATE_"):
+            FRIGATE_ENV_VARS[secret_file] = (
+                Path(os.path.join("/run/secrets", secret_file)).read_text().strip()
+            )
+
+config_file = find_config_file()
+
+try:
+    with open(config_file) as f:
+        raw_config = f.read()
+
+    if config_file.endswith((".yaml", ".yml")):
+        config: dict[str, Any] = yaml.load(raw_config)
+    elif config_file.endswith(".json"):
+        config: dict[str, Any] = json.loads(raw_config)
+except FileNotFoundError:
+    config: dict[str, Any] = {}
+
+go2rtc_config: dict[str, Any] = config.get("go2rtc", {})
+
+# Need to enable CORS for go2rtc so the frigate integration / card work automatically
+if go2rtc_config.get("api") is None:
+    go2rtc_config["api"] = {"origin": "*"}
+elif go2rtc_config["api"].get("origin") is None:
+    go2rtc_config["api"]["origin"] = "*"
+
+# Need to set default location for HA config
+if go2rtc_config.get("hass") is None:
+    go2rtc_config["hass"] = {"config": "/homeassistant"}
+
+# we want to ensure that logs are easy to read
+if go2rtc_config.get("log") is None:
+    go2rtc_config["log"] = {"format": "text"}
+elif go2rtc_config["log"].get("format") is None:
+    go2rtc_config["log"]["format"] = "text"
+
+# ensure there is a default webrtc config
+if go2rtc_config.get("webrtc") is None:
+    go2rtc_config["webrtc"] = {}
+
+if go2rtc_config["webrtc"].get("candidates") is None:
+    default_candidates = []
+    # use internal candidate if it was discovered when running through the add-on
+    internal_candidate = os.environ.get("FRIGATE_GO2RTC_WEBRTC_CANDIDATE_INTERNAL")
+    if internal_candidate is not None:
+        default_candidates.append(internal_candidate)
+    # should set default stun server so webrtc can work
+    default_candidates.append("stun:8555")
+
+    go2rtc_config["webrtc"]["candidates"] = default_candidates
+
+if go2rtc_config.get("rtsp", {}).get("username") is not None:
+    go2rtc_config["rtsp"]["username"] = go2rtc_config["rtsp"]["username"].format(
+        **FRIGATE_ENV_VARS
+    )
+
+if go2rtc_config.get("rtsp", {}).get("password") is not None:
+    go2rtc_config["rtsp"]["password"] = go2rtc_config["rtsp"]["password"].format(
+        **FRIGATE_ENV_VARS
+    )
+
+# ensure ffmpeg path is set correctly
+path = config.get("ffmpeg", {}).get("path", "default")
+if path == "default":
+    ffmpeg_path = f"/usr/lib/ffmpeg/{DEFAULT_FFMPEG_VERSION}/bin/ffmpeg"
+elif path in INCLUDED_FFMPEG_VERSIONS:
+    ffmpeg_path = f"/usr/lib/ffmpeg/{path}/bin/ffmpeg"
+else:
+    ffmpeg_path = f"{path}/bin/ffmpeg"
+
+if go2rtc_config.get("ffmpeg") is None:
+    go2rtc_config["ffmpeg"] = {"bin": ffmpeg_path}
+elif go2rtc_config["ffmpeg"].get("bin") is None:
+    go2rtc_config["ffmpeg"]["bin"] = ffmpeg_path
+
+# need to replace ffmpeg command when using ffmpeg4
+if LIBAVFORMAT_VERSION_MAJOR < 59:
+    rtsp_args = "-fflags nobuffer -flags low_delay -stimeout 10000000 -user_agent go2rtc/ffmpeg -rtsp_transport tcp -i {input}"
+    if go2rtc_config.get("ffmpeg") is None:
+        go2rtc_config["ffmpeg"] = {"rtsp": rtsp_args}
+    elif go2rtc_config["ffmpeg"].get("rtsp") is None:
+        go2rtc_config["ffmpeg"]["rtsp"] = rtsp_args
+
+for name in go2rtc_config.get("streams", {}):
+    stream = go2rtc_config["streams"][name]
+
+    if isinstance(stream, str):
+        try:
+            go2rtc_config["streams"][name] = go2rtc_config["streams"][name].format(
+                **FRIGATE_ENV_VARS
+            )
+        except KeyError as e:
+            print(
+                "[ERROR] Invalid substitution found, see https://docs.frigate.video/configuration/restream#advanced-restream-configurations for more info."
+            )
+            sys.exit(e)
+
+    elif isinstance(stream, list):
+        for i, stream in enumerate(stream):
+            try:
+                go2rtc_config["streams"][name][i] = stream.format(**FRIGATE_ENV_VARS)
+            except KeyError as e:
+                print(
+                    "[ERROR] Invalid substitution found, see https://docs.frigate.video/configuration/restream#advanced-restream-configurations for more info."
+                )
+                sys.exit(e)
+
+# add birdseye restream stream if enabled
+if config.get("birdseye", {}).get("restream", False):
+    birdseye: dict[str, Any] = config.get("birdseye")
+
+    input = f"-f rawvideo -pix_fmt yuv420p -video_size {birdseye.get('width', 1280)}x{birdseye.get('height', 720)} -r 10 -i {BIRDSEYE_PIPE}"
+    ffmpeg_cmd = f"exec:{parse_preset_hardware_acceleration_encode(ffmpeg_path, config.get('ffmpeg', {}).get('hwaccel_args', ''), input, '-rtsp_transport tcp -f rtsp {output}')}"
+
+    if go2rtc_config.get("streams"):
+        go2rtc_config["streams"]["birdseye"] = ffmpeg_cmd
+    else:
+        go2rtc_config["streams"] = {"birdseye": ffmpeg_cmd}
+
+# Write go2rtc_config to /dev/shm/go2rtc.yaml
+with open("/dev/shm/go2rtc.yaml", "w") as f:
+    yaml.dump(go2rtc_config, f)
@@ -0,0 +1,43 @@
+set $upstream_auth http://127.0.0.1:5001/auth;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /auth {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_auth;
+
+    ## Headers
+
+    # First strip out all the request headers
+    # Note: This is important to ensure that upgrade requests for secure
+    #       websockets dont cause the backend to fail
+    proxy_pass_request_headers off;
+    # Pass info about the request
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Server-Port $server_port;
+    proxy_set_header Content-Length "";
+    # Pass along auth related info
+    proxy_set_header Authorization $http_authorization;
+    proxy_set_header Cookie $http_cookie;
+    proxy_set_header X-CSRF-TOKEN "1";
+
+    # include headers from common auth proxies
+    include proxy_trusted_headers.conf;
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}
@@ -0,0 +1,24 @@
+## Send a subrequest to verify if the user is authenticated and has permission to access the resource.
+auth_request /auth;
+
+## Save the upstream metadata response headers from the auth request to variables
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $role $upstream_http_remote_role;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the metadata response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Role $role;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Name $name;
+
+## Refresh the cookie as needed
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+
+## Pass the location header back up if it exists
+auth_request_set $redirection_url $upstream_http_location;
+add_header Location $redirection_url;
@@ -0,0 +1,4 @@
+upstream go2rtc {
+    server 127.0.0.1:1984;
+    keepalive 1024;
+}
@@ -0,0 +1,362 @@
+daemon off;
+user root;
+worker_processes auto;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    map_hash_bucket_size 256;
+
+    include mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for" '
+                        'request_time="$request_time" upstream_response_time="$upstream_response_time"';
+
+
+    access_log /dev/stdout main;
+
+    # send headers in one piece, it is better than sending them one by one
+    tcp_nopush on;
+
+    sendfile on;
+
+    keepalive_timeout 65;
+
+    gzip on;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/javascript image/svg+xml image/x-icon image/bmp;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_vary on;
+
+    proxy_cache_path /dev/shm/nginx_cache levels=1:2 keys_zone=api_cache:10m max_size=10m inactive=1m use_temp_path=off;
+
+    map $sent_http_content_type $should_not_cache {
+        'application/json' 0;
+        default 1;
+    }
+
+    upstream frigate_api {
+        server 127.0.0.1:5001;
+        keepalive 1024;
+    }
+
+    upstream mqtt_ws {
+        server 127.0.0.1:5002;
+        keepalive 1024;
+    }
+
+    upstream jsmpeg {
+        server 127.0.0.1:8082;
+        keepalive 1024;
+    }
+
+    include go2rtc_upstream.conf;
+
+    server {
+        include listen.conf;
+
+        # vod settings
+        vod_base_url '';
+        vod_segments_base_url '';
+        vod_mode mapped;
+        vod_max_mapping_response_size 1m;
+        vod_upstream_location /api;
+        vod_align_segments_to_key_frames on;
+        vod_manifest_segment_durations_mode accurate;
+        vod_ignore_edit_list on;
+        vod_segment_duration 10000;
+
+        # MPEG-TS settings (not used when fMP4 is enabled, kept for reference)
+        vod_hls_mpegts_align_frames off;
+        vod_hls_mpegts_interleave_frames on;
+
+        # file handle caching / aio
+        open_file_cache max=1000 inactive=5m;
+        open_file_cache_valid 2m;
+        open_file_cache_min_uses 1;
+        open_file_cache_errors on;
+        aio on;
+
+        # file upload size
+        client_max_body_size 20M;
+
+        # https://github.com/kaltura/nginx-vod-module#vod_open_file_thread_pool
+        vod_open_file_thread_pool default;
+
+        # vod caches
+        vod_metadata_cache metadata_cache 512m;
+        vod_mapping_cache mapping_cache 5m 10m;
+
+        # gzip manifests
+        gzip on;
+        gzip_types application/vnd.apple.mpegurl;
+
+        include auth_location.conf;
+        include base_path.conf;
+
+        location /vod/ {
+            include auth_request.conf;
+            aio threads;
+            vod hls;
+
+            # Use fMP4 (fragmented MP4) instead of MPEG-TS for better performance
+            # Smaller segments, faster generation, better browser compatibility
+            vod_hls_container_format fmp4;
+
+            secure_token $args;
+            secure_token_types application/vnd.apple.mpegurl;
+
+            add_header Cache-Control "no-store";
+            expires off;
+
+            keepalive_disable safari;
+
+            # vod module returns 502 for non-existent media
+            # https://github.com/kaltura/nginx-vod-module/issues/468
+            error_page 502 =404 /vod-not-found;
+        }
+
+        location = /vod-not-found {
+            return 404;
+        }
+
+        location /stream/ {
+            include auth_request.conf;
+            add_header Cache-Control "no-store";
+            expires off;
+
+            types {
+                application/dash+xml mpd;
+                application/vnd.apple.mpegurl m3u8;
+                video/mp2t ts;
+                image/jpeg jpg;
+            }
+
+            root /tmp;
+        }
+
+        location /clips/ {
+            include auth_request.conf;
+            types {
+                video/mp4 mp4;
+                image/jpeg jpg;
+            }
+
+            expires 7d;
+            add_header Cache-Control "public";
+            autoindex on;
+            root /media/frigate;
+        }
+
+        location /cache/ {
+            internal; # This tells nginx it's not accessible from the outside
+            alias /tmp/cache/;
+        }
+
+        location /recordings/ {
+            include auth_request.conf;
+            types {
+                video/mp4 mp4;
+            }
+
+            autoindex on;
+            autoindex_format json;
+            root /media/frigate;
+        }
+
+        location /exports/ {
+            include auth_request.conf;
+            types {
+                video/mp4 mp4;
+            }
+
+            autoindex on;
+            autoindex_format json;
+            root /media/frigate;
+        }
+
+        location /ws {
+            include auth_request.conf;
+            proxy_pass http://mqtt_ws/;
+            include proxy.conf;
+        }
+
+        location /live/jsmpeg/ {
+            include auth_request.conf;
+            proxy_pass http://jsmpeg/;
+            include proxy.conf;
+        }
+
+        # frigate lovelace card uses this path
+        location /live/mse/api/ws {
+            include auth_request.conf;
+            limit_except GET {
+                deny  all;
+            }
+            proxy_pass http://go2rtc/api/ws;
+            include proxy.conf;
+        }
+
+        location /live/webrtc/api/ws {
+            include auth_request.conf;
+            limit_except GET {
+                deny  all;
+            }
+            proxy_pass http://go2rtc/api/ws;
+            include proxy.conf;
+        }
+
+        # pass through go2rtc player
+        location /live/webrtc/webrtc.html {
+            include auth_request.conf;
+            limit_except GET {
+                deny  all;
+            }
+            proxy_pass http://go2rtc/webrtc.html;
+            include proxy.conf;
+        }
+
+        # frontend uses this to fetch the version
+        location /api/go2rtc/api {
+            include auth_request.conf;
+            limit_except GET {
+                deny  all;
+            }
+            proxy_pass http://go2rtc/api;
+            include proxy.conf;
+        }
+
+        # integration uses this to add webrtc candidate
+        location /api/go2rtc/webrtc {
+            include auth_request.conf;
+            limit_except POST {
+                deny  all;
+            }
+            proxy_pass http://go2rtc/api/webrtc;
+            include proxy.conf;
+        }
+
+        location ~* /api/.*\.(jpg|jpeg|png|webp|gif)$ {
+            include auth_request.conf;
+            rewrite ^/api/(.*)$ /$1 break;
+            proxy_pass http://frigate_api;
+            include proxy.conf;
+        }
+
+        location /api/ {
+            include auth_request.conf;
+            add_header Cache-Control "no-store";
+            expires off;
+            proxy_pass http://frigate_api/;
+            include proxy.conf;
+
+            proxy_cache api_cache;
+            proxy_cache_lock on;
+            proxy_cache_use_stale updating;
+            proxy_cache_valid 200 5s;
+            proxy_cache_bypass $http_x_cache_bypass;
+            proxy_no_cache $should_not_cache;
+            add_header X-Cache-Status $upstream_cache_status;
+
+            location /api/vod/ {
+                include auth_request.conf;
+                proxy_pass http://frigate_api/vod/;
+                include proxy.conf;
+                proxy_cache off;
+            }
+
+            location /api/login {
+                auth_request off;
+                rewrite ^/api(/.*)$ $1 break;
+                proxy_pass http://frigate_api;
+                include proxy.conf;
+            }
+
+            # Allow unauthenticated access to the first_time_login endpoint
+            # so the login page can load help text before authentication.
+            location /api/auth/first_time_login {
+                auth_request off;
+                limit_except GET {
+                    deny all;
+                }
+                rewrite ^/api(/.*)$ $1 break;
+                proxy_pass http://frigate_api;
+                include proxy.conf;
+            }
+
+            location /api/stats {
+                include auth_request.conf;
+                access_log off;
+                rewrite ^/api(/.*)$ $1 break;
+                proxy_pass http://frigate_api;
+                include proxy.conf;
+            }
+
+            location /api/version {
+                include auth_request.conf;
+                access_log off;
+                rewrite ^/api(/.*)$ $1 break;
+                proxy_pass http://frigate_api;
+                include proxy.conf;
+            }
+        }
+
+        location / {
+            # do not require auth for static assets
+            add_header Cache-Control "no-store";
+            expires off;
+
+            location /assets/ {
+                access_log off;
+                expires 1y;
+                add_header Cache-Control "public";
+            }
+
+            location /fonts/ {
+                access_log off;
+                expires 1y;
+                add_header Cache-Control "public";
+            }
+
+            location /locales/ {
+                access_log off;
+                add_header Cache-Control "public";
+            }
+
+            location ~ ^/.*-([A-Za-z0-9]+)\.webmanifest$ {
+                access_log off;
+                expires 1y;
+                add_header Cache-Control "public";
+                default_type application/json;
+                proxy_set_header Accept-Encoding "";
+                sub_filter_once off;
+                sub_filter_types application/json;
+                sub_filter '"start_url": "/BASE_PATH/"' '"start_url" : "$http_x_ingress_path/"';
+                sub_filter '"src": "/BASE_PATH/' '"src": "$http_x_ingress_path/';
+            }
+
+            sub_filter 'href="/BASE_PATH/' 'href="$http_x_ingress_path/';
+            sub_filter 'url(/BASE_PATH/' 'url($http_x_ingress_path/';
+            sub_filter '"/BASE_PATH/dist/' '"$http_x_ingress_path/dist/';
+            sub_filter '"/BASE_PATH/js/' '"$http_x_ingress_path/js/';
+            sub_filter '"/BASE_PATH/assets/' '"$http_x_ingress_path/assets/';
+            sub_filter '"/BASE_PATH/locales/' '"$http_x_ingress_path/locales/';
+            sub_filter '"/BASE_PATH/monacoeditorwork/' '"$http_x_ingress_path/assets/';
+            sub_filter 'return"/BASE_PATH/"' 'return window.baseUrl';
+            sub_filter '<body>' '<body><script>window.baseUrl="$http_x_ingress_path/";</script>';
+            sub_filter_types text/css application/javascript;
+            sub_filter_once off;
+
+            root /opt/frigate/web;
+            try_files $uri $uri.html $uri/ /index.html;
+        }
+    }
+}
@@ -0,0 +1,26 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-URI $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
@@ -0,0 +1,25 @@
+# Header used to validate reverse proxy trust
+proxy_set_header X-Proxy-Secret $http_x_proxy_secret;
+
+# these headers will be copied to the /auth request and are available
+# to be mapped in the config to Frigate's remote-user header
+
+# List of headers sent by common authentication proxies:
+# - Authelia
+# - Traefik forward auth
+# - oauth2_proxy
+# - Authentik
+
+proxy_set_header Remote-User $http_remote_user;
+proxy_set_header Remote-Groups $http_remote_groups;
+proxy_set_header Remote-Email $http_remote_email;
+proxy_set_header Remote-Name $http_remote_name;
+proxy_set_header X-Forwarded-User $http_x_forwarded_user;
+proxy_set_header X-Forwarded-Groups $http_x_forwarded_groups;
+proxy_set_header X-Forwarded-Email $http_x_forwarded_email;
+proxy_set_header X-Forwarded-Preferred-Username $http_x_forwarded_preferred_username;
+proxy_set_header X-authentik-username $http_x_authentik_username;
+proxy_set_header X-authentik-groups $http_x_authentik_groups;
+proxy_set_header X-authentik-email $http_x_authentik_email;
+proxy_set_header X-authentik-name $http_x_authentik_name;
+proxy_set_header X-authentik-uid $http_x_authentik_uid;
@@ -0,0 +1,11 @@
+"""Prints the base path as json to stdout."""
+
+import json
+import os
+from typing import Any
+
+base_path = os.environ.get("FRIGATE_BASE_PATH", "")
+
+result: dict[str, Any] = {"base_path": base_path}
+
+print(json.dumps(result))
@@ -0,0 +1,35 @@
+"""Prints the tls config as json to stdout."""
+
+import json
+import sys
+from typing import Any
+
+from ruamel.yaml import YAML
+
+sys.path.insert(0, "/opt/frigate")
+from frigate.util.config import find_config_file
+
+sys.path.remove("/opt/frigate")
+
+yaml = YAML()
+
+config_file = find_config_file()
+
+try:
+    with open(config_file) as f:
+        raw_config = f.read()
+
+    if config_file.endswith((".yaml", ".yml")):
+        config: dict[str, Any] = yaml.load(raw_config)
+    elif config_file.endswith(".json"):
+        config: dict[str, Any] = json.loads(raw_config)
+except FileNotFoundError:
+    config: dict[str, Any] = {}
+
+tls_config: dict[str, any] = config.get("tls", {"enabled": True})
+networking_config = config.get("networking", {})
+ipv6_config = networking_config.get("ipv6", {"enabled": False})
+
+output = {"tls": tls_config, "ipv6": ipv6_config}
+
+print(json.dumps(output))
@@ -0,0 +1,19 @@
+{{ if .base_path }}
+location = {{ .base_path }} {
+    return 302 {{ .base_path }}/;
+}
+
+location ^~ {{ .base_path }}/ {
+    # remove base_url from the path before passing upstream
+    rewrite ^{{ .base_path }}/(.*) /$1 break;
+
+    proxy_pass $scheme://127.0.0.1:8971;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Ingress-Path {{ .base_path }};
+
+    access_log off;
+}
+{{ end }}
@@ -0,0 +1,45 @@
+
+# Internal (IPv4 always; IPv6 optional)
+listen 5000;
+{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:5000;{{ end }}{{ end }}
+
+
+# intended for external traffic, protected by auth
+{{ if .tls }}
+    {{ if .tls.enabled }}
+        # external HTTPS (IPv4 always; IPv6 optional)
+        listen 8971 ssl;
+        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971 ssl;{{ end }}{{ end }}
+
+        ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
+
+        # generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
+        # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+        ssl_session_tickets off;
+
+        # modern configuration
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers off;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        # ACME challenge location
+        location /.well-known/acme-challenge/ {
+                default_type "text/plain";
+                root /etc/letsencrypt/www;
+        }
+    {{ else }}
+        # external HTTP (IPv4 always; IPv6 optional)
+        listen 8971;
+        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
+    {{ end }}
+{{ else }}
+    # (No tls section) default to HTTP (IPv4 always; IPv6 optional)
+    listen 8971;
+    {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
+{{ end }}
+