introduce /etc/moonfire-nvr.json (#133)

guide/build.md

@@ -277,23 +277,19 @@ some of the shell script's subcommands that wrap Docker (`start`, `stop`, and
 If you want to deploy a non-Docker build on Linux, you may want to use
 `systemd`. Create `/etc/systemd/system/moonfire-nvr.service`:
 
-```
+```ini
 [Unit]
 Description=Moonfire NVR
 After=network-online.target
 
 [Service]
-ExecStart=/usr/local/bin/moonfire-nvr run \
-    --db-dir=/var/lib/moonfire-nvr/db \
-    --http-addr=0.0.0.0:8080 \
-    --allow-unauthenticated-permissions='view_video: true'
+ExecStart=/usr/local/bin/moonfire-nvr run
 Environment=TZ=:/etc/localtime
 Environment=MOONFIRE_FORMAT=google-systemd
 Environment=MOONFIRE_LOG=info
 Environment=RUST_BACKTRACE=1
 Type=simple
 User=moonfire-nvr
-Nice=-20
 Restart=on-failure
 CPUAccounting=true
 MemoryAccounting=true
@@ -303,10 +299,24 @@ BlockIOAccounting=true
 WantedBy=multi-user.target
 ```
 
-Note that the arguments used here are insecure. You can change that via
-replacing the `--allow-unauthenticated-permissions` argument here as
-described in [Securing Moonfire NVR and exposing it to the
-Internet](secure.md).
+You'll also need a `/etc/moonfire-nvr.json`:
+
+```json
+{
+    "binds": [
+        {
+            "ipv4": "0.0.0.0:8080",
+            "allowUnauthenticatedPermissions": {
+                "viewVideo": true
+            }
+        }
+    ]
+}
+```
+
+Note this configuration is insecure. You can change that via replacing the
+`allowUnauthenticatedPermissions` here as described in [Securing Moonfire NVR
+and exposing it to the Internet](secure.md).
 
 Some handy commands:
 

guide/install.md

@@ -71,6 +71,7 @@ image_name="scottlamb/moonfire-nvr:latest"
 container_name="moonfire-nvr"
 common_docker_run_args=(
         --mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr
+        --mount=type=bind,source=/etc/moonfire-nvr.json,destination=/etc/moonfire-nvr.json
 
         # Add additional mount lines here for each sample file directory
         # outside of /var/lib/moonfire-nvr, eg:
@@ -107,12 +108,6 @@ run)
                 --name="${container_name}" \
                 "${image_name}" \
                 run \
-
-                # Add any additional `moonfire-nvr run` arguments here, eg
-                # "--rtsp-library=ffmpeg" if the default "--rtsp-library=retina"
-                # isn't working.
-                --allow-unauthenticated-permissions='view_video: true' \
-
                 "$@"
         ;;
 start|stop|logs|rm)
@@ -263,6 +258,21 @@ In the user interface,
 
 ### Starting it up
 
+You'll need to create the runtime configuration file, `/etc/moonfire-nvr.json`:
+
+```json
+{
+    "binds": [
+        {
+            "ipv4": "0.0.0.0:8080",
+            "allowUnauthenticatedPermissions": {
+                "viewVideo": true
+            }
+        }
+    ]
+}
+```
+
 Note that at this stage, Moonfire NVR's web interface is **insecure**: it
 doesn't use `https` and doesn't require you to authenticate
 to it. You might be comfortable starting it in this configuration to try it

guide/secure.md

@@ -161,31 +161,33 @@ your browser. See [How to secure Nginx with Let's Encrypt on Ubuntu
 
 ## 6. Reconfigure Moonfire NVR
 
-If you follow the recommended Docker setup, your `/usr/local/bin/nvr` script
-will contain this line:
+If you follow the recommended Docker setup, your `/etc/moonfire-nvr.json`
+will contain these lines:
 
-```
-                --allow-unauthenticated-permissions='view_video: true'
+```json
+            "allowUnauthenticatedPermissions": {
+                "viewVideo": true
+            }
 ```
 
-Replace it with the following:
+Replace them with the following:
 
-```
-                --trust-forward-hdrs
+```json
+            "trustForwardHdrs": true
 ```
 
 This change has two effects:
 
-   * No `--allow-unauthenticated-permissions` means that web users must
-     authenticate.
-   * `--trust-forward-hdrs` means that Moonfire NVR will look for `X-Real-IP`
+   * No `allowUnauthenticatePermissions` means that web users must authenticate.
+   * `trustForwardHdrs` means that Moonfire NVR will look for `X-Real-IP`
      and `X-Forwarded-Proto` headers as added by the webserver configuration
      in the next section.
 
 If the webserver is running on the same machine as Moonfire NVR, you might
-also change `--publish=8080:8080` to `--publish=127.0.0.1:8080:8080`, which
-prevents other machines on the network from impersonating the proxy,
-effectively allowing them to lie about the client's IP and protocol.
+also change `--publish=8080:8080` to `--publish=127.0.0.1:8080:8080` in your
+`/usr/local/bin/nvr` script, preventing other machines on the network from
+impersonating the proxy, effectively allowing them to lie about the client's IP
+and protocol.
 
 To make this take effect, you'll need to stop the running Docker container,
 delete it, and create/run a new one: