Commit Graph

17 Commits

Author SHA1 Message Date
Scott Lamb
a4bc7f5218
config file reference and doc reorganization 2023-01-06 14:25:13 -06:00
Scott Lamb
abcb26b281
update some config file refs in secure.md 2023-01-06 06:49:11 -06:00
Scott Lamb
42fe054d46
make GET /api/ return current permissions
This is useful for e.g. deciding whether or not to present the user
admin UI in navigation.

As part of this change, I adjusted the casing in Permissions, and then
all the toml stuff for consistency. Noted in changelog.
2022-12-31 12:43:13 -05:00
Dima S
2b92f06152 [docs] Fix broken nginx link. 2022-05-18 22:51:59 -07:00
Scott Lamb
319d7c3e1d move perms to proper spot in config 2022-03-16 18:31:07 -07:00
Scott Lamb
892427592e tweak config format (#133)
* switch from json to toml.
  I think this will be more user-friendly. It allows comments and has
  less punctuation. Fewer surprises than yaml (which has e.g. the
  "Norway problem"). I might have stayed with JSON if I could see a
  good serde json library that allows comments, but hson is unmaintained
  and serde-json strictly follows the spec.

* switch from camelCase to snake_case. Seems more idiomatic for TOML
  and matches the Rust source.

* forbid unknown keys. Better to spot errors sooner.

* rename "trust_forward_hdrs" to "trust_forward_headers". Nothing else
  is abbreviated.
2022-03-16 12:34:39 -07:00
Scott Lamb
ceaef46ea9 introduce /etc/moonfire-nvr.json (#133) 2022-03-09 13:18:33 -08:00
Scott Lamb
30cea5cfcb several documentation improvements
*   prefix docker/nvr commands with sudo (fixes #142).
    I was just going to link to the docker documentation on setting
    up non-root access, but that's kind of a personal preference.
    I included a `<details>` about it instead and made all the commands
    work with sudo.

*   take better advantage of github markdown's code block syntax
    highlighting. Use "console" for shell session stuff, put the
    "nvr" wrapper script in its own block with "bash".

*   add some comments to nvr wrapper script where people need to
    make changes and/or will be confused.

*   add a `<details>` that talks about shutting down and restarting
    the session around `nvr config` (see #151). Still not user-friendly
    but at least it's better documented now.
2021-08-23 12:44:48 -07:00
Scott Lamb
4204d84bde
disable proxy buffering in nginx
Buffering to local disk is unnecessary and wasteful.
Moonfire connections are cheap.
2021-08-13 15:28:31 -07:00
Scott Lamb
90dd68ee7c update nginx tutorial link 2021-06-04 09:00:24 -07:00
Scott Lamb
4d4d78ba64 mass markdown reformatting
Add tables of contents (using the VS Code Markdown All-In-One extension)
and reformat lists to consistently use 4-space indents. No content
changes.
2021-04-01 12:32:31 -07:00
Scott Lamb
31801e20c3 update docs to recommend new Docker setup
and remove the old scripts, to reduce the supported ways of doing
things.
2021-01-21 16:00:38 -08:00
Scott Lamb
92266612b5 switch to websocket for live stream (#59)
The multipart stream / hanging GET approach worked in a prototype for a
single stream, but Chrome has a per-host limit of six connections. If I
try streaming all my cameras at once, I hit that limit. I can't open all
the streams, much less additional connections to load init segments and
such. Websockets apparently has a much higher limit of 256.
2020-02-29 14:39:16 -08:00
Scott Lamb
fda7e4ca2b add concept of user/session permissions
(I also considered the names "capabilities" and "scopes", but I think
"permissions" is the most widely understood.)

This is increasingly necessary as the web API becomes more capable.
Among other things, it allows:

* non-administrator users who can view but not access camera passwords
  or change any state
* workers that update signal state based on cameras' built-in motion
  detection or a security system's events but don't need to view videos
* control over what can be done without authenticating

Currently session permissions are just copied from user permissions, but
you can also imagine admin sessions vs not, as a checkbox when signing
in. This would match the standard Unix workflow of using a
non-administrative session most of the time.

Relevant to my current signals work (#28) and to the addition of an
administrative API (#35, including #66).
2019-06-19 15:34:20 -07:00
Scott Lamb
4580038013 fix --require-auth flag
Apparently with docopt, --require-auth=false doesn't work, so booleans
with a default value of true can't be turned off. Toggle the default to
false to deal with this, for now. I'd prefer the default be true, but
I also would prefer to not use a negative --no-require-auth or
--allow-unauthenticated flag. I think I'll switch from docopt to clap
in the near future; it seems to be what the cool kids use.
2018-12-28 08:39:50 -06:00
Scott Lamb
278a87d5fd tweaks to guide/secure.md
after reading the rendered version online
2018-12-27 16:29:26 -06:00
Scott Lamb
24674f5b50 document proxy setup in guide/secure.md (for #26)
The guide is not as quick to follow and amateur-friendly as I'd like. A
few things that might improve matters:

   * complete #27 (built-in https+letsencrypt), so that when not sharing
     the port, users don't need to use nginx or certbot.
   * more ubiquitous IPv6 (out of my control but should happen over
     time) to reduce need to share the port
   * embed a dynamic DNS client
   * support UPnP Internet Gateway Device Control Protocol (if common
     routers have this enabled? probably not for security reasons.)

It's progress, though. Enough that I think I'll merge the auth branch
into master shortly.
2018-12-27 16:00:15 -06:00