TLS support (#11678)

* implement self signed cert and monitor/reload

* move go2rtc upstream to separate file

* add directory for ACME challenges

* make certsync more resilient

* add TLS docs

* add jwt secret info to docs

docs/docs/configuration/authentication.md

@@ -52,6 +52,27 @@ auth:
     - 172.18.0.0/16 # <---- this is the subnet for the internal docker compose network
 ```
 
+#### JWT Token Secret
+
+The JWT token secret needs to be kept secure. Anyone with this secret can generate valid JWT tokens to authenticate with Frigate. This should be a cryptographically random string of at least 64 characters.
+
+You can generate a token using the Python secret library with the following command:
+
+```shell
+python3 -c 'import secrets; print(secrets.token_hex(64))'
+```
+
+Frigate looks for a JWT token secret in the following order:
+
+1. An environment variable named `FRIGATE_JWT_SECRET`
+2. A docker secret named `FRIGATE_JWT_SECRET` in `/run/secrets/`
+3. A `jwt_secret` option from the Home Assistant Addon options
+4. A `.jwt_secret` file in the config directory
+
+If no secret is found on startup, Frigate generates one and stores it in a `.jwt_secret` file in the config directory.
+
+Changing the secret will invalidate current tokens.
+
 ### Proxy mode
 
 Proxy mode is designed to complement common upstream authentication proxies such as Authelia, Authentik, oauth2_proxy, or traefik-forward-auth.

docs/docs/configuration/tls.md

@@ -0,0 +1,34 @@
+---
+id: tls
+title: TLS
+---
+
+# TLS
+
+Frigate's integrated NGINX server supports TLS certificates. By default Frigate will generate a self signed certificate that will be used for port 443. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.
+
+Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. However, if you are running on a device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS.
+
+## Certificates
+
+TLS certificates can be mounted at `/etc/letsencrypt/live/frigate` using a bind mount or docker volume.
+
+```yaml
+frigate:
+  ...
+  volumes:
+    - /path/to/your/certificate_folder:/etc/letsencrypt/live/frigate
+  ...
+```
+
+Within the folder, the private key is expected to be named `privkey.pem` and the certificate is expected to be named `fullchain.pem`.
+
+Frigate automatically compares the fingerprint of the certificate at `/etc/letsencrypt/live/frigate/fullchain.pem` against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.
+
+## ACME Challenge
+
+Frigate also supports hosting the acme challenge files for the HTTP challenge method if needed. The challenge files should be mounted at `/etc/letsencrypt/www`.
+
+## Advanced customization
+
+If you would like to customize the TLS configuration, you can do so by using a bind mount to override `/usr/local/nginx/conf/tls.conf`. Check the source code for the default configuration and modify from there.

docs/docs/frigate/installation.md

@@ -34,7 +34,8 @@ The following ports are used by Frigate and can be mapped via docker as required
 
 | Port   | Description                                                                                                                                                                |
 | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `8080` | Authenticated UI and API access. Reverse proxies should use this port.                                                                                                     |
+| `8080` | Authenticated UI and API access without TLS. Reverse proxies should use this port.                                                                                         |
+| `443`  | Authenticated UI and API access with TLS. See the [TLS configuration](/configuration/tls) for more details.                                                                |
 | `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
 | `8554` | RTSP restreaming. By default, these streams are unauthenticated. Authentication can be configured in go2rtc section of config.                                             |
 | `8555` | WebRTC connections for low latency live views.                                                                                                                             |
@@ -44,7 +45,6 @@ The following ports are used by Frigate and can be mapped via docker as required
 Writing to a local disk or external USB drive:
 
 ```yaml
-version: "3.9"
 services:
   frigate:
     ...

docs/package.json

@@ -14,9 +14,9 @@
     "write-heading-ids": "docusaurus write-heading-ids"
   },
   "dependencies": {
-    "@docusaurus/core": "^3.3.2",
-    "@docusaurus/preset-classic": "^3.3.2",
-    "@docusaurus/theme-mermaid": "^3.3.2",
+    "@docusaurus/core": "^3.4.0",
+    "@docusaurus/preset-classic": "^3.4.0",
+    "@docusaurus/theme-mermaid": "^3.4.0",
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.1.0",
@@ -37,8 +37,8 @@
     ]
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.3.2",
-    "@docusaurus/types": "^3.3.2",
+    "@docusaurus/module-type-aliases": "^3.4.0",
+    "@docusaurus/types": "^3.4.0",
     "@types/react": "^18.2.79"
   },
   "engines": {

docs/sidebars.js

@@ -52,6 +52,7 @@ module.exports = {
         "configuration/authentication",
         "configuration/hardware_acceleration",
         "configuration/ffmpeg_presets",
+        "configuration/tls",
         "configuration/advanced",
       ],
     },