Initial commit: Vigilar DIY home security system

Phase 1 (Foundation): project skeleton, TOML config + Pydantic validation, MQTT bus wrapper, SQLite schema (9 tables), Click CLI, process supervisor. Phase 2 (Camera): RTSP capture via OpenCV, MOG2 motion detection with configurable sensitivity/zones, adaptive FPS recording (2fps idle/30fps motion) via FFmpeg subprocess, HLS live streaming, pre-motion ring buffer. Phase 3 (Web UI): Flask + Bootstrap 5 dark theme, 6 blueprints, Jinja2 templates (dashboard, kiosk 2x2 grid, events, sensors, recordings, settings), PWA with service worker + Web Push, full admin settings UI with config persistence. Remote Access: WireGuard tunnel configs, nginx reverse proxy with HLS caching + rate limiting, bandwidth-optimized remote HLS stream (426x240 @ 500kbps), DO droplet setup script, certbot TLS. 29 tests passing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:11:27 -04:00
commit 845a85d618
69 changed files with 7061 additions and 0 deletions
--- a/remote/setup_droplet.sh
+++ b/remote/setup_droplet.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+# Full setup script for Digital Ocean droplet as Vigilar reverse proxy
+# Run this on a fresh Ubuntu 24.04 LTS droplet.
+#
+# What it does:
+# 1. Installs WireGuard, nginx, certbot
+# 2. Configures WireGuard tunnel (interactive key exchange)
+# 3. Deploys nginx reverse proxy config
+# 4. Sets up TLS with Let's Encrypt
+# 5. Configures firewall
+
+set -euo pipefail
+
+echo "============================================"
+echo "  Vigilar — Droplet Reverse Proxy Setup"
+echo "============================================"
+echo ""
+
+# Require root
+if [[ $EUID -ne 0 ]]; then
+    echo "Run as root: sudo bash setup_droplet.sh"
+    exit 1
+fi
+
+# --- Step 1: Install packages ---
+echo "[1/6] Installing packages..."
+apt update
+apt install -y wireguard nginx certbot python3-certbot-nginx ufw
+
+# --- Step 2: WireGuard ---
+echo ""
+echo "[2/6] Setting up WireGuard..."
+
+if [[ -f /etc/wireguard/wg0.conf ]]; then
+    echo "  WireGuard already configured. Skipping."
+else
+    # Generate keys
+    PRIV_KEY=$(wg genkey)
+    PUB_KEY=$(echo "$PRIV_KEY" | wg pubkey)
+
+    echo ""
+    echo "  Droplet PUBLIC key (give this to your home server):"
+    echo "  $PUB_KEY"
+    echo ""
+    read -p "  Enter home server's PUBLIC key: " HOME_PUB_KEY
+
+    cat > /etc/wireguard/wg0.conf <<EOF
+[Interface]
+Address = 10.99.0.1/32
+ListenPort = 51820
+PrivateKey = $PRIV_KEY
+
+[Peer]
+PublicKey = $HOME_PUB_KEY
+AllowedIPs = 10.99.0.2/32
+EOF
+
+    chmod 600 /etc/wireguard/wg0.conf
+    systemctl enable --now wg-quick@wg0
+    echo "  WireGuard started. Tunnel IP: 10.99.0.1"
+fi
+
+# --- Step 3: Firewall ---
+echo ""
+echo "[3/6] Configuring firewall..."
+ufw --force reset
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp      # SSH
+ufw allow 80/tcp      # HTTP (certbot + redirect)
+ufw allow 443/tcp     # HTTPS
+ufw allow 51820/udp   # WireGuard
+ufw --force enable
+echo "  Firewall configured."
+
+# --- Step 4: Nginx ---
+echo ""
+echo "[4/6] Configuring nginx..."
+
+read -p "  Enter your domain (e.g., vigilar.yourdomain.com): " DOMAIN
+
+# Create cache directory
+mkdir -p /var/cache/nginx/vigilar_hls
+
+# Deploy config
+NGINX_CONF="/etc/nginx/sites-available/vigilar"
+if [[ -f "$NGINX_CONF" ]]; then
+    cp "$NGINX_CONF" "${NGINX_CONF}.bak.$(date +%s)"
+fi
+
+# Copy template and replace domain
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+if [[ -f "$SCRIPT_DIR/nginx/vigilar.conf" ]]; then
+    sed "s/vigilar.yourdomain.com/$DOMAIN/g" "$SCRIPT_DIR/nginx/vigilar.conf" > "$NGINX_CONF"
+else
+    echo "  ERROR: nginx/vigilar.conf not found in $SCRIPT_DIR"
+    echo "  Copy it manually to /etc/nginx/sites-available/vigilar"
+    exit 1
+fi
+
+# Enable site
+ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar
+rm -f /etc/nginx/sites-enabled/default
+
+# Test config (will fail on TLS certs — that's OK, certbot fixes it)
+echo "  Testing nginx config (cert errors expected before certbot)..."
+nginx -t 2>/dev/null || true
+
+# --- Step 5: TLS with Let's Encrypt ---
+echo ""
+echo "[5/6] Setting up TLS..."
+echo "  Running certbot for $DOMAIN"
+echo "  Note: DNS must already point $DOMAIN to this droplet's IP."
+echo ""
+
+# Temporarily remove SSL directives so nginx starts
+# Create a minimal config for certbot
+cat > /etc/nginx/sites-available/vigilar-temp <<EOF
+server {
+    listen 80;
+    server_name $DOMAIN;
+    location / {
+        proxy_pass http://10.99.0.2:49735;
+    }
+}
+EOF
+ln -sf /etc/nginx/sites-available/vigilar-temp /etc/nginx/sites-enabled/vigilar-temp
+rm -f /etc/nginx/sites-enabled/vigilar
+nginx -t && systemctl reload nginx
+
+# Run certbot
+certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos --register-unsafely-without-email || {
+    echo ""
+    echo "  Certbot failed. Make sure DNS for $DOMAIN points to this server."
+    echo "  You can retry manually: certbot --nginx -d $DOMAIN"
+}
+
+# Remove temp config, restore full config
+rm -f /etc/nginx/sites-enabled/vigilar-temp /etc/nginx/sites-available/vigilar-temp
+ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar
+
+# Update the config with certbot's cert paths
+sed -i "s|ssl_certificate .*|ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;|" "$NGINX_CONF"
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;|" "$NGINX_CONF"
+
+nginx -t && systemctl reload nginx
+
+# --- Step 6: Verify ---
+echo ""
+echo "[6/6] Verifying setup..."
+echo ""
+
+# Check WireGuard
+if wg show wg0 &>/dev/null; then
+    echo "  [OK] WireGuard interface wg0 is up"
+else
+    echo "  [!!] WireGuard not running"
+fi
+
+# Check nginx
+if systemctl is-active --quiet nginx; then
+    echo "  [OK] nginx is running"
+else
+    echo "  [!!] nginx is not running"
+fi
+
+# Check cert
+if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
+    echo "  [OK] TLS certificate present"
+else
+    echo "  [!!] TLS certificate missing — run certbot manually"
+fi
+
+echo ""
+echo "============================================"
+echo "  Setup complete!"
+echo ""
+echo "  Droplet WireGuard IP: 10.99.0.1"
+echo "  Home server should be: 10.99.0.2"
+echo "  Web URL: https://$DOMAIN"
+echo ""
+echo "  Next steps:"
+echo "  1. Configure WireGuard on your home server"
+echo "  2. Test: ping 10.99.0.2 (from this droplet)"
+echo "  3. Start Vigilar on home server"
+echo "  4. Access https://$DOMAIN"
+echo "============================================"