Initial commit: Vigilar DIY home security system

Phase 1 (Foundation): project skeleton, TOML config + Pydantic validation,
MQTT bus wrapper, SQLite schema (9 tables), Click CLI, process supervisor.

Phase 2 (Camera): RTSP capture via OpenCV, MOG2 motion detection with
configurable sensitivity/zones, adaptive FPS recording (2fps idle/30fps
motion) via FFmpeg subprocess, HLS live streaming, pre-motion ring buffer.

Phase 3 (Web UI): Flask + Bootstrap 5 dark theme, 6 blueprints, Jinja2
templates (dashboard, kiosk 2x2 grid, events, sensors, recordings, settings),
PWA with service worker + Web Push, full admin settings UI with config
persistence.

Remote Access: WireGuard tunnel configs, nginx reverse proxy with HLS
caching + rate limiting, bandwidth-optimized remote HLS stream (426x240
@ 500kbps), DO droplet setup script, certbot TLS.

29 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

remote/wireguard/setup_wireguard.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+# WireGuard key generation and setup helper
+# Run this on BOTH the home server and the droplet to generate keys.
+# Then copy the public keys into the appropriate config files.
+
+set -euo pipefail
+
+echo "=== Vigilar WireGuard Setup ==="
+echo ""
+
+# Check if WireGuard is installed
+if ! command -v wg &>/dev/null; then
+    echo "Installing WireGuard..."
+    if command -v apt &>/dev/null; then
+        sudo apt update && sudo apt install -y wireguard
+    elif command -v pacman &>/dev/null; then
+        sudo pacman -S --noconfirm wireguard-tools
+    else
+        echo "ERROR: Install WireGuard manually for your OS"
+        exit 1
+    fi
+fi
+
+echo "Generating WireGuard keys..."
+PRIV_KEY=$(wg genkey)
+PUB_KEY=$(echo "$PRIV_KEY" | wg pubkey)
+
+echo ""
+echo "Private Key: $PRIV_KEY"
+echo "Public Key:  $PUB_KEY"
+echo ""
+echo "Save the private key in /etc/wireguard/ and share the PUBLIC key"
+echo "with the other end of the tunnel."
+echo ""
+
+# Detect if this is the home server or droplet
+read -p "Is this the (h)ome server or (d)roplet? [h/d]: " ROLE
+
+if [[ "$ROLE" == "d" ]]; then
+    echo ""
+    echo "=== DROPLET SETUP ==="
+    echo ""
+
+    # Save keys
+    sudo mkdir -p /etc/wireguard
+    echo "$PRIV_KEY" | sudo tee /etc/wireguard/droplet_private.key > /dev/null
+    echo "$PUB_KEY" | sudo tee /etc/wireguard/droplet_public.key > /dev/null
+    sudo chmod 600 /etc/wireguard/droplet_private.key
+
+    read -p "Home server's PUBLIC key: " HOME_PUB_KEY
+
+    # Generate config
+    sudo tee /etc/wireguard/wg0.conf > /dev/null <<EOF
+[Interface]
+Address = 10.99.0.1/32
+ListenPort = 51820
+PrivateKey = $PRIV_KEY
+
+[Peer]
+PublicKey = $HOME_PUB_KEY
+AllowedIPs = 10.99.0.2/32
+EOF
+
+    sudo chmod 600 /etc/wireguard/wg0.conf
+
+    # Open firewall
+    if command -v ufw &>/dev/null; then
+        sudo ufw allow 51820/udp
+        sudo ufw allow 443/tcp
+        sudo ufw allow 80/tcp
+        echo "Firewall rules added (51820/udp, 80/tcp, 443/tcp)"
+    fi
+
+    # Enable and start
+    sudo systemctl enable --now wg-quick@wg0
+    echo ""
+    echo "WireGuard started on droplet."
+    echo "Droplet tunnel IP: 10.99.0.1"
+    echo ""
+    echo "Share this public key with your home server: $PUB_KEY"
+
+elif [[ "$ROLE" == "h" ]]; then
+    echo ""
+    echo "=== HOME SERVER SETUP ==="
+    echo ""
+
+    # Save keys
+    sudo mkdir -p /etc/wireguard
+    echo "$PRIV_KEY" | sudo tee /etc/wireguard/home_private.key > /dev/null
+    echo "$PUB_KEY" | sudo tee /etc/wireguard/home_public.key > /dev/null
+    sudo chmod 600 /etc/wireguard/home_private.key
+
+    read -p "Droplet's PUBLIC key: " DROPLET_PUB_KEY
+    read -p "Droplet's public IP address: " DROPLET_IP
+
+    # Generate config
+    sudo tee /etc/wireguard/wg0.conf > /dev/null <<EOF
+[Interface]
+Address = 10.99.0.2/32
+PrivateKey = $PRIV_KEY
+
+[Peer]
+PublicKey = $DROPLET_PUB_KEY
+AllowedIPs = 10.99.0.1/32
+Endpoint = ${DROPLET_IP}:51820
+PersistentKeepalive = 25
+EOF
+
+    sudo chmod 600 /etc/wireguard/wg0.conf
+
+    # Enable and start
+    sudo systemctl enable --now wg-quick@wg0
+    echo ""
+    echo "WireGuard started on home server."
+    echo "Home tunnel IP: 10.99.0.2"
+    echo ""
+    echo "Share this public key with your droplet: $PUB_KEY"
+fi
+
+echo ""
+echo "Test connectivity with: ping 10.99.0.1 (from home) or ping 10.99.0.2 (from droplet)"

remote/wireguard/wg0-droplet.conf

@@ -0,0 +1,18 @@
+# WireGuard config for DIGITAL OCEAN DROPLET (reverse proxy)
+# Install: cp wg0-droplet.conf /etc/wireguard/wg0.conf
+# Start:   systemctl enable --now wg-quick@wg0
+
+[Interface]
+# Droplet's WireGuard IP on the tunnel
+Address = 10.99.0.1/32
+ListenPort = 51820
+# Generate with: wg genkey | tee /etc/wireguard/droplet_private.key | wg pubkey > /etc/wireguard/droplet_public.key
+PrivateKey = <DROPLET_PRIVATE_KEY>
+
+[Peer]
+# Home server
+PublicKey = <HOME_PUBLIC_KEY>
+# Home server's tunnel IP — traffic to this IP goes through WireGuard
+AllowedIPs = 10.99.0.2/32
+# No Endpoint needed — home server initiates the connection (NAT traversal)
+# No PersistentKeepalive needed — home server sends keepalives

remote/wireguard/wg0-home.conf

@@ -0,0 +1,21 @@
+# WireGuard config for HOME SERVER (Vigilar host)
+# Install: cp wg0-home.conf /etc/wireguard/wg0.conf
+# Start:   systemctl enable --now wg-quick@wg0
+
+[Interface]
+# Home server's WireGuard IP on the tunnel
+Address = 10.99.0.2/32
+# Generate with: wg genkey | tee /etc/wireguard/home_private.key | wg pubkey > /etc/wireguard/home_public.key
+PrivateKey = <HOME_PRIVATE_KEY>
+# Keep the tunnel alive through NAT (home router)
+# Send keepalive every 25s so the NAT mapping doesn't expire
+
+[Peer]
+# Digital Ocean droplet
+PublicKey = <DROPLET_PUBLIC_KEY>
+# Route all tunnel traffic to the droplet
+AllowedIPs = 10.99.0.1/32
+# Droplet's public IP + WireGuard port
+Endpoint = <DROPLET_PUBLIC_IP>:51820
+# Critical: keeps tunnel alive through home router NAT
+PersistentKeepalive = 25