Merge pull request #16 from Stolas/copilot/collect-all-open-issues-fixes

Fix all open issues: dead link, CompreFace, syslog support, NVR in Grafana
Cant be asked to check lets roll it.

Author: Stolas

README.md

@@ -50,13 +50,18 @@ This project was 99% developed by AI assistants (Gemini and GitHub Copilot). The
 
 * **Local Network Access:** All services communicate on the local network
 * **Port Availability:** Ensure the following ports are available:
+  * 514 (Syslog UDP/TCP for Node-RED) - for log ingestion from network devices (Fixes #14)
+  * 1880 (Node-RED, configurable)
   * 1883 (Mosquitto MQTT)
+  * 1984 (go2rtc Web UI) - for RTSP stream conversion (Fixes #15)
   * 3000 (Grafana)
   * 3001 (Double-Take) - only if NVR is enabled
   * 5000 (Frigate, configurable) - only if NVR is enabled
+  * 8000 (CompreFace) - only if NVR is enabled (Fixes #5)
   * 8080 (Zigbee2MQTT Web UI)
   * 8086 (InfluxDB)
-  * 1880 (Node-RED, configurable)
+  * 8554 (go2rtc RTSP server) - for re-streaming camera feeds (Fixes #15)
+  * 8555 (go2rtc WebRTC server) - for low-latency browser playback (Fixes #15)
 
 ## Getting Started
 
@@ -119,6 +124,34 @@ If you selected the NVR option, you need to configure Frigate:
 
 * Edit the `frigate_config.yml` file to define your cameras and settings.
 
+### 3a. Configure CompreFace and Double-Take (NVR Only - Fixes #5)
+
+CompreFace provides face recognition capabilities for Double-Take, enabling facial detection in your NVR setup.
+
+**Automatic Configuration:**
+
+The `COMPREFACE_API_KEY` is automatically generated by `create_secrets.sh`. This key is used for secure communication between Double-Take and CompreFace.
+
+**Double-Take Configuration:**
+
+After the stack is running, configure Double-Take to use CompreFace:
+
+1. Access Double-Take at `http://doubletake.<BASE_DOMAIN>` or `http://<host_ip>:3001`
+2. Navigate to Settings → Detectors
+3. Add CompreFace as a detector with:
+   - **URL:** `http://compreface:8000`
+   - **API Key:** Use the `COMPREFACE_API_KEY` from your `secrets.env` file
+4. Configure face recognition settings as needed
+
+**CompreFace Face Training:**
+
+To train CompreFace to recognize faces:
+
+1. Access CompreFace at `http://compreface.<BASE_DOMAIN>` or `http://<host_ip>:8000`
+2. Create a new application or use the existing one
+3. Upload reference images for face recognition
+4. Double-Take will automatically use these trained faces for detection
+
 ### 4. Run the Stack
 
 After completing the manual configuration in `secrets.env`, run the setup again:
@@ -416,14 +449,135 @@ For more information on Grafana security and sharing options, refer to the [offi
    - The Grafana UI will show a "Sign in" button in the top right for anonymous users
    - Admin users can still log in to create/edit dashboards
 
+## Node-RED Configuration (Fixes #14)
+
+Node-RED provides flow-based automation for the IoT/SCADA stack. It includes support for MQTT and syslog ingestion.
+
+### MQTT Integration
+
+Node-RED can communicate with the Mosquitto MQTT broker on the internal network. To configure MQTT in your flows:
+
+1. Add an **mqtt in** or **mqtt out** node to your flow
+2. Configure the broker connection:
+   - **Server:** `mosquitto` (internal container hostname)
+   - **Port:** `1883`
+   - **Username:** Your `MQTT_USER` from `secrets.env`
+   - **Password:** Your `MQTT_PASSWORD` from `secrets.env`
+
+**Example MQTT Flow:**
+```json
+[{"id":"mqtt-broker","type":"mqtt-broker","name":"Mosquitto","broker":"mosquitto","port":"1883","clientid":"","autoConnect":true,"usetls":false,"protocolVersion":"4","keepalive":"60","cleansession":true}]
+```
+
+### Syslog Log Ingestion
+
+The stack exposes port 514 (UDP and TCP) for syslog log ingestion. This allows network devices (routers, switches, servers, etc.) to send logs to Node-RED for processing, aggregation, and visualization.
+
+**Installing node-red-contrib-syslog-input:**
+
+1. Access Node-RED at `http://nodered.<BASE_DOMAIN>` or `http://<host_ip>:1880`
+2. Go to **Menu → Manage palette → Install**
+3. Search for `node-red-contrib-syslog-input`
+4. Click **Install**
+
+**Setting up Syslog Input Flow:**
+
+1. Add a **syslog input** node to your flow
+2. Configure the node:
+   - **Port:** `514`
+   - **Protocol:** `UDP` or `TCP` (depending on your device configuration)
+3. Connect to processing nodes (function, debug, dashboard, etc.)
+
+**Example Syslog Flow:**
+```json
+[{"id":"syslog-in","type":"syslog-input","name":"Syslog Input","port":"514","protocol":"udp","wires":[["debug-node"]]},{"id":"debug-node","type":"debug","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto"}]
+```
+
+**Configuring Network Devices:**
+
+Configure your network devices to send syslog messages to the Home-IOT-SCADA-Stack host IP address on port 514. Refer to your device's documentation for specific syslog configuration instructions.
+
+## go2rtc and Camera Streams in Grafana (Fixes #15)
+
+go2rtc is included in all stack profiles (IoT/SCADA, NVR, and combined) to enable displaying camera RTSP streams in Grafana dashboards.
+
+### go2rtc Configuration
+
+1. Access go2rtc at `http://go2rtc.<BASE_DOMAIN>` or `http://<host_ip>:1984`
+2. Configure your camera streams in the go2rtc web interface or by creating a config file
+
+**Example go2rtc configuration (create in the go2rtc_data volume):**
+```yaml
+streams:
+  camera1:
+    - rtsp://user:[email protected]:554/stream1
+  camera2:
+    - rtsp://user:[email protected]:554/stream1
+```
+
+### Available go2rtc Ports
+
+* **Port 1984:** go2rtc Web UI and API
+* **Port 8554:** RTSP server (re-streams converted streams)
+* **Port 8555:** WebRTC server (for browser playback)
+
+### Embedding Camera Streams in Grafana
+
+To display camera streams in Grafana dashboards:
+
+1. **Install the HTML panel plugin:**
+   - Go to Grafana → Configuration → Plugins
+   - Search for "HTML" or "Text" panel
+   - Install a suitable HTML panel plugin (e.g., "marcusolsson-dynamictext-panel")
+
+2. **Create a dashboard panel with embedded stream:**
+   ```html
+   <iframe 
+     src="http://go2rtc.<BASE_DOMAIN>/stream.html?src=camera1" 
+     width="100%" 
+     height="400" 
+     frameborder="0">
+   </iframe>
+   ```
+
+3. **Alternative: Use WebRTC stream URL:**
+   ```
+   http://go2rtc.<BASE_DOMAIN>/api/ws?src=camera1
+   ```
+
+**Example Grafana Dashboard JSON:**
+```json
+{
+  "panels": [
+    {
+      "title": "Camera 1",
+      "type": "marcusolsson-dynamictext-panel",
+      "options": {
+        "content": "<iframe src='http://go2rtc.home.local/stream.html?src=camera1' width='100%' height='400' frameborder='0'></iframe>"
+      }
+    }
+  ]
+}
+```
+
+### Stream URLs Reference
+
+| Format | URL Pattern | Use Case |
+|--------|-------------|----------|
+| WebRTC | `http://go2rtc:1984/stream.html?src=<stream_name>` | Low latency browser playback |
+| HLS | `http://go2rtc:1984/api/stream.m3u8?src=<stream_name>` | Wide compatibility |
+| RTSP | `rtsp://go2rtc:8554/<stream_name>` | Re-stream to other applications |
+
 ## Components and Access Points
 
 | Component | Purpose | Access URL (Default Ports) | Notes |
 |-----------|---------|----------------------------|-------|
 | **Nginx** | Reverse Proxy | http://&lt;host_ip&gt; | Always included, provides hostname-based routing |
 | **Grafana** | Data Visualization (SCADA UI) | http://grafana.&lt;BASE_DOMAIN&gt; or :3000 | IoT/SCADA modes only |
+| **go2rtc** | RTSP to WebRTC/HLS Converter | http://go2rtc.&lt;BASE_DOMAIN&gt; or :1984 | All modes, for camera streams in Grafana (Fixes #15) |
 | **Frigate** | NVR and Object Detection | http://frigate.&lt;BASE_DOMAIN&gt; or :5000 | NVR modes only |
 | **Double-Take** | Facial Recognition for Frigate | http://doubletake.&lt;BASE_DOMAIN&gt; or :3001 | NVR modes only |
+| **CompreFace** | Face Recognition API | http://compreface.&lt;BASE_DOMAIN&gt; or :8000 | NVR modes only, backend for Double-Take (Fixes #5) |
 | **Node-RED** | Flow-Based Automation | http://nodered.&lt;BASE_DOMAIN&gt; or :1880 | IoT/SCADA modes only |
 | **Zigbee2MQTT** | Zigbee Device Control | http://zigbee.&lt;BASE_DOMAIN&gt; or :8080 | IoT/SCADA modes only |
 | **Cockpit** | openSUSE Web Console | http://cockpit.&lt;BASE_DOMAIN&gt; | Requires Cockpit enabled on host |
@@ -453,6 +607,33 @@ sudo systemctl enable --now cockpit.socket
 | **nginx/** | Directory for Nginx configuration files. nginx.conf is auto-generated based on stack type. |
 | **.gitignore** | Ensures secrets.env and .stack_config are never committed to Git. |
 
+## Security
+
+This stack implements multiple security layers to protect your home IoT infrastructure:
+
+### Credential Management
+* **Automatic Secret Generation:** The `create_secrets.sh` script generates unique, random, 64-character passwords/tokens for all sensitive environment variables (MQTT, InfluxDB, Grafana, SMB).
+* **Secrets File Protection:** The `secrets.env` file is excluded from version control via `.gitignore` to prevent accidental credential exposure.
+
+### Network Security
+* **Container Isolation:** All services run in isolated Podman containers on a dedicated internal network (`iot_net`).
+* **Hostname-Based Routing:** Nginx reverse proxy provides hostname-based access to services, reducing direct port exposure.
+* **Rootless Containers:** The stack is designed to run with rootless Podman for enhanced security isolation.
+
+### Access Control
+* **Grafana Authentication:** By default, Grafana requires authentication. Anonymous access can be optionally enabled for trusted networks only.
+* **MQTT Authentication:** Mosquitto broker supports username/password authentication for MQTT clients.
+* **Service Segmentation:** Services are organized by stack type (IoT/SCADA, NVR) allowing deployment of only necessary components.
+
+### Best Practices
+* Keep your `secrets.env` file secure and never commit it to version control.
+* Regularly update container images for security patches.
+* Use network-level security (firewall, VPN) to restrict external access.
+* Review Grafana dashboard permissions when enabling public access.
+* Monitor container logs for suspicious activity.
+
+For more information on specific service security configurations, see the [Grafana Configuration](#grafana-configuration) section.
+
 ## Troubleshooting
 
 * **openSUSE Leap Micro Updates:** Use `sudo transactional-update` for package management and system upgrades, followed by a reboot.

create_secrets.sh

@@ -41,6 +41,7 @@ sed -e "
     /^INFLUXDB_ADMIN_TOKEN=/c\INFLUXDB_ADMIN_TOKEN=$(generate_random_string)
     /^GRAFANA_ADMIN_PASSWORD=/c\GRAFANA_ADMIN_PASSWORD=$(generate_random_string)
     /^GRAFANA_SECRET_KEY=/c\GRAFANA_SECRET_KEY=$(generate_random_string)
+    /^COMPREFACE_API_KEY=/c\COMPREFACE_API_KEY=$(generate_random_string)
     /^SMB_PASS=/c\SMB_PASS=$(generate_random_string)
 " "$ENV_EXAMPLE_FILE" > "$TEMP_FILE"
 

nginx/index.html.template

@@ -44,7 +44,7 @@
                 <div class="info-card">
                     <h3>🛡️ Security</h3>
                     <p>Powered by Podman with automatic secret generation and hostname-based routing</p>
-                    <a href="https://github.com/Stolas/Home-IOT-SCADA-Stack#features" target="_blank" class="doc-link">Security Details</a>
+                    <a href="https://github.com/Stolas/Home-IOT-SCADA-Stack#security" target="_blank" class="doc-link">Security Details</a>
                 </div>
             </section>
         </main>

secrets.env-example

@@ -77,11 +77,22 @@ ZIGBEE2MQTT_HOSTNAME=zigbee
 COCKPIT_HOSTNAME=cockpit
 DOUBLETAKE_HOSTNAME=doubletake
 
+# GO2RTC CONFIGURATION (RTSP to WebRTC/HLS converter for Grafana) - Fixes #15
+# go2rtc allows displaying camera RTSP streams in Grafana dashboards
+# Available for all stack profiles (IoT/SCADA, NVR, and combined)
+GO2RTC_HOSTNAME=go2rtc
+
 # FRIGATE CONFIGURATION
 FRIGATE_PORT=5000
 FRIGATE_RTSP_PORT=8554
 FRIGATE_RECORDINGS_HOST_PATH=/home/stolas/frigate_recordings
 
+# COMPREFACE CONFIGURATION (Face Recognition API for Double-Take) - Fixes #5
+# CompreFace provides facial recognition capabilities for Double-Take
+# Generate a unique API key for secure communication between Double-Take and CompreFace
+COMPREFACE_API_KEY=your_compreface_api_key
+COMPREFACE_HOSTNAME=compreface
+
 # SMB CONFIGURATION
 SMB_SERVER=my.smbserver.home
 SMB_SHARE=frigate_share