src

2023-02-01.html (31677B)

---

 <div class="wide64">
   <a href="/static/media/1920/dwrz_20221023T155810_edit.jpg" >
     <img class="img-center"
          src="/static/media/720/dwrz_20221023T155810_edit.jpg">
   </a>
   <p>
     I live in a ground floor apartment, and want to keep an eye on the space and
     the cats when I am away. A search for security camera systems that offered
     timelapse recording, livestream viewing, and instrusion notifications was
     unsatisfactory. Most consumer systems were either too expensive, had security
     shortcomings, or lacked sufficient user control. As a result, I endend up
     assembling a system that meets most of my needs.
   </p>
   <p>
     The solution I've settled on uses three
     <a href="https://www.raspberrypi.org/"> Raspberry Pi</a>'s, each acting as a
     server connected to a <a href="https://www.webcamerausb.com/">generic fisheye
       USB camera</a>. A mix of open-source software and scripts provides a
     password protected livestream served over HTTPS, timelapse recording, motion
     and object detection, notifications, and remote storage.
   </p>
   <p>
     The cameras come with limitations and vulnerabilties, some shared with
     consumer solutions, others unique to a home-brewed setup. But for my needs,
     they have worked well, and I have appreciate their modularity, the ability
     to repurpose hardware, and full control over the system and the data that it
     generates.
   </p>
   <p>
     I was surprised by how quickly I could stand up a system of such disparate
     parts — in terms of hardware and software — while writing little code of my
     own. Putting these cameras together seemed to confirm some of the
     <a href="https://en.wikipedia.org/wiki/Unix_philosophy#Origin">UNIX</a>
     principles. It's been possible to connect components with just a few scripts
     as glue.
   </p>
   <p>
     Any code referenced on this page should be available here:
     <a href="https://code.dwrz.net/vigil/">https://code.dwrz.net/vigil/</a>.
     I don't intend to keep code on this page up to date; it should only be used
     for example and inspiration.
   </p>
   <p>
     What follows is a rough guide covering the basic components of the system.
     It is not intended to be a step-by-step guide, though there is a chance it
     might work as one.
   </p>
   <h2>Hardware</h2>
   <a href="/static/media/1920/dwrz_20221022T213439.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20221022T213439.jpg">
   </a>
   <p>
     I've opted for the following:
     <ul>
       <li>
         <a href="https://www.raspberrypi.com/products/raspberry-pi-400/">Raspberry
 	  Pi 400</a> — easier to source and repurpose for my use cases. I would
         have preferred a smaller device with more open hardware and USB ports,
         but it was hard to find anything of comparable price.
       </li>
       <li>
         <a
 	  href="https://www.westerndigital.com/products/usb-flash-drives/sandisk-extreme-pro-usb-3-2">
 	  Sandisk SSD Flash Drive</a> — improves performance and reliability
         compared to running the Raspberry Pi off of a MicroSD card.
       </li>
       <li>
         <a
 	  href="https://www.amazon.com/s?me=AVRDPNYMU6GNM&marketplaceID=ATVPDKIKX0DER">
 	  ELP 3.6mm FHD 180° IR Fisheye Camera</a> — can cover an entire room and
         see in the dark.
       </li>
       <li><a href="https://www.amazon.com/stores/ULIBERMAGNET/page/22395264-96B4-4270-9CA4-518AED93106E">ULIBERMAGNET</a> Tripod Ball Head with Magnetic Base — used to hold and position the cameras.</li>
     </ul>
   </p>
   <h2>Server</h2>
   <img class="img-center" src="/static/media/vigil-diagram.svg">
   <p>
     I've used the default operating system for Raspberry Pi's, <a href="https://www.raspberrypi.com/software/">Raspberry Pi OS</a>, and this guide assumes that context. I won't cover the operating system installation and setup of an administrative user — documentation is available elsewhere.
   </p>
   <p>
     You should be mindful of the security of the servers themselves. This is a
     <a href="https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage" title="Anker’s Eufy lied to us about the security of its security cameras">problem</a> that even <a href="https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams" title="Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals">commercial</a> <a href="https://www.washingtonpost.com/technology/2019/04/23/how-nest-designed-keep-intruders-out-peoples-homes-effectively-allowed-hackers-get/" title="How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in">offerings</a>  <a href="https://www.consumerreports.org/home-security-cameras/wyze-didnt-completely-fix-security-camera-flaws-for-3-years-a3726294358/" title="Wyze Didn't Completely Fix Flaws in Security Cameras for 3 Years">have not handled well</a>.
     Your personal circumstances will dictate the balance of features and security.
   </p>
 
   <aside class="bordered br-yellow">
     <p>
       When installing the operating system, you'll have to decide whether to
       encrypt the filesystem (or a partition). Encryption makes it harder to
       extract data if someone is able to gain physical access to the
       storage device. However, entering the decryption passwords requires you to
       be physically present at the machine. This can be a problem if, e.g., a
       transient power outage happens while you are away from the cameras; they
       would cease to function until you are on premises again. It's possible to
       use something like <code><a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp)">dropbear</a></code> for boot-time SSH,
       to enter the decryption password. But I've opted to use the servers without
       encryption, and transfer photos and videos off of the servers as soon as
       possible. The downside is that any secrets on the device can be
       compromised, requiring remediation in the event of a breach.
     </p>
   </aside>
   <p>
     Once you are up and running with Raspberry Pi OS, ensure you are
     using the latest software and security updates:
   </p>
   <pre><code>$ sudo apt-get -y update && sudo apt-get -y dist-upgrade</code></pre>
   <p>
     Install any dependencies necessary to get work done, e.g.:
   </p>
   <pre><code>$ sudo apt-get install curl git mg</code></pre>
   <p>
     Consider enabling <a href="https://wiki.debian.org/UnattendedUpgrades">unattended
     security upgrades</a>:
   </p>
   <pre><code>$ sudo apt-get install unattended-upgrades apt-listchanges</code></pre>
   <p>
     To receive email reports for unattended upgrades, a
     <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">
       Message Transfer Agent
     </a> (MTA) and the <code>mailx</code> command are required. This guide
     assumes the use of <code><a href="https://marlam.de/msmtp/">msmtp</a></code>:
   </p>
   <pre><code>$ sudo apt-get install bsd-mailx msmtp msmtp-mta</code></pre>
   <p>
     Setup the <code>msmtp</code>
     <a href="https://marlam.de/msmtp/msmtp.html#Configuration-files">configuration</a>
     file for the <code>root</code> user:
   </p>
   <pre><code>$ sudo mg /root/.msmtprc</code></pre>
   <pre><code>defaults
 auth            on
 tls             on
 tls_trust_file  /etc/ssl/certs/ca-certificates.crt
 logfile         /root/.msmtp.log
 
 account         gmail
 host            smtp.gmail.com
 port            587
 from            user@example.com
 user            user@example.com
 password        ${PASSWORD}
 # Alternatively, a command may be used to retrieve the password:
 # passwordeval   pass google/gmail/app
 # See: https://marlam.de/msmtp/msmtp.html#passwordeval.
 
 account default : gmail</code></pre>
   <p>
     This configuration assumes a Gmail or Google Workspace account; you will
     need to specify appropriate settings for your own mail provider. If you are
     using Gmail or Google Workspaces, you will need to set up an "app password"
     for programmatic access.
   </p>
   <p>
     Test that <code>msmtp</code> is working:
   </p>
   <pre><code>echo "Test" | mailx -s "Test" user@example.com</code></pre>
   <p>
     Edit the <code>unattended-upgrades</code> configuration to send email
     notifications:
   </p>
   <pre><code>$ sudo mg /etc/apt/apt.conf.d/50unattended-upgrades</code></pre>
   <pre><code>Unattended-Upgrade::Mail "user@example.com";</code></pre>
   <h2>Networking</h2>
   <p>
     I assign a static IP address for each of
     my servers. Most consumer routers allow for this in their web interface; I
     have something like the following in my router's <code>/etc/dhcpd.conf</code>:
     <pre><code>host kitchen {
 	fixed-address 10.0.1.101;
 	hardware ethernet de:ad:be:ef:8d:8e;
 }</code></pre>
   </p>
   <aside class="bordered br-yellow">
     <p>
       If you are using <code>network-manager</code> with a WiFi connection,
       you'll need to disable MAC address randomization, or your router / DHCP
       server will not be able to consistently match to the device.
     </p>
     <br>
     <pre><code>$ sudo mg /etc/NetworkManager/conf.d/wifi_rand_mac.conf</code></pre>
     <br>
     <pre><code>[device]
 wifi.scan-rand-mac-address=no</code></pre>
   </aside>
   <p>
     Set up a firewall; I block all ports by default, and at most leave three ports
     open: one for <code>SSH</code>, one for the camera livestream (e.g.,
     <code>3000</code>), and optionally one for the web interface (e.g.,
     <code>8080</code>).</p>
   <p>
     If you intend to share the livestream over the internet, you'll need a relay
     or a port forward from your router. Depending on your network setup, you may
     need to enable hairpin NAT or split-horizon DNS to access the servers by their
     domain name when on the local network.
   </p>
   <aside class="bordered br-yellow">
     <p>
       I don't recommend allowing for remote access to web interface; and would
       advise limiting access to the livestream if possible. <code>motion</code> is
       not written in a memory safe language; all security cameras are a
       double-edged sword that can compromise your own privacy.
     </p>
   </aside>
   <h2>SSH</h2>
   <p>Create an SSH keypair:
   </p>
   <pre><code>ssh-keygen -t ed25519</code></pre>
   <p>
     Then, copy the public key to the server:
   </p>
   <pre><code>ssh-copy-id -i ${SSH_KEY_PATH} username@10.0.1.101 </code></pre>
   <p>Add the server to your SSH config:
   </p>
   <pre><code>Host kitchen
 	Hostname 10.0.1.101
 	IdentityFile ~/.ssh/keys/kitchen</code></pre>
   <p>
     On the server, disable root login and password authentication; enable public
     key authentication.
   </p>
   <pre><code>$ sudo mg /etc/ssh/sshd_config</code></pre>
   <pre><code>PermitRootLogin no
 PubkeyAuthentication yes
 PasswordAuthentication no</code></pre>
   <p>
     Restart the SSH daemon:
   </p>
   <pre><code>$ systemctl restart sshd</code></pre>
   <h2>Motion</h2>
   <p>
     <code><a href="https://motion-project.github.io/">motion</a></code> provides
     the core features of the system — multiple cameras, live streams, web
     control, motion detection, saving images and movies, timelapse, and event
     triggers. Install it:
   </p>
   <pre><code>$ sudo apt-get install motion</code></pre>
   <p>
     On Raspberry Pi OS, the installation will create a
     <code>motion</code> user, homed at <code>/var/lib/motion/</code>. The
     configuration file for <code>motion</code> is located at
     <code>/etc/motion/motion.conf</code>; the <code>systemd</code> unit file is
     <code>/usr/lib/systemd/system/motion.service</code>.
   </p>
   <p>
     <code>motion</code>'s behavior is controlled via its configuration file. The
     <a
       href="https://motion-project.github.io/motion_config.html">documentation</a>
     covers the settings, and should be reviewed; situation will dictate which
     values to use. I discuss configuration below, after setting up the other
     components of the system.
   </p>
   <h2>Object Detection</h2>
   <a href="/static/media/1920/dwrz_20221026_1.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20221026_1.jpg">
   </a>
   <p>
     <code><a href="https://github.com/WongKinYiu/yolov7">yolov7</a></code>
     provides the object detection functionality. I use the "tiny" weights for
     faster processing on a Raspberry Pi. On a Raspberry Pi 400, I typically see
     inferences complete under a second.
   </p>
   <pre><code>$ sudo apt-get install git pip
 $ sudo -u motion bash
 $ git clone https://github.com/WongKinYiu/yolov7.git
 $ cd yolov7/
 $ pip install -r requirements.txt
 $ wget https://github.com/WongKinYiu/yolov7/releases/download/v0.1/yolov7-tiny.pt
 $ mkdir -p /tmp/yolov7/</code></pre>
   <p>
     <a href="https://aws.amazon.com/rekognition/">AWS Rekognition</a> can be used
     as an alternative to <code>yolov7</code>. I had better — and cheaper —
     results with <code>yolov7</code>. However, if you encounter any issues with
     the <code>yolov7</code> installation, AWS offers a convenient fallback.
   </p>
   <p>
     To use Rekognition, you will need to setup an AWS account, install the
     <code>aws</code> CLI, and ideally, create an IAM user with permissions
     restricted to the Rekognition service. You will also need to
     install <code><a href="https://stedolan.github.io/jq/">jq</a></code> to
     parse the JSON response from AWS.
   </p>
   <pre><code>$ sudo apt-get install jq
 $ pip3 install --system awscli
 $ sudo -u motion bash
 $ aws configure</code></pre>
   <h2>Notifications</h2>
   <a href="/static/media/1920/dwrz_20230124T165950_edit.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20230124T165950_edit.jpg">
   </a>
   <p>
     I've set things up so that notifications are only sent when two smartphones
     are not reachable on the network. The upside is less notifications (though
     they'll sometimes come through if the device goes to sleep). If you go this
     route, you'll need need to set up static IP addresses for your devices, and
     remember to take them with you.
   </p>
   <p>
     I send SMS notifications by emailing my mobile phone number, setting the
     recipient to something like <code>1234567890@msg.fi.google.com</code>. That
     option may not be available depending on your mobile service provider. A
     fallback would be to send notifications to an email address, or to use a
     service like <a href="https://www.twilio.com/">Twilio</a> or
     <a href="https://aws.amazon.com/sns/">AWS SNS</a>.
   </p>
   <p>
     I include the object-detected camera snapshot in notifications. While it's
     not too difficult to write a script or simple program to compose
     <a href="https://en.wikipedia.org/wiki/MIME">MIME</a>
     emails, it's easier to just install
     <code><a href="http://www.mutt.org/">mutt</a></code>.
   </p>
   <pre><code>$ sudo apt-get install mutt</code></pre>
   <p>
     Configure <code>msmtp</code> and <code>mutt</code> for the <code>motion</code>
     user:
   </p>
   <pre><code>$ sudo -u motion bash
 $ cd ~
 $ mg .msmtprc</code></pre>
   <pre><code>defaults
 auth            on
 tls             on
 tls_trust_file  /etc/ssl/certs/ca-certificates.crt
 logfile         ~/.cache/msmtp.log
 
 account         gmail
 host            smtp.gmail.com
 port            587
 from            user@example.com
 user            user@example.com
 password        ${PASSWORD}
 
 account default : gmail</code></pre>
   <pre><code>$ chmod 600 .msmtprc
 $ mg .muttrc</code></pre>
   <pre><code>set sendmail="/usr/bin/msmtp"
 set use_from=yes
 set from=user@example.com</code></pre>
   <h2>Exporting Data</h2>
   <p>
     I've configured the system to delete snapshots after sending the
     corresponding notification. This makes it harder to retrieve data if someone
     gains access to the server. However, since I want to be able to review past
     snapshots and timelapse footage, I backup the data off the servers.
   </p>
   <p>
     There are several options — <code>rsync</code> or <code>scp</code> files to
     a remote server, perhaps one with an encrypted drive. Additionally, or
     alternatively, the files can be backed up to the cloud, to a service like
     <a href="https://aws.amazon.com/s3/">AWS S3</a> or <a
 						         href="https://www.backblaze.com/b2/cloud-storage.html">Backblaze B2</a>.
   </p>
   <p>
     For <code>b2</code>, I took the following steps:
     <ol>
       <li>Create an account.</li>
       <li>Create a bucket.</li>
       <li>
         Setup lifecycle rules on the bucket to delete files after a certain
         number of days.
       </li>
       <li>Create an application key.</li>
     </ol>
   </p>
   <p>
     On the servers, I install and configure the <code>b2</code> CLI.
   </p>
   <pre><code>$ sudo apt-get install backblaze-b2
 $ sudo -u motion bash
 $ backblaze-b2 authorize-account</code></pre>
   <h2>DDNS</h2>
   <p>
     To make the camera stream available remotely and conveniently — without a
     <code>VPN</code>, port forwarding, or dealing with IP addresses — I use
     subdomains to reach my cameras. You will need your own domain for similar
     functionality.
   </p>
   <p>
     I don't have a static IP from my ISP, so I use Dynamic DNS to keep my
     subdomain records updated. A <code>systemd</code> timer regularly runs a
     script to update the <code>A</code> and/or <code>AAAA</code> records for the
     server's subdomain.
   </p>
   <p>
     The public IP of the server is retrieved with a DNS lookup, using
     <code>dig</code>. On Raspberry Pi OS, you'll need to install the
     <code>dnsutils</code> package:
   </p>
   <pre><code>$ sudo apt-get intsall dnsutils</code></pre>
   <p>
     How you update your records will depend on your registrar. I use
     <a href="https://aws.amazon.com/route53/">AWS Route53</a>, and a simple Go
     program I wrote called <code>
       <a href="https://code.dwrz.net/src/file/cmd/r53/main.go.html">
         r53</a></code>, which wraps around the
       <a href="https://github.com/aws/aws-sdk-go-v2/">AWS Go SDK</a> and
       <code>dig</code>.
   </p>
   <p>
     A script is probably easier to install. The following isn't as full featured
     as <code>r53</code>, but it doesn't require compiling and installing a Go
     binary:
   </p>
   <pre><code>#!/usr/bin/env bash
 
 readonly HZ="${AWS_HOSTED_ZONE}"
 readonly DOMAIN="${HOSTNAME}"
 
 err() {
   echo "[$(date -u +'%Y-%m-%dT%H:%M:%S%:z')]: $*" >&2
 }
 
 main() {
   if ! [[ -x "$(command -v aws)" ]]; then
     err "aws cli not installed"; exit 1
   fi
 
   # Get the IP address.
   ip="$(dig -4 +short myip.opendns.com @resolver1.opendns.com)"
   if [[ -z "${ip}" ]]; then
     err "failed to get ip address"; exit 2
   fi
   printf "ip: %s\n" "${ip}"
 
   # Update the domains.
   update='{
   "Comment": "DDNS",
   "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "'"${DOMAIN}"'",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [{ "Value": "'"${ip}"'" }]
      }
    }
  ]
 }'
 
   printf "requesting update for %s\n" "${DOMAIN}"
   aws route53 change-resource-record-sets \
       --hosted-zone-id "${HZ}" \
       --change-batch "${update}"
 }
 
 main "$@"</code></pre>
   <p>
     If you are using AWS Route53, you'll need to install and setup the <code>aws</code> CLI for whichever user will run the DDNS service. Again, it's best to create an AWS IAM user with permissions limited to Route53.
   </p>
   <pre><code>$ pip3 install --system awscli
 $ sudo su
 # aws configure</pre></code>
   <p>
     <code>scp</code> the script or the <code>r53</code> binary to the server,
     then move it and set appropriate permissions:
   </p>
   <pre><code>$ scp r53 user@server
 $ sudo mv r53 /usr/local/bin/
 $ sudo chmod 755 /usr/local/bin/r53</code></pre>
   <p>
     Test the command to ensure that it works:
   </p>
   <pre><code>$ r53 $HOSTNAME</code></pre>
   <p>
     These are the <code>systemd</code> unit and timer files — install them at
     <code>/usr/lib/systemd/system/</code>:
   </p>
   <pre><code>[Unit]
 Description=DDNS
 RefuseManualStart=no
 RefuseManualStop=yes
 
 [Service]
 Type=oneshot
 ExecStart=ddns
 
 [Install]
 WantedBy=timers.target</code></pre>
 
   <pre><code>[Unit]
 Description=DDNS
 RefuseManualStart=no
 RefuseManualStop=no
 
 [Timer]
 OnBootSec=1min
 OnCalendar=*-*-* *:*/5:00
 Persistent=true
 RandomizedDelaySec=15
 Unit=ddns.service
 
 [Install]
 WantedBy=default.target</code></pre>
   <p>
     Then, enable the timer:
   </p>
   <pre><code>$ systemctl enable --now ddns.timer</code></pre>
   <a href="/static/media/1920/dwrz_20221018T191948_edit.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20221018T191948_edit.jpg">
   </a>
   <h2>TLS Certificates</h2>
   <p>
     <code>motion</code> will need TLS certificates to encrypt the livestream,
     webcontrol, and authentication for each. We can get free certificates from <a
 									         href="https://letsencrypt.org/">Let's Encrypt</a>, using <code><a
 																		  href="https://certbot.eff.org/">certbot</a></code>. The following assumes a
     <code>
       <a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">
         dns-01
       </a>
     </code> challenge with Route53.
   </p>
   <p>
     Install <code>certbot</code> and the <code>python3-certbot-dns-route53</code>
     plugin:
   </p>
   <pre><code>$ sudo apt-get install certbot python3-certbot-dns-route53</code></pre>
   <p>
     Run <code>certbot</code> to generate certificates:
   </p>
   <pre><code>$ sudo certbot certonly \
     --agree-tos \
     --email user@example.com \
     --non-interactive \
     --quiet \
     --verbose \
     --dns-route53 \
     -d ${DOMAIN}</code></pre>
   <p>
     Add the <code>motion</code> user to the <code>ssl-cert</code> group.
 
     Then, change group ownership for access.
   </p>
   <pre><code>$ chown -R root:ssl-cert letsencrypt/archive/${DOMAIN}
 $ chown -R root:ssl-cert letsencrypt/live/${DOMAIN}
 $ chmod 440 letsencrypt/archive/${DOMAIN}/privkey1.pem</code></pre>
   <a href="/static/media/1920/dwrz_20230104T104635_edit.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20230104T104635_edit.jpg">
   </a>
   <h2>Motion Scripts</h2>
   <p>
     We're nearly there. Three scripts are used to tie functionality together;
     they should be copied over to <code>/var/lib/motion</code> and made
     executable by the <code>motion</code> user. I use a
     <a href="https://code.dwrz.net/vigil/file/setup.html">script</a> to make
     installing the scripts a little easier.
   </p>
   <p>
     An <code>alert</code> script is called when motion is detected; it sends a
     notification via email.
   </p>
   <pre><code>#!/usr/bin/env bash
 
 # Devices to check -- if populated and up, no notifications are sent.
 readonly DEVICES=()
 readonly RECIPIENT="${NOTIFICATION_RECIPIENT}"
 
 check_devices() {
   for device in "${DEVICES[@]}"; do
     if ping -c 1 -w 1 "${device}" &> "/dev/null"; then
       return 0
     fi
   done
 
   return 255
 }
 
 main() {
   # If devices are present, don't notify.
   if (( "${#DEVICES[@]}" )); then
     if check_devices; then
       exit 0
     fi
   fi
 
   echo "${HOSTNAME}: motion detected at $(date '+%Y-%m-%dT%H:%M:%S%:z')." | \
     mutt -s "${HOSTNAME}: Motion Detected" \
 	 -- "${RECIPIENT}"
 }
 
 main "$@"</code></pre>
   <p>
     The <code>sync</code> script is used to backup timelapse videos:
   </p>
   <pre><code>#!/usr/bin/env bash
 
 readonly BUCKET="${B2_BUCKET}"
 
 main() {
   local filepath="$1"
   local name
   name="$(basename "${filepath}")"
 
   backblaze-b2 upload-file \
 	       --threads 2 \
 	       "${BUCKET}" \
 	       "${HOME}/timelapse/${name}" \
 	       "${HOSTNAME}/timelapse/${name}"
 
   # Delete outdated files.
   # This assumes the timelapse is created on an hourly basis.
   rm -f "$1"
   find "${HOME}/timelapse/" -mmin +60 -delete
 }
 
 main "$@"</code></pre>
   <p>
     The <code>notify</code> script sends notifications, and backs up the
     snapshots:
   </p>
   <pre><code>#!/usr/bin/env bash
 
 # Backblaze B2 Bucket
 readonly BUCKET="${B2_BUCKET}"
 
 # Devices to check -- if populated and up, no notifications are sent.
 readonly DEVICES=()
 
 # COCO Labels
 readonly LABEL_PERSON=0
 readonly LABEL_CAT=15
 
 # Lockfile to ensure that only one instance of the script is running.
 readonly LOCKFILE="/tmp/motion-notify.lock.d"
 
 # yolov7 working directory.
 readonly PROJECT="/tmp/yolov7"
 
 # Notification recipient.
 readonly RECIPIENT="${NOTIFICATION_RECIPIENT}"
 
 acquire_lock () {
   while true; do
     if mkdir "${LOCKFILE}"; then
       break;
     fi
     sleep 1
   done
 }
 
 check_devices() {
   for device in "${DEVICES[@]}"; do
     if ping -c 1 -w 1 "${device}" &> "/dev/null"; then
       return 0
     fi
   done
 
   return 255
 }
 
 detect_objects() {
   local filepath="$1"
 
   python "${HOME}/yolov7/detect.py" \
 	 --exist-ok \
 	 --no-trace \
 	 --save-txt \
 	 --project "${PROJECT}" \
 	 --name "motion" \
 	 --weights "${HOME}/yolov7/yolov7-tiny.pt" \
 	 --source "${filepath}"
 }
 
 notify() {
   local name="$1"
 
   echo "${HOSTNAME} at $(date '+%Y-%m-%dT%H:%M:%S%:z')" | \
     mutt -a "${PROJECT}/motion/${name}.jpg" \
 	 -s "${HOSTNAME}: Motion Detected" \
 	 -- "${RECIPIENT}"
 }
 
 upload() {
   local name="$1"
 
   backblaze-b2 upload-file \
 	       --threads 2 \
 	       "${BUCKET}" \
 	       "${PROJECT}/motion/${name}.jpg" \
 	       "${HOSTNAME}/photo/${name}.jpg"
 }
 
 delete_outdated() {
   local filepath="$1"
 
   acquire_lock
 
   rm -f "$1"
   rm -f "${PROJECT}/motion/${name}.jpg"
   find "${HOME}/photo/" -mmin +5 -delete
   find "${PROJECT}/motion/" -iname "*.jpg" -mmin +5 -delete
   find "${PROJECT}/motion/labels/" -mmin +5 -delete
 
   release_lock
 }
 
 release_lock () {
   rmdir "${LOCKFILE}"
 }
 
 main() {
   local filepath="$1"
   local name
   name="$(basename "${filepath}" .jpg)"
 
   # If devices are present, don't notify.
   if (( "${#DEVICES[@]}" )); then
     if check_devices; then
       delete_outdated "${filepath}" "${name}"
       exit 0
     fi
   fi
 
   detect_objects "${filepath}"
 
   # Send a notification if we match any labels.
   labels="$(awk '{print $1}' "${PROJECT}/motion/labels/${name}.txt")"
   if echo "${labels}" | grep -qw "${LABEL_PERSON}\|${LABEL_CAT}"; then
     notify "${name}"
   fi
 
   upload "${name}"
 
   delete_outdated "${filepath}" "${name}"
 }
 
 main "$@"</code></pre>
   <p>
     With AWS Rekognition, you'll need to adapt the script. The following will
     handle uploading the image to AWS, and check if the labels are actionable:
   </p>
   <pre><code>labels="$(env aws rekognition detect-labels \
 --min-confidence 90 \
 --image-bytes fileb://"${filepath}" \
 | jq -j '.Labels | .[] | "\n",.Name," ",.Confidence')"
 
 if grep --quiet "Human\|Cat" <<< "${labels}"; then
   echo "${HOSTNAME} at $(date '+%Y-%m-%dT%H:%M:%S%:z')" | \
     mutt -a "${filepath}" \
 	 -s "${HOSTNAME}: Motion Detected" \
 	 -- "${RECIPIENT}"
 fi</code></pre>
   <h2>Motion Config</h2>
   <p>
     The last step is to configure <code>motion</code> to:
     <ul>
       <li>Take snapshots on motion detection</li>
       <li>Capture a timelapse — one photo per second, one file per hour, synced to the Backblaze B2</li>
       <li>Serve webcontrol on port 8080 over HTTPS</li>
       <li>Livestream on port 3000 over HTTPS</li>
       <li>Notify on motion detection and send object-detected snapshots</li>
       <li>Keep minimal amounts of data on the local drive</li>
     </ul>
   </p>
   <pre><code># GENERAL
 daemon off
 target_dir ${MOTION_DIR}
 log_file ${MOTION_LOG_FILE}
 
 # IMAGE PROCESSING
 despeckle_filter EedDl
 framerate 24
 text_scale 2
 text_changes on
 text_left %$
 text_right %Y-%m-%d-T%H:%M:%S %q
 
 # MOTION DETECTION
 event_gap 1
 threshold 2000
 
 # MOVIES
 movie_output off
 movie_filename /video/%Y-%m-%dT%H:%M:%S-%v
 
 # PICTURES
 picture_output first
 picture_filename /photo/%Y-%m-%dT%H-%M-%S_%q
 
 # TIMELAPSE
 timelapse_interval 1
 timelapse_mode hourly
 timelapse_fps 60
 timelapse_codec mpg
 timelapse_filename /timelapse/%Y-%m-%d-%H-%M-%S
 
 # WEBCONTROL
 webcontrol_auth_method 2
 webcontrol_authentication ${MOTION_USER}:${MOTION_PASSWORD}
 webcontrol_port ${PORT_CONTROL}
 webcontrol_localhost off
 webcontrol_cert ${TLS_CERT}
 webcontrol_key ${TLS_KEY}
 webcontrol_parms 0
 webcontrol_tls on
 
 # LIVE STREAM
 stream_port ${PORT_STREAM}
 stream_localhost off
 stream_quality 25
 stream_motion on
 stream_maxrate 24
 stream_auth_method 2
 stream_authentication ${MOTION_USER}:${MOTION_PASSWORD}
 stream_preview_method 0
 stream_tls on
 
 # SCRIPTS
 on_motion_detected ${MOTION_DIR}/alert
 on_movie_end ${MOTION_DIR}/sync %f
 on_picture_save ${MOTION_DIR}/notify %f
 
 # CAMERA
 camera_name ${CAMERA_NAME}
 videodevice /dev/video0
 height 1080
 width 1920</code></pre>
   </p>
   <p>Restart <code>motion</code> to use the updated configuration:
   </p>
   <pre><code>$ systemctl restart motion</code></pre>
   <h2>Camera Management</h2>
   <p>
     I use a simple script to manage the cameras. This examples allows control
     over three servers (one of which has two cameras):
   </p>
   <pre><code>#!/usr/bin/env bash
 
 readonly WEBCONTROL_PORT="${PORT_CONTROL}"
 
 readonly cameras=(
   "https://${HOST0}:${WEBCONTROL_PORT}/0"
 #  "https://${HOST0}:${WEBCONTROL_PORT}/1"
 #  "https://${HOST1}:${WEBCONTROL_PORT}/${CAMERA0}"
 #  "https://${HOST2}:${WEBCONTROL_PORT}/${CAMERA0}"
 )
 readonly auth=(
   "${MOTION_USER}:${MOTION_PASSWORD}"
 #  "${USER0}:${PW0}"
 #  "${USER1}:${PW1}"
 #  "${USER2}:${PW2}"
 )
 
 err() {
   echo "[$(date -u +'%Y-%m-%dT%H:%M:%S%:z')]: $*" >&2
 }
 
 main() {
   local url="detection/status"
 
   case "$1" in
     "capture"|"c") url="detection/snapshot" ;;
     "pause"|"p") url="detection/pause" ;;
     "start"|"s") url="detection/start" ;;
     "status"|"") url="detection/status" ;;
     *) err "unrecognized command: $1"; exit 1
   esac
 
   for i in "${!cameras[@]}"; do
     curl --digest --user "${auth[i]}" "${cameras[i]}/${url}"
   done
 }
 
 main "$@"</code></pre>
   <h2>Next Steps</h2>
   <a href="/static/media/1920/dwrz_20220304T224024_edit.jpg" >
     <img class="img-center" src="/static/media/720/dwrz_20220304T224024_edit.jpg">
   </a>
   <p>
     As with all software, this project is a work-in-progress, at times
     abandoned, and never completed. There are a few ideas I am exploring as I
     continue to prototype the system:
     <ul>
       <li>
         The most urgent task is to make it easier to set up a new server and to
         keep configuration consistent across servers. I'm working on minimizing
         some of the duplicative work. Another option is to use containers.
       </li>
       <li>
         Use <a href="https://www.openbsd.org/">OpenBSD</a> instead of Raspberry
         Pi OS, replacing <code>msmtp</code> with <code>OpenSTMTPD</code>,
         <code>acme-client</code> for <code>letsencrypt</code>. The main concern
         here is whether wireless and <code>yolov7</code> are sufficiently
         performant.
       </li>
       <li>
         Use an in-memory filesystem and forgo the SSD, which might drop ~$30
         from the cost of the system.
       </li>
       <li>
         Use different hardware — wireless or PoE security cameras with an RTSP
         stream and motion running on a single server.
       </li>
       <li>
         Improve object detection with <code>yolov7</code> by training the model.
       </li>
       <li>
         Develop my own Go service to replace or wrap around <code>motion</code>,
         or replace the bash scripts with Go programs.
       </li>
       <li>
         Add features, like two-way communication.
       </li>
       <li>
         Use <code>yolov7</code> to monitor the camera stream directly, and forgo
         the motion detection step.
       </li>
     </ul>
   </p>
   <p>
     The final thanks must go to the open-source contributors who have made this
     approach possible, from the operating system all the way up to the
     interpreters.
   </p>
 </div>