Network & remote access

Ports

Fregata’s default listeners:

Port	Service	Bound to	Notes
`8971`	nginx → Frigate web UI + HTTP API	`0.0.0.0`	Auto-switches to HTTPS if `~/Fregata/config/ssl/cert.pem` exists.
`1984`	go2rtc admin UI	`127.0.0.1`	Localhost only by default.
`8554`	go2rtc RTSP re-stream	`127.0.0.1`	Used by Fregata internally. Expose deliberately if you need it.
`8555`	go2rtc WebRTC	`0.0.0.0`	Needed for low-latency live view from outside the Mac.

The HA integration only needs 8971. Most users don’t think about the others.

Reaching it from another device on your LAN

Fregata is happy to serve 8971 to anything on your LAN. Just open http://<mac-ip>:8971 from a different device.

A couple of practical notes:

Use a hostname, not an IP. Bonjour gives you <mac-name>.local for free; bookmarking that survives DHCP shuffles. Set the hostname in System Settings → General → Sharing → Local hostname.
macOS firewall. If you’ve enabled it (System Settings → Network → Firewall), the first inbound connection to Fregata triggers the standard “allow incoming connections” prompt. Allow it once and the rule sticks.

Putting Fregata behind a reverse proxy

A common setup: Caddy or Traefik on a NAS or small Linux box, terminating TLS, and proxying to the Mac. The minimum Caddyfile:

cameras.your-house.example {
    reverse_proxy http://10.0.1.42:8971
}

Caddy gets you a Let’s Encrypt cert, HTTP/2, websocket upgrade (needed for live MSE/WebRTC), and a clean URL.

If you’d rather keep TLS termination on the Mac itself, drop cert.pem and privkey.pem into ~/Fregata/config/ssl/ and Fregata will switch to HTTPS automatically on the next start. The files have to be readable by the user the app runs as (i.e. you).

Exposing it to the public internet

Short answer: don’t, unless you absolutely mean to.

Long answer: if you do, the bare minimum:

Put it behind a real reverse proxy with TLS (Caddy, Traefik, Cloudflare Tunnel).
Enable Frigate’s authentication. Add to config.yml:
```
auth:
  enabled: true
```
Restart, then go to http://localhost:8971 once on the LAN to set the admin password (Frigate’s auth uses HTTP Basic by default — see their auth docs).
Restrict by source IP at the proxy if you can.
Don’t expose 8554 (RTSP) or 1984 (go2rtc admin) to the internet under any circumstance. They have no auth.

The reasonable middle path for “I want to check my cameras from my phone” is Tailscale or a similar mesh VPN: install on the Mac and on your phone, hit http://<tailscale-ip>:8971 from anywhere. No public exposure, no certificate work, near-zero attack surface.

Mac sleep and Wake-On-Demand

Fregata keeps the system awake while it’s running. As soon as the menu-bar status reads Running, the supervisor takes a ProcessInfo activity assertion with .idleSystemSleepDisabled and holds it until Frigate stops, errors out, or you quit the app. You don’t need to touch System Settings; the display is still free to sleep, only the system itself stays awake.

This means the boring 24/7 install case — Mac mini in a closet, Fregata launched at login, never restarted — just works.

Caveats worth knowing about:

A laptop that closes its lid still sleeps. Lid closure is a hardware-level signal that overrides every software assertion. If you need 24/7 detection, run on a desktop or use clamshell mode with an external display attached.
The activity is released on .error and .stopping. A Fregata that crashed or was stopped by you doesn’t strand the Mac awake.
Belt-and-braces: if you want the same behavior even when Fregata isn’t running, System Settings → Energy Saver / Battery → “Prevent automatic sleeping when display is off” (desktop) or “Prevent automatic sleeping on power adapter” (laptop). Pair with “Wake for network access” so the Mac wakes when something hits port 8971.
caffeinate command is still useful for short-term debugging windows where Fregata isn’t yet running.

Ports for Home Assistant

If you’re running HA on a different host, see the Home Assistant guide — the integration needs to reach 8971 and (if you’ve enabled it) MQTT on whatever broker you’re using.