nixos/frigate: fix recording and serving of clips/recordings

Frigate does string prefix matching for paths, which isn't exactly
compatible with dynamically provisioned directories of systemd, where
/var/cache/frigate is actually a symlink to /var/cache/private/frigate.

Because we are unlikely to get this fixed upstream, this is one of the
reason we should stop using DynamicUser= here.

The other being, that nginx needs to be able to serve clips and
recordings from both the CacheDirectory and the StateDirectory, and
nginx being a member on a group that may only exist after it was started
up doesn't work reliably.

This is also why we relax the umask to allow g+r/g+rx for newly created
files. Existing installs may need the following permissions fix to get
things going.

```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```

Co-Authored-By: Daniel Barlow <dan@telent.net>

nixos/modules/services/video/frigate.nix

@@ -322,6 +322,16 @@ in
       '';
     };
 
+    systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+      "frigate"
+    ];
+
+    users.users.frigate = {
+      isSystemUser = true;
+      group = "frigate";
+    };
+    users.groups.frigate = {};
+
     systemd.services.frigate = {
       after = [
         "go2rtc.service"
@@ -349,15 +359,18 @@ in
       serviceConfig = {
         ExecStart = "${cfg.package.python.interpreter} -m frigate";
 
-        DynamicUser = true;
         User = "frigate";
+        Group = "frigate";
+
+        UMask = "0027";
 
         StateDirectory = "frigate";
-        UMask = "0077";
+        StateDirectoryMode = "0750";
 
         # Caches
         PrivateTmp = true;
         CacheDirectory = "frigate";
+        CacheDirectoryMode = "0750";
 
         BindPaths = [
           "/migrations:${cfg.package}/share/frigate/migrations:ro"