r/gasket-dkms: Build/sign Coral TPU driver

The *gasket-dkms* package provides the `gasket` and `apex` kernel
modules, which are needed fro the Google Coral Edge TPU.  Since these
are out-of-tree modules, they are not allowed in Fedora proper, so they
are provided in a COPR, and have to be rebuilt for every kernel version.
The DKMS framework handles automatically building the modules whenever
the kernel updates.

For systems usign UEFI with SecureBoot enabled, kernel modules must be
signed by a key trusted by the platform.  For locally-built modules, we
can use the Machine Owner Key (MOK).  Unfortunately, enrolling a new MOK
requires rebooting and manual intervention during the boot process.
Therefore, the *gasket-dkms* role has a `pause` step to ensure someone
is paying attention and able handle the key enrollment interactively.

Eventually, I'd like to have an RPM package with these modules
pre-built, so production servers do not need the kernel development
tools (`perl`, `gcc`, headers, etc.).  It will be tricky, though, to
make sure the modules get rebuilt for every kernel version as Fedora
releases them.

frigate.yml

@@ -1,4 +1,6 @@
 - hosts: frigate
   roles:
+  - role: gasket-dkms
+    tags: gasket-dkms
   - role: frigate
     tags: frigate

roles/gasket-dkms/defaults/main.yml

@@ -0,0 +1 @@
+gasket_dkms_copr: kylegospo/google-coral-dkms

roles/gasket-dkms/files/sign.dkms.conf

@@ -0,0 +1,4 @@
+# vim set ft=sh :
+sign_tool='/etc/dkms/sign_helper.sh'
+mok_signing_key='/etc/pki/tls/private/dkms.key'
+mok_certificate='/etc/pki/tls/certs/dkms.der'

roles/gasket-dkms/handlers/main.yml

@@ -0,0 +1,25 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+  shell: |
+    mokutil --import /etc/pki/tls/certs/dkms.der <<EOF
+    {{ vault_mok_password }}
+    {{ vault_mok_password }}
+    EOF
+  notify:
+  - reboot notify
+  - reboot the system
+  tags:
+  - mok
+
+- name: reboot notify
+  pause:
+    prompt: >-
+      The machine will now reboot and you must manually enroll the MOK.
+      Pres ENTER to continue
+
+- name: reboot the system
+  reboot:
+    reboot_timeout: 300
+  tags:
+  - reboot

roles/gasket-dkms/tasks/main.yml

@@ -0,0 +1,64 @@
+# vim: set ft=yaml.jinja :
+- name: load secrets
+  include_vars: vault/dkms
+
+- name: ensure prerequisite packages are installed
+  package:
+    name:
+    - dkms
+    - dnf-command(copr)
+    - mokutil
+    - openssl
+    state: present
+  tags:
+  - install
+
+- name: ensure dkms module signing key is present
+  command:
+    openssl req
+    -new
+    -x509
+    -newkey rsa:4096
+    -keyout /etc/pki/tls/private/dkms.key
+    -nodes
+    -subj '/CN=DKMS Modules'
+    -days 3650
+    -outform DER
+    -out /etc/pki/tls/certs/dkms.der
+  args:
+    creates: /etc/pki/tls/certs/dkms.der
+  notify:
+  - enroll uefi mok
+  tags:
+  - cert
+  - dkms
+
+- name: ensure dkms is configured to sign modules with the mok
+  copy:
+    src: sign.dkms.conf
+    dest: /etc/dkms/framework.conf.d/10-sign.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+  - dkms
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure gasket dkms copr is enabled
+  command:
+    dnf copr enable -y {{ gasket_dkms_copr }}
+  args:
+    creates: /etc/yum.repos.d/{{ gasket_dkms_copr_repo_filename }}
+  tags:
+  - copr
+  - repo
+
+- name: ensure gasket-dkms is installed
+  package:
+    name: gasket-dkms
+    state: present
+  tags:
+  - install

roles/gasket-dkms/vars/main.yml

@@ -0,0 +1,2 @@
+gasket_dkms_copr_repo_filename: >-
+  _copr:copr.fedorainfracloud.org:{{ gasket_dkms_copr | replace("/", ":")}}.repo