frigate: Switch to pre-compiled gasket-driver RPM

The DKMS package for the _gasket-driver_ kernel modules is something of
a problem.  For one thing, upstream seems to have abandoned the driver
itself, and it now requires several patches in order to compile for
current kernel versions.  These patches are not included in the DKMS
package, and thus have to be applied manually after installing it.  More
generally, I don't really like how DKMS works anyway.  Besides requiring
a full kernel development toolchain on a production system, it's
impossible to know if a module will compile successfully until _after_
the new kernel has been installed and booted.  This has frequently meant
that Frigate won't come up after an update because building the module
failed.  I would much rather have a notification about a compatibility
issue for an _upcoming_ update, rather than an applied one.

To rectify these issues, I have created a new RPM package tha contains
pre-built, signed kernel modules for the Coral EdgeTPU device.  Unlike
the DKMS package, this package needs to be rebuilt for every kernel
version, however, this is done by Jenkins before the updated kernel gets
installed on the machine.  It also expresses a dependency on an exact
kernel version, so the kernel cannot be updated until a corresponding
_gasket-driver_ package is available.

frigate.yml

@@ -1,7 +1,7 @@
 - hosts: frigate
   roles:
-  - role: gasket-dkms
-    tags: gasket-dkms
+  - role: gasket-driver
+    tags: gasket-driver
   - role: frigate
     tags: frigate
   - role: frigate-caddy

roles/gasket-driver/handlers/main.yml

@@ -0,0 +1,26 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+  shell: |
+    mokutil --import /usr/local/share/dch/mok.crt <<EOF
+    {{ mok_password }}
+    {{ mok_password }}
+    EOF
+  notify:
+  - reboot notify
+  - reboot the system
+  tags:
+  - mok
+
+- name: reboot notify
+  pause:
+    prompt: >-
+      The machine will now reboot and you must manually enroll the MOK.
+      Use this password when enrolling: {{ mok_password }}
+      Press ENTER to continue
+
+- name: reboot the system
+  reboot:
+    reboot_timeout: 300
+  tags:
+  - reboot

roles/gasket-driver/tasks/main.yml

@@ -0,0 +1,52 @@
+# vim: set ft=yaml.jinja :
+- set_fact:
+    mok_password: >-
+      {{ lookup("pipe", "diceware -d ' ' -n 6 -w en_eff --no-caps") }}
+  args:
+    cacheable: false
+
+- name: ensure prerequisite packages are installed
+  package:
+    name:
+    - mokutil
+    state: present
+  tags:
+  - install
+
+- name: ensure gasket-dkms is not installed
+  package:
+    name: gasket-dkms
+    state: absent
+  tags:
+  - uninstall
+
+- name: ensure local dch data dir exists
+  file:
+    path: /usr/local/share/dch
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - cert
+- name: ensure kernel module signing key is present
+  copy:
+    src: mok.crt
+    dest: /usr/local/share/dch/mok.crt
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - enroll uefi mok
+  tags:
+  - cert
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure gasket-driver is installed
+  package:
+    name: gasket-driver
+    state: present
+  tags:
+  - install