diff --git a/frigate.yml b/frigate.yml
index 1fe4b20..784ff13 100644
--- a/frigate.yml
+++ b/frigate.yml
@@ -1,7 +1,7 @@
 - hosts: frigate
 roles:
- - role: gasket-dkms
- tags: gasket-dkms
+ - role: gasket-driver
+ tags: gasket-driver
 - role: frigate
 tags: frigate
 - role: frigate-caddy
diff --git a/roles/gasket-driver/files/mok.crt b/roles/gasket-driver/files/mok.crt
new file mode 100644
index 0000000..c1adab5
Binary files /dev/null and b/roles/gasket-driver/files/mok.crt differ
diff --git a/roles/gasket-driver/handlers/main.yml b/roles/gasket-driver/handlers/main.yml
new file mode 100644
index 0000000..5564d70
--- /dev/null
+++ b/roles/gasket-driver/handlers/main.yml
@@ -0,0 +1,26 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+ shell: |
+ mokutil --import /usr/local/share/dch/mok.crt <- The machine will now reboot and you must manually enroll the MOK.
+ Use this password when enrolling: {{ mok_password }}
+ Press ENTER to continue
+
+- name: reboot the system
+ reboot:
+ reboot_timeout: 300
+ tags:
+ - reboot
diff --git a/roles/gasket-driver/tasks/main.yml b/roles/gasket-driver/tasks/main.yml
new file mode 100644
index 0000000..41e6802
--- /dev/null
+++ b/roles/gasket-driver/tasks/main.yml
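Review bot: The `enroll uefi mok` shell handler receives `{{ mok_password }}` but has no `no_log: true`, so the rendered command, password included, is printed in verbose runs and captured by logging callbacks; add `no_log: true` to that task. The hunk header declares 26 added lines but fewer are visible here — the text between `mok.crt <` and `- The machine will now reboot` appears to have been lost in rendering, so the exact mokutil invocation and the prompt task cannot be reviewed from this page. The `reboot the system` handler's `reboot_timeout: 300` also deserves a second look: MOK enrollment needs an operator at the console during the next boot, and five minutes can expire before the MokManager prompt is answered, failing the play even though enrollment itself proceeds. Either raise the timeout or document the expectation on the handler, e.g. `# attended reboot: MokManager prompts for the password above before the OS starts`.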
@@ -0,0 +1,52 @@
+# vim: set ft=yaml.jinja :
+- set_fact:
+ mok_password: >-
+ {{ lookup("pipe", "diceware -d ' ' -n 6 -w en_eff --no-caps") }}
+ args:
+ cacheable: false
+
+- name: ensure prerequisite packages are installed
+ package:
+ name:
+ - mokutil
+ state: present
+ tags:
+ - install
+
+- name: ensure gasket-dkms is not installed
+ package:
+ name: gasket-dkms
+ state: absent
+ tags:
+ - uninstall
+
+- name: ensure local dch data dir exists
+ file:
+ path: /usr/local/share/dch
+ owner: root
+ group: root
+ mode: u=rwx,go=rx
+ state: directory
+ tags:
+ - cert
+- name: ensure kernel module signing key is present
+ copy:
+ src: mok.crt
+ dest: /usr/local/share/dch/mok.crt
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - enroll uefi mok
+ tags:
+ - cert
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure gasket-driver is installed
+ package:
+ name: gasket-driver
+ state: present
+ tags:
+ - install
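Review bot: Enrollment is only triggered when `copy` changes `/usr/local/share/dch/mok.crt`, so a run where the operator did not complete the MOK prompt (or where the play failed at the reboot handler) never retries: the cert is already in place, no handler fires, and `ensure gasket-driver is installed` proceeds with a key that is not enrolled. A check task after the copy that runs `mokutil --test-key /usr/local/share/dch/mok.crt` and notifies `enroll uefi mok` when the key is absent makes the role converge regardless of history; the exit code mokutil uses for "not enrolled" should be confirmed before the `changed_when` relies on it. Two smaller points: the first `set_fact` task has no `name:` and, since its result carries `mok_password`, no `no_log: true`, so the generated password is echoed in `-v` output; and the `pipe` lookup runs `diceware` on the controller, which this role does not ensure, so a missing binary fails the play at the first task.
```yaml
# … unchanged: set_fact, package, file and copy tasks …

- name: ensure module signing key is enrolled in the uefi mok list
  command: mokutil --test-key /usr/local/share/dch/mok.crt
  register: mok_test
  failed_when: false
  # TODO confirm: mokutil --test-key exits non-zero when the key is not enrolled
  changed_when: mok_test.rc != 0
  notify:
    - enroll uefi mok
  tags:
    - cert

- name: flush handlers
# … unchanged: flush_handlers and gasket-driver install …
```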