From 60b7a20e1ff591c67bb301cfd9c52b48c2714c5a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 16 Nov 2025 12:18:53 -0600
Subject: [PATCH] frigate: Switch to pre-compiled gasket-driver RPM

The DKMS package for the _gasket-driver_ kernel modules is something of a problem. For one thing, upstream seems to have abandoned the driver itself, and it now requires several patches in order to compile for current kernel versions. These patches are not included in the DKMS package, and thus have to be applied manually after installing it.

More generally, I don't really like how DKMS works anyway. Besides requiring a full kernel development toolchain on a production system, it's impossible to know if a module will compile successfully until _after_ the new kernel has been installed and booted. This has frequently meant that Frigate won't come up after an update because building the module failed. I would much rather have a notification about a compatibility issue for an _upcoming_ update, rather than an applied one.

To rectify these issues, I have created a new RPM package that contains pre-built, signed kernel modules for the Coral EdgeTPU device. Unlike the DKMS package, this package needs to be rebuilt for every kernel version, however, this is done by Jenkins before the updated kernel gets installed on the machine. It also expresses a dependency on an exact kernel version, so the kernel cannot be updated until a corresponding _gasket-driver_ package is available.
---
 frigate.yml | 4 +-
 roles/gasket-driver/files/mok.crt | Bin 0 -> 793 bytes
 roles/gasket-driver/handlers/main.yml | 26 +++++++++++++
 roles/gasket-driver/tasks/main.yml | 52 ++++++++++++++++++++++++++
 4 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 roles/gasket-driver/files/mok.crt
 create mode 100644 roles/gasket-driver/handlers/main.yml
 create mode 100644 roles/gasket-driver/tasks/main.yml
diff --git a/frigate.yml b/frigate.yml index 1fe4b20..784ff13 100644 --- a/frigate.yml
+++ b/frigate.yml @@ -1,7 +1,7 @@ - hosts: frigate roles: - - role: gasket-dkms - tags: gasket-dkms + - role: gasket-driver + tags: gasket-driver - role: frigate tags: frigate - role: frigate-caddy diff --git a/roles/gasket-driver/files/mok.crt b/roles/gasket-driver/files/mok.crt new file mode 100644 index 0000000000000000000000000000000000000000..c1adab589197a15c307ab6272bd1886e36d28072 GIT binary patch literal 793 zcmXqLViq-MV*I;+nTe5!NrbIxz4rfS(UR{p-1qaAE8889ZI3kIW#iOp^Jx3d%gD&h z%3vU6C}AMR#vIDR%){?eT3nKur{Juo;E`C8oM9j*&TC|9XlQ6=Xl`O^WEdsRYmCgr ztG9_!3E3(}RtDxKMt%l^CPpr%CPqev>nA+!OK557UJU=RignHTtEx#nhlBr>2aLH)b6Q$l0^Ow$Xf9v0YKE>e>FYE0)Jy&0c8g>v>;SIcdi6&HS9#KN?SN zn{VCD|AQ?z^6YWGeXESUw2!y$d@r~6Ccj_&UvcK8d@FC=bc#Q;`JLUu-BEL{zWVgr zuJ_WxPc}yLQdivWe)MLKWlH#9r%=OoaaVYMsozqwxq|E!w)FR!?pybn11H*^0iEmF{n<~M1$4({r zj^?WUOWo%5NG&-r$IZXs&W#zx+;s(OOS&!7vv&*5H&N_M4LegS{n9c~ReH(0qn84= z8m#J#Jn8p&PRQ@?C#Lf3W%MoT->G42`Th=%#nf+{_nOPh?rc4&yeIeROF2o07>C&C zSNo=AR`~wg6}O1N@|@?VyT`2Uy6;wTPdWOb|9JFl!J0- + The machine will now reboot and you must manually enroll the MOK. + Use this password when enrolling: {{ mok_password }} + Press ENTER to continue + +- name: reboot the system + reboot: + reboot_timeout: 300 + tags: + - reboot diff --git a/roles/gasket-driver/tasks/main.yml b/roles/gasket-driver/tasks/main.yml new file mode 100644 index 0000000..41e6802 --- /dev/null +++ b/roles/gasket-driver/tasks/main.yml 
@@ -0,0 +1,52 @@ +# vim: set ft=yaml.jinja : +- set_fact: + mok_password: >- + {{ lookup("pipe", "diceware -d ' ' -n 6 -w en_eff --no-caps") }} + args: + cacheable: false + +- name: ensure prerequisite packages are installed + package: + name: + - mokutil + state: present + tags: + - install + +- name: ensure gasket-dkms is not installed + package: + name: gasket-dkms + state: absent + tags: + - uninstall + +- name: ensure local dch data dir exists + file: + path: /usr/local/share/dch + owner: root + group: root + mode: u=rwx,go=rx + state: directory + tags: + - cert +- name: ensure kernel module signing key is present + copy: + src: mok.crt + dest: /usr/local/share/dch/mok.crt + owner: root + group: root + mode: u=rw,go=r + notify: + - enroll uefi mok + tags: + - cert + +- name: flush handlers + meta: flush_handlers + +- name: ensure gasket-driver is installed + package: + name: gasket-driver + state: present + tags: + - install
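Review bot: in roles/gasket-driver/handlers/main.yml, `reboot_timeout: 300` on the `reboot the system` handler leaves five minutes for the manual MOK enrollment that the preceding prompt asks the operator to perform at the console. If the enrollment takes longer than that, the handler fails and the play stops before `gasket-driver` is installed. Consider a longer timeout, or state the time limit in the prompt text so the operator knows it applies.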
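Review bot: in roles/gasket-driver/tasks/main.yml, the `enroll uefi mok` handler is notified only when the `copy` of `mok.crt` reports a change, so if the enrollment is cancelled or skipped at the console after the first run, later runs find the file already in place, never retry, and go on to install `gasket-driver` even though the module signing key is not enrolled. Consider adding a task that checks the enrollment state (for example `mokutil --test-key /usr/local/share/dch/mok.crt`, with `changed_when` set from its result) and notifying the handler from that rather than from the file copy. Separately, the opening `set_fact` has no name and no tags, so a run limited to `--tags cert` skips it and leaves `mok_password` undefined when the handler's prompt is rendered; give it a name and the `cert` tag.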