Merge branch 'feature/redeploy-frigate'

roles/caddy/files/Caddyfile

@@ -0,0 +1 @@
+import Caddyfile.d/*.caddyfile

roles/caddy/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reload caddy
+  service:
+    name: caddy
+    state: reloaded

roles/caddy/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: ensure caddy is installed
+  package:
+    name: caddy
+    state: present
+  tags:
+  - install
+
+- name: ensure base caddy configuration is set
+  copy:
+    src: Caddyfile
+    dest: /etc/caddy/Caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
+
+- name: ensure firewall is configured for caddy
+  firewalld:
+    service: '{{ item }}'
+    permanent: true
+    immediate: true
+    state: enabled
+  when: host_uses_firewalld|d(true)
+  loop:
+  - http
+  - https
+  tags:
+  - firewalld
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure caddy starts at boot
+  service:
+    name: caddy
+    enabled: true
+  tags:
+  - service
+- name: ensure caddy is running
+  service:
+    name: caddy
+    state: started
+  tags:
+  - service

roles/frigate-caddy/defaults/main.yml

@@ -0,0 +1 @@
+frigate_caddy_server_name: frigate.{{ ansible_domain }}

roles/frigate-caddy/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy

roles/frigate-caddy/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: ensure caddy is configured to proxy for frigate
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config

roles/frigate-caddy/templates/Caddyfile.j2

@@ -0,0 +1,23 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ frigate_caddy_server_name }} {
+{% if frigate_caddy_forward_auth|d %}
+   forward_auth {{ frigate_caddy_forward_auth.url }} {
+       uri {{ frigate_caddy_forward_auth.path }}
+       header_up Host {upstream_hostport}
+
+       @unauthorized status 401
+       handle_response @unauthorized {
+           respond "" 301
+           header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
+        }
+    }
+
+{% endif %}
+    reverse_proxy localhost:5000
+{% if frigate_caddy_acme|d %}
+
+    tls {{ frigate_caddy_acme.email }} {
+        ca {{ frigate_caddy_acme.url }}
+    }
+{% endif %}
+}

roles/frigate/defaults/main.yml

@@ -1,7 +1,16 @@
-frigate_image_tag: '{{ frigate_default_image_tag }}'
+frigate_image_tag: 0.12.1
+frigate_image: ghcr.io/blakeblackshear/frigate:{{ frigate_image_tag }}
 frigate_mqtt:
   host: localhost
 frigate_detectors:
   cpu:
     type: cpu
 frigate_cameras: {}
+frigate_enable_gpu: false
+frigate_enable_tpu: false
+frigate_shm_size: 256
+frigate_config:
+  mqtt: '{{ frigate_mqtt }}'
+  detectors: '{{ frigate_detectors }}'
+  cameras: '{{ frigate_cameras }}'
+frigate_env: {}

roles/frigate/tasks/main.yml

@@ -44,7 +44,7 @@
 
 - name: ensure frigate container image is available
   podman_image:
-    name: docker.io/blakeblackshear/frigate:{{ frigate_image_tag }}
+    name: '{{ frigate_image }}'
     tag: stable
     state: present
     force: '{{ frigate_update|d|bool }}'
@@ -54,22 +54,16 @@
   - container-image
   - container
 
-- name: ensure frigate systemd unit is installed
+- name: ensure frigate container unit is installed
   template:
-    src: frigate.service.j2
-    dest: /etc/systemd/system/frigate.service
-    mode: '0644'
+    src: frigate.container.j2
+    dest: /etc/containers/systemd/frigate.container
+    mode: u=rw,go=r
   notify:
   - reload systemd
   - restart frigate
   tags:
   - systemd
-- name: ensure frigate starts at boot
-  service:
-    name: frigate
-    enabled: true
-  tags:
-  - service
 
 - name: ensure frigate configuration directory exists
   file:
@@ -82,7 +76,7 @@
   - config
 - name: ensure frigate is configured
   copy:
-    dest: /etc/frigate/frigate.yml
+    dest: /etc/frigate/config.yml
     content: >-
       {{ frigate_config|to_nice_yaml(indent=2) }}
     mode: '0640'
@@ -92,13 +86,17 @@
   - restart frigate
   tags:
   - config
-
-- name: ensure frigate starts at boot
-  service:
-    name: frigate
-    enabled: true
+- name: ensure frigate environment is set
+  template:
+    src: frigate.environ.j2
+    dest: /etc/frigate/environ
+    mode: u=r,go=
+    owner: root
+    group: root
+  notify:
+  - restart frigate
   tags:
-  - service
+  - config
 
 - name: flush handlers
   meta: flush_handlers

roles/frigate/templates/frigate.container.j2

@@ -0,0 +1,46 @@
+# vim: set ft=systemd.jinja :
+[Unit]
+Description=Frigate NVR
+Wants=network-online.target
+After=network-online.target
+{% if frigate_enable_tpu %}
+Requires=dev-apex_0.device
+After=dev-apex_0.device
+{% endif %}
+RequiresMountsFor=/var/lib/frigate
+
+[Container]
+Image={{ frigate_image }}
+Pull=never
+PodmanArgs=--uidmap 0:{{ frigate_user.uid }}:1
+PodmanArgs=--gidmap 0:{{ frigate_user.group }}:1
+PodmanArgs=--uidmap 1:6000001:65536
+PodmanArgs=--gidmap 1:6000001:65536
+{% if frigate_shm_size|d %}
+PodmanArgs=--shm-size {{ frigate_shm_size }}m
+{% endif %}
+EnvironmentFile=/etc/frigate/environ
+Volume=/var/lib/frigate/media:/media/frigate:rw,z,U
+Volume=/var/lib/frigate/tmp:/tmp:rw,z,U
+Volume=/etc/frigate/config.yml:/config/config.yml:ro
+{% if frigate_enable_tpu %}
+AddDevice=/dev/apex_0
+{% endif %}
+{% if frigate_enable_gpu %}
+AddDevice=/dev/dri/renderD128
+{% endif %}
+AddCapability=CAP_PERFMON
+Network=host
+Annotation=org.systemd.property.KillMode='none'
+
+[Service]
+UMask=0077
+Restart=always
+RestartSec=1
+TimeoutStartSec=10m
+TimeoutStopSec=infinity
+StateDirectory=%N/tmp
+StateDirectory=%N/media
+
+[Install]
+WantedBy=multi-user.target

roles/frigate/templates/frigate.environ.j2

@@ -0,0 +1,3 @@
+{% for key, value in frigate_env.items() %}
+{{ key }}={{ value }}
+{% endfor %}

roles/frigate/vars/aarch64.yml

@@ -1 +0,0 @@
-frigate_default_image_tag: stable-aarch64

roles/frigate/vars/main.yml

@@ -1,6 +1,2 @@
 frigate_podman_packages:
 - podman
-frigate_config:
-  mqtt: '{{ frigate_mqtt }}'
-  detectors: '{{ frigate_detectors }}'
-  cameras: '{{ frigate_cameras }}'

roles/frigate/vars/x86_64.yml

@@ -1 +0,0 @@
-frigate_default_image_tag: stable-amd64

roles/gasket-dkms/defaults/main.yml

@@ -0,0 +1 @@
+gasket_dkms_copr: kylegospo/google-coral-dkms

roles/gasket-dkms/files/sign.dkms.conf

@@ -0,0 +1,4 @@
+# vim set ft=sh :
+sign_tool='/etc/dkms/sign_helper.sh'
+mok_signing_key='/etc/pki/tls/private/dkms.key'
+mok_certificate='/etc/pki/tls/certs/dkms.der'

roles/gasket-dkms/handlers/main.yml

@@ -0,0 +1,25 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+  shell: |
+    mokutil --import /etc/pki/tls/certs/dkms.der <<EOF
+    {{ vault_mok_password }}
+    {{ vault_mok_password }}
+    EOF
+  notify:
+  - reboot notify
+  - reboot the system
+  tags:
+  - mok
+
+- name: reboot notify
+  pause:
+    prompt: >-
+      The machine will now reboot and you must manually enroll the MOK.
+      Pres ENTER to continue
+
+- name: reboot the system
+  reboot:
+    reboot_timeout: 300
+  tags:
+  - reboot

roles/gasket-dkms/tasks/main.yml

@@ -0,0 +1,64 @@
+# vim: set ft=yaml.jinja :
+- name: load secrets
+  include_vars: vault/dkms
+
+- name: ensure prerequisite packages are installed
+  package:
+    name:
+    - dkms
+    - dnf-command(copr)
+    - mokutil
+    - openssl
+    state: present
+  tags:
+  - install
+
+- name: ensure dkms module signing key is present
+  command:
+    openssl req
+    -new
+    -x509
+    -newkey rsa:4096
+    -keyout /etc/pki/tls/private/dkms.key
+    -nodes
+    -subj '/CN=DKMS Modules'
+    -days 3650
+    -outform DER
+    -out /etc/pki/tls/certs/dkms.der
+  args:
+    creates: /etc/pki/tls/certs/dkms.der
+  notify:
+  - enroll uefi mok
+  tags:
+  - cert
+  - dkms
+
+- name: ensure dkms is configured to sign modules with the mok
+  copy:
+    src: sign.dkms.conf
+    dest: /etc/dkms/framework.conf.d/10-sign.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+  - dkms
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure gasket dkms copr is enabled
+  command:
+    dnf copr enable -y {{ gasket_dkms_copr }}
+  args:
+    creates: /etc/yum.repos.d/{{ gasket_dkms_copr_repo_filename }}
+  tags:
+  - copr
+  - repo
+
+- name: ensure gasket-dkms is installed
+  package:
+    name: gasket-dkms
+    state: present
+  tags:
+  - install

roles/gasket-dkms/vars/main.yml

@@ -0,0 +1,2 @@
+gasket_dkms_copr_repo_filename: >-
+  _copr:copr.fedorainfracloud.org:{{ gasket_dkms_copr | replace("/", ":")}}.repo

roles/squid/templates/squid.conf.j2

@@ -1,4 +1,12 @@
 cache_log {{ squid_cache_log }}
+{% if squid_auth_param|d %}
+
+{% for scheme in squid_auth_param %}
+{% for key, value in squid_auth_param[scheme].items() %}
+auth_param {{ scheme }} {{ key }} {{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
 {% if squid_acl is not defined %}
 #
 # Recommended minimum configuration:

roles/useproxy/defaults/main.yml

@@ -0,0 +1 @@
+useproxy_yum_repos: []

roles/useproxy/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: reset connection
+  meta: reset_connection

roles/useproxy/tasks/main.yml

@@ -0,0 +1,73 @@
+- name: ensure environment.d directory exists
+  file:
+    path: /etc/environment.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - config
+- name: ensure proxy environment variables are set
+  template:
+    src: proxy.env.j2
+    dest: /etc/environment.d/40-proxy.env
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+
+- name: ensure /etc/environment is assembled
+  assemble:
+    src: /etc/environment.d
+    dest: /etc/environment
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reset connection
+  tags:
+  - config
+
+- name: ensure systemd default service drop-in directory exists
+  file:
+    path: /etc/systemd/system/service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+- name: ensure proxy is configured for systemd services
+  copy:
+    dest: /etc/systemd/system/service.d/40-proxy.conf
+    content: |
+      [Service]
+      EnvironmentFile=-/etc/environment.d/40-proxy.env
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
+- name: ensure yum repos are configured to use baseurl
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: baseurl
+    value: '{{ item.baseurl }}'
+    state: present
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+  - yum
+- name: ensure yum repos are configured to not use metalink
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: metalink
+    state: absent
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+  - yum
+
+- name: flush handlers
+  meta: flush_handlers

roles/useproxy/templates/proxy.env.j2

@@ -0,0 +1,16 @@
+{% if http_proxy|d %}
+http_proxy={{ http_proxy }}
+HTTP_PROXY={{ http_proxy }}
+{% endif %}
+{% if https_proxy|d %}
+https_proxy={{ https_proxy }}
+HTTPS_PROXY={{ https_proxy }}
+{% endif %}
+{% if all_proxy|d %}
+all_proxy={{ all_proxy }}
+ALL_PROXY={{ all_proxy }}
+{% endif %}
+{% if no_proxy %}
+no_proxy={{ no_proxy }}
+NO_PROXY={{ no_proxy }}
+{% endif %}