dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity

Merge branch 'feature/redeploy-frigate'

frigate-exporter
Dustin 2024-08-14 20:30:48 -05:00
parent 27b172f083 6e5e12f8b6
commit d7a271de20
38 changed files with 682 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
datavol.yml
View File

@ -48,5 +48,5 @@
- name: fix data volume selinux context - name: fix data volume selinux context
command: command:
restorecon -RF {{ item.mountpoint }} restorecon -F {{ item.mountpoint }}
loop: '{{ data_volumes }}' loop: '{{ data_volumes }}'

7
dch-root-ca.yml Normal file
View File

@ -0,0 +1,7 @@
- hosts: all
roles:
- role: trustca
ca: dch-root-ca
- role: trustca
ca: dch-root-ca-r2
tags: dch-root-ca-r2

25
deploy/nvr2.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 noet :
ansible-playbook \
-l nvr2.pyrocufflink.blue \
wait-for-host.yml \
|| exit
printf 'Waiting for SSH host certificate to be signed ... '
until ssh-keyscan -c nvr2.pyrocufflink.blue 2>/dev/null | grep -q cert; do
sleep 1
done
echo done
ansible-playbook \
-l nvr2.pyrocufflink.blue \
useproxy.yml \
datavol.yml \
bootstrap.yml \
pyrocufflink.yml \
frigate.yml \
collectd.yml \
promtail.yml \
-u root \
-e @join.creds \
|| exit

4
frigate.yml
View File

@ -1,4 +1,8 @@
- hosts: frigate - hosts: frigate
roles: roles:
- role: gasket-dkms
tags: gasket-dkms
- role: frigate - role: frigate
tags: frigate tags: frigate
- role: frigate-caddy
tags: frigate-caddy

10
group_vars/Fedora.yml Normal file
View File

@ -0,0 +1,10 @@
useproxy_yum_repos:
- file: fedora
name: fedora
baseurl: http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
- file: fedora-cisco-openh264
name: fedora-cisco-openh264
baseurl: https://codecs.fedoraproject.org/openh264/$releasever/$basearch/os/
- file: fedora-updates
name: updates
baseurl: http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/

203
group_vars/frigate-prod.yml Normal file
View File

@ -0,0 +1,203 @@
frigate_enable_gpu: true
frigate_enable_tpu: true
frigate_config:
ffmpeg:
hwaccel_args: preset-vaapi
cameras:
front_porch:
detect:
height: 1080
width: 1920
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:8554/front_porch
input_args: preset-rtsp-restream
roles:
- detect
- path: rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.213/cam/realmonitor?channel=1&subtype=0
roles:
- record
objects:
track:
- person
- cat
- dog
- bird
filters:
dog:
threshold: 0.8
bird:
threshold: 0.8
record:
enabled: true
events:
retain:
default: 365
retain:
days: 30
rtmp:
enabled: false
snapshots:
enabled: true
retain:
default: 365
zones:
front_door:
coordinates: 1920,1080,1920,0,1770,0,1366,657,1533,1080
front_porch_window:
coordinates: 1168,337,1026,75,1040,0,1300,0,1257,231
front_steps:
coordinates: 0,1080,1533,1080,1366,595,925,672,531,529,216,587
motion:
mask:
- 189,0,0,0,0,175
driveway:
detect:
height: 1080
width: 1920
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:8554/driveway
input_args: preset-rtsp-restream
roles:
- detect
- path: rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.212/cam/realmonitor?channel=1&subtype=0
roles:
- record
objects:
track:
- person
- cat
- dog
- car
filters:
person:
threshold: 0.8
dog:
threshold: 0.8
bird:
threshold: 0.8
record:
enabled: true
events:
retain:
default: 365
required_zones:
- driveway_entry_zone
- garage_pad_zone
retain:
days: 30
rtmp:
enabled: false
snapshots:
enabled: true
retain:
default: 365
required_zones:
- driveway_entry_zone
- garage_pad_zone
zones:
neighbor_zone:
coordinates: 1920,0,1920,317,1644,179,1382,89,1030,0
objects: []
driveway_entry_zone:
coordinates: 624,0,148,0,0,107,0,251,111,328
garage_pad_zone:
coordinates: 0,507,0,431,616,23,834,51,1180,119,1545,243,1475,583,1285,1080,404,1080,239,843
motion:
mask:
- 157,0,0,0,0,119
- 1419,89,1058,0,1920,0,1920,324,1823,267
back_yard:
detect:
height: 1080
width: 1920
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:8554/back_yard
input_args: preset-rtsp-restream
roles:
- detect
- path: rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.215/cam/realmonitor?channel=1&subtype=0
roles:
- record
objects:
track:
- person
- cat
- dog
record:
enabled: true
events:
retain:
default: 365
retain:
days: 30
rtmp:
enabled: false
snapshots:
enabled: true
retain:
default: 365
zones:
pool_zone:
coordinates: 532,78,1063,21,1117,31,979,208,931,301,515,307,406,375,231,373,204,291
go2rtc:
streams:
front_porch:
- rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.213/cam/realmonitor?channel=1&subtype=0
driveway:
- rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.212/cam/realmonitor?channel=1&subtype=0
back_yard:
- rtsp://frigate:{FRIGATE_AMCREST_RTSP_PASSWORD}@172.30.0.215/cam/realmonitor?channel=1&subtype=0
detectors:
coral:
device: pci:0
type: edgetpu
birdseye:
restream: true
mqtt:
host: mqtt.pyrocufflink.blue
password: '{FRIGATE_MQTT_PASSWORD}'
port: 8883
tls_ca_certs: /etc/ssl/certs/ca-certificates.crt
user: frigate
frigate_https_proxy_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62363833343565316638356665316534393035356664396638313330616663613639366334353663
3934356433303066343431343935633138656264363064650a393636363062383437656464383262
30653965353264336665653264303036323430363030313165626536353736333132386365623230
3534326634343838650a643063666637666636333863326634356630663135326464666433356565
30353339356433376436363863663730323165643232356633376266323536373431643564666562
3935646435306537653530616230343239623966656434313334
frigate_env:
https_proxy: http://frigate:{{ frigate_https_proxy_password }}@proxy.pyrocufflink.blue:3128
FRIGATE_AMCREST_RTSP_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
64353062663837623164386433333966303233313064343665313434643434663131346664666333
3862333434616235306432336534653036633837613931310a343630373832343465656231646665
63303964306334316330653966373836623966363836303331613631346235643061613463376232
3538303063633930370a303861663161366335346465633262336537336164373431326330383733
30656437343837623432356532636461663666636163663634373837353734313163
FRIGATE_MQTT_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
30613633316564303239363734633761666164643062636137383232313961363665666539373162
3235623565386663323234326365303133643732663462320a666136623939316634616265326532
39373933353261633264633532393838333632346464303837623836303630636438366532663765
6563616533333338320a333933643734666631343932613561303930366238653632346530653438
39646635313162646463613263643665363936356361353933653334336533346136323932363936
64363061653233363962623333303337303863623736323232366535633263656332363964373163
333339396137363862663037313861643066
LIBVA_DRIVER_NAME: radeonsi
PLUS_API_KEY: !vault |
$ANSIBLE_VAULT;1.1;AES256
32373139306134646230393961623365643938393430626362353130616661326161613630353533
6463326333373638636463353366343531396237326637350a323465373561656236633935393639
38343239643333363235386139393936373337333138336161663736366131336336396237356630
3532373537303237350a633530373461393630383262366562343638353062653764356135306461
31336137353464376332613738386439613161663065333533653465346661663964626332336232
64326434346638366262326463336639393037316361323039623265626163663539343063636164
31333862333831353461376435303565633163663364383732626639383032313234363030353965
65303430356237383965

9
group_vars/frigate.yml Normal file
View File

@ -0,0 +1,9 @@
# vim: set ft=yaml.jinja :
frigate_caddy_forward_auth:
url: https://auth.pyrocufflink.blue
path: /api/verify
location: '?rd=https://{{ frigate_caddy_server_name }}'
frigate_caddy_acme:
email: frigate@pyrocufflink.blue
url: https://ca.pyrocufflink.blue/acme/acme/directory

4
group_vars/needproxy.yml Normal file
View File

@ -0,0 +1,4 @@
http_proxy: http://proxy.pyrocufflink.blue:3128
https_proxy: '{{ http_proxy }}'
all_proxy: '{{ http_proxy }}'
no_proxy: localhost,pyrocufflink.blue,*.pyrocufflink.blue,127.0.0.1,172.30.0.*,172.30.0.0/24

4
group_vars/vm-hosts.yml
View File

@ -243,7 +243,7 @@ vm_autostart:
- dc-grumbly - dc-grumbly
- dc-headphone - dc-headphone
- delay 30s - delay 30s
- logs0 - loki0
- delay 10s - delay 10s
- db0 - db0
- k8s-ctrl0 - k8s-ctrl0
@ -262,4 +262,4 @@ vm_autostart:
- matrix0 - matrix0
- delay 10s - delay 10s
- pxe0 - pxe0
- unifi2 - unifi3

23
host_vars/gw1.pyrocufflink.blue/squid.yml
View File

@ -1,3 +1,8 @@
squid_auth_param:
basic:
program: /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.htpasswd
children: 1
squid_acl: squid_acl:
localnet: localnet:
- 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)' - 'src 10.0.0.0/8 # RFC 1918 local private network (LAN)'
@ -7,6 +12,8 @@ squid_acl:
- 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines' - 'src fe80::/10 # RFC 4291 link-local (directly plugged) machines'
trusted: trusted:
- src 172.30.0.0/26 - src 172.30.0.0/26
- src 172.30.0.211/32
- src 172.30.0.214/32
kubernetes: kubernetes:
- src 172.30.0.160/28 - src 172.30.0.160/28
unifi_controller: unifi_controller:
@ -18,6 +25,10 @@ squid_acl:
- 'port 443 # https' - 'port 443 # https'
CONNECT: CONNECT:
- method CONNECT - method CONNECT
frigate:
- proxy_auth frigate
github_api:
- dstdomain api.github.com
kickstart: kickstart:
- url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$ - url_regex rosalina.pyrocufflink.blue/~dustin/kickstart/.*\.ks$
fcos_updates: fcos_updates:
@ -29,6 +40,9 @@ squid_acl:
- dstdomain dl.fedoraproject.org - dstdomain dl.fedoraproject.org
- dstdomain fedoraproject-updates-archive.fedoraproject.org - dstdomain fedoraproject-updates-archive.fedoraproject.org
- dstdomain mirrors.fedoraproject.org - dstdomain mirrors.fedoraproject.org
fedora_copr:
- dstdomain copr.fedorainfracloud.org
- dstdomain download.copr.fedorainfracloud.org
dch_repo: dch_repo:
- url_regex files.pyrocufflink.blue/yum/.+ - url_regex files.pyrocufflink.blue/yum/.+
google_fonts: google_fonts:
@ -43,10 +57,11 @@ squid_acl:
- dstdomain docker.io - dstdomain docker.io
- dstdomain auth.docker.io - dstdomain auth.docker.io
- dstdomain production.cloudflare.docker.com - dstdomain production.cloudflare.docker.com
linuxserverio: ghcr:
- dstdomain lscr.io
- dstdomain ghcr.io - dstdomain ghcr.io
- dstdomain pkg-containers.githubusercontent.com - dstdomain pkg-containers.githubusercontent.com
linuxserverio:
- dstdomain lscr.io
squid_http_access: squid_http_access:
- 'deny !Safe_ports' - 'deny !Safe_ports'
@ -56,13 +71,17 @@ squid_http_access:
- deny to_localhost - deny to_localhost
- allow localnet fcos_updates - allow localnet fcos_updates
- allow localnet fedora_repo - allow localnet fedora_repo
- allow localnet fedora_copr
- allow localnet grafana_rpm - allow localnet grafana_rpm
- allow google_fonts - allow google_fonts
- allow trusted kickstart - allow trusted kickstart
- allow trusted dch_repo - allow trusted dch_repo
- allow trusted ghcr
- allow kubernetes stripe_api - allow kubernetes stripe_api
- allow unifi_controller dockerhub - allow unifi_controller dockerhub
- allow unifi_controller ghcr
- allow unifi_controller linuxserverio - allow unifi_controller linuxserverio
- allow trusted frigate github_api
- deny all - deny all
squid_cache_dir: squid_cache_dir:

5
host_vars/nvr2.pyrocufflink.blue.yml Normal file
View File

@ -0,0 +1,5 @@
data_volumes:
- dev: /dev/md/frigate
fstype: btrfs
mountpoint: /var/lib/frigate
mountopts: x-systemd.mount-timeout=3m

14
hosts
View File

@ -28,6 +28,7 @@ pyrocufflink
collectd collectd
[collectd-sensors] [collectd-sensors]
nvr2.pyrocufflink.blue
[dch-proxy] [dch-proxy]
@ -47,6 +48,15 @@ bitwarden_rs
[file-servers] [file-servers]
file0.pyrocufflink.blue file0.pyrocufflink.blue
[frigate:children]
frigate-prod
frigate-test
[frigate-prod]
nvr2.pyrocufflink.blue
[frigate-test]
[gitea] [gitea]
git0.pyrocufflink.blue git0.pyrocufflink.blue
@ -81,6 +91,9 @@ burp-server
[nfs-client:children] [nfs-client:children]
k8s-node k8s-node
[needproxy]
nvr2.pyrocufflink.blue
[nextcloud] [nextcloud]
cloud0.pyrocufflink.blue cloud0.pyrocufflink.blue
@ -109,6 +122,7 @@ file0.pyrocufflink.blue
git0.pyrocufflink.blue git0.pyrocufflink.blue
k8s-ctrl0.pyrocufflink.blue k8s-ctrl0.pyrocufflink.blue
matrix0.pyrocufflink.blue matrix0.pyrocufflink.blue
nvr2.pyrocufflink.blue
pxe0.pyrocufflink.blue pxe0.pyrocufflink.blue
smtp1.pyrocufflink.blue smtp1.pyrocufflink.blue
web0.pyrocufflink.blue web0.pyrocufflink.blue

7
newvm.sh
View File

@ -58,6 +58,13 @@ while [ $# -gt 0 ]; do
shift shift
fedora="${1#*=}" fedora="${1#*=}"
;; ;;
--network)
shift
network="$1"
;;
--network=*)
network="${1#*=}"
;;
--no-console|--noconsole) --no-console|--noconsole)
console=false console=false
;; ;;

1
roles/caddy/files/Caddyfile Normal file
View File

@ -0,0 +1 @@
import Caddyfile.d/*.caddyfile

4
roles/caddy/handlers/main.yml Normal file
View File

@ -0,0 +1,4 @@
- name: reload caddy
service:
name: caddy
state: reloaded

47
roles/caddy/tasks/main.yml Normal file
View File

@ -0,0 +1,47 @@
- name: ensure caddy is installed
package:
name: caddy
state: present
tags:
- install
- name: ensure base caddy configuration is set
copy:
src: Caddyfile
dest: /etc/caddy/Caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- config
- name: ensure firewall is configured for caddy
firewalld:
service: '{{ item }}'
permanent: true
immediate: true
state: enabled
when: host_uses_firewalld|d(true)
loop:
- http
- https
tags:
- firewalld
- name: flush handlers
meta: flush_handlers
- name: ensure caddy starts at boot
service:
name: caddy
enabled: true
tags:
- service
- name: ensure caddy is running
service:
name: caddy
state: started
tags:
- service

1
roles/frigate-caddy/defaults/main.yml Normal file
View File

@ -0,0 +1 @@
frigate_caddy_server_name: frigate.{{ ansible_domain }}

3
roles/frigate-caddy/meta/main.yml Normal file
View File

@ -0,0 +1,3 @@
dependencies:
- role: caddy
tags: caddy

11
roles/frigate-caddy/tasks/main.yml Normal file
View File

@ -0,0 +1,11 @@
- name: ensure caddy is configured to proxy for frigate
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- config

23
roles/frigate-caddy/templates/Caddyfile.j2 Normal file
View File

@ -0,0 +1,23 @@
{# vim: set sw=4 ts=4 sts=4 et : #}
{{ frigate_caddy_server_name }} {
{% if frigate_caddy_forward_auth|d %}
forward_auth {{ frigate_caddy_forward_auth.url }} {
uri {{ frigate_caddy_forward_auth.path }}
header_up Host {upstream_hostport}
@unauthorized status 401
handle_response @unauthorized {
respond "" 301
header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
}
}
{% endif %}
reverse_proxy localhost:5000
{% if frigate_caddy_acme|d %}
tls {{ frigate_caddy_acme.email }} {
ca {{ frigate_caddy_acme.url }}
}
{% endif %}
}

11
roles/frigate/defaults/main.yml
View File

@ -1,7 +1,16 @@
frigate_image_tag: '{{ frigate_default_image_tag }}' frigate_image_tag: 0.12.1
frigate_image: ghcr.io/blakeblackshear/frigate:{{ frigate_image_tag }}
frigate_mqtt: frigate_mqtt:
host: localhost host: localhost
frigate_detectors: frigate_detectors:
cpu: cpu:
type: cpu type: cpu
frigate_cameras: {} frigate_cameras: {}
frigate_enable_gpu: false
frigate_enable_tpu: false
frigate_shm_size: 256
frigate_config:
mqtt: '{{ frigate_mqtt }}'
detectors: '{{ frigate_detectors }}'
cameras: '{{ frigate_cameras }}'
frigate_env: {}

34
roles/frigate/tasks/main.yml
View File

@ -44,7 +44,7 @@
- name: ensure frigate container image is available - name: ensure frigate container image is available
podman_image: podman_image:
name: docker.io/blakeblackshear/frigate:{{ frigate_image_tag }} name: '{{ frigate_image }}'
tag: stable tag: stable
state: present state: present
force: '{{ frigate_update|d|bool }}' force: '{{ frigate_update|d|bool }}'
@ -54,22 +54,16 @@
- container-image - container-image
- container - container
- name: ensure frigate systemd unit is installed - name: ensure frigate container unit is installed
template: template:
src: frigate.service.j2 src: frigate.container.j2
dest: /etc/systemd/system/frigate.service dest: /etc/containers/systemd/frigate.container
mode: '0644' mode: u=rw,go=r
notify: notify:
- reload systemd - reload systemd
- restart frigate - restart frigate
tags: tags:
- systemd - systemd
- name: ensure frigate starts at boot
service:
name: frigate
enabled: true
tags:
- service
- name: ensure frigate configuration directory exists - name: ensure frigate configuration directory exists
file: file:
@ -82,7 +76,7 @@
- config - config
- name: ensure frigate is configured - name: ensure frigate is configured
copy: copy:
dest: /etc/frigate/frigate.yml dest: /etc/frigate/config.yml
content: >- content: >-
{{ frigate_config|to_nice_yaml(indent=2) }} {{ frigate_config|to_nice_yaml(indent=2) }}
mode: '0640' mode: '0640'
@ -92,13 +86,17 @@
- restart frigate - restart frigate
tags: tags:
- config - config
- name: ensure frigate environment is set
- name: ensure frigate starts at boot template:
service: src: frigate.environ.j2
name: frigate dest: /etc/frigate/environ
enabled: true mode: u=r,go=
owner: root
group: root
notify:
- restart frigate
tags: tags:
- service - config
- name: flush handlers - name: flush handlers
meta: flush_handlers meta: flush_handlers

46
roles/frigate/templates/frigate.container.j2 Normal file
View File

@ -0,0 +1,46 @@
# vim: set ft=systemd.jinja :
[Unit]
Description=Frigate NVR
Wants=network-online.target
After=network-online.target
{% if frigate_enable_tpu %}
Requires=dev-apex_0.device
After=dev-apex_0.device
{% endif %}
RequiresMountsFor=/var/lib/frigate
[Container]
Image={{ frigate_image }}
Pull=never
PodmanArgs=--uidmap 0:{{ frigate_user.uid }}:1
PodmanArgs=--gidmap 0:{{ frigate_user.group }}:1
PodmanArgs=--uidmap 1:6000001:65536
PodmanArgs=--gidmap 1:6000001:65536
{% if frigate_shm_size|d %}
PodmanArgs=--shm-size {{ frigate_shm_size }}m
{% endif %}
EnvironmentFile=/etc/frigate/environ
Volume=/var/lib/frigate/media:/media/frigate:rw,z,U
Volume=/var/lib/frigate/tmp:/tmp:rw,z,U
Volume=/etc/frigate/config.yml:/config/config.yml:ro
{% if frigate_enable_tpu %}
AddDevice=/dev/apex_0
{% endif %}
{% if frigate_enable_gpu %}
AddDevice=/dev/dri/renderD128
{% endif %}
AddCapability=CAP_PERFMON
Network=host
Annotation=org.systemd.property.KillMode='none'
[Service]
UMask=0077
Restart=always
RestartSec=1
TimeoutStartSec=10m
TimeoutStopSec=infinity
StateDirectory=%N/tmp
StateDirectory=%N/media
[Install]
WantedBy=multi-user.target

3
roles/frigate/templates/frigate.environ.j2 Normal file
View File

@ -0,0 +1,3 @@
{% for key, value in frigate_env.items() %}
{{ key }}={{ value }}
{% endfor %}

1
roles/frigate/vars/aarch64.yml
View File

@ -1 +0,0 @@
frigate_default_image_tag: stable-aarch64

4
roles/frigate/vars/main.yml
View File

@ -1,6 +1,2 @@
frigate_podman_packages: frigate_podman_packages:
- podman - podman
frigate_config:
mqtt: '{{ frigate_mqtt }}'
detectors: '{{ frigate_detectors }}'
cameras: '{{ frigate_cameras }}'

1
roles/frigate/vars/x86_64.yml
View File

@ -1 +0,0 @@
frigate_default_image_tag: stable-amd64

1
roles/gasket-dkms/defaults/main.yml Normal file
View File

@ -0,0 +1 @@
gasket_dkms_copr: kylegospo/google-coral-dkms

4
roles/gasket-dkms/files/sign.dkms.conf Normal file
View File

@ -0,0 +1,4 @@
# vim set ft=sh :
sign_tool='/etc/dkms/sign_helper.sh'
mok_signing_key='/etc/pki/tls/private/dkms.key'
mok_certificate='/etc/pki/tls/certs/dkms.der'

25
roles/gasket-dkms/handlers/main.yml Normal file
View File

@ -0,0 +1,25 @@
# vim: set ft=yaml.jinja :
- name: enroll uefi mok
shell: |
mokutil --import /etc/pki/tls/certs/dkms.der <<EOF
{{ vault_mok_password }}
{{ vault_mok_password }}
EOF
notify:
- reboot notify
- reboot the system
tags:
- mok
- name: reboot notify
pause:
prompt: >-
The machine will now reboot and you must manually enroll the MOK.
Pres ENTER to continue
- name: reboot the system
reboot:
reboot_timeout: 300
tags:
- reboot

64
roles/gasket-dkms/tasks/main.yml Normal file
View File

@ -0,0 +1,64 @@
# vim: set ft=yaml.jinja :
- name: load secrets
include_vars: vault/dkms
- name: ensure prerequisite packages are installed
package:
name:
- dkms
- dnf-command(copr)
- mokutil
- openssl
state: present
tags:
- install
- name: ensure dkms module signing key is present
command:
openssl req
-new
-x509
-newkey rsa:4096
-keyout /etc/pki/tls/private/dkms.key
-nodes
-subj '/CN=DKMS Modules'
-days 3650
-outform DER
-out /etc/pki/tls/certs/dkms.der
args:
creates: /etc/pki/tls/certs/dkms.der
notify:
- enroll uefi mok
tags:
- cert
- dkms
- name: ensure dkms is configured to sign modules with the mok
copy:
src: sign.dkms.conf
dest: /etc/dkms/framework.conf.d/10-sign.conf
owner: root
group: root
mode: u=rw,go=r
tags:
- config
- dkms
- name: flush handlers
meta: flush_handlers
- name: ensure gasket dkms copr is enabled
command:
dnf copr enable -y {{ gasket_dkms_copr }}
args:
creates: /etc/yum.repos.d/{{ gasket_dkms_copr_repo_filename }}
tags:
- copr
- repo
- name: ensure gasket-dkms is installed
package:
name: gasket-dkms
state: present
tags:
- install

2
roles/gasket-dkms/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
gasket_dkms_copr_repo_filename: >-
_copr:copr.fedorainfracloud.org:{{ gasket_dkms_copr | replace("/", ":")}}.repo

8
roles/squid/templates/squid.conf.j2
View File

@ -1,4 +1,12 @@
cache_log {{ squid_cache_log }} cache_log {{ squid_cache_log }}
{% if squid_auth_param|d %}
{% for scheme in squid_auth_param %}
{% for key, value in squid_auth_param[scheme].items() %}
auth_param {{ scheme }} {{ key }} {{ value }}
{% endfor %}
{% endfor %}
{% endif %}
{% if squid_acl is not defined %} {% if squid_acl is not defined %}
# #
# Recommended minimum configuration: # Recommended minimum configuration:

1
roles/useproxy/defaults/main.yml Normal file
View File

@ -0,0 +1 @@
useproxy_yum_repos: []

6
roles/useproxy/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
- name: reload systemd
systemd:
daemon_reload: true
- name: reset connection
meta: reset_connection

73
roles/useproxy/tasks/main.yml Normal file
View File

@ -0,0 +1,73 @@
- name: ensure environment.d directory exists
file:
path: /etc/environment.d
owner: root
group: root
mode: u=rwx,go=rx
state: directory
tags:
- config
- name: ensure proxy environment variables are set
template:
src: proxy.env.j2
dest: /etc/environment.d/40-proxy.env
owner: root
group: root
mode: u=rw,go=r
tags:
- config
- name: ensure /etc/environment is assembled
assemble:
src: /etc/environment.d
dest: /etc/environment
owner: root
group: root
mode: u=rw,go=r
notify:
- reset connection
tags:
- config
- name: ensure systemd default service drop-in directory exists
file:
path: /etc/systemd/system/service.d
owner: root
group: root
mode: u=rwx,go=rx
state: directory
tags:
- systemd
- name: ensure proxy is configured for systemd services
copy:
dest: /etc/systemd/system/service.d/40-proxy.conf
content: |
[Service]
EnvironmentFile=-/etc/environment.d/40-proxy.env
notify:
- reload systemd
tags:
- systemd
- name: ensure yum repos are configured to use baseurl
ini_file:
path: /etc/yum.repos.d/{{ item.file }}.repo
section: '{{ item.name }}'
option: baseurl
value: '{{ item.baseurl }}'
state: present
loop: '{{ useproxy_yum_repos }}'
tags:
- yum
- name: ensure yum repos are configured to not use metalink
ini_file:
path: /etc/yum.repos.d/{{ item.file }}.repo
section: '{{ item.name }}'
option: metalink
state: absent
loop: '{{ useproxy_yum_repos }}'
tags:
- yum
- name: flush handlers
meta: flush_handlers

16
roles/useproxy/templates/proxy.env.j2 Normal file
View File

@ -0,0 +1,16 @@
{% if http_proxy|d %}
http_proxy={{ http_proxy }}
HTTP_PROXY={{ http_proxy }}
{% endif %}
{% if https_proxy|d %}
https_proxy={{ https_proxy }}
HTTPS_PROXY={{ https_proxy }}
{% endif %}
{% if all_proxy|d %}
all_proxy={{ all_proxy }}
ALL_PROXY={{ all_proxy }}
{% endif %}
{% if no_proxy %}
no_proxy={{ no_proxy }}
NO_PROXY={{ no_proxy }}
{% endif %}

5
useproxy.yml Normal file
View File

@ -0,0 +1,5 @@
- import_playbook: dyngroups.yml
- hosts: needproxy
roles:
- useproxy