motioneye: Deploy motionEye camera software

The *motioneye* role installs motionEye on a Fedora machine using `pip`.
It configures Apache to proxy for motionEye for outside (HTTPS) access.

The official installation instructions and default configuration for
motionEye assume it will be running as root.  There is, however, no
specific reason for this, as it works just fine as an unprivileged user.
The only minor surprise is that the `conf_path` configuration setting
must be writable, as this is where motionEye places generated
configuration for `motion`.  This path does not, however, have to
include the `motioneye.conf` file itself, which can still be read-only.

hosts

@@ -68,6 +68,8 @@ koji0.pyrocufflink.blue
 [koji-web]
 koji0.pyrocufflink.blue
 
+[motioneye]
+
 [named-server:children]
 pyrocufflink-dns
 

motioneye.yml

@@ -0,0 +1,5 @@
+- hosts: motioneye
+  roles:
+  - role: apache
+    tags: apache
+  - motioneye

roles/motioneye/files/motioneye.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=motionEye Server
+
+[Service]
+User=motioneye
+ExecStart=/usr/bin/meyectl startserver -c /etc/motioneye.conf
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target

roles/motioneye/files/motioneye.tmpfiles.conf

@@ -0,0 +1 @@
+d /run/motioneye 0755 motioneye motioneye -

roles/motioneye/handlers/main.yml

@@ -0,0 +1,10 @@
+- name: process tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart motioneye
+  service:
+    name: motioneye
+    state: restarted

roles/motioneye/tasks/main.yml

@@ -0,0 +1,110 @@
+- name: ensure rpmfusion repo is available
+  dnf:
+    name: >-
+      https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_version }}.noarch.rpm
+    state: present
+  tags: install
+
+- name: ensure motion is installed
+  package:
+    name: '{{ motion_packages }}'
+    state: present
+  tags: install
+- name: ensure motioneye dependencies are installed
+  package:
+    name: '{{ motioneye_packages }}'
+    state: present
+  tags: install
+- name: ensure motioneye is installed
+  pip:
+    name: motioneye
+    executable: /usr/bin/pip2
+    state: present
+  tags:
+  - install
+  - pip
+
+- name: ensure motioneye user exists
+  user:
+    name: motioneye
+    system: true
+    shell: /sbin/nologin
+    state: present
+  tags:
+  - user
+
+- name: ensure motioneye media directory exists
+  file:
+    path: /var/lib/motioneye
+    owner: motioneye
+    group: motioneye
+    mode: '0755'
+    state: directory
+- name: ensure motioneye configuration directory exists
+  file:
+    path: /var/lib/motioneye/conf
+    owner: motioneye
+    group: motioneye
+    mode: '0755'
+    state: directory
+- name: ensure motioneye log directory exists
+  file:
+    path: /var/log/motioneye
+    owner: motioneye
+    group: motioneye
+    mode: '0755'
+    state: directory
+
+- name: ensure motioneye is configured
+  template:
+    src: motioneye.conf.j2
+    dest: /etc/motioneye.conf
+    mode: '0644'
+
+- name: ensure tmpfiles.d directory exists
+  file:
+    path: /etc/tmpfiles.d
+    mode: '0755'
+    state: directory
+- name: ensure motioneye tmpfiles are configured
+  copy:
+    src: motioneye.tmpfiles.conf
+    dest: /etc/tmpfiles.d/motioneye.conf
+  notify: process tmpfiles
+
+- name: ensure motioneye systemd unit is installed
+  copy:
+    src: motioneye.service
+    dest: /etc/systemd/system/motioneye.service
+    mode: '0644'
+  notify:
+  - reload systemd
+  - restart motioneye
+  tags: systemd
+- name: ensure motioneye service is enabled
+  service:
+    name: motioneye
+    enabled: true
+- meta: flush_handlers
+- name: ensure motioneye service is running
+  service:
+    name: motioneye
+    state: started
+
+- name: ensure apache is allowed to proxy for motioneye
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+  tags:
+  - apache
+  - selinux
+- name: ensure apache is configured to proxy for motioneye
+  template:
+    src: motioneye.httpd.conf.j2
+    dest: /etc/httpd/conf.d/motioneye.conf
+    mode: '0644'
+  notify: reload httpd
+  tags:
+  - apache
+  - apache-config

roles/motioneye/templates/motioneye.conf.j2

@@ -0,0 +1,98 @@
+
+# path to the configuration directory (must be writable by motionEye)
+conf_path /var/lib/motioneye/conf
+
+# path to the directory where pid files go (must be writable by motionEye)
+run_path /var/run/motioneye
+
+# path to the directory where log files go (must be writable by motionEye)
+log_path /var/log/motioneye
+
+# default output path for media files (must be writable by motionEye)
+media_path /var/lib/motioneye
+
+# the log level (use quiet, error, warning, info or debug)
+log_level info
+
+# the IP address to listen on
+# (0.0.0.0 for all interfaces, 127.0.0.1 for localhost)
+listen 0.0.0.0
+
+# the TCP port to listen on
+port 8765
+
+# path to the motion binary to use (automatically detected if commented)
+#motion_binary /usr/bin/motion
+
+# whether motion HTTP control interface listens on
+# localhost or on all interfaces
+motion_control_localhost true
+
+# the TCP port that motion HTTP control interface listens on
+motion_control_port 7999
+
+# interval in seconds at which motionEye checks if motion is running
+motion_check_interval 10
+
+# whether to restart the motion daemon when an error occurs while communicating with it
+motion_restart_on_errors false
+
+# interval in seconds at which motionEye checks the SMB mounts
+mount_check_interval 300
+
+# interval in seconds at which the janitor is called
+# to remove old pictures and movies
+cleanup_interval 43200
+
+# timeout in seconds to wait for response from a remote motionEye server
+remote_request_timeout 10
+
+# timeout in seconds to wait for mjpg data from the motion daemon
+mjpg_client_timeout 10
+
+# timeout in seconds after which an idle mjpg client is removed
+# (set to 0 to disable)
+mjpg_client_idle_timeout 10
+
+# enable SMB shares (requires motionEye to run as root) 
+smb_shares false
+
+# the directory where the SMB mount points will be created
+smb_mount_root /media
+
+# path to the wpa_supplicant.conf file
+# (enable this to configure wifi settings from the UI)
+#wpa_supplicant_conf /etc/wpa_supplicant.conf
+
+# path to the localtime file
+# (enable this to configure the system time zone from the UI)
+#local_time_file /etc/localtime
+
+# enables shutdown and rebooting after changing system settings
+# (such as wifi settings or time zone)
+enable_reboot false
+
+# timeout in seconds to use when talking to the SMTP server
+smtp_timeout 60
+
+# timeout in seconds to wait for media files list
+list_media_timeout 120
+
+# timeout in seconds to wait for media files list, when sending emails
+list_media_timeout_email 10
+
+# timeout in seconds to wait for zip file creation
+zip_timeout 500
+
+# timeout in seconds to wait for timelapse creation
+timelapse_timeout 500
+
+# enable adding and removing cameras from UI
+add_remove_cameras true
+
+# enables HTTP basic authentication scheme (in addition to, not instead of the signature mechanism)
+http_basic_auth false
+
+# overrides the hostname (useful if motionEye runs behind a reverse proxy)
+# server_name motionEye
+

roles/motioneye/templates/motioneye.httpd.conf.j2

@@ -0,0 +1,13 @@
+# vim: set ft=apache :
+
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
+ProxyRequests Off
+ProxyPass / http://localhost:8765/ nocanon
+ProxyPassReverse / http://localhost:8657/
+
+<Location />
+	Require all granted
+</Location>

roles/motioneye/vars/main.yml

@@ -0,0 +1,9 @@
+motion_packages:
+- motion
+- ffmpeg
+# XXX - v4l-utils
+
+motioneye_packages:
+- python2
+- python2-pycurl
+- python2-pillow