From 533cdc2c09dae89a714d81c217ffa0b8ab8ae89d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 16 Sep 2023 08:03:23 -0500
Subject: [PATCH] frigate: Run Frigate in a container

The *frigate* container must run as root, so we use a custom user namespace to map root in the container to an unprivilged user on the host. For some reason, Podman (on CoreOS anyway) fails to stop a container that uses a separate network namespace. It reports "invalid argument" when attempting to unmount the `netns` file, which then causes the container to get "stuck" in `Storage` state. Rebooting the host is apparently the only way to get the container to start again correctly. Fortunately, there's no particular reason to use an alternate network namespace for Frigate, so it can use the host's network and avoid this problem.
---
frigate.container | 31 +++++++++++++++++++++++++++++++
frigate.yaml | 14 ++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 frigate.container
create mode 100644 frigate.yaml
diff --git a/frigate.container b/frigate.container
new file mode 100644
index 0000000..15f4ffe
--- /dev/null
+++ b/frigate.container
@@ -0,0 +1,31 @@
+[Unit]
+Description=Frigate NVR
+Wants=network-online.target
+After=network-online.target
+Requires=dev-apex_0.device
+After=dev-apex_0.device
+
+[Container]
+Image=ghcr.io/blakeblackshear/frigate:0.12.1
+PodmanArgs=--uidmap 0:209:1
+PodmanArgs=--gidmap 0:209:1
+PodmanArgs=--uidmap 1:6000001:65536
+PodmanArgs=--gidmap 1:6000001:65536
+PodmanArgs=--shm-size 256m
+Volume=/var/lib/frigate:/media/frigate:rw,z
+Volume=/var/lib/frigate/tmp:/tmp:rw,z
+Volume=/var/lib/frigate/config:/config:rw,z
+AddDevice=/dev/apex_0
+Network=host
+
+[Service]
+StateDirectory=%N/tmp %N/config
+PrivateTmp=yes
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+ReadWritePaths=/etc/containers/networks
+UMask=0077
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
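Review bot: `Network=host` in the `[Container]` section removes network isolation, so every port Frigate listens on becomes reachable on all of the host's interfaces; the `--uidmap`/`--gidmap` user namespace limits file and process privileges but does not restrict this. The reason for host networking is recorded only in the commit message, so I would add a comment above the line, e.g. `# Host networking works around Podman failing to unmount the netns on CoreOS; limit access to Frigate's ports with the host firewall.` Separately, `Image=` pins a tag, which the registry can repoint; appending a digest (`ghcr.io/blakeblackshear/frigate:0.12.1@sha256:<digest>`) would make the deployed image reproducible.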
diff --git a/frigate.yaml b/frigate.yaml
new file mode 100644
index 0000000..a2c4183
--- /dev/null
+++ b/frigate.yaml
@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+ files:
+ - path: /etc/containers/systemd/frigate.container
+ mode: 0644
+ contents:
+ local: frigate.container
+
+systemd:
+ units:
+ - name: frigate.service
+ enabled: true