frigate: Run Frigate in a container

The *frigate* container must run as root, so we use a custom user
namespace to map root in the container to an unprivilged user on the
host.

For some reason, Podman (on CoreOS anyway) fails to stop a container
that uses a separate network namespace.  It reports "invalid argument"
when attempting to unmount the `netns` file, which then causes the
container to get "stuck" in `Storage` state.  Rebooting the host is
apparently the only way to get the container to start again correctly.
Fortunately, there's no particular reason to use an alternate network
namespace for Frigate, so it can use the host's network and avoid this
problem.

frigate.container

@@ -0,0 +1,31 @@
+[Unit]
+Description=Frigate NVR
+Wants=network-online.target
+After=network-online.target
+Requires=dev-apex_0.device
+After=dev-apex_0.device
+
+[Container]
+Image=ghcr.io/blakeblackshear/frigate:0.12.1
+PodmanArgs=--uidmap 0:209:1
+PodmanArgs=--gidmap 0:209:1
+PodmanArgs=--uidmap 1:6000001:65536
+PodmanArgs=--gidmap 1:6000001:65536
+PodmanArgs=--shm-size 256m
+Volume=/var/lib/frigate:/media/frigate:rw,z
+Volume=/var/lib/frigate/tmp:/tmp:rw,z
+Volume=/var/lib/frigate/config:/config:rw,z
+AddDevice=/dev/apex_0
+Network=host
+
+[Service]
+StateDirectory=%N/tmp %N/config
+PrivateTmp=yes
+ProtectSystem=full
+TemporaryFileSystem=/etc/containers/networks
+ReadWritePaths=/etc/containers/networks
+UMask=0077
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

frigate.yaml

@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+  files:
+  - path: /etc/containers/systemd/frigate.container
+    mode: 0644
+    contents:
+      local: frigate.container
+
+systemd:
+  units:
+  - name: frigate.service
+    enabled: true