frigate: Manage state dir with tmpfiles.d

Since *frigate.service* runs as root, the directories created by `StateDirectory` are owned by root. The processes inside the container, therefore, cannot access them. Thus, we have to use `systemd-tmpfiles` to create the state directories with the appropriate permissions.
2023-09-19 10:44:34 -05:00 · 2023-09-19 10:44:34 -05:00 · ddd137a2e9
parent 2a0b23c9a8
commit ddd137a2e9
4 changed files with 15 additions and 2 deletions
--- a/frigate.container
+++ b/frigate.container
@ -12,14 +12,13 @@ PodmanArgs=--gidmap 0:209:1
 PodmanArgs=--uidmap 1:6000001:65536
 PodmanArgs=--gidmap 1:6000001:65536
 PodmanArgs=--shm-size 256m
-Volume=/var/lib/frigate:/media/frigate:rw,z
+Volume=/var/lib/frigate/media:/media/frigate:rw,z
 Volume=/var/lib/frigate/tmp:/tmp:rw,z
 Volume=/var/lib/frigate/config:/config:rw,z
 AddDevice=/dev/apex_0
 Network=host

 [Service]
-StateDirectory=%N/tmp %N/config
 PrivateTmp=yes
 ProtectSystem=full
 TemporaryFileSystem=/etc/containers/networks
--- a/frigate.sysusers
+++ b/frigate.sysusers
@ -0,0 +1,2 @@
+g frigate 209
+u frigate 209:209 "Frigate" /var/lib/frigate /sbin/nologin
--- a/frigate.tmpfiles
+++ b/frigate.tmpfiles
@ -0,0 +1,4 @@
+d /var/lib/frigate 0755 frigate frigate
+d /var/lib/frigate/config 0755 frigate frigate
+d /var/lib/frigate/media 0755 frigate frigate
+d /var/lib/frigate/tmp 0755 frigate frigate
--- a/frigate.yaml
+++ b/frigate.yaml
@ -7,6 +7,14 @@ storage:
    mode: 0644
    contents:
      local: frigate.container
+  - path: /etc/sysusers.d/frigate.conf
+    mode: 0644
+    contents:
+      local: frigate.sysusers
+  - path: /etc/tmpfiles.d/frigate.conf
+    mode: 0644
+    contents:
+      local: frigate.tmpfiles

 systemd:
  units: