From 684f1a33ba4b705557eebebbf8ffc8d5984e33d4 Mon Sep 17 00:00:00 2001 
From: Lino Silva Date: Fri, 25 Nov 2022 23:27:37 +0000 Subject: [PATCH] feat: Frigate --- README.md | 1 + collections/requirements.yml | 1 + inventory/my-cluster/host_vars/frigate | 5 + inventory/my-cluster/hosts.ini | 6 + roles/frigate/install-app/tasks/main.yml | 20 +++ .../install-app/templates/docker-compose.yml | 20 +++ roles/frigate/install-docker/tasks/main.yml | 11 ++ roles/frigate/provision/cgroup/tasks/main.yml | 16 +++ roles/frigate/provision/create/tasks/main.yml | 28 ++++ roles/frigate/provision/delete/tasks/main.yml | 26 ++++ .../provision/enable-ssh/tasks/main.yml | 8 ++ roles/frigate/provision/start/tasks/main.yml | 8 ++ roles/frigate/update/tasks/main.yml | 6 + .../templates/dashboard.admin-user-role.yml | 12 ++ .../templates/dashboard.admin-user.yml | 5 + .../{ => k3s}/provision/cgroup/tasks/main.yml | 0 .../{ => k3s}/provision/create/tasks/main.yml | 0 .../{ => k3s}/provision/delete/tasks/main.yml | 0 .../provision/enable-ssh/tasks/main.yml | 0 roles/{ => k3s}/provision/pre/tasks/main.yml | 0 .../{ => k3s}/provision/start/tasks/main.yml | 0 roles/longhorn/tasks/main.yml | 27 ++++ roles/redis/tasks/main.yml | 26 ++++ roles/redis/templates/deployment.yml | 35 +++++ roles/redis/templates/pvc.yml | 12 ++ roles/redis/templates/service.yml | 15 ++ site.yml | 134 +++++++++++------- 27 files changed, 370 insertions(+), 52 deletions(-) create mode 100644 inventory/my-cluster/host_vars/frigate create mode 100644 roles/frigate/install-app/tasks/main.yml create mode 100644 roles/frigate/install-app/templates/docker-compose.yml create mode 100644 roles/frigate/install-docker/tasks/main.yml create mode 100644 roles/frigate/provision/cgroup/tasks/main.yml create mode 100644 roles/frigate/provision/create/tasks/main.yml create mode 100644 roles/frigate/provision/delete/tasks/main.yml create mode 100644 roles/frigate/provision/enable-ssh/tasks/main.yml create mode 100644 roles/frigate/provision/start/tasks/main.yml create mode 100644 
roles/frigate/update/tasks/main.yml create mode 100644 roles/k3s/dashboard/templates/dashboard.admin-user-role.yml create mode 100644 roles/k3s/dashboard/templates/dashboard.admin-user.yml rename roles/{ => k3s}/provision/cgroup/tasks/main.yml (100%) rename roles/{ => k3s}/provision/create/tasks/main.yml (100%) rename roles/{ => k3s}/provision/delete/tasks/main.yml (100%) rename roles/{ => k3s}/provision/enable-ssh/tasks/main.yml (100%) rename roles/{ => k3s}/provision/pre/tasks/main.yml (100%) rename roles/{ => k3s}/provision/start/tasks/main.yml (100%) create mode 100644 roles/longhorn/tasks/main.yml create mode 100644 roles/redis/tasks/main.yml create mode 100644 roles/redis/templates/deployment.yml create mode 100644 roles/redis/templates/pvc.yml create mode 100644 roles/redis/templates/service.yml diff --git a/README.md b/README.md index e646717..37d7641 100644 --- a/README.md +++ b/README.md @@ -115,5 +115,6 @@ This repo is really standing on the shoulders of giants. Thank you to all those ## TODO +- https://docs.k3s.io/installation/kube-dashboard - https://www.phillipsj.net/posts/k3s-enable-nfs-storage/ - https://www.authelia.com/integration/kubernetes/chart/ diff --git a/collections/requirements.yml b/collections/requirements.yml index 0d176b4..6eadb5e 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -4,3 +4,4 @@ collections: - name: community.general - name: ansible.posix - name: kubernetes.core + - name: community.docker diff --git a/inventory/my-cluster/host_vars/frigate b/inventory/my-cluster/host_vars/frigate new file mode 100644 index 0000000..a30604b --- /dev/null +++ b/inventory/my-cluster/host_vars/frigate @@ -0,0 +1,5 @@ +--- + +ansible_user: root +ansible_host: 10.0.2.14 +ansible_ssh_pass: "{{ proxmox_api_password }}" diff --git a/inventory/my-cluster/hosts.ini b/inventory/my-cluster/hosts.ini index c2d8836..cfbd9f1 100644 --- a/inventory/my-cluster/hosts.ini +++ b/inventory/my-cluster/hosts.ini 
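Review bot: `ansible_ssh_pass: "{{ proxmox_api_password }}"` in inventory/my-cluster/host_vars/frigate reuses the hypervisor API password as the container's root SSH password, so a leak of either credential exposes both the Proxmox node and the guest. The create role in this same patch sets the container password from `lxc_password`, so the login may not even succeed unless both variables hold the same value. Point this at the container's own secret, `ansible_ssh_pass: "{{ lxc_password }}"`, or preferably switch the host to key-based login and drop the password variable. Neither variable's definition is visible in this patch, so confirm that both come from an encrypted vault file.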
@@ -10,6 +10,12 @@ k3s-agent-revali master node +[lxc] +frigate + +[lxc:children] +k3s_cluster + [baremetal] mipha epona diff --git a/roles/frigate/install-app/tasks/main.yml b/roles/frigate/install-app/tasks/main.yml new file mode 100644 index 0000000..85af274 --- /dev/null +++ b/roles/frigate/install-app/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Create directory for docker-compose + ansible.builtin.file: + path: /root/docker/frigate/ + state: directory + mode: "0755" + +- name: Copy docker-compose file + template: + src: "docker-compose.yml" + dest: /root/docker/frigate/docker-compose.yml + owner: root + group: root + mode: 0755 + +- name: Run docker-compose + ansible.builtin.shell: + args: + cmd: docker compose up -d + chdir: /root/docker/frigate/ diff --git a/roles/frigate/install-app/templates/docker-compose.yml b/roles/frigate/install-app/templates/docker-compose.yml new file mode 100644 index 0000000..7af0cbe --- /dev/null +++ b/roles/frigate/install-app/templates/docker-compose.yml @@ -0,0 +1,20 @@ +version: "3.9" +services: + frigate: + container_name: frigate + privileged: true + restart: unless-stopped + image: blakeblackshear/frigate:stable + shm_size: "256mb" + devices: + - /dev/bus/usb:/dev/bus/usb + volumes: + - /etc/localtime:/etc/localtime:ro + - /config/config.yml:/config/config.yml:ro + - /db:/db + - type: tmpfs + target: /tmp/cache + tmpfs: + size: 1000000000 + ports: + - "5000:5000" diff --git a/roles/frigate/install-docker/tasks/main.yml b/roles/frigate/install-docker/tasks/main.yml new file mode 100644 index 0000000..855b990 --- /dev/null +++ b/roles/frigate/install-docker/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Get convenience script + uri: + url: "https://get.docker.com" + method: GET + dest: /tmp/get-docker.sh + mode: a+x + creates: /tmp/get-docker.sh + +- name: Execute script + ansible.builtin.shell: /tmp/get-docker.sh 
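Review bot: In roles/frigate/install-app/tasks/main.yml the compose file is written with `mode: 0755`, unquoted and executable, while the directory task just above quotes its mode. A compose file is data, so `mode: "0644"` fits better (or `"0600"` if it ever carries credentials). The `Run docker-compose` task goes through `ansible.builtin.shell` with no `changed_when`, so it reports a change on every run and passes the command through a shell for no benefit. Since this commit adds `community.docker` to collections/requirements.yml, that collection's compose module (`community.docker.docker_compose_v2` in current releases) or at least `ansible.builtin.command` would be the narrower choice. The copy task also uses the short name `template` where the neighbouring tasks use fully qualified module names.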
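Review bot: `privileged: true` in roles/frigate/install-app/templates/docker-compose.yml gives the Frigate container every capability and access to all devices of its host, which makes the explicit `/dev/bus/usb` entry under `devices:` redundant and removes the isolation the device list was meant to provide. Drop `privileged` and keep only the device mappings the detector needs. `"5000:5000"` publishes the web UI on every interface; as far as I know Frigate serves that port without authentication, so bind it to one address (`"127.0.0.1:5000:5000"`) or put it behind the authenticating proxy the repo already has a role for. `image: blakeblackshear/frigate:stable` is a floating tag, and pinning a release tag or digest keeps a redeploy from silently changing the running code.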
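Review bot: roles/frigate/install-docker/tasks/main.yml downloads `https://get.docker.com` and executes it as root with no integrity check, so whatever that URL serves at run time runs on the host. The `creates:` guard only skips the download; the `Execute script` task has no guard of its own and reruns the installer on every play, and the script stays world-executable in `/tmp`. Installing from Docker's signed apt repository gives package signature verification and idempotence. The container template in this patch is Debian 11, so the sketch below assumes the `bullseye` suite; confirm that and the keyring path for your image.

```yaml
- name: Create keyring directory
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Fetch Docker apt signing key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

- name: Add Docker apt repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bullseye stable"
    state: present

- name: Install Docker engine and compose plugin
  ansible.builtin.apt:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
      - docker-compose-plugin
    state: present
    update_cache: true
```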
diff --git a/roles/frigate/provision/cgroup/tasks/main.yml b/roles/frigate/provision/cgroup/tasks/main.yml
new file mode 100644
index 0000000..8021cf8
--- /dev/null
+++ b/roles/frigate/provision/cgroup/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Add cgroup rule
+ ansible.builtin.blockinfile:
+ path: /etc/pve/nodes/epona/lxc/605.conf
+ state: present
+ block: |
+ lxc.cgroup2.devices.allow: c 226:0 rwm
+ lxc.cgroup2.devices.allow: c 226:128 rwm
+ lxc.cgroup2.devices.allow: c 29:0 rwm
+ lxc.cgroup2.devices.allow: c 189:* rwm
+ lxc.apparmor.profile: unconfined
+ lxc.cgroup2.devices.allow: a
+ lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0, 0
+ lxc.mount.entry: /dev/bus/usb/002 dev/bus/usb/002 none bind,optional,create=dir 0, 0
+ lxc.cap.drop:
+ lxc.mount.auto: cgroup:rw
diff --git a/roles/frigate/provision/create/tasks/main.yml b/roles/frigate/provision/create/tasks/main.yml
new file mode 100644
index 0000000..3a05122
--- /dev/null
+++ b/roles/frigate/provision/create/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Create container
+ community.general.proxmox:
+ vmid: 605
+ node: epona
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ password: "{{ lxc_password }}"
+ hostname: frigate
+ ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+ netif: "{'net0':'name=eth0,\
+ gw=10.0.0.1,\
+ ip=10.0.2.14/21,\
+ hwaddr=44:ae:9f:cd:b9:2a,\
+ bridge=vmbr0'}"
+ cores: 1
+ memory: 6144
+ unprivileged: no
+ swap: 0
+ searchdomain: "home"
+ onboot: 1
+ mounts: '{"mp0":"/mnt/pve/hyrule-8tb-nfs/frigate/config,mp=/config","mp1":"/mnt/pve/hyrule-8tb-nfs/frigate/media,mp=/media/frigate","mp2":"local-lvm:16,mp=/db"}'
+ features:
+ - nesting=1
+ - keyctl=1
+ disk: local-lvm:30
+ force: yes
diff --git a/roles/frigate/provision/delete/tasks/main.yml b/roles/frigate/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..7ecd07c
--- /dev/null
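Review bot: The block written to `/etc/pve/nodes/epona/lxc/605.conf` in roles/frigate/provision/cgroup/tasks/main.yml removes most of the container's confinement. `lxc.cgroup2.devices.allow: a` permits every device and makes the four specific `c 226:0`, `c 226:128`, `c 29:0` and `c 189:*` rules redundant, `lxc.apparmor.profile: unconfined` turns AppArmor off, and the empty `lxc.cap.drop:` clears the default capability drops. Together with `unprivileged: no` in the create role, root inside this container is close to root on the Proxmox node. Keep the specific device rules and the two mount entries, and drop the `allow: a`, `unconfined` and `lxc.cap.drop:` lines unless a concrete failure requires one, in which case a comment should name it. The node name and VMID `605` are hard-coded here and again in the create, delete, start and enable-ssh roles; one shared variable would keep them in step.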
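Review bot: Every Proxmox call in roles/frigate/provision/create/tasks/main.yml, and likewise in the delete and start roles, authenticates as `api_user: root@pam` with the account password, so the playbook holds full hypervisor root for a job that manages one container. The module also accepts `api_token_id` and `api_token_secret`; a token for a user restricted to container management on this node limits what a leaked vault or verbose log can be used for. `unprivileged: no` creates a privileged container. If device passthrough is the reason, a comment should say so, because with the cgroup role's settings little isolation from the node remains. The booleans `unprivileged: no` and `force: yes` are clearer as `false` and `true`.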
+++ b/roles/frigate/provision/delete/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Stop container
+ community.general.proxmox:
+ vmid: 605
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: stopped
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove containers
+ community.general.proxmox:
+ vmid: 605
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: absent
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+ ansible.builtin.lineinfile:
+ path: /Users/lino.silva/.ssh/known_hosts
+ state: absent
+ regexp: "^10.0.2.14"
diff --git a/roles/frigate/provision/enable-ssh/tasks/main.yml b/roles/frigate/provision/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..a42bd32
--- /dev/null
+++ b/roles/frigate/provision/enable-ssh/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+ ansible.builtin.command: lxc-attach -n 605 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+ ansible.builtin.command: lxc-attach -n 605 service ssh restart
diff --git a/roles/frigate/provision/start/tasks/main.yml b/roles/frigate/provision/start/tasks/main.yml
new file mode 100644
index 0000000..8c5db86
--- /dev/null
+++ b/roles/frigate/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+ community.general.proxmox:
+ vmid: 605
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: started
diff --git a/roles/frigate/update/tasks/main.yml b/roles/frigate/update/tasks/main.yml
new file mode 100644
index 0000000..66a65a4
--- /dev/null
+++ b/roles/frigate/update/tasks/main.yml
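Review bot: `regexp: "^10.0.2.14"` in the known_hosts task of roles/frigate/provision/delete/tasks/main.yml leaves the dots unescaped and has no end anchor, so it also deletes entries for addresses such as `10.0.2.140`. `regexp: '^10\.0\.2\.14[ ,]'` matches only this host, and `ansible.builtin.known_hosts` with `name: 10.0.2.14` and `state: absent` does the same without a hard-coded `/Users/lino.silva/...` path. Both Proxmox tasks set `ignore_errors: true`, which hides authentication and API failures along with the expected "container does not exist" case, and the play then carries on to a forced create. Dropping the host key on every rebuild also means each run accepts whatever key answers on that address, which matters more because the next login is root with a password.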
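Review bot: The `sed` in roles/frigate/provision/enable-ssh/tasks/main.yml sets `PermitRootLogin yes`, which opens password login for root over SSH on the container, and inventory/my-cluster/host_vars/frigate then logs in exactly that way. Because the play already has `lxc-attach` access, it could instead write a public key to `/root/.ssh/authorized_keys` and leave the default `prohibit-password` in place. The substitution matches only the exact commented default line, so on an image whose `sshd_config` differs it silently does nothing, and neither `ansible.builtin.command` task has a `changed_when`. The restart command also omits the `--` separator that the first `lxc-attach` call uses.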
@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+ ansible.builtin.apt:
+ name: "*"
+ update_cache: yes
+ state: latest
diff --git a/roles/k3s/dashboard/templates/dashboard.admin-user-role.yml b/roles/k3s/dashboard/templates/dashboard.admin-user-role.yml
new file mode 100644
index 0000000..d88c871
--- /dev/null
+++ b/roles/k3s/dashboard/templates/dashboard.admin-user-role.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: admin-user
+ namespace: kubernetes-dashboard
diff --git a/roles/k3s/dashboard/templates/dashboard.admin-user.yml b/roles/k3s/dashboard/templates/dashboard.admin-user.yml
new file mode 100644
index 0000000..54cabb7
--- /dev/null
+++ b/roles/k3s/dashboard/templates/dashboard.admin-user.yml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
diff --git a/roles/provision/cgroup/tasks/main.yml b/roles/k3s/provision/cgroup/tasks/main.yml
similarity index 100%
rename from roles/provision/cgroup/tasks/main.yml
rename to roles/k3s/provision/cgroup/tasks/main.yml
diff --git a/roles/provision/create/tasks/main.yml b/roles/k3s/provision/create/tasks/main.yml
similarity index 100%
rename from roles/provision/create/tasks/main.yml
rename to roles/k3s/provision/create/tasks/main.yml
diff --git a/roles/provision/delete/tasks/main.yml b/roles/k3s/provision/delete/tasks/main.yml
similarity index 100%
rename from roles/provision/delete/tasks/main.yml
rename to roles/k3s/provision/delete/tasks/main.yml
diff --git a/roles/provision/enable-ssh/tasks/main.yml b/roles/k3s/provision/enable-ssh/tasks/main.yml
similarity index 100%
rename from roles/provision/enable-ssh/tasks/main.yml
rename to roles/k3s/provision/enable-ssh/tasks/main.yml
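Review bot: roles/k3s/dashboard/templates/dashboard.admin-user-role.yml binds the `admin-user` ServiceAccount (defined in dashboard.admin-user.yml) to `cluster-admin`, so any token issued for that account carries full control of the cluster when pasted into the dashboard. If the dashboard is used for viewing, bind to the built-in `view` ClusterRole instead (`name: view` under `roleRef`), or use a namespaced RoleBinding for the namespaces that need it. If admin rights are genuinely needed, prefer short-lived tokens from `kubectl create token` over a long-lived token Secret, and keep the dashboard off any unauthenticated ingress or LoadBalancer. The diffstat shows no tasks file for this role, so nothing in this patch appears to apply the two templates; a comment or README line saying how they are meant to be used would help.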
diff --git a/roles/provision/pre/tasks/main.yml b/roles/k3s/provision/pre/tasks/main.yml
similarity index 100%
rename from roles/provision/pre/tasks/main.yml
rename to roles/k3s/provision/pre/tasks/main.yml
diff --git a/roles/provision/start/tasks/main.yml b/roles/k3s/provision/start/tasks/main.yml
similarity index 100%
rename from roles/provision/start/tasks/main.yml
rename to roles/k3s/provision/start/tasks/main.yml
diff --git a/roles/longhorn/tasks/main.yml b/roles/longhorn/tasks/main.yml
new file mode 100644
index 0000000..f6ce698
--- /dev/null
+++ b/roles/longhorn/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Add longhorn dependencies
+ apt:
+ name: nfs-common open-iscsi util-linux
+ state: present
+
+- name: Add longhorn helm repo
+ kubernetes.core.helm_repository:
+ name: longhorn
+ repo_url: "https://charts.longhorn.io"
+
+- name: Update the repository cache
+ kubernetes.core.helm:
+ kubeconfig: /Users/lino.silva/.kube/config
+ name: dummy
+ namespace: kube-system
+ state: absent
+ update_repo_cache: true
+
+- name: Deploy latest version of Longhorn chart inside longhorn-system namespace (and create it)
+ kubernetes.core.helm:
+ kubeconfig: /Users/lino.silva/.kube/config
+ name: longhorn
+ chart_ref: longhorn/longhorn
+ release_namespace: longhorn-system
+ create_namespace: true
+ chart_version: 1.2.4
diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml
new file mode 100644
index 0000000..2818631
--- /dev/null
+++ b/roles/redis/tasks/main.yml
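Review bot: `name: nfs-common open-iscsi util-linux` in the first task of roles/longhorn/tasks/main.yml passes three packages as one space-separated string. The apt module splits a string `name` on commas, so this is likely treated as a single, non-existent package; a YAML list with one package per item is unambiguous. The commented-out play in site.yml lists this role under `hosts: localhost`, and the kubeconfig path `/Users/lino.silva/.kube/config` suggests a workstation, whereas Longhorn needs these packages on the cluster nodes, so the apt task probably belongs in a play against `k3s_cluster`. That absolute kubeconfig path is repeated in every task here and in roles/redis/tasks/main.yml, and a variable would keep the roles usable from another account. The last task's name says "latest" while `chart_version: 1.2.4` pins a release; keep the pin, quoted as a string, and fix the name.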
@@ -0,0 +1,26 @@
+---
+- name: Create redis-server namespace
+ kubernetes.core.k8s:
+ kubeconfig: /Users/lino.silva/.kube/config
+ name: redis-server
+ api_version: v1
+ kind: Namespace
+ state: present
+
+- name: Create PersistentVolumeClaim
+ kubernetes.core.k8s:
+ kubeconfig: /Users/lino.silva/.kube/config
+ state: present
+ definition: "{{ lookup('template', 'pvc.yml') | from_yaml }}"
+
+- name: Deploy redis
+ kubernetes.core.k8s:
+ kubeconfig: /Users/lino.silva/.kube/config
+ state: present
+ definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+
+- name: Crete redis-server Service
+ kubernetes.core.k8s:
+ kubeconfig: /Users/lino.silva/.kube/config
+ state: present
+ definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
diff --git a/roles/redis/templates/deployment.yml b/roles/redis/templates/deployment.yml
new file mode 100644
index 0000000..a26006b
--- /dev/null
+++ b/roles/redis/templates/deployment.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-server
+ namespace: redis-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis-server
+ template:
+ metadata:
+ labels:
+ app: redis-server
+ name: redis-server
+ spec:
+ nodeSelector:
+ node-type: worker
+ containers:
+ - name: redis-server
+ image: redis
+ args: ["--appendonly", "yes"]
+ ports:
+ - name: redis-server
+ containerPort: 6379
+ volumeMounts:
+ - name: lv-storage
+ mountPath: /data
+ env:
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ volumes:
+ - name: lv-storage
+ persistentVolumeClaim:
+ claimName: redis-pvc
diff --git a/roles/redis/templates/pvc.yml b/roles/redis/templates/pvc.yml
new file mode 100644
index 0000000..fa083a2
--- /dev/null
+++ b/roles/redis/templates/pvc.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: redis-pvc
+ namespace: redis-server
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 5Gi
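Review bot: The container in roles/redis/templates/deployment.yml runs Redis with no authentication, since the only server argument is `--appendonly yes`. As far as I know `ALLOW_EMPTY_PASSWORD` is read by the Bitnami image rather than the official `redis` image used here, so that env entry has no effect and only obscures the fact that no password is set. Because service.yml in this patch exposes the pod through a LoadBalancer, pass `--requirepass` from a Secret: an env var with `secretKeyRef`, referenced as `$(REDIS_PASSWORD)` in `args`. `image: redis` carries no tag, so a pod restart can pull a different major version against the same persistent `/data` volume; pin a version. The pod spec also sets no `resources` or `securityContext`.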
diff --git a/roles/redis/templates/service.yml b/roles/redis/templates/service.yml
new file mode 100644
index 0000000..3fe467d
--- /dev/null
+++ b/roles/redis/templates/service.yml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-server
+ namespace: redis-server
+spec:
+ selector:
+ app: redis-server
+ type: LoadBalancer
+ ports:
+ - name: redis-port
+ protocol: TCP
+ port: 6379
+ targetPort: 6379
+ loadBalancerIP: 10.0.4.2
diff --git a/site.yml b/site.yml
index a341f1e..01d486a 100644
--- a/site.yml
+++ b/site.yml
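Review bot: `type: LoadBalancer` with `loadBalancerIP: 10.0.4.2` in roles/redis/templates/service.yml publishes port 6379 on the LAN, and the deployment it selects runs Redis without a password. If only in-cluster workloads use it, `type: ClusterIP` removes the exposure. If LAN clients need it, require authentication first and restrict sources with `loadBalancerSourceRanges` or a NetworkPolicy; whether the cluster's load-balancer implementation honours source ranges needs checking. `spec.loadBalancerIP` is deprecated in recent Kubernetes releases in favour of implementation-specific annotations, so a comment naming the load balancer in use would help the next reader.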
@@ -1,66 +1,96 @@ --- -- hosts: localhost - gather_facts: no - become: yes - roles: - - role: provision/delete +# - hosts: localhost +# gather_facts: no +# become: yes +# roles: +# - role: k3s/provision/delete -- hosts: localhost - gather_facts: no - become: yes - roles: - - role: provision/create +# - hosts: localhost +# gather_facts: now +# become: yes +# roles: +# - role: k3s/provision/create -- hosts: baremetal - gather_facts: yes - become: yes - roles: - - role: provision/pre - - role: provision/cgroup +# - hosts: baremetal +# gather_facts: yes +# become: yes +# roles: +# - role: k3s/provision/pre +# - role: k3s/provision/cgroup -- hosts: localhost - gather_facts: no - become: yes - roles: - - role: provision/start +# - hosts: localhost +# gather_facts: no +# become: yes +# roles: +# - role: k3s/provision/start -- hosts: baremetal - gather_facts: yes - become: yes - roles: - - role: provision/enable-ssh +# - hosts: baremetal +# gather_facts: yes +# become: yes +# roles: +# - role: k3s/provision/enable-ssh -- hosts: k3s_cluster - gather_facts: yes - become: yes - roles: - - role: prereq - - role: download +# - hosts: k3s_cluster +# gather_facts: yes +# become: yes +# roles: +# - role: prereq +# - role: download -- hosts: master - become: yes - roles: - - role: k3s/master +# - hosts: master +# become: yes +# roles: +# - role: k3s/master -- hosts: node - become: yes - roles: - - role: k3s/node +# - hosts: node +# become: yes +# roles: +# - role: k3s/node -- hosts: master - become: yes - roles: - - role: k3s/post +# - hosts: master +# become: yes +# roles: +# - role: k3s/post -- hosts: master - become: yes - roles: - - role: k3s/copy-config +# - hosts: master +# become: yes +# roles: +# - role: k3s/copy-config + +# - hosts: localhost +# become: yes +# roles: +# - role: longhorn +# - role: traefik +# - role: nginx +# - role: cert-manager +# - role: authelia +# - role: redis - hosts: localhost become: yes roles: - - role: traefik - - role: nginx - - role: 
cert-manager - - role: authelia + - role: frigate/provision/delete + - role: frigate/provision/create + +- hosts: epona + become: yes + roles: + - role: frigate/provision/cgroup + +- hosts: localhost + become: yes + roles: + - role: frigate/provision/start + +- hosts: epona + become: yes + roles: + - role: frigate/provision/enable-ssh + +- hosts: frigate + become: yes + roles: + - role: frigate/update + - role: frigate/install-docker + - role: frigate/install-app