feat: Frigate

README.md

@@ -115,5 +115,6 @@ This repo is really standing on the shoulders of giants. Thank you to all those
 
 ## TODO
 
+- https://docs.k3s.io/installation/kube-dashboard
 - https://www.phillipsj.net/posts/k3s-enable-nfs-storage/
 - https://www.authelia.com/integration/kubernetes/chart/

collections/requirements.yml

@@ -4,3 +4,4 @@ collections:
   - name: community.general
   - name: ansible.posix
   - name: kubernetes.core
+  - name: community.docker

inventory/my-cluster/host_vars/frigate

@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.14
+ansible_ssh_pass: "{{ proxmox_api_password }}"

inventory/my-cluster/hosts.ini

@@ -10,6 +10,12 @@ k3s-agent-revali
 master
 node
 
+[lxc]
+frigate
+
+[lxc:children]
+k3s_cluster
+
 [baremetal]
 mipha
 epona

roles/frigate/install-app/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Create directory for docker-compose
+  ansible.builtin.file:
+    path: /root/docker/frigate/
+    state: directory
+    mode: "0755"
+
+- name: Copy docker-compose file
+  template:
+    src: "docker-compose.yml"
+    dest: /root/docker/frigate/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Run docker-compose
+  ansible.builtin.shell:
+  args:
+    cmd: docker compose up -d
+    chdir: /root/docker/frigate/

roles/frigate/install-app/templates/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.9"
+services:
+  frigate:
+    container_name: frigate
+    privileged: true
+    restart: unless-stopped
+    image: blakeblackshear/frigate:stable
+    shm_size: "256mb"
+    devices:
+      - /dev/bus/usb:/dev/bus/usb
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /config/config.yml:/config/config.yml:ro
+      - /db:/db
+      - type: tmpfs
+        target: /tmp/cache
+        tmpfs:
+          size: 1000000000
+    ports:
+      - "5000:5000"

roles/frigate/install-docker/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Get convenience script
+  uri:
+    url: "https://get.docker.com"
+    method: GET
+    dest: /tmp/get-docker.sh
+    mode: a+x
+    creates: /tmp/get-docker.sh
+
+- name: Execute script
+  ansible.builtin.shell: /tmp/get-docker.sh

roles/frigate/provision/cgroup/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Add cgroup rule
+  ansible.builtin.blockinfile:
+    path: /etc/pve/nodes/epona/lxc/605.conf
+    state: present
+    block: |
+      lxc.cgroup2.devices.allow: c 226:0 rwm
+      lxc.cgroup2.devices.allow: c 226:128 rwm
+      lxc.cgroup2.devices.allow: c 29:0 rwm
+      lxc.cgroup2.devices.allow: c 189:* rwm
+      lxc.apparmor.profile: unconfined
+      lxc.cgroup2.devices.allow: a
+      lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0, 0
+      lxc.mount.entry: /dev/bus/usb/002 dev/bus/usb/002 none bind,optional,create=dir 0, 0
+      lxc.cap.drop:
+      lxc.mount.auto: cgroup:rw

roles/frigate/provision/create/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Create container
+  community.general.proxmox:
+    vmid: 605
+    node: epona
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: frigate
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0':'name=eth0,\
+      gw=10.0.0.1,\
+      ip=10.0.2.14/21,\
+      hwaddr=44:ae:9f:cd:b9:2a,\
+      bridge=vmbr0'}"
+    cores: 1
+    memory: 6144
+    unprivileged: no
+    swap: 0
+    searchdomain: "home"
+    onboot: 1
+    mounts: '{"mp0":"/mnt/pve/hyrule-8tb-nfs/frigate/config,mp=/config","mp1":"/mnt/pve/hyrule-8tb-nfs/frigate/media,mp=/media/frigate","mp2":"local-lvm:16,mp=/db"}'
+    features:
+      - nesting=1
+      - keyctl=1
+    disk: local-lvm:30
+    force: yes

roles/frigate/provision/delete/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Stop container
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove containers
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: absent
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: "^10.0.2.14"

roles/frigate/provision/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 605 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 605 service ssh restart

roles/frigate/provision/start/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: 605
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started

roles/frigate/update/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+  ansible.builtin.apt:
+    name: "*"
+    update_cache: yes
+    state: latest

roles/k3s/dashboard/templates/dashboard.admin-user-role.yml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: admin-user
+    namespace: kubernetes-dashboard

roles/k3s/dashboard/templates/dashboard.admin-user.yml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kubernetes-dashboard

roles/longhorn/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Add longhorn dependencies
+  apt:
+    name: nfs-common open-iscsi util-linux
+    state: present
+
+- name: Add longhorn helm repo
+  kubernetes.core.helm_repository:
+    name: longhorn
+    repo_url: "https://charts.longhorn.io"
+
+- name: Update the repository cache
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: dummy
+    namespace: kube-system
+    state: absent
+    update_repo_cache: true
+
+- name: Deploy latest version of Longhorn chart inside longhorn-system namespace (and create it)
+  kubernetes.core.helm:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: longhorn
+    chart_ref: longhorn/longhorn
+    release_namespace: longhorn-system
+    create_namespace: true
+    chart_version: 1.2.4

roles/redis/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Create redis-server namespace
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    name: redis-server
+    api_version: v1
+    kind: Namespace
+    state: present
+
+- name: Create PersistentVolumeClaim
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'pvc.yml') | from_yaml }}"
+
+- name: Deploy redis
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+
+- name: Crete redis-server Service
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"

roles/redis/templates/deployment.yml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis-server
+  namespace: redis-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis-server
+  template:
+    metadata:
+      labels:
+        app: redis-server
+        name: redis-server
+    spec:
+      nodeSelector:
+        node-type: worker
+      containers:
+        - name: redis-server
+          image: redis
+          args: ["--appendonly", "yes"]
+          ports:
+            - name: redis-server
+              containerPort: 6379
+          volumeMounts:
+            - name: lv-storage
+              mountPath: /data
+          env:
+            - name: ALLOW_EMPTY_PASSWORD
+              value: "yes"
+      volumes:
+        - name: lv-storage
+          persistentVolumeClaim:
+            claimName: redis-pvc

roles/redis/templates/pvc.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-pvc
+  namespace: redis-server
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

roles/redis/templates/service.yml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-server
+  namespace: redis-server
+spec:
+  selector:
+    app: redis-server
+  type: LoadBalancer
+  ports:
+    - name: redis-port
+      protocol: TCP
+      port: 6379
+      targetPort: 6379
+  loadBalancerIP: 10.0.4.2

site.yml

@@ -1,66 +1,96 @@
 ---
-- hosts: localhost
+# - hosts: localhost
-  gather_facts: no
+#   gather_facts: no
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: provision/delete
+#     - role: k3s/provision/delete
 
-- hosts: localhost
+# - hosts: localhost
-  gather_facts: no
+#   gather_facts: now
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: provision/create
+#     - role: k3s/provision/create
 
-- hosts: baremetal
+# - hosts: baremetal
-  gather_facts: yes
+#   gather_facts: yes
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: provision/pre
+#     - role: k3s/provision/pre
-    - role: provision/cgroup
+#     - role: k3s/provision/cgroup
 
-- hosts: localhost
+# - hosts: localhost
-  gather_facts: no
+#   gather_facts: no
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: provision/start
+#     - role: k3s/provision/start
 
-- hosts: baremetal
+# - hosts: baremetal
-  gather_facts: yes
+#   gather_facts: yes
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: provision/enable-ssh
+#     - role: k3s/provision/enable-ssh
 
-- hosts: k3s_cluster
+# - hosts: k3s_cluster
-  gather_facts: yes
+#   gather_facts: yes
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: prereq
+#     - role: prereq
-    - role: download
+#     - role: download
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/master
+#     - role: k3s/master
 
-- hosts: node
+# - hosts: node
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/node
+#     - role: k3s/node
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/post
+#     - role: k3s/post
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/copy-config
+#     - role: k3s/copy-config
+
+# - hosts: localhost
+#   become: yes
+#   roles:
+#     - role: longhorn
+#     - role: traefik
+#     - role: nginx
+#     - role: cert-manager
+#     - role: authelia
+#     - role: redis
 
 - hosts: localhost
   become: yes
   roles:
-    - role: traefik
+    - role: frigate/provision/delete
-    - role: nginx
+    - role: frigate/provision/create
-    - role: cert-manager
+
-    - role: authelia
+- hosts: epona
+  become: yes
+  roles:
+    - role: frigate/provision/cgroup
+
+- hosts: localhost
+  become: yes
+  roles:
+    - role: frigate/provision/start
+
+- hosts: epona
+  become: yes
+  roles:
+    - role: frigate/provision/enable-ssh
+
+- hosts: frigate
+  become: yes
+  roles:
+    - role: frigate/update
+    - role: frigate/install-docker
+    - role: frigate/install-app