diff --git a/frigate.yml b/frigate.yml
index 0112a7b..800848e 100644
--- a/frigate.yml
+++ b/frigate.yml
@@ -1,4 +1,6 @@
- hosts: frigate
roles:
+ - role: gasket-dkms
+ tags: gasket-dkms
- role: frigate
tags: frigate
diff --git a/roles/gasket-dkms/defaults/main.yml b/roles/gasket-dkms/defaults/main.yml
new file mode 100644
index 0000000..c6498ea
--- /dev/null
+++ b/roles/gasket-dkms/defaults/main.yml
@@ -0,0 +1 @@
+gasket_dkms_copr: kylegospo/google-coral-dkms
diff --git a/roles/gasket-dkms/files/sign.dkms.conf b/roles/gasket-dkms/files/sign.dkms.conf
new file mode 100644
index 0000000..90c7508
--- /dev/null
+++ b/roles/gasket-dkms/files/sign.dkms.conf
@@ -0,0 +1,4 @@
+# vim set ft=sh :
+sign_tool='/etc/dkms/sign_helper.sh'
+mok_signing_key='/etc/pki/tls/private/dkms.key'
+mok_certificate='/etc/pki/tls/certs/dkms.der'
diff --git a/roles/gasket-dkms/handlers/main.yml b/roles/gasket-dkms/handlers/main.yml
new file mode 100644
index 0000000..9255fc8
--- /dev/null
+++ b/roles/gasket-dkms/handlers/main.yml
@@ -0,0 +1,25 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+ shell: |
+ mokutil --import /etc/pki/tls/certs/dkms.der <-
+ The machine will now reboot and you must manually enroll the MOK.
+ Pres ENTER to continue
+
+- name: reboot the system
+ reboot:
+ reboot_timeout: 300
+ tags:
+ - reboot
diff --git a/roles/gasket-dkms/tasks/main.yml b/roles/gasket-dkms/tasks/main.yml
new file mode 100644
index 0000000..e5956d6
--- /dev/null
+++ b/roles/gasket-dkms/tasks/main.yml
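Review bot: `gasket_dkms_copr` points at a personal COPR project, and nothing in defaults/main.yml records that this is a third-party source or why it was chosen, even though the signing key created by this role will sign whatever dkms builds from it, so the trust placed in that repository is effectively extended to the kernel. A comment above the key would help whoever evaluates a future change, e.g. `# Third-party COPR (individual maintainer) providing the gasket-dkms package; review the project before changing this.` If the upstream project is ever pinned to a specific build or commit, that would be the place to note it as well.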
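Review bot: The modeline on the first line of sign.dkms.conf is malformed: `# vim set ft=sh :` lacks the colon after `vim`, so Vim ignores it; it should read `# vim: set ft=sh :`, matching the form used in handlers/main.yml and tasks/main.yml. The key and certificate paths in `mok_signing_key` and `mok_certificate` must agree with the `-keyout` and `-out` arguments of the openssl task in tasks/main.yml, and that coupling is not recorded anywhere; a one-line comment such as `# paths must match the openssl req task in tasks/main.yml` would keep them from drifting apart.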
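Review bot: The `enroll uefi mok` handler runs `mokutil --import` through `shell`, and the `include_vars: vault/dkms` task in tasks/main.yml suggests the MOK enrolment password is fed to that command from vaulted variables; as written, the rendered command, including any secret it carries, is stored in the task result and printed with `-v` or on failure. Adding `no_log: true` to that handler keeps the password out of logs and CI output. This hunk also appears truncated in this rendering (the header announces 25 lines but fewer are visible, and the `<-` fragment looks like a cut heredoc), so the exact shape of the command should be checked against the repository. Separately, the prompt text has a typo: `Pres ENTER to continue` should read `Press ENTER to continue`.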
@@ -0,0 +1,64 @@
+# vim: set ft=yaml.jinja :
+- name: load secrets
+ include_vars: vault/dkms
+
+- name: ensure prerequisite packages are installed
+ package:
+ name:
+ - dkms
+ - dnf-command(copr)
+ - mokutil
+ - openssl
+ state: present
+ tags:
+ - install
+
+- name: ensure dkms module signing key is present
+ command:
+ openssl req
+ -new
+ -x509
+ -newkey rsa:4096
+ -keyout /etc/pki/tls/private/dkms.key
+ -nodes
+ -subj '/CN=DKMS Modules'
+ -days 3650
+ -outform DER
+ -out /etc/pki/tls/certs/dkms.der
+ args:
+ creates: /etc/pki/tls/certs/dkms.der
+ notify:
+ - enroll uefi mok
+ tags:
+ - cert
+ - dkms
+
+- name: ensure dkms is configured to sign modules with the mok
+ copy:
+ src: sign.dkms.conf
+ dest: /etc/dkms/framework.conf.d/10-sign.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - config
+ - dkms
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure gasket dkms copr is enabled
+ command:
+ dnf copr enable -y {{ gasket_dkms_copr }}
+ args:
+ creates: /etc/yum.repos.d/{{ gasket_dkms_copr_repo_filename }}
+ tags:
+ - copr
+ - repo
+
+- name: ensure gasket-dkms is installed
+ package:
+ name: gasket-dkms
+ state: present
+ tags:
+ - install
diff --git a/roles/gasket-dkms/vars/main.yml b/roles/gasket-dkms/vars/main.yml
new file mode 100644
index 0000000..80db820
--- /dev/null
+++ b/roles/gasket-dkms/vars/main.yml
@@ -0,0 +1,2 @@
+gasket_dkms_copr_repo_filename: >-
+ _copr:copr.fedorainfracloud.org:{{ gasket_dkms_copr | replace("/", ":")}}.repo
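Review bot: The `ensure dkms module signing key is present` task writes an unencrypted private key (`-nodes`) to `/etc/pki/tls/private/dkms.key`, but nothing in the role sets that file's owner or mode; recent openssl releases normally create `-keyout` files owner-only, yet the task is skipped whenever the certificate already exists, so a key placed earlier with looser permissions is never corrected, and anyone who can read it can produce modules the kernel will trust once the MOK is enrolled. An explicit `file:` task after it, as below, makes the intent enforceable and idempotent. The same task's `creates: /etc/pki/tls/certs/dkms.der` checks only the certificate, so a missing key beside a surviving certificate is not regenerated; a `stat` on both paths, or a guard on the key as well, would close that gap. Consider also `no_log: true` on the `load secrets` task, since `include_vars` returns the loaded variables in its result and they are printed at higher verbosity.
```yaml
# … unchanged: ensure dkms module signing key is present …
- name: ensure dkms module signing key is root-only
  file:
    path: /etc/pki/tls/private/dkms.key
    owner: root
    group: root
    mode: "0600"
  tags:
    - cert
    - dkms
# … unchanged: ensure dkms is configured to sign modules with the mok …
```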