r/frigate: Clean up Frigate role

* Switch to Quadlet-style `.container` for systemd unit
* Update to new image tag naming scheme (not arch-specific)
* Use environment variables for secrets
* Allow the entire `frigate_config` variable to be overridden

roles/frigate/defaults/main.yml

@@ -1,7 +1,16 @@
-frigate_image_tag: '{{ frigate_default_image_tag }}'
+frigate_image_tag: 0.12.1
+frigate_image: ghcr.io/blakeblackshear/frigate:{{ frigate_image_tag }}
 frigate_mqtt:
   host: localhost
 frigate_detectors:
   cpu:
     type: cpu
 frigate_cameras: {}
+frigate_enable_gpu: false
+frigate_enable_tpu: false
+frigate_shm_size: 256
+frigate_config:
+  mqtt: '{{ frigate_mqtt }}'
+  detectors: '{{ frigate_detectors }}'
+  cameras: '{{ frigate_cameras }}'
+frigate_env: {}

roles/frigate/tasks/main.yml

@@ -44,7 +44,7 @@
 
 - name: ensure frigate container image is available
   podman_image:
-    name: docker.io/blakeblackshear/frigate:{{ frigate_image_tag }}
+    name: '{{ frigate_image }}'
     tag: stable
     state: present
     force: '{{ frigate_update|d|bool }}'
@@ -54,22 +54,16 @@
   - container-image
   - container
 
-- name: ensure frigate systemd unit is installed
+- name: ensure frigate container unit is installed
   template:
-    src: frigate.service.j2
-    dest: /etc/systemd/system/frigate.service
-    mode: '0644'
+    src: frigate.container.j2
+    dest: /etc/containers/systemd/frigate.container
+    mode: u=rw,go=r
   notify:
   - reload systemd
   - restart frigate
   tags:
   - systemd
-- name: ensure frigate starts at boot
-  service:
-    name: frigate
-    enabled: true
-  tags:
-  - service
 
 - name: ensure frigate configuration directory exists
   file:
@@ -82,7 +76,7 @@
   - config
 - name: ensure frigate is configured
   copy:
-    dest: /etc/frigate/frigate.yml
+    dest: /etc/frigate/config.yml
     content: >-
       {{ frigate_config|to_nice_yaml(indent=2) }}
     mode: '0640'
@@ -92,13 +86,17 @@
   - restart frigate
   tags:
   - config
-
-- name: ensure frigate starts at boot
-  service:
-    name: frigate
-    enabled: true
+- name: ensure frigate environment is set
+  template:
+    src: frigate.environ.j2
+    dest: /etc/frigate/environ
+    mode: u=r,go=
+    owner: root
+    group: root
+  notify:
+  - restart frigate
   tags:
-  - service
+  - config
 
 - name: flush handlers
   meta: flush_handlers

roles/frigate/templates/frigate.container.j2

@@ -0,0 +1,45 @@
+# vim: set ft=systemd.jinja :
+[Unit]
+Description=Frigate NVR
+Wants=network-online.target
+After=network-online.target
+{% if frigate_enable_tpu %}
+Requires=dev-apex_0.device
+After=dev-apex_0.device
+{% endif %}
+RequiresMountsFor=/var/lib/frigate
+
+[Container]
+Image={{ frigate_image }}
+Pull=never
+PodmanArgs=--uidmap 0:{{ frigate_user.uid }}:1
+PodmanArgs=--gidmap 0:{{ frigate_user.group }}:1
+PodmanArgs=--uidmap 1:6000001:65536
+PodmanArgs=--gidmap 1:6000001:65536
+{% if frigate_shm_size|d %}
+PodmanArgs=--shm-size {{ frigate_shm_size }}m
+{% endif %}
+EnvironmentFile=/etc/frigate/environ
+Volume=/var/lib/frigate/media:/media/frigate:rw,z,U
+Volume=/var/lib/frigate/tmp:/tmp:rw,z,U
+Volume=/etc/frigate/config.yml:/config/config.yml:ro
+{% if frigate_enable_tpu %}
+AddDevice=/dev/apex_0
+{% endif %}
+{% if frigate_enable_gpu %}
+AddDevice=/dev/dri/renderD128
+{% endif %}
+AddCapability=CAP_PERFMON
+Network=host
+Annotation=org.systemd.property.KillMode='none'
+
+[Service]
+UMask=0077
+Restart=always
+RestartSec=1
+TimeoutStopSec=infinity
+StateDirectory=%N/tmp
+StateDirectory=%N/media
+
+[Install]
+WantedBy=multi-user.target

roles/frigate/templates/frigate.environ.j2

@@ -0,0 +1,3 @@
+{% for key, value in frigate_env.items() %}
+{{ key }}={{ value }}
+{% endfor %}

roles/frigate/vars/aarch64.yml

@@ -1 +0,0 @@
-frigate_default_image_tag: stable-aarch64

roles/frigate/vars/main.yml

@@ -1,6 +1,2 @@
 frigate_podman_packages:
 - podman
-frigate_config:
-  mqtt: '{{ frigate_mqtt }}'
-  detectors: '{{ frigate_detectors }}'
-  cameras: '{{ frigate_cameras }}'

roles/frigate/vars/x86_64.yml

@@ -1 +0,0 @@
-frigate_default_image_tag: stable-amd64