Using nginx, we can expose the Frigate web server via HTTPS. Since
Frigate has no built-in authentication, we need to use Authelia via the
nginx proxy auth feature.
Since Fedora CoreOS machines are not managed by Ansible, we need another
way to keep the HTTPS certificate up-to-date. To that end, I've added
the `fetchcert.sh` script, along with a corresponding systemd service
and timer unit, that will fetch the latest certificate from the Secret
resource managed by the Kubernetes API. The script authenticates with
a long-lived bearer token associated with a particular Kubernetes
service account and downloads the current Secret to a local file. If
the certificate in the Secret is different than the one already in
place, the certificate and key files are updated and nginx is reloaded.
The `collectd.yaml` Butane configuration fragment configures the machine
to install *collectd* and its various plugin packages directly on the
host using `rpm-ostree` (via *install-packages.service*).
Some machines may need to install multiple packages for separate use
cases. Requiring each use case to define a systemd unit that runs
`rpm-ostree install` directly would be cumbersome and also quite slow,
as each one would have to run in turn. Instead, now there is a single
*install-packages.service* which installs all of the packages listed in
files in `/etc/ignition/packages.d`. On first boot, all files in that
directory are read and all the packages they list will be installed in a
single `rpm-ostree install` invocation.
When`ProtectSystem` is enabled, systemd sets up a separate mount
namespace for the service. Unfortunately, this appears to interfere
with Podman and prevents it from cleaning up containers on shutdown.
To keep the API key a secret, we're encrypting the environment file in
the repository with GnuPG. The decrypted copy only lives in the work
tree and is never committed. Changes have to be re-encrypted and
committed.
Enabling hardware acceleration using VA-API dramatically reduces
`ffmpeg` CPU usage. For this to work, the Frigate container needs
access to the DRI device node.
Since *frigate.service* runs as root, the directories created by
`StateDirectory` are owned by root. The processes inside the container,
therefore, cannot access them. Thus, we have to use `systemd-tmpfiles`
to create the state directories with the appropriate permissions.
When developing Butane/Ignition files, I frequently forget to update the
parent files after making a change to an included file. This causes a
lot of wasted time re-provisioning, only to discover that my change
did not take effect. To alleviate this, we'll use `make` with some
macro magic to scan the Butane files for their dependencies, and let it
generate whatever Ignition files need updating any time a dependant file
changes.
I've also added a "publish" step to the Makefile, since I also
frequently forget to upload the regenerated Ignition files to the
server, causing the same headaches.
The *frigate* container must run as root, so we use a custom user
namespace to map root in the container to an unprivilged user on the
host.
For some reason, Podman (on CoreOS anyway) fails to stop a container
that uses a separate network namespace. It reports "invalid argument"
when attempting to unmount the `netns` file, which then causes the
container to get "stuck" in `Storage` state. Rebooting the host is
apparently the only way to get the container to start again correctly.
Fortunately, there's no particular reason to use an alternate network
namespace for Frigate, so it can use the host's network and avoid this
problem.
The *gasket-driver* container installs the `gasket` and `apex` kernel
modules, which provide the driver for the Google Coral EdgeTPU AI
accellerator module. The container image must be built ahead of time,
of course, and contains modules built for a specific Fedora kernel
version.
The udev rule has two purposes: to set the permissions on the device
node so that any user on the system can access it, and to "tag" the
device so that systemd will generate a `.device` unit for it. The
latter allows other units (e.g. Frigate) to express a `Requires=` and
`After=` dependency on the device unit, so that they do not start until
the driver is loaded.
The first host running Fedora CoreOS (FCOS) is
*k8s-aarch64-n0.pyrocufflink.blue*. This is a Raspberry Pi 4 that is a
specialized member of the Kubernetes cluster. It hosts the Zigbee2MQTT
and ZWaveJS2MQTT containers, and has the Zigbee and ZWave controller USB
devices attached.
Dustin