From 7a3a385eb5ef16c22a9cd86b61ce821c0ad876d6 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 4 Feb 2024 17:07:19 +0000
Subject: [PATCH] Add frigate host

---
 group_vars/frigate.yml | 23 ++++++
 host_vars/frigate02.home.foo.sh.yml | 13 +++
 hosts.yml | 4 +
 playbooks/frigate.yml | 82 +++++++++++++++++++
 ... => unbound.conf.frigate02.home.foo.sh.j2} | 0
 5 files changed, 122 insertions(+)
 create mode 100644 group_vars/frigate.yml
 create mode 100644 host_vars/frigate02.home.foo.sh.yml
 create mode 100644 playbooks/frigate.yml
 rename roles/unbound/templates/{unbound.conf.zm02.home.foo.sh.j2 => unbound.conf.frigate02.home.foo.sh.j2} (100%)

diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml
new file mode 100644
index 0000000..03177dc
--- /dev/null
+++ b/group_vars/frigate.yml
@@ -0,0 +1,23 @@
+---
+mem_size: 4096
+num_cpus: 2
+datadisks:
+  - {size: 500}
+
+network_vip_interfaces:
+  - device: eth1
+    vhid: 26
+    ipaddr: 172.20.26.1
+    netmask: 255.255.0.0
+    pass: "{{ vip26_pass }}"
+
+zm_mysql_host: sqldb02.home.foo.sh
+dhcpd_template: dhcpd.conf.cam.j2
+
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+firewall_raw:
+  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
+  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml
new file mode 100644
index 0000000..cc597b3
--- /dev/null
+++ b/host_vars/frigate02.home.foo.sh.yml
@@ -0,0 +1,13 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: eth0
+    vlan: 20
+    mac: "52:54:00:ac:dc:8c"
+    nameservers: []
+  - device: eth1
+    vlan: 26
+    ipaddr: 172.20.26.3
+    netmask: 255.255.255.0
+    proto: static
+    nameservers: [172.20.26.1, 172.20.26.3]
diff --git a/hosts.yml b/hosts.yml
index 5931786..2317395 100644
--- a/hosts.yml
+++ b/hosts.yml
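Review bot: The eth1 VIP in `network_vip_interfaces` is given `netmask: 255.255.0.0`, while the same interface in host_vars/frigate02.home.foo.sh.yml uses `netmask: 255.255.255.0` and the playbook's chrony rule treats the camera network as 172.20.26.0/24; if the role derives a connected route from the VIP mask, a /16 on eth1 would also cover the eth0 management range, so I would expect `netmask: 255.255.255.0` here unless the /16 is intentional. `firewall_in` only opens 22, 443 and 9100 from 172.20.20.0/22, yet this host is meant to serve DNS, DHCP and NTP to 172.20.26.0/24; unless the unbound and dhcpd roles add their own rules, at least an entry along the lines of `- {proto: udp, port: 123, from: [172.20.26.0/24]}` is missing for the chrony `allow` the playbook adds. `zm_mysql_host` looks carried over from the zm02 host this replaces (the unbound template is renamed from it) and nothing visible in this commit consumes it; drop it or add a comment saying why frigate needs it.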
@@ -13,6 +13,9 @@ dnagw:
   hosts:
     dna-gw01.home.foo.sh:
     dna-gw02.home.foo.sh:
+frigate:
+  hosts:
+    frigate02.home.foo.sh:
 fsolgw:
   hosts:
     fsol-gw01.home.foo.sh:
@@ -144,6 +147,7 @@ openbsd:
 rocky8:
   children:
     collab:
+    frigate:
     homeassistant:
     mail:
     minecraft:
diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml
new file mode 100644
index 0000000..9da0eb3
--- /dev/null
+++ b/playbooks/frigate.yml
@@ -0,0 +1,82 @@
+---
+- name: Deploy KVM virtual machines
+  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+  vars:
+    myhosts: frigate
+
+- name: Configure instance
+  hosts: frigate
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  pre_tasks:
+    - name: Mount /export
+      ansible.posix.mount:
+        name: /export
+        src: LABEL=/export
+        fstype: xfs
+        opts: noatime,noexec,nosuid,nodev
+        passno: "0"
+        dump: "0"
+        state: mounted
+
+  roles:
+    - base
+    - mod_auth_gssapi
+    - role: keytab
+      keytab_path: /etc/httpd/httpd.keytab
+      keytab_principals: HTTP/cctv.foo.sh@FOO.SH
+      keytab_group: apache
+
+  tasks:
+    - name: Run handlers to get interfaces configured
+      ansible.builtin.meta: flush_handlers
+
+    - name: Copy DNS zone files
+      ansible.builtin.copy:
+        dest: "/var/lib/unbound/{{ item }}"
+        src: "/srv/dns/{{ item }}"
+        mode: "0644"
+        owner: root
+        group: "{{ ansible_wheel }}"
+      tags: dns
+      notify: Restart unbound
+      with_items:
+        - 26.20.172.in-addr.arpa
+        - cam.foo.sh
+
+    - name: Include unbound role
+      ansible.builtin.import_role:
+        name: unbound
+
+    - name: Include dhcpd role
+      ansible.builtin.include_role:
+        name: dhcpd
+
+    - name: Include frigate role
+      ansible.builtin.include_role:
+        name: frigate
+
+    - name: Require authentication for frigate
+      ansible.builtin.copy:
+        dest: /etc/httpd/conf.local.d/frigate-auth.conf
+        content: |
+
+          AuthType GSSAPI
+          GssapiBasicAuth On
+          AuthName "Password Required"
+          Require valid-user
+
+        mode: "0644"
+        owner: root
+        group: "{{ ansible_wheel }}"
+      notify: Restart apache
+
+    - name: Enable NTP server for cam network
+      ansible.builtin.lineinfile:
+        path: /etc/chrony.conf
+        regexp: "^#?allow .*"
+        line: "allow 172.20.26.0/24"
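Review bot: The `Enable NTP server for cam network` task edits /etc/chrony.conf with `lineinfile` but carries no `notify:`, so the new `allow 172.20.26.0/24` only takes effect at the next chronyd restart; add a `notify:` to a chronyd restart handler (if the base role already defines one) or a follow-up restart task. The `content: |` block of frigate-auth.conf shows two empty lines, before `AuthType GSSAPI` and after `Require valid-user`, exactly where a container such as `<Location />` would have to sit for `AuthType` to be valid, so either this page lost them in rendering or the committed file is broken; worth confirming against the repository. `GssapiBasicAuth On` accepts a username and password in the Authorization header, so this vhost must only be reachable over TLS; the group firewall opening only 443 suggests that is the case, but a comment above the task such as `# Basic fallback sends credentials: keep this vhost HTTPS-only` would spare the next reader the check. Minor style: `with_items` on the zone-file copy would be `loop:` in current Ansible, matching the FQCN module names used everywhere else in the play.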
diff --git a/roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2
similarity index 100%
rename from roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2
rename to roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2