Skip to content

Ansible automation for installing the Frigate security system as a stand-alone server

License

Notifications You must be signed in to change notification settings

drikster80/ansible-frigate-standalone

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Overview

This Ansible code automates the deployment of a frigate server on VM or Bare Metal, with optional OAuth2 & HTTPS support.

Login with Google

Includes roles and variables to support optional configurations:

Configuration Details
Coral.AI PCI device Installs drivers for the Coral M.2 PCI device. Passes into container
Nvidia GPU (encoding/decoding) Installs drivers, CUDA, and container-toolkit. Configures container to support GPU decoding
Google OAuth2 Login Installs oauth2-proxy for SSL termination and configures OAuth2. Rather than setting up a home auth system, just use "Login with Google". ¯\(ツ)/¯ Can specify which email addresses should be allowed to access the service
Isolated Camera Network Configures optional interface that segregates the camera network from the internet-accessible network for additional security

NOTE: Not every configuration combination has been tested. Tested using Ubuntu 22.04.3 Server (no graphical interface). I've tried to account for a lot of different situations, but your results may vary. Feel free to submit an Issue or Pull Request if you find something that doesn't work.

ToDo List:

  • Create variable for camera video encoding (currently defaulted to H.265)
  • Separate the Nvidia container-toolkit from CUDA package list. DONE!
  • Allow use of own certificates for HTTPS
  • Refactor ansible variable precedence to be clear how to override variables DONE!
  • Test on Ubuntu Desktop and a few different versions
  • Ensure all scripts are idempotent and can be run multiple times (currently not idempotent due to docker-compose-excerpt.yml.j2 process)

Quickstart Installation

Ansible should be run from a separate linux or WSL host that has passwordless ssh and passwordless sudo access to the Ubuntu server. For instructions on setting up the host, installing ansible, setting up SSH/password-less sudo see "Setup_Details.md".

There is an example config.yml template that can be modified. It automatically configures the Coral AI and Nvidia GPU requirements, however if you already know what your end-state config will be, you can just replace the contents of this file with your config and it will copy it to the correct location (/opt/frigate/config/config.yml). Or you can keep the defaults and modify it in the webUI.

Clone the repo and install requirements

git clone https://github.com/drikster80/ansible-frigate-standalone.git

cd ansible-main
ansible-galaxy install -r requirements.yml

Set initial variables

Open the inventories/frigate.yml and set the following variables:

      ansible_host: '<INSERT IP OF TARGET>'    # IP of new target server
      ansible_user: 'frigate'                  # Username for the target server with passwordless ssh & sudo

Next, update the config in the server_config.yml for your needs. Below are the minimum variables that should be set.

Variable Description Value Types default Notes
ansible_host Target frigate system IP address or hostname (String) None
ansible_user Username to of target system Username (String) frigate Also sets docker_users and coral_ai_drivers_user
access_interface Interface used for webserver String ens33 Sets interface to Firewalld 'public' zone & opens correct ports depending on oauth2 usage
camera_network_interface Interface used for camera network String eno4np2 Sets interface to Firewalld 'dmz' zone & closes all inbound ports
camera_rtsp_user Username of camera(s) username admin
camera_rtsp_password Password of camera(s) username ChangeMeNow!
nvidia_gpu_present Is a GPU used for encoding/decoding Boolean false
coral_pci_present Is a Coral.AI PCI device used Boolean false
oauth2_enable Enable Google OAuth2 login proxy & HTTPS Boolean false Requires some of Google API Credentials (free for gmail accounts)
frigate_fqdn Fully-Qualified Domain Name of frigate system hostname (string) server.example.com Only required if oauth2_proxy is enabled

Execute the scripts

ansible-playbook -i inventories/frigate.yml frigate.yml

General system architecture

In all deplyoments, Ansible will install docker, pull the specified frigate container, assign the interfaces to specific firewalld zones, and create a docker-compose.yml file. The diagram below depicts an example setup with the Google login (oauth2) and an isolated camera network.

High Level Architecture

Two directories are setup on the host during installation:

  • /opt/frigate: Stores the frigate config and media locations (can be set differently in variables)
  • /root/.frigate: Stores the sensitive items such as UN/PW of cameras, SSL private key, & authorized gmail addresses

Nvidia GPU Configuration details

My setup uses the Nvidia T400 GB, but it should work for any Nvidia GPU.

Nvidia Role Variables

Utilizes Nvidia's own Ansible Role to perform installation of the driver. Additional variables can be set. See the role details for more information.

NOTE: Some cards are restricted on the number of concurrent Encoder streams. This installation will optionally download and patch the Nvidia drivers with the Keylase Nvidia Patch to unlock additional streams. To see whether your card is limited, see the Nvidia Encode and Decode GPU Matrix.

By default, the installation effectively uses all GPUs available. This can be changed in the docker-compose-exerpt.yml.j2 template if needed. Update the following section as needed.

{% if nvidia_gpu_present %}
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              capabilities: [gpu]
{% endif %}

Nvidia GPU Variables

Variable Description Value Types default Notes
nvidia_driver_branch Version of Nvidia Driver to use String "535" only tested 535
patch_driver_nvenc Whether to patch the driver for unlimted encode/decode streams Boolean true Uses the Keylase patch. Not necessary for all cards/
nvidia_driver_ubuntu_install_from_cuda_repo Whether to install from the Nvidia cuda repo Boolean true
nvidia_driver_ubuntu_cuda_keyring_package Package to use for repo String "cuda-keyring_1.1-1_all.deb" The Nvidia ansible code is older and uses an older version. Upgraded to latest here.
nvidia_driver_skip_reboot Whether to reboot after driver install Boolean false The playbook already reboots after all drivers are installed
install_cuda_packages Whether to install additinoal CUDA packages Boolean true These aren't technically ncessary if just encoding/decoding, but I normally install them anyway for other services. If you are using the GPU as a detector, then you need them.
additional_nvidia_packages List of additional Nvidia packages to install List of strings
  • cuda-toolkit
  • libcudnn8
  • nvidia-gds
  • nvidia-container-toolkit

Coral AI Configuration details

If the coral_pci_present: true, the scripts will download and install the Coral AI Driver Packages in accordance to the install instructions.

The Coral AI device is also set in the following config files:

Coral AI Variables

Variable Description Value Types default Notes
coral_ai_drivers_user Username of device String {{ansible_user }} Not needed since Docker is run as root but keeping for future use

OAuth2 Configuration details

If the oauth2_enable: true, the scripts will utilize OAuth2 Proxy for both the Authentication and HTTPS (TLS) termination. OAuth2-Proxy can use a bunch of different providers. By default, we setup Google (e.g. Gmail). But more providers are available such as Microsoft, Facebook, etc. At this time, these scripts only handle Google. If you implement another, please consider contibuting it back through a PR.

Requirements:

  • A Fully-Qualified Domain Name for your server (can use override your local DNS/Router or hosts file if you don't have a public domain)
  • Google Client ID
  • Google Client Secret (provided with the Client ID)

The ansible scripts will automatically generate a 32-byte "cookie secret" for you, but you can also provide your own in the cookie_secret variable if you'd like.

TLS Certificates

During the installation, the ansible scripts generate a Self-Signed CA certificate as well as a server certificate. These are placed in the following locations and be overwritten after installation.

  • CA private Key: /etc/ssl/private/frigate_ca_privatekey.pem
  • CA public cert: /etc/ssl/certs/frigate_ca_cert.pem
  • Frgiate private Key: /root/.frigate/.frigate_privatekey.pem
  • Frigate public cert: /opt/frigate/certs/frigate_cert.pem'

Setting up the Google API Credentials

Google provides anyone with a Gmail account access to create "credentials" that an app can use for login. As far as I can tell, this is completely free.

For more details, checkout the oauth2-proxy docs for the Google setup for more information, but here is the basics from their docs:

  1. Create a new project: https://console.developers.google.com/project
  2. Choose the new project from the top right project dropdown (only if another project is selected)
  3. In the project Dashboard center pane, choose "APIs & Services"
  4. In the left Nav pane, choose "Credentials"
  5. In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.

NOTE: If this is the first time, Google requires the app setup to be in "Testing" and must be set to "Make Internal". Everything still works. You don't need to set any "Test Users" since we are only requesting the email address and setting that in /root/.frigate/.auth_emails.txt

  1. In the center pane, choose "Credentials" tab.
    • Open the "New credentials" drop down
    • Choose "OAuth client ID"
    • Choose "Web application"
    • Application name is freeform, choose something appropriate
    • Authorized JavaScript origins is your domain ex: https://example.server.com (FQDN that you set)
    • Authorized redirect URIs is the location of oauth2/callback ex: https://example.server.com/oauth2/callback
    • Choose "Create"
  2. Open server_config.yml and Update the variables oauth2_proxy_client_id with Client ID and oauth2_proxy_secret with the Client Secret.
  3. Add the emails you would like to authorize to the authorized_emails variable as a list. By default, all are blocked.

It's recommended to refresh sessions on a short interval (1h) with cookie-refresh setting which validates that the account is still authorized.

About

Ansible automation for installing the Frigate security system as a stand-alone server

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages