From 6247e9c5215a2ba357f3c54af6be3199d2bcbf15 Mon Sep 17 00:00:00 2001
From: Yves G <theYinYeti@yalis.fr>
Date: Sat, 10 Oct 2020 16:37:52 +0200
Subject: [PATCH] Motion video-surveillance

---
 group_vars/all                                |  29 ++
 roles/dmz_motion_front/handlers/main.yml      |  10 +
 roles/dmz_motion_front/meta.OK/main.yml       |   7 +
 roles/dmz_motion_front/tasks/main.yml         |  56 ++++
 .../dmz_motion_front/templates/index.html.j2  | 103 +++++++
 roles/front_run/meta.OK/main.yml              |   1 +
 .../files/example_mask_640_360.pgm            | Bin 0 -> 230461 bytes
 roles/motion_back/handlers/main.yml           |  22 ++
 roles/motion_back/meta.OK/main.yml            |   8 +
 roles/motion_back/tasks/main.yml              | 251 ++++++++++++++++++
 roles/motion_back/templates/email.sh.j2       |   9 +
 roles/motion_back/templates/upload.sh.j2      |  40 +++
 roles/ssowat/templates/conf.json.j2           |   2 +
 site.yml                                      |   2 +
 14 files changed, 540 insertions(+)
 create mode 100644 roles/dmz_motion_front/handlers/main.yml
 create mode 100644 roles/dmz_motion_front/meta.OK/main.yml
 create mode 100644 roles/dmz_motion_front/tasks/main.yml
 create mode 100644 roles/dmz_motion_front/templates/index.html.j2
 create mode 100644 roles/motion_back/files/example_mask_640_360.pgm
 create mode 100644 roles/motion_back/handlers/main.yml
 create mode 100644 roles/motion_back/meta.OK/main.yml
 create mode 100644 roles/motion_back/tasks/main.yml
 create mode 100755 roles/motion_back/templates/email.sh.j2
 create mode 100755 roles/motion_back/templates/upload.sh.j2

diff --git a/group_vars/all b/group_vars/all
index b5178a6..ba7b9dd 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -124,6 +124,9 @@ http_pfx_gitea: /git
 # URL prefix of LDAP-Account-Manager (web UI for LDAP).
 http_pfx_lam: /account
 
+# URL prefix of Motion (video surveillance).
+http_pfx_motion: /netcam
+
 # URL prefix of Movim (XMPP web client).
 http_pfx_movim: /social
 
@@ -308,6 +311,32 @@ media_minidlna_conf: |
   root_container=B
   friendly_name=HomeMedia
 
+# Motion data directory
+motion_data: /var/lib/motion
+motion_cloud_url: 'https://www.mediafire.com/'
+motion_cloud_login: login
+motion_cloud_password: password
+motion_cloud_id: app_id_xxxxx
+motion_cloud_key: xxxxxxxxxx…xxxxxxxxxx
+motion_email_recipient: hostmaster@localhost
+motion_cameras: '[
+    {
+      "id": 1, "name": "street door",
+      "url": "rtsp://user:password@street.example.org:554/videoMain",
+      "width": 640, "height": 360,
+      "mask_file": "example_mask_640_360.pgm",
+      "framerate": 5
+    },
+    {
+      "id": 2, "name": "garden door",
+      "url": "rtsp://user:password@garden.example.org:554/videoMain",
+      "width": 640, "height": 360,
+      "mask_file": null,
+      "framerate": 5
+    }
+  ]'
+motion_web_title: "Video surveillance"
+
 # Name of the Movim database in PostgreSQL.
 movim_db: movim
 
diff --git a/roles/dmz_motion_front/handlers/main.yml b/roles/dmz_motion_front/handlers/main.yml
new file mode 100644
index 0000000..8f91f95
--- /dev/null
+++ b/roles/dmz_motion_front/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+- name: restart nginx.service
+  systemd:
+    daemon_reload: true
+    name: nginx.service
+    state: restarted
diff --git a/roles/dmz_motion_front/meta.OK/main.yml b/roles/dmz_motion_front/meta.OK/main.yml
new file mode 100644
index 0000000..7f3de13
--- /dev/null
+++ b/roles/dmz_motion_front/meta.OK/main.yml
@@ -0,0 +1,7 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+dependencies:
+  - role: dmz_nginx
diff --git a/roles/dmz_motion_front/tasks/main.yml b/roles/dmz_motion_front/tasks/main.yml
new file mode 100644
index 0000000..68ee7e8
--- /dev/null
+++ b/roles/dmz_motion_front/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+- name: create a directory for the Motion web page
+  file:
+    name: /srv/http/motion
+    state: directory
+    mode: 0750
+    owner: root
+    group: http
+
+- name: send the feedback and control web page for Motion
+  template:
+    src: templates/index.html.j2
+    dest: /srv/http/motion/index.html
+    mode: 0640
+    owner: root
+    group: http
+
+- name: configure nginx for Motion
+  copy:
+    content: |
+      location {{http_pfx_motion}}/ {
+        alias /srv/http/motion/;
+        index index.html;
+      }
+      location {{http_pfx_motion}}/control/ {
+        proxy_pass       http://unix:/run/shared_sockets/motion_control.socket:/;
+        proxy_buffering  off;
+        proxy_cache      off;
+        proxy_set_header Host      $host;
+        proxy_set_header X-Real-IP $remote_addr;
+      }
+      location {{http_pfx_motion}}/camera/ {
+        proxy_pass       http://unix:/run/shared_sockets/motion_stream.socket:/;
+        proxy_buffering  off;
+        proxy_cache      off;
+        proxy_set_header Host      $host;
+        proxy_set_header X-Real-IP $remote_addr;
+      }
+    dest: /etc/nginx/inc.d/motion.https.inc
+    mode: 0440
+    owner: http
+    group: http
+  notify:
+    - restart nginx.service
+
+### LOCAL COMMIT ⇒ ###
+- name: commit local changes
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
+  vars:
+    msg: Gitea
+### ⇐ LOCAL COMMIT ###
+- meta: flush_handlers
diff --git a/roles/dmz_motion_front/templates/index.html.j2 b/roles/dmz_motion_front/templates/index.html.j2
new file mode 100644
index 0000000..db4b813
--- /dev/null
+++ b/roles/dmz_motion_front/templates/index.html.j2
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <title>{{motion_web_title}}</title>
+    <script type="text/javascript">
+      var motionControl = {
+        Camera: function(section) {
+          this.number = section.dataset.number;
+
+          section.innerHTML = document.getElementById('camera-template').innerHTML;
+
+          this.statusFrame = section.getElementsByClassName('status-iframe')[0];
+          this.offLink = section.getElementsByClassName('status-off')[0];
+          this.onLink = section.getElementsByClassName('status-on')[0];
+          this.motionImg = section.getElementsByClassName('camera-motion')[0];
+          this.statusFrame.src = 'control/' + this.number + '/detection/status';
+          this.offLink['data-href'] = 'control/' + this.number + '/detection/pause';
+          this.onLink['data-href'] = 'control/' + this.number + '/detection/start';
+          this.motionImgEventListener = () => { this.resizeMotion(); };
+          this.motionImg.addEventListener('load', this.motionImgEventListener);
+          this.motionImg.src =  'camera/' + this.number + '/motion';
+          section.getElementsByClassName('camera-stream')[0].src = 'camera/' + this.number + '/stream';
+          section.getElementsByTagName('h1')[0].innerHTML = section.dataset.title;
+
+          this.offLink.addEventListener('click', event => { this.handleStatusControl(event); });
+          this.onLink.addEventListener('click', event => { this.handleStatusControl(event); });
+        },
+        init: function() {
+          const cameras = document.getElementsByClassName('camera');
+          for (let i = 0; i < cameras.length; i++) {
+            new motionControl.Camera(cameras[i]);
+          }
+        }
+      };
+      motionControl.Camera.prototype.handleStatusControl = function(event) {
+        event.preventDefault();
+        let url = event.target['data-href'];
+        let request = new XMLHttpRequest();
+        request.addEventListener('load', () => { this.reloadStatus(); }, false);
+        request.addEventListener('error', () => { this.showError(); }, false);
+        request.open('GET', url);
+        request.send();
+      };
+      motionControl.Camera.prototype.reloadStatus = function() {
+        this.statusFrame.contentWindow.location.reload(true);
+      };
+      motionControl.Camera.prototype.showError = function(event) {
+        console.log(event);
+        alert('ERROR (type ' + event.type + '); see the browser console for details.');
+      };
+      motionControl.Camera.prototype.resizeMotion = function() {
+        this.motionImg.removeEventListener('load', this.motionImgEventListener);
+        this.motionImg.width /= 2; // height automatic
+      }
+
+      window.addEventListener('load', motionControl.init);
+    </script>
+    <style type="text/css">
+      #camera-template {
+        display: none;
+      }
+      .status-control {
+        float: left;
+        clear: left;
+        margin: 0.1em 0.5em;
+        padding: 0.25em;
+        width: 3em;
+        height: 1em;
+        box-sizing: content-box;
+        /* border-width: 0.5em 1em; assumed for native look */
+      }
+      .status-iframe {
+        box-sizing: border-box;
+        width: calc(100% - 6.5em);
+        min-width: 30ex;
+        height: 4.3em;
+      }
+      .camera-output {
+        clear: both;
+      }
+    </style>
+  </head>
+  <body>
+    <h1>{{motion_web_title}}</h1>
+{% for camera in (motion_cameras | from_json) %}
+    <section class="camera" data-number={{camera.id}} data-title="{{camera.name}}"></section>
+{% endfor %}
+
+    <div id="camera-template">
+      <h1></h1>
+      <section class="camera-control">
+        <button class="status-control status-off">OFF</button>
+        <button class="status-control status-on">ON</button>
+        <iframe class="status-iframe" type="text/plain; charset=UTF-8" src=""></iframe>
+      </section>
+      <section class="camera-output">
+        <img class="camera-stream" src="">
+        <img class="camera-motion" src="">
+      </section>
+    </div>
+  </body>
+</html>
diff --git a/roles/front_run/meta.OK/main.yml b/roles/front_run/meta.OK/main.yml
index bbfb196..5bed625 100644
--- a/roles/front_run/meta.OK/main.yml
+++ b/roles/front_run/meta.OK/main.yml
@@ -8,6 +8,7 @@ dependencies:
   - role: dovecot
   - role: front
   - role: ihmgit_back
+  - role: motion_back
   - role: movim_back
   - role: nextcloud_back
   - role: postgresql
diff --git a/roles/motion_back/files/example_mask_640_360.pgm b/roles/motion_back/files/example_mask_640_360.pgm
new file mode 100644
index 0000000000000000000000000000000000000000..9b90e2359213d808f908c9c26f52d955953c76b7
GIT binary patch
literal 230461
zcmeI5Ym*hl8OQV5PeD~)CuNNK1@a=57pD9QNySQ8l}b{%Rpleh;({Vx2}H#^ikBF#
zD53}`Dk6A6L|Fw9!-8ByU}4Gb>C0TsbU)9`^w#m5`R$wO>Ha@YpZU$d=FFby?z#S&
zD}KD}7k|0oH-Ed~cgueJ&t<>-)pge|`^OD``Rk2;`s1>ze)_X3fBLhlmtFts>z4ib
z4}bstPj39<71v&U<+7h&d*u~ZU31M9KkCWfW&VDU1bSk>AN?TV^Pw)|KTI%60{Cx~
z^ywS_;ek;Sz<;BpPv7_t4~&uk{u?EI`o@2FV3Y*#-ze$RH~zx|qa=X;MoFK(@gE)-
zB?0_5O8WGT|M0*l3E;m`(x-3yhX+PU0RN4WK7HdqJTOWE_-~Z-=^Ovyfl(5`f1{*N
z-}ny?jFJHU8zp`E#(#KVlmwR6f1^Ay`W^=Y_-`D}(&T<d{5QGhb{vij|Bb_0n%vKb
z|0eg`j>D1Rzi~KAllvL*-{hX#aX2#kHx6fMaz7*fo7{6d4o8On#^EeY?q|e*lY4H*
z;mGjcIGm-){fzi;a?kBJ92x!_hqE-fpAr8}?ztU@Bg22=aF!<bGvdF=J-6d<WcY6!
z&eG(5M*KIq=XM;94F8S8S(@C>i2o+{+>XPM;lFV>OOyK<@!#a0+i^HD{5K9~X>vbf
zru%zmatUx`qa>iSU$$?QpOL;Nmq3mGrtg0AxvhH+969}7-gtO&32<biB#>Kd#odo?
z+P-Jzo73~|^L&^$e(UPkLLeo9Y~?*0H|_jzX7;SNoln0%_urhaqyT}01TI8!9rXUY
zEux|c0!u^SkoVuiOVa^aArK*O)cf!Gh>9i%EDeEK@4xL!(*ao_5Fv2V`)_YVMH2*;
zhQN2;e+QSQ1F}LOLg2jj-?4~_CI~DIflJ<h-!DxEWQ9PCz)EYt>EYj|V_~#GAPIrH
ztpDywl8qz~XhvYY_1{y?!capX34smPe_N7dBMAhW5qQS>Z&$N0)DTEQV3YOV{v_E*
z0)b`(Ubp@`(ku)$1d<SV%lhwBl58Y_Kr;fnjsK=DHVZ=yfg}VzGXA?WNivc^pdo<+
z#($4C3_}iqBn0dL=$DctBMAf=5;$tEe{VJnLk@u?1Ww?;BpgZ7j=&k?KfZt4;UlUe
zfeXfe8#<;T90IKf%ufvrcvq`nf*{b9!0LhjrY?2OLp%i95LjovfKRuHB?bar2|Q%{
zceHCB;vvw6z>~&*2in9E1A(pto;Uv6-8B#K5NJbSv+>{7HnGG&peuoG#()3qnumA@
zv?1`W@!tb&Vu^u3R|0#D|5kO)Lp%i95ctISFN>{`+9oeC5YP~qvHm-u5u<@XVgg@T
z{~b!4mvj)&5IAQ2$LnV_w9up`aLW4c?bM0M2LT0v@2&q{QD~7sAT<HE0_Bsb6O#`D
z8UkhjV75-9MFWA<1RgeDz$}288Z7x#1YWc^fM-=|L=Z?z;7#j47Qj!-m25f!b_JM>
z7l7z^p-M}@y@HSzAf@F>HXQ-?3NBs%r{jexErE+>25|Ob+O%YYfR2ED1qe&9>2RS+
zOyDu|4=_tmCgw^y9f6mP|5$=ohYM9=0`J%#09k@OF<8>62)GgWyn;c63sGVMN9^_Q
z)5Lj62LTO%)7F3QX~bwCkeI-w<;H-oC(cVc2&f3GHU4`>B}N2+#02aTSnCs~B^?A*
z1h$y#-_0s9A_ycV@Sgn#<b2}1q=SHlfPDv7c3dMy1A)W@zOmQ8FB9h_9RxH4&RYL{
zq!FWmKw<*(D~thmCeBMb2&f3$Yy9`JN{k2si3vPo{I@Z2TGBy4MPRG(-&&Oz5d;zw
z*kk;66EERP43=~%0tb!%vXd$`A_$}<Fl+rclQu2cAfO^}&iaoLfGS*wQWIEZ49E{K
zslk#@Mc_f>zlT&}L=Z?!z`lfV#eCwtq=Ufai!y^9_6CqCm@+FA4GAa~_S<Lu#|W5)
zY>~?ZK9ME=v;KQumZE?_GXmRW`J7z?YqKmx0fA-&G{Xw)2$)BjWkwAFnZPQ=f3+`}
zFW{RMQn^DE5GWAHP8W6pMK=XWAq`}p8UpnMvM=iEi?v_ce?WK(W|0cz6a=zea+WjJ
ze|uyp3J5eJkUg)E+qZCSQAm+Mpa}uhtKFV37r+fo5~GEHf<QK<SlD2j@!u*%J|qxm
zLLkeI%JTj82JkysiUI;n2xOUJV!0av{Z*69XdxgI$g<aD(M7um<p;791q7N9$TH2V
zW!9T7U=~4bf)=fUK$fjgOsuqT0nt1xR`iJk0*=7Kh3#8c4sYK#*T2<a1uYP0Ltw#J
zpUZKFjsG%UgD$f|(S*Q)u@oy?xkcD`3r!QYXk`Km{?jaNe}}mMDt@bxyF>v2Phi1U
zns-}1ZT$C!kD~yA6a*H1bw*C~rt#mCvJwRZ8W33Y)qYw3sqx?KvJwRZ8W33Ym11R$
z<Hmp4xdy3`LO>+2=qtqy;H7C}K*eAMu}cIH@B{|7Qv3pK7lHZM2U37Q0s;g7DSlRY
z#a#b*0-S(3DRKe>TRorehe~^m|5yYo1c>@p1O~QREzj)z%J^^jT&rFPf<Qe1V=H+T
zBDV@E|A5qUq_!Oa<3GjHLTik2Z@X@Yf<P?+<Ep1?+e(!$80Dr?B|8x4M!>jgrMwK~
zZlhe+tvjM2P$FPlm3>{RtlP2wfMnm-HBtwGb_A^d-VvkE+f@Kr1V%)KKu^H>?=d;z
z9wU8MR-%A_mVou&O&7!fI|oTKT2;)200M@9^<O4`t=cCbir=bX3jr+w=f53dz)>qb
zB`Og>Kuf^+??EwO&Mty*KvW`tfR=#s-<15j%Kb*GSTSGQIlA5xaQ;)w0)EwKSp~57
zrb!6E`%fO(_p#AVE7t2s_yI{Z(FDBz{w*HnF{_ma%ZRBEK)?|2{*z~6x;Y?<(bCX`
zfQ~@!KY14BBSySgml+iVWCFSW<XM<ojd;DB6$J!z1akk$voP&4(3%y?b)BQ?J%QYR
z@;ZPgte9n>dvBX$01EyS|F4+8#i(~D>zzb>Cs6R8JPUK9QOm-<Q|0)z1PcC>N4D%R
zYWYr4+dI0x6DasE6MtC#%&HX&w)LGW$FCz$^q)8j^ORN3=yIcifJC6^KY13WeG%qc
zQdZg_pd(Q9pF9iGF2l<*s5-c)L;^+s$+Iwb8u`ugdNE?h2q3UPpyWSs7UqnVpMV_%
zk`O5QPn?DMot1x*q;HZypyWS!7Uo?>zXfm*NJ60GKY14BvqsM<FiGH(q<sIEiL)?w
zS-<iNG~P)<pnUxkXJNWkh(1lyIZ1j?pzJ?!7N%Q;h#SD(J0}f*vj5~+nD?3hZUEEZ
z?|qhv|HN6Cn{5C$fW5a)5&#wd{aZ@<kqzJmP$EUUhCs!C;w;Qr8^8^qhAtY3K-GWJ
zEX+$QO$0Z95?R_c1gicMXJI~WBe((7;6)=4sQOPFTW`nUXWRe^WNFqAsQOQwh55OS
z;092G7mYw*$bZr-%riEE8$f|9%^Ctj{u3ux+95FFf6AKP(e$0bkpIM4n9tb|ZUFo4
zofOAE<Ues1rhO4t#tmQ!{(a9e>_2H1<`Emh4Pf8Blj8V?{U^=BykK9%#SLHz{(a9e
z?7x-LE6(jY`1}IcckiS){$c-R(hEMe*cfgAQ=EXF=cw`De*`4^Yz#Mm0w|hg0yX}d
zIvWo=?qYZZ90x_KOu%`mxZN8MbIVY20~qH-tAaq$cdq<^5ch-?asw!UqFE&1JXhKt
zkB7Zw#oPeKIngQ;DEZFqycv&ktHAIJV4M@JG683~()P~zXrNmKh8w^rCK?q4O1|?u
zhvSiJtdJYPI44>~0^V|^f-nmI1uNzTP~?jsPM~Bvzq9f}H0pgP<QKpwCmKZp&PkPR
zd>Y)>PR$rV5io)%0q3O3_Ni#l+;S`D1~AHrMv*|pcW!qo{>}QJ)o}wT0!9!e;0#yY
z#z&#P?&NWsMti0a0+sd0ovRkM_eJ3xa7u0fqnv1z2sk4RZD(VVXPulIz!)alL;}u8
zL)-1q(Dhc&4PX=#jS_(&-?@t0FU3N)IT<&AF-){c1e}kCw_nCWzi@hP0ArYFlL$B;
z4R2qHg<jwnz!)Cdv;>BI=W3?U$8v12GHw84lxUL(IJebo_r+r0b^+V~#xT()5O6lC
z*=~%5x>XPu0~n)3n?#_-cfRUWB>19ThnHnwB9Lej33#*B6n4d;?W?FWZUAGHXcGw3
z*v?no6N~j@0Ap9lSOVH05PtqUFya3qgpN6z?um$Kf<T;rb5ZT~jY#bLZ8qfbh=?W#
z#0k{;&Q;zPdj{twfr#%cjDG-HdriPut$sTbVdLJ!m3<Ns(FB1gfqLJ$+7}|RC!Ofo
zh=?W#L<u+()o-WIMS}ljV^&BDRz`Br)N=y$zVo%Qw}HIsRIzXAp5x{41p>}Pf$fG!
zxF3YSIU=G70x<#s-}&m3;b1=qe|7BN<ZwJK5V-7(7AU+^!|0e@9l;I4&%Uk^Q3U}7
zfq?CN^}6|LlCztq?1N!H2tPhoq?&+z2zUbCXraPUFC7%-b}bBiS#5@<`a$@NK`29F
zPfZ|XJ751=G1dG5^Y%e=0rZ3LGhxBhVhYL-C=l>I3l(m?n5&OGWL5S8=mz0u(UDqt
zJS7NJ2!w2x*MFWztn;<TaDEW}!?}hM1R4<VjtUkEkJsFrkK7%gAB4|J&<&6yEf5IW
z&Ntljy_bLHE6q3VMfWPgEcTqlhf{z+l|b&OVCe%N<9~5>7r;AQko3|_pMnAeiUgd2
zBHO~v-F>-ia0lprfnFY+EL`l6G6V_)azlkn-+KMlTr~I>c%$F{%xfq>Ku^FMC{ozz
z(;Y0R7B7Hq40M)7SL^Wc6d+J0P%u=mxW+$&JLmu5Fn55j`IuFOp9#x7um^!K0dJsK
z;fRlS3qLQa7cPK1^Qc2!LjeM60=a=ArB{8r?FH4s9pIjP_jRwK00A|D+(41iD*rkf
zKjdIhz3cM+Jm@a}C9UooAp~**#Y*OJ+XAh8$iaeq_4zLgL9xl|aE3rVfr5b|#Z`VD
z(j!IHu5Su^`G3jvJy8pRVFCpM#fopcNcZmPfq1oFgkxd%UMFD-0X2b`=?ZPPxC`K+
zLS>fu5zvdZEJUQHj?fV(*(tK)zFp^TDvDMWcUXwXL1n8ZP&81iyz;C~`B+fJLPTon
z2pxf-o2m^vY=j?kS`}n0MC72dRTCI;QK-UQ0P``YLrNARQe#JG2@IJiSh3ASTwD=U
z6h=zJ7Xm5*K{E|COxrgtJUP_jDp-g}g&a|Vfb))GyVZpGg`bB*Scs@VmZFBhu!({-
z)29as&zF95DXBMWdPD<(oIuGx!j7Gaz9T4OA)*{CB^807muec8n<pG+r)%0w6$=rm
zpd<1Gf>x?)u;T#pX~0zx3lVv+6jTJN4vOwCH>&}jDvZJ}>sg3M1s#zmQ1*|s_p*t5
zF{oo9B2SirhCt9swGC4z203SI8y746KvhlOXdn=DQhmcFL+t7L)+}2OQ3y045HeDr
z-d+I14}l}=MK}3aXnR5+;Im-0eIre96c%5=JuyzA!wecN)G#~fcqY`$7jU8z(~~qI
z9|h~58-SU=KP2D_xF^m@bC@9;h3k(EIxfuoElc?VPIF><lBH}O&E7KuGMCl{w0r^g
z#5rjWGvK0FwRt1M2O$Yxz-i7*KeB{e6sb3BozD5SPb*TsfcxQ`G)Gx6k80Ok0R8)?
zD>3({`Cw$}1%ZlrRJ$7unY{rqU%<U^PMU)Zcqm?N*8|*FKMsa3;54VE7g^#)3$(hK
z=KE_6$bZ1Sa88<o3^+`vK5RSxytEpJ3*rkn&AI7A7U!8}+eaOmLv^!(`2u!$*h&PN
z`Od5TYR`ukUdLMf;|o}#PP-#e^^S5se<#h+n(3H)0Xw{G1p-RH4avUnd20;FLNJ~V
zg*bsBV<{^h$d?<Ry}c4+-wqt_m{tfZ5U5y3zk4vpcl^$B82^9dY$(MEl%3OH@4oy3
zc=_a-Vj!2lIC5GG1d7IKR{pGz<y3Jr7MH&Q8H#ZN%{*6B-&?o<UOw~kt*&jge_2hu
zXIdf9;r=hn4wU%Kf3yAWfd#qzmAJ4ICE%`FEw<|}RWi@d?pnX_Qlv^PyATKyXyH2_
zvcD$niTqueHLX-ZpiID<sYPLJ^#WK<%^n0q0xfKphwKy6BY;4ZKyIcMr8T_tJPMaa
zkw6RA6+%7|^CN&jj6lImEsA$@0gS<=O(f95bj6Sl#10TZAVQ#MrWWNp<|4Uif`CMz
zh385kymVC}OnZz#$xJPFZs!6R!%Le$poQhiA-jbRXof(9K-o+!_89IGp-YoQpoQZq
zA@53E&<=qhfr^=0?5?!$Wes*g0|bHuS{SYxV&BOS?1Bae1PN5l)MlTz4hHekAP{Kd
zw`xpbE~d~M%@8OPsCuc@{>SB<>_I?Fpq1aMLARaLc83lEB?46|wcFoT%E=A{v;^Au
zts1rbgtk9)5GWF;I;rLU6UCgAA)qDD(r-gyGujT(L7+fj$Ve?K)-n#JK$W7FKufy~
zhq3H|7CE{Cfng)Htl=?mfht8UftGHo3F9%amN~kdK#h^wR`D1($4W^_psm?z;&=?K
zWR5H+P~)T4RXhgHxl+;*Xl=HdKpq3@n4`)G)Yzzf6_0^)u#{8;+MBH=lE=U*=7@3v
zH7@E<#be-{EF}$r4rZ$h<uR}ZIvP))&O{yRcns{xQqU0S;I-ON9s_Hrqj3akP1K>1
z$H0y(TMdB@R;v%?F|Y<Z8cU$wL|tlm42-$-1iCn_K9<M8dip5qJ=Cd|$H3T1O`wz0
z>VtU<tfr5!-a_4Kc?^uNv;?|2tv;H^z*_p~>K)XvmdC&tOG%)k(*of<23F$ly)0m$
zj@3K{?!B>;06H2i6wYH{CI7z5LI&zs&tu@e8%ufo9eoxI=P|JI1oT`MG*H(D9s~E>
zS-QjTYO`QGkAZb3py#Tfe>ykt7`W%wQXPJ0n*|f_7+7@zdM*mur+WjBfqU*P&Efwa
D(9q2N

literal 0
HcmV?d00001

diff --git a/roles/motion_back/handlers/main.yml b/roles/motion_back/handlers/main.yml
new file mode 100644
index 0000000..a92a1dc
--- /dev/null
+++ b/roles/motion_back/handlers/main.yml
@@ -0,0 +1,22 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+- name: restart motion.service
+  systemd:
+    daemon_reload: true
+    name: motion.service
+    state: restarted
+
+- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+  systemd:
+    daemon_reload: true
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+    state: restarted
+
+- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+  systemd:
+    daemon_reload: true
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+    state: restarted
diff --git a/roles/motion_back/meta.OK/main.yml b/roles/motion_back/meta.OK/main.yml
new file mode 100644
index 0000000..38034be
--- /dev/null
+++ b/roles/motion_back/meta.OK/main.yml
@@ -0,0 +1,8 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+dependencies:
+  - role: cleanupdate
+  - role: sockets
diff --git a/roles/motion_back/tasks/main.yml b/roles/motion_back/tasks/main.yml
new file mode 100644
index 0000000..900caf8
--- /dev/null
+++ b/roles/motion_back/tasks/main.yml
@@ -0,0 +1,251 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+
+### UPSTREAM BEGIN ⇒ ###
+- name: pull prerequisites from upstream
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
+  vars:
+    msg: motion
+### ⇐ UPSTREAM BEGIN ###
+
+- name: install software
+  package:
+    name: "{{item}}"
+    state: present
+  with_items:
+    - curl
+    - motion
+    - 's-nail'
+    - socat
+
+### UPSTREAM END ⇒ ###
+- name: merge upstream
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
+  vars:
+    msg: motion
+### ⇐ UPSTREAM END ###
+
+- name: send the script for Motion to send emails
+  template:
+    src: templates/email.sh.j2
+    dest: /etc/motion/email.sh
+    owner: root
+    group: motion
+    mode: 0750
+  notify:
+    - restart motion.service
+
+- name: send the script for Motion to upload files
+  template:
+    src: templates/upload.sh.j2
+    dest: /etc/motion/upload.sh
+    owner: root
+    group: motion
+    mode: 0750
+  notify:
+    - restart motion.service
+
+- name: send main Motion configuration
+  copy:
+    content: |
+      target_dir {{motion_data}}
+      on_event_end /etc/motion/email.sh %$ %v %Y-%m-%d %H:%M:%S
+      on_picture_save /etc/motion/upload.sh "%f"
+      minimum_motion_frames 5
+      event_gap 10
+      picture_output on
+      picture_quality 50
+      picture_filename %$-%v-%Y%m%d%H%M%S-%q@%K_%L
+      movie_output off
+      webcontrol_port 1080
+      webcontrol_localhost on
+      webcontrol_interface 1
+      webcontrol_parms 1
+      stream_port 1081
+      stream_localhost on
+      stream_preview_method 4
+      stream_quality 20
+      camera_dir /etc/motion/camera.d
+    dest: /etc/motion/motion.conf
+    owner: root
+    group: motion
+    mode: 0640
+  notify:
+    - restart motion.service
+
+- name: create the directory for Motion cameras
+  file:
+    name: /etc/motion/camera.d
+    state: directory
+    owner: root
+    group: motion
+    mode: 0750
+
+- name: send mask-files for Motion cameras
+  copy:
+    src: files/{{item.mask_file}}
+    dest: /etc/motion/camera.d/{{item.mask_file}}
+    owner: root
+    group: motion
+    mode: 0640
+  with_items: "{{motion_cameras}}"
+  when:
+    - (item.mask_file != None)
+  notify:
+    - restart motion.service
+
+- name: send Motion cameras configuration
+  copy:
+    content: |
+      camera_id {{item.id}}
+      camera_name {{item.name}}
+      netcam_url {{item.url}}
+      {{ ('mask_file /etc/motion/camera.d/' + item.mask_file) if item.mask_file != None else '' }}
+      width {{item.width}}
+      height {{item.height}}
+      framerate {{item.framerate}}
+      text_right %q (%ix%J+%K+%L)
+      auto_brightness 0
+      noise_tune on
+      lightswitch_percent 40
+      lightswitch_frames 15
+    dest: /etc/motion/camera.d/camera_{{item.id}}.conf
+    owner: root
+    group: motion
+    mode: 0640
+  with_items: "{{motion_cameras}}"
+  notify:
+    - restart motion.service
+
+- name: identify all Motion cameras configured on the server
+  find:
+    paths: [ '/etc/motion/camera.d' ]
+    patterns: [ 'camera_*.conf' ]
+  register: existing_cameras
+  changed_when: false
+
+- name: only keep basenames of configured Motion cameras
+  set_fact:
+    existing_cameras: "{{ existing_cameras.files | map(attribute='path') | map('basename') | list }}"
+  changed_when: false
+
+- name: filter out up-to-date Motion cameras
+  set_fact:
+    existing_cameras: "{{ existing_cameras | reject('contains', 'camera_' + (item.id | string) + '.conf') | list }}"
+  with_items: "{{ motion_cameras }}"
+  changed_when: false
+
+- name: delete old Motion cameras
+  file:
+    path: /etc/motion/camera.d/{{item}}
+    state: absent
+  with_items: "{{ existing_cameras }}"
+  notify:
+    - restart motion.service
+
+- name: ensure ownership of the Motion data directory
+  file:
+    path: "{{motion_data}}"
+    state: directory
+    owner: motion
+    recurse: true
+
+- name: prepare override of Motion launch parameters
+  file:
+    name: /etc/systemd/system/motion.service.d
+    state: directory
+
+- name: override Motion launch parameters
+  copy:
+    content: |
+      [Unit]
+      Description=Motion daemon, paused
+      [Service]
+      ExecStart=
+      ExecStart=/usr/bin/motion -n -m
+    dest: /etc/systemd/system/motion.service.d/paused-mode.conf
+    mode: 0644
+  notify:
+    - restart motion.service
+
+- name: create a generic service for socat-based port-forwarding
+  copy:
+    content: |
+      [Unit]
+      Description=socat-based Unix domain socket to IPv4/TCP forwarding
+      After=network-online.target
+      Wants=network-online.target
+      [Service]
+      ExecStartPre=/usr/bin/sh -c 'rm -f "$${0%%%%:*}"' "%I"
+      ExecStart=/usr/bin/sh -c 'exec /usr/bin/socat -d UNIX-LISTEN:"$${0%%%%:*}",fork,mode=0666 TCP4:$${0#*:}' "%I"
+      PrivateDevices=yes
+      ProtectSystem=full
+      NoNewPrivileges=yes
+      ReadWritePaths=/run /tmp
+    dest: /etc/systemd/system/socat-unix-to-tcp4@.service
+    mode: 0644
+  notify:
+    - restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+    - restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+
+- name: prepare instanciation of socat-based port-forwarding for Motion control
+  file:
+    name: /etc/systemd/system/socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service.d
+    state: directory
+
+- name: instanciate socat-based port-forwarding for Motion control
+  copy:
+    content: |
+      [Unit]
+      Description=socat-based Unix–TCP forwarding of Motion control
+      After=motion.service
+      Wants=motion.service
+    dest: /etc/systemd/system/socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service.d/dependency.conf
+    mode: 0644
+  notify:
+    - restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+
+- name: prepare instanciation of socat-based port-forwarding for Motion stream
+  file:
+    name: /etc/systemd/system/socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service.d
+    state: directory
+
+- name: instanciate socat-based port-forwarding for Motion stream
+  copy:
+    content: |
+      [Unit]
+      Description=socat-based Unix–TCP forwarding of Motion stream
+      After=motion.service
+      Wants=motion.service
+    dest: /etc/systemd/system/socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service.d/dependency.conf
+    mode: 0644
+  notify:
+    - restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+
+- name: enable Motion
+  systemd:
+    daemon_reload: true
+    name: motion.service
+    enabled: true
+
+- name: enable unix-to-tcp forwarding for Motion control
+  systemd:
+    daemon_reload: true
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+    enabled: true
+
+- name: enable unix-to-tcp forwarding for Motion stream
+  systemd:
+    daemon_reload: true
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+    enabled: true
+
+### LOCAL COMMIT ⇒ ###
+- name: commit local changes
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
+  vars:
+    msg: motion
+### ⇐ LOCAL COMMIT ###
+- meta: flush_handlers
diff --git a/roles/motion_back/templates/email.sh.j2 b/roles/motion_back/templates/email.sh.j2
new file mode 100755
index 0000000..cf33abd
--- /dev/null
+++ b/roles/motion_back/templates/email.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/bash
+# $1: camera
+# $2: event number
+# $3: ISO date
+# $4: ISO time
+
+printf 'Camera: %s\nEvent:  %s\nDate:   %s %s\n\nCloud:  %s' \
+  "$1" "$2" "$3" "$4" '{{motion_cloud_url}}' \
+| mail -s 'Motion event' {{motion_email_recipient}}
diff --git a/roles/motion_back/templates/upload.sh.j2 b/roles/motion_back/templates/upload.sh.j2
new file mode 100755
index 0000000..fa46ea6
--- /dev/null
+++ b/roles/motion_back/templates/upload.sh.j2
@@ -0,0 +1,40 @@
+#!/bin/bash
+# $1: file to upload
+
+BASE_URL=https://www.mediafire.com/api
+TOKEN_FILE=/var/lib/motion/token
+LOGIN='{{motion_cloud_login}}'
+PASSWORD='{{motion_cloud_password}}'
+
+# Plowshare App ID & API key
+APP_ID={{motion_cloud_id}}
+API_KEY='{{motion_cloud_key}}'
+
+token="$(find "$TOKEN_FILE" -mmin -9 -exec cat {} \; 2>/dev/null)"
+set -e
+
+f="$1"
+file_size="$(stat -L --printf=%s "$f")"
+file_name="$(basename "$f")"
+
+if [ -z "$token" ]; then
+  token_json="$(curl \
+      -d "email=$LOGIN" --data-urlencode "password=$PASSWORD" \
+      -d "application_id=$APP_ID" \
+      -d "signature=$(printf '%s' "$LOGIN$PASSWORD$APP_ID$API_KEY" | sha1sum | head -c40)" \
+      -d 'version=1' -d 'response_format=json' \
+      "$BASE_URL/user/get_session_token.php" \
+    | tr -d '\r\n ')"
+
+  grep -qF '"result":"Success"' <<<"$token_json"
+
+  token="$(sed -rn 's/.*"session_token":"(([^"]|\\")*)".*/\1/p' <<<"$token_json" \
+    | sed 's/\\\(.\)/\1/g')"
+
+  printf '%s' "$token" >"$TOKEN_FILE"
+fi
+
+curl \
+    -F "Filedata=@$f;filename=$file_name" \
+    -H "x-filename: $file_name" -H "x-filesize: $file_size" \
+    "$BASE_URL/upload/simple.php?session_token=${token}&path=/Camera&action_on_duplicate=keep&response_format=json"
diff --git a/roles/ssowat/templates/conf.json.j2 b/roles/ssowat/templates/conf.json.j2
index 934295d..142a58e 100644
--- a/roles/ssowat/templates/conf.json.j2
+++ b/roles/ssowat/templates/conf.json.j2
@@ -47,11 +47,13 @@
       },
       "you": {
          "allow": {
+            "{{net_soa}}{{http_pfx_motion}}/": "Surveillance",
             "{{net_soa}}{{http_pfx_transmission}}": "BitTorrent"
          }
       },
       "me": {
          "allow": {
+            "{{net_soa}}{{http_pfx_motion}}/": "Surveillance",
             "{{net_soa}}{{http_pfx_movim}}/": "Social",
             "{{net_soa}}{{http_pfx_transmission}}": "BitTorrent",
             "{{net_soa}}{{http_pfx_wallabag}}/": "Read later"
diff --git a/site.yml b/site.yml
index de991eb..1136c84 100644
--- a/site.yml
+++ b/site.yml
@@ -33,6 +33,7 @@
     - ssh
     - dovecot
     - mediaplayer
+    - motion_back
     - front_run
     - acme_back
     - nextcloud_davfs
@@ -61,6 +62,7 @@
     - dmz_dotclear_front
     - dmz_ihmldap
     - dmz_prosody_front
+    - dmz_motion_front
 #    - dmz_wallabag_front
     - acme_front
     - privatebin