Added privileged status for access to Coral TPU #128

Merged
DCCoder90 merged 1 commit into main from allow-privileged-containers
Apr 12, 2026
@DCCoder90
Owner

No description provided.

@github-actions

Pulumi Preview

Logging in using access token from PULUMI_ACCESS_TOKEN
Previewing update (prod)

View Live: https://app.pulumi.com/DCCoder90/home-net/prod/previews/c04128c9-b149-4a9b-9965-e26ad8a4941b

Downloading plugin docker-4.11.2: starting
Downloading plugin cloudflare-5.0.0: starting
Downloading plugin authentik-2024.10.3: starting
Downloading plugin docker-4.11.2: done
Installing plugin docker-4.11.2: starting
Downloading plugin cloudflare-5.0.0: done
Installing plugin cloudflare-5.0.0: starting
Downloading plugin authentik-2024.10.3: done
Installing plugin authentik-2024.10.3: starting
@ Previewing update....
Installing plugin cloudflare-5.0.0: done
Installing plugin authentik-2024.10.3: done
Installing plugin docker-4.11.2: done

    pulumi:pulumi:Stack home-net-prod  Compiling the program ...
@ Previewing update......
    pulumi:pulumi:Stack home-net-prod  Finished compiling
    pulumi:pulumi:Stack home-net-prod running Finished compiling
@ Previewing update.....
 -- docker:index:Container frigate delete original 
 +- docker:index:Container frigate replace [diff: ~privileged]
 ++ docker:index:Container frigate create replacement [diff: ~privileged]
 ~  authentik:index:Outpost proxy-outpost update [diff: ~protocolProviders]
    pulumi:pulumi:Stack home-net-prod  
Resources:
    ~ 1 to update
    +-1 to replace
    2 changes. 139 unchanged

warning: A new version of Pulumi is available. To upgrade from version '3.229.0' to '3.230.0', visit https://pulumi.com/docs/install/ for manual instructions and release notes.

@pulumi

pulumi Bot commented Apr 12, 2026

🍹 The Update (preview) for DCCoder90/home-net/prod (at f393959) was successful.

✨ Neo Explanation

This enables privileged mode on the Frigate container (causing a restart) and reorders the Authentik outpost's provider list. The privileged container change is the key item to validate — it's intentional for hardware access but meaningfully reduces security isolation. 🟡 Moderate Risk

Two unrelated changes are bundled here:

Authentik outpost reassignment — The protocolProviders list is being reordered (IDs 63, 65, 64, 67 shuffled). The same four providers are still assigned; this is effectively a no-op in terms of access policy but Pulumi detects the array order change as a diff.

Frigate container going privileged — The frigate container is being replaced (privileged: false → true). Enabling privileged mode grants the container full access to the host's devices and kernel capabilities — typically required for hardware-accelerated video processing (e.g., GPU or /dev/dri access). The replacement means a brief container restart/downtime for Frigate. More importantly, privileged containers are a significant security boundary reduction: a compromise of the Frigate process would have direct host access.

🟡 Warning: docker:index:Container frigate: Enabling privileged: true removes container isolation from the host. Confirm this is intentional (e.g., hardware transcoding requirement) and that Frigate is not exposed to untrusted networks.

Resource Changes

    Name           Type                              Operation
+-  frigate        docker:index/container:Container  create-replacement
~   proxy-outpost  authentik:index/outpost:Outpost   update

@DCCoder90 DCCoder90 merged commit 3f54e22 into main Apr 12, 2026
5 checks passed
@DCCoder90 DCCoder90 deleted the allow-privileged-containers branch April 12, 2026 20:12
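
A CI check for the risk flagged in the preview explanation above, as an added example that is not part of this repository or the PR: it reads preview output as JSON and fails when a Docker container ends up privileged without being on a reviewed allowlist. The JSON layout, the sample data, the URNs and the allowlist are assumptions constructed for this example.

```python
import json

CONTAINER_TYPE = "docker:index/container:Container"  # type token shown in the preview

# Constructed sample. Assumption: preview JSON carries steps[] with op, urn and
# oldState/newState objects holding "type" and "inputs". URNs are made up.
SAMPLE_PREVIEW = json.dumps({"steps": [
    {"op": "create-replacement",
     "urn": "urn:pulumi:prod::home-net::docker:index/container:Container::frigate",
     "oldState": {"type": CONTAINER_TYPE, "inputs": {"privileged": False}},
     "newState": {"type": CONTAINER_TYPE, "inputs": {"privileged": True}}},
    {"op": "update",
     "urn": "urn:pulumi:prod::home-net::authentik:index/outpost:Outpost::proxy-outpost",
     "oldState": {"type": "authentik:index/outpost:Outpost", "inputs": {}},
     "newState": {"type": "authentik:index/outpost:Outpost", "inputs": {}}},
]})


def privileged_findings(preview_json, allowlist=frozenset()):
    """Return one finding per container that the preview would leave privileged."""
    findings = {}
    for step in json.loads(preview_json).get("steps", []):
        new = step.get("newState") or {}  # delete steps have no newState
        if new.get("type") != CONTAINER_TYPE:
            continue
        new_inputs = new.get("inputs") or {}
        if not new_inputs.get("privileged"):
            continue
        old_inputs = (step.get("oldState") or {}).get("inputs") or {}
        name = step.get("urn", "").split("::")[-1]
        findings[name] = {  # keyed by name: a replacement can emit several steps
            "name": name,
            "op": step.get("op"),
            "newly_privileged": not old_inputs.get("privileged", False),
            "approved": name in allowlist,
            # True when explicit device mappings are declared alongside the flag
            "declares_devices": bool(new_inputs.get("devices")),
        }
    return list(findings.values())


def gate(preview_json, allowlist=frozenset()):
    """Exit code for CI: 1 if any privileged container is not on the allowlist."""
    findings = privileged_findings(preview_json, allowlist)
    return 1 if any(not f["approved"] for f in findings) else 0


if __name__ == "__main__":
    for f in privileged_findings(SAMPLE_PREVIEW):
        print(f)
    print("exit code:", gate(SAMPLE_PREVIEW))
```
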