unifi-controller

.gitignore

@@ -0,0 +1 @@
+.vscode

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+stdout_callback=debug

playbook.yml

@@ -0,0 +1,12 @@
+---
+# - name: Raspbian based servers
+#   hosts: raspbian
+#   roles:
+#     - os/raspbian
+
+- name: Unifi controller
+  hosts: unific
+  roles:
+    - servers/nixos
+  vars_files:
+    - vars/unific.yaml

roles/debug/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: Check connection to host by showing uptime
+  shell: uptime

roles/servers/nixos/README.md

@@ -0,0 +1,9 @@
+# HowTo
+
+- Burn [NixOS image from Hydra](https://hydra.nixos.org/build/231609399) to SD Card.
+
+- First manual steps:
+	- Put a password for the `nixos` user so we can ssh into the machine.
+    - Enable python: `nix-env -iA nixos.python3` (required for Ansible)
+    - Add public ssh key to authorized keys
+- Run the playbook: `ansible-playbook -i inventory/servers.yaml playbook.yml -l <hostname>`

roles/servers/nixos/tasks/main.yaml

@@ -0,0 +1,36 @@
+---
+- name: Install, configure, and start Apache
+  become: true
+  block:
+    - name: Get current configuration.nix contents
+      shell: cat /etc/nixos/configuration.nix
+      register: current_config
+      failed_when: false
+
+    - name: Install template for configuration.nix
+      template:
+        src: "{{ inventory_hostname }}.nix"
+        dest: /etc/nixos/configuration.nix
+        mode: 0700
+      register: template_result
+
+    - name: Test configuration
+      shell: /run/current-system/sw/bin/nixos-rebuild test
+      register: test_result
+      when: template_result.changed
+
+    - name: Switch to configuration configuration
+      shell: /run/current-system/sw/bin/nixos-rebuild switch
+      when: test_result.rc == 0
+      register: switch_result
+
+    - name: Enable configuration on boot
+      shell: /run/current-system/sw/bin/nixos-rebuild boot
+      when: switch_result.rc == 0
+  rescue:
+    - name: Restore original configuration.nix
+      become: true
+      copy:
+        content: "{{ current_config.stdout }}"
+        dest: /etc/nixos/configuration.nix
+      when: current_config is defined

roles/servers/nixos/templates/unific.nix

@@ -0,0 +1,158 @@
+{ config, pkgs, lib, ... }:
+
+let
+  user = "{{ system_user_username }}";
+  password = "{{ system_user_password }}";
+  hostname = "{{ hostname }}";
+  userID = "1000"; # UserID for the unifi-controller coontainer
+
+in {
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd = {
+      availableKernelModules = [ "nfs" ];
+      supportedFilesystems = [ "nfs" ];
+    };
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    vim # needed for manual intervention
+    python3 # needed for ansible
+    pkgs.podman # needed to run unifi-controller
+    nfs-utils # needed to mount nfs-share
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+
+  networking = {
+    hostName = hostname;
+    wireless = {
+      enable = false;
+    };
+    enableIPv6 = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 8443 8080 8843 8880 6789 ];
+      allowedUDPPorts = [ 3478 10001 1900 5514 ];
+    };
+  };
+
+  security.sudo = {
+    enable = true;
+    extraRules = [{
+      # commands = [
+      #   {
+      #     command = "/run/current-system/sw/bin/nixos-rebuild test";
+      #     options = [ "NOPASSWD" ];
+      #   }
+      #   {
+      #     command = "/run/current-system/sw/bin/nixos-rebuild switch";
+      #     options = [ "NOPASSWD" ];
+      #   }
+      #   {
+      #     command = "/run/current-system/sw/bin/nixos-rebuild boot";
+      #     options = [ "NOPASSWD" ];
+      #   }
+      # ];
+      # groups = ["wheel"];
+      # Allow unifi-controller user to sudo without password because ansible
+      users = [ user ];
+      commands = [{
+        command = "ALL";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+
+  services = {
+    rpcbind.enable = true; # needed for NFS
+    nfs.server.enable = true; # needed for NFS mount O.o
+    openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+    };
+  };
+
+  system = {
+    stateVersion = "23.05";
+  };
+
+  systemd = {
+    mounts = [{
+      type = "nfs";
+      mountConfig = {
+        Options = "noatime";
+      };
+      what = "{{ nfs_server_ip }}:{{ nfs_server_share }}";
+      where = "/nfs";
+    }];
+
+    automounts = [{
+      wantedBy = [ "multi-user.target" "podman-unifi-controller.service" ];
+      automountConfig = {
+        TimeoutIdleSec = "600";
+      };
+      where = "/nfs";
+    }];
+  };
+
+  virtualisation = {
+    podman = {
+      enable = true;
+      dockerSocket.enable = true;
+    };
+
+    oci-containers.containers = {
+      unifi-controller = {
+        image = "{{ unifi_controller_image_name }}:{{ unifi_controller_image_tag }}";
+        autoStart = true;
+        extraOptions = [ "--network=host" ];
+        volumes = [ "/nfs/config:/config" ];
+        environment = {
+            PUID = userID;
+            PGID = userID;
+            TZ = "Europe/Madrid";
+            MEM_LIMIT = "1024";
+            MEM_STARTUP = "1024";
+        };
+        ports = [
+            "8443:8443"
+            "3478:3478/udp"
+            "10001:10001/udp"
+            "8080:8080"
+            "1900:1900/udp"
+            "8843:8843"
+            "8880:8880"
+            "6789:6789"
+            "5514:5514/udp"
+        ];
+      };
+    };
+  };
+
+  users = {
+    mutableUsers = false;
+    users."${user}" = {
+      uid = 1001;
+      isNormalUser = true;
+      password = password;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "{{ system_user_ssh_public_key }}"
+      ];
+    };
+  };
+
+  hardware.enableRedistributableFirmware = true;
+}