unifi-controller
commit
9858cd0213
@ -0,0 +1 @@
|
|||
.vscode
|
|
@ -0,0 +1,2 @@
|
|||
[defaults]
|
||||
stdout_callback=debug
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
# - name: Raspbian based servers
|
||||
# hosts: raspbian
|
||||
# roles:
|
||||
# - os/raspbian
|
||||
|
||||
- name: Unifi controller
|
||||
hosts: unific
|
||||
roles:
|
||||
- servers/nixos
|
||||
vars_files:
|
||||
- vars/unific.yaml
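Review bot: `vars_files: - vars/unific.yaml` is the only place the play can get `system_user_password` and `system_user_ssh_public_key` that the NixOS template renders, and nothing in this commit shows that file being vault-encrypted; if it is committed in the clear, the password lives in git history. Consider encrypting it with `ansible-vault encrypt vars/unific.yaml` (or `!vault` inline values for the secret keys only) and adding `--ask-vault-pass` to the run command the README gives. The commented-out Raspbian play above it is dead config and can be dropped or moved to its own file rather than carried in the playbook.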
|
|
@ -0,0 +1,2 @@
|
|||
- name: Check connection to host by showing uptime
|
||||
shell: uptime
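Review bot: `shell: uptime` spawns a shell for a plain binary that needs no shell features, so `command: uptime` is the idiomatic module here; as written the task also reports `changed` on every run because nothing marks it as read-only. Suggest `command: uptime` together with `changed_when: false`. If the intent is only to verify connectivity, the `ping` module does that without running a remote command at all.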
|
|
@ -0,0 +1,9 @@
|
|||
# HowTo
|
||||
|
||||
- Burn [NixOS image from Hydra](https://hydra.nixos.org/build/231609399) to SD Card.
|
||||
|
||||
- First manual steps:
|
||||
- Put a password for the `nixos` user so we can ssh into the machine.
|
||||
- Enable python: `nix-env -iA nixos.python3` (required for Ansible)
|
||||
- Add public ssh key to authorized keys
|
||||
- Run the playbook: `ansible-playbook -i inventory/servers.yaml playbook.yml -l <hostname>`
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
- name: Install, configure, and start Apache
|
||||
become: true
|
||||
block:
|
||||
- name: Get current configuration.nix contents
|
||||
shell: cat /etc/nixos/configuration.nix
|
||||
register: current_config
|
||||
failed_when: false
|
||||
|
||||
- name: Install template for configuration.nix
|
||||
template:
|
||||
src: "{{ inventory_hostname }}.nix"
|
||||
dest: /etc/nixos/configuration.nix
|
||||
mode: 0700
|
||||
register: template_result
|
||||
|
||||
- name: Test configuration
|
||||
shell: /run/current-system/sw/bin/nixos-rebuild test
|
||||
register: test_result
|
||||
when: template_result.changed
|
||||
|
||||
- name: Switch to configuration configuration
|
||||
shell: /run/current-system/sw/bin/nixos-rebuild switch
|
||||
when: test_result.rc == 0
|
||||
register: switch_result
|
||||
|
||||
- name: Enable configuration on boot
|
||||
shell: /run/current-system/sw/bin/nixos-rebuild boot
|
||||
when: switch_result.rc == 0
|
||||
rescue:
|
||||
- name: Restore original configuration.nix
|
||||
become: true
|
||||
copy:
|
||||
content: "{{ current_config.stdout }}"
|
||||
dest: /etc/nixos/configuration.nix
|
||||
when: current_config is defined
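Review bot: `when: test_result.rc == 0` on the switch task breaks on every run where the template did not change: the test task is then skipped, `test_result` holds only the `skipped`/`changed` keys and no `rc`, so evaluating the condition errors out and drops the whole block into `rescue`, which rewrites configuration.nix from `current_config` for no reason. The same applies to `when: switch_result.rc == 0` on the boot task. Guard both on the skip, e.g. `when: test_result is not skipped and test_result.rc == 0` and `when: switch_result is not skipped and switch_result.rc == 0`. Separately, the block name `Install, configure, and start Apache` looks copy-pasted and should describe what the block does (apply configuration.nix via nixos-rebuild), and the rescue should also require `current_config.rc == 0`, since `failed_when: false` on the `cat` means a missing file would be "restored" as an empty configuration.nix.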
|
|
@ -0,0 +1,158 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
user = "{{ system_user_username }}";
|
||||
password = "{{ system_user_password }}";
|
||||
hostname = "{{ hostname }}";
|
||||
userID = "1000"; # UserID for the unifi-controller coontainer
|
||||
|
||||
in {
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
|
||||
initrd = {
|
||||
availableKernelModules = [ "nfs" ];
|
||||
supportedFilesystems = [ "nfs" ];
|
||||
};
|
||||
loader = {
|
||||
grub.enable = false;
|
||||
generic-extlinux-compatible.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim # needed for manual intervention
|
||||
python3 # needed for ansible
|
||||
pkgs.podman # needed to run unifi-controller
|
||||
nfs-utils # needed to mount nfs-share
|
||||
];
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-label/NIXOS_SD";
|
||||
fsType = "ext4";
|
||||
options = [ "noatime" ];
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = hostname;
|
||||
wireless = {
|
||||
enable = false;
|
||||
};
|
||||
enableIPv6 = false;
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 8443 8080 8843 8880 6789 ];
|
||||
allowedUDPPorts = [ 3478 10001 1900 5514 ];
|
||||
};
|
||||
};
|
||||
|
||||
security.sudo = {
|
||||
enable = true;
|
||||
extraRules = [{
|
||||
# commands = [
|
||||
# {
|
||||
# command = "/run/current-system/sw/bin/nixos-rebuild test";
|
||||
# options = [ "NOPASSWD" ];
|
||||
# }
|
||||
# {
|
||||
# command = "/run/current-system/sw/bin/nixos-rebuild switch";
|
||||
# options = [ "NOPASSWD" ];
|
||||
# }
|
||||
# {
|
||||
# command = "/run/current-system/sw/bin/nixos-rebuild boot";
|
||||
# options = [ "NOPASSWD" ];
|
||||
# }
|
||||
# ];
|
||||
# groups = ["wheel"];
|
||||
# Allow unifi-controller user to sudo without password because ansible
|
||||
users = [ user ];
|
||||
commands = [{
|
||||
command = "ALL";
|
||||
options = [ "NOPASSWD" ];
|
||||
}];
|
||||
}];
|
||||
};
|
||||
|
||||
services = {
|
||||
rpcbind.enable = true; # needed for NFS
|
||||
nfs.server.enable = true; # needed for NFS mount O.o
|
||||
openssh = {
|
||||
enable = true;
|
||||
settings.PasswordAuthentication = false;
|
||||
settings.KbdInteractiveAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
system = {
|
||||
stateVersion = "23.05";
|
||||
};
|
||||
|
||||
systemd = {
|
||||
mounts = [{
|
||||
type = "nfs";
|
||||
mountConfig = {
|
||||
Options = "noatime";
|
||||
};
|
||||
what = "{{ nfs_server_ip }}:{{ nfs_server_share }}";
|
||||
where = "/nfs";
|
||||
}];
|
||||
|
||||
automounts = [{
|
||||
wantedBy = [ "multi-user.target" "podman-unifi-controller.service" ];
|
||||
automountConfig = {
|
||||
TimeoutIdleSec = "600";
|
||||
};
|
||||
where = "/nfs";
|
||||
}];
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
podman = {
|
||||
enable = true;
|
||||
dockerSocket.enable = true;
|
||||
};
|
||||
|
||||
oci-containers.containers = {
|
||||
unifi-controller = {
|
||||
image = "{{ unifi_controller_image_name }}:{{ unifi_controller_image_tag }}";
|
||||
autoStart = true;
|
||||
extraOptions = [ "--network=host" ];
|
||||
volumes = [ "/nfs/config:/config" ];
|
||||
environment = {
|
||||
PUID = userID;
|
||||
PGID = userID;
|
||||
TZ = "Europe/Madrid";
|
||||
MEM_LIMIT = "1024";
|
||||
MEM_STARTUP = "1024";
|
||||
};
|
||||
ports = [
|
||||
"8443:8443"
|
||||
"3478:3478/udp"
|
||||
"10001:10001/udp"
|
||||
"8080:8080"
|
||||
"1900:1900/udp"
|
||||
"8843:8843"
|
||||
"8880:8880"
|
||||
"6789:6789"
|
||||
"5514:5514/udp"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users."${user}" = {
|
||||
uid = 1001;
|
||||
isNormalUser = true;
|
||||
password = password;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"{{ system_user_ssh_public_key }}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
}
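Review bot: `password = password;` in `users.users."${user}"` sets the NixOS option `users.users.<name>.password`, which is a clear-text password that ends up in the world-readable Nix store once the configuration is built, so the `mode: 0700` the task puts on configuration.nix does not protect it. Prefer `hashedPassword` (or `hashedPasswordFile` pointing at a file outside the store), e.g. `hashedPassword = "{{ system_user_password_hash }}";` with the hash produced by `mkpasswd` on the control host and the variable name here being illustrative. The sudo rule `command = "ALL"; options = [ "NOPASSWD" ];` for the same user grants passwordless root, while the commented-out per-command list just above it for the three `nixos-rebuild` invocations shows the scoping that would suffice for this playbook and is worth reinstating. Also, `extraOptions = [ "--network=host" ]` makes the `ports = [ ... ]` mappings on the container ineffective (podman discards port mappings in host network mode), so one of the two is redundant and the `networking.firewall` lists are what actually control exposure; `services.nfs.server.enable = true` likewise enables a server on what is only an NFS client, where `rpcbind` alone is what the mount needs.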
|