Add unifi controller

docs/hp-switch.md

@@ -51,12 +51,12 @@ vlan 2 tagged 23,24
 
 vlan 6 name public-event
 vlan 6 qos priority 0
-vlan 6 tagged 21-24
+vlan 6 tagged 13,15,21-24
 
 vlan 7 name weinturm
 vlan 7 qos priority 1
 vlan 7 tagged 21-23
-vlan 7 untagged 1-12,24
+vlan 7 untagged 1-12,13,15,24
 
 vlan 8 name voice
 vlan 8 qos priority 5
@@ -66,6 +66,9 @@ vlan 8 voice
 
 interface ethernet 1-12 enable
 
+interface ethernet 13,15 enable
+interface ethernet 13,15 name WLAN
+
 interface ethernet 17,19 enable
 interface ethernet 17,19 name dect
 

hosts/pbx/networking.nix

@@ -1,4 +1,5 @@
 {
+  lib,
   pkgs,
   config,
   ...
@@ -173,6 +174,37 @@
           ];
         }
       ];
+
+      option-def = lib.lists.optional config.services.unifi.enable {
+        name = "unifi-address";
+        code = 1;
+        space = "ubnt";
+        type = "ipv4-address";
+        encapsulate = "";
+      };
+
+      client-classes = lib.lists.optional config.services.unifi.enable {
+        name = "ubnt";
+        test = "(option[vendor-class-identifier].text == 'ubnt')";
+        option-def = [
+          {
+            name = "vendor-encapsulated-options";
+            code = 43;
+            type = "empty";
+            encapsulate = "ubnt";
+          }
+        ];
+        option-data = [
+          {
+            name = "unifi-address";
+            space = "ubnt";
+            data = "192.168.96.1";
+          }
+          {
+            name = "vendor-encapsulated-options";
+          }
+        ];
+      };
     };
   };
 

hosts/pbx/secrets.yaml

@@ -1,3 +1,4 @@
+unpoller: ENC[AES256_GCM,data:w1PvLyJlUP+hsJFcgW9hKD/CvTQzSin+,iv:LuSbsN6Hg9XOc1SCYTBjQNXtqlg5tfHutzTNt4dm20I=,tag:BLBmfB0OwhR3VZzvVyd4IQ==,type:str]
 fieldpoc:
     omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
     sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
@@ -24,8 +25,8 @@ sops:
             TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
             JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-23T09:35:37Z"
-    mac: ENC[AES256_GCM,data:e1hoBiXA1BrLVTaf/siFWwjDSPvgaWYmfzMBjoIqShj1MnUg8vXBfPR89bhsPNtOkW7s0HVsgFeKBMFm0++xkDOb/Xy7gdzPltF4f8P0D5SrlcEoeHgRQWLCgxJLB4suKUBhUauccKKg1NlIVXw3MgizBjG7+bTfGDXZfVGGJy4=,iv:O0JE5V6rVkPnCpxVsGJUpeQZsmJF4ZxPTnqnLwZZnlg=,tag:AnejfZw44+8CnoDHS1KIsg==,type:str]
+    lastmodified: "2025-07-23T20:25:37Z"
+    mac: ENC[AES256_GCM,data:fuTK5OV8mL8xe23/IkwDHiseSvfZ7BteR88k40rVCQaHOtVU66BteffEzxB6oHTQdmr4Ni8S7lrT2s3Y5oUpKe8oy6a7fbDL8fSipiKXzrUDvmnIr02Cp3UkUeEZrZXgClp31YRLtL00u1qvgSOxSBGCHXJwY1Xyoy9T5u0PNtQ=,iv:wQNa9COOvgoEmbPbCr1p/51158B9/97iqKGmvfYRti4=,tag:TEheul0eeir06sRGHm1NvQ==,type:str]
     pgp:
         - created_at: "2025-07-18T23:14:45Z"
           enc: |-

hosts/pbx/services/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./fieldpoc
     ./public-ip4-tunnel.nix
+    ./unifi-controller
     ./webserver.nix
   ];
 }

hosts/pbx/services/unifi-controller/default.nix

@@ -0,0 +1,46 @@
+args: let
+  domain = "unifi.weinturm.de";
+in {
+  imports = [
+    (import ./unpoller.nix (args // {inherit domain;}))
+  ];
+
+  services.unifi.enable = true;
+
+  networking.firewall.interfaces.weinturm = {
+    # https://help.ubnt.com/hc/en-us/articles/218506997
+    allowedTCPPorts = [
+      8080 # Port for UAP to inform controller.
+      8880 # Port for HTTP portal redirect, if guest portal is enabled.
+      8843 # Port for HTTPS portal redirect, ditto.
+      6789 # Port for UniFi mobile speed test.
+    ];
+    allowedUDPPorts = [
+      3478 # UDP port used for STUN.
+      10001 # UDP port used for device discovery.
+    ];
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/unifi";
+      user = "unifi";
+      group = "unifi";
+      mode = "u=rwx,g=rx,o=rx";
+    }
+  ];
+
+  services.nginx.virtualHosts = {
+    "${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+        recommendedProxySettings = true;
+        extraConfig = ''
+          proxy_ssl_verify off;
+        '';
+      };
+    };
+  };
+}

hosts/pbx/services/unifi-controller/unpoller.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  domain,
+  ...
+}: {
+  sops.secrets.unpoller = {
+    owner = config.services.prometheus.exporters.unpoller.user;
+    sopsFile = ../../secrets.yaml;
+  };
+
+  services.prometheus.exporters.unpoller = {
+    enable = true;
+    controllers = [
+      {
+        user = "unpoller";
+        url = "https://${domain}";
+        pass = config.sops.secrets.unpoller.path;
+        verify_ssl = false;
+        hash_pii = true;
+      }
+    ];
+    log.prometheusErrors = true;
+  };
+}

modules/default.nix

@@ -10,6 +10,7 @@
     ./nix.nix
     ./security.nix
     ./sshd.nix
+    ./unfree.nix
     ./zram.nix
   ];
 

modules/unfree.nix

@@ -0,0 +1,7 @@
+{lib, ...}: {
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    lib.elem (lib.getName pkg) [
+      "mongodb"
+      "unifi-controller"
+    ];
+}