diff --git a/docs/hp-switch.md b/docs/hp-switch.md
index be66b38..17cdb50 100644
--- a/docs/hp-switch.md
+++ b/docs/hp-switch.md
@@ -51,12 +51,12 @@ vlan 2 tagged 23,24
 vlan 6 name public-event
 vlan 6 qos priority 0
-vlan 6 tagged 21-24
+vlan 6 tagged 13,15,21-24
 vlan 7 name weinturm
 vlan 7 qos priority 1
 vlan 7 tagged 21-23
-vlan 7 untagged 1-12,24
+vlan 7 untagged 1-12,13,15,24
 vlan 8 name voice
 vlan 8 qos priority 5
@@ -66,6 +66,9 @@ vlan 8 voice
 interface ethernet 1-12 enable
+interface ethernet 13,15 enable
+interface ethernet 13,15 name WLAN
+
 interface ethernet 17,19 enable
 interface ethernet 17,19 name dect
diff --git a/hosts/pbx/networking.nix b/hosts/pbx/networking.nix
index 7679d3f..acb383c 100644
--- a/hosts/pbx/networking.nix
+++ b/hosts/pbx/networking.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 pkgs,
 config,
 ...
@@ -173,6 +174,37 @@
 ];
 }
 ];
+
+ option-def = lib.lists.optional config.services.unifi.enable {
+ name = "unifi-address";
+ code = 1;
+ space = "ubnt";
+ type = "ipv4-address";
+ encapsulate = "";
+ };
+
+ client-classes = lib.lists.optional config.services.unifi.enable {
+ name = "ubnt";
+ test = "(option[vendor-class-identifier].text == 'ubnt')";
+ option-def = [
+ {
+ name = "vendor-encapsulated-options";
+ code = 43;
+ type = "empty";
+ encapsulate = "ubnt";
+ }
+ ];
+ option-data = [
+ {
+ name = "unifi-address";
+ space = "ubnt";
+ data = "192.168.96.1";
+ }
+ {
+ name = "vendor-encapsulated-options";
+ }
+ ];
+ };
 };
 };
diff --git a/hosts/pbx/secrets.yaml b/hosts/pbx/secrets.yaml
index bb57413..65e6b3c 100644
--- a/hosts/pbx/secrets.yaml
+++ b/hosts/pbx/secrets.yaml
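Review bot: The `client-classes` test keys solely on the client-supplied vendor-class-identifier (`'ubnt'`), which any DHCP client on the segment can send, and the resulting option 43 points whoever matches at `192.168.96.1` over the controller's plain-HTTP inform port; that is fine as an adoption hint, but it deserves a comment so class membership is never later mistaken for device authentication. The inform address is a bare literal while the host's own addressing presumably lives elsewhere in this file; binding it once (a `let` or a reference to the interface address) keeps the two from drifting apart silently. Suggested comment above `client-classes`: `# Kea vendor option 43 / sub-option 1 for UniFi devices (option 60 == "ubnt"): controller inform address. This is only a bootstrap hint, not authentication.`. The attribute set these keys are added to starts outside the hunk.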
@@ -1,3 +1,4 @@
+unpoller: ENC[AES256_GCM,data:w1PvLyJlUP+hsJFcgW9hKD/CvTQzSin+,iv:LuSbsN6Hg9XOc1SCYTBjQNXtqlg5tfHutzTNt4dm20I=,tag:BLBmfB0OwhR3VZzvVyd4IQ==,type:str]
 fieldpoc:
 omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
 sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
@@ -24,8 +25,8 @@ sops:
 TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
 JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-23T09:35:37Z"
- mac: ENC[AES256_GCM,data:e1hoBiXA1BrLVTaf/siFWwjDSPvgaWYmfzMBjoIqShj1MnUg8vXBfPR89bhsPNtOkW7s0HVsgFeKBMFm0++xkDOb/Xy7gdzPltF4f8P0D5SrlcEoeHgRQWLCgxJLB4suKUBhUauccKKg1NlIVXw3MgizBjG7+bTfGDXZfVGGJy4=,iv:O0JE5V6rVkPnCpxVsGJUpeQZsmJF4ZxPTnqnLwZZnlg=,tag:AnejfZw44+8CnoDHS1KIsg==,type:str]
+ lastmodified: "2025-07-23T20:25:37Z"
+ mac: ENC[AES256_GCM,data:fuTK5OV8mL8xe23/IkwDHiseSvfZ7BteR88k40rVCQaHOtVU66BteffEzxB6oHTQdmr4Ni8S7lrT2s3Y5oUpKe8oy6a7fbDL8fSipiKXzrUDvmnIr02Cp3UkUeEZrZXgClp31YRLtL00u1qvgSOxSBGCHXJwY1Xyoy9T5u0PNtQ=,iv:wQNa9COOvgoEmbPbCr1p/51158B9/97iqKGmvfYRti4=,tag:TEheul0eeir06sRGHm1NvQ==,type:str]
 pgp:
 - created_at: "2025-07-18T23:14:45Z"
 enc: |-
diff --git a/hosts/pbx/services/default.nix b/hosts/pbx/services/default.nix
index d22355b..4a97612 100644
--- a/hosts/pbx/services/default.nix
+++ b/hosts/pbx/services/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./fieldpoc
 ./public-ip4-tunnel.nix
+ ./unifi-controller
 ./webserver.nix
 ];
 }
diff --git a/hosts/pbx/services/unifi-controller/default.nix b/hosts/pbx/services/unifi-controller/default.nix
new file mode 100644
index 0000000..baea9e9
--- /dev/null
+++ b/hosts/pbx/services/unifi-controller/default.nix
@@ -0,0 +1,46 @@
+args: let
+ domain = "unifi.weinturm.de";
+in {
+ imports = [
+ (import ./unpoller.nix (args // {inherit domain;}))
+ ];
+
+ services.unifi.enable = true;
+
+ networking.firewall.interfaces.weinturm = {
+ # https://help.ubnt.com/hc/en-us/articles/218506997
+ allowedTCPPorts = [
+ 8080 # Port for UAP to inform controller.
+ 8880 # Port for HTTP portal redirect, if guest portal is enabled.
+ 8843 # Port for HTTPS portal redirect, ditto.
+ 6789 # Port for UniFi mobile speed test.
+ ];
+ allowedUDPPorts = [
+ 3478 # UDP port used for STUN.
+ 10001 # UDP port used for device discovery.
+ ];
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/unifi";
+ user = "unifi";
+ group = "unifi";
+ mode = "u=rwx,g=rx,o=rx";
+ }
+ ];
+
+ services.nginx.virtualHosts = {
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "https://127.0.0.1:8443";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/pbx/services/unifi-controller/unpoller.nix b/hosts/pbx/services/unifi-controller/unpoller.nix
new file mode 100644
index 0000000..e89e089
--- /dev/null
+++ b/hosts/pbx/services/unifi-controller/unpoller.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ domain,
+ ...
+}: {
+ sops.secrets.unpoller = {
+ owner = config.services.prometheus.exporters.unpoller.user;
+ sopsFile = ../../secrets.yaml;
+ };
+
+ services.prometheus.exporters.unpoller = {
+ enable = true;
+ controllers = [
+ {
+ user = "unpoller";
+ url = "https://${domain}";
+ pass = config.sops.secrets.unpoller.path;
+ verify_ssl = false;
+ hash_pii = true;
+ }
+ ];
+ log.prometheusErrors = true;
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 6497baa..41909df 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,7 @@
 ./nix.nix
 ./security.nix
 ./sshd.nix
+ ./unfree.nix
 ./zram.nix
 ];
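Review bot: The `"${domain}"` virtual host proxies the whole controller (login page and admin API included) under `locations."/"` with no source restriction, and since it uses `enableACME` the vhost looks internet-reachable, so the UniFi admin interface would be exposed to anyone who can reach port 443 while the device-facing ports are carefully limited to the `weinturm` interface. Unless public access is intended, restrict the location to the internal range, e.g. `extraConfig = '' allow 192.168.96.0/24; deny all; proxy_ssl_verify off; '';` (the prefix is inferred from the DHCP inform address in networking.nix and should be confirmed). The controller UI also depends on websocket upgrades for live device/status updates, which `recommendedProxySettings` alone does not forward (it resets the `Connection` header); `proxyWebsockets = true;` in the same location fixes that. Separately, the persisted `/var/lib/unifi` is created with `o=rx`, which makes the controller's database and backup directory listable by every local account; `mode = "0750";` is the safer default and a comment that `proxy_ssl_verify off` is only for the controller's self-signed loopback certificate would explain why it is acceptable here.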
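Review bot: `verify_ssl = false` on the controller entry is set although `url` targets `https://${domain}`, the ACME-fronted nginx vhost, so the poller will hand its username and password to anything that answers for that name; `verify_ssl = true;` is free there. If the intent was to talk to the controller directly, the consistent alternative is `url = "https://127.0.0.1:8443";` with verification off against the self-signed certificate, matching what the nginx proxy in default.nix already does. A short comment on `pass` that the NixOS exporter option takes the path of a file holding the password (which is why the sops secret path is passed, not the value) would save the next reader a trip to the module definition — presumed from the option's use here, worth confirming.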
diff --git a/modules/unfree.nix b/modules/unfree.nix
new file mode 100644
index 0000000..b900b5f
--- /dev/null
+++ b/modules/unfree.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ lib.elem (lib.getName pkg) [
+ "mongodb"
+ "unifi-controller"
+ ];
+}
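Review bot: The allow-list gives no hint of why each unfree package is accepted or which service pulls it in, so the next person touching it cannot tell whether an entry is still needed. Since this is a global module applied to every host, a comment per entry keeps the exception auditable, e.g. `"mongodb" # SSPL; dependency of services.unifi on pbx` and `"unifi-controller" # proprietary; services.unifi on pbx`. Matching on `lib.getName` allow-lists every version of each package, which is presumably the intent but worth stating in the header comment.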