jalr/weinturm-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add unifi controller

Browse source
This commit is contained in:
Jakob Lechner 2025-07-23 22:57:37 +02:00
parent 93e8d80d64
commit 6bb4707649
8 changed files with 119 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
docs/hp-switch.md
View file

@ -51,12 +51,12 @@ vlan 2 tagged 23,24
vlan 6 name public-event vlan 6 name public-event
vlan 6 qos priority 0 vlan 6 qos priority 0
vlan 6 tagged 21-24 vlan 6 tagged 13,15,21-24
vlan 7 name weinturm vlan 7 name weinturm
vlan 7 qos priority 1 vlan 7 qos priority 1
vlan 7 tagged 21-23 vlan 7 tagged 21-23
vlan 7 untagged 1-12,24 vlan 7 untagged 1-12,13,15,24
vlan 8 name voice vlan 8 name voice
vlan 8 qos priority 5 vlan 8 qos priority 5
@ -66,6 +66,9 @@ vlan 8 voice
interface ethernet 1-12 enable interface ethernet 1-12 enable
interface ethernet 13,15 enable
interface ethernet 13,15 name WLAN
interface ethernet 17,19 enable interface ethernet 17,19 enable
interface ethernet 17,19 name dect interface ethernet 17,19 name dect

32
hosts/pbx/networking.nix
View file

@ -1,4 +1,5 @@
{ {
lib,
pkgs, pkgs,
config, config,
... ...
@ -173,6 +174,37 @@
]; ];
} }
]; ];
option-def = lib.lists.optional config.services.unifi.enable {
name = "unifi-address";
code = 1;
space = "ubnt";
type = "ipv4-address";
encapsulate = "";
};
client-classes = lib.lists.optional config.services.unifi.enable {
name = "ubnt";
test = "(option[vendor-class-identifier].text == 'ubnt')";
option-def = [
{
name = "vendor-encapsulated-options";
code = 43;
type = "empty";
encapsulate = "ubnt";
}
];
option-data = [
{
name = "unifi-address";
space = "ubnt";
data = "192.168.96.1";
}
{
name = "vendor-encapsulated-options";
}
];
};
}; };
}; };

5
hosts/pbx/secrets.yaml
View file

@ -1,3 +1,4 @@
unpoller: ENC[AES256_GCM,data:w1PvLyJlUP+hsJFcgW9hKD/CvTQzSin+,iv:LuSbsN6Hg9XOc1SCYTBjQNXtqlg5tfHutzTNt4dm20I=,tag:BLBmfB0OwhR3VZzvVyd4IQ==,type:str]
fieldpoc: fieldpoc:
omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str] omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str] sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
@ -24,8 +25,8 @@ sops:
TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ== JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-23T09:35:37Z" lastmodified: "2025-07-23T20:25:37Z"
mac: ENC[AES256_GCM,data:e1hoBiXA1BrLVTaf/siFWwjDSPvgaWYmfzMBjoIqShj1MnUg8vXBfPR89bhsPNtOkW7s0HVsgFeKBMFm0++xkDOb/Xy7gdzPltF4f8P0D5SrlcEoeHgRQWLCgxJLB4suKUBhUauccKKg1NlIVXw3MgizBjG7+bTfGDXZfVGGJy4=,iv:O0JE5V6rVkPnCpxVsGJUpeQZsmJF4ZxPTnqnLwZZnlg=,tag:AnejfZw44+8CnoDHS1KIsg==,type:str] mac: ENC[AES256_GCM,data:fuTK5OV8mL8xe23/IkwDHiseSvfZ7BteR88k40rVCQaHOtVU66BteffEzxB6oHTQdmr4Ni8S7lrT2s3Y5oUpKe8oy6a7fbDL8fSipiKXzrUDvmnIr02Cp3UkUeEZrZXgClp31YRLtL00u1qvgSOxSBGCHXJwY1Xyoy9T5u0PNtQ=,iv:wQNa9COOvgoEmbPbCr1p/51158B9/97iqKGmvfYRti4=,tag:TEheul0eeir06sRGHm1NvQ==,type:str]
pgp: pgp:
- created_at: "2025-07-18T23:14:45Z" - created_at: "2025-07-18T23:14:45Z"
enc: |- enc: |-

1
hosts/pbx/services/default.nix
View file

@ -2,6 +2,7 @@
imports = [ imports = [
./fieldpoc ./fieldpoc
./public-ip4-tunnel.nix ./public-ip4-tunnel.nix
./unifi-controller
./webserver.nix ./webserver.nix
]; ];
} }

46
hosts/pbx/services/unifi-controller/default.nix Normal file
View file

@ -0,0 +1,46 @@
args: let
domain = "unifi.weinturm.de";
in {
imports = [
(import ./unpoller.nix (args // {inherit domain;}))
];
services.unifi.enable = true;
networking.firewall.interfaces.weinturm = {
# https://help.ubnt.com/hc/en-us/articles/218506997
allowedTCPPorts = [
8080 # Port for UAP to inform controller.
8880 # Port for HTTP portal redirect, if guest portal is enabled.
8843 # Port for HTTPS portal redirect, ditto.
6789 # Port for UniFi mobile speed test.
];
allowedUDPPorts = [
3478 # UDP port used for STUN.
10001 # UDP port used for device discovery.
];
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/unifi";
user = "unifi";
group = "unifi";
mode = "u=rwx,g=rx,o=rx";
}
];
services.nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
recommendedProxySettings = true;
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
};
}

24
hosts/pbx/services/unifi-controller/unpoller.nix Normal file
View file

@ -0,0 +1,24 @@
{
config,
domain,
...
}: {
sops.secrets.unpoller = {
owner = config.services.prometheus.exporters.unpoller.user;
sopsFile = ../../secrets.yaml;
};
services.prometheus.exporters.unpoller = {
enable = true;
controllers = [
{
user = "unpoller";
url = "https://${domain}";
pass = config.sops.secrets.unpoller.path;
verify_ssl = false;
hash_pii = true;
}
];
log.prometheusErrors = true;
};
}

1
modules/default.nix
View file

@ -10,6 +10,7 @@
./nix.nix ./nix.nix
./security.nix ./security.nix
./sshd.nix ./sshd.nix
./unfree.nix
./zram.nix ./zram.nix
]; ];

7
modules/unfree.nix Normal file
View file

@ -0,0 +1,7 @@
{lib, ...}: {
nixpkgs.config.allowUnfreePredicate = pkg:
lib.elem (lib.getName pkg) [
"mongodb"
"unifi-controller"
];
}