weinturm-infra/hosts/pbx/services/unifi-controller/default.nix
2025-07-24 15:03:45 +02:00


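# NixOS module for the UniFi controller on this host: enables the service,
# opens the device-facing ports on one interface, persists the controller
# state directory, and publishes the web UI through an nginx virtual host.
args: let
  # Hostname of the nginx virtual host; also passed on to ./unpoller.nix.
  domain = "unifi.weinturm.de";
in {
  imports = [
    # unpoller.nix is a function; it receives the module args extended with `domain`.
    (import ./unpoller.nix (args // {inherit domain;}))
  ];

  services.unifi.enable = true;

  # These ports are opened on the `weinturm` interface only, not host-wide.
  # The controller's own HTTPS port 8443 (the nginx upstream below) is not
  # listed here, so on this interface the UI is reached through nginx.
  # NOTE(review): rules for other interfaces are not visible in this file.
  networking.firewall.interfaces.weinturm = {
    # https://help.ubnt.com/hc/en-us/articles/218506997
    allowedTCPPorts = [
      8080 # Port for UAP to inform controller.
      8880 # Port for HTTP portal redirect, if guest portal is enabled.
      8843 # Port for HTTPS portal redirect, ditto.
      6789 # Port for UniFi mobile speed test.
    ];
    allowedUDPPorts = [
      3478 # UDP port used for STUN.
      10001 # UDP port used for device discovery.
    ];
  };

  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/unifi";
      user = "unifi";
      group = "unifi";
      # Previously "u=rwx,g=rx,o=rx". The controller state directory
      # (presumably database, backups and keystore - confirm) should not be
      # listable or readable by every local account, so "other" gets no access.
      # NOTE(review): if /persist/var/lib/unifi already exists on the host,
      # check that the tighter mode is actually applied; an existing directory
      # may need a one-off chmod.
      mode = "u=rwx,g=rx,o=";
    }
  ];

  services.nginx.virtualHosts = {
    "${domain}" = {
      # Certificate via ACME; plain-HTTP requests are redirected to HTTPS.
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        # The upstream is the controller's HTTPS listener on loopback.
        proxyPass = "https://127.0.0.1:8443";
        recommendedProxySettings = true;
        # Upstream certificate verification is disabled, presumably because
        # the controller serves a self-signed certificate. This hop stays on
        # 127.0.0.1; do not keep this setting if the upstream ever moves to
        # another host.
        # NOTE(review): no allow/deny or extra authentication here, so the
        # controller login page is reachable wherever nginx is reachable -
        # confirm that is intended.
        extraConfig = ''
          proxy_ssl_verify off;
        '';
      };
    };
  };
}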