authorTrygve Laugstøl <trygvis@inamo.no>2024-05-20 20:45:56 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2024-05-20 20:45:56 +0200
commit0792ea3517043b00e550c3ecef7dfc8feceb5e3f (patch)
tree40cd0dfdf3d7d0ef427b599f80a86ea5539096c3
parentc1c7634cb4ebec0894deb2c11b8910db32d2e8ce (diff)
unifi: Going mongoless!HEADmaster
-rw-r--r--terraform/unifi-controller/README.md9
-rw-r--r--terraform/unifi-controller/main.tf9
-rw-r--r--terraform/unifi-controller/mongo.tf23
-rw-r--r--terraform/unifi-controller/sops.yml34
-rw-r--r--terraform/unifi-controller/unifi.tf13
5 files changed, 72 insertions, 16 deletions
diff --git a/terraform/unifi-controller/README.md b/terraform/unifi-controller/README.md
new file mode 100644
index 0000000..66f0fb0
--- /dev/null
+++ b/terraform/unifi-controller/README.md
@@ -0,0 +1,9 @@
+# Mongo init
+
+After the mongo database has been started the first time, execute the output of:
+
+ terraform output -json|jq -r .mongo_init_js.value
+
+in a mongo shell:
+
+ docker exec -it unifi-mongo mongo
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
index 915685a..f5f7b0a 100644
--- a/terraform/unifi-controller/main.tf
+++ b/terraform/unifi-controller/main.tf
@@ -28,14 +28,15 @@ provider "docker" {
locals {
domain_name = "unifi.vpn.trygvis.io"
- docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24"
- docker_image_mongo = "mongo:3.6"
+ docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless"
+ docker_image_mongo = "mongo:7.0"
+ mongo_database = "unifi"
mongo_username = "unifi"
- mongo_password = data.sops_file_entry.mongo_password
+ mongo_password = data.sops_file_entry.mongo_password.data
}
data "sops_file_entry" "mongo_password" {
- source_file = "../../sops.yml"
+ source_file = "sops.yml"
data_key = "mongo_password"
}
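Review bot: `docker_image_mongo = "mongo:7.0"` does not match the README added in this commit: the legacy `mongo` shell is no longer shipped with MongoDB 6.0 and later, so the documented command should be `docker exec -it unifi-mongo mongosh`. Separately, if the existing `/data/db` volume holds files written by `mongo:3.6`, mongod 7.0 is not expected to start on them, since MongoDB upgrades go one major release at a time. A comment next to the image local saying that the database is initialised fresh (or how it was migrated) would settle that for the next reader.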
diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf
index 747b3b1..98b4e36 100644
--- a/terraform/unifi-controller/mongo.tf
+++ b/terraform/unifi-controller/mongo.tf
@@ -1,5 +1,5 @@
-resource "docker_network" "unifi-mongo" {
- name = "unifi-mongo"
+resource "docker_network" "unifi" {
+ name = "unifi"
}
data "docker_registry_image" "mongo" {
@@ -21,7 +21,7 @@ resource "docker_container" "unifi-mongo" {
hostname = "unifi-mongo"
networks_advanced {
- name = docker_network.unifi-mongo.name
+ name = docker_network.unifi.name
}
volumes {
@@ -29,3 +29,20 @@ resource "docker_container" "unifi-mongo" {
container_path = "/data/db"
}
}
+
+output "mongo_init_js" {
+ sensitive = true
+ value = <<-EOF
+ db.getSiblingDB("${local.mongo_database}").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}"}]});
+
+ db.getSiblingDB("${local.mongo_database}_stat").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}_stat"}]});
+ EOF
+}
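Review bot: Both `createUser` calls in `mongo_init_js` set `user: "${local.mongo_database}"`, while unifi.tf hands the controller `MONGO_USER=${local.mongo_username}`. The two locals hold the same value today, but the script should read `user: "${local.mongo_username}",` so that the account created and the account used cannot drift apart. The password is also interpolated raw into a JavaScript string literal, so a value containing `"` or `\` would break or change the script; `pwd: ${jsonencode(local.mongo_password)},` produces a correctly escaped literal. These users only protect the data if mongod runs with access control enabled, which is not visible in this hunk and is worth confirming on the `docker_container.unifi-mongo` resource.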
diff --git a/terraform/unifi-controller/sops.yml b/terraform/unifi-controller/sops.yml
index daf5231..ce815b2 100644
--- a/terraform/unifi-controller/sops.yml
+++ b/terraform/unifi-controller/sops.yml
@@ -1,4 +1,4 @@
-mongo_password: ENC[AES256_GCM,data:4GK/9eCD/tuhDTgAnvn4nim6zB8q476MG4SYzp4SuxcTK0uUdPKdMj0uWAUySYnFI+hNINSMm5ujZ6PXUdLxE2X04t52Dtm5DoVXgZTrP8WHXz2RHGrVElJ6LABVji3mmh4+Ug==,iv:5j89FCkB9sr85tRzo9qeVUjrqvgZOEihBstXNWgbTOA=,tag:V27pawBT6NqX3V0iAeu7NA==,type:str]
+mongo_password: ENC[AES256_GCM,data:BdrzXzqlYf0LO0ru361m/ZIqErFT/yRl+2pdsmFZNYyrgrZN+3q9aZoMCSva1E6w4xGbMmjG6WSgQlf+yRIlb6k9q0yFSPE9gbfhESILrSuO2McVjSO0KCK7+nI3b9nlb2Lp2A==,iv:yNNWskWG2lAZZOp8HgWomAgFg1BdXQ1zH/SmMnQVSkQ=,tag:OxpdBIr47OUpEqj+hmyKMw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -8,14 +8,32 @@ sops:
- recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRFptMlVVRWFQbjlwb2tj
- NmtEV29HMm82SjdKTDE4N2pSOUpvRzBOcDAwCnBOcnlKS0dCQjRxc0VzY3pEVyt1
- K2hRZGpqL3p1ejZJM2xyTDFocnFSMW8KLS0tIEx0cVpOUHVrZTErTXBGKyt2Rmx5
- Q3NYajIxUFNwUDZ6bW1XT1NWak8vaVkK0IoF+EoQA7AAXmfVICs8wIxJrhlTDKkc
- cRc2o70ARquivCo/SuYg1f/097BhOucm1lLXfCATvzi5GvMwqXvcTg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUlUNnlVVDZBMGFyT2cy
+ djZMbjVUa2UxRlRzNzVMNmNWQkFRSWlselc4CjV5dU5QUGtrTWpqL2k2L29wSjRI
+ ak9ZL2hDb3F0UHFkZDVmV2lxVjVRVG8KLS0tIGIyNDF3cTRRTTZ4R1oyVHU5YUVJ
+ Y09WN2EvVDZwTExybms2UmJEN0h1OUkKJLGAUByueidNKz9LrRLUzkAhT3+mczz6
+ 10JVToEgm5+N95zEXBiZtaNftvGYU6eVqHtwFyVm3lbO7VBYpvhRNQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-20T04:48:47Z"
- mac: ENC[AES256_GCM,data:BbX2yJsTcmgoY1lL+isa85eBN8OK4BM7wZsuwAJtOsxMDEHYmzJiF4AjKnSoTWqdCLy2PhpUPfLmsunfODhfoiCmfjqr69WHP+fktPK9RRaa+bBGGXAc6/GBWBuvlhmgvy0LKRa9DrCPLOF0lwrEvmur89THCUu6HW60aguO3E0=,iv:C3VFYOdMGh8M4KbS1K0zq8cwmsrjZFkih74use0omdQ=,tag:arLY4XlgJ3Z8fFdXeHBAHw==,type:str]
+ - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMnVTcno3emdKRWUvL25j
+ MjEzN0pMUktPcjU3QW5CeEtYL2dFS1ZMdW13CjJVT0FOWTBUOWVCa0tEZE4yM1lx
+ d2F0TjAvaDBvcmdkR0pHV0c5KzRqdzgKLS0tIDR6TThRdWtMSzdkL2FHKytCNU8r
+ WHc3OWM0b0lSMGRUM2NnNmdocnNiRVkKko4z88f5PzmVzxfB8Zi/zZhccvxqYqym
+ nvd7uja8Ght+DpT/stYIrYyu0lyBOTVirwTIaEHr5bKUY1d+TwwP/g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a29XdEZkdkZuU0M3MGpU
+ YkJRbjdWOWpmdjQyUHY5VDBqUTRYUk9LR21BCkxjOUU4Mmg4NXZwVnRJYWp4NnZr
+ a0xUS3pQTjJNam5qQXhhZUkxaW5nVWsKLS0tIFJ3eFJxbytPQkZJKzF2MGorVmlr
+ LzVLTE1qZkp0YUhFT3h2dktuMnJGZE0KnirLt0k2g2XqqIKIu6nNNIoZMF25Ir7E
+ EFjv/k/kKVLPesrdtfwKRCLQqtQjV0j1qtqPOKoUDcrE3zxs4r4gaA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-20T07:04:41Z"
+ mac: ENC[AES256_GCM,data:hjDc7d8/8dwEb23Xb16WBsoEOE7hepyLYz2n2DW6aKT14RLOAxB85kP8Ibwb0tC4DqwNkCqOWJ6WxhHrZA2IKE4co6bsD8uc6atM2EgRm6Xctgr2lqvYMr7WtPFKIQF+/K7358i7vf/tyvtdvNINVuBXVra5LcxVTSVyUIb1m+w=,iv:VKDovzX5RO9RIjm85JlfsNE5sd+TVYRh8FbFJHIZpgw=,tag:tbdoa4Cow5jYEVvP9LXEiQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
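Review bot: The two added `recipient` entries under `age` widen the set of keys that can decrypt `mongo_password`, and the commit record does not say who holds those keys or why they were added. Since the recipient list is effectively the access-control list for this secret, a sentence in the commit message or a `.sops.yaml` creation rule naming the key owners would make the change reviewable. Keep in mind that removing a recipient later does not revoke access to this revision, so the password itself would have to be rotated at that point.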
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
index 699628b..8e6c7d7 100644
--- a/terraform/unifi-controller/unifi.tf
+++ b/terraform/unifi-controller/unifi.tf
@@ -12,7 +12,7 @@ resource "docker_image" "unifi-controller" {
}
resource "docker_volume" "unifi-controller" {
- name = "unifi-controller"
+ name = "unifi-controller-new"
}
resource "docker_container" "unifi-controller" {
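Review bot: Changing `name` on the existing `docker_volume.unifi-controller` resource most likely forces a replacement, so applying this would have Terraform remove the old `unifi-controller` volume and the controller data in it. If that data is still needed for migration or rollback, declare the new volume as a separate resource and drop the old one only after a controller backup has been exported and the new setup verified. A short comment explaining the `-new` suffix would also help.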
@@ -26,6 +26,10 @@ resource "docker_container" "unifi-controller" {
name = data.docker_network.traefik.name
}
+ networks_advanced {
+ name = docker_network.unifi.name
+ }
+
dynamic "ports" {
for_each = [
# Taken from https://fleet.linuxserver.io/image?name=linuxserver/unifi-controller
@@ -65,6 +69,7 @@ resource "docker_container" "unifi-controller" {
{ label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" },
{ label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" },
{ label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" },
+ { label = "traefik.docker.network", value = "traefik" },
# { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" },
]
content {
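Review bot: The added label hardcodes `value = "traefik"`, although the same resource already refers to that network as `data.docker_network.traefik.name`. Now that the container is attached to two networks, a mismatch between the label and the real network name would leave Traefik picking the wrong address, so `{ label = "traefik.docker.network", value = data.docker_network.traefik.name },` is the safer form. The labels list starts outside this hunk.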
@@ -76,6 +81,12 @@ resource "docker_container" "unifi-controller" {
env = [
"PUID=1000",
"PGID=1000",
+ "TZ=Europe/Oslo",
"MEM_LIMIT=default",
+ "MONGO_USER=${local.mongo_username}",
+ "MONGO_PASS=${local.mongo_password}",
+ "MONGO_HOST=${docker_container.unifi-mongo.hostname}",
+ "MONGO_PORT=27017",
+ "MONGO_DBNAME=${local.mongo_database}",
]
}
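Review bot: `"MONGO_PASS=${local.mongo_password}"` in the `env` list places the decrypted password in the container configuration, where anyone with access to the Docker socket can read it through `docker inspect`, and it is also stored in the Terraform state. If this image honours the linuxserver `FILE__` convention for the variable, `"FILE__MONGO_PASS=/run/secrets/mongo_pass"` with the file mounted read-only would keep the value out of the environment; that is worth checking against the image documentation. Otherwise a comment here noting that state and Docker socket access must be restricted would document the trade-off. The `docker_container` block starts outside this hunk.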