authorTrygve Laugstøl <trygvis@inamo.no>2023-02-27 11:35:40 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2023-02-27 11:35:40 +0100
commitf05b5689f86243b227068cf9331d8146fbc33cf8 (patch)
tree8671383b7e364e2083cc7e16420cfb4d80d7d8ef
parentfd13d07d83fd124064d625206bcca97d6a386df3 (diff)
downloadinfra-f05b5689f86243b227068cf9331d8146fbc33cf8.tar.gz
infra-f05b5689f86243b227068cf9331d8146fbc33cf8.tar.bz2
infra-f05b5689f86243b227068cf9331d8146fbc33cf8.tar.xz
infra-f05b5689f86243b227068cf9331d8146fbc33cf8.zip
unifi-controller
-rwxr-xr-xbin/terragrunt36
-rw-r--r--terraform/backend.tf12
-rw-r--r--terraform/conflatorio-docker/traefik.tf42
-rw-r--r--terraform/terragrunt.hcl16
-rw-r--r--terraform/unifi-controller/.terraform.lock.hcl68
-rw-r--r--terraform/unifi-controller/backend.tf12
-rw-r--r--terraform/unifi-controller/main.tf36
-rw-r--r--terraform/unifi-controller/terragrunt.hcl3
-rw-r--r--terraform/unifi-controller/unifi.tf76
9 files changed, 287 insertions, 14 deletions
diff --git a/bin/terragrunt b/bin/terragrunt
new file mode 100755
index 0000000..04086d1
--- /dev/null
+++ b/bin/terragrunt
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -euo pipefail
+
+v=0.44.0
+
+basedir="${0%/*}"
+self="${0##*/}"
+
+s=$(uname -s)
+case "$s"
+in
+ Darwin) s=darwin ;;
+ Linux) s=linux ;;
+ *) echo "Unsupported system: $s" >/dev/stderr ;;
+esac
+
+m=$(uname -m)
+case "$m"
+in
+ x86_64) m=amd64 ;;
+ arm64) ;;
+ *) echo "Unsupported machine: $m" >/dev/stderr ;;
+esac
+
+url=https://github.com/gruntwork-io/terragrunt/releases/download/v${v}/terragrunt_${s}_${m}
+bin="$basedir/.tmp/$v/$self"
+
+if [[ ! -x "$bin" ]]
+then
+ mkdir -p $(dirname "$bin")
+ wget -O "$bin" "$url"
+ chmod +x $bin
+fi
+
+exec "$bin" "${@}"
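Review bot: The `*)` arms of both `case` statements only print the error and fall through, so an unrecognised `uname -s` or `uname -m` value is still interpolated into `url` and the script goes on to `wget` a non-existent release asset; `set -e` does not catch this because `echo` succeeds. Change both arms to exit, e.g. `*) echo "Unsupported system: $s" >&2; exit 1 ;;` and `*) echo "Unsupported machine: $m" >&2; exit 1 ;;`. Separately, the binary fetched from GitHub is made executable and `exec`'d with no integrity check, so the pinned `v=0.44.0` only pins a name, not content; recording the expected SHA-256 of the release asset next to `v` and checking it with `sha256sum -c` before `chmod +x` would close that gap. The unquoted `$bin` in `chmod +x $bin` and `$(dirname "$bin")` should be quoted like every other use of the variable.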
diff --git a/terraform/backend.tf b/terraform/backend.tf
new file mode 100644
index 0000000..d970fc9
--- /dev/null
+++ b/terraform/backend.tf
@@ -0,0 +1,12 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+ backend "s3" {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ endpoint = "eu-central-1.linodeobjects.com"
+ key = "./terraform.tfstate"
+ region = "eu-central-1"
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ }
+}
diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf
index 46d4671..a1cedec 100644
--- a/terraform/conflatorio-docker/traefik.tf
+++ b/terraform/conflatorio-docker/traefik.tf
@@ -1,20 +1,20 @@
resource "docker_network" "traefik" {
name = "traefik"
-# ipv6 = true
+ # ipv6 = true
ipam_config {
gateway = "172.20.0.1"
subnet = "172.20.0.0/16"
}
-# ipam_config {
-# subnet = "fd00:dead:beef::/48"
-# gateway = "fd00:dead:beef::1"
-# }
+ # ipam_config {
+ # subnet = "fd00:dead:beef::/48"
+ # gateway = "fd00:dead:beef::1"
+ # }
}
resource "docker_image" "traefik" {
- name = "traefik:2.9"
+ name = "traefik:2.9.8"
}
resource "docker_container" "traefik" {
@@ -47,7 +47,10 @@ resource "docker_container" "traefik" {
command = [
"--log.level=DEBUG",
- "--api.insecure=true",
+ "--api=true",
+ "--api.dashboard=true",
+ "--api.debug=true",
+ # "--api.insecure=true",
"--providers.docker=true",
"--providers.docker.exposedbydefault=false",
"--entrypoints.websecure.address=:443",
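Review bot: `--api.debug=true` enables Traefik's additional debugging and profiling endpoints on the API, and as far as I can tell those are served through the same `api@internal` service that the next hunk exposes on a router, so they are no longer confined to the old insecure port that this hunk correctly drops. Unless profiling is actively needed, remove that line or comment it out next to `# "--api.insecure=true",`. The enclosing `command` list continues outside this hunk.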
@@ -58,15 +61,26 @@ resource "docker_container" "traefik" {
"--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
"--certificatesresolvers.linode.acme.email=root@trygvis.io",
"--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json",
- ]
- # labels {
- # label = "traefik.enable"
- # value = "true"
- # }
+ # There doesn't seem to be a way to define a specific
+ # serversTransport through the CLI or lables, to here backend
+ # certificate checks are globally disabled.
+ "--serverstransport.insecureskipverify",
+ ]
- # - "{{ docker_service__root }}/traefik/letsencrypt:/letsencrypt"
- # - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ dynamic "labels" {
+ for_each = [
+ { label = "traefik.enable", value = "true" },
+ { label = "traefik.http.routers.traefik.service", value = "api@internal" },
+ { label = "traefik.http.routers.traefik.rule", value = "Host(`conflatorio.vpn.trygvis.io`)" },
+ { label = "traefik.http.routers.traefik.entrypoints", value = "websecure" },
+ { label = "traefik.http.routers.traefik.tls.certresolver", value = "linode" },
+ ]
+ content {
+ label = labels.value["label"]
+ value = labels.value["value"]
+ }
+ }
env = [
"LINODE_TOKEN=${data.sops_file_entry.linode_token.data}"
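Review bot: The new `traefik.http.routers.traefik.*` labels route `api@internal` on `Host(`conflatorio.vpn.trygvis.io`)` over `websecure` with no `middlewares` label, so the dashboard and API are served with TLS but without authentication to anyone who can reach that host; Traefik does not protect `api@internal` by itself. Add an auth middleware to the list, e.g. `{ label = "traefik.http.routers.traefik.middlewares", value = "dashboard-auth" }` and `{ label = "traefik.http.middlewares.dashboard-auth.basicauth.users", value = "<HTPASSWD_ENTRY_PLACEHOLDER>" }`, with the hash coming from sops the way `LINODE_TOKEN` already does. On `--serverstransport.insecureskipverify`: the comment is right that labels cannot define a `serversTransport`, but one can be declared through the file provider and then selected per service with `traefik.http.services.<name>.loadbalancer.serverstransport=<name>@file`, which keeps certificate verification on for every other backend; it would be worth recording that in the comment (which also reads `lables` and `to here` for `labels` and `so here`). The `docker_container` resource continues outside this hunk.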
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
new file mode 100644
index 0000000..74d2de9
--- /dev/null
+++ b/terraform/terragrunt.hcl
@@ -0,0 +1,16 @@
+remote_state {
+ backend = "s3"
+ generate = {
+ path = "backend.tf"
+ if_exists = "overwrite_terragrunt"
+ }
+ config = {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ key = "${path_relative_to_include()}/terraform.tfstate"
+ region = "eu-central-1"
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ endpoint = "eu-central-1.linodeobjects.com"
+ }
+}
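Review bot: The `remote_state` config uses the `s3` backend with no `dynamodb_table`, so Terraform's S3 backend has no state locking here; on Linode Object Storage there is presumably no DynamoDB to point it at, which means two concurrent `terragrunt apply` runs can race on the same `terraform.tfstate`. If locking is not available, say so where the next reader will see it, e.g. `# No state locking (no DynamoDB on Linode Object Storage) — do not run applies concurrently.` directly above `config = {`.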
diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl
new file mode 100644
index 0000000..b96b3f3
--- /dev/null
+++ b/terraform/unifi-controller/.terraform.lock.hcl
@@ -0,0 +1,68 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cyrilgdn/postgresql" {
+ version = "1.18.0"
+ constraints = "1.18.0"
+ hashes = [
+ "h1:Nf26liFILUZXPh1P2B8T3qtq2Tc7objtm0sBSt0lhh0=",
+ "zh:251b609167ce25e974607c0c7dd3f90cfc45980c9068364f896e26c31416d96c",
+ "zh:317980d14a6a171f118bb522ffd02046e508d98100073f97671aeb2adae30d79",
+ "zh:3622c6414e91f8ccceed94ddf12062a22c14de4fac73c6142b009ae791ca7cd4",
+ "zh:36be2b338c230b0ab0c7b4c55049dba9bd8d705973c2cceaf3e293d41f520db5",
+ "zh:4332e83b91f60c43679ff9660c8ef4ebe251e05926a4d20dc64db1bfbabc8670",
+ "zh:444835840c917aff17f49f9f7b4ae542d5bd9f2ec306b581d1931b00380213bd",
+ "zh:5174bd85ea94ed4a6cef6c02bc27498f47ac21841fcab7487ab19d8513c97e54",
+ "zh:61c6eb6b2bf18cdc0734c101854e25990ba24a16580c6bbc599a0b00f72be397",
+ "zh:b40bbc61a4e522b22ebd57f01a518370a97cd6945e4bdd2955e5f887c88ee3f6",
+ "zh:d7aeb158c884f6590d6033cd44d5e9438f648bcb5ca3bd54573847c287845b00",
+ "zh:da3bee1282f6b48572d15f7a693113931afb306b98e29c09c9a054bdc3d6df44",
+ "zh:ec864a068eeab48899d99405f5606379478df8e48c005844d63a5360c23d5e15",
+ "zh:fda709d1cabde236b79c98c9abb80f2c1591fdea751afadc546073056be6e6ba",
+ "zh:ff08607ab25d1c5b55c3794b67a4ee2c9ac5023962c196ce587df34f0e201ca6",
+ ]
+}
+
+provider "registry.terraform.io/kreuzwerker/docker" {
+ version = "3.0.1"
+ constraints = "3.0.1"
+ hashes = [
+ "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=",
+ "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118",
+ "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2",
+ "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8",
+ "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7",
+ "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6",
+ "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06",
+ "zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265",
+ "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6",
+ "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4",
+ "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19",
+ "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4",
+ "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262",
+ "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3",
+ "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2",
+ ]
+}
+
+provider "registry.terraform.io/linode/linode" {
+ version = "1.30.0"
+ constraints = "1.30.0"
+ hashes = [
+ "h1:rd4yQ7u3awn2kTqdKf5D67TTeo6rybYpDry/WwvolRA=",
+ "zh:197c61c5eb2252f65c18d2aa65cdc0511617b13e2388118f3fe063d7969dd7ad",
+ "zh:1a66470682acb13dc57308d5b1eaa19ff60c2404a3b15714e3072d02d569b1a5",
+ "zh:368cdcf17073a39687da830c02cf3ce50e0d8f03b7ec808b49561628be798abc",
+ "zh:42f2510a70afbb7fc8928df119d1e14ce1b61d2aded13b88072858ee5861feb2",
+ "zh:57734dd1e8255abd52a33ff79c20ef4efc3831850b22dd1a628e6301c3cf95c6",
+ "zh:61d614a7a4607bfc4ab6bfd0501007501957b973dbd028e0e513a3d4df07f12e",
+ "zh:79243f22fc0a9adfc1123abdd17c515f0ce4d8147302889033b6c44f6a48337e",
+ "zh:9f7cd46185bbe2c001dab1d0bd6c17a9740e7279d3fffe93755f2c964e267213",
+ "zh:9fdc9f8f47bde4140bc14cf082bbc2ceb63a3bebf0683df2fefd83c9e248274c",
+ "zh:aa1fd80a7ea245f8b852e40c68ccde2d8b6446e2138ebdec7425c67e82099881",
+ "zh:bb31f1ba5b0e001cf343d3a4cfafa70e6f3e30fd8a200d2cd7e077663efe0456",
+ "zh:da87881fa030287df2009028c49581e1fd0ff89baef0d8543b27ca506eff2971",
+ "zh:ed6afd7b1bc7237a9dff5c721ca3a5c7c505803cd5ea0b4ad0dfdf07ed6f9b0d",
+ "zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b",
+ ]
+}
diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf
new file mode 100644
index 0000000..af4b54d
--- /dev/null
+++ b/terraform/unifi-controller/backend.tf
@@ -0,0 +1,12 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+ backend "s3" {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ endpoint = "eu-central-1.linodeobjects.com"
+ key = "unifi-controller/terraform.tfstate"
+ region = "eu-central-1"
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ }
+}
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
new file mode 100644
index 0000000..98d559a
--- /dev/null
+++ b/terraform/unifi-controller/main.tf
@@ -0,0 +1,36 @@
+terraform {
+ required_version = "~> 1.3.5"
+
+ # backend "s3" {
+ # bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ # key = "unifi/terraform.tfstate"
+ # region = "eu-central-1"
+ # skip_region_validation = true
+ # skip_credentials_validation = true
+ # skip_metadata_api_check = true
+ # endpoint = "eu-central-1.linodeobjects.com"
+ # }
+
+ required_providers {
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "3.0.1"
+ }
+ linode = {
+ source = "linode/linode"
+ version = "1.30.0"
+ }
+ postgresql = {
+ source = "cyrilgdn/postgresql"
+ version = "1.18.0"
+ }
+ }
+}
+
+provider "docker" {
+ host = "ssh://conflatorio.vpn.trygvis.io"
+}
+
+locals {
+ domain_name = "unifi.vpn.trygvis.io"
+}
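Review bot: The commented-out `backend "s3"` block inside `terraform {}` duplicates, with a different key (`unifi/terraform.tfstate` versus the `unifi-controller/terraform.tfstate` that Terragrunt writes to `backend.tf` in this directory), the backend that is now generated; leaving it in place invites someone to uncomment it and point at a second state file, so it should be deleted. Also, `required_providers` declares `linode` and `postgresql`, but none of the unifi-controller files in this commit use either provider; if they are not needed, dropping them shrinks the lockfile and the set of provider binaries pulled on `init`.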
diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl
new file mode 100644
index 0000000..e147285
--- /dev/null
+++ b/terraform/unifi-controller/terragrunt.hcl
@@ -0,0 +1,3 @@
+include "root" {
+ path = find_in_parent_folders()
+}
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
new file mode 100644
index 0000000..55ccef3
--- /dev/null
+++ b/terraform/unifi-controller/unifi.tf
@@ -0,0 +1,76 @@
+data "docker_network" "traefik" {
+ name = "traefik"
+}
+
+data "docker_registry_image" "unifi-controller" {
+ name = "lscr.io/linuxserver/unifi-controller:latest"
+}
+
+resource "docker_image" "unifi-controller" {
+ name = data.docker_registry_image.unifi-controller.name
+ pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest]
+}
+
+resource "docker_volume" "unifi-controller" {
+ name = "unifi-controller"
+}
+
+resource "docker_container" "unifi-controller" {
+ image = docker_image.unifi-controller.image_id
+ name = "unifi-controller"
+ hostname = "unifi-controller"
+ # privileged = true
+ # must_run = false
+
+ networks_advanced {
+ name = data.docker_network.traefik.name
+ }
+
+ dynamic "ports" {
+ for_each = [
+ { port = 161, proto = "udp" },
+ { port = 3478, proto = "udp" },
+ { port = 6789, proto = "tcp" },
+ { port = 8081, proto = "tcp" },
+ { port = 8080, proto = "tcp" },
+ { port = 8880, proto = "tcp" },
+ { port = 8443, proto = "tcp" },
+ { port = 10001, proto = "udp" },
+
+# { port = 8843, proto = "tcp" }, web ui
+ ]
+ content {
+ internal = ports.value["port"]
+ external = ports.value["port"]
+ protocol = ports.value["proto"]
+ ip = "192.168.10.3"
+ }
+ }
+
+ volumes {
+ volume_name = docker_volume.unifi-controller.name
+ container_path = "/config"
+ }
+
+ dynamic "labels" {
+ for_each = [
+ { label = "traefik.enable", value = "true" },
+ { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" },
+ { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" },
+ { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" },
+ { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" },
+ { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" },
+# { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" },
+ ]
+ content {
+ label = labels.value["label"]
+ value = labels.value["value"]
+ }
+ }
+
+ env = [
+ "PUID=1000",
+ "PGID=1000",
+ "MEM_LIMIT=default",
+ ]
+}
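Review bot: `docker_registry_image` at the top of the file tracks `lscr.io/linuxserver/unifi-controller:latest`, and `pull_triggers` is wired to its `sha256_digest`, so any `apply` after an upstream push silently replaces the running controller with whatever `latest` resolves to at that moment, with no review of the new image. Pin a version tag (or a digest) in `name` and bump it deliberately; `pull_triggers` will still redeploy if the pinned tag is re-pushed. The `ports` block also publishes 8443 directly on `192.168.10.3` while the labels route the same port through Traefik, which leaves a second TLS endpoint to keep track of; that may be intentional for devices on the LAN, but a one-line comment saying so would help. The comment lines inside the two `for_each` lists sit at column 0 while the entries they annotate are indented, which hurts readability.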