-rw-r--r-- | ansible/group_vars/all/ipam.yml | 4 | ||||
-rw-r--r-- | ansible/host_vars/unifi/systemd-networkd.yml | 2 | ||||
-rw-r--r-- | ansible/plays/host-unifi.yml | 18 | ||||
-rw-r--r-- | ansible/plays/templates/unifi/systemd-networkd/enp1s0.network | 8 | ||||
-rw-r--r-- | ansible/roles/superusers/tasks/main.yml | 2 | ||||
-rw-r--r-- | ansible/roles/unifi/handlers/main.yml | 3 | ||||
-rw-r--r-- | ansible/roles/unifi/tasks/main.yml | 23 | ||||
-rw-r--r-- | ansible/unifi.yml | 6 | ||||
-rw-r--r-- | terraform/unifi-controller/.terraform.lock.hcl | 34 | ||||
-rw-r--r-- | terraform/unifi-controller/backend.tf | 6 | ||||
-rw-r--r-- | terraform/unifi-controller/main.tf | 15 | ||||
-rw-r--r-- | terraform/unifi-controller/mongo.tf | 14 | ||||
-rw-r--r-- | terraform/unifi-controller/terragrunt.hcl | 10 | ||||
-rw-r--r-- | terraform/unifi-controller/unifi.tf | 82 |
14 files changed, 113 insertions, 114 deletions
diff --git a/ansible/group_vars/all/ipam.yml b/ansible/group_vars/all/ipam.yml index 0430803..54fc444 100644 --- a/ansible/group_vars/all/ipam.yml +++ b/ansible/group_vars/all/ipam.yml @@ -48,10 +48,6 @@ ipam6: conflatorio: "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" danneri: "fdb1:4242:3538:2008:9422:d355:95b7:f170" unifi: "fdb1:4242:3538:2008:5054:ff:fe4d:96c" - danneri_cluster: - range: "fdb1:4242:3538:2009::/64" - danneri_service: - range: "fdb1:4242:3538:2010::/64" k8s: range: "fdb1:4242:3538:3000::/52" diff --git a/ansible/host_vars/unifi/systemd-networkd.yml b/ansible/host_vars/unifi/systemd-networkd.yml new file mode 100644 index 0000000..4ee9ee6 --- /dev/null +++ b/ansible/host_vars/unifi/systemd-networkd.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - unifi/systemd-networkd/enp1s0.network diff --git a/ansible/plays/host-unifi.yml b/ansible/plays/host-unifi.yml new file mode 100644 index 0000000..41fb292 --- /dev/null +++ b/ansible/plays/host-unifi.yml @@ -0,0 +1,18 @@ +- hosts: + - unifi + tasks: + - become: yes + apt: + name: + - etckeeper + + - import_role: + name: timezone + + - import_role: + name: systemd-networkd + + - become: yes + apt: + name: + - docker.io diff --git a/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network new file mode 100644 index 0000000..251bf45 --- /dev/null +++ b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network @@ -0,0 +1,8 @@ +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv4 + +[IPv6AcceptRA] +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.unifi }} diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index c1f5a47..12672ec 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml 
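Review bot: Both `apt` tasks in the new `host-unifi.yml` play use the YAML 1.1 truthy spelling `become: yes`, which yamllint's `truthy` rule and Ansible's own style guidance reject in favour of `become: true`. Neither task carries a `name:`, so play output identifies them only as `apt`, and neither sets `state:` or `update_cache:`, so on a freshly provisioned host the install can fail against a stale package index before anything else runs. A shape that addresses all three for the second task: `- name: Install docker.io`, `become: true`, then `apt:` with `name: docker.io`, `state: present`, `update_cache: true`. The first task (etckeeper) should follow the same form.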
@@ -16,7 +16,7 @@ unix_groups: - sudo - systemd-journal - with_items: "{{ unix_groups }}" + with_items: "{{ unix_groups + (['docker'] if 'docker' in getent_group else []) }}" loop_control: loop_var: group include_tasks: adjust-group.yml diff --git a/ansible/roles/unifi/handlers/main.yml b/ansible/roles/unifi/handlers/main.yml deleted file mode 100644 index ce78323..0000000 --- a/ansible/roles/unifi/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: update apt cache - apt: - update_cache: yes diff --git a/ansible/roles/unifi/tasks/main.yml b/ansible/roles/unifi/tasks/main.yml deleted file mode 100644 index 11c4c00..0000000 --- a/ansible/roles/unifi/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Ubiquiti APT key - notify: update apt cache - apt_key: - id: 06E85760C0A52C50 - keyserver: keyserver.ubuntu.com - -- name: Ubiquiti APT repository - notify: update apt cache - copy: - dest: /etc/apt/sources.list.d/unifi.list - content: 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' - -- meta: flush_handlers - -- name: packages - apt: - name: "{{ items }}" - install_recommends: no - vars: - items: - - openjdk-8-jre - - unifi diff --git a/ansible/unifi.yml b/ansible/unifi.yml deleted file mode 100644 index d417a2a..0000000 --- a/ansible/unifi.yml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: - - unifi - roles: - - role: unifi - tags: unifi - become: yes diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl index 9fa446f..e61b376 100644 --- a/terraform/unifi-controller/.terraform.lock.hcl +++ b/terraform/unifi-controller/.terraform.lock.hcl 
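Review bot: The new `with_items` expression depends on `getent_group`, which is only populated if a `getent` task with `database: group` has run earlier; none is visible in this hunk (the task itself begins above it), and if it is absent Ansible aborts with an undefined-variable error rather than simply skipping the docker group. Membership in `docker` is root-equivalent on the host, since members can drive the daemon through `/var/run/docker.sock`, so adding it implicitly to everyone in `unix_groups` deserves a line of explanation next to the loop: `# docker group is root-equivalent via the daemon socket; added only where the group exists`. To degrade gracefully when the fact is missing, use `with_items: "{{ unix_groups + (['docker'] if 'docker' in (getent_group | default({})) else []) }}"`.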
@@ -24,24 +24,24 @@ provider "registry.terraform.io/cyrilgdn/postgresql" { } provider "registry.terraform.io/kreuzwerker/docker" { - version = "3.0.1" - constraints = "3.0.1" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=", - "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118", - "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2", - "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8", - "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7", - "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6", - "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06", - "zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265", - "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6", - "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4", - "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19", - "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4", - "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262", - "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3", - "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2", + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + 
"zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", ] } diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf index 5f2d6d0..bebc5a5 100644 --- a/terraform/unifi-controller/backend.tf +++ b/terraform/unifi-controller/backend.tf @@ -1,12 +1,16 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { + required_version = "~> 1.9.5" + backend "s3" { bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" key = "unifi-controller/terraform.tfstate" skip_region_validation = true skip_credentials_validation = true skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true region = "eu-central-1" - endpoint = "eu-central-1.linodeobjects.com" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } } } diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf index 55c133c..f93bc78 100644 --- a/terraform/unifi-controller/main.tf +++ b/terraform/unifi-controller/main.tf @@ -1,10 +1,8 @@ terraform { - required_version = "~> 1.3.5" - required_providers { docker = { source = "kreuzwerker/docker" - version = "3.0.1" + version = "3.0.2" } linode = { source = "linode/linode" 
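Review bot: `required_version = "~> 1.9.5"` is added to `backend.tf`, whose first line says it is generated by Terragrunt (`# Generated by Terragrunt. Sig: ...`), while the `main.tf` hunk removes the old `required_version = "~> 1.3.5"`; the next time Terragrunt regenerates this file the constraint is presumably dropped and the stack is left with none. Keep the constraint in `main.tf` (or in the `generate` block of the parent Terragrunt configuration, which is not part of this diff). Minor: the new `endpoints = { s3 : "https://eu-central-1.linodeobjects.com" }` uses the colon form for an object attribute; the conventional HCL spelling is `endpoints = { s3 = "https://eu-central-1.linodeobjects.com" }`.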
@@ -22,15 +20,16 @@ terraform { } provider "docker" { - host = "ssh://conflatorio.vpn.trygvis.io" + host = "ssh://unifi.dn42.trygvis.io" } locals { domain_name = "unifi.vpn.trygvis.io" - public_ip = "fdb1:4242:3538:2001::ffff" + public_ip = module.ipam.hosts.unifi.address - docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless" +# docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless" + docker_image_controller = "lscr.io/linuxserver/unifi-network-application:8.5.6-ls68" docker_image_mongo = "mongo:7.0" mongo_database = "unifi" @@ -42,3 +41,7 @@ data "sops_file_entry" "mongo_password" { source_file = "sops.yml" data_key = "mongo_password" } + +module "ipam" { + source = "../ipam6" +} diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf index 2b83691..f7c1950 100644 --- a/terraform/unifi-controller/mongo.tf +++ b/terraform/unifi-controller/mongo.tf @@ -1,6 +1,6 @@ -resource "docker_network" "unifi" { - name = "unifi" -} +# resource "docker_network" "unifi" { +# name = "unifi" +# } data "docker_registry_image" "mongo" { name = local.docker_image_mongo @@ -20,11 +20,11 @@ resource "docker_container" "unifi-mongo" { name = "unifi-mongo" hostname = "unifi-mongo" - networks_advanced { - name = docker_network.unifi.name - } +# networks_advanced { +# name = docker_network.unifi.name +# } - network_mode = "bridge" + network_mode = "host" volumes { volume_name = docker_volume.unifi-mongo.name diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl index 5236c23..f378bf5 100644 --- a/terraform/unifi-controller/terragrunt.hcl +++ b/terraform/unifi-controller/terragrunt.hcl @@ -2,10 +2,6 @@ include "root" { path = find_in_parent_folders() } -dependency "docker" { - config_path = "../conflatorio-docker" -} - -# inputs = { -# vpc_id = dependency.docker.outputs.foo -# } +#dependency "ipam6" { +# config_path = "../ipam6" +#} 
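Review bot: The superseded image line is kept as a comment with `#` at column 0 inside the `locals` block, breaking the block's indentation, and git history already preserves the `unifi-controller:8.0.24-mongoless` value; either delete it or turn it into an indented note that explains the migration, e.g. `  # Replaced the "mongoless" unifi-controller image; unifi-network-application expects an external MongoDB (see mongo.tf and the MONGO_* env in unifi.tf).`. The same pattern — whole blocks commented out rather than removed — recurs in the `mongo.tf`, `terragrunt.hcl` and `unifi.tf` hunks and should be handled the same way. `public_ip` now comes from `module.ipam.hosts.unifi.address`; the module source `../ipam6` is outside this diff, so that output path cannot be checked here.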
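Review bot: Changing `unifi-mongo` to `network_mode = "host"` puts MongoDB's listener on every host interface, including whatever public or dn42 address the host carries, in place of the private `unifi` bridge network the removed `networks_advanced` block provided; nothing in this diff narrows it back to loopback. As far as I recall the official `mongo` image's entrypoint appends `--bind_ip_all` when no bind option is supplied, so pass one explicitly — `command = ["--bind_ip", "127.0.0.1"]` — or keep the dedicated network and point `MONGO_HOST` at the container name; in either case confirm the host firewall covers 27017 (verify the entrypoint behaviour for `mongo:7.0`). The container's `hostname` is no longer reachable by name from the application container under host networking, which is presumably why the `unifi.tf` hunk switches to `MONGO_HOST=localhost`; that coupling is worth a comment on this resource.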
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf index 4b0f1c6..4f1317f 100644 --- a/terraform/unifi-controller/unifi.tf +++ b/terraform/unifi-controller/unifi.tf @@ -1,34 +1,36 @@ -data "docker_network" "traefik" { - name = "traefik" -} +# data "docker_network" "traefik" { +# name = "traefik" +# } -data "docker_registry_image" "unifi-controller" { +data "docker_registry_image" "unifi-network-application" { name = local.docker_image_controller } -resource "docker_image" "unifi-controller" { - name = data.docker_registry_image.unifi-controller.name - pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest] +resource "docker_image" "unifi-network-application" { + name = data.docker_registry_image.unifi-network-application.name + pull_triggers = [data.docker_registry_image.unifi-network-application.sha256_digest] } -resource "docker_volume" "unifi-controller" { - name = "unifi-controller-new" +resource "docker_volume" "unifi-network-application" { + name = "unifi-network-application" } -resource "docker_container" "unifi-controller" { - image = docker_image.unifi-controller.image_id - name = "unifi-controller" - hostname = "unifi-controller" +resource "docker_container" "unifi-network-application" { + image = docker_image.unifi-network-application.image_id + name = "unifi-network-application" + hostname = "unifi-network-application" # privileged = true - # must_run = false + must_run = true - networks_advanced { - name = data.docker_network.traefik.name - } + network_mode = "host" - networks_advanced { - name = docker_network.unifi.name - } +# networks_advanced { +# name = data.docker_network.traefik.name +# } + +# networks_advanced { +# name = docker_network.unifi.name +# } dynamic "ports" { for_each = [ 
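Review bot: With `network_mode = "host"` on `unifi-network-application`, Docker ignores published ports, so the `dynamic "ports"` block that follows (it starts here and continues past the hunk) no longer limits what is reachable: every port the application listens on, including those Traefik previously kept off the host's interfaces, is bound directly on all of them. If the allow-list was intentional, keep the bridge network (the now commented-out `networks_advanced` blocks) and publish ports selectively; if host mode is needed for L2 device discovery, record that and the consequence: `# host networking: the ports block below is informational only, exposure is governed by the host firewall`. `must_run = true` replacing the commented `# must_run = false` is fine, but the stale `# privileged = true` line beside it could be removed in the same pass.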
@@ -40,7 +42,8 @@ resource "docker_container" "unifi-controller" { { port = 8080, proto = "tcp" }, # Required for device communication # Public HTTP is handled by traefik - # { port = 8443, proto = "tcp" }, # Unifi web admin port + # Not anymore! + { port = 8443, proto = "tcp" }, # Unifi web admin port # Not used # { port = 8843, proto = "tcp" }, # Unifi guest portal HTTPS redirect port 
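Review bot: Re-enabling `{ port = 8443, proto = "tcp" }` under the retained `# Public HTTP is handled by traefik` followed by `# Not anymore!` leaves the rationale contradicting itself; replace both lines with one that states the current design, e.g. `# Web admin served directly on 8443 (Traefik front-end removed); with network_mode = "host" this entry is informational only`. The `dynamic "ports"` block enclosing this hunk begins and ends outside it. Since Traefik no longer terminates TLS, the admin UI is now presented with the application's own certificate, and the `domain_name` local that the Traefik labels consumed needs a new consumer or removal.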
@@ -57,27 +60,27 @@ resource "docker_container" "unifi-controller" { } volumes { - volume_name = docker_volume.unifi-controller.name + volume_name = docker_volume.unifi-network-application.name read_only = false container_path = "/config" } - dynamic "labels" { - for_each = [ - { label = "traefik.enable", value = "true" }, - { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" }, - { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" }, - { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" }, - { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" }, - { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" }, - { label = "traefik.docker.network", value = "traefik" }, - # { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" }, - ] - content { - label = labels.value["label"] - value = labels.value["value"] - } - } +# dynamic "labels" { +# for_each = [ +# { label = "traefik.enable", value = "true" }, +# { label = "traefik.http.routers.unifi-network-application.rule", value = "Host(`${local.domain_name}`)" }, +# { label = "traefik.http.routers.unifi-network-application.entrypoints", value = "websecure" }, +# { label = "traefik.http.routers.unifi-network-application.tls.certresolver", value = "linode" }, +# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.port", value = "8443" }, +# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.scheme", value = "https" }, +# { label = "traefik.docker.network", value = "traefik" }, +# # { label = "traefik.http.services.unifi-network-application.loadbalancer.passHostHeader", value = "false" }, +# ] +# content { +# label = labels.value["label"] +# value = labels.value["value"] +# } +# } env = [ "PUID=1000", 
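Review bot: The Traefik `labels` block survives as roughly twenty commented-out lines, and with it the only use of `local.domain_name` visible in this file; if nothing else in the stack reads it (not verifiable from this diff), the local in `main.tf` is dead and Terraform will not flag it. Delete the commented block — history has it — and either drop `domain_name` or wire it into whatever now fronts port 8443. The `volumes` block above it is unchanged apart from the rename and needs no action.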
@@ -86,7 +89,8 @@ resource "docker_container" "unifi-controller" { "MEM_LIMIT=default", "MONGO_USER=${local.mongo_username}", "MONGO_PASS=${local.mongo_password}", - "MONGO_HOST=${docker_container.unifi-mongo.hostname}", + #"MONGO_HOST=${docker_container.unifi-mongo.hostname}", + "MONGO_HOST=localhost", "MONGO_PORT=27017", "MONGO_DBNAME=${local.mongo_database}", ] |
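Review bot: `MONGO_HOST=localhost` only works because `unifi-mongo` is also moved to host networking in `mongo.tf`, and that dependency is not recorded; the commented `#"MONGO_HOST=${docker_container.unifi-mongo.hostname}",` left in the list reads as a leftover rather than an explanation. Replace it with `# both containers run with network_mode = "host", so mongo is reached over the host loopback` (and, if mongo is bound to 127.0.0.1 only, say so here as well). Passing `MONGO_PASS=${local.mongo_password}` via `env` makes the secret readable with `docker inspect` on the host; that is pre-existing, but a TODO to move it to a file-based secret is warranted if the image supports one. The `env` list begins above this hunk.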