aboutsummaryrefslogtreecommitdiff
path: root/terraform/unifi-controller
diff options
context:
space:
mode:
Diffstat (limited to 'terraform/unifi-controller')
-rw-r--r--terraform/unifi-controller/.terraform.lock.hcl53
-rw-r--r--terraform/unifi-controller/README.md9
-rw-r--r--terraform/unifi-controller/backend.tf6
-rw-r--r--terraform/unifi-controller/main.tf33
-rw-r--r--terraform/unifi-controller/mongo.tf51
-rw-r--r--terraform/unifi-controller/sops.yml39
-rw-r--r--terraform/unifi-controller/terragrunt.hcl10
-rw-r--r--terraform/unifi-controller/unifi.tf110
8 files changed, 232 insertions, 79 deletions
diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl
index b96b3f3..e61b376 100644
--- a/terraform/unifi-controller/.terraform.lock.hcl
+++ b/terraform/unifi-controller/.terraform.lock.hcl
@@ -24,24 +24,24 @@ provider "registry.terraform.io/cyrilgdn/postgresql" {
}
provider "registry.terraform.io/kreuzwerker/docker" {
- version = "3.0.1"
- constraints = "3.0.1"
+ version = "3.0.2"
+ constraints = "3.0.2"
hashes = [
- "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=",
- "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118",
- "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2",
- "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8",
- "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7",
- "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6",
- "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06",
- "zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265",
- "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6",
- "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4",
- "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19",
- "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4",
- "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262",
- "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3",
- "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2",
+ "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=",
+ "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f",
+ "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95",
+ "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138",
+ "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da",
+ "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2",
+ "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06",
+ "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1",
+ "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710",
+ "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005",
+ "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d",
+ "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792",
+ "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387",
+ "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62",
+ "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d",
]
}
@@ -66,3 +66,22 @@ provider "registry.terraform.io/linode/linode" {
"zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b",
]
}
+
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/terraform/unifi-controller/README.md b/terraform/unifi-controller/README.md
new file mode 100644
index 0000000..66f0fb0
--- /dev/null
+++ b/terraform/unifi-controller/README.md
@@ -0,0 +1,9 @@
+# Mongo init
+
+After the mongo database has been started the first time, execute the output of:
+
+ terraform output -json|jq -r .mongo_init_js.value
+
+in a mongo shell:
+
+ docker exec -it unifi-mongo mongo
diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf
index 5f2d6d0..bebc5a5 100644
--- a/terraform/unifi-controller/backend.tf
+++ b/terraform/unifi-controller/backend.tf
@@ -1,12 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
+ required_version = "~> 1.9.5"
+
backend "s3" {
bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
key = "unifi-controller/terraform.tfstate"
skip_region_validation = true
skip_credentials_validation = true
skip_metadata_api_check = true
+ skip_requesting_account_id = true
+ skip_s3_checksum = true
region = "eu-central-1"
- endpoint = "eu-central-1.linodeobjects.com"
+ endpoints = { s3 : "https://eu-central-1.linodeobjects.com" }
}
}
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
index 3bf81ae..f93bc78 100644
--- a/terraform/unifi-controller/main.tf
+++ b/terraform/unifi-controller/main.tf
@@ -1,10 +1,8 @@
terraform {
- required_version = "~> 1.3.5"
-
required_providers {
docker = {
source = "kreuzwerker/docker"
- version = "3.0.1"
+ version = "3.0.2"
}
linode = {
source = "linode/linode"
@@ -14,19 +12,36 @@ terraform {
source = "cyrilgdn/postgresql"
version = "1.18.0"
}
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
}
}
provider "docker" {
- host = "ssh://conflatorio.vpn.trygvis.io"
+ host = "ssh://unifi.dn42.trygvis.io"
}
locals {
domain_name = "unifi.vpn.trygvis.io"
+
+ public_ip = module.ipam.hosts.unifi.address
+
+# docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless"
+ docker_image_controller = "lscr.io/linuxserver/unifi-network-application:8.5.6-ls68"
+ docker_image_mongo = "mongo:7.0"
+
+ mongo_database = "unifi"
+ mongo_username = "unifi"
+ mongo_password = data.sops_file_entry.mongo_password.data
+}
+
+data "sops_file_entry" "mongo_password" {
+ source_file = "sops.yml"
+ data_key = "mongo_password"
}
-# variable "foo" {}
-#
-# output "bar" {
-# value = var.foo.value
-# }
+module "ipam" {
+ source = "../ipam6"
+}
diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf
new file mode 100644
index 0000000..f7c1950
--- /dev/null
+++ b/terraform/unifi-controller/mongo.tf
@@ -0,0 +1,51 @@
+# resource "docker_network" "unifi" {
+# name = "unifi"
+# }
+
+data "docker_registry_image" "mongo" {
+ name = local.docker_image_mongo
+}
+
+resource "docker_image" "mongo" {
+ name = data.docker_registry_image.mongo.name
+ pull_triggers = [data.docker_registry_image.mongo.sha256_digest]
+}
+
+resource "docker_volume" "unifi-mongo" {
+ name = "unifi-mongo"
+}
+
+resource "docker_container" "unifi-mongo" {
+ image = docker_image.mongo.image_id
+ name = "unifi-mongo"
+ hostname = "unifi-mongo"
+
+# networks_advanced {
+# name = docker_network.unifi.name
+# }
+
+ network_mode = "host"
+
+ volumes {
+ volume_name = docker_volume.unifi-mongo.name
+ read_only = false
+ container_path = "/data/db"
+ }
+}
+
+output "mongo_init_js" {
+ sensitive = true
+ value = <<-EOF
+ db.getSiblingDB("${local.mongo_database}").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}"}]});
+
+ db.getSiblingDB("${local.mongo_database}_stat").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}_stat"}]});
+ EOF
+}
diff --git a/terraform/unifi-controller/sops.yml b/terraform/unifi-controller/sops.yml
new file mode 100644
index 0000000..ce815b2
--- /dev/null
+++ b/terraform/unifi-controller/sops.yml
@@ -0,0 +1,39 @@
+mongo_password: ENC[AES256_GCM,data:BdrzXzqlYf0LO0ru361m/ZIqErFT/yRl+2pdsmFZNYyrgrZN+3q9aZoMCSva1E6w4xGbMmjG6WSgQlf+yRIlb6k9q0yFSPE9gbfhESILrSuO2McVjSO0KCK7+nI3b9nlb2Lp2A==,iv:yNNWskWG2lAZZOp8HgWomAgFg1BdXQ1zH/SmMnQVSkQ=,tag:OxpdBIr47OUpEqj+hmyKMw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUlUNnlVVDZBMGFyT2cy
+ djZMbjVUa2UxRlRzNzVMNmNWQkFRSWlselc4CjV5dU5QUGtrTWpqL2k2L29wSjRI
+ ak9ZL2hDb3F0UHFkZDVmV2lxVjVRVG8KLS0tIGIyNDF3cTRRTTZ4R1oyVHU5YUVJ
+ Y09WN2EvVDZwTExybms2UmJEN0h1OUkKJLGAUByueidNKz9LrRLUzkAhT3+mczz6
+ 10JVToEgm5+N95zEXBiZtaNftvGYU6eVqHtwFyVm3lbO7VBYpvhRNQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMnVTcno3emdKRWUvL25j
+ MjEzN0pMUktPcjU3QW5CeEtYL2dFS1ZMdW13CjJVT0FOWTBUOWVCa0tEZE4yM1lx
+ d2F0TjAvaDBvcmdkR0pHV0c5KzRqdzgKLS0tIDR6TThRdWtMSzdkL2FHKytCNU8r
+ WHc3OWM0b0lSMGRUM2NnNmdocnNiRVkKko4z88f5PzmVzxfB8Zi/zZhccvxqYqym
+ nvd7uja8Ght+DpT/stYIrYyu0lyBOTVirwTIaEHr5bKUY1d+TwwP/g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a29XdEZkdkZuU0M3MGpU
+ YkJRbjdWOWpmdjQyUHY5VDBqUTRYUk9LR21BCkxjOUU4Mmg4NXZwVnRJYWp4NnZr
+ a0xUS3pQTjJNam5qQXhhZUkxaW5nVWsKLS0tIFJ3eFJxbytPQkZJKzF2MGorVmlr
+ LzVLTE1qZkp0YUhFT3h2dktuMnJGZE0KnirLt0k2g2XqqIKIu6nNNIoZMF25Ir7E
+ EFjv/k/kKVLPesrdtfwKRCLQqtQjV0j1qtqPOKoUDcrE3zxs4r4gaA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-20T07:04:41Z"
+ mac: ENC[AES256_GCM,data:hjDc7d8/8dwEb23Xb16WBsoEOE7hepyLYz2n2DW6aKT14RLOAxB85kP8Ibwb0tC4DqwNkCqOWJ6WxhHrZA2IKE4co6bsD8uc6atM2EgRm6Xctgr2lqvYMr7WtPFKIQF+/K7358i7vf/tyvtdvNINVuBXVra5LcxVTSVyUIb1m+w=,iv:VKDovzX5RO9RIjm85JlfsNE5sd+TVYRh8FbFJHIZpgw=,tag:tbdoa4Cow5jYEVvP9LXEiQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl
index 5236c23..f378bf5 100644
--- a/terraform/unifi-controller/terragrunt.hcl
+++ b/terraform/unifi-controller/terragrunt.hcl
@@ -2,10 +2,6 @@ include "root" {
path = find_in_parent_folders()
}
-dependency "docker" {
- config_path = "../conflatorio-docker"
-}
-
-# inputs = {
-# vpc_id = dependency.docker.outputs.foo
-# }
+#dependency "ipam6" {
+# config_path = "../ipam6"
+#}
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
index fc10542..4f1317f 100644
--- a/terraform/unifi-controller/unifi.tf
+++ b/terraform/unifi-controller/unifi.tf
@@ -1,77 +1,97 @@
-data "docker_network" "traefik" {
- name = "traefik"
-}
+# data "docker_network" "traefik" {
+# name = "traefik"
+# }
-data "docker_registry_image" "unifi-controller" {
- name = "lscr.io/linuxserver/unifi-controller:latest"
+data "docker_registry_image" "unifi-network-application" {
+ name = local.docker_image_controller
}
-resource "docker_image" "unifi-controller" {
- name = data.docker_registry_image.unifi-controller.name
- pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest]
+resource "docker_image" "unifi-network-application" {
+ name = data.docker_registry_image.unifi-network-application.name
+ pull_triggers = [data.docker_registry_image.unifi-network-application.sha256_digest]
}
-resource "docker_volume" "unifi-controller" {
- name = "unifi-controller"
+resource "docker_volume" "unifi-network-application" {
+ name = "unifi-network-application"
}
-resource "docker_container" "unifi-controller" {
- image = docker_image.unifi-controller.image_id
- name = "unifi-controller"
- hostname = "unifi-controller"
+resource "docker_container" "unifi-network-application" {
+ image = docker_image.unifi-network-application.image_id
+ name = "unifi-network-application"
+ hostname = "unifi-network-application"
# privileged = true
- # must_run = false
+ must_run = true
- networks_advanced {
- name = data.docker_network.traefik.name
- }
+ network_mode = "host"
+
+# networks_advanced {
+# name = data.docker_network.traefik.name
+# }
+
+# networks_advanced {
+# name = docker_network.unifi.name
+# }
dynamic "ports" {
for_each = [
- { port = 161, proto = "udp" },
- { port = 3478, proto = "udp" },
- { port = 6789, proto = "tcp" },
- { port = 8081, proto = "tcp" },
-# { port = 8080, proto = "tcp" }, # not used, we have configured it to 9080
- { port = 9080, proto = "tcp" },
- { port = 8880, proto = "tcp" },
-# { port = 8443, proto = "tcp" },
- { port = 10001, proto = "udp" },
+ # Taken from https://fleet.linuxserver.io/image?name=linuxserver/unifi-controller
+ { port = 1900, proto = "udp" }, # Required for Make controller discoverable on L2 network option
+ { port = 3478, proto = "udp" }, # Unifi STUN port
+ { port = 5514, proto = "tcp" }, # Remote syslog port
+ { port = 6789, proto = "tcp" }, # For mobile throughput test
+ { port = 8080, proto = "tcp" }, # Required for device communication
+
+ # Public HTTP is handled by traefik
+ # Not anymore!
+ { port = 8443, proto = "tcp" }, # Unifi web admin port
+
+ # Not used
+ # { port = 8843, proto = "tcp" }, # Unifi guest portal HTTPS redirect port
+ # { port = 8880, proto = "tcp" }, # Unifi guest portal HTTP redirect port
- # { port = 8843, proto = "tcp" }, web ui
+ { port = 10001, proto = "udp" }, # Required for AP discovery
]
content {
internal = ports.value["port"]
external = ports.value["port"]
protocol = ports.value["proto"]
- ip = "fdf3:aad9:a885:77dd::2"
+ ip = local.public_ip
}
}
volumes {
- volume_name = docker_volume.unifi-controller.name
+ volume_name = docker_volume.unifi-network-application.name
+ read_only = false
container_path = "/config"
}
- dynamic "labels" {
- for_each = [
- { label = "traefik.enable", value = "true" },
- { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" },
- { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" },
- { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" },
- { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" },
- { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" },
- # { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" },
- ]
- content {
- label = labels.value["label"]
- value = labels.value["value"]
- }
- }
+# dynamic "labels" {
+# for_each = [
+# { label = "traefik.enable", value = "true" },
+# { label = "traefik.http.routers.unifi-network-application.rule", value = "Host(`${local.domain_name}`)" },
+# { label = "traefik.http.routers.unifi-network-application.entrypoints", value = "websecure" },
+# { label = "traefik.http.routers.unifi-network-application.tls.certresolver", value = "linode" },
+# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.port", value = "8443" },
+# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.scheme", value = "https" },
+# { label = "traefik.docker.network", value = "traefik" },
+# # { label = "traefik.http.services.unifi-network-application.loadbalancer.passHostHeader", value = "false" },
+# ]
+# content {
+# label = labels.value["label"]
+# value = labels.value["value"]
+# }
+# }
env = [
"PUID=1000",
"PGID=1000",
+ "TZ=Europe/Oslo",
"MEM_LIMIT=default",
+ "MONGO_USER=${local.mongo_username}",
+ "MONGO_PASS=${local.mongo_password}",
+ #"MONGO_HOST=${docker_container.unifi-mongo.hostname}",
+ "MONGO_HOST=localhost",
+ "MONGO_PORT=27017",
+ "MONGO_DBNAME=${local.mongo_database}",
]
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-07-05 23:16:04 +0000