Diffstat (limited to 'terraform/unifi-controller')
-rw-r--r-- | terraform/unifi-controller/.terraform.lock.hcl | 19 | ||||
-rw-r--r-- | terraform/unifi-controller/README.md | 9 | ||||
-rw-r--r-- | terraform/unifi-controller/main.tf | 20 | ||||
-rw-r--r-- | terraform/unifi-controller/mongo.tf | 48 | ||||
-rw-r--r-- | terraform/unifi-controller/sops.yml | 39 | ||||
-rw-r--r-- | terraform/unifi-controller/unifi.tf | 39 |
6 files changed, 157 insertions, 17 deletions
diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl
index b96b3f3..9fa446f 100644
--- a/terraform/unifi-controller/.terraform.lock.hcl
+++ b/terraform/unifi-controller/.terraform.lock.hcl
@@ -66,3 +66,22 @@ provider "registry.terraform.io/linode/linode" {
 "zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b",
 ]
 }
+
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/terraform/unifi-controller/README.md b/terraform/unifi-controller/README.md
new file mode 100644
index 0000000..66f0fb0
--- /dev/null
+++ b/terraform/unifi-controller/README.md
@@ -0,0 +1,9 @@
+# Mongo init
+
+After the mongo database has been started the first time, execute the output of:
+
+ terraform output -json|jq -r .mongo_init_js.value
+
+in a mongo shell:
+
+ docker exec -it unifi-mongo mongo
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
index 3bf81ae..f5f7b0a 100644
--- a/terraform/unifi-controller/main.tf
+++ b/terraform/unifi-controller/main.tf
@@ -14,6 +14,10 @@ terraform {
 source = "cyrilgdn/postgresql"
 version = "1.18.0"
 }
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
 }
 }
@@ -23,10 +27,16 @@ provider "docker" {
 locals {
 domain_name = "unifi.vpn.trygvis.io"
+
+ docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless"
+ docker_image_mongo = "mongo:7.0"
+
+ mongo_database = "unifi"
+ mongo_username = "unifi"
+ mongo_password = data.sops_file_entry.mongo_password.data
 }
-# variable "foo" {}
-#
-# output "bar" {
-# value = var.foo.value
-# }
+data "sops_file_entry" "mongo_password" {
+ source_file = "sops.yml"
+ data_key = "mongo_password"
+}
diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf
new file mode 100644
index 0000000..98b4e36
--- /dev/null
+++ b/terraform/unifi-controller/mongo.tf
@@ -0,0 +1,48 @@
+resource "docker_network" "unifi" {
+ name = "unifi"
+}
+
+data "docker_registry_image" "mongo" {
+ name = local.docker_image_mongo
+}
+
+resource "docker_image" "mongo" {
+ name = data.docker_registry_image.mongo.name
+ pull_triggers = [data.docker_registry_image.mongo.sha256_digest]
+}
+
+resource "docker_volume" "unifi-mongo" {
+ name = "unifi-mongo"
+}
+
+resource "docker_container" "unifi-mongo" {
+ image = docker_image.mongo.image_id
+ name = "unifi-mongo"
+ hostname = "unifi-mongo"
+
+ networks_advanced {
+ name = docker_network.unifi.name
+ }
+
+ volumes {
+ volume_name = docker_volume.unifi-mongo.name
+ container_path = "/data/db"
+ }
+}
+
+output "mongo_init_js" {
+ sensitive = true
+ value = <<-EOF
+ db.getSiblingDB("${local.mongo_database}").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}"}]});
+
+ db.getSiblingDB("${local.mongo_database}_stat").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}_stat"}]});
+ EOF
+}
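Review bot: `mongo_password = data.sops_file_entry.mongo_password.data` copies the decrypted secret into an ordinary local, so unless the lokkersp/sops provider declares that attribute sensitive, the value will appear in plan output everywhere it is interpolated (the container `env` in unifi.tf in particular; the `mongo_init_js` output is already marked). Wrapping it as `mongo_password = sensitive(data.sops_file_entry.mongo_password.data)` keeps the redaction independent of the provider's schema. Either way the decrypted value is persisted in the Terraform state, because data source results and every resource attribute derived from them are recorded there, so the state backend needs the same protection as `sops.yml` itself.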
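Review bot: The two `createUser` calls in `mongo_init_js` take the account name from `local.mongo_database` (`user: "${local.mongo_database}",`) while the controller logs in with `MONGO_USER=${local.mongo_username}` from unifi.tf; both locals are `"unifi"` today, but changing `mongo_username` alone would silently break the login, so use `user: "${local.mongo_username}",` in both places. Separately, `docker_container.unifi-mongo` sets neither `command` nor `env`, so as far as this file shows mongod starts without authentication enforced and the created users are never actually required: any container attached to the `unifi` network can read and write the database without credentials. If that is not intended, start it with `command = ["mongod", "--auth"]`, or set the image's `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` env (which also turns auth on) — confirm against the `mongo:7.0` image documentation. The password is also interpolated into a JavaScript string literal unescaped, so a generated password containing `"` or `\` would break the script; `pwd: ${jsonencode(local.mongo_password)},` produces a correctly quoted literal.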
diff --git a/terraform/unifi-controller/sops.yml b/terraform/unifi-controller/sops.yml
new file mode 100644
index 0000000..ce815b2
--- /dev/null
+++ b/terraform/unifi-controller/sops.yml
@@ -0,0 +1,39 @@ +mongo_password: ENC[AES256_GCM,data:BdrzXzqlYf0LO0ru361m/ZIqErFT/yRl+2pdsmFZNYyrgrZN+3q9aZoMCSva1E6w4xGbMmjG6WSgQlf+yRIlb6k9q0yFSPE9gbfhESILrSuO2McVjSO0KCK7+nI3b9nlb2Lp2A==,iv:yNNWskWG2lAZZOp8HgWomAgFg1BdXQ1zH/SmMnQVSkQ=,tag:OxpdBIr47OUpEqj+hmyKMw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUlUNnlVVDZBMGFyT2cy + djZMbjVUa2UxRlRzNzVMNmNWQkFRSWlselc4CjV5dU5QUGtrTWpqL2k2L29wSjRI + ak9ZL2hDb3F0UHFkZDVmV2lxVjVRVG8KLS0tIGIyNDF3cTRRTTZ4R1oyVHU5YUVJ + Y09WN2EvVDZwTExybms2UmJEN0h1OUkKJLGAUByueidNKz9LrRLUzkAhT3+mczz6 + 10JVToEgm5+N95zEXBiZtaNftvGYU6eVqHtwFyVm3lbO7VBYpvhRNQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMnVTcno3emdKRWUvL25j + MjEzN0pMUktPcjU3QW5CeEtYL2dFS1ZMdW13CjJVT0FOWTBUOWVCa0tEZE4yM1lx + d2F0TjAvaDBvcmdkR0pHV0c5KzRqdzgKLS0tIDR6TThRdWtMSzdkL2FHKytCNU8r + WHc3OWM0b0lSMGRUM2NnNmdocnNiRVkKko4z88f5PzmVzxfB8Zi/zZhccvxqYqym + nvd7uja8Ght+DpT/stYIrYyu0lyBOTVirwTIaEHr5bKUY1d+TwwP/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a29XdEZkdkZuU0M3MGpU + YkJRbjdWOWpmdjQyUHY5VDBqUTRYUk9LR21BCkxjOUU4Mmg4NXZwVnRJYWp4NnZr + a0xUS3pQTjJNam5qQXhhZUkxaW5nVWsKLS0tIFJ3eFJxbytPQkZJKzF2MGorVmlr + LzVLTE1qZkp0YUhFT3h2dktuMnJGZE0KnirLt0k2g2XqqIKIu6nNNIoZMF25Ir7E + EFjv/k/kKVLPesrdtfwKRCLQqtQjV0j1qtqPOKoUDcrE3zxs4r4gaA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-20T07:04:41Z" + mac: 
ENC[AES256_GCM,data:hjDc7d8/8dwEb23Xb16WBsoEOE7hepyLYz2n2DW6aKT14RLOAxB85kP8Ibwb0tC4DqwNkCqOWJ6WxhHrZA2IKE4co6bsD8uc6atM2EgRm6Xctgr2lqvYMr7WtPFKIQF+/K7358i7vf/tyvtdvNINVuBXVra5LcxVTSVyUIb1m+w=,iv:VKDovzX5RO9RIjm85JlfsNE5sd+TVYRh8FbFJHIZpgw=,tag:tbdoa4Cow5jYEVvP9LXEiQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
index fc10542..8e6c7d7 100644
--- a/terraform/unifi-controller/unifi.tf
+++ b/terraform/unifi-controller/unifi.tf
@@ -3,7 +3,7 @@ data "docker_network" "traefik" {
 }
 data "docker_registry_image" "unifi-controller" {
- name = "lscr.io/linuxserver/unifi-controller:latest"
+ name = local.docker_image_controller
 }
 resource "docker_image" "unifi-controller" {
@@ -12,7 +12,7 @@ resource "docker_image" "unifi-controller" {
 }
 resource "docker_volume" "unifi-controller" {
- name = "unifi-controller"
+ name = "unifi-controller-new"
 }
 resource "docker_container" "unifi-controller" {
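Review bot: Changing `docker_volume.unifi-controller` from `"unifi-controller"` to `"unifi-controller-new"` replaces the volume (Docker volumes cannot be renamed), and with the default destroy-then-create order the old `unifi-controller` volume and the controller data on it are deleted in the same apply. If the old volume is meant to survive the move to the mongoless image, remove it from state first (`terraform state rm docker_volume.unifi-controller`) or add `lifecycle { prevent_destroy = true }` before applying the rename. A one-line comment on the new name explaining why a fresh volume is needed would also save the next reader a guess. The `docker_container.unifi-controller` block opened on the hunk's last line continues outside it.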
@@ -26,19 +26,27 @@ resource "docker_container" "unifi-controller" {
 name = data.docker_network.traefik.name
 }
+ networks_advanced {
+ name = docker_network.unifi.name
+ }
+
 dynamic "ports" {
 for_each = [
- { port = 161, proto = "udp" },
- { port = 3478, proto = "udp" },
- { port = 6789, proto = "tcp" },
- { port = 8081, proto = "tcp" },
-# { port = 8080, proto = "tcp" }, # not used, we have configured it to 9080
- { port = 9080, proto = "tcp" },
- { port = 8880, proto = "tcp" },
-# { port = 8443, proto = "tcp" },
- { port = 10001, proto = "udp" },
+ # Taken from https://fleet.linuxserver.io/image?name=linuxserver/unifi-controller
+ { port = 1900, proto = "udp" }, # Required for Make controller discoverable on L2 network option
+ { port = 3478, proto = "udp" }, # Unifi STUN port
+ { port = 5514, proto = "tcp" }, # Remote syslog port
+ { port = 6789, proto = "tcp" }, # For mobile throughput test
+ { port = 8080, proto = "tcp" }, # Required for device communication
+
+ # Public HTTP is handled by traefik
+ # { port = 8443, proto = "tcp" }, # Unifi web admin port
+
+ # Not used
+ # { port = 8843, proto = "tcp" }, # Unifi guest portal HTTPS redirect port
+ # { port = 8880, proto = "tcp" }, # Unifi guest portal HTTP redirect port
- # { port = 8843, proto = "tcp" }, web ui
+ { port = 10001, proto = "udp" }, # Required for AP discovery
 ]
 content {
 internal = ports.value["port"]
@@ -61,6 +69,7 @@ resource "docker_container" "unifi-controller" {
 { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" },
 { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" },
 { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" },
+ { label = "traefik.docker.network", value = "traefik" },
 # { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" },
 ]
 content {
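Review bot: The rewritten `for_each` list newly publishes 1900/udp, 5514/tcp and 8080/tcp alongside 3478, 6789 and 10001, but the `content` block that turns each entry into a port mapping continues outside the hunk, so it is not visible whether an `ip` is set; without one Docker binds every entry on all host interfaces, which undercuts the care taken to keep 8443 behind traefik. Given the `vpn.trygvis.io` name, adding `ip = "<vpn-interface-address>"` in that `content` block (or per entry in this list) would limit the discovery (1900, 10001), STUN (3478) and remote syslog (5514) ports to the network the devices actually live on. A short note next to the list saying which interface these are meant for would make that intent explicit either way.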
@@ -72,6 +81,12 @@ resource "docker_container" "unifi-controller" {
 env = [
 "PUID=1000",
 "PGID=1000",
+ "TZ=Europe/Oslo",
 "MEM_LIMIT=default",
+ "MONGO_USER=${local.mongo_username}",
+ "MONGO_PASS=${local.mongo_password}",
+ "MONGO_HOST=${docker_container.unifi-mongo.hostname}",
+ "MONGO_PORT=27017",
+ "MONGO_DBNAME=${local.mongo_database}",
 ]
 } |
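Review bot: `MONGO_PASS=${local.mongo_password}` places the decrypted password in the container environment, where anyone able to run `docker inspect` on the host can read it, and the whole `env` list is recorded verbatim in the Terraform state and shown in plan output unless the local is wrapped with `sensitive()`. linuxserver.io images document a `FILE__<VAR>` convention that reads a variable's value from a file, so mounting the secret into the container and setting `FILE__MONGO_PASS=<path to mounted secret>` instead would keep the value out of `docker inspect`; check that the unifi-controller image honours it before relying on it. If the env route is kept, a comment on the line noting that the state and host Docker socket now hold the credential would at least make the exposure explicit.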