Diffstat (limited to 'terraform/unifi-controller')
-rw-r--r--terraform/unifi-controller/.terraform.lock.hcl52
-rw-r--r--terraform/unifi-controller/README.md9
-rw-r--r--terraform/unifi-controller/backend.tf6
-rw-r--r--terraform/unifi-controller/main.tf38
-rw-r--r--terraform/unifi-controller/mongo.tf51
-rw-r--r--terraform/unifi-controller/sops.yml39
-rw-r--r--terraform/unifi-controller/terragrunt.hcl10
-rw-r--r--terraform/unifi-controller/unifi.tf110
8 files changed, 236 insertions, 79 deletions
diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl
index b96b3f3..84ffd81 100644
--- a/terraform/unifi-controller/.terraform.lock.hcl
+++ b/terraform/unifi-controller/.terraform.lock.hcl
@@ -24,24 +24,23 @@ provider "registry.terraform.io/cyrilgdn/postgresql" {
}
provider "registry.terraform.io/kreuzwerker/docker" {
- version = "3.0.1"
- constraints = "3.0.1"
+ version = "3.6.2"
+ constraints = "3.6.2"
hashes = [
- "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=",
- "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118",
- "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2",
- "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8",
- "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7",
- "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6",
- "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06",
- "zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265",
- "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6",
- "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4",
- "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19",
- "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4",
- "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262",
- "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3",
- "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2",
+ "h1:1K3j0xUY2D0+E+DBDQc6k1u6Al9MkuNWrIC9rnvwFSM=",
+ "zh:22b51a8fb63481d290bdad9a221bc8c9e45d66d1a0cd45beed3f3627bf1debd8",
+ "zh:2b902eb80a1ae033af1135cc165d192668820a7f8ea15beb5472f811c18bea1f",
+ "zh:57815dcea28aedb86ed33924cd186aaee8bd31670bd78437a2a2daf2b00ce2ae",
+ "zh:583af9c6fe7e3bfc04f50aec046a9b4f98b7eddd6d1e143454e5d06a66afcf87",
+ "zh:80f8cba54f639a53c4d7714edb7246064b7f4f48ba93a70f18c914d656d799db",
+ "zh:894709f0c393c4ee91fdb849128e7f0bce688f293cd1643a6d4e39c842367278",
+ "zh:a91b41dbcb203d6dae2bb72b98c4c21c41255026b35df01895882784c4650071",
+ "zh:aec40a8157aae093412a1fb9a71ab2bea370db152e285c2d81e37ed378444b9c",
+ "zh:b87d7def2485dde6e57723c1265158f371440a8a84954c9fdb0580cf89de66bf",
+ "zh:b9dc243200ad9cd00250cb8c793ecea4ee3c57a121faf8efdb289f30008b5778",
+ "zh:dcb103831db6d3ef95468685cd104be3928793996542a1f675dc34a2ce67951d",
+ "zh:e59b4a0f2b5881016896d4417b1ab2fb87f34450663efeb01f3bcf7c3606fbbb",
+ "zh:fbd068c01114f0712578cf02f363b5521338ab1befedddf7090da532298b43d0",
]
}
@@ -66,3 +65,22 @@ provider "registry.terraform.io/linode/linode" {
"zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b",
]
}
+
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/terraform/unifi-controller/README.md b/terraform/unifi-controller/README.md
new file mode 100644
index 0000000..66f0fb0
--- /dev/null
+++ b/terraform/unifi-controller/README.md
@@ -0,0 +1,9 @@
+# Mongo init
+
+After the mongo database has been started the first time, execute the output of:
+
+ terraform output -json|jq -r .mongo_init_js.value
+
+in a mongo shell:
+
+ docker exec -it unifi-mongo mongo
diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf
index 5f2d6d0..bebc5a5 100644
--- a/terraform/unifi-controller/backend.tf
+++ b/terraform/unifi-controller/backend.tf
@@ -1,12 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
+ required_version = "~> 1.9.5"
+
backend "s3" {
bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
key = "unifi-controller/terraform.tfstate"
skip_region_validation = true
skip_credentials_validation = true
skip_metadata_api_check = true
+ skip_requesting_account_id = true
+ skip_s3_checksum = true
region = "eu-central-1"
- endpoint = "eu-central-1.linodeobjects.com"
+ endpoints = { s3 : "https://eu-central-1.linodeobjects.com" }
}
}
diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf
index 3bf81ae..cc3ab98 100644
--- a/terraform/unifi-controller/main.tf
+++ b/terraform/unifi-controller/main.tf
@@ -1,10 +1,8 @@
terraform {
- required_version = "~> 1.3.5"
-
required_providers {
docker = {
source = "kreuzwerker/docker"
- version = "3.0.1"
+ version = "3.6.2"
}
linode = {
source = "linode/linode"
@@ -14,19 +12,41 @@ terraform {
source = "cyrilgdn/postgresql"
version = "1.18.0"
}
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
}
}
provider "docker" {
- host = "ssh://conflatorio.vpn.trygvis.io"
+ host = "ssh://unifi.dn42.trygvis.io"
}
locals {
domain_name = "unifi.vpn.trygvis.io"
+
+ public_ip = module.ipam.hosts.unifi.address
+
+# docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless"
+# unifi_version = "8.6.9-ls73"
+# unifi_version = "8.5.6-ls68"
+# unifi_version = "9.0.108-ls74"
+# unifi_version = "9.5.21-ls109"
+ unifi_version = "10.0.162-ls114"
+ docker_image_controller = "lscr.io/linuxserver/unifi-network-application:${local.unifi_version}"
+ docker_image_mongo = "mongo:7.0"
+
+ mongo_database = "unifi"
+ mongo_username = "unifi"
+ mongo_password = data.sops_file_entry.mongo_password.data
+}
+
+data "sops_file_entry" "mongo_password" {
+ source_file = "sops.yml"
+ data_key = "mongo_password"
}
-# variable "foo" {}
-#
-# output "bar" {
-# value = var.foo.value
-# }
+module "ipam" {
+ source = "../ipam6"
+}
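Review bot: `mongo_password = data.sops_file_entry.mongo_password.data` (last entry of the locals block) carries the decrypted secret as an ordinary string, so every place it is interpolated — the container `env` in unifi.tf and the `mongo_init_js` output — is printed in full in `terraform plan` diffs; writing it as `mongo_password = sensitive(data.sops_file_entry.mongo_password.data)` makes Terraform redact those downstream values (the `~> 1.9.5` required_version in backend.tf supports it). This only changes display: the decrypted value is still persisted in plaintext in the object-storage state configured in backend.tf, so read access to that bucket should be treated as holding the database password. I would add a comment above the data block to make this visible, e.g. `# Decrypted at plan/apply time with the age recipients in sops.yml; the plaintext is persisted in remote state.`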
diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf
new file mode 100644
index 0000000..f7c1950
--- /dev/null
+++ b/terraform/unifi-controller/mongo.tf
@@ -0,0 +1,51 @@
+# resource "docker_network" "unifi" {
+# name = "unifi"
+# }
+
+data "docker_registry_image" "mongo" {
+ name = local.docker_image_mongo
+}
+
+resource "docker_image" "mongo" {
+ name = data.docker_registry_image.mongo.name
+ pull_triggers = [data.docker_registry_image.mongo.sha256_digest]
+}
+
+resource "docker_volume" "unifi-mongo" {
+ name = "unifi-mongo"
+}
+
+resource "docker_container" "unifi-mongo" {
+ image = docker_image.mongo.image_id
+ name = "unifi-mongo"
+ hostname = "unifi-mongo"
+
+# networks_advanced {
+# name = docker_network.unifi.name
+# }
+
+ network_mode = "host"
+
+ volumes {
+ volume_name = docker_volume.unifi-mongo.name
+ read_only = false
+ container_path = "/data/db"
+ }
+}
+
+output "mongo_init_js" {
+ sensitive = true
+ value = <<-EOF
+ db.getSiblingDB("${local.mongo_database}").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}"}]});
+
+ db.getSiblingDB("${local.mongo_database}_stat").
+ createUser({
+ user: "${local.mongo_database}",
+ pwd: "${local.mongo_password}",
+ roles: [{role: "dbOwner", db: "${local.mongo_database}_stat"}]});
+ EOF
+}
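Review bot: `docker_container "unifi-mongo"` runs with `network_mode = "host"` but sets no `command` and no `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` env; as far as I know the official `mongo` image then starts mongod with `--bind_ip_all` and without `--auth`, so the database is reachable without credentials on every interface of the host and the users created by `mongo_init_js` do not gate anything. Since the controller connects through `MONGO_HOST=localhost` (unifi.tf), the container can be given `command = ["--bind_ip", "127.0.0.1"]`, and supplying the root-credential env vars (from a second sops entry) makes the image start mongod with authentication enforced, after which the createUser calls in the output need a root login to run. Separately, `user: "${local.mongo_database}"` in both createUser calls should be `user: "${local.mongo_username}"`, which is what `MONGO_USER` in unifi.tf uses — they coincide today only because both locals are "unifi". The `mongo` shell named in README.md may not be present in the `mongo:7.0` image (newer images ship `mongosh`); worth checking before relying on the documented init step.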
diff --git a/terraform/unifi-controller/sops.yml b/terraform/unifi-controller/sops.yml
new file mode 100644
index 0000000..ce815b2
--- /dev/null
+++ b/terraform/unifi-controller/sops.yml
@@ -0,0 +1,39 @@
+mongo_password: ENC[AES256_GCM,data:BdrzXzqlYf0LO0ru361m/ZIqErFT/yRl+2pdsmFZNYyrgrZN+3q9aZoMCSva1E6w4xGbMmjG6WSgQlf+yRIlb6k9q0yFSPE9gbfhESILrSuO2McVjSO0KCK7+nI3b9nlb2Lp2A==,iv:yNNWskWG2lAZZOp8HgWomAgFg1BdXQ1zH/SmMnQVSkQ=,tag:OxpdBIr47OUpEqj+hmyKMw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUlUNnlVVDZBMGFyT2cy
+ djZMbjVUa2UxRlRzNzVMNmNWQkFRSWlselc4CjV5dU5QUGtrTWpqL2k2L29wSjRI
+ ak9ZL2hDb3F0UHFkZDVmV2lxVjVRVG8KLS0tIGIyNDF3cTRRTTZ4R1oyVHU5YUVJ
+ Y09WN2EvVDZwTExybms2UmJEN0h1OUkKJLGAUByueidNKz9LrRLUzkAhT3+mczz6
+ 10JVToEgm5+N95zEXBiZtaNftvGYU6eVqHtwFyVm3lbO7VBYpvhRNQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMnVTcno3emdKRWUvL25j
+ MjEzN0pMUktPcjU3QW5CeEtYL2dFS1ZMdW13CjJVT0FOWTBUOWVCa0tEZE4yM1lx
+ d2F0TjAvaDBvcmdkR0pHV0c5KzRqdzgKLS0tIDR6TThRdWtMSzdkL2FHKytCNU8r
+ WHc3OWM0b0lSMGRUM2NnNmdocnNiRVkKko4z88f5PzmVzxfB8Zi/zZhccvxqYqym
+ nvd7uja8Ght+DpT/stYIrYyu0lyBOTVirwTIaEHr5bKUY1d+TwwP/g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a29XdEZkdkZuU0M3MGpU
+ YkJRbjdWOWpmdjQyUHY5VDBqUTRYUk9LR21BCkxjOUU4Mmg4NXZwVnRJYWp4NnZr
+ a0xUS3pQTjJNam5qQXhhZUkxaW5nVWsKLS0tIFJ3eFJxbytPQkZJKzF2MGorVmlr
+ LzVLTE1qZkp0YUhFT3h2dktuMnJGZE0KnirLt0k2g2XqqIKIu6nNNIoZMF25Ir7E
+ EFjv/k/kKVLPesrdtfwKRCLQqtQjV0j1qtqPOKoUDcrE3zxs4r4gaA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-20T07:04:41Z"
+ mac: ENC[AES256_GCM,data:hjDc7d8/8dwEb23Xb16WBsoEOE7hepyLYz2n2DW6aKT14RLOAxB85kP8Ibwb0tC4DqwNkCqOWJ6WxhHrZA2IKE4co6bsD8uc6atM2EgRm6Xctgr2lqvYMr7WtPFKIQF+/K7358i7vf/tyvtdvNINVuBXVra5LcxVTSVyUIb1m+w=,iv:VKDovzX5RO9RIjm85JlfsNE5sd+TVYRh8FbFJHIZpgw=,tag:tbdoa4Cow5jYEVvP9LXEiQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl
index 5236c23..f378bf5 100644
--- a/terraform/unifi-controller/terragrunt.hcl
+++ b/terraform/unifi-controller/terragrunt.hcl
@@ -2,10 +2,6 @@ include "root" {
path = find_in_parent_folders()
}
-dependency "docker" {
- config_path = "../conflatorio-docker"
-}
-
-# inputs = {
-# vpc_id = dependency.docker.outputs.foo
-# }
+#dependency "ipam6" {
+# config_path = "../ipam6"
+#}
diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf
index fc10542..4f1317f 100644
--- a/terraform/unifi-controller/unifi.tf
+++ b/terraform/unifi-controller/unifi.tf
@@ -1,77 +1,97 @@
-data "docker_network" "traefik" {
- name = "traefik"
-}
+# data "docker_network" "traefik" {
+# name = "traefik"
+# }
-data "docker_registry_image" "unifi-controller" {
- name = "lscr.io/linuxserver/unifi-controller:latest"
+data "docker_registry_image" "unifi-network-application" {
+ name = local.docker_image_controller
}
-resource "docker_image" "unifi-controller" {
- name = data.docker_registry_image.unifi-controller.name
- pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest]
+resource "docker_image" "unifi-network-application" {
+ name = data.docker_registry_image.unifi-network-application.name
+ pull_triggers = [data.docker_registry_image.unifi-network-application.sha256_digest]
}
-resource "docker_volume" "unifi-controller" {
- name = "unifi-controller"
+resource "docker_volume" "unifi-network-application" {
+ name = "unifi-network-application"
}
-resource "docker_container" "unifi-controller" {
- image = docker_image.unifi-controller.image_id
- name = "unifi-controller"
- hostname = "unifi-controller"
+resource "docker_container" "unifi-network-application" {
+ image = docker_image.unifi-network-application.image_id
+ name = "unifi-network-application"
+ hostname = "unifi-network-application"
# privileged = true
- # must_run = false
+ must_run = true
- networks_advanced {
- name = data.docker_network.traefik.name
- }
+ network_mode = "host"
+
+# networks_advanced {
+# name = data.docker_network.traefik.name
+# }
+
+# networks_advanced {
+# name = docker_network.unifi.name
+# }
dynamic "ports" {
for_each = [
- { port = 161, proto = "udp" },
- { port = 3478, proto = "udp" },
- { port = 6789, proto = "tcp" },
- { port = 8081, proto = "tcp" },
-# { port = 8080, proto = "tcp" }, # not used, we have configured it to 9080
- { port = 9080, proto = "tcp" },
- { port = 8880, proto = "tcp" },
-# { port = 8443, proto = "tcp" },
- { port = 10001, proto = "udp" },
+ # Taken from https://fleet.linuxserver.io/image?name=linuxserver/unifi-controller
+ { port = 1900, proto = "udp" }, # Required for Make controller discoverable on L2 network option
+ { port = 3478, proto = "udp" }, # Unifi STUN port
+ { port = 5514, proto = "tcp" }, # Remote syslog port
+ { port = 6789, proto = "tcp" }, # For mobile throughput test
+ { port = 8080, proto = "tcp" }, # Required for device communication
+
+ # Public HTTP is handled by traefik
+ # Not anymore!
+ { port = 8443, proto = "tcp" }, # Unifi web admin port
+
+ # Not used
+ # { port = 8843, proto = "tcp" }, # Unifi guest portal HTTPS redirect port
+ # { port = 8880, proto = "tcp" }, # Unifi guest portal HTTP redirect port
- # { port = 8843, proto = "tcp" }, web ui
+ { port = 10001, proto = "udp" }, # Required for AP discovery
]
content {
internal = ports.value["port"]
external = ports.value["port"]
protocol = ports.value["proto"]
- ip = "fdf3:aad9:a885:77dd::2"
+ ip = local.public_ip
}
}
volumes {
- volume_name = docker_volume.unifi-controller.name
+ volume_name = docker_volume.unifi-network-application.name
+ read_only = false
container_path = "/config"
}
- dynamic "labels" {
- for_each = [
- { label = "traefik.enable", value = "true" },
- { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" },
- { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" },
- { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" },
- { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" },
- { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" },
- # { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" },
- ]
- content {
- label = labels.value["label"]
- value = labels.value["value"]
- }
- }
+# dynamic "labels" {
+# for_each = [
+# { label = "traefik.enable", value = "true" },
+# { label = "traefik.http.routers.unifi-network-application.rule", value = "Host(`${local.domain_name}`)" },
+# { label = "traefik.http.routers.unifi-network-application.entrypoints", value = "websecure" },
+# { label = "traefik.http.routers.unifi-network-application.tls.certresolver", value = "linode" },
+# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.port", value = "8443" },
+# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.scheme", value = "https" },
+# { label = "traefik.docker.network", value = "traefik" },
+# # { label = "traefik.http.services.unifi-network-application.loadbalancer.passHostHeader", value = "false" },
+# ]
+# content {
+# label = labels.value["label"]
+# value = labels.value["value"]
+# }
+# }
env = [
"PUID=1000",
"PGID=1000",
+ "TZ=Europe/Oslo",
"MEM_LIMIT=default",
+ "MONGO_USER=${local.mongo_username}",
+ "MONGO_PASS=${local.mongo_password}",
+ #"MONGO_HOST=${docker_container.unifi-mongo.hostname}",
+ "MONGO_HOST=localhost",
+ "MONGO_PORT=27017",
+ "MONGO_DBNAME=${local.mongo_database}",
]
}
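Review bot: The `dynamic "ports"` block, including `ip = local.public_ip`, is inert under `network_mode = "host"` (set just above it): Docker discards published ports for host-networked containers, so the controller's listeners bind on every interface of the host rather than only the ipam address, and the admin UI on 8443 — previously reachable only through the traefik router that is now commented out — is exposed directly. Either drop `network_mode = "host"` and keep the explicit port list, which restores the per-port bind address, or keep host networking and state where the restriction is actually enforced, e.g. `# network_mode = "host": the ports block below is ignored by Docker; listen addresses are restricted by the host firewall`. The `MONGO_PASS=${local.mongo_password}` env entry is visible in the container's metadata on the host; that is inherent to how this image is configured, but a short comment would stop it being mistaken for a secret protected at the Docker layer. The container definition closes within the hunk.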