Merge pull request #22 from freifunk-mwu/unifi

Added unifi: Added java role, service-unifi role, service-nginx-unifi added unifi host
2019-08-22 14:51:20 +02:00 · 2019-08-22 14:51:20 +02:00 · 958b372053
commit 958b372053
parent 876c93737d d7c7a1e484
24 changed files with 359 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 playbooks/test.yml
 roles/geerlingguy.mysql
 roles/powerdns.pdns
+roles/lean_delivery.java
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -179,6 +179,46 @@ wireguard_networks:
      - kichererbse
      - linse
    port: 50027
+  - ipv4: 10.87.253.56/31
+    peers:
+      - unifi
+      - ingwer
+    port: 50028
+  - ipv4: 10.87.253.58/31
+    peers:
+      - unifi
+      - spinat
+    port: 50029
+  - ipv4: 10.87.253.60/31
+    peers:
+      - unifi
+      - uffschnitt
+    port: 50030
+  - ipv4: 10.87.253.62/31
+    peers:
+      - unifi
+      - lotuswurzel
+    port: 50031
+  - ipv4: 10.87.253.64/31
+    peers:
+      - unifi
+      - wasserfloh
+    port: 50032
+  - ipv4: 10.87.253.66/31
+    peers:
+      - unifi
+      - linse
+    port: 50033
+  - ipv4: 10.87.253.68/31
+    peers:
+      - unifi
+      - kichererbse
+    port: 50034
+  - ipv4: 10.87.253.70/31
+    peers:
+      - unifi
+      - suesskartoffel
+    port: 50035

 fastd_groups:
  - gateways
--- a/inventory/host_vars/unifi.freifunk-mwu.de
+++ b/inventory/host_vars/unifi.freifunk-mwu.de
@ -0,0 +1,4 @@
+---
+server_type: "service"
+
+magic: 195
--- a/inventory/services
+++ b/inventory/services
@ -1,3 +1,4 @@
 [services]
 kichererbse.freifunk-mwu.de
 linse.freifunk-mwu.de
+unifi.freifunk-mwu.de
--- a/inventory/unifi
+++ b/inventory/unifi
@ -0,0 +1,2 @@
+[unifi]
+unifi.freifunk-mwu.de
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@ -5,3 +5,4 @@
 - import_playbook: services.yml
 - import_playbook: dns.yml
 - import_playbook: buildservers.yml
+- import_playbook: unifi.yml
--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- name: Unifi Controller.
+  hosts: unifi
+
+  roles:
+  - service-unifi
+  - service-nginx-unms
--- a/requirements.yml
+++ b/requirements.yml
@ -1,2 +1,3 @@
 - src: geerlingguy.mysql
 - src: powerdns.pdns
+- src: lean_delivery.java
--- a/roles/service-nginx-unms/README.md
+++ b/roles/service-nginx-unms/README.md
@ -0,0 +1,10 @@
+# Ansible role service-nginx-unms
+
+Diese Ansible role konfiguriert ausschließlich den erforderlichen nginx vHost. Benötigt eine Installation von unms, die auf den entsprechenden ports lauscht.
+
+- Verwaltet unifi vhost
+
+## Benötigte Variablen
+
+- Variable `http_domain_external` # string: Externe Freifunk MWU Domain
+- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain
--- a/roles/service-nginx-unms/handlers/main.yml
+++ b/roles/service-nginx-unms/handlers/main.yml
@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
--- a/roles/service-nginx-unms/meta/main.yml
+++ b/roles/service-nginx-unms/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: service-nginx }
--- a/roles/service-nginx-unms/tasks/main.yml
+++ b/roles/service-nginx-unms/tasks/main.yml
@ -0,0 +1,10 @@
+---
+
+- name: write unifi.conf
+  template:
+    src: unms_vhost.conf.j2
+    dest: /etc/nginx/conf.d/unms.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx
--- a/roles/service-nginx-unms/templates/unms_vhost.conf.j2
+++ b/roles/service-nginx-unms/templates/unms_vhost.conf.j2
@ -0,0 +1,43 @@
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+    charset utf-8;
+    server_tokens off;
+    proxy_ssl_verify off;
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location /wss/ {
+        proxy_pass https://localhost:9443;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    location / {
+            proxy_pass https://localhost:9443/; # The Unifi Controller Port
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+    }
+
+
+}
--- a/roles/service-unifi/LICENSE
+++ b/roles/service-unifi/LICENSE
@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Günter Grodotzki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/roles/service-unifi/README.md
+++ b/roles/service-unifi/README.md
@ -0,0 +1,24 @@
+
+# Ansible Role: UniFi controller
+
+An Ansible role that installs UniFi Controller (Ubiquiti Networks) on Debian like systems. Also configures reuqired nginx vhost.
+
+## Requirements
+
+none
+
+## Role Variables
+
+- `unifi_controller_jvm_xmx: 1024M`
+- `unifi_user: unifi`
+
+## Dependencies
+
+- lean_delivery.java
+- service-nginx
+
+## Example Playbook
+
+    - hosts: gw
+      roles:
+        - { role: service-unifi }
--- a/roles/service-unifi/defaults/main.yml
+++ b/roles/service-unifi/defaults/main.yml
@ -0,0 +1,5 @@
+---
+
+unifi_controller_jvm_xmx: 1024M
+
+unifi_user: unifi
--- a/roles/service-unifi/handlers/main.yml
+++ b/roles/service-unifi/handlers/main.yml
@ -0,0 +1,17 @@
+---
+
+- name: restart_unifi
+  service:
+    name: unifi
+    state: restarted
+    enabled: yes
+  become: yes
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
--- a/roles/service-unifi/meta/main.yml
+++ b/roles/service-unifi/meta/main.yml
@ -0,0 +1,4 @@
+---
+dependencies:
+  - { role: lean_delivery.java }
+  - { role: service-nginx }
--- a/roles/service-unifi/tasks/install.yml
+++ b/roles/service-unifi/tasks/install.yml
@ -0,0 +1,85 @@
+---
+
+- name: check for systemd
+  command: systemctl --version
+  register: unifi_controller_systemctl_version
+  ignore_errors: yes
+
+- name: add apt-key unifi
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 06E85760C0A52C50
+  become: yes
+
+- name: add apt-repo unifi
+  apt_repository:
+    repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti
+    state: present
+  become: yes
+
+- name: add apt-key mongodb
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 58712A2291FA4AD5
+  become: yes
+
+- name: add apt-repo mongodb
+  apt_repository:
+    repo: deb [arch=amd64] https://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
+    state: present
+  become: yes
+
+- name: install unifi-controller
+  apt:
+    name: unifi
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  become: yes
+
+- name: create unifi user
+  user:
+    name: "{{ unifi_user }}"
+    shell: /usr/sbin/nologin
+    home: /var/lib/unifi
+    system: yes
+  become: yes
+  when: unifi_user != 'root'
+
+- name: fix perms
+  file:
+    path: "{{ item }}"
+    state: directory
+    recurse: yes
+    owner: "{{ unifi_user }}"
+  with_items:
+    - /var/log/unifi
+    - /var/lib/unifi
+    - /var/run/unifi
+  become: yes
+  notify: restart_unifi
+
+- name: perma run folder
+  template:
+    src: tmpfiles.conf
+    dest: /etc/tmpfiles.d/unifi.conf
+    mode: 0644
+  become: yes
+  when: unifi_controller_systemctl_version is success
+
+- name: add default-conf
+  template:
+    src: default.conf
+    dest: /etc/default/unifi
+    mode: 0644
+  become: yes
+  notify: restart_unifi
+
+- name: write unifi.conf
+  template:
+    src: unifi_vhost.conf.j2
+    dest: /etc/nginx/conf.d/unifi.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx
--- a/roles/service-unifi/tasks/main.yml
+++ b/roles/service-unifi/tasks/main.yml
@ -0,0 +1,13 @@
+---
+
+- name: get java-home
+  shell: ls /etc/alternatives/java -l | cut -d' ' -f11| sed 's/bin\/java//g'
+  register: unifi_raw_java_home
+  when: unifi_java_home is not defined
+
+- name: set java-home
+  set_fact:
+    unifi_java_home: "{{ unifi_raw_java_home.stdout }}"
+  when: unifi_java_home is not defined
+
+- include: install.yml
--- a/roles/service-unifi/templates/default.conf
+++ b/roles/service-unifi/templates/default.conf
@ -0,0 +1,4 @@
+JVM_MAX_HEAP_SIZE={{ unifi_controller_jvm_xmx }}
+JVM_INIT_HEAP_SIZE={{ unifi_controller_jvm_xms }}
+JSVC_EXTRA_OPTS="-user {{ unifi_user }} -cwd /usr/lib/unifi"
+JAVA_HOME="{{ unifi_java_home }}"
--- a/roles/service-unifi/templates/tmpfiles.conf
+++ b/roles/service-unifi/templates/tmpfiles.conf
@ -0,0 +1 @@
+D /run/unifi 0755 {{ unifi_user }} root
--- a/roles/service-unifi/templates/unifi_vhost.conf.j2
+++ b/roles/service-unifi/templates/unifi_vhost.conf.j2
@ -0,0 +1,43 @@
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+    charset utf-8;
+    server_tokens off;
+    proxy_ssl_verify off;
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location /wss/ {
+        proxy_pass https://localhost:8443;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    location / {
+            proxy_pass https://localhost:8443/; # The Unifi Controller Port
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+    }
+
+
+}
--- a/roles/service-unifi/vars/main.yml
+++ b/roles/service-unifi/vars/main.yml
@ -0,0 +1,9 @@
+---
+
+unifi_controller_jvm_xms: "{{ unifi_controller_jvm_xmx }}"
+
+# JAVA Variables
+java_package: jre
+java_major_version: 8
+java_distribution: adoptopenjdk
+transport: adoptopenjdk-fallback