Merge pull request #22 from freifunk-mwu/unifi

Added unifi: Added java role, service-unifi role, service-nginx-unifi added unifi host
prisma01 2019-08-22 14:51:20 +02:00 committed by GitHub
commit 958b372053
24 changed files with 359 additions and 0 deletions

.gitignore vendored

@ -1,3 +1,4 @@
playbooks/test.yml playbooks/test.yml
roles/geerlingguy.mysql roles/geerlingguy.mysql
roles/powerdns.pdns roles/powerdns.pdns
roles/lean_delivery.java


@ -179,6 +179,46 @@ wireguard_networks:
- kichererbse - kichererbse
- linse - linse
port: 50027 port: 50027
- ipv4: 10.87.253.56/31
peers:
- unifi
- ingwer
port: 50028
- ipv4: 10.87.253.58/31
peers:
- unifi
- spinat
port: 50029
- ipv4: 10.87.253.60/31
peers:
- unifi
- uffschnitt
port: 50030
- ipv4: 10.87.253.62/31
peers:
- unifi
- lotuswurzel
port: 50031
- ipv4: 10.87.253.64/31
peers:
- unifi
- wasserfloh
port: 50032
- ipv4: 10.87.253.66/31
peers:
- unifi
- linse
port: 50033
- ipv4: 10.87.253.68/31
peers:
- unifi
- kichererbse
port: 50034
- ipv4: 10.87.253.70/31
peers:
- unifi
- suesskartoffel
port: 50035
fastd_groups: fastd_groups:
- gateways - gateways


@ -0,0 +1,4 @@
---
server_type: "service"
magic: 195


@ -1,3 +1,4 @@
[services] [services]
kichererbse.freifunk-mwu.de kichererbse.freifunk-mwu.de
linse.freifunk-mwu.de linse.freifunk-mwu.de
unifi.freifunk-mwu.de

inventory/unifi Normal file

@ -0,0 +1,2 @@
[unifi]
unifi.freifunk-mwu.de


@ -5,3 +5,4 @@
- import_playbook: services.yml - import_playbook: services.yml
- import_playbook: dns.yml - import_playbook: dns.yml
- import_playbook: buildservers.yml - import_playbook: buildservers.yml
- import_playbook: unifi.yml

playbooks/unifi.yml Executable file

@ -0,0 +1,8 @@
#!/usr/bin/ansible-playbook
---
- name: Unifi Controller.
hosts: unifi
roles:
- service-unifi
- service-nginx-unms


@ -1,2 +1,3 @@
- src: geerlingguy.mysql - src: geerlingguy.mysql
- src: powerdns.pdns - src: powerdns.pdns
- src: lean_delivery.java


@ -0,0 +1,10 @@
# Ansible role service-nginx-unms
Diese Ansible role konfiguriert ausschließlich den erforderlichen nginx vHost. Benötigt eine Installation von unms, die auf den entsprechenden ports lauscht.
- Verwaltet unifi vhost
## Benötigte Variablen
- Variable `http_domain_external` # string: Externe Freifunk MWU Domain
- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain


@ -0,0 +1,9 @@
---
- name: reload systemd
systemd:
daemon_reload: yes
- name: reload nginx
systemd:
name: nginx
state: reloaded


@ -0,0 +1,3 @@
---
dependencies:
- { role: service-nginx }


@ -0,0 +1,10 @@
---
- name: write unifi.conf
template:
src: unms_vhost.conf.j2
dest: /etc/nginx/conf.d/unms.conf
owner: root
group: root
mode: 0644
notify: reload nginx
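Review bot: The task is named `write unifi.conf` but its `dest` is `/etc/nginx/conf.d/unms.conf`, so play output will report the wrong file; rename it `- name: write unms.conf`. The task also carries no `become: yes`, and the playbook that applies this role (playbooks/unifi.yml, as shown in this commit) sets no `become` either, so the write into /etc/nginx/conf.d presumably only succeeds when the whole run is already privileged. The final `write unifi.conf` task of service-unifi's install.yml has the same omission, while every other task in that file escalates explicitly; adding `become: yes` to both tasks makes the roles self-contained.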


@ -0,0 +1,43 @@
server {
listen 80;
listen [::]:80;
server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
charset utf-8;
server_tokens off;
proxy_ssl_verify off;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
location /wss/ {
proxy_pass https://localhost:9443;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location / {
proxy_pass https://localhost:9443/; # The Unifi Controller Port
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
}
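Review bot: Both `server_name` lines in this template list `unifi.{{ http_domain_internal }}`, and the unifi_vhost.conf.j2 template added in the same commit claims the identical name on ports 80 and 443, so nginx will log "conflicting server name ... ignored" and route the internal unifi name to whichever conf.d file it loads first rather than to the intended 9443 backend. If this vhost is meant for UNMS only, the name here should be `unms.{{ http_domain_internal }}` (or the internal entry dropped). The proxied header `X-Forward-For` is not the conventional `X-Forwarded-For`, so the backend will not see the real client address in its logs; the same spelling is in unifi_vhost.conf.j2, so fix both as `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. `proxy_ssl_verify off` is tolerable only because the upstream is loopback; a one-line comment such as `# backend is a self-signed localhost listener, verification intentionally off` would make that accepted trade-off explicit.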


@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2015 Günter Grodotzki
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -0,0 +1,24 @@
# Ansible Role: UniFi controller
An Ansible role that installs UniFi Controller (Ubiquiti Networks) on Debian like systems. Also configures reuqired nginx vhost.
## Requirements
none
## Role Variables
- `unifi_controller_jvm_xmx: 1024M`
- `unifi_user: unifi`
## Dependencies
- lean_delivery.java
- service-nginx
## Example Playbook
- hosts: gw
roles:
- { role: service-unifi }


@ -0,0 +1,5 @@
---
unifi_controller_jvm_xmx: 1024M
unifi_user: unifi


@ -0,0 +1,17 @@
---
- name: restart_unifi
service:
name: unifi
state: restarted
enabled: yes
become: yes
- name: reload systemd
systemd:
daemon_reload: yes
- name: reload nginx
systemd:
name: nginx
state: reloaded


@ -0,0 +1,4 @@
---
dependencies:
- { role: lean_delivery.java }
- { role: service-nginx }


@ -0,0 +1,85 @@
---
- name: check for systemd
command: systemctl --version
register: unifi_controller_systemctl_version
ignore_errors: yes
- name: add apt-key unifi
apt_key:
keyserver: keyserver.ubuntu.com
id: 06E85760C0A52C50
become: yes
- name: add apt-repo unifi
apt_repository:
repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti
state: present
become: yes
- name: add apt-key mongodb
apt_key:
keyserver: keyserver.ubuntu.com
id: 58712A2291FA4AD5
become: yes
- name: add apt-repo mongodb
apt_repository:
repo: deb [arch=amd64] https://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
state: present
become: yes
- name: install unifi-controller
apt:
name: unifi
state: present
update_cache: yes
cache_valid_time: 3600
become: yes
- name: create unifi user
user:
name: "{{ unifi_user }}"
shell: /usr/sbin/nologin
home: /var/lib/unifi
system: yes
become: yes
when: unifi_user != 'root'
- name: fix perms
file:
path: "{{ item }}"
state: directory
recurse: yes
owner: "{{ unifi_user }}"
with_items:
- /var/log/unifi
- /var/lib/unifi
- /var/run/unifi
become: yes
notify: restart_unifi
- name: perma run folder
template:
src: tmpfiles.conf
dest: /etc/tmpfiles.d/unifi.conf
mode: 0644
become: yes
when: unifi_controller_systemctl_version is success
- name: add default-conf
template:
src: default.conf
dest: /etc/default/unifi
mode: 0644
become: yes
notify: restart_unifi
- name: write unifi.conf
template:
src: unifi_vhost.conf.j2
dest: /etc/nginx/conf.d/unifi.conf
owner: root
group: root
mode: 0644
notify: reload nginx
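Review bot: The `add apt-repo unifi` task sets `[trusted=yes]` on a plain-http third-party source, which disables apt's signature check for that repository, so the key imported by the preceding `add apt-key unifi` task is never enforced and whatever that host serves gets installed as root unverified. If the repack repository is signed with that key, drop the flag: `repo: deb [arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti`; if it is genuinely unsigned, the task deserves a comment stating that the package source is unauthenticated, because that is the supply-chain risk this role introduces. The MongoDB line pins a `stretch` suite while the unifi line pins `buster`; presumably intentional because of the controller's MongoDB 3.x requirement, but a comment on the task would save the next maintainer from "fixing" it. The `check for systemd` command task should also carry `changed_when: false`, otherwise every run reports a change before anything is done.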


@ -0,0 +1,13 @@
---
- name: get java-home
shell: ls /etc/alternatives/java -l | cut -d' ' -f11| sed 's/bin\/java//g'
register: unifi_raw_java_home
when: unifi_java_home is not defined
- name: set java-home
set_fact:
unifi_java_home: "{{ unifi_raw_java_home.stdout }}"
when: unifi_java_home is not defined
- include: install.yml
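Review bot: The `get java-home` pipeline depends on the exact column layout of `ls -l` (field 11 is the link target only when the listing has the expected number of whitespace-separated columns) and, being a `shell` task without `changed_when: false`, reports a change on every run. A more robust form is `command: readlink -f /etc/alternatives/java` with `changed_when: false`, and in `set java-home` derive the directory with `unifi_java_home: "{{ unifi_raw_java_home.stdout | regex_replace('/bin/java$', '') }}"`. `- include:` is deprecated in the Ansible versions current at this commit; `- import_tasks: install.yml` is the static equivalent.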


@ -0,0 +1,4 @@
JVM_MAX_HEAP_SIZE={{ unifi_controller_jvm_xmx }}
JVM_INIT_HEAP_SIZE={{ unifi_controller_jvm_xms }}
JSVC_EXTRA_OPTS="-user {{ unifi_user }} -cwd /usr/lib/unifi"
JAVA_HOME="{{ unifi_java_home }}"


@ -0,0 +1 @@
D /run/unifi 0755 {{ unifi_user }} root


@ -0,0 +1,43 @@
server {
listen 80;
listen [::]:80;
server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
charset utf-8;
server_tokens off;
proxy_ssl_verify off;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
location /wss/ {
proxy_pass https://localhost:8443;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location / {
proxy_pass https://localhost:8443/; # The Unifi Controller Port
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
}


@ -0,0 +1,9 @@
---
unifi_controller_jvm_xms: "{{ unifi_controller_jvm_xmx }}"
# JAVA Variables
java_package: jre
java_major_version: 8
java_distribution: adoptopenjdk
transport: adoptopenjdk-fallback
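Review bot: Values in a role's `vars/main.yml` take precedence over inventory host_vars and group_vars, so `unifi_controller_jvm_xms` and the `java_*` settings here cannot be tuned per host the way `unifi_controller_jvm_xmx` in defaults/main.yml can. If that is intentional (xms deliberately pinned to xmx, one Java flavour for all controllers), a comment such as `# role vars: intentionally not overridable from inventory` makes it explicit; otherwise these belong in defaults/main.yml. The bare key `transport` presumably targets the lean_delivery.java dependency; naming the consuming role in the `# JAVA Variables` comment would help.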