Added Unfi Server to ansible.

Squashed commit of the following:

commit 3ba76f9e3c02e4a343c0af62ce0327dee6f2f109
Author: Julian Labus <julian@labus-online.de>
Date:   Thu Aug 22 13:18:05 2019 +0200

    make unifi.yml executable

commit 36002be43a7c1af76660682469dc7efcc06fac5f
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 13:10:32 2019 +0200

    Changed magic < 255

commit c26bbac23620455653d8e21bf512c48493362d43
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 12:05:42 2019 +0200

    Ergänzug um Installation von UNMS

commit 220ba24e471f8139d775eec1d4b3da46e8befdf7
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 12:01:38 2019 +0200

    moved service-nginx-unifi into service-unifi

commit 570f5673c47b72e959e6da8940a9cbcbf1e496bf
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 11:40:27 2019 +0200

    remove lean_delivery.java from unifi playbook. already in dependencies of service-unifi

commit 4775cff44d53e07b720e8760f0e4ece1460e0717
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 11:38:44 2019 +0200

    adjusted readme, remove galaxy info, removed unit test

commit 75711495fcb40f618cd65029ceda6b3cfed7e581
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 11:32:59 2019 +0200

    fix type in unifi inventory

commit 513b4f6b8f3d1426e58a19ece6514e467916d680
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 11:32:44 2019 +0200

    move service-unifi back to correct location

commit ea32af8275fd7e6c34281e02eeb2323cbea55f64
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 11:31:42 2019 +0200

    move service-unifi to temp directory

commit 87698c8d84a66cbf844e923c6dd41de87cba7759
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 02:09:17 2019 +0200

    Move host definition to inentory

commit b469c3f6307dbed9f40310c590abc0c672487973
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Thu Aug 22 01:52:19 2019 +0200

    Add unifi.yml to site.yml, remove wireguard role from unifi.yml

commit 77fa3aa0eb04b01a7b10dd66cede41b09e0aa5c0
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Wed Aug 14 21:17:49 2019 +0200

    Add unifi to wireguard

commit c63b850ddd470aa43d8ec25663f086180157673d
Author: Julian Labus <julian@labus-online.de>
Date:   Tue Aug 13 08:35:53 2019 +0200

    Add wireguard_networks for host unifi

commit 21341ad359fcfe9a9e4735ca50750f1bd5ea2ab6
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Mon Aug 12 22:49:17 2019 +0200

    Add unms nginx vhost

commit 0c0dff99b6ddbf8c5a354cce040b649c43948d64
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Mon Aug 12 21:44:30 2019 +0200

    Add java role to gitignore

commit 4fa292b5e5528b732e71dfd204ce53878cc3ee7e
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Mon Aug 12 21:43:50 2019 +0200

    minor changes

commit 25ab40e85e8b2fd6eb4a770e4c26a82894db3622
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Mon Aug 12 21:17:39 2019 +0200

    move java repo to requirements.yml, replace duplicated serice-nginx with service-nginx + dependency

commit d9aa004149da7ac3893b698d4dcb329236a521fe
Author: Sebastian Schmachtel <prisma_freifunk@oimel.net>
Date:   Mon Aug 12 00:52:24 2019 +0200

    Added unif host: Added java role, service-unifi role, service-nginx-unifi added unifi host

.gitignore

@@ -1,3 +1,4 @@
 playbooks/test.yml
 roles/geerlingguy.mysql
 roles/powerdns.pdns
+roles/lean_delivery.java

inventory/group_vars/all

@@ -179,6 +179,46 @@ wireguard_networks:
       - kichererbse
       - linse
     port: 50027
+  - ipv4: 10.87.253.56/31
+    peers:
+      - unifi
+      - ingwer
+    port: 50028
+  - ipv4: 10.87.253.58/31
+    peers:
+      - unifi
+      - spinat
+    port: 50029
+  - ipv4: 10.87.253.60/31
+    peers:
+      - unifi
+      - uffschnitt
+    port: 50030
+  - ipv4: 10.87.253.62/31
+    peers:
+      - unifi
+      - lotuswurzel
+    port: 50031
+  - ipv4: 10.87.253.64/31
+    peers:
+      - unifi
+      - wasserfloh
+    port: 50032
+  - ipv4: 10.87.253.66/31
+    peers:
+      - unifi
+      - linse
+    port: 50033
+  - ipv4: 10.87.253.68/31
+    peers:
+      - unifi
+      - kichererbse
+    port: 50034
+  - ipv4: 10.87.253.70/31
+    peers:
+      - unifi
+      - suesskartoffel
+    port: 50035
 
 fastd_groups:
   - gateways

inventory/host_vars/unifi.freifunk-mwu.de

@@ -0,0 +1,4 @@
+---
+server_type: "service"
+
+magic: 195

inventory/services

@@ -1,3 +1,4 @@
 [services]
 kichererbse.freifunk-mwu.de
 linse.freifunk-mwu.de
+unifi.freifunk-mwu.de

inventory/unifi

@@ -0,0 +1,2 @@
+[unifi]
+unifi.freifunk-mwu.de

playbooks/site.yml

@@ -5,3 +5,4 @@
 - import_playbook: services.yml
 - import_playbook: dns.yml
 - import_playbook: buildservers.yml
+- import_playbook: unifi.yml

playbooks/unifi.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- name: Unifi Controller.
+  hosts: unifi
+
+  roles:
+  - service-unifi
+  - service-nginx-unms

requirements.yml

@@ -1,2 +1,3 @@
 - src: geerlingguy.mysql
 - src: powerdns.pdns
+- src: lean_delivery.java

roles/service-nginx-unms/README.md

@@ -0,0 +1,10 @@
+# Ansible role service-nginx-unms
+
+Diese Ansible role konfiguriert ausschließlich den erforderlichen nginx vHost. Benötigt eine Installation von unms, die auf den entsprechenden ports lauscht.
+
+- Verwaltet unifi vhost
+
+## Benötigte Variablen
+
+- Variable `http_domain_external` # string: Externe Freifunk MWU Domain
+- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain

roles/service-nginx-unms/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded

roles/service-nginx-unms/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: service-nginx }

roles/service-nginx-unms/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: write unifi.conf
+  template:
+    src: unms_vhost.conf.j2
+    dest: /etc/nginx/conf.d/unms.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx

roles/service-nginx-unms/templates/unms_vhost.conf.j2

@@ -0,0 +1,43 @@
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+    charset utf-8;
+    server_tokens off;
+    proxy_ssl_verify off;
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location /wss/ {
+        proxy_pass https://localhost:9443;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    location / {
+            proxy_pass https://localhost:9443/; # The Unifi Controller Port
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+    }
+
+
+}

roles/service-unifi/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Günter Grodotzki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

roles/service-unifi/README.md

@@ -0,0 +1,24 @@
+
+# Ansible Role: UniFi controller
+
+An Ansible role that installs UniFi Controller (Ubiquiti Networks) on Debian like systems. Also configures reuqired nginx vhost.
+
+## Requirements
+
+none
+
+## Role Variables
+
+- `unifi_controller_jvm_xmx: 1024M`
+- `unifi_user: unifi`
+
+## Dependencies
+
+- lean_delivery.java
+- service-nginx
+
+## Example Playbook
+
+    - hosts: gw
+      roles:
+        - { role: service-unifi }

roles/service-unifi/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+unifi_controller_jvm_xmx: 1024M
+
+unifi_user: unifi

roles/service-unifi/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: restart_unifi
+  service:
+    name: unifi
+    state: restarted
+    enabled: yes
+  become: yes
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded

roles/service-unifi/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - { role: lean_delivery.java }
+  - { role: service-nginx }

roles/service-unifi/tasks/install.yml

@@ -0,0 +1,85 @@
+---
+
+- name: check for systemd
+  command: systemctl --version
+  register: unifi_controller_systemctl_version
+  ignore_errors: yes
+
+- name: add apt-key unifi
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 06E85760C0A52C50
+  become: yes
+
+- name: add apt-repo unifi
+  apt_repository:
+    repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti
+    state: present
+  become: yes
+
+- name: add apt-key mongodb
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 58712A2291FA4AD5
+  become: yes
+
+- name: add apt-repo mongodb
+  apt_repository:
+    repo: deb [arch=amd64] https://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
+    state: present
+  become: yes
+
+- name: install unifi-controller
+  apt:
+    name: unifi
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  become: yes
+
+- name: create unifi user
+  user:
+    name: "{{ unifi_user }}"
+    shell: /usr/sbin/nologin
+    home: /var/lib/unifi
+    system: yes
+  become: yes
+  when: unifi_user != 'root'
+
+- name: fix perms
+  file:
+    path: "{{ item }}"
+    state: directory
+    recurse: yes
+    owner: "{{ unifi_user }}"
+  with_items:
+    - /var/log/unifi
+    - /var/lib/unifi
+    - /var/run/unifi
+  become: yes
+  notify: restart_unifi
+
+- name: perma run folder
+  template:
+    src: tmpfiles.conf
+    dest: /etc/tmpfiles.d/unifi.conf
+    mode: 0644
+  become: yes
+  when: unifi_controller_systemctl_version is success
+
+- name: add default-conf
+  template:
+    src: default.conf
+    dest: /etc/default/unifi
+    mode: 0644
+  become: yes
+  notify: restart_unifi
+
+- name: write unifi.conf
+  template:
+    src: unifi_vhost.conf.j2
+    dest: /etc/nginx/conf.d/unifi.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx

roles/service-unifi/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: get java-home
+  shell: ls /etc/alternatives/java -l | cut -d' ' -f11| sed 's/bin\/java//g'
+  register: unifi_raw_java_home
+  when: unifi_java_home is not defined
+
+- name: set java-home
+  set_fact:
+    unifi_java_home: "{{ unifi_raw_java_home.stdout }}"
+  when: unifi_java_home is not defined
+
+- include: install.yml

roles/service-unifi/templates/default.conf

@@ -0,0 +1,4 @@
+JVM_MAX_HEAP_SIZE={{ unifi_controller_jvm_xmx }}
+JVM_INIT_HEAP_SIZE={{ unifi_controller_jvm_xms }}
+JSVC_EXTRA_OPTS="-user {{ unifi_user }} -cwd /usr/lib/unifi"
+JAVA_HOME="{{ unifi_java_home }}"

roles/service-unifi/templates/tmpfiles.conf

@@ -0,0 +1 @@
+D /run/unifi 0755 {{ unifi_user }} root

roles/service-unifi/templates/unifi_vhost.conf.j2

@@ -0,0 +1,43 @@
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+    charset utf-8;
+    server_tokens off;
+    proxy_ssl_verify off;
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location /wss/ {
+        proxy_pass https://localhost:8443;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_read_timeout 86400;
+    }
+
+    location / {
+            proxy_pass https://localhost:8443/; # The Unifi Controller Port
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+    }
+
+
+}

roles/service-unifi/vars/main.yml

@@ -0,0 +1,9 @@
+---
+
+unifi_controller_jvm_xms: "{{ unifi_controller_jvm_xmx }}"
+
+# JAVA Variables
+java_package: jre
+java_major_version: 8
+java_distribution: adoptopenjdk
+transport: adoptopenjdk-fallback