diff --git a/.gitignore b/.gitignore
index 283439a..b3510dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 playbooks/test.yml
 roles/geerlingguy.mysql
 roles/powerdns.pdns
+roles/lean_delivery.java
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index c50f41f..5f56abe 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -179,6 +179,46 @@ wireguard_networks:
 - kichererbse
 - linse
 port: 50027
+ - ipv4: 10.87.253.56/31
+ peers:
+ - unifi
+ - ingwer
+ port: 50028
+ - ipv4: 10.87.253.58/31
+ peers:
+ - unifi
+ - spinat
+ port: 50029
+ - ipv4: 10.87.253.60/31
+ peers:
+ - unifi
+ - uffschnitt
+ port: 50030
+ - ipv4: 10.87.253.62/31
+ peers:
+ - unifi
+ - lotuswurzel
+ port: 50031
+ - ipv4: 10.87.253.64/31
+ peers:
+ - unifi
+ - wasserfloh
+ port: 50032
+ - ipv4: 10.87.253.66/31
+ peers:
+ - unifi
+ - linse
+ port: 50033
+ - ipv4: 10.87.253.68/31
+ peers:
+ - unifi
+ - kichererbse
+ port: 50034
+ - ipv4: 10.87.253.70/31
+ peers:
+ - unifi
+ - suesskartoffel
+ port: 50035
 fastd_groups:
 - gateways
diff --git a/inventory/host_vars/unifi.freifunk-mwu.de b/inventory/host_vars/unifi.freifunk-mwu.de
new file mode 100644
index 0000000..63fb387
--- /dev/null
+++ b/inventory/host_vars/unifi.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+server_type: "service"
+
+magic: 195
diff --git a/inventory/services b/inventory/services
index fde8e79..786c3e0 100644
--- a/inventory/services
+++ b/inventory/services
@@ -1,3 +1,4 @@
 [services]
 kichererbse.freifunk-mwu.de
 linse.freifunk-mwu.de
+unifi.freifunk-mwu.de
diff --git a/inventory/unifi b/inventory/unifi
new file mode 100644
index 0000000..5783f52
--- /dev/null
+++ b/inventory/unifi
@@ -0,0 +1,2 @@
+[unifi]
+unifi.freifunk-mwu.de
diff --git a/playbooks/site.yml b/playbooks/site.yml
index fdce524..299b3af 100755
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -5,3 +5,4 @@
 - import_playbook: services.yml
 - import_playbook: dns.yml
 - import_playbook: buildservers.yml
+- import_playbook: unifi.yml
diff --git a/playbooks/unifi.yml b/playbooks/unifi.yml
new file mode 100755
index 0000000..84062ad
--- /dev/null
+++ b/playbooks/unifi.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- name: Unifi Controller.
+ hosts: unifi
+
+ roles:
+ - service-unifi
+ - service-nginx-unms
diff --git a/requirements.yml b/requirements.yml
index ef4c8cc..2356191 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,2 +1,3 @@
 - src: geerlingguy.mysql
 - src: powerdns.pdns
+- src: lean_delivery.java
diff --git a/roles/service-nginx-unms/README.md b/roles/service-nginx-unms/README.md
new file mode 100644
index 0000000..e1ef99d
--- /dev/null
+++ b/roles/service-nginx-unms/README.md
@@ -0,0 +1,10 @@
+# Ansible role service-nginx-unms
+
+Diese Ansible role konfiguriert ausschließlich den erforderlichen nginx vHost. Benötigt eine Installation von unms, die auf den entsprechenden ports lauscht.
+
+- Verwaltet unifi vhost
+
+## Benötigte Variablen
+
+- Variable `http_domain_external` # string: Externe Freifunk MWU Domain
+- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain
diff --git a/roles/service-nginx-unms/handlers/main.yml b/roles/service-nginx-unms/handlers/main.yml
new file mode 100644
index 0000000..8ba62c2
--- /dev/null
+++ b/roles/service-nginx-unms/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
diff --git a/roles/service-nginx-unms/meta/main.yml b/roles/service-nginx-unms/meta/main.yml
new file mode 100644
index 0000000..814b458
--- /dev/null
+++ b/roles/service-nginx-unms/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: service-nginx }
diff --git a/roles/service-nginx-unms/tasks/main.yml b/roles/service-nginx-unms/tasks/main.yml
new file mode 100644
index 0000000..590f3ec
--- /dev/null
+++ b/roles/service-nginx-unms/tasks/main.yml
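Review bot: The new Galaxy entry `- src: lean_delivery.java` in requirements.yml carries no `version:`, so each `ansible-galaxy install` fetches whatever the role's default branch holds at that moment and the controller host is built from unreviewed, unpinned third-party code. Pin it to a released tag, `- src: lean_delivery.java` / `  version: "<pinned-tag-placeholder>"`, and keep the `.gitignore` exclusion of `roles/lean_delivery.java` so only the pinned copy is ever installed. The two existing entries share the issue but are history in this diff.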
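Review bot: `daemon_reload: yes` in the `reload systemd` handler of roles/service-nginx-unms/handlers/main.yml is a YAML 1.1 truthy spelling; write `daemon_reload: true` so the value does not depend on parser version. The same applies to `enabled: yes` / `become: yes` in roles/service-unifi/handlers/main.yml and to every `become: yes`, `ignore_errors: yes`, `recurse: yes`, `system: yes` and `update_cache: yes` in roles/service-unifi/tasks/install.yml. Nothing in the hunks shown notifies `reload systemd`, so unless a task outside this diff uses it the handler appears to be dead and could be dropped.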
@@ -0,0 +1,10 @@
+---
+
+- name: write unifi.conf
+ template:
+ src: unms_vhost.conf.j2
+ dest: /etc/nginx/conf.d/unms.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
diff --git a/roles/service-nginx-unms/templates/unms_vhost.conf.j2 b/roles/service-nginx-unms/templates/unms_vhost.conf.j2
new file mode 100644
index 0000000..d4c7701
--- /dev/null
+++ b/roles/service-nginx-unms/templates/unms_vhost.conf.j2
@@ -0,0 +1,43 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ charset utf-8;
+ server_tokens off;
+ proxy_ssl_verify off;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location /wss/ {
+ proxy_pass https://localhost:9443;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_read_timeout 86400;
+ }
+
+ location / {
+ proxy_pass https://localhost:9443/; # The Unifi Controller Port
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ }
+
+
+}
diff --git a/roles/service-unifi/LICENSE b/roles/service-unifi/LICENSE
new file mode 100644
index 0000000..23e2c1d
--- /dev/null
+++ b/roles/service-unifi/LICENSE
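Review bot: The task `- name: write unifi.conf` in roles/service-nginx-unms/tasks/main.yml actually writes `/etc/nginx/conf.d/unms.conf`, so the name misleads in play output and is identical to the task in roles/service-unifi/tasks/install.yml that writes the real unifi vhost; rename it `- name: write unms.conf`. `mode: 0644` is an unquoted leading-zero literal that a YAML 1.1 loader turns into the integer 420; Ansible's file modules accept that, but the documented parser-independent form is `mode: "0644"` (same for both `write unifi.conf` tasks and for `perma run folder` / `add default-conf` in install.yml).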
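Review bot: In the `location /` block of unms_vhost.conf.j2 the forwarded-address header is spelled `X-Forward-For`; the name upstreams and their access logs/ACLs read is `X-Forwarded-For`, so as written the backend only ever sees nginx's loopback address and client attribution for audit is lost: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The same typo is in roles/service-unifi/templates/unifi_vhost.conf.j2. The two templates otherwise differ only in the upstream port (9443 here, 8443 there) and the external hostname, so one template with the port as a role variable would avoid fixing this twice; the trailing comment `# The Unifi Controller Port` next to the 9443 proxy_pass looks copied from the unifi template and should say UNMS. `proxy_ssl_verify off` is defensible for a self-signed loopback upstream but deserves a one-line comment saying so, so a later reader does not apply the pattern to a remote upstream.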
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Günter Grodotzki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/roles/service-unifi/README.md b/roles/service-unifi/README.md
new file mode 100644
index 0000000..308ea04
--- /dev/null
+++ b/roles/service-unifi/README.md
@@ -0,0 +1,24 @@
+
+# Ansible Role: UniFi controller
+
+An Ansible role that installs UniFi Controller (Ubiquiti Networks) on Debian like systems. Also configures reuqired nginx vhost.
+
+## Requirements
+
+none
+
+## Role Variables
+
+- `unifi_controller_jvm_xmx: 1024M`
+- `unifi_user: unifi`
+
+## Dependencies
+
+- lean_delivery.java
+- service-nginx
+
+## Example Playbook
+
+ - hosts: gw
+ roles:
+ - { role: service-unifi }
diff --git a/roles/service-unifi/defaults/main.yml b/roles/service-unifi/defaults/main.yml
new file mode 100644
index 0000000..02c2a30
--- /dev/null
+++ b/roles/service-unifi/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+unifi_controller_jvm_xmx: 1024M
+
+unifi_user: unifi
diff --git a/roles/service-unifi/handlers/main.yml b/roles/service-unifi/handlers/main.yml
new file mode 100644
index 0000000..f98f701
--- /dev/null
+++ b/roles/service-unifi/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: restart_unifi
+ service:
+ name: unifi
+ state: restarted
+ enabled: yes
+ become: yes
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
diff --git a/roles/service-unifi/meta/main.yml b/roles/service-unifi/meta/main.yml
new file mode 100644
index 0000000..fb90194
--- /dev/null
+++ b/roles/service-unifi/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: lean_delivery.java }
+ - { role: service-nginx }
diff --git a/roles/service-unifi/tasks/install.yml b/roles/service-unifi/tasks/install.yml
new file mode 100644
index 0000000..2d8779f
--- /dev/null
+++ b/roles/service-unifi/tasks/install.yml
@@ -0,0 +1,85 @@
+---
+
+- name: check for systemd
+ command: systemctl --version
+ register: unifi_controller_systemctl_version
+ ignore_errors: yes
+
+- name: add apt-key unifi
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: 06E85760C0A52C50
+ become: yes
+
+- name: add apt-repo unifi
+ apt_repository:
+ repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti
+ state: present
+ become: yes
+
+- name: add apt-key mongodb
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: 58712A2291FA4AD5
+ become: yes
+
+- name: add apt-repo mongodb
+ apt_repository:
+ repo: deb [arch=amd64] https://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
+ state: present
+ become: yes
+
+- name: install unifi-controller
+ apt:
+ name: unifi
+ state: present
+ update_cache: yes
+ cache_valid_time: 3600
+ become: yes
+
+- name: create unifi user
+ user:
+ name: "{{ unifi_user }}"
+ shell: /usr/sbin/nologin
+ home: /var/lib/unifi
+ system: yes
+ become: yes
+ when: unifi_user != 'root'
+
+- name: fix perms
+ file:
+ path: "{{ item }}"
+ state: directory
+ recurse: yes
+ owner: "{{ unifi_user }}"
+ with_items:
+ - /var/log/unifi
+ - /var/lib/unifi
+ - /var/run/unifi
+ become: yes
+ notify: restart_unifi
+
+- name: perma run folder
+ template:
+ src: tmpfiles.conf
+ dest: /etc/tmpfiles.d/unifi.conf
+ mode: 0644
+ become: yes
+ when: unifi_controller_systemctl_version is success
+
+- name: add default-conf
+ template:
+ src: default.conf
+ dest: /etc/default/unifi
+ mode: 0644
+ become: yes
+ notify: restart_unifi
+
+- name: write unifi.conf
+ template:
+ src: unifi_vhost.conf.j2
+ dest: /etc/nginx/conf.d/unifi.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
diff --git a/roles/service-unifi/tasks/main.yml b/roles/service-unifi/tasks/main.yml
new file mode 100644
index 0000000..35c9f1a
--- /dev/null
+++ b/roles/service-unifi/tasks/main.yml
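Review bot: `repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti` in the `add apt-repo unifi` task switches off apt's signature verification for a third-party repack repository that is also fetched over plain HTTP, so anyone on the path or in control of that host can substitute the `unifi` package which `install unifi-controller` then installs as root; the key imported by the preceding `add apt-key unifi` task is made irrelevant by that option. Drop it so the imported key is actually enforced, `repo: deb [arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti`, and move to HTTPS if the mirror offers it. Both `apt_key` tasks use `keyserver:` imports, which land in the global trusted keyring and therefore vouch for every configured repository; a `signed-by=` option pointing at a dedicated keyring file under `/usr/share/keyrings/` confines each key to its own repo. The MongoDB line targets `stretch/mongodb-org/3.6` while the unifi repo targets `buster`; if that mismatch is deliberate for the 3.6 series it deserves a comment, since it is otherwise indistinguishable from a copy-paste slip.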
@@ -0,0 +1,13 @@
+---
+
+- name: get java-home
+ shell: ls /etc/alternatives/java -l | cut -d' ' -f11| sed 's/bin\/java//g'
+ register: unifi_raw_java_home
+ when: unifi_java_home is not defined
+
+- name: set java-home
+ set_fact:
+ unifi_java_home: "{{ unifi_raw_java_home.stdout }}"
+ when: unifi_java_home is not defined
+
+- include: install.yml
diff --git a/roles/service-unifi/templates/default.conf b/roles/service-unifi/templates/default.conf
new file mode 100644
index 0000000..b5c04b1
--- /dev/null
+++ b/roles/service-unifi/templates/default.conf
@@ -0,0 +1,4 @@
+JVM_MAX_HEAP_SIZE={{ unifi_controller_jvm_xmx }}
+JVM_INIT_HEAP_SIZE={{ unifi_controller_jvm_xms }}
+JSVC_EXTRA_OPTS="-user {{ unifi_user }} -cwd /usr/lib/unifi"
+JAVA_HOME="{{ unifi_java_home }}"
diff --git a/roles/service-unifi/templates/tmpfiles.conf b/roles/service-unifi/templates/tmpfiles.conf
new file mode 100644
index 0000000..c24d385
--- /dev/null
+++ b/roles/service-unifi/templates/tmpfiles.conf
@@ -0,0 +1 @@
+D /run/unifi 0755 {{ unifi_user }} root
diff --git a/roles/service-unifi/templates/unifi_vhost.conf.j2 b/roles/service-unifi/templates/unifi_vhost.conf.j2
new file mode 100644
index 0000000..21f03f3
--- /dev/null
+++ b/roles/service-unifi/templates/unifi_vhost.conf.j2
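Review bot: The `get java-home` task derives the JVM path by parsing `ls -l` output with `cut -d' ' -f11`, which depends on the exact column layout of `ls` (a different field count, locale date format, or an owner name with unusual spacing shifts the column and silently yields an empty string), and that empty value then ends up as `JAVA_HOME=""` in templates/default.conf and a non-starting service. Resolve the symlink directly and mark the read-only probe as not changing anything: `shell: dirname "$(dirname "$(readlink -f /etc/alternatives/java)")"` / `changed_when: false`; this yields the same directory the `sed 's/bin\/java//g'` strip produces, minus the trailing slash. `- include: install.yml` is the deprecated dynamic/static hybrid form; `import_tasks: install.yml` is the static equivalent that current Ansible documents.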
@@ -0,0 +1,43 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ charset utf-8;
+ server_tokens off;
+ proxy_ssl_verify off;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location /wss/ {
+ proxy_pass https://localhost:8443;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_read_timeout 86400;
+ }
+
+ location / {
+ proxy_pass https://localhost:8443/; # The Unifi Controller Port
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ }
+
+
+}
diff --git a/roles/service-unifi/vars/main.yml b/roles/service-unifi/vars/main.yml
new file mode 100644
index 0000000..04b9985
--- /dev/null
+++ b/roles/service-unifi/vars/main.yml
@@ -0,0 +1,9 @@
+---
+
+unifi_controller_jvm_xms: "{{ unifi_controller_jvm_xmx }}"
+
+# JAVA Variables
+java_package: jre
+java_major_version: 8
+java_distribution: adoptopenjdk
+transport: adoptopenjdk-fallback