From d7c7a1e484eb615d96ce36d7a841fbcb5efda09b Mon Sep 17 00:00:00 2001 
From: Sebastian Schmachtel Date: Thu, 22 Aug 2019 14:48:39 +0200 Subject: [PATCH] Added Unfi Server to ansible. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Squashed commit of the following: commit 3ba76f9e3c02e4a343c0af62ce0327dee6f2f109 Author: Julian Labus Date: Thu Aug 22 13:18:05 2019 +0200 make unifi.yml executable commit 36002be43a7c1af76660682469dc7efcc06fac5f Author: Sebastian Schmachtel Date: Thu Aug 22 13:10:32 2019 +0200 Changed magic < 255 commit c26bbac23620455653d8e21bf512c48493362d43 Author: Sebastian Schmachtel Date: Thu Aug 22 12:05:42 2019 +0200 Ergänzug um Installation von UNMS commit 220ba24e471f8139d775eec1d4b3da46e8befdf7 Author: Sebastian Schmachtel Date: Thu Aug 22 12:01:38 2019 +0200 moved service-nginx-unifi into service-unifi commit 570f5673c47b72e959e6da8940a9cbcbf1e496bf Author: Sebastian Schmachtel Date: Thu Aug 22 11:40:27 2019 +0200 remove lean_delivery.java from unifi playbook. already in dependencies of service-unifi commit 4775cff44d53e07b720e8760f0e4ece1460e0717 Author: Sebastian Schmachtel Date: Thu Aug 22 11:38:44 2019 +0200 adjusted readme, remove galaxy info, removed unit test commit 75711495fcb40f618cd65029ceda6b3cfed7e581 Author: Sebastian Schmachtel Date: Thu Aug 22 11:32:59 2019 +0200 fix type in unifi inventory commit 513b4f6b8f3d1426e58a19ece6514e467916d680 Author: Sebastian Schmachtel Date: Thu Aug 22 11:32:44 2019 +0200 move service-unifi back to correct location commit ea32af8275fd7e6c34281e02eeb2323cbea55f64 Author: Sebastian Schmachtel Date: Thu Aug 22 11:31:42 2019 +0200 move service-unifi to temp directory commit 87698c8d84a66cbf844e923c6dd41de87cba7759 Author: Sebastian Schmachtel Date: Thu Aug 22 02:09:17 2019 +0200 Move host definition to inentory commit b469c3f6307dbed9f40310c590abc0c672487973 Author: Sebastian Schmachtel Date: Thu Aug 22 01:52:19 2019 +0200 Add unifi.yml to site.yml, remove wireguard role from unifi.yml commit 
77fa3aa0eb04b01a7b10dd66cede41b09e0aa5c0 Author: Sebastian Schmachtel Date: Wed Aug 14 21:17:49 2019 +0200 Add unifi to wireguard commit c63b850ddd470aa43d8ec25663f086180157673d Author: Julian Labus Date: Tue Aug 13 08:35:53 2019 +0200 Add wireguard_networks for host unifi commit 21341ad359fcfe9a9e4735ca50750f1bd5ea2ab6 Author: Sebastian Schmachtel Date: Mon Aug 12 22:49:17 2019 +0200 Add unms nginx vhost commit 0c0dff99b6ddbf8c5a354cce040b649c43948d64 Author: Sebastian Schmachtel Date: Mon Aug 12 21:44:30 2019 +0200 Add java role to gitignore commit 4fa292b5e5528b732e71dfd204ce53878cc3ee7e Author: Sebastian Schmachtel Date: Mon Aug 12 21:43:50 2019 +0200 minor changes commit 25ab40e85e8b2fd6eb4a770e4c26a82894db3622 Author: Sebastian Schmachtel Date: Mon Aug 12 21:17:39 2019 +0200 move java repo to requirements.yml, replace duplicated serice-nginx with service-nginx + dependency commit d9aa004149da7ac3893b698d4dcb329236a521fe Author: Sebastian Schmachtel Date: Mon Aug 12 00:52:24 2019 +0200 Added unif host: Added java role, service-unifi role, service-nginx-unifi added unifi host --- .gitignore | 1 + inventory/group_vars/all | 40 +++++++++ inventory/host_vars/unifi.freifunk-mwu.de | 4 + inventory/services | 1 + inventory/unifi | 2 + playbooks/site.yml | 1 + playbooks/unifi.yml | 8 ++ requirements.yml | 1 + roles/service-nginx-unms/README.md | 10 +++ roles/service-nginx-unms/handlers/main.yml | 9 ++ roles/service-nginx-unms/meta/main.yml | 3 + roles/service-nginx-unms/tasks/main.yml | 10 +++ .../templates/unms_vhost.conf.j2 | 43 ++++++++++ roles/service-unifi/LICENSE | 21 +++++ roles/service-unifi/README.md | 24 ++++++ roles/service-unifi/defaults/main.yml | 5 ++ roles/service-unifi/handlers/main.yml | 17 ++++ roles/service-unifi/meta/main.yml | 4 + roles/service-unifi/tasks/install.yml | 85 +++++++++++++++++++ roles/service-unifi/tasks/main.yml | 13 +++ roles/service-unifi/templates/default.conf | 4 + roles/service-unifi/templates/tmpfiles.conf | 1 + 
.../templates/unifi_vhost.conf.j2 | 43 ++++++++++ roles/service-unifi/vars/main.yml | 9 ++ 24 files changed, 359 insertions(+) create mode 100644 inventory/host_vars/unifi.freifunk-mwu.de create mode 100644 inventory/unifi create mode 100755 playbooks/unifi.yml create mode 100644 roles/service-nginx-unms/README.md create mode 100644 roles/service-nginx-unms/handlers/main.yml create mode 100644 roles/service-nginx-unms/meta/main.yml create mode 100644 roles/service-nginx-unms/tasks/main.yml create mode 100644 roles/service-nginx-unms/templates/unms_vhost.conf.j2 create mode 100644 roles/service-unifi/LICENSE create mode 100644 roles/service-unifi/README.md create mode 100644 roles/service-unifi/defaults/main.yml create mode 100644 roles/service-unifi/handlers/main.yml create mode 100644 roles/service-unifi/meta/main.yml create mode 100644 roles/service-unifi/tasks/install.yml create mode 100644 roles/service-unifi/tasks/main.yml create mode 100644 roles/service-unifi/templates/default.conf create mode 100644 roles/service-unifi/templates/tmpfiles.conf create mode 100644 roles/service-unifi/templates/unifi_vhost.conf.j2 create mode 100644 roles/service-unifi/vars/main.yml diff --git a/.gitignore b/.gitignore index 283439a..b3510dc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ playbooks/test.yml roles/geerlingguy.mysql roles/powerdns.pdns +roles/lean_delivery.java diff --git a/inventory/group_vars/all b/inventory/group_vars/all index c50f41f..5f56abe 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all 
@@ -179,6 +179,46 @@ wireguard_networks: - kichererbse - linse port: 50027 + - ipv4: 10.87.253.56/31 + peers: + - unifi + - ingwer + port: 50028 + - ipv4: 10.87.253.58/31 + peers: + - unifi + - spinat + port: 50029 + - ipv4: 10.87.253.60/31 + peers: + - unifi + - uffschnitt + port: 50030 + - ipv4: 10.87.253.62/31 + peers: + - unifi + - lotuswurzel + port: 50031 + - ipv4: 10.87.253.64/31 + peers: + - unifi + - wasserfloh + port: 50032 + - ipv4: 10.87.253.66/31 + peers: + - unifi + - linse + port: 50033 + - ipv4: 10.87.253.68/31 + peers: + - unifi + - kichererbse + port: 50034 + - ipv4: 10.87.253.70/31 + peers: + - unifi + - suesskartoffel + port: 50035 fastd_groups: - gateways diff --git a/inventory/host_vars/unifi.freifunk-mwu.de b/inventory/host_vars/unifi.freifunk-mwu.de new file mode 100644 index 0000000..63fb387 --- /dev/null +++ b/inventory/host_vars/unifi.freifunk-mwu.de @@ -0,0 +1,4 @@ +--- +server_type: "service" + +magic: 195 diff --git a/inventory/services b/inventory/services index fde8e79..786c3e0 100644 --- a/inventory/services +++ b/inventory/services @@ -1,3 +1,4 @@ [services] kichererbse.freifunk-mwu.de linse.freifunk-mwu.de +unifi.freifunk-mwu.de diff --git a/inventory/unifi b/inventory/unifi new file mode 100644 index 0000000..5783f52 --- /dev/null +++ b/inventory/unifi @@ -0,0 +1,2 @@ +[unifi] +unifi.freifunk-mwu.de diff --git a/playbooks/site.yml b/playbooks/site.yml index fdce524..299b3af 100755 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -5,3 +5,4 @@ - import_playbook: services.yml - import_playbook: dns.yml - import_playbook: buildservers.yml +- import_playbook: unifi.yml diff --git a/playbooks/unifi.yml b/playbooks/unifi.yml new file mode 100755 index 0000000..84062ad --- /dev/null +++ b/playbooks/unifi.yml @@ -0,0 +1,8 @@ +#!/usr/bin/ansible-playbook +--- +- name: Unifi Controller. + hosts: unifi + + roles: + - service-unifi + - service-nginx-unms diff --git a/requirements.yml b/requirements.yml index ef4c8cc..2356191 100644 
--- a/requirements.yml +++ b/requirements.yml @@ -1,2 +1,3 @@ - src: geerlingguy.mysql - src: powerdns.pdns +- src: lean_delivery.java diff --git a/roles/service-nginx-unms/README.md b/roles/service-nginx-unms/README.md new file mode 100644 index 0000000..e1ef99d --- /dev/null +++ b/roles/service-nginx-unms/README.md @@ -0,0 +1,10 @@ +# Ansible role service-nginx-unms + +Diese Ansible role konfiguriert ausschließlich den erforderlichen nginx vHost. Benötigt eine Installation von unms, die auf den entsprechenden ports lauscht. + +- Verwaltet unifi vhost + +## Benötigte Variablen + +- Variable `http_domain_external` # string: Externe Freifunk MWU Domain +- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain diff --git a/roles/service-nginx-unms/handlers/main.yml b/roles/service-nginx-unms/handlers/main.yml new file mode 100644 index 0000000..8ba62c2 --- /dev/null +++ b/roles/service-nginx-unms/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/service-nginx-unms/meta/main.yml b/roles/service-nginx-unms/meta/main.yml new file mode 100644 index 0000000..814b458 --- /dev/null +++ b/roles/service-nginx-unms/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: service-nginx } diff --git a/roles/service-nginx-unms/tasks/main.yml b/roles/service-nginx-unms/tasks/main.yml new file mode 100644 index 0000000..590f3ec --- /dev/null +++ b/roles/service-nginx-unms/tasks/main.yml @@ -0,0 +1,10 @@ +--- + +- name: write unifi.conf + template: + src: unms_vhost.conf.j2 + dest: /etc/nginx/conf.d/unms.conf + owner: root + group: root + mode: 0644 + notify: reload nginx diff --git a/roles/service-nginx-unms/templates/unms_vhost.conf.j2 b/roles/service-nginx-unms/templates/unms_vhost.conf.j2 new file mode 100644 index 0000000..d4c7701 --- /dev/null +++ b/roles/service-nginx-unms/templates/unms_vhost.conf.j2 
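Review bot: The new `- src: lean_delivery.java` entry carries no `version:`, so every `ansible-galaxy install -r requirements.yml` pulls whatever that Galaxy role's default branch holds at the time, and the role is then executed on the UniFi host (presumably with root privileges, since it installs the JRE). Add a `version:` key with a release tag, and optionally a full git URL in `src:`, so the dependency is reproducible and a changed or compromised upstream branch cannot silently alter what the playbook runs. The two pre-existing entries have the same gap; this change is the moment to pin all three instead of adding a third mutable root-level dependency.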
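Review bot: The task in roles/service-nginx-unms/tasks/main.yml is named `write unifi.conf` but its `dest` is `/etc/nginx/conf.d/unms.conf`, so play output reports the wrong file when this role is debugged; rename it `- name: write unms.conf`. Unlike the apt and user tasks in service-unifi, this task has no `become: yes`, which presumably relies on the play already running as root; making it explicit avoids a permission failure on `/etc/nginx/conf.d` under an unprivileged connection user.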
@@ -0,0 +1,43 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ charset utf-8;
+ server_tokens off;
+ proxy_ssl_verify off;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location /wss/ {
+ proxy_pass https://localhost:9443;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_read_timeout 86400;
+ }
+
+ location / {
+ proxy_pass https://localhost:9443/; # The Unifi Controller Port
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ }
+
+
+}
diff --git a/roles/service-unifi/LICENSE b/roles/service-unifi/LICENSE
new file mode 100644
index 0000000..23e2c1d
--- /dev/null
+++ b/roles/service-unifi/LICENSE
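Review bot: Both `server_name` lines in unms_vhost.conf.j2 list `unifi.{{ http_domain_internal }}`, the same name the unifi vhost added in this commit claims, so nginx will warn about a conflicting server name and serve that host from whichever conf.d file it loads first; requests for the internal name meant for UNMS on port 9443 then land on the UniFi controller instead. This looks like a copy-paste slip and should read `server_name unms.{{ http_domain_external }} unms.{{ http_domain_internal }};` in both server blocks. The certificate path is built from `{{ inventory_hostname_short }}.{{ http_domain_external }}`, i.e. the unifi host's own cert; unless that certificate carries the `unms.` name as a SAN, TLS clients will see a name mismatch, which is worth confirming before deploying. The header `X-Forward-For` should be `X-Forwarded-For`, and the comment `# The Unifi Controller Port` is misleading next to the UNMS port `9443`.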
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015 Günter Grodotzki + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/roles/service-unifi/README.md b/roles/service-unifi/README.md new file mode 100644 index 0000000..308ea04 --- /dev/null +++ b/roles/service-unifi/README.md @@ -0,0 +1,24 @@ + +# Ansible Role: UniFi controller + +An Ansible role that installs UniFi Controller (Ubiquiti Networks) on Debian like systems. Also configures reuqired nginx vhost. + +## Requirements + +none + +## Role Variables + +- `unifi_controller_jvm_xmx: 1024M` +- `unifi_user: unifi` + +## Dependencies + +- lean_delivery.java +- service-nginx + +## Example Playbook + + - hosts: gw + roles: + - { role: service-unifi } diff --git a/roles/service-unifi/defaults/main.yml b/roles/service-unifi/defaults/main.yml new file mode 100644 index 0000000..02c2a30 --- /dev/null +++ b/roles/service-unifi/defaults/main.yml @@ -0,0 +1,5 @@ +--- + +unifi_controller_jvm_xmx: 1024M + +unifi_user: unifi 
diff --git a/roles/service-unifi/handlers/main.yml b/roles/service-unifi/handlers/main.yml new file mode 100644 index 0000000..f98f701 --- /dev/null +++ b/roles/service-unifi/handlers/main.yml @@ -0,0 +1,17 @@ +--- + +- name: restart_unifi + service: + name: unifi + state: restarted + enabled: yes + become: yes + +- name: reload systemd + systemd: + daemon_reload: yes + +- name: reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/service-unifi/meta/main.yml b/roles/service-unifi/meta/main.yml new file mode 100644 index 0000000..fb90194 --- /dev/null +++ b/roles/service-unifi/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - { role: lean_delivery.java } + - { role: service-nginx } diff --git a/roles/service-unifi/tasks/install.yml b/roles/service-unifi/tasks/install.yml new file mode 100644 index 0000000..2d8779f --- /dev/null +++ b/roles/service-unifi/tasks/install.yml 
@@ -0,0 +1,85 @@
+---
+
+- name: check for systemd
+ command: systemctl --version
+ register: unifi_controller_systemctl_version
+ ignore_errors: yes
+
+- name: add apt-key unifi
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: 06E85760C0A52C50
+ become: yes
+
+- name: add apt-repo unifi
+ apt_repository:
+ repo: deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti
+ state: present
+ become: yes
+
+- name: add apt-key mongodb
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: 58712A2291FA4AD5
+ become: yes
+
+- name: add apt-repo mongodb
+ apt_repository:
+ repo: deb [arch=amd64] https://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
+ state: present
+ become: yes
+
+- name: install unifi-controller
+ apt:
+ name: unifi
+ state: present
+ update_cache: yes
+ cache_valid_time: 3600
+ become: yes
+
+- name: create unifi user
+ user:
+ name: "{{ unifi_user }}"
+ shell: /usr/sbin/nologin
+ home: /var/lib/unifi
+ system: yes
+ become: yes
+ when: unifi_user != 'root'
+
+- name: fix perms
+ file:
+ path: "{{ item }}"
+ state: directory
+ recurse: yes
+ owner: "{{ unifi_user }}"
+ with_items:
+ - /var/log/unifi
+ - /var/lib/unifi
+ - /var/run/unifi
+ become: yes
+ notify: restart_unifi
+
+- name: perma run folder
+ template:
+ src: tmpfiles.conf
+ dest: /etc/tmpfiles.d/unifi.conf
+ mode: 0644
+ become: yes
+ when: unifi_controller_systemctl_version is success
+
+- name: add default-conf
+ template:
+ src: default.conf
+ dest: /etc/default/unifi
+ mode: 0644
+ become: yes
+ notify: restart_unifi
+
+- name: write unifi.conf
+ template:
+ src: unifi_vhost.conf.j2
+ dest: /etc/nginx/conf.d/unifi.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
diff --git a/roles/service-unifi/tasks/main.yml b/roles/service-unifi/tasks/main.yml
new file mode 100644
index 0000000..35c9f1a
--- /dev/null
+++ b/roles/service-unifi/tasks/main.yml
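Review bot: The `add apt-repo unifi` task registers `deb [trusted=yes arch=amd64] http://apt.lecomte.at/repacks/debian/ buster ubiquiti`, which turns off apt's signature verification for a third-party repack mirror reached over plain HTTP, so anyone able to tamper with that connection or that mirror can hand the host an arbitrary `unifi` package which the following `apt` task installs as root; the Ubiquiti key imported just before it is never consulted for this source. Drop `trusted=yes`, switch to an `https://` URL and import the key that actually signs that mirror, or, if the mirror is unsigned, fetch the .deb with `get_url` plus a `checksum:` and install it with the `apt` module's `deb:` option. Both `apt_key` tasks fetch by 64-bit key ID from `keyserver.ubuntu.com` over HKP; pointing `url:` at the vendor's published key file and giving the full 40-character fingerprint in `id:` makes a substituted or colliding key fail instead of being accepted. The MongoDB source targets `stretch` while the unifi source targets `buster`; if that is deliberate for the 3.6 series it deserves a comment such as `# mongodb-org 3.6 ships no buster suite; stretch packages are used on purpose`. This hunk is the complete install.yml.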
@@ -0,0 +1,13 @@
+---
+
+- name: get java-home
+ shell: ls /etc/alternatives/java -l | cut -d' ' -f11| sed 's/bin\/java//g'
+ register: unifi_raw_java_home
+ when: unifi_java_home is not defined
+
+- name: set java-home
+ set_fact:
+ unifi_java_home: "{{ unifi_raw_java_home.stdout }}"
+ when: unifi_java_home is not defined
+
+- include: install.yml
diff --git a/roles/service-unifi/templates/default.conf b/roles/service-unifi/templates/default.conf
new file mode 100644
index 0000000..b5c04b1
--- /dev/null
+++ b/roles/service-unifi/templates/default.conf
@@ -0,0 +1,4 @@
+JVM_MAX_HEAP_SIZE={{ unifi_controller_jvm_xmx }}
+JVM_INIT_HEAP_SIZE={{ unifi_controller_jvm_xms }}
+JSVC_EXTRA_OPTS="-user {{ unifi_user }} -cwd /usr/lib/unifi"
+JAVA_HOME="{{ unifi_java_home }}"
diff --git a/roles/service-unifi/templates/tmpfiles.conf b/roles/service-unifi/templates/tmpfiles.conf
new file mode 100644
index 0000000..c24d385
--- /dev/null
+++ b/roles/service-unifi/templates/tmpfiles.conf
@@ -0,0 +1 @@
+D /run/unifi 0755 {{ unifi_user }} root
diff --git a/roles/service-unifi/templates/unifi_vhost.conf.j2 b/roles/service-unifi/templates/unifi_vhost.conf.j2
new file mode 100644
index 0000000..21f03f3
--- /dev/null
+++ b/roles/service-unifi/templates/unifi_vhost.conf.j2
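Review bot: The `get java-home` task derives JAVA_HOME by slicing `ls -l` output with `cut -d' ' -f11`, which silently yields an empty or wrong path whenever the listing has a different number of fields (a path with spaces, or a locale whose date format splits differently), and the resulting `JAVA_HOME=""` in /etc/default/unifi only shows up when the service fails to start. Resolve the link directly instead: `command: readlink -f /etc/alternatives/java` with `changed_when: false`, and set the fact with `unifi_java_home: "{{ unifi_raw_java_home.stdout | regex_replace('bin/java$', '') }}"`. The `changed_when` also stops every run from reporting a change for a read-only command, and `- include: install.yml` should become `- import_tasks: install.yml`, since bare `include` is deprecated in the Ansible releases that provide `import_tasks`.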
@@ -0,0 +1,43 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name unifi.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+
+ charset utf-8;
+ server_tokens off;
+ proxy_ssl_verify off;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location /wss/ {
+ proxy_pass https://localhost:8443;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_read_timeout 86400;
+ }
+
+ location / {
+ proxy_pass https://localhost:8443/; # The Unifi Controller Port
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ }
+
+
+}
diff --git a/roles/service-unifi/vars/main.yml b/roles/service-unifi/vars/main.yml
new file mode 100644
index 0000000..04b9985
--- /dev/null
+++ b/roles/service-unifi/vars/main.yml
@@ -0,0 +1,9 @@
+---
+
+unifi_controller_jvm_xms: "{{ unifi_controller_jvm_xmx }}"
+
+# JAVA Variables
+java_package: jre
+java_major_version: 8
+java_distribution: adoptopenjdk
+transport: adoptopenjdk-fallback
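Review bot: `proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;` in the `location /` block misspells the header, so the controller behind nginx never receives the client address in the standard `X-Forwarded-For` field; change it to `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and add `proxy_set_header X-Forwarded-Proto https;` so the backend knows the original scheme. `proxy_ssl_verify off;` is defensible for a loopback upstream that presents the controller's self-signed certificate, but it deserves an inline comment (`# upstream is localhost with a self-signed cert; nothing to verify`) so the line is not copied to a non-loopback upstream later. The vhost exposes the controller admin UI under both the external and the internal name with no `allow`/`deny` or client-certificate restriction; if the external name is internet-reachable that may be intended, but it should be a recorded decision in the role README rather than an implicit one.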