Diffstat (limited to 'hosts/common')
-rw-r--r--hosts/common/nas.nix1
-rw-r--r--hosts/common/server/unifi.nix53
2 files changed, 54 insertions, 0 deletions
diff --git a/hosts/common/nas.nix b/hosts/common/nas.nix
index 4b41e64..2e1b6fc 100644
--- a/hosts/common/nas.nix
+++ b/hosts/common/nas.nix
@@ -8,6 +8,7 @@
     ./server/grafana.nix
     ./server/traefik.nix
     ./server/transmission.nix
+    ./server/unifi.nix
   ];
 
   users.groups.nas.gid = 5000;
diff --git a/hosts/common/server/unifi.nix b/hosts/common/server/unifi.nix
new file mode 100644
index 0000000..1da8709
--- /dev/null
+++ b/hosts/common/server/unifi.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+let
+  allowedRules = {
+    # https://help.ubnt.com/hc/en-us/articles/218506997
+    allowedTCPPorts = [
+      8080 # Port for UAP to inform controller.
+      8880 # Port for HTTP portal redirect, if guest portal is enabled.
+      8843 # Port for HTTPS portal redirect, ditto.
+      6789 # Port for UniFi mobile speed test.
+    ];
+    allowedUDPPorts = [
+      3478 # UDP port used for STUN.
+      10001 # UDP port used for device discovery.
+    ];
+  };
+in {
+  config = {
+    networking.firewall.allowedTCPPorts = [ 8443 ];
+    networking.firewall = allowedRules;
+    users.users.unifi.group = "unifi";
+    users.users.unifi.isSystemUser = true;
+    users.groups.unifi = { };
+
+    services.unifi = {
+      enable = true;
+      openPorts = true;
+      openFirewall = true;
+    };
+
+    services.prometheus.exporters.unifi = {
+      enable = true;
+      unifiAddress = "https://localhost:8443/";
+      unifiInsecure = true;
+      influxdb.disable = true;
+      prometheus = { http_listen = ":9130"; };
+    };
+
+    systemd.services.unifi-available = {
+      description = "Wait for Unifi to be available";
+      after = [ "unifi.service" ];
+      before = [ "prometheus-unifi-exporter.service" ];
+      wantedBy = [ "prometheus-unifi-exporter.service" ];
+      serviceConfig = {
+        ExecStart =
+          "${pkgs.curl}/bin/curl --insecure 'https://localhost:8443/'";
+        Restart = "on-failure";
+        RestartSec = "10";
+        Type = "oneshot";
+      };
+    };
+  };
+}
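Review bot: TLS verification is disabled on both loopback connections to the controller — `unifiInsecure = true` on the exporter and `curl --insecure` in the readiness probe — and the exporter presumably logs into the controller over that unverified connection (its credentials are not in this diff), so a local process that binds 8443 before unifi.service is up would both satisfy the probe and receive the login; if the controller's certificate cannot be trusted system-wide, at least keep the exporter off the network with `prometheus = { http_listen = "127.0.0.1:9130"; };`, since `:9130` binds every interface and serves unauthenticated client/device metrics (only the default NixOS firewall keeps it closed). The probe also succeeds on any HTTP response, because curl exits non-zero only on transport errors; `--fail --silent --max-time 10` would make the gate mean what it says. Note that `wantedBy`/`before` alone never make the exporter wait for the probe to succeed — a failed wanted unit does not block its dependent — so `requiredBy` is what the ordering seems to intend. Finally, `openPorts` and `openFirewall` look like two names for the same option, and the hand-written `allowedRules` plus the explicit 8443 duplicate what it already opens, all on every interface including the controller's admin UI; if the controller is only reached from the LAN or via the traefik instance imported alongside it, `networking.firewall.interfaces.<lan>.allowedTCPPorts` would limit that exposure.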