Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+
+unifi_root_dir: /opt/unifi
+unifi_version: 6.5.53
+unifi_archive_url: https://www.ubnt.com/downloads/unifi/{{ unifi_version }}/UniFi.unix.zip
+unifi_archive_sha1: 17fc9cf63ffc24d38d2a9723ae6437e1161675db
+unifi_manage_upgrade: True
+unifi_http_port: 8080
+unifi_https_port: 8443
+unifi_portal_http_port: 8880
+unifi_portal_https_port: 8843
+unifi_http_ports:
+  - "{{ unifi_http_port }}"
+  - "{{ unifi_https_port }}"
+  - "{{ unifi_portal_http_port }}"
+  - "{{ unifi_portal_https_port }}"
+unifi_stun_ports:
+  - 3478
+unifi_http_src_ip: []
+unifi_stun_src_ip: []
+# Max memory, in MB
+unifi_mem_limit: 2048
--- a/roles/unifi/handlers/main.yml
+++ b/roles/unifi/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart unifi
+  service: name=unifi state=restarted
--- a/roles/unifi/meta/main.yml
+++ b/roles/unifi/meta/main.yml
@@ -0,0 +1,7 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_mongodb # MongoDB isn't in base repo anymore on EL8
+    vars:
+      - mongo_major_version: 3.4 # Unifi recommends Mong 3.4
--- a/roles/unifi/tasks/filebeat.yml
+++ b/roles/unifi/tasks/filebeat.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/unifi.yml
+  tags: unifi,log
--- a/roles/unifi/tasks/main.yml
+++ b/roles/unifi/tasks/main.yml
@@ -0,0 +1,236 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: unifi
+
+- name: Set default install mode to none
+  set_fact: unifi_install_mode="none"
+  tags: unifi
+
+- name: Remove mongodb from base repo
+  yum: name=mongodb-server state=absent
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version is version('8','<')
+  tags: unifi
+
+- name: Install dependencies
+  yum: name={{ unifi_packages }}
+  notify: restart unifi
+  tags: unifi
+
+- name: Create a system account to run unifi
+  user:
+    name: unifi
+    comment: "Unifi system account"
+    system: True
+    shell: /sbin/nologin
+  tags: unifi
+
+- name: Check if unifi is installed
+  stat: path={{ unifi_root_dir }}/meta/ansible_version
+  register: unifi_version_file
+  tags: unifi
+
+- name: Check installed version
+  command:  cat {{ unifi_root_dir }}/meta/ansible_version
+  register: unifi_current_version
+  changed_when: False
+  when: unifi_version_file.stat.exists
+  tags: unifi
+
+- name: Set install mode to install
+  set_fact: unifi_install_mode='install'
+  when: not unifi_version_file.stat.exists
+  tags: unifi
+
+- name: Set install mode to upgrade
+  set_fact: unifi_install_mode='upgrade'
+  when:
+    - unifi_version_file.stat.exists
+    - unifi_current_version is defined
+    - unifi_current_version.stdout != unifi_version
+    - unifi_manage_upgrade == True
+  tags: unifi
+
+- name: Create archive directory
+  file: path={{ unifi_root_dir }}/archives/{{ unifi_current_version.stdout }} state=directory
+  when: unifi_install_mode == 'upgrade'
+  tags: unifi
+
+- name: Stop the service
+  service: name=unifi state=stopped
+  when: unifi_install_mode == 'upgrade'
+  tags: unifi
+
+- name: Archive current version
+  synchronize:
+    src: "{{ unifi_root_dir }}/app"
+    dest: "{{ unifi_root_dir }}/archives/{{ unifi_current_version.stdout }}/"
+    recursive: True
+    delete: True
+    compress: False
+    rsync_opts:
+      - '--sparse'
+  delegate_to: "{{ inventory_hostname }}"
+  when: unifi_install_mode == 'upgrade'
+  tags: unifi
+
+- name: Create directories
+  file: path={{ unifi_root_dir }}/{{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  with_items:
+    - path: tmp
+    - path: app
+      owner: unifi
+      group: unifi
+    - path: 'app/data'
+      owner: unifi
+      group: unifi
+      mode: 700
+    - path: meta
+    - path: archives
+    - path: backup
+      owner: unifi
+      group: unifi
+      mode: 700
+  tags: unifi
+
+- name: Download unifi archive
+  get_url:
+    url: "{{ unifi_archive_url }}"
+    dest: "{{ unifi_root_dir }}/tmp"
+    checksum: "sha1:{{ unifi_archive_sha1 }}"
+  when: unifi_install_mode != 'none'
+  tags: unifi
+
+- name: Extract Unifi
+  unarchive:
+    src: "{{ unifi_root_dir }}/tmp/UniFi.unix.zip"
+    dest: "{{ unifi_root_dir }}/tmp"
+    owner: unifi
+    group: unifi
+    remote_src: True
+  when: unifi_install_mode != 'none'
+  tags: unifi
+
+- name: Move unifi to its final directory
+  synchronize:
+    src: "{{ unifi_root_dir }}/tmp/UniFi/{{ item }}"
+    dest: "{{ unifi_root_dir }}/app/"
+    delete: True
+    recursive: True
+  with_items:
+    - bin
+    - conf
+    - dl
+    - lib
+    - webapps
+  delegate_to: "{{ inventory_hostname }}"
+  when: unifi_install_mode != 'none'
+  tags: unifi
+
+- name: Handle unifi HTTP ports
+  iptables_raw:
+    name: unifi_http_ports
+    state: "{{ (unifi_http_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ unifi_http_ports | join(',') }} -s {{ unifi_http_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [firewall,unifi]
+
+- name: Handle unifi STUN ports
+  iptables_raw:
+    name: unifi_stun_ports
+    state: "{{ (unifi_stun_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p udp -m multiport --dports {{ unifi_stun_ports | join(',') }} -s {{ unifi_stun_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [firewall,unifi]
+
+- name: Check if a config file already exists
+  stat: path={{ unifi_root_dir }}/app/data/system.properties
+  register: unifi_config
+  tags: unifi
+
+- name: Init config file
+  copy: content="is_default=true" dest={{ unifi_root_dir }}/app/data/system.properties owner=unifi group=unifi mode=640
+  when: not unifi_config.stat.exists
+  tags: unifi
+
+- name: Configure UniFi Controller
+  lineinfile:
+    path: "{{ unifi_root_dir }}/app/data/system.properties"
+    regexp: "^{{ item.option }}.*"
+    line: "{{ item.option }}={{ item.value }}"
+  with_items:
+    - option: unifi.xmx
+      value: 4096
+    - option: unifi.xms
+      value: 4096
+    - option: unifi.G1GC.enabled
+      value: 'true'
+    - option: autobackup.dir
+      value: "{{ unifi_root_dir }}/backup"
+    - option: unifi.http.port
+      value: "{{ unifi_http_port }}"
+    - option: unifi.https.port
+      value: "{{ unifi_https_port }}"
+    - option: portal.http.port
+      value: "{{ unifi_portal_http_port }}"
+    - option: portal.https.port
+      value: "{{ unifi_portal_https_port }}"
+    - option: uuid
+      value: "{{ inventory_hostname | to_uuid }}"
+  notify: restart unifi
+  tags: unifi
+
+- name: Deploy unit file
+  template: src=unifi.service.j2 dest=/etc/systemd/system/unifi.service
+  notify: restart unifi
+  register: unifi_unit
+  tags: unifi
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: unifi_unit.changed
+  tags: unifi
+
+- name: Deploy pre and post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/unifi mode=755
+  loop:
+    - pre
+    - post
+  tags: unifi
+
+- name: Start and enable the service
+  service: name=unifi state=started enabled=True
+  tags: unifi
+
+- name: Compress previous version
+  command: tar cf {{ unifi_root_dir }}/archives/{{ unifi_current_version.stdout }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ unifi_root_dir }}/archives/{{ unifi_current_version.stdout }}"
+    warn: False
+  when: unifi_install_mode == 'upgrade'
+  tags: unifi
+
+- name: Remove archive dir
+  file: path={{ unifi_root_dir }}/archives/{{ unifi_current_version.stdout }} state=absent
+  when: unifi_install_mode == 'upgrade'
+  tags: unifi
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ unifi_root_dir }}/tmp/UniFi.unix.zip"
+    - "{{ unifi_root_dir }}/tmp/UniFi"
+  tags: unifi
+
+- name: Write version installed
+  copy: content={{ unifi_version }} dest={{ unifi_root_dir }}/meta/ansible_version
+  tags: unifi
+
+- include: filebeat.yml
--- a/roles/unifi/templates/filebeat.yml.j2
+++ b/roles/unifi/templates/filebeat.yml.j2
@@ -0,0 +1,5 @@
+- type: log
+  enabled: True
+  paths:
+    - {{ unifi_root_dir }}/app/logs/*.log
+  exclude_files: ['\.\d+$']
--- a/roles/unifi/templates/post-backup.sh.j2
+++ b/roles/unifi/templates/post-backup.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -rf {{ unifi_root_dir }}/backup/mongo/*
--- a/roles/unifi/templates/pre-backup.sh.j2
+++ b/roles/unifi/templates/pre-backup.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p {{ unifi_root_dir }}/backup/mongo
+mongodump --quiet --port 27117 --out {{ unifi_root_dir }}/backup/mongo
--- a/roles/unifi/templates/system.properties.j2
+++ b/roles/unifi/templates/system.properties.j2
@@ -0,0 +1,10 @@
+unifi.xmx={{ unifi_mem_limit }}
+unifi.xms={{ unifi_mem_limit }}
+unifi.G1GC.enabled=true
+autobackup.dir={{ unifi_root_dir }}/backup
+unifi.http.port={{ unifi_http_port }}
+unifi.https.port={{ unifi_https_port }}
+portal.http.port={{ unifi_portal_http_port }}
+portal.https.port={{ unifi_portal_https_port }}
+is_default=false
+uuid={{ inventory_hostname | to_uuid }}
--- a/roles/unifi/templates/unifi.service.j2
+++ b/roles/unifi/templates/unifi.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Ubiquiti's UniFi Controller
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=unifi
+WorkingDirectory={{ unifi_root_dir }}/app
+ExecStart=/usr/bin/java -Djava.awt.headless=true -Xmx{{ unifi_mem_limit }}M -Xms{{ unifi_mem_limit }}M -Djava.net.preferIPv4Stack=true {% if system_proxy is defined and system_proxy != '' %}-Dhttp.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttp.proxyPort={{ system_proxy | urlsplit('port') }} -Dhttps.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttps.proxyPort={{ system_proxy | urlsplit('port') }} {% endif %}-jar {{ unifi_root_dir }}/app/lib/ace.jar start
+ExecStop=/usr/bin/java -jar {{ unifi_root_dir }}/app/lib/ace.jar stop
+SuccessExitStatus=143
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ unifi_mem_limit * 2 }}M
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/unifi/vars/RedHat-7.yml
+++ b/roles/unifi/vars/RedHat-7.yml
@@ -0,0 +1,6 @@
+---
+
+unifi_packages:
+  - java-1.8.0-openjdk-headless
+  - mongodb-org-server
+  - mongodb-org
--- a/roles/unifi/vars/RedHat-8.yml
+++ b/roles/unifi/vars/RedHat-8.yml
@@ -0,0 +1,6 @@
+---
+
+unifi_packages:
+  - java-1.8.0-openjdk-headless
+  - mongodb-org-server
+  - mongodb-org