author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/unifi | |
download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip |
initial commit
Diffstat (limited to 'roles/unifi')
-rw-r--r-- | roles/unifi/files/etc/rsyslog.d/unifi.conf | 4 | ||||
-rw-r--r-- | roles/unifi/handlers/main.yml | 9 | ||||
-rw-r--r-- | roles/unifi/meta/main.yml | 8 | ||||
-rw-r--r-- | roles/unifi/tasks/main.yml | 81 | ||||
-rw-r--r-- | roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2 | 33 | ||||
-rw-r--r-- | roles/unifi/vars/main.yml | 41 |
6 files changed, 176 insertions, 0 deletions
diff --git a/roles/unifi/files/etc/rsyslog.d/unifi.conf b/roles/unifi/files/etc/rsyslog.d/unifi.conf
new file mode 100644
index 0000000..9a053cc
--- /dev/null
+++ b/roles/unifi/files/etc/rsyslog.d/unifi.conf
@@ -0,0 +1,4 @@
+input(type="imfile"
+ addMetadata="on"
+ file="/var/log/unifi/server.log"
+ tag="unifi")
diff --git a/roles/unifi/handlers/main.yml b/roles/unifi/handlers/main.yml
new file mode 100644
index 0000000..00e3a00
--- /dev/null
+++ b/roles/unifi/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart unifi
+ systemd:
+ name: unifi
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
diff --git a/roles/unifi/meta/main.yml b/roles/unifi/meta/main.yml
new file mode 100644
index 0000000..4ceca8e
--- /dev/null
+++ b/roles/unifi/meta/main.yml
@@ -0,0 +1,8 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rpmfusion-free
+ - rpmfusion-nonfree
+ - mongodb-4.4
+ tags: yum
diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml
new file mode 100644
index 0000000..683068e
--- /dev/null
+++ b/roles/unifi/tasks/main.yml
@@ -0,0 +1,81 @@
+- name: install packages
+ dnf:
+ name: '{{ unifi_packages }}'
+ state: present
+
+- name: create SELinux policy for mongodb
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: mongodb_cgroup_memory
+ selinux_policy_te: '{{ unifi_mongodb_te }}'
+ tags: selinux
+
+- name: start unifi controller
+ systemd:
+ name: unifi
+ enabled: yes
+ state: started
+
+- name: create default site
+ file:
+ path: '/var/lib/unifi/{{ item }}'
+ owner: unifi
+ group: unifi
+ state: directory
+ mode: 0750
+ loop:
+ - data
+ - data/sites
+ - data/sites/default
+
+- name: opt-out of ubiquiti analytics
+ lineinfile:
+ create: yes
+ path: /var/lib/unifi/data/sites/default/config.properties
+ regexp: ^config.system_cfg.1=system.analytics.anonymous=
+ line: config.system_cfg.1=system.analytics.anonymous=disabled
+ owner: unifi
+ group: unifi
+ mode: 0640
+ notify: restart unifi
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: unifi
+ state: enabled
+ tags: firewalld
+
+- name: forward http ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ rich_rule: 'rule family={{ item[0] }} forward-port port={{ item[1][0] }} protocol=tcp to-port={{ item[1][1] }}'
+ state: enabled
+ loop: "{{ ['ipv4', 'ipv6'] | product([[80, 8080], [443, 8443]]) }}"
+ tags: firewalld
+
+- name: generate certificate hook script
+ template:
+ src: '{{ unifi_certificate_hook_path[1:] }}.j2'
+ dest: '{{ unifi_certificate_hook_path }}'
+ mode: 0555
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: unifi
+ certificate_path: '{{ unifi_certificate_path }}'
+ certificate_key_path: '{{ unifi_certificate_key_path }}'
+ certificate_hook: '{{ unifi_certificate_hook_path }}'
+
+- name: log to rsyslog
+ copy:
+ src: etc/rsyslog.d/unifi.conf
+ dest: /etc/rsyslog.d/unifi.conf
+ notify: restart rsyslog
diff --git a/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2 b/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2
new file mode 100644
index 0000000..becb349
--- /dev/null
+++ b/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+exec 1> >(logger -s -t $(basename "$0")) 2>&1
+
+UNIFI_KEYSTORE='{{ unifi_keystore }}'
+CERT_PATH='{{ unifi_certificate_path }}'
+CA_PATH='{{ unifi_certificate_ca_path }}'
+KEY_PATH='{{ unifi_certificate_key_path }}'
+PKCS12_PATH='/etc/pki/tls/private/unifi.p12'
+PASSWORD='aircontrolenterprise'
+
+openssl pkcs12 \
+ -export \
+ -in "$CERT_PATH" \
+ -inkey "$KEY_PATH" \
+ -out "$PKCS12_PATH" \
+ -name unifi \
+ -CAfile "$CA_PATH" \
+ -caname root \
+ -password pass:"$PASSWORD"
+
+keytool \
+ -importkeystore \
+ -deststorepass "$PASSWORD" \
+ -destkeypass "$PASSWORD" \
+ -destkeystore "$UNIFI_KEYSTORE" \
+ -srckeystore "$PKCS12_PATH" \
+ -srcstoretype PKCS12 \
+ -srcstorepass "$PASSWORD" \
+ -alias unifi \
+ -noprompt
+
+systemctl restart unifi
diff --git a/roles/unifi/vars/main.yml b/roles/unifi/vars/main.yml
new file mode 100644
index 0000000..ee4362f
--- /dev/null
+++ b/roles/unifi/vars/main.yml
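Review bot: The intermediate PKCS#12 bundle that `openssl pkcs12 -export` writes to `$PKCS12_PATH` contains the private key, is created with whatever umask the hook inherits, and is never removed after `keytool -importkeystore`, so a second copy of the key lingers outside the keystore. Add `umask 077` before the openssl call and `rm -f "$PKCS12_PATH"` once keytool has succeeded, and open the script with `set -euo pipefail` so a failed export does not feed a stale bundle into keytool or restart the service on top of it. The script has no error handling at all today: each of the three commands runs regardless of whether the previous one failed. `aircontrolenterprise` is the controller's built-in keystore password rather than a site secret, so passing it via `-password pass:` is not a leak, but a comment such as `# UniFi's fixed default keystore password; not a deployment secret` would stop a maintainer from treating `PASSWORD` as something to rotate.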
@@ -0,0 +1,41 @@
+unifi_packages:
+ - java-11-openjdk-headless
+ - unifi
+ - mongodb-org-server
+
+unifi_keystore: /var/lib/unifi/data/keystore
+unifi_certificate_hook_path: /usr/local/sbin/unifi-certificate-update.sh
+unifi_certificate_path: /etc/pki/tls/certs/unifi.pem
+unifi_certificate_key_path: /etc/pki/tls/private/unifi.key
+unifi_certificate_ca_path: /etc/ipa/ca.crt
+
+unifi_autobackup_dir: /var/lib/unifi/data/backup/autobackup
+
+unifi_archive_shell: >-
+ cp --preserve=timestamps {{ unifi_autobackup_dir | quote }}/*.unf .
+
+unifi_mongodb_te: |
+ require {
+ type cgroup_t;
+ type configfs_t;
+ class dir { search getattr };
+ class file { getattr open read };
+ type file_type;
+ type mongod_t;
+ type proc_net_t;
+ type sysctl_fs_t;
+ type sysctl_net_t;
+ type var_lib_nfs_t;
+ }
+
+ #============= mongod_t ==============
+ allow mongod_t cgroup_t:dir { search getattr };
+ allow mongod_t cgroup_t:file { getattr open read };
+ allow mongod_t configfs_t:dir getattr;
+ allow mongod_t file_type:dir { getattr search };
+ allow mongod_t file_type:file getattr;
+ allow mongod_t proc_net_t:file { open read };
+ allow mongod_t sysctl_fs_t:dir search;
+ allow mongod_t sysctl_net_t:dir search;
+ allow mongod_t sysctl_net_t:file { getattr read open };
+ allow mongod_t var_lib_nfs_t:dir search; |
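Review bot: `allow mongod_t file_type:dir { getattr search };` and `allow mongod_t file_type:file getattr;` in `unifi_mongodb_te` let the database process search every labeled directory and stat every labeled file on the host, because `file_type` is the attribute carried by all file types; that gives up most of the confinement the rest of the module is trying to keep and reads like an audit2allow artefact rather than an intentional grant. The module name `mongodb_cgroup_memory` suggests the real need was cgroup and memory introspection, which the `cgroup_t`, `configfs_t`, `sysctl_*_t` and `proc_net_t` rules already cover, so regenerate the policy from the specific denied types and drop the two `file_type` lines, or add a comment stating why the blanket rule is required. Since `file_type` is an attribute, the require block presumably also needs `attribute file_type;` rather than `type file_type;` — worth confirming against the policy build on the target.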