authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/unifi
initial commit
Diffstat (limited to 'roles/unifi')
-rw-r--r--roles/unifi/files/etc/rsyslog.d/unifi.conf4
-rw-r--r--roles/unifi/handlers/main.yml9
-rw-r--r--roles/unifi/meta/main.yml8
-rw-r--r--roles/unifi/tasks/main.yml81
-rw-r--r--roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j233
-rw-r--r--roles/unifi/vars/main.yml41
6 files changed, 176 insertions, 0 deletions
diff --git a/roles/unifi/files/etc/rsyslog.d/unifi.conf b/roles/unifi/files/etc/rsyslog.d/unifi.conf
new file mode 100644
index 0000000..9a053cc
--- /dev/null
+++ b/roles/unifi/files/etc/rsyslog.d/unifi.conf
@@ -0,0 +1,4 @@
+input(type="imfile"
+ addMetadata="on"
+ file="/var/log/unifi/server.log"
+ tag="unifi")
diff --git a/roles/unifi/handlers/main.yml b/roles/unifi/handlers/main.yml
new file mode 100644
index 0000000..00e3a00
--- /dev/null
+++ b/roles/unifi/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart unifi
+ systemd:
+ name: unifi
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
diff --git a/roles/unifi/meta/main.yml b/roles/unifi/meta/main.yml
new file mode 100644
index 0000000..4ceca8e
--- /dev/null
+++ b/roles/unifi/meta/main.yml
@@ -0,0 +1,8 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rpmfusion-free
+ - rpmfusion-nonfree
+ - mongodb-4.4
+ tags: yum
diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml
new file mode 100644
index 0000000..683068e
--- /dev/null
+++ b/roles/unifi/tasks/main.yml
@@ -0,0 +1,81 @@
+- name: install packages
+ dnf:
+ name: '{{ unifi_packages }}'
+ state: present
+
+- name: create SELinux policy for mongodb
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: mongodb_cgroup_memory
+ selinux_policy_te: '{{ unifi_mongodb_te }}'
+ tags: selinux
+
+- name: start unifi controller
+ systemd:
+ name: unifi
+ enabled: yes
+ state: started
+
+- name: create default site
+ file:
+ path: '/var/lib/unifi/{{ item }}'
+ owner: unifi
+ group: unifi
+ state: directory
+ mode: 0750
+ loop:
+ - data
+ - data/sites
+ - data/sites/default
+
+- name: opt-out of ubiquiti analytics
+ lineinfile:
+ create: yes
+ path: /var/lib/unifi/data/sites/default/config.properties
+ regexp: ^config.system_cfg.1=system.analytics.anonymous=
+ line: config.system_cfg.1=system.analytics.anonymous=disabled
+ owner: unifi
+ group: unifi
+ mode: 0640
+ notify: restart unifi
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: unifi
+ state: enabled
+ tags: firewalld
+
+- name: forward http ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ rich_rule: 'rule family={{ item[0] }} forward-port port={{ item[1][0] }} protocol=tcp to-port={{ item[1][1] }}'
+ state: enabled
+ loop: "{{ ['ipv4', 'ipv6'] | product([[80, 8080], [443, 8443]]) }}"
+ tags: firewalld
+
+- name: generate certificate hook script
+ template:
+ src: '{{ unifi_certificate_hook_path[1:] }}.j2'
+ dest: '{{ unifi_certificate_hook_path }}'
+ mode: 0555
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: unifi
+ certificate_path: '{{ unifi_certificate_path }}'
+ certificate_key_path: '{{ unifi_certificate_key_path }}'
+ certificate_hook: '{{ unifi_certificate_hook_path }}'
+
+- name: log to rsyslog
+ copy:
+ src: etc/rsyslog.d/unifi.conf
+ dest: /etc/rsyslog.d/unifi.conf
+ notify: restart rsyslog
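Review bot: The `mode:` values in the `create default site`, `opt-out of ubiquiti analytics` and `generate certificate hook script` tasks are unquoted octal literals (`0750`, `0640`, `0555`); a YAML 1.1 loader reads them as integers, and Ansible's file-module documentation warns that the leading-zero form can fail in loops, which is exactly how `create default site` is written. Quote them so the module receives the intended octal text: `mode: '0750'`, `mode: '0640'`, `mode: '0555'`. Separately, the `log to rsyslog` copy task sets no `mode`, so the dropped-in file gets whatever the remote default umask yields; `mode: '0644'` would make the result explicit and idempotent across hosts.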
diff --git a/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2 b/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2
new file mode 100644
index 0000000..becb349
--- /dev/null
+++ b/roles/unifi/templates/usr/local/sbin/unifi-certificate-update.sh.j2
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+exec 1> >(logger -s -t $(basename "$0")) 2>&1
+
+UNIFI_KEYSTORE='{{ unifi_keystore }}'
+CERT_PATH='{{ unifi_certificate_path }}'
+CA_PATH='{{ unifi_certificate_ca_path }}'
+KEY_PATH='{{ unifi_certificate_key_path }}'
+PKCS12_PATH='/etc/pki/tls/private/unifi.p12'
+PASSWORD='aircontrolenterprise'
+
+openssl pkcs12 \
+ -export \
+ -in "$CERT_PATH" \
+ -inkey "$KEY_PATH" \
+ -out "$PKCS12_PATH" \
+ -name unifi \
+ -CAfile "$CA_PATH" \
+ -caname root \
+ -password pass:"$PASSWORD"
+
+keytool \
+ -importkeystore \
+ -deststorepass "$PASSWORD" \
+ -destkeypass "$PASSWORD" \
+ -destkeystore "$UNIFI_KEYSTORE" \
+ -srckeystore "$PKCS12_PATH" \
+ -srcstoretype PKCS12 \
+ -srcstorepass "$PASSWORD" \
+ -alias unifi \
+ -noprompt
+
+systemctl restart unifi
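Review bot: The hook runs with no `set -e`, so if the `openssl pkcs12 -export` step fails (missing key, unreadable CA file) the script still runs `keytool -importkeystore` against a stale or absent `unifi.p12` and then restarts the controller, which is the one outcome a renewal hook should avoid. It also leaves a second copy of the private key behind in `/etc/pki/tls/private/unifi.p12`, written with whatever umask the caller had; the `aircontrolenterprise` string appears to be the controller's fixed keystore password rather than a deployment secret, so the exposure is the extra key file, not the password. The `$(basename "$0")` in the `logger` call is also unquoted. Proposed changes: fail fast, tighten the umask before the export, quote the tag, and remove the intermediate PKCS#12 after a successful import.
```bash
#!/bin/bash
set -euo pipefail
umask 077

exec 1> >(logger -s -t "$(basename "$0")") 2>&1

# … unchanged: variable assignments, openssl pkcs12 export, keytool import …

rm -f "$PKCS12_PATH"
systemctl restart unifi
```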
diff --git a/roles/unifi/vars/main.yml b/roles/unifi/vars/main.yml
new file mode 100644
index 0000000..ee4362f
--- /dev/null
+++ b/roles/unifi/vars/main.yml
@@ -0,0 +1,41 @@
+unifi_packages:
+ - java-11-openjdk-headless
+ - unifi
+ - mongodb-org-server
+
+unifi_keystore: /var/lib/unifi/data/keystore
+unifi_certificate_hook_path: /usr/local/sbin/unifi-certificate-update.sh
+unifi_certificate_path: /etc/pki/tls/certs/unifi.pem
+unifi_certificate_key_path: /etc/pki/tls/private/unifi.key
+unifi_certificate_ca_path: /etc/ipa/ca.crt
+
+unifi_autobackup_dir: /var/lib/unifi/data/backup/autobackup
+
+unifi_archive_shell: >-
+ cp --preserve=timestamps {{ unifi_autobackup_dir | quote }}/*.unf .
+
+unifi_mongodb_te: |
+ require {
+ type cgroup_t;
+ type configfs_t;
+ class dir { search getattr };
+ class file { getattr open read };
+ type file_type;
+ type mongod_t;
+ type proc_net_t;
+ type sysctl_fs_t;
+ type sysctl_net_t;
+ type var_lib_nfs_t;
+ }
+
+ #============= mongod_t ==============
+ allow mongod_t cgroup_t:dir { search getattr };
+ allow mongod_t cgroup_t:file { getattr open read };
+ allow mongod_t configfs_t:dir getattr;
+ allow mongod_t file_type:dir { getattr search };
+ allow mongod_t file_type:file getattr;
+ allow mongod_t proc_net_t:file { open read };
+ allow mongod_t sysctl_fs_t:dir search;
+ allow mongod_t sysctl_net_t:dir search;
+ allow mongod_t sysctl_net_t:file { getattr read open };
+ allow mongod_t var_lib_nfs_t:dir search;
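Review bot: The two `file_type` rules in `unifi_mongodb_te` (`allow mongod_t file_type:dir { getattr search }` and `allow mongod_t file_type:file getattr`) are far broader than the rest of the module: `file_type` is the attribute carried by every file-backed type on the system, so mongod is granted stat and directory search across the entire filesystem, well beyond the cgroup/proc/sysctl visibility the other rules describe. This looks like unfiltered audit2allow output (the `var_lib_nfs_t:dir search` rule has the same flavour); the denials that produced it were presumably against a handful of specific paths, so the rules should be narrowed to those concrete types, or dropped if the `cgroup_t`, `proc_net_t` and `sysctl_*` allows already satisfy the memory-accounting lookups the module name suggests. A short comment above the block recording which denials each rule addresses, e.g. `# from audit2allow on <date>: mongod reading /sys/fs/cgroup memory limits`, would make the next review of this policy much easier. The module name `mongodb_cgroup_memory` that this TE is loaded under is set in the tasks file, outside this hunk.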