From db54b03aa8a5f408f9def45133667f9edf993966 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Wed, 12 Feb 2025 06:47:37 -0600 Subject: [PATCH 1/8] r/unifi: Switching to custom container image The _linuxserver.io_ image for UniFi Network is deprecated. It sucked anyway. I've created a simple image based on Debian that installs the _unifi_ package from the upstream apt repository. This image doesn't require running anything as _root_, so it doesn't need a user namespace. --- hosts | 5 +++ roles/unifi/defaults/main.yml | 2 +- roles/unifi/tasks/deploy.yml | 45 ------------------------ roles/unifi/templates/unifi.container.j2 | 11 +++--- 4 files changed, 13 insertions(+), 50 deletions(-) diff --git a/hosts b/hosts index fd6b5fe..982b023 100644 --- a/hosts +++ b/hosts @@ -227,6 +227,11 @@ vps [unifi] +[unifi-test] + +[unifi:children] +unifi-test + [vm-hosts] vmhost0.pyrocufflink.blue vmhost1.pyrocufflink.blue diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml index 4336ec6..ecfc0a9 100644 --- a/roles/unifi/defaults/main.yml +++ b/roles/unifi/defaults/main.yml @@ -1,5 +1,5 @@ unifi_version: latest -unifi_container_image: lscr.io/linuxserver/unifi-controller +unifi_container_image: git.pyrocufflink.net/containerimages/unifi unifi_storage_path: /var/lib/unifi unifi_exporter_container_image: docker.io/jessestuart/unifi_exporter diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml index 64e7f7d..e93c8f1 100644 --- a/roles/unifi/tasks/deploy.yml +++ b/roles/unifi/tasks/deploy.yml 
@@ -1,48 +1,3 @@ -- name: ensure unifi group exists - group: - name: unifi - gid: 911 - system: true - state: present - tags: - - user - - group -- name: ensure unifi user exists - user: - name: unifi - uid: 911 - group: unifi - home: /var/lib/unifi - createhome: false - system: true - state: present - tags: - - user - -- name: ensure containers subuid is configured - lineinfile: - path: /etc/subuid - create: true - line: containers:39290640:1048576 - tags: - - user -- name: ensure containers subgid is configured - lineinfile: - path: /etc/subgid - line: containers:39290640:1048576 - tags: - - user - -- name: ensure unifi storage path exists - file: - path: '{{ unifi_storage_path }}' - owner: unifi - group: unifi - mode: u=rwx,go= - state: directory - tags: - - datadir - - name: ensure unifi.container systemd unit exists template: src: unifi.container.j2 diff --git a/roles/unifi/templates/unifi.container.j2 b/roles/unifi/templates/unifi.container.j2 index ee51929..012d0b7 100644 --- a/roles/unifi/templates/unifi.container.j2 +++ b/roles/unifi/templates/unifi.container.j2 @@ -5,14 +5,17 @@ After=network.target [Container] Image={{ unifi_container_image }}:{{ unifi_version }} -Volume={{ unifi_storage_path }}:/config:rw,Z +Volume=%S/%N:/var/lib/unifi:rw,U,Z +Volume=%L/%N:/var/log/unifi:rw,U,Z Network=host NoNewPrivileges=yes -UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1 -VolatileTmp=yes +ReadOnly=yes +ReadOnlyTmpfs=true Notify=yes [Service] +StateDirectory=%N +LogsDirectory=%N TimeoutStartSec=5min Restart=always PrivateTmp=yes @@ -23,7 +26,7 @@ ProtectProc=invisible ProtectSystem=strict ReadWritePaths=/run ReadWritePaths=/var/lib/containers/storage -ReadWritePaths={{ unifi_storage_path }} +ReadWritePaths=%S/%N RestrictRealtime=yes UMask=0077 From fbbe86c651ce66c6b7e77030838b51db7c0dbac0 Mon Sep 17 00:00:00 2001 
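Review bot: With the `ensure unifi storage path exists` task gone and the template no longer referencing `{{ unifi_storage_path }}`, the `unifi_storage_path: /var/lib/unifi` default in roles/unifi/defaults/main.yml is left defined but unused by this series; either drop it or add a comment there stating that the data directory is now the unit's StateDirectory. The removed task also fixed ownership (uid 911) and mode `u=rwx,go=` on that directory; the new unit instead relies on the `U` volume option, which as far as I can tell re-owns `%S/%N` to the container's user on start, so an existing /var/lib/unifi from the previous deployment will be chowned on first run — worth stating in the commit message or as a comment on the remaining template task.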
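Review bot: Removing `UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1` drops the user-namespace boundary, and nothing in the new `[Container]` section pins a non-root `User=`, so the "doesn't require running anything as root" property now rests entirely on the image's USER directive rather than on the unit; consider `User=<unprivileged uid or name used by the image>` next to `NoNewPrivileges=yes` so the unit enforces it even if the image changes. Minor style: `ReadOnlyTmpfs=true` spells its boolean differently from every neighbouring key (`ReadOnly=yes`, `NoNewPrivileges=yes`, `Notify=yes`); `ReadOnlyTmpfs=yes` keeps the file consistent.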
From: "Dustin C. Hatch" Date: Wed, 12 Feb 2025 07:05:19 -0600 Subject: [PATCH 2/8] r/unifi: Do not deploy exporter The _unifi_exporter_ has been broken since several versions of UniFi Network ago. --- roles/unifi/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml index c462f21..5072050 100644 --- a/roles/unifi/tasks/main.yml +++ b/roles/unifi/tasks/main.yml @@ -3,8 +3,5 @@ tags: - install - import_tasks: deploy.yml - - import_tasks: exporter.yml - tags: - - unifi-exporter tags: - unifi From db5d1fb91a724386864f7c6a1beb7562732c105f Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 16 Mar 2025 16:39:42 -0500 Subject: [PATCH 3/8] unifi: Switch from nginx to Caddy Mostly for built-in ACME support. --- group_vars/unifi-test.yml | 1 + group_vars/unifi/main.yml | 6 +++++- roles/unifi/tasks/deploy.yml | 21 +++++---------------- roles/unifi/templates/unifi.caddyfile.j2 | 13 +++++++++++++ roles/unifi/templates/unifi.nginx.conf.j2 | 9 --------- unifi.yml | 5 +++-- 6 files changed, 27 insertions(+), 28 deletions(-) create mode 100644 group_vars/unifi-test.yml create mode 100644 roles/unifi/templates/unifi.caddyfile.j2 delete mode 100644 roles/unifi/templates/unifi.nginx.conf.j2 diff --git a/group_vars/unifi-test.yml b/group_vars/unifi-test.yml new file mode 100644 index 0000000..e1972ea --- /dev/null +++ b/group_vars/unifi-test.yml @@ -0,0 +1 @@ +unifi_server_name: '{{ ansible_fqdn }}' diff --git a/group_vars/unifi/main.yml b/group_vars/unifi/main.yml index e4535b2..9f13b9a 100644 --- a/group_vars/unifi/main.yml +++ b/group_vars/unifi/main.yml @@ -1,4 +1,8 @@ -nginx_redirect_http_https: true +unifi_server_name: unifi.pyrocufflink.blue +unifi_caddy_acme: + email: unifi@pyrocufflink.net + url: https://ca.pyrocufflink.blue/acme/acme/directory + unifi_exporter_site: Pyrocufflink unifi_exporter_username: prometheus unifi_exporter_password: !vault | 
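Review bot: Because `unifi-test` is declared a child of `unifi` in `hosts` (patch 1), test hosts inherit `unifi_caddy_acme` from this file, so the `{% if unifi_caddy_acme|d %}` guard in the Caddyfile template never takes its "undefined" branch for them — `group_vars/unifi-test.yml` overrides only `unifi_server_name`. If test hosts are not meant to request certificates from the internal ACME CA, set `unifi_caddy_acme: {}` in `group_vars/unifi-test.yml`. Separately, `unifi_exporter_site`, `unifi_exporter_username` and the vaulted `unifi_exporter_password` survive this rewrite although patch 2 stops deploying the exporter; unless they are referenced elsewhere, the vaulted credential is dead data in version control and should be removed (and rotated if the exporter was its only consumer).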
diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml index e93c8f1..149abc2 100644 --- a/roles/unifi/tasks/deploy.yml +++ b/roles/unifi/tasks/deploy.yml @@ -30,23 +30,12 @@ tags: - firewalld -- name: ensure nginx is configured to proxy for unifi +- name: ensure caddy is configured to proxy for unifi template: - src: unifi.nginx.conf.j2 - dest: /etc/nginx/default.d/unifi.conf - mode: u=rw,go=r + src: unifi.caddyfile.j2 + dest: /etc/caddy/Caddyfile.d/unifi.caddyfile owner: root group: root + mode: u=rw,go=r notify: - - reload nginx - tags: - - nginx - -- name: ensure selinux allows nginx to proxy for unifi - seboolean: - name: httpd_can_network_connect - persistent: true - state: true - tags: - - nginx - - selinux + - reload caddy diff --git a/roles/unifi/templates/unifi.caddyfile.j2 b/roles/unifi/templates/unifi.caddyfile.j2 new file mode 100644 index 0000000..821f0ec --- /dev/null +++ b/roles/unifi/templates/unifi.caddyfile.j2 @@ -0,0 +1,13 @@ +{{ unifi_server_name }} { + reverse_proxy localhost:8443 { + transport http { + tls_insecure_skip_verify + } + } +{% if unifi_caddy_acme|d %} + + tls {{ unifi_caddy_acme.email }} { + ca {{ unifi_caddy_acme.url }} + } +{% endif %} +} diff --git a/roles/unifi/templates/unifi.nginx.conf.j2 b/roles/unifi/templates/unifi.nginx.conf.j2 deleted file mode 100644 index ddc1c54..0000000 --- a/roles/unifi/templates/unifi.nginx.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -location / { - proxy_pass https://127.0.0.1:8443/; - proxy_ssl_verify off; - client_max_body_size 50m; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -} diff --git a/unifi.yml b/unifi.yml index 2055592..4d23a37 100644 --- a/unifi.yml +++ b/unifi.yml @@ -1,5 +1,6 @@ - hosts: unifi roles: - - role: nginx - tags: nginx + - role: caddy + tags: caddy - role: unifi + tags: unifi 
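Review bot: The new `ensure caddy is configured to proxy for unifi` task carries no `tags:`, while the task it replaces had `tags: - nginx` and the task just above the hunk is tagged `firewalld`; add `tags:` with `- caddy` so it can be targeted like its siblings. The `notify: - reload caddy` handler and the `/etc/caddy/Caddyfile.d/` include are presumably provided by the `caddy` role introduced in unifi.yml — nothing in this role defines them, so a one-line comment naming that dependency would help the next reader. Dropping the `httpd_can_network_connect` boolean is only correct if Caddy is not confined under the httpd SELinux domain on these hosts; I cannot confirm that from the diff.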
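Review bot: `tls_insecure_skip_verify` in the `transport http` block disables certificate verification toward UniFi; that is defensible because the upstream is `localhost:8443` and never leaves the host, but the template should say so, otherwise a later change of the upstream address silently keeps verification off. Add above the transport block: `# UniFi presents a self-signed certificate and is reached over loopback only; do not reuse this transport for a non-local upstream.` The nginx config being deleted also capped uploads with `client_max_body_size 50m`; Caddy's reverse_proxy applies no request-body limit by default as far as I know, so if that cap was deliberate, add `request_body { max_size 50MB }` inside the site block.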
From 2e1cc6a1306e4b1404e4bdd123f6b674dbcecd49 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 4 Mar 2025 19:58:15 -0600 Subject: [PATCH 4/8] site: Import UniFi playbook --- site.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/site.yml b/site.yml index ba76b45..9bad63c 100644 --- a/site.yml +++ b/site.yml @@ -11,3 +11,4 @@ - import_playbook: postgresql.yml - import_playbook: serterm.yml - import_playbook: smtp-relay.yml +- import_playbook: unifi.yml From e76bc2c36c7e347b254a387179c949eeef28cf1e Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 16 Mar 2025 17:14:49 -0500 Subject: [PATCH 5/8] host-setup: Import users playbook This ensures that default users are created on all new hosts during initial provisioning. --- host-setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/host-setup.yml b/host-setup.yml index 74bd581..d412cd0 100644 --- a/host-setup.yml +++ b/host-setup.yml @@ -1,5 +1,6 @@ - import_playbook: bootstrap.yml +- import_playbook: users.yml - import_playbook: collectd.yml - import_playbook: promtail.yml - import_playbook: auto-updates.yml From 3877547c03211231918eda764f5e99a2af03102d Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Wed, 19 Mar 2025 07:46:28 -0500 Subject: [PATCH 6/8] bootstrap: Import useproxy playbook Hosts that must use the proxy in order to access the Internet need to have that configured very early on, before any package installation is attempted. --- bootstrap.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/bootstrap.yml b/bootstrap.yml index 36d49a3..f302864 100644 --- a/bootstrap.yml +++ b/bootstrap.yml @@ -1,5 +1,6 @@ - import_playbook: facts.yml - import_playbook: hostname.yml +- import_playbook: useproxy.yml - import_playbook: base.yml - import_playbook: firewalld.yml - import_playbook: ssh-host-certs.yml From 78d70af574a8d913aef22482a31d1807ccb2d385 Mon Sep 17 00:00:00 2001 
From: "Dustin C. Hatch" Date: Wed, 19 Mar 2025 07:50:52 -0500 Subject: [PATCH 7/8] hosts: Add Unifi controllers to needproxy group Since the network device management network does not have access to the Internet, the Unifi controller machines must access it via the proxy. --- hosts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts b/hosts index 982b023..ea007d9 100644 --- a/hosts +++ b/hosts @@ -136,6 +136,9 @@ kubelet [needproxy] nvr2.pyrocufflink.blue +[needproxy:children] +unifi + [networkd] vmhost0.pyrocufflink.blue vmhost1.pyrocufflink.blue From 0c070c9807500f37a9d18abad7152f056ce20fc2 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 29 Mar 2025 08:01:14 -0500 Subject: [PATCH 8/8] gw1/squid: Allow Unifi controller to internal repos I've move the Unifi controller back to running on a Fedora Linux machine. It therefore needs access to Fedora RPM repositories, as well as the internal "dch" RPM repository, for system packages. I also created a new custom container image for the Unifi Network software (the linuxserver.io one sucks), so the server needs access to the OCI repo on Gitea. --- host_vars/gw1.pyrocufflink.blue/squid.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml index c085d1a..df8b5dd 100644 --- a/host_vars/gw1.pyrocufflink.blue/squid.yml +++ b/host_vars/gw1.pyrocufflink.blue/squid.yml @@ -87,6 +87,10 @@ squid_http_access: - allow unifi_controller dockerhub - allow unifi_controller ghcr - allow unifi_controller linuxserverio +- allow unifi_controller gitea +- allow unifi_controller fedora_repo +- allow unifi_controller dch_repo +- allow unifi_controller grafana_rpm - allow trusted frigate github_api - deny all