diff --git a/group_vars/unifi/main.yml b/group_vars/unifi/main.yml
index e4535b2..9f13b9a 100644
--- a/group_vars/unifi/main.yml
+++ b/group_vars/unifi/main.yml
@@ -1,4 +1,8 @@
-nginx_redirect_http_https: true
+unifi_server_name: unifi.pyrocufflink.blue
+unifi_caddy_acme:
+  email: unifi@pyrocufflink.net
+  url: https://ca.pyrocufflink.blue/acme/acme/directory
+
 unifi_exporter_site: Pyrocufflink
 unifi_exporter_username: prometheus
 unifi_exporter_password: !vault |
diff --git a/hosts b/hosts
index ee3dcf6..b518edc 100644
--- a/hosts
+++ b/hosts
@@ -223,6 +223,9 @@ vps
 [unifi]
+[unifi:children]
+unifi-test
+
 [vm-hosts]
 vmhost0.pyrocufflink.blue
 vmhost1.pyrocufflink.blue
diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml
index 64e7f7d..149abc2 100644
--- a/roles/unifi/tasks/deploy.yml
+++ b/roles/unifi/tasks/deploy.yml
@@ -1,48 +1,3 @@
-- name: ensure unifi group exists
-  group:
-    name: unifi
-    gid: 911
-    system: true
-    state: present
-  tags:
-    - user
-    - group
-- name: ensure unifi user exists
-  user:
-    name: unifi
-    uid: 911
-    group: unifi
-    home: /var/lib/unifi
-    createhome: false
-    system: true
-    state: present
-  tags:
-    - user
-
-- name: ensure containers subuid is configured
-  lineinfile:
-    path: /etc/subuid
-    create: true
-    line: containers:39290640:1048576
-  tags:
-    - user
-- name: ensure containers subgid is configured
-  lineinfile:
-    path: /etc/subgid
-    line: containers:39290640:1048576
-  tags:
-    - user
-
-- name: ensure unifi storage path exists
-  file:
-    path: '{{ unifi_storage_path }}'
-    owner: unifi
-    group: unifi
-    mode: u=rwx,go=
-    state: directory
-  tags:
-    - datadir
-
 - name: ensure unifi.container systemd unit exists
   template:
     src: unifi.container.j2
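Review bot: `unifi_caddy_acme.url` points at an ACME directory served by an internal CA (the `/acme/acme/directory` path looks like a step-ca instance — confirm), and nothing in this hunk says how Caddy is expected to validate that server's own TLS certificate; unless the host's system trust store already carries the internal root, or the caddy role passes it via the acme issuer's `trusted_roots` option, issuance will fail at the TLS handshake before any ACME exchange happens. That dependency is worth stating on the variable, e.g. `# directory of the internal ACME CA; its root must be trusted by the host (or listed in trusted_roots)`. The vaulted exporter password below is untouched, but note that everything in this file is now also inherited by child groups of `unifi`.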
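Review bot: Making `unifi-test` a child of `unifi` means every variable in group_vars/unifi/main.yml — `unifi_server_name: unifi.pyrocufflink.blue`, the ACME settings and the vaulted exporter password — is inherited by the test hosts, so a test host will request a certificate for the production hostname unless group_vars/unifi-test overrides `unifi_server_name`; that override is not part of this commit, so confirm it exists. `[unifi]` appears to have no direct members in this hunk, so the `unifi-test` group must itself be defined elsewhere in the inventory or the play matches nothing. A comment above the new section, `# members come via child groups; override unifi_server_name per child`, would make the inheritance explicit.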
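Review bot: The removed tasks created `unifi_storage_path` with `u=rwx,go=` and owned by the fixed uid 911, but the remaining task list does nothing for hosts that already hold data there: nothing moves it into the unit's new state directory, and if `unifi_storage_path` differs from /var/lib/<unit name> the service will start with an empty `/config`. Either add a one-off migration task or at least a comment at the top of the file, `# data now lives in the unit's StateDirectory; existing hosts must move unifi_storage_path by hand`. The `containers` subuid/subgid entries are also dropped without any replacement, which is only safe if the new quadlet no longer relies on a user namespace — worth confirming. The task list continues past the three context lines of this hunk.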
@@ -75,23 +30,12 @@
   tags:
     - firewalld
-- name: ensure nginx is configured to proxy for unifi
+- name: ensure caddy is configured to proxy for unifi
   template:
-    src: unifi.nginx.conf.j2
-    dest: /etc/nginx/default.d/unifi.conf
-    mode: u=rw,go=r
+    src: unifi.caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/unifi.caddyfile
     owner: root
     group: root
+    mode: u=rw,go=r
   notify:
-    - reload nginx
-  tags:
-    - nginx
-
-- name: ensure selinux allows nginx to proxy for unifi
-  seboolean:
-    name: httpd_can_network_connect
-    persistent: true
-    state: true
-  tags:
-    - nginx
-    - selinux
+    - reload caddy
diff --git a/roles/unifi/templates/unifi.container.j2 b/roles/unifi/templates/unifi.container.j2
index a3e3f40..83f82d4 100644
--- a/roles/unifi/templates/unifi.container.j2
+++ b/roles/unifi/templates/unifi.container.j2
@@ -5,15 +5,14 @@ After=network.target
 [Container]
 Image={{ unifi_container_image }}:{{ unifi_version }}
-Volume={{ unifi_storage_path }}:/config:rw,Z
+Volume=%S/%N:/config:rw,U,Z
 Network=host
 NoNewPrivileges=yes
-User=911
-Group=911
 VolatileTmp=yes
 Notify=yes
 [Service]
+StateDirectory=%N
 TimeoutStartSec=5min
 Restart=always
 PrivateTmp=yes
@@ -24,7 +23,7 @@ ProtectProc=invisible
 ProtectSystem=strict
 ReadWritePaths=/run
 ReadWritePaths=/var/lib/containers/storage
-ReadWritePaths={{ unifi_storage_path }}
+ReadWritePaths=%S/%N
 RestrictRealtime=yes
 UMask=0077
diff --git a/roles/unifi/templates/unifi.nginx.conf.j2 b/roles/unifi/templates/unifi.nginx.conf.j2
deleted file mode 100644
index ddc1c54..0000000
--- a/roles/unifi/templates/unifi.nginx.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-location / {
-    proxy_pass https://127.0.0.1:8443/;
-    proxy_ssl_verify off;
-    client_max_body_size 50m;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-}
diff --git a/unifi.yml b/unifi.yml
index 2055592..0353640 100644
--- a/unifi.yml
+++ b/unifi.yml
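Review bot: The `seboolean: httpd_can_network_connect` task is dropped with no Caddy-side equivalent; on an SELinux-enforcing host, if the caddy process runs in a confined domain (this depends on which package and policy the caddy role installs — not visible here), its outbound connection to the UniFi port would be denied exactly as nginx's was, and the symptom is a 502 at runtime rather than a failed play. If the caddy role handles this, say so on the template task (`# SELinux network access for caddy is set up by the caddy role`); otherwise keep an equivalent `seboolean` task. Separately, the rewritten task lost its `tags:` list while the neighbouring task keeps `- firewalld` and the play now tags the role `caddy`; `tags: [caddy]` on this task would keep the file consistent.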
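Review bot: `StateDirectory=%N` creates /var/lib/%N with systemd's default `StateDirectoryMode=` of 0755, whereas the directory this replaces was created by the role with `u=rwx,go=`; the UniFi config tree is therefore traversable by every local user and only per-file modes protect its contents, unless something outside this hunk tightens it. Add `StateDirectoryMode=0700` beside `StateDirectory=%N`. Removing `User=911`/`Group=911` also means the runtime no longer pins the container to a fixed unprivileged uid; if the intent is to rely on the image dropping privileges itself and on the `U` volume option for host-side ownership, a comment saying so (`# in-container uid is handled by the image; host ownership via the U volume flag`) would document the decision. The [Service] hardening options between this hunk and the next are outside both.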
@@ -1,5 +1,6 @@
 - hosts: unifi
   roles:
-    - role: nginx
-      tags: nginx
     - role: unifi
+      tags: unifi
+    - role: caddy
+      tags: caddy
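Review bot: The role order is now `unifi` before `caddy`, the reverse of the old `nginx` before `unifi`; the unifi role templates `/etc/caddy/Caddyfile.d/unifi.caddyfile` and notifies `reload caddy`, so on a freshly built host that task runs before the caddy role has installed the package or created `Caddyfile.d` (assuming the caddy role does that — it is not in this commit) and fails on the missing directory. Swap the entries so `- role: caddy` comes first, as the nginx role did, or have the unifi role create the directory itself. Note also that with `tags: unifi` on one role and `tags: caddy` on the other, a `--tags unifi` run skips the proxy entirely unless the caddy role shares the tag.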