unifi: Deploy Unifi Network controller

Since Ubiquiti only publishes Debian packages for the Unifi Network
controller software, running it on Fedora has historically been neigh
impossible.  Fortunately, a modern solution is available: containers.
The *linuxserver.io* project publishes a container image for the
controller software, making it fairly easy to deploy on any host with an
OCI runtime.  I briefly considered creating my own image, since theirs
must be run as root, but I decided the maintenance burden would not be
worth it.  Using Podman's user namespace functionality, I was able to
work around this requirement anyway.

roles/unifi/tasks/deploy.yml

@@ -0,0 +1,97 @@
+- name: ensure unifi group exists
+  group:
+    name: unifi
+    gid: 911
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure unifi user exists
+  user:
+    name: unifi
+    uid: 911
+    group: unifi
+    home: /var/lib/unifi
+    createhome: false
+    system: true
+    state: present
+  tags:
+  - user
+
+- name: ensure containers subuid is configured
+  lineinfile:
+    path: /etc/subuid
+    create: true
+    line: containers:39290640:1048576
+  tags:
+  - user
+- name: ensure containers subgid is configured
+  lineinfile:
+    path: /etc/subgid
+    line: containers:39290640:1048576
+  tags:
+  - user
+
+- name: ensure unifi storage path exists
+  file:
+    path: '{{ unifi_storage_path }}'
+    owner: unifi
+    group: unifi
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure unifi.container systemd unit exists
+  template:
+    src: unifi.container.j2
+    dest: /etc/containers/systemd/unifi.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart unifi
+  tags:
+  - systemd
+- name: flush_handlers
+  meta: flush_handlers
+
+- name: ensure unifi.service is running
+  systemd:
+    name: unifi.service
+    state: started
+  tags:
+  - service
+
+- name: ensure firewall is configured for unifi
+  firewalld:
+    port: 8080/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+  when: host_uses_firewalld|d(true)|bool
+  tags:
+  - firewalld
+
+- name: ensure nginx is configured to proxy for unifi
+  template:
+    src: unifi.nginx.conf.j2
+    dest: /etc/nginx/default.d/unifi.conf
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload nginx
+  tags:
+  - nginx
+
+- name: ensure selinux allows nginx to proxy for unifi
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+  tags:
+  - nginx
+  - selinux

roles/unifi/tasks/install.yml

@@ -0,0 +1,12 @@
+- name: ensure podman is installed
+  dnf:
+    name:
+    - container-selinux
+    - podman
+    install_weak_deps: false
+    state: present
+
+- name: ensure unifi container image is present
+  podman_image:
+    name: '{{ unifi_container_image }}:{{ unifi_version }}'
+    state: present

roles/unifi/tasks/main.yml

@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - unifi