unifi: Deploy Unifi Network controller

Since Ubiquiti only publishes Debian packages for the Unifi Network
controller software, running it on Fedora has historically been neigh
impossible.  Fortunately, a modern solution is available: containers.
The *linuxserver.io* project publishes a container image for the
controller software, making it fairly easy to deploy on any host with an
OCI runtime.  I briefly considered creating my own image, since theirs
must be run as root, but I decided the maintenance burden would not be
worth it.  Using Podman's user namespace functionality, I was able to
work around this requirement anyway.

roles/unifi/templates/unifi.container.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description=Unifi Network
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ unifi_container_image }}:{{ unifi_version }}
+Volume={{ unifi_storage_path }}:/config:rw,Z
+Network=host
+NoNewPrivileges=yes
+UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
+VolatileTmp=yes
+Notify=yes
+
+[Service]
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+ReadWritePaths=/var/lib/containers/storage
+ReadWritePaths={{ unifi_storage_path }}
+RestrictRealtime=yes
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/unifi/templates/unifi.nginx.conf.j2

@@ -0,0 +1,9 @@
+location / {
+    proxy_pass https://127.0.0.1:8443/;
+    proxy_ssl_verify off;
+    client_max_body_size 50m;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}