unifi: add unifi on the NAS

1 files changed, 53 insertions, 0 deletions

diff --git a/hosts/common/server/unifi.nix b/hosts/common/server/unifi.nix
new file mode 100644
index 0000000..1da8709
--- /dev/null
+++ b/hosts/common/server/unifi.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+let
+  allowedRules = {
+    # https://help.ubnt.com/hc/en-us/articles/218506997
+    allowedTCPPorts = [
+      8080 # Port for UAP to inform controller.
+      8880 # Port for HTTP portal redirect, if guest portal is enabled.
+      8843 # Port for HTTPS portal redirect, ditto.
+      6789 # Port for UniFi mobile speed test.
+    ];
+    allowedUDPPorts = [
+      3478 # UDP port used for STUN.
+      10001 # UDP port used for device discovery.
+    ];
+  };
+in {
+  config = {
+    networking.firewall.allowedTCPPorts = [ 8443 ];
+    networking.firewall = allowedRules;
+    users.users.unifi.group = "unifi";
+    users.users.unifi.isSystemUser = true;
+    users.groups.unifi = { };
+
+    services.unifi = {
+      enable = true;
+      openPorts = true;
+      openFirewall = true;
+    };
+
+    services.prometheus.exporters.unifi = {
+      enable = true;
+      unifiAddress = "https://localhost:8443/";
+      unifiInsecure = true;
+      influxdb.disable = true;
+      prometheus = { http_listen = ":9130"; };
+    };
+
+    systemd.services.unifi-available = {
+      description = "Wait for Unifi to be available";
+      after = [ "unifi.service" ];
+      before = [ "prometheus-unifi-exporter.service" ];
+      wantedBy = [ "prometheus-unifi-exporter.service" ];
+      serviceConfig = {
+        ExecStart =
+          "${pkgs.curl}/bin/curl --insecure 'https://localhost:8443/'";
+        Restart = "on-failure";
+        RestartSec = "10";
+        Type = "oneshot";
+      };
+    };
+  };
+}