gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(tei): uni

Browse source
This commit is contained in:
arcnmx 2024-02-27 12:10:55 -08:00
parent ba282098d7
commit 19c5462037
5 changed files with 148 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

99
nixos/access/unifi.nix Normal file
View file

@ -0,0 +1,99 @@
{
config,
lib,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (lib.lists) concatMap;
inherit (config.services) nginx tailscale unifi;
access = nginx.access.unifi;
in {
options.services.nginx.access.unifi = with lib.types; {
global.enable = mkEnableOption "global access" // {
default = access.useACMEHost != null;
};
host = mkOption {
type = str;
};
url = mkOption {
type = str;
default = "https://${access.host}:${toString access.managementPort}";
};
managementPort = mkOption {
type = port;
default = 8443;
};
domain = mkOption {
type = str;
default = "unifi.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "unifi.local.${config.networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "unifi.tail.${config.networking.domain}";
};
useACMEHost = mkOption {
type = nullOr str;
default = null;
};
};
config.services.nginx = {
access.unifi = mkIf unifi.enable {
host = mkOptionDefault "localhost";
};
virtualHosts = let
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
'';
locations = {
"/" = {
proxyPass = access.url;
};
};
streamListen = { config, ... }: {
listen = concatMap (addr: [
{
inherit addr;
port = 80;
ssl = false;
}
(mkIf (config.addSSL || config.forceSSL) {
inherit addr;
port = 443;
ssl = true;
})
(mkIf (config.addSSL || config.forceSSL) {
inherit addr;
port = access.managementPort;
ssl = true;
})
]) nginx.defaultListenAddresses;
};
in {
${access.domain} = mkIf access.global.enable (mkMerge [ {
vouch.enable = true;
forceSSL = mkDefault true;
kTLS = mkDefault true;
useACMEHost = mkDefault access.useACMEHost;
inherit locations extraConfig;
} streamListen ]);
${access.localDomain} = mkMerge [ {
serverAliases = mkIf tailscale.enable [ access.tailDomain ];
useACMEHost = mkDefault access.useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
kTLS = mkDefault true;
local.enable = true;
inherit locations extraConfig;
} streamListen ];
};
};
config.networking.firewall = {
interfaces.local.allowedTCPPorts = [ access.managementPort ];
allowedTCPPorts = mkIf access.global.enable [ access.managementPort ];
};
}

32
nixos/unifi.nix Normal file
View file

@ -0,0 +1,32 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkDefault;
cfg = config.services.unifi;
in {
services.unifi = {
enable = mkDefault true;
unifiPackage = mkDefault pkgs.unifi8;
};
networking.firewall.interfaces.local = mkIf cfg.enable {
allowedTCPPorts = mkMerge [
[
8443 # remote login
]
(mkIf (!cfg.openFirewall) [
8080 # Port for UAP to inform controller.
8880 # Port for HTTP portal redirect, if guest portal is enabled.
8843 # Port for HTTPS portal redirect, ditto.
6789 # Port for UniFi mobile speed test.
])
];
allowedUDPPorts = mkIf (!cfg.openFirewall) [
3478 # UDP port used for STUN.
10001 # UDP port used for device discovery.
];
};
}

14
systems/hakurei/nixos.nix
View file

@ -31,6 +31,7 @@ in {
nixos.access.vouch nixos.access.vouch
nixos.access.kanidm nixos.access.kanidm
nixos.access.freeipa nixos.access.freeipa
nixos.access.unifi
nixos.access.kitchencam nixos.access.kitchencam
nixos.access.proxmox nixos.access.proxmox
nixos.access.plex nixos.access.plex
@ -84,6 +85,15 @@ in {
]) ])
]; ];
}; };
${access.unifi.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.unifi.localDomain]
(mkIf tailscale.enable [
access.unifi.tailDomain
])
];
};
${access.freeipa.domain} = { ${access.freeipa.domain} = {
inherit (nginx) group; inherit (nginx) group;
extraDomainNames = mkMerge [ extraDomainNames = mkMerge [
@ -151,6 +161,10 @@ in {
host = tei.lib.access.hostnameForNetwork.local; host = tei.lib.access.hostnameForNetwork.local;
ldapEnable = false; ldapEnable = false;
}; };
access.unifi = {
host = tei.lib.access.hostnameForNetwork.local;
useACMEHost = access.unifi.domain;
};
access.freeipa = { access.freeipa = {
host = "idp.local.${config.networking.domain}"; host = "idp.local.${config.networking.domain}";
}; };

1
systems/tei/nixos.nix
View file

@ -20,6 +20,7 @@ in {
nixos.access.home-assistant nixos.access.home-assistant
nixos.vouch nixos.vouch
nixos.kanidm nixos.kanidm
nixos.unifi
nixos.mosquitto nixos.mosquitto
nixos.home-assistant nixos.home-assistant
nixos.zigbee2mqtt nixos.zigbee2mqtt

2
tf/cloudflare_records.tf
View file

@ -21,6 +21,7 @@ module "hakurei_system_records" {
"login", "login",
"ldap", "ldap",
"freeipa", "freeipa",
"unifi",
"smb", "smb",
"kitchen", "kitchen",
"yt", "yt",
@ -29,6 +30,7 @@ module "hakurei_system_records" {
"plex", "plex",
"idp", "idp",
"ldap", "ldap",
"unifi",
"smb", "smb",
"kitchen", "kitchen",
"yt", "yt",