mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
feat(tei): uni
This commit is contained in:
arcnmx
parent
ba282098d7
commit
19c5462037
5 changed files with 148 additions and 0 deletions
99
nixos/access/unifi.nix
Normal file
99
nixos/access/unifi.nix
Normal file
|
|
@ -0,0 +1,99 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit (lib.options) mkOption mkEnableOption;
|
||||
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
|
||||
inherit (lib.lists) concatMap;
|
||||
inherit (config.services) nginx tailscale unifi;
|
||||
access = nginx.access.unifi;
|
||||
in {
|
||||
options.services.nginx.access.unifi = with lib.types; {
|
||||
global.enable = mkEnableOption "global access" // {
|
||||
default = access.useACMEHost != null;
|
||||
};
|
||||
host = mkOption {
|
||||
type = str;
|
||||
};
|
||||
url = mkOption {
|
||||
type = str;
|
||||
default = "https://${access.host}:${toString access.managementPort}";
|
||||
};
|
||||
managementPort = mkOption {
|
||||
type = port;
|
||||
default = 8443;
|
||||
};
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
default = "unifi.${config.networking.domain}";
|
||||
};
|
||||
localDomain = mkOption {
|
||||
type = str;
|
||||
default = "unifi.local.${config.networking.domain}";
|
||||
};
|
||||
tailDomain = mkOption {
|
||||
type = str;
|
||||
default = "unifi.tail.${config.networking.domain}";
|
||||
};
|
||||
useACMEHost = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
config.services.nginx = {
|
||||
access.unifi = mkIf unifi.enable {
|
||||
host = mkOptionDefault "localhost";
|
||||
};
|
||||
virtualHosts = let
|
||||
extraConfig = ''
|
||||
proxy_redirect off;
|
||||
proxy_buffering off;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = access.url;
|
||||
};
|
||||
};
|
||||
streamListen = { config, ... }: {
|
||||
listen = concatMap (addr: [
|
||||
{
|
||||
inherit addr;
|
||||
port = 80;
|
||||
ssl = false;
|
||||
}
|
||||
(mkIf (config.addSSL || config.forceSSL) {
|
||||
inherit addr;
|
||||
port = 443;
|
||||
ssl = true;
|
||||
})
|
||||
(mkIf (config.addSSL || config.forceSSL) {
|
||||
inherit addr;
|
||||
port = access.managementPort;
|
||||
ssl = true;
|
||||
})
|
||||
]) nginx.defaultListenAddresses;
|
||||
};
|
||||
in {
|
||||
${access.domain} = mkIf access.global.enable (mkMerge [ {
|
||||
vouch.enable = true;
|
||||
forceSSL = mkDefault true;
|
||||
kTLS = mkDefault true;
|
||||
useACMEHost = mkDefault access.useACMEHost;
|
||||
inherit locations extraConfig;
|
||||
} streamListen ]);
|
||||
${access.localDomain} = mkMerge [ {
|
||||
serverAliases = mkIf tailscale.enable [ access.tailDomain ];
|
||||
useACMEHost = mkDefault access.useACMEHost;
|
||||
addSSL = mkDefault (access.useACMEHost != null);
|
||||
kTLS = mkDefault true;
|
||||
local.enable = true;
|
||||
inherit locations extraConfig;
|
||||
} streamListen ];
|
||||
};
|
||||
};
|
||||
config.networking.firewall = {
|
||||
interfaces.local.allowedTCPPorts = [ access.managementPort ];
|
||||
allowedTCPPorts = mkIf access.global.enable [ access.managementPort ];
|
||||
};
|
||||
}
|
||||
32
nixos/unifi.nix
Normal file
32
nixos/unifi.nix
Normal file
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit (lib.modules) mkIf mkMerge mkDefault;
|
||||
cfg = config.services.unifi;
|
||||
in {
|
||||
services.unifi = {
|
||||
enable = mkDefault true;
|
||||
unifiPackage = mkDefault pkgs.unifi8;
|
||||
};
|
||||
|
||||
networking.firewall.interfaces.local = mkIf cfg.enable {
|
||||
allowedTCPPorts = mkMerge [
|
||||
[
|
||||
8443 # remote login
|
||||
]
|
||||
(mkIf (!cfg.openFirewall) [
|
||||
8080 # Port for UAP to inform controller.
|
||||
8880 # Port for HTTP portal redirect, if guest portal is enabled.
|
||||
8843 # Port for HTTPS portal redirect, ditto.
|
||||
6789 # Port for UniFi mobile speed test.
|
||||
])
|
||||
];
|
||||
allowedUDPPorts = mkIf (!cfg.openFirewall) [
|
||||
3478 # UDP port used for STUN.
|
||||
10001 # UDP port used for device discovery.
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
@ -31,6 +31,7 @@ in {
|
|||
nixos.access.vouch
|
||||
nixos.access.kanidm
|
||||
nixos.access.freeipa
|
||||
nixos.access.unifi
|
||||
nixos.access.kitchencam
|
||||
nixos.access.proxmox
|
||||
nixos.access.plex
|
||||
|
|
@ -84,6 +85,15 @@ in {
|
|||
])
|
||||
];
|
||||
};
|
||||
${access.unifi.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = mkMerge [
|
||||
[access.unifi.localDomain]
|
||||
(mkIf tailscale.enable [
|
||||
access.unifi.tailDomain
|
||||
])
|
||||
];
|
||||
};
|
||||
${access.freeipa.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = mkMerge [
|
||||
|
|
@ -151,6 +161,10 @@ in {
|
|||
host = tei.lib.access.hostnameForNetwork.local;
|
||||
ldapEnable = false;
|
||||
};
|
||||
access.unifi = {
|
||||
host = tei.lib.access.hostnameForNetwork.local;
|
||||
useACMEHost = access.unifi.domain;
|
||||
};
|
||||
access.freeipa = {
|
||||
host = "idp.local.${config.networking.domain}";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ in {
|
|||
nixos.access.home-assistant
|
||||
nixos.vouch
|
||||
nixos.kanidm
|
||||
nixos.unifi
|
||||
nixos.mosquitto
|
||||
nixos.home-assistant
|
||||
nixos.zigbee2mqtt
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ module "hakurei_system_records" {
|
|||
"login",
|
||||
"ldap",
|
||||
"freeipa",
|
||||
"unifi",
|
||||
"smb",
|
||||
"kitchen",
|
||||
"yt",
|
||||
|
|
@ -29,6 +30,7 @@ module "hakurei_system_records" {
|
|||
"plex",
|
||||
"idp",
|
||||
"ldap",
|
||||
"unifi",
|
||||
"smb",
|
||||
"kitchen",
|
||||
"yt",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue