commit 102472b8dec39c66c5386e8209e08dfac3ccee3c · pyrox.dev/nixpkgs

+27 -2
nixos/modules/services/networking/unifi.nix
···

       46
       46
        
             '';

     

       47
       47
        
           };

     

       48
       48
        
       

     

       49
       49
       +
           services.unifi.openPorts = mkOption {

     

       50
       50
       +
             type = types.bool;

     

       51
       51
       +
             default = true;

     

       52
       52
       +
             description = ''

     

       53
       53
       +
               Whether or not to open the minimum required ports on the firewall.

     

       54
       54
       +
       

     

       55
       55
       +
               This is necessary to allow firmware upgrades and device discovery to

     

       56
       56
       +
               work. For remote login, you should additionally open (or forward) port

     

       57
       57
       +
               8443.

     

       58
       58
       +
             '';

     

       59
       59
       +
           };

     

       60
       60
       +
       

     

       49
       61
        
         };

     

       50
       62
        
       

     

       51
       63
        
         config = mkIf cfg.enable {

     
···

       56
       68
        
             home = "${stateDir}";

     

       57
       69
        
           };

     

       58
       70
        
       

     

       71
       71
       +
           networking.firewall = mkIf cfg.openPorts {

     

       72
       72
       +
             # https://help.ubnt.com/hc/en-us/articles/204910084-UniFi-Change-Default-Ports-for-Controller-and-UAPs

     

       73
       73
       +
             allowedTCPPorts = [

     

       74
       74
       +
               8080  # Port for UAP to inform controller.

     

       75
       75
       +
               8880  # Port for HTTP portal redirect, if guest portal is enabled.

     

       76
       76
       +
               8843  # Port for HTTPS portal redirect, ditto.

     

       77
       77
       +
             ];

     

       78
       78
       +
             allowedUDPPorts = [

     

       79
       79
       +
               3478  # UDP port used for STUN.

     

       80
       80
       +
               10001 # UDP port used for device discovery.

     

       81
       81
       +
             ];

     

       82
       82
       +
           };

     

       83
       83
       +
       

     

       59
       84
        
           # We must create the binary directories as bind mounts instead of symlinks

     

       60
       85
        
           # This is because the controller resolves all symlinks to absolute paths

     

       61
       86
        
           # to be used as the working directory.

     
···

       80
       105
        
       

     

       81
       106
        
             preStart = ''

     

       82
       107
        
               # Ensure privacy of state and data.

     

       83
       83
       -
               chown unifi "${stateDir}" "${dataDir}"

     

       84
       84
       -
               chmod 0700 "${stateDir}" "${dataDir}"

     

       108
       108
       +
               chown unifi "${stateDir}" "${stateDir}/data"

     

       109
       109
       +
               chmod 0700 "${stateDir}" "${stateDir}/data"

     

       85
       110
        
       

     

       86
       111
        
               # Create the volatile webapps

     

       87
       112
        
               rm -rf "${stateDir}/webapps"