feat: add unifi controller

modules/hetzner/networks.tf

@@ -12,6 +12,105 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+locals {
+  firewall = [
+    {
+      description = "SSH port"
+      port        = var.ssh_port
+      source_ips  = var.firewall_allow_ssh_access
+    },
+    {
+      description = "Allow ICMP (ping)"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      protocol = "icmp"
+      port     = null
+    },
+    {
+      description = "Allow all TCP traffic on private network"
+      source_ips = [
+        hcloud_network.network.ip_range
+      ]
+    },
+    {
+      description = "Allow all UDP traffic on private network"
+      source_ips = [
+        hcloud_network.network.ip_range
+      ]
+      protocol = "udp"
+    },
+    {
+      description = "Allow TCP access to port 80"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port = 80
+    },
+    {
+      description = "Allow TCP access to port 443"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port = 443
+    },
+    # Unifi ports
+    {
+      description = "Unifi controller"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port = 8080
+    },
+    {
+      description = "Unifi speedtest"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port = 6789
+    },
+    {
+      description = "Unifi stun"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port     = 3478
+      protocol = "udp"
+    },
+    {
+      description = "Unifi syslog"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port     = 5514
+      protocol = "udp"
+    },
+    {
+      description = "Unifi discovery"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port     = 10001
+      protocol = "udp"
+    },
+    # Direct public access only allowed if single manager node
+    {
+      description = "Allow access to Kubernetes API"
+      port        = local.kubernetes_api_port
+      source_ips  = var.firewall_allow_api_access
+      disabled    = var.k3s_manager_pool.count > 1
+    }
+  ]
+}
+
 resource "hcloud_network" "network" {
   name     = format(local.name_format, "network")
   ip_range = var.network_subnet
@@ -30,58 +129,7 @@ resource "hcloud_firewall" "firewall" {
   name = format(local.name_format, "firewall")
 
   dynamic "rule" {
-    for_each = [for each in [
-      {
-        description = "SSH port"
-        port        = var.ssh_port
-        source_ips  = var.firewall_allow_ssh_access
-      },
-      {
-        description = "Allow ICMP (ping)"
-        source_ips = [
-          local.global_ipv4_cidr,
-          local.global_ipv6_cidr,
-        ]
-        protocol = "icmp"
-        port     = null
-      },
-      {
-        description = "Allow all TCP traffic on private network"
-        source_ips = [
-          hcloud_network.network.ip_range
-        ]
-      },
-      {
-        description = "Allow all UDP traffic on private network"
-        source_ips = [
-          hcloud_network.network.ip_range
-        ]
-        protocol = "udp"
-      },
-      {
-        description = "Allow TCP access to port 80"
-        source_ips = [
-          local.global_ipv4_cidr,
-          local.global_ipv6_cidr,
-        ]
-        port = 80
-      },
-      {
-        description = "Allow TCP access to port 443"
-        source_ips = [
-          local.global_ipv4_cidr,
-          local.global_ipv6_cidr,
-        ]
-        port = 443
-      },
-      # Direct public access only allowed if single manager node
-      {
-        description = "Allow access to Kubernetes API"
-        port        = local.kubernetes_api_port
-        source_ips  = var.firewall_allow_api_access
-        disabled    = var.k3s_manager_pool.count > 1
-      }
-    ] : each if lookup(each, "disabled", false) != true]
+    for_each = [for each in local.firewall : each if lookup(each, "disabled", false) != true]
 
     content {
       description     = lookup(rule.value, "description", "")

registry/clusters/dev/components/unifi.yaml

@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: unifi-components
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/components/unifi
+    targetRevision: HEAD
+    kustomize:
+      patches:
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: unifi
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/main/hosts/0/host
+              value: unifi.dev.simonemms.com
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: unifi
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/main/tls/0/hosts/0
+              value: unifi.dev.simonemms.com
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: unifi
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/main/annotations/cert-manager.io~1cluster-issuer
+              value: letsencrypt-staging
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: unifi
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

registry/clusters/prod/components/unifi.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: unifi-components
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/components/unifi
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: unifi
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

registry/components/ingress-nginx/application.yaml

@@ -22,6 +22,9 @@ spec:
             use-proxy-protocol: false
           extraArgs:
             enable-ssl-passthrough: true
+          service:
+            annotations:
+              metallb.universe.tf/allow-shared-ip: primary
   destination:
     server: https://kubernetes.default.svc
     namespace: ingress-nginx

registry/components/unifi/application.yaml

@@ -0,0 +1,76 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: unifi
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  project: default
+  source:
+    chart: unifi
+    repoURL: https://k8s-at-home.com/charts/
+    targetRevision: 5.1.2
+    helm:
+      valuesObject:
+        image:
+          repository: jacobalberty/unifi
+          tag: v8.6.9
+        service:
+          main:
+            annotations:
+              metallb.universe.tf/allow-shared-ip: primary
+            type: LoadBalancer
+          udp:
+            enabled: false
+            type: LoadBalancer
+            annotations:
+              metallb.universe.tf/allow-shared-ip: primary
+            ports:
+              stun:
+                enabled: true
+                port: 3478
+                protocol: UDP
+              syslog:
+                enabled: true
+                port: 5514
+                protocol: UDP
+              discovery:
+                enabled: true
+                port: 10001
+                protocol: UDP
+        ingress:
+          main:
+            enabled: true
+            annotations:
+              kubernetes.io/tls-acme: "true"
+              cert-manager.io/cluster-issuer: letsencrypt
+            ingressClassName: nginx
+            hosts:
+              - host: unifi.simonemms.com
+                paths:
+                  - path: /
+                    pathType: Prefix
+            tls:
+              - hosts:
+                  - unifi.simonemms.com
+                secretName: unifi-tls
+        persistence:
+          data:
+            enabled: true
+            accessMode: ReadWriteOnce
+            size: 10Gi
+        mongodb:
+          enabled: true
+          persistence:
+            enabled: true
+            size: 10Gi
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: unifi
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

registry/components/unifi/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml
+  - namespace.yaml

registry/components/unifi/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: unifi
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"