From 21cf9bdcdd9280dab01c4bbdc0e8c936a76ff11d Mon Sep 17 00:00:00 2001 From: Simon Emms Date: Fri, 15 Nov 2024 14:44:17 +0000 Subject: [PATCH] feat: add unifi controller --- modules/hetzner/networks.tf | 152 ++++++++++++------ registry/clusters/dev/components/unifi.yaml | 53 ++++++ registry/clusters/prod/components/unifi.yaml | 24 +++ .../components/ingress-nginx/application.yaml | 3 + registry/components/unifi/application.yaml | 76 +++++++++ registry/components/unifi/kustomization.yaml | 5 + registry/components/unifi/namespace.yaml | 6 + 7 files changed, 267 insertions(+), 52 deletions(-) create mode 100644 registry/clusters/dev/components/unifi.yaml create mode 100644 registry/clusters/prod/components/unifi.yaml create mode 100644 registry/components/unifi/application.yaml create mode 100644 registry/components/unifi/kustomization.yaml create mode 100644 registry/components/unifi/namespace.yaml diff --git a/modules/hetzner/networks.tf b/modules/hetzner/networks.tf index 86e0570..1522698 100644 --- a/modules/hetzner/networks.tf +++ b/modules/hetzner/networks.tf 
@@ -12,6 +12,105 @@ # See the License for the specific language governing permissions and # limitations under the License. +locals { + firewall = [ + { + description = "SSH port" + port = var.ssh_port + source_ips = var.firewall_allow_ssh_access + }, + { + description = "Allow ICMP (ping)" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + protocol = "icmp" + port = null + }, + { + description = "Allow all TCP traffic on private network" + source_ips = [ + hcloud_network.network.ip_range + ] + }, + { + description = "Allow all UDP traffic on private network" + source_ips = [ + hcloud_network.network.ip_range + ] + protocol = "udp" + }, + { + description = "Allow TCP access to port 80" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 80 + }, + { + description = "Allow TCP access to port 443" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 443 + }, + # Unifi ports + { + description = "Unifi controller" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 8080 + }, + { + description = "Unifi speedtest" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 6789 + }, + { + description = "Unifi stun" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 3478 + protocol = "udp" + }, + { + description = "Unifi syslog" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 5514 + protocol = "udp" + }, + { + description = "Unifi discovery" + source_ips = [ + local.global_ipv4_cidr, + local.global_ipv6_cidr, + ] + port = 10001 + protocol = "udp" + }, + # Direct public access only allowed if single manager node + { + description = "Allow access to Kubernetes API" + port = local.kubernetes_api_port + source_ips = var.firewall_allow_api_access + disabled = var.k3s_manager_pool.count > 1 + } + ] +} + resource "hcloud_network" "network" { name = format(local.name_format, "network") 
ip_range = var.network_subnet @@ -30,58 +129,7 @@ resource "hcloud_firewall" "firewall" { name = format(local.name_format, "firewall") dynamic "rule" { - for_each = [for each in [ - { - description = "SSH port" - port = var.ssh_port - source_ips = var.firewall_allow_ssh_access - }, - { - description = "Allow ICMP (ping)" - source_ips = [ - local.global_ipv4_cidr, - local.global_ipv6_cidr, - ] - protocol = "icmp" - port = null - }, - { - description = "Allow all TCP traffic on private network" - source_ips = [ - hcloud_network.network.ip_range - ] - }, - { - description = "Allow all UDP traffic on private network" - source_ips = [ - hcloud_network.network.ip_range - ] - protocol = "udp" - }, - { - description = "Allow TCP access to port 80" - source_ips = [ - local.global_ipv4_cidr, - local.global_ipv6_cidr, - ] - port = 80 - }, - { - description = "Allow TCP access to port 443" - source_ips = [ - local.global_ipv4_cidr, - local.global_ipv6_cidr, - ] - port = 443 - }, - # Direct public access only allowed if single manager node - { - description = "Allow access to Kubernetes API" - port = local.kubernetes_api_port - source_ips = var.firewall_allow_api_access - disabled = var.k3s_manager_pool.count > 1 - } - ] : each if lookup(each, "disabled", false) != true] + for_each = [for each in local.firewall : each if lookup(each, "disabled", false) != true] content { description = lookup(rule.value, "description", "") diff --git a/registry/clusters/dev/components/unifi.yaml b/registry/clusters/dev/components/unifi.yaml new file mode 100644 index 0000000..023efc1 --- /dev/null +++ b/registry/clusters/dev/components/unifi.yaml 
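Review bot: The five `Unifi …` rules added after the `# Unifi ports` comment in `local.firewall` open TCP 8080/6789 and UDP 3478/5514/10001 to `local.global_ipv4_cidr`/`local.global_ipv6_cidr` (presumably the any-address CIDRs), where only the inform/STUN ports have any business being reachable from arbitrary sources. UDP/5514 syslog accepts unauthenticated datagrams, so anyone on the internet can write entries into the controller's logs, and the UDP/10001 discovery protocol is LAN-only by design and has been abused for reflection, so both should at least be narrowed to the site WAN addresses via a list variable in the style of `var.firewall_allow_ssh_access`, e.g. `source_ips = var.firewall_allow_unifi_access` (constructed name). The same commit sets `service.udp.enabled: false` in `registry/components/unifi/application.yaml`, so nothing in the cluster currently listens on 3478/5514/10001, and 6789 is not exposed by any Service at all; rules that have no listener behind them should carry a `disabled = …` flag like the Kubernetes API rule rather than sit open. Like the 80/443 entries these rules omit `protocol`, so TCP 8080 and 6789 rely on whatever default the `content` block applies, which is outside this hunk.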
@@ -0,0 +1,53 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: unifi-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "30" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/mrsimonemms/infrastructure + path: registry/components/unifi + targetRevision: HEAD + kustomize: + patches: + - target: + group: argoproj.io + version: v1alpha1 + kind: Application + name: unifi + patch: |- + - op: replace + path: /spec/source/helm/valuesObject/ingress/main/hosts/0/host + value: unifi.dev.simonemms.com + - target: + group: argoproj.io + version: v1alpha1 + kind: Application + name: unifi + patch: |- + - op: replace + path: /spec/source/helm/valuesObject/ingress/main/tls/0/hosts/0 + value: unifi.dev.simonemms.com + - target: + group: argoproj.io + version: v1alpha1 + kind: Application + name: unifi + patch: |- + - op: replace + path: /spec/source/helm/valuesObject/ingress/main/annotations/cert-manager.io~1cluster-issuer + value: letsencrypt-staging + destination: + server: https://kubernetes.default.svc + namespace: unifi + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/clusters/prod/components/unifi.yaml b/registry/clusters/prod/components/unifi.yaml new file mode 100644 index 0000000..dce8f2d --- /dev/null +++ b/registry/clusters/prod/components/unifi.yaml 
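Review bot: The three `kustomize.patches` entries all target the same `Application` named `unifi` and differ only in the JSON-patch op, so they can be one `target` block whose `patch: |-` lists the three `op: replace` entries together; that keeps the dev host, TLS host and issuer overrides in one place and makes it harder to update one of the two `unifi.dev.simonemms.com` occurrences without the other. The index paths `/hosts/0/host` and `/tls/0/hosts/0` hard-depend on the base having exactly one host entry, which is fine here because `replace` fails loudly if the path is missing, but that coupling deserves a one-line comment above the patches.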
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: unifi-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "30" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/mrsimonemms/infrastructure + path: registry/components/unifi + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: unifi + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/components/ingress-nginx/application.yaml b/registry/components/ingress-nginx/application.yaml index ccc1939..9e82a9f 100644 --- a/registry/components/ingress-nginx/application.yaml +++ b/registry/components/ingress-nginx/application.yaml @@ -22,6 +22,9 @@ spec: use-proxy-protocol: false extraArgs: enable-ssl-passthrough: true + service: + annotations: + metallb.universe.tf/allow-shared-ip: primary destination: server: https://kubernetes.default.svc namespace: ingress-nginx diff --git a/registry/components/unifi/application.yaml b/registry/components/unifi/application.yaml new file mode 100644 index 0000000..c05fa1d --- /dev/null +++ b/registry/components/unifi/application.yaml 
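Review bot: The prod `Application` tracks `targetRevision: HEAD` while `syncPolicy.automated` has `prune: true` and `selfHeal: true`, so any push to the repository's default branch deploys to the production cluster immediately and can delete resources; if that is not the repo-wide convention, prod should point at a protected branch or release tag. The dev file in this commit is identical in that respect, so the point applies to both. The `finalizers` entry here cascades deletion of the child `unifi` Application, but that child (in `registry/components/unifi/application.yaml`) carries no finalizer itself, so the Helm-managed resources may be orphaned when this app is removed; confirm that is intended.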
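Review bot: The added `service.annotations` with `metallb.universe.tf/allow-shared-ip: primary` makes the ingress-nginx Service share its address with the unifi `main` LoadBalancer Service introduced in this commit, and MetalLB only honours that when both Services use the same `externalTrafficPolicy` and, when it is `Local`, select the same pods; ingress-nginx and the unifi controller are different workloads, so if this chart is run with `externalTrafficPolicy: Local` (not visible in the hunk, it sits above line 22 if set) the second Service will be left pending. Worth a comment on the annotation naming the peer Service, e.g. `# shares the MetalLB IP with service/unifi in the unifi namespace`. Newer MetalLB releases document the `metallb.io/allow-shared-ip` key; the `metallb.universe.tf` form is the older spelling, so check which one the installed version accepts. The enclosing mapping (`controller:` or similar) starts before this hunk.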
@@ -0,0 +1,76 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: unifi + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "10" +spec: + project: default + source: + chart: unifi + repoURL: https://k8s-at-home.com/charts/ + targetRevision: 5.1.2 + helm: + valuesObject: + image: + repository: jacobalberty/unifi + tag: v8.6.9 + service: + main: + annotations: + metallb.universe.tf/allow-shared-ip: primary + type: LoadBalancer + udp: + enabled: false + type: LoadBalancer + annotations: + metallb.universe.tf/allow-shared-ip: primary + ports: + stun: + enabled: true + port: 3478 + protocol: UDP + syslog: + enabled: true + port: 5514 + protocol: UDP + discovery: + enabled: true + port: 10001 + protocol: UDP + ingress: + main: + enabled: true + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt + ingressClassName: nginx + hosts: + - host: unifi.simonemms.com + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - unifi.simonemms.com + secretName: unifi-tls + persistence: + data: + enabled: true + accessMode: ReadWriteOnce + size: 10Gi + mongodb: + enabled: true + persistence: + enabled: true + size: 10Gi + destination: + server: https://kubernetes.default.svc + namespace: unifi + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/components/unifi/kustomization.yaml b/registry/components/unifi/kustomization.yaml new file mode 100644 index 0000000..0e0a709 --- /dev/null +++ b/registry/components/unifi/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - application.yaml + - namespace.yaml diff --git a/registry/components/unifi/namespace.yaml b/registry/components/unifi/namespace.yaml new file mode 100644 index 0000000..00e7ee7 --- /dev/null +++ b/registry/components/unifi/namespace.yaml 
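Review bot: Under `service.udp` the chart is given three UDP ports (stun 3478, syslog 5514, discovery 10001) but `enabled: false`, so no Service exposes them even though `modules/hetzner/networks.tf` in this same commit opens exactly those ports at the Hetzner firewall; either set `enabled: true` so remote devices get STUN, or drop the firewall rules until it is, and leave a comment recording which. The chart source `https://k8s-at-home.com/charts/` is the k8s-at-home repository, which was archived in 2022 and no longer receives updates, so `targetRevision: 5.1.2` will never pick up fixes and the chart's bundled `mongodb` subchart is equally frozen; a note on `repoURL` stating that the chart is unmaintained and pinned deliberately would help the next reviewer. The image is pinned to `tag: v8.6.9`, which is good; the `kubernetes.io/tls-acme: "true"` annotation is redundant alongside `cert-manager.io/cluster-issuer` and can go.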
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: unifi + annotations: + argocd.argoproj.io/sync-wave: "-1"
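Review bot: The new `unifi` Namespace carries only the sync-wave annotation and no Pod Security Admission labels, so the controller and its mongodb pods run without any admission-level restriction; adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` gives a floor without assuming the image can run fully unprivileged. The `jacobalberty/unifi` image is commonly started as root before dropping privileges, so `restricted` enforcement may break it; that is an assumption to verify before tightening further. Since the namespace is also created by `CreateNamespace=true` in the parent Applications, a short comment on the `-1` sync-wave explaining that this manifest exists so the labels are declared in Git would clarify why both mechanisms are present.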