Fix guest portal and cleanup

deps/common

@@ -1 +1 @@
-Subproject commit df3e7fd52e5758d54c0dcad522260b1416d92884
+Subproject commit a1738a81645748892a34d990c6df07cd1b4815ad

images/unifi/Dockerfile

@@ -2,8 +2,6 @@ FROM alpine:latest AS builder
 
 ARG UNIFI_VERSION=7.4.162
 
-ENV JAVA_OPTS="-Djava.awt.headless=true"
-
 RUN set -eu &&\
     apk --no-cache add curl ca-certificates unzip &&\
     cd /tmp &&\
@@ -14,6 +12,10 @@ RUN set -eu &&\
 FROM [[ .docker.repo ]][[ .docker.base_images.java11.image ]]
 MAINTAINER [[ .docker.maintainer ]]
 
+ENV JAVA_OPTS="-Djava.awt.headless=true" \
+    TZ=[[ .locale.tz ]] \
+    LANG=[[ .locale.lang ]]
+
 COPY --from=builder /tmp/UniFi /opt/unifi
 RUN set -eu &&\
     apk --no-cache upgrade &&\

templates/nginx/nginx.conf.tpl

@@ -9,20 +9,7 @@ server {
   server_tokens off;
   root /usr/share/html;
 
-[[- range $id, $header := slice "X-Forwarded-Client-Cert"
-                                "X-Forwarded-Server"
-                                "X-Envoy-Expected-Rq-Timeout-Ms"
-                                "X-Envoy-Internal"
-                                "Sec-Ch-Ua"
-                                "Sec-Ch-Ua-Mobile"
-                                "Sec-Ch-Ua-Platform"
-                                "Sec-Fetch-Dest"
-                                "Sec-Fetch-Mode"
-                                "Sec-Fetch-Site"
-                                "Sec-Fetch-User"
-                                "Sec-Gpc"
-                                "Upgrade-Insecure-Requests"
-                                "Origin"
+[[- range $id, $header := slice "Origin"
                                 "Authorization" ]]
   proxy_set_header [[ $header ]] "";
 [[- end ]]
@@ -33,7 +20,9 @@ server {
   proxy_socket_keepalive on;
   client_max_body_size 100m;
 
-
+  set_real_ip_from 127.0.0.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
 
   # Inform endpoint
   location ~ ^/(inform|dl/firmware-cached).* {
@@ -50,7 +39,7 @@ server {
       return 405;
     }
     proxy_set_header Host "[[ (urlParse .unifi.guest_portal.public_url).Hostname ]]";
-    proxy_pass http://ubnt.lapiole.org:8880;
+    proxy_pass https://localhost:8843;
   }
 
   # Main console

unifi.nomad.hcl

@@ -6,7 +6,9 @@ job "unifi" {
 
     network {
       mode = "bridge"
-      port "stun" {}
+      port "stun" {
+        to = 3478
+      }
     }
 
     service {
@@ -18,9 +20,8 @@ job "unifi" {
       tags = [
         "[[ .traefik.instance ]].enable=true",
 
-        "[[ .traefik.instance ]].http.routers.unifi-inform[[ .env.suffix ]].rule=Host(`
-          [[- (urlParse .unifi.inform.public_url).Hostname -]]
-            `) && ((Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`))))",
+        # Note : no Host as inform requests are sent without. But it's binded to the dedicated entrypoint anyway
+        "[[ .traefik.instance ]].http.routers.unifi-inform[[ .env.suffix ]].rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
         "[[ .traefik.instance ]].http.routers.unifi-inform[[ .env.suffix ]].entrypoints=[[ join (merge .unifi.inform.traefik .traefik).entrypoints "," ]]",
         "[[ .traefik.instance ]].http.routers.unifi-inform[[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .unifi.inform.traefik .traefik ]]",
 
@@ -56,8 +57,6 @@ job "unifi" {
       name = "unifi-mongo[[ .env.suffix ]]"
       port = 27017
 
-[[ template "common/connect.tpl" dict "ctx" . "config" .unifi.mongo ]]
-
       check {
         type     = "script"
         command  = "sh"

variables.yml

@@ -15,7 +15,7 @@ unifi:
     driver: docker
 
     # The image for the controller
-    image: danielberteaud/unifi:7.4.162-1
+    image: danielberteaud/unifi:7.4.162-3
 
     # Resource allocation for the controller
     resources: