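---

# Unifi controller has several components :
# - The controller itself (which also includes the inform, the guest_portal and the stun service)
# - A small nginx proxy to expose all the various web services of unifi through a single port
# - A mongodb server (optional, can use an external mongodb)
# - A firmware downloader helper : this is because the Unifi Controller can't use an outbound web proxy

# The name of the nomad job
instance: unifi

# NOTE(review): the indentation below was rebuilt from a listing that had lost its
# line breaks. Nesting follows the '.unifi.controller.mongo.*' references used in this
# file; confirm the level of inform, guest_portal, stun, nginx and mongo against the
# job template before relying on it.
unifi:

  # This is for the web management console
  controller:

    # The driver to use (docker or podman)
    driver: docker

    # Version of the controller to deploy
    # Quoted so it is always read as a string (it is concatenated into the image tag)
    version: '8.1.127'

    # The image for the controller
    image: '[[ .docker.repo ]]unifi:[[ .unifi.controller.version ]]-1'

    # Vault policies attached to the controller task
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'

    # Resource allocation for the controller
    resources:
      cpu: 200
      memory: 1024

    # Services to wait for before starting the controller
    wait_for:
      - service: '[[ .unifi.controller.mongo.service_name ]]'

    # Mongo instance to use
    mongo:

      # The address of the mongo service. Leave the default
      # unless you use an external mongo service.
      # The default points to the loopback address and carries no credentials.
      address: mongodb://127.0.0.1:27017/unifi

      # For stats
      stats_address: mongodb://127.0.0.1:27017/unifi_stats

      # If username is set, the password must be available in vault at
      # [[ .env.suffix ]]/kv/service/unifi in key mongo_pwd
      # Keep the password in vault only: do not embed it in the address URLs above,
      # as this file is meant to be committed.
      # user: unifi

      # Service name of the mongo service. This is used to wait for mongo to be
      # up before starting the controller
      service_name: unifi-mongo

      # Set to true if you want to use an external mongo service
      is_external: false

    # Additional environment vars to pass to the container
    # (do not put secrets here, use vault instead)
    env: {}

    # Public URL to reach the controller web interface
    public_url: https://unifi.example.org

    # Traefik settings
    traefik:

      # List of entrypoints where the management console will be exposed
      # entrypoints:
      #   - https

      middlewares:
        # Tune inflight and rate-limit as the controller can require a high number of requests
        inflight:
          - inflightreq.amount=300
        rate-limit:
          - ratelimit.average=100
          - ratelimit.burst=200

    # Volumes
    volumes:
      data:
        type: csi
        source: unifi-data

  # The inform endpoint is used by the devices to contact the controller
  inform:

    # Public URL of the inform endpoint
    # Note : this MUST be http, not https
    public_url: http://unifi-inform.example.org:8080/inform

    # Traefik settings
    traefik:

      # Traefik router name
      router: inform

      # Use a custom rule for the inform service
      # Only POST on /inform and GET/HEAD under /dl/firmware-cached are routed,
      # nothing else of the controller is reachable through this router
      rule: '(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))'

      # We do not want Traefik to strip the /inform prefix
      strip_prefix: false

      # List of entrypoints where the inform endpoint will be exposed.
      # Note : this should be a list of dedicated entrypoints, as there's no Host header sent with the requests
      # This entrypoint must also listen on port 8080
      # As the rule cannot match on a Host header, anything reaching this entrypoint
      # is routed to the controller: restrict at the network level who can reach it.
      entrypoints:
        - unifi-inform

      # There's no need to add CSP headers here
      csp: false

      # Also, as the inform endpoint is using plain http, remove useless middlewares
      # We also disable compression until Traefik stops compressing when no Accept-Encoding is sent
      # These are disabled for this router only. Do not reuse this block for a
      # browser-facing service.
      middlewares:
        hsts: false
        security: false
        proto: false
        compression: false

  # The guest portal
  guest_portal:

    # Public URL where the guest portal will be reachable
    public_url: https://unifi-portal.example.org:8843/guest

    # Traefik settings
    traefik:

      # Name of the router
      router: portal

      # Do not strip prefix in the auto generated rule
      strip_prefix: false

      # List of entrypoints on which the service will be exposed
      # Note: UniFi doesn't allow customisation of the port, this entrypoint must be listening on port 8843
      entrypoints:
        - unifi-portal

      # Middlewares to load (a mapping, like for the other services; empty here)
      # The portal is reached by guest devices, so review whether rate limiting is needed
      middlewares: {}

  # The STUN service
  stun:

    # Traefik settings
    traefik:

      # Stun is a UDP service
      proto: udp

      # Name of the router
      router: stun

      # List of entrypoints the STUN service will be exposed on
      # Note: This must be UDP entrypoints !
      entrypoints:
        - unifi-stun

  # The nginx reverse proxy is used to expose all Unifi services over a single port
  # So we don't need to run one envoy proxy per port
  nginx:

    # The image to use
    # NOTE(review): unlike the controller and mongo images, this one is not prefixed with
    # [[ .docker.repo ]] and uses the floating 'alpine' tag, so its content can change
    # between deployments. Consider mirroring it and pinning a version tag or a digest.
    image: nginxinc/nginx-unprivileged:alpine

    # Resource allocation
    resources:
      cpu: 10
      memory: 15

  # MongoDB service.
  # Note : this will be ignored if .unifi.controller.mongo.is_external is set to true
  mongo:

    # The image to use
    image: '[[ .docker.repo ]][[ .docker.base_images.mongo50.image ]]'

    # Resource allocation
    resources:
      cpu: 100
      memory: 256

    # Volumes
    volumes:
      mongo:
        type: csi
        source: unifi-mongo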