---
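# The Unifi controller has several components:
# - The controller itself (which also includes the inform, guest_portal and stun services)
# - A small nginx proxy to expose all the various web services of unifi through a single port
# - A mongodb server (optional, an external mongodb can be used instead)
# - A firmware downloader helper: needed because the Unifi Controller can't use an outbound web proxy

# The name of the nomad job
instance: unifi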
unifi:
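# This is for the web management console
# NOTE(review): leading indentation was lost in this listing; the template
# reference to .unifi.controller.version below shows this key sits under `unifi`.
controller:

  # The driver to use (docker or podman)
  driver: docker

  # Version of the controller to deploy
  version: 8.1.127

  # The image for the controller
  image: '[[ .docker.repo ]]unifi:[[ .unifi.controller.version ]]-1'

  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'

  # Resource allocation for the controller
  resources:
    cpu: 200
    memory: 1024

  wait_for:
    - service: '[[ .unifi.controller.mongo.service_name ]]'

  # Mongo instance to use
  mongo:
    # The address of the mongo service. Leave the default
    # unless you use an external mongo service
    address: mongodb://127.0.0.1:27017/unifi
    # For stats
    stats_address: mongodb://127.0.0.1:27017/unifi_stats

    # If user is set, the password must be available in vault at [[ .env.suffix ]]/kv/service/unifi in key mongo_pwd
    # The default URIs above carry no credentials: set user (and the vault
    # secret) when address points at a mongo that is reachable over the network
    # user: unifi

    # Service name of the mongo service. This is used to wait for mongo to be
    # up before starting the controller
    service_name: unifi-mongo

    # Set to true if you want to use an external mongo service
    is_external: false

  # Additional environment vars to pass to the container
  env: {}

  # Public URL to reach the controller web interface
  public_url: https://unifi.example.org

  # Traefik settings
  traefik:

    # List of entrypoints where the management console will be exposed
    # entrypoints:
    #   - https

    middlewares:
      # Tune inflight and rate-limit as the controller can require a high number of requests
      inflight:
        - inflightreq.amount=300
      rate-limit:
        - ratelimit.average=100
        - ratelimit.burst=200

  # Volumes
  volumes:
    data:
      type: csi
      source: unifi-data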
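# The inform endpoint is used by the devices to contact the controller
# NOTE(review): indentation was lost in this listing; the parent key of this
# block cannot be told from here - confirm against the job template.
inform:
  # Public URL of the inform endpoint
  # Note: this MUST be http, not https
  public_url: http://unifi-inform.example.org:8080/inform

  # Traefik settings
  traefik:

    # Traefik router name
    router: inform

    # Use a custom rule for the inform service
    # Only POST /inform and GET/HEAD /dl/firmware-cached are routed. Keep the
    # rule this narrow: the endpoint is plain http and is not matched on Host
    rule: '(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))'

    # We do not want Traefik to strip the /inform prefix
    strip_prefix: false

    # List of entrypoints where the inform endpoint will be exposed.
    # Note: this should be a list of dedicated entrypoints, as there's no Host header sent with the requests
    # This entrypoint must also listen on port 8080
    # NOTE(review): without Host matching, whatever can reach this entrypoint
    # reaches the controller; restrict access to it at the network level
    entrypoints:
      - unifi-inform

    # There's no need to add CSP headers here
    csp: false

    # Also, as the inform endpoint is using plain http, remove useless middlewares
    # We also disable compression until Traefik stops compressing when no Accept-Encoding is sent
    middlewares:
      hsts: false
      security: false
      proto: false
      compression: false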
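# The guest portal
# NOTE(review): indentation was lost in this listing; the parent key of this
# block cannot be told from here - confirm against the job template.
guest_portal:

  # Public URL where the guest portal will be reachable
  public_url: https://unifi-portal.example.org:8843/guest

  # Traefik settings
  traefik:

    # Name of the router
    router: portal

    # Do not strip prefix in the auto generated rule
    strip_prefix: false

    # List of entrypoints on which the service will be exposed
    # Note: UniFi doesn't allow customisation of the port, this entrypoint must be listening on port 8843
    entrypoints:
      - unifi-portal

    # List of middlewares to load
    middlewares: {}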
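# The STUN service
# NOTE(review): indentation was lost in this listing; the parent key of this
# block cannot be told from here - confirm against the job template.
stun:

  # Traefik settings
  traefik:

    # STUN is a UDP service
    proto: udp

    # Name of the router
    router: stun

    # List of entrypoints the STUN service will be exposed on
    # Note: these must be UDP entrypoints!
    entrypoints:
      - unifi-stun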
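# The nginx reverse proxy is used to expose all Unifi services over a single port
# So we don't need to run one envoy proxy per port
# NOTE(review): indentation was lost in this listing; presumably a sibling of
# `controller` under `unifi` - confirm against the job template.
nginx:
  # The image to use
  # NOTE(review): unlike the other images in this file, this one is not prefixed
  # with .docker.repo and uses the floating `alpine` tag, so the deployed content
  # can change between pulls; consider pinning a version tag or a digest
  image: nginxinc/nginx-unprivileged:alpine

  # Resource allocation
  resources:
    cpu: 10
    memory: 15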
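# MongoDB service.
# Note: this will be ignored if .unifi.controller.mongo.is_external is set to true
# NOTE(review): indentation was lost in this listing; presumably a sibling of
# `controller` under `unifi` (distinct from controller.mongo) - confirm.
mongo:

  # The image to use
  image: '[[ .docker.repo ]][[ .docker.base_images.mongo50.image ]]'

  # Resource allocation
  resources:
    cpu: 100
    memory: 256

  # Volumes
  volumes:
    mongo:
      type: csi
      source: unifi-mongo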