author | Svein Ove Aas <sveina@gmail.com> | 2016-08-16 20:42:57 +0100 |
---|---|---|
committer | Svein Ove Aas <sveina@gmail.com> | 2016-08-16 21:01:49 +0100 |
commit | 102472b8dec39c66c5386e8209e08dfac3ccee3c (patch) | |
tree | 745f482d2eec7481485b0b4725f81cd81dc9f8d2 /nixos/modules | |
parent | e3f0a09b6dfee8477eccedeb2994643b5852897f (diff) | |
unifi: Open required ports by default.
The controller does not work at all if they aren't open, except in special configurations involving L3 or custom ports.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/unifi.nix | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix
index e1f4755321f..a8cff638d3b 100644
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@@ -46,6 +46,18 @@ in
 '';
 };
 
+ services.unifi.openPorts = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether or not to open the minimum required ports on the firewall.
+
+ This is necessary to allow firmware upgrades and device discovery to
+ work. For remote login, you should additionally open (or forward) port
+ 8443.
+ '';
+ };
+
 };
 
 config = mkIf cfg.enable {
@@ -56,6 +68,19 @@ in
 home = "${stateDir}";
 };
 
+ networking.firewall = mkIf cfg.openPorts {
+ # https://help.ubnt.com/hc/en-us/articles/204910084-UniFi-Change-Default-Ports-for-Controller-and-UAPs
+ allowedTCPPorts = [
+ 8080 # Port for UAP to inform controller.
+ 8880 # Port for HTTP portal redirect, if guest portal is enabled.
+ 8843 # Port for HTTPS portal redirect, ditto.
+ ];
+ allowedUDPPorts = [
+ 3478 # UDP port used for STUN.
+ 10001 # UDP port used for device discovery.
+ ];
+ };
+
 # We must create the binary directories as bind mounts instead of symlinks
 # This is because the controller resolves all symlinks to absolute paths
 # to be used as the working directory.
@@ -80,8 +105,8 @@ in
 preStart = ''
 # Ensure privacy of state and data.
- chown unifi "${stateDir}" "${dataDir}"
- chmod 0700 "${stateDir}" "${dataDir}"
+ chown unifi "${stateDir}" "${stateDir}/data"
+ chmod 0700 "${stateDir}" "${stateDir}/data"
 
 # Create the volatile webapps
 rm -rf "${stateDir}/webapps" |
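Review bot: `default = true` on `services.unifi.openPorts` in the first hunk changes the firewall posture of every existing deployment on upgrade, and the option description does not say that the listed ports are opened on every interface or that the admin UI port 8443 is intentionally left out of the list in the second hunk. Consider extending the description with `The ports are opened on all interfaces; 8443 (the controller UI) is deliberately not included.` and, if other modules in the tree already use `openFirewall` for this switch, using that name for consistency. The third hunk's replacement of `${dataDir}` with `${stateDir}/data` in preStart is unrelated to the stated purpose of the commit and would be easier to review as its own change, with a note on whether `dataDir` is still defined elsewhere in the module. The enclosing `config = mkIf cfg.enable {` attribute set and the preStart script both extend beyond the hunks shown.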