From db54b03aa8a5f408f9def45133667f9edf993966 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Wed, 12 Feb 2025 06:47:37 -0600 Subject: [PATCH] r/unifi: Switching to custom container image The _linuxserver.io_ image for UniFi Network is deprecated. It sucked anyway. I've created a simple image based on Debian that installs the _unifi_ package from the upstream apt repository. This image doesn't require running anything as _root_, so it doesn't need a user namespace. --- hosts | 5 +++ roles/unifi/defaults/main.yml | 2 +- roles/unifi/tasks/deploy.yml | 45 ------------------------ roles/unifi/templates/unifi.container.j2 | 11 +++--- 4 files changed, 13 insertions(+), 50 deletions(-) diff --git a/hosts b/hosts index fd6b5fe..982b023 100644 --- a/hosts +++ b/hosts @@ -227,6 +227,11 @@ vps [unifi] +[unifi-test] + +[unifi:children] +unifi-test + [vm-hosts] vmhost0.pyrocufflink.blue vmhost1.pyrocufflink.blue diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml index 4336ec6..ecfc0a9 100644 --- a/roles/unifi/defaults/main.yml +++ b/roles/unifi/defaults/main.yml @@ -1,5 +1,5 @@ unifi_version: latest -unifi_container_image: lscr.io/linuxserver/unifi-controller +unifi_container_image: git.pyrocufflink.net/containerimages/unifi unifi_storage_path: /var/lib/unifi unifi_exporter_container_image: docker.io/jessestuart/unifi_exporter diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml index 64e7f7d..e93c8f1 100644 --- a/roles/unifi/tasks/deploy.yml +++ b/roles/unifi/tasks/deploy.yml 
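Review bot: The new default image is still tracked by the floating `latest` tag (`unifi_version: latest`, unchanged on the line above the edited one), so depending on the unit's pull policy the deployed UniFi build can change underneath the playbook with no change in this repository; moving to a self-hosted registry does not alter that. For a controller that holds device adoption keys and admin credentials I would pin the default to a specific release tag of `git.pyrocufflink.net/containerimages/unifi` and record it here, or add a comment above `unifi_version` stating that `latest` is intentional for this host group and where the image build pins the upstream `unifi` package version. Since the commit message says the image installs from Ubiquiti's apt repository, a one-line comment pointing at where that repository's signing key is verified in the image build would let a reader audit the supply chain from this file.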
@@ -1,48 +1,3 @@ -- name: ensure unifi group exists - group: - name: unifi - gid: 911 - system: true - state: present - tags: - - user - - group -- name: ensure unifi user exists - user: - name: unifi - uid: 911 - group: unifi - home: /var/lib/unifi - createhome: false - system: true - state: present - tags: - - user - -- name: ensure containers subuid is configured - lineinfile: - path: /etc/subuid - create: true - line: containers:39290640:1048576 - tags: - - user -- name: ensure containers subgid is configured - lineinfile: - path: /etc/subgid - line: containers:39290640:1048576 - tags: - - user - -- name: ensure unifi storage path exists - file: - path: '{{ unifi_storage_path }}' - owner: unifi - group: unifi - mode: u=rwx,go= - state: directory - tags: - - datadir - - name: ensure unifi.container systemd unit exists template: src: unifi.container.j2 diff --git a/roles/unifi/templates/unifi.container.j2 b/roles/unifi/templates/unifi.container.j2 index ee51929..012d0b7 100644 --- a/roles/unifi/templates/unifi.container.j2 +++ b/roles/unifi/templates/unifi.container.j2 @@ -5,14 +5,17 @@ After=network.target [Container] Image={{ unifi_container_image }}:{{ unifi_version }} -Volume={{ unifi_storage_path }}:/config:rw,Z +Volume=%S/%N:/var/lib/unifi:rw,U,Z +Volume=%L/%N:/var/log/unifi:rw,U,Z Network=host NoNewPrivileges=yes -UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1 -VolatileTmp=yes +ReadOnly=yes +ReadOnlyTmpfs=true Notify=yes [Service] +StateDirectory=%N +LogsDirectory=%N TimeoutStartSec=5min Restart=always PrivateTmp=yes @@ -23,7 +26,7 @@ ProtectProc=invisible ProtectSystem=strict ReadWritePaths=/run ReadWritePaths=/var/lib/containers/storage -ReadWritePaths={{ unifi_storage_path }} +ReadWritePaths=%S/%N RestrictRealtime=yes UMask=0077
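Review bot: With `UserNS=auto:...` removed, the `U` option on the two new `Volume=` lines chowns `%S/%N` and `%L/%N` on the host to whatever uid the image's unifi user has, and that uid is now a real host uid rather than a subordinate one; the same commit drops the tasks that reserved uid 911 as `unifi` on the host, so nothing in this change prevents that uid from colliding with an existing host account that would then own the controller's database. I would either reserve the image's uid on the host and say so in a comment above the volumes, e.g. `# image runs as uid <N>; reserved on the host by roles/unifi`, or, if a user namespace is wanted as defence in depth, keep a plain `UserNS=auto` together with the `containers` subuid/subgid reservation this commit deletes. Per podman's documentation `U` is a recursive chown of the bind source, which on a large MongoDB data directory adds to start time and interacts with `TimeoutStartSec=5min`; that is worth a short comment too. Whether a `User=` line exists is not visible here, as the `[Service]` section continues past the hunk.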
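Review bot: `ReadWritePaths=%S/%N` is added for the state directory but nothing equivalent is added for `%L/%N`, which this commit also bind-mounts read-write into the container as `/var/log/unifi`. If `StateDirectory=`/`LogsDirectory=` already make their paths writable under `ProtectSystem=strict` (I believe systemd's documentation says they are implicitly added to the writable set, but confirm on the target systemd version), the new `ReadWritePaths=%S/%N` line is redundant and can go; otherwise `/var/log/unifi` needs a matching `ReadWritePaths=%L/%N` or the log volume ends up read-only despite `rw`. Either way the two directories should be handled identically, with a one-line comment stating which mechanism grants write access, e.g. `# %S/%N and %L/%N are writable via StateDirectory=/LogsDirectory= despite ProtectSystem=strict`. The remaining sandboxing options of this `[Service]` section start before the hunk.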