From 102472b8dec39c66c5386e8209e08dfac3ccee3c Mon Sep 17 00:00:00 2001
From: Svein Ove Aas
Date: Tue, 16 Aug 2016 20:42:57 +0100
Subject: [PATCH] unifi: Open required ports by default.
The controller does not work at all if they aren't, with the exception of special configurations involving L3 or custom ports.
---
 nixos/modules/services/networking/unifi.nix | 29 +++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix
index e1f4755321f..a8cff638d3b 100644
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@@ -46,6 +46,18 @@ in
 '';
 };
 
+ services.unifi.openPorts = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether or not to open the minimum required ports on the firewall.
+
+ This is necessary to allow firmware upgrades and device discovery to
+ work. For remote login, you should additionally open (or forward) port
+ 8443.
+ '';
+ };
+
 };
 
 config = mkIf cfg.enable {
@@ -56,6 +68,19 @@ in
 home = "${stateDir}";
 };
 
+ networking.firewall = mkIf cfg.openPorts {
+ # https://help.ubnt.com/hc/en-us/articles/204910084-UniFi-Change-Default-Ports-for-Controller-and-UAPs
+ allowedTCPPorts = [
+ 8080 # Port for UAP to inform controller.
+ 8880 # Port for HTTP portal redirect, if guest portal is enabled.
+ 8843 # Port for HTTPS portal redirect, ditto.
+ ];
+ allowedUDPPorts = [
+ 3478 # UDP port used for STUN.
+ 10001 # UDP port used for device discovery.
+ ];
+ };
+
 # We must create the binary directories as bind mounts instead of symlinks
 # This is because the controller resolves all symlinks to absolute paths
 # to be used as the working directory.
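Review bot: `default = true;` on the new `services.unifi.openPorts` option means that merely enabling the service opens firewall ports on every interface, whereas NixOS service modules generally make firewall opening opt-in; consider `default = false;` with the description telling the user which ports to open, accepting that the controller then needs one extra line of configuration. If the default is kept, the description should at least list the ports it opens (the second hunk names 8080/8880/8843 TCP and 3478/10001 UDP) and say that `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` are not scoped to an interface, e.g. `Opens TCP 8080, 8880, 8843 and UDP 3478, 10001 on all interfaces; restrict with your own rules if this host has a public interface.` The enclosing `options` attribute set begins before this hunk.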
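Review bot: 8880 and 8843 are opened unconditionally in `allowedTCPPorts` even though the comments on those lines say they are only needed when the guest portal is enabled, so a controller with no guest portal exposes two listeners it does not use; a separate option such as `openGuestPortalPorts` (default false) or a note in the `openPorts` description would keep the default hole to what the comment calls "minimum required". 8080 is described as the port the UAPs use to inform the controller, which is plaintext HTTP accepted from any source once this rule is in place, so the exposure on hosts with a non-LAN interface deserves a sentence in the option description. A short comment at the end of the list, `# 8443 (web UI) and the database are intentionally not opened; see the openPorts description.`, would make the omission read as deliberate rather than forgotten.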
@@ -80,8 +105,8 @@ in
 preStart = ''
 # Ensure privacy of state and data.
- chown unifi "${stateDir}" "${dataDir}"
- chmod 0700 "${stateDir}" "${dataDir}"
+ chown unifi "${stateDir}" "${stateDir}/data"
+ chmod 0700 "${stateDir}" "${stateDir}/data"
 # Create the volatile webapps
 rm -rf "${stateDir}/webapps"
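Review bot: The `chown`/`chmod` lines now hard-code `"${stateDir}/data"` in place of `"${dataDir}"`; if `dataDir` is still bound elsewhere in this file and can resolve to something other than `${stateDir}/data`, the 0700 protection no longer covers the directory the controller actually writes to, so either remove `dataDir` altogether or keep `"${dataDir}"` here so the two cannot drift apart. Both commands act only on the two top-level directories, not recursively, which is fine as long as everything beneath them is created by the unifi user, but a comment such as `# Non-recursive on purpose: the service creates everything below as unifi.` would make that assumption explicit for the next reader. `preStart` continues past the end of this hunk.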