Merge pull request #17782 from Baughn/unifi-fix

Unifi controller fixes

nixos/modules/services/networking/unifi.nix

@@ -46,6 +46,18 @@ in
       '';
     };
 
+    services.unifi.openPorts = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether or not to open the minimum required ports on the firewall.
+
+        This is necessary to allow firmware upgrades and device discovery to
+        work. For remote login, you should additionally open (or forward) port
+        8443.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -56,6 +68,19 @@ in
       home = "${stateDir}";
     };
 
+    networking.firewall = mkIf cfg.openPorts {
+      # https://help.ubnt.com/hc/en-us/articles/204910084-UniFi-Change-Default-Ports-for-Controller-and-UAPs
+      allowedTCPPorts = [
+        8080  # Port for UAP to inform controller.
+        8880  # Port for HTTP portal redirect, if guest portal is enabled.
+        8843  # Port for HTTPS portal redirect, ditto.
+      ];
+      allowedUDPPorts = [
+        3478  # UDP port used for STUN.
+        10001 # UDP port used for device discovery.
+      ];
+    };
+
     # We must create the binary directories as bind mounts instead of symlinks
     # This is because the controller resolves all symlinks to absolute paths
     # to be used as the working directory.
@@ -79,9 +104,9 @@ in
       environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib";
 
       preStart = ''
-        # Ensure privacy of state
+        # Ensure privacy of state and data.
-        chown unifi "${stateDir}"
+        chown unifi "${stateDir}" "${stateDir}/data"
-        chmod 0700 "${stateDir}"
+        chmod 0700 "${stateDir}" "${stateDir}/data"
 
         # Create the volatile webapps
         rm -rf "${stateDir}/webapps"