pyrox.dev
unifi: Open required ports by default.
The controller does not work at all if they aren't, with the exception
of special configurations involving L3 or custom ports.
+27
-2
nixos/modules/services/networking/unifi.nix
+27
-2
nixos/modules/services/networking/unifi.nix
···
46
46
'';
47
47
};
48
48
49
+
services.unifi.openPorts = mkOption {
50
+
type = types.bool;
51
+
default = true;
52
+
description = ''
53
+
Whether or not to open the minimum required ports on the firewall.
54
+
55
+
This is necessary to allow firmware upgrades and device discovery to
56
+
work. For remote login, you should additionally open (or forward) port
57
+
8443.
58
+
'';
59
+
};
60
+
49
61
};
50
62
51
63
config = mkIf cfg.enable {
···
56
68
home = "${stateDir}";
57
69
};
58
70
71
+
networking.firewall = mkIf cfg.openPorts {
72
+
# https://help.ubnt.com/hc/en-us/articles/204910084-UniFi-Change-Default-Ports-for-Controller-and-UAPs
73
+
allowedTCPPorts = [
74
+
8080 # Port for UAP to inform controller.
75
+
8880 # Port for HTTP portal redirect, if guest portal is enabled.
76
+
8843 # Port for HTTPS portal redirect, ditto.
77
+
];
78
+
allowedUDPPorts = [
79
+
3478 # UDP port used for STUN.
80
+
10001 # UDP port used for device discovery.
81
+
];
82
+
};
83
+
59
84
# We must create the binary directories as bind mounts instead of symlinks
60
85
# This is because the controller resolves all symlinks to absolute paths
61
86
# to be used as the working directory.
···
80
105
81
106
preStart = ''
82
107
# Ensure privacy of state and data.
83
-
chown unifi "${stateDir}" "${dataDir}"
84
-
chmod 0700 "${stateDir}" "${dataDir}"
108
+
chown unifi "${stateDir}" "${stateDir}/data"
109
+
chmod 0700 "${stateDir}" "${stateDir}/data"
85
110
86
111
# Create the volatile webapps
87
112
rm -rf "${stateDir}/webapps"