Add Unifi Network

1-nixos-node/configuration.nix

@@ -113,6 +113,50 @@
   networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];
   networking.firewall.allowedUDPPorts = [ 8301 ];
 
+  # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)
+  virtualisation.docker.enable = true;
+
+  # Proper systemd service definition for macvlan network creation
+  systemd.services.docker-macvlan-network = {
+    description = "Ensure macvlan Docker network exists";
+    after = [ "network-online.target" "docker.service" ];
+    wants = [ "network-online.target" "docker.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+    };
+    # Provide required binaries in PATH
+    path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];
+    script = ''
+      set -euo pipefail
+      NET_NAME=macvlan
+      if docker network inspect "$NET_NAME" >/dev/null 2>&1; then
+        echo "Docker network $NET_NAME already exists"
+        exit 0
+      fi
+      echo "Creating Docker macvlan network $NET_NAME on interface ${bind_interface}"
+      # We intentionally do NOT use --ip-range here to avoid allocating the
+      # same reserved pool on every host (which could lead to collisions if
+      # multiple macvlan containers are started across nodes). Instead, we
+      # give critical services (like UniFi) an explicit static IP via the
+      # Nomad job (Docker static assignment) and rely on manual DHCP
+      # reservations to prevent conflicts.
+      #
+      # If you later need multiple macvlan-assigned containers per host,
+      # consider one of these strategies:
+      #  1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)
+      #  2. Parameterize an ip-range per host in Terraform and template here
+      #  3. Keep a registry of allocated static IPs in Consul KV / Nomad vars
+      docker network create -d macvlan \
+        --subnet=192.168.1.0/24 \
+        --gateway=192.168.1.1 \
+        -o parent=${bind_interface} \
+        "$NET_NAME"
+      echo "Docker macvlan network $NET_NAME created"
+    '';
+    restartIfChanged = false; # Don't rerun just because comment changed
+  };
+
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
   # accidentally delete configuration.nix.

2-nomad-config/2-ingress/traefik.nomad.hcl

@@ -112,6 +112,9 @@ EOF
       template {
         data = <<EOF
 http:
+  serversTransports:
+    ignorecert:
+      insecureSkipVerify: true
   middlewares:
     auth:
       forwardAuth:
@@ -173,6 +176,11 @@ http:
     hass-token:
       rule: "Host(`${hass_magic_token}-hass.othrayte.one`)"
       service: hass
+    unifi-network:
+      rule: "Host(`network.othrayte.one`)"
+      service: unifi-network
+      middlewares:
+        - auth
 
   services:
     traefik:
@@ -203,6 +211,11 @@ http:
       loadBalancer:
         servers:
           - url: "http://192.168.1.234:8123"
+    unifi-network:
+      loadBalancer:
+        serversTransport: ignorecert
+        servers:
+          - url: "https://192.168.1.50:8443"
 EOF
 
         destination = "local/configs/nomad.yml"

2-nomad-config/unifi.nomad.hcl

@@ -0,0 +1,50 @@
+job "unifi-network" {
+  group "unifi-network" {
+    count = 1
+
+    task "unifi-controller" {
+      driver = "docker"
+
+      config {
+        image = "jacobalberty/unifi:v9.5.21"
+
+        // Fixed IP on the actual network so that devices can find it
+        network_mode = "macvlan"
+        ipv4_address = "192.168.1.50"
+      }
+
+      env {
+        TZ                 = "Australia/Melbourne"
+        SYSTEM_IP          = "192.168.1.50"
+        JVM_INIT_HEAP_SIZE = "1024M"
+        JVM_MAX_HEAP_SIZE  = "1024M"
+        UNIFI_STDOUT       = "true"
+      }
+
+      volume_mount {
+        volume      = "unraid_appdata_unifi_network"
+        destination = "/unifi" # Expected root directory (contains data, log, cert subdirs)
+        read_only   = false
+      }
+
+      resources {
+        cpu        = 200
+        memory     = 1850
+        memory_max = 2500
+      }
+    }
+
+    # CSI volume for UniFi Controller persistent data/logs
+    volume "unraid_appdata_unifi_network" {
+      type            = "csi"
+      read_only       = false
+      source          = "unraid_appdata_unifi_network"
+      access_mode     = "single-node-writer"
+      attachment_mode = "file-system"
+
+      mount_options {
+        mount_flags = ["uid=0", "gid=0"]
+      }
+    }
+  }
+}

2-nomad-config/unifi.tf

@@ -0,0 +1,32 @@
+
+resource "nomad_job" "unifi_network" {
+  jobspec = file("unifi.nomad.hcl")
+}
+
+
+resource "nomad_csi_volume_registration" "unraid_appdata_unifi_network" {
+  # Note: Before changing the definition of this volume you need to stop the jobs that are using it
+  depends_on = [data.nomad_plugin.smb]
+  plugin_id  = "smb"
+
+  volume_id = "unraid_appdata_unifi_network"
+  name      = "unraid_appdata_unifi_network"
+
+  external_id = "unraid_appdata_unifi_network"
+
+  capability {
+    access_mode     = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    source = "//192.168.1.192/appdata"
+    subDir = "unifi-network" # Note: Needs to be manually created on the share
+  }
+
+  secrets = {
+    "username" = "nomad"
+    "password" = data.sops_file.secrets.data["unraid.nomad"]
+  }
+}
+