ubnt_platform_mgmt - UBNT Platform Management Ansible Roll

An ansible role for managing and providing advanced configuration of UBNT EdgeMAX and UniFI Network Devices.

Description

After doing some research I realized there's a bunch fo scattered material for automating management and taking advantage of the functionatly of these great network devices. The goal is to consolidate that information and simplify the extension of the core platform to enable things like LetsEncrypt, Easy OpenVPN Connectivity, OSPF, MPLS and Other Advanced Configures.

Features

A list features based on the research included here I'm hoping to implement.

Requirements

• Some UBNT (EdgeRouter/UniFI) Devices to Manage.
• unifi_controller_facts

Role Variables

Install SSH Authorized Keys

Provide the location for the SSH keys that will be installed for SSH key based authentication to the ubnt device.

ubnt_ssh_authorized_key: ~/.ssh/id_ed25519.pub

AWS Route53 DNS Update

AWS Credentials and additional information needed for updating Route53 information. This is currently untested.

Example Variables:

aws_access_key_id: < AWS_ACCESS_KEY_ID >
aws_secret_access_key: < AWS_SECRET_ACCESS_KEY >
aws_route53_domain: pouliot.net
aws_route53_network: 192.168.1.0/24
aws_route53_syslog_facility: local7
aws_route53_exclude_host: nothisone.pouliot.net

Get EdgeSwitch Config

Script template to get ERX config.

• get-EdgeSwitch-config.sh

Cloudflared on Unifi/EdgeRouter Devices

Building Cloudflared for Unifi USG

docker run \
  --rm \
  -v ${PWD}:/usr/src/myapp \
  -w /usr/src/myapp \
  -e GOOS=linux \
  -e GOARCH=mips64 \
  golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared ; GOOS=linux GOARCH=mips64 go build -ldflags='-s -w' -v -x github.com/cloudflare/cloudflared/cmd/cloudflared "

Building Cloudflared for Unifi EdgeRouterX

docker run \
  --rm \
  -v ${PWD}:/usr/src/myapp \
  -w /usr/src/myapp \
  -e GOOS=linux \
  -e GOARCH=mipsle \
  golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared ; GOOS=linux GOARCH=mipsle go build -ldflags='-s -w' -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

Pixiecore on Unifi/Edgerouter Devices

Building Pixiecore for Unifi USG

docker run \
  --rm \
  -v ${PWD}:/usr/src/myapp \
  -w /usr/src/myapp \
  -e GOOS=linux \
  -e GOARCH=mips64 \
  golang bash -c "go get -v go.universe.tf/netboot/cmd/pixiecore ; GOOS=linux GOARCH=mips64 go build -ldflags='-s -w' -v -x go.universe.tf/netboot/cmd/pixiecore"

Building Pixiecore for Unifi EdgeRouterX

docker run \
  --rm \
  -v ${PWD}:/usr/src/myapp \
  -w /usr/src/myapp \
  -e GOOS=linux \
  -e GOARCH=mipsle \
  golang bash -c "go get -v go.universe.tf/netboot/cmd/pixiecore ; GOOS=linux GOARCH=mipsle go build -ldflags='-s -w' -v -x go.universe.tf/netboot/cmd/pixiecore"

Example Playbook

Here is a non-working example of typical usage.

- hosts: localhost
  gather_facts: True
  roles:
    - ppouliot.ubnt_platform_mgmt

Resources

Security

• https://networkjutsu.com/hardening-edgerouter-lite-part-1/
• https://miketabor.com/enable-ssh-auto-login-ubiquiti-edgerouter-x/
• https://community.ubnt.com/t5/EdgeRouter/ssh-authorized-keys/td-p/458361
• https://community.ubnt.com/t5/UniFi-Stories/Adding-Let-s-Encrypt-certificate-to-UniFi-Cloud-Key-without/cns-p/2222363
• https://github.com/Ar0xA/USG-DNS-ADBLOCK
• https://github.com/amarcu5/EdgeOS-Blacklist
• https://github.com/britannic/blacklist
• https://github.com/Ar0xA/USG-DNS-ADBLOCK
• https://bendews.com/posts/implement-dns-over-https/
• https://github.com/j-c-m/ubnt-letsencrypt
• https://github.com/neilalexander/vyatta-cjdns
• https://github.com/bettermanbao/erx-shadowsocks-libev
• https://github.com/cmur2/vyatta-sixxs
• A Pi-hole equivalent for the Unifi Security Gateway
• pi-hole conditional forwarding and unifi networking
• catching naughty devices on my home network
• https://github.com/brontide/usg-blacklist

VPN

• Pritunl to USG/Unifi
• https://community.ubnt.com/t5/UniFi-Routing-Switching/OpenVPN-to-Pritunl-using-USG/td-p/2161699
• https://github.com/mafredri/vyatta-wireguard-installer
• https://github.com/whiskerz007/ubnt_get_wireguard

Routing

• https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-PRO-4-amp-MPLS-Outbound-routing-works-but-unable-to-reach/td-p/2450723
• https://github.com/basmeerman/unifi-usg-kpn
• How to build a load balancer with BGP and ECMP

Cloud DNS

• Update AWS Route53
• Install cloudflared on UniFI Controller
• Cloudflare DynDNS
• https://github.com/Twanislas/ubnt-cloudflared
• https://khaz.me/cloudflare-ddns-configuration-for-unifi-usg/
• ubnt_cloudflared
• https://github.com/kchristensen/udm-le

API

• https://github.com/Art-of-WiFi/UniFi-API-client/
• https://github.com/tbyehl/edgerouter-backup
• https://github.com/syncloudsoft/unifi-client
• https://github.com/hobbyquaker/unifi2mqtt
• https://github.com/jens-maus/node-unifi
• https://github.com/KoenZomers/UniFiApi

Captive Portal/Wifi Addons

• https://github.com/davidmaitland/unifi-voucher-generator
• https://gist.github.com/troyfontaine/43f4a978418b845cdbb117ffe1fd30e8
• https://github.com/bsab/django-unifi-portal
• https://github.com/emanuelepaiano/espresso-portal
• https://github.com/SEQUOIIA/unifi-proper-portal
• https://github.com/kaptk2/portal
• http://dl.ubnt.com/unifi/3.2.10/portal_sample_paypal.zip
• https://github.com/PaintSplasher/unifi-voucher-service
• https://github.com/woodjme/unifi-hotspot
• https://github.com/batesta/whoshere

Scripts

• https://github.com/stevejenkins/unifi-linux-utils
• https://github.com/oldsj/edgerouter-automation
• https://github.com/brianredbeard/edgeos_setup
• kenmoini/unifi_controller_facts
• https://github.com/btaub/misc-scripts/blob/master/get-EdgeSwitch-config.sh
• https://github.com/jaysoffian/eap_proxy
• https://github.com/ubiquiti/eot-controller
• https://github.com/Enatec/UniFiTooling
• https://github.com/martbrooks/unifi_ssl_certs
• https://github.com/dmbaturin/scripts/blob/master/usg-config-export.py
• https://github.com/msnelling/ansible-unifi
• https://github.com/boostchicken/udm-utilities
• https://github.com/richardhofman/ansible-role-edgerouter/
• Ansible Example w/ Jinja template

surveillance tools

• https://github.com/unifi-toolbox/unifi-protect-video-downloader
• https://github.com/yuppity/unifi-video-api
• https://github.com/petergeneric/unifi-protect-remux

Backup

• EdgeRouter to git repo backup scripts.
• Oxidized
• https://github.com/gebn/unifibackup
• https://github.com/zhangyoufu/unifi-backup-decrypt

Monitoring, Alerting & Logging

• Nagios Plugin to check Unifi Controller
• Sensu plugin that polls metrics from UBNT Unifi wireless controllers
• Collect your Unifi Controller Data and send it to an InfluxDB instance. Grafana dashboards included
• Periodic monitoring of UBNT EdgeRouter metrics not otherwise available via SNMP and logging to InfluxDB/Grafana
• Simple web server that connects to a Ubiquiti Edge Router to show who is using a substantial amount of data
• Perl Module to output UBNT info
• https://github.com/mikeder/edgerouter-graylog-extractors
• https://github.com/lowfive/graylog-grok-edgerouter
• https://github.com/Graylog2/graylog-guide-ubiquity-unify-ap
• https://github.com/breakandinspect/graylog
• https://github.com/loganmarchione/graylog-edgerouter-lite
• https://github.com/edoput/netjsonconfig-airos
• https://github.com/WaterByWind/grafana-dashboards
• https://github.com/zbx-sadman/unifi_miner
• https://github.com/zbx-sadman/unifi_proxy
• https://github.com/mdlayher/unifi_exporter
• https://github.com/caglar10ur/elk-usg
• https://github.com/custom-components/sensor.unifigateway
• unifi-poller
• https://github.com/tusc/ntopng-udm
• https://github.com/iobroker-community-adapters/ioBroker.unifi
• https://github.com/custom-components/sensor.unifigateway
• https://github.com/finish06/Unifi-Metrics-Collector
• https://github.com/jcoutch/usg-scripts
• https://github.com/Manawyrm/unifirespondd
• https://github.com/tborychowski/unifi-event-monitor

Configuration examples & Documentation

• https://github.com/stevejenkins/UBNT-EdgeRouter-Example-Configs
• https://github.com/ekrunch/ubiquiti_unifi_configs
• https://github.com/psaintemarie/unifi-bytel
• https://github.com/TimoDJatomika/EdgeRouter-Stuff
• Vyatta Network OS High Availability
• 235723207-UniFi-USG-UDM-Port-Forwarding-Configuration-and-Troubleshooting
• https://github.com/chashtag/unifi-8021x-setup

PiHole Integration

• PiHole - Catching and dealing w/ naughty devices
• Unifi Usg dnat rule for pi-hole or other dns redirection
• How To Enable InterVLAN Routing on the UniFi USG
• Firewall-rules-DNS-blocking-except-for-my-local-Pi-Hole
• PiHole across VLANs blocking internet traffic SOLVED

Unifi Data Sheets

• Unifi Access Points Data Sheet
• Unifi AP Mesh Data Sheet

Napalm

• napalm-vyos driver
• napalm-edgeos driver older
• napalm-edgeos driver newer

Troubleshooting

• cloud key wont start controller web UI we do not support upgrading from 5 11 46

Sonos

• VLAN inter-accessibility for MultiCast devices (SONOS, Chromecast, Airtame, etc)
• EdgeRouter Setup IGMP proxy and statistics
• Configure Sonos across subnets on USG
• Unifi Sonos and VLANs
• An optimal configuration for a Unifi Managed Network & Sonos
• Tips Connecting to SONOS speakers on a Unifi Wireless Network.
• Sonos on Unifi Network Gear
• How to configure your UniFi network for Sonos
• Tips: Running Sonos wired and wireless in a pure Unifi (Ubiquiti) network environment
• Getting Sonos and Ubiquiti to play nice

Camera's

• Successfully Installed 2 G4 Doorbells with wiring diagram

Contributors

• Peter Pouliot [email protected]

Copyright and License

Copyright (C) 2018 Peter J. Pouliot

Peter Pouliot can be contacted at: [email protected]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.