Infrastructure as Code to deploy UniFi OS Server on Oracle Cloud Always Free.
This Terraform configuration uses an external module (terraform-oci-free-tier-instance) to provision:
- An Oracle Cloud instance (VM.Standard.A1.Flex or VM.Standard.E2.1.Micro)
- A Virtual Cloud Network (VCN) with a public subnet
- A reserved public IP (Always Free)
- Security Lists for all UniFi OS Server ports
- A dynamic Ansible inventory via the ansible_host resource
- Automatic execution of the Ansible playbook via the ansible_playbook resource
terraform/
├── main.tf # Call to the external unifi_instance module
├── locals.tf # Construction of the UniFi security rules
├── variables.tf # UniFi-specific variables
├── outputs.tf # Outputs (proxied from the module)
├── ansible.tf # Ansible integration
└── versions.tf # Providers
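The security-relevant piece of locals.tf is how the per-port enable_port_* flags and allowed_unifi_cidrs are turned into ingress rules. The following is an added illustration, not the project's own locals.tf: the rule object shape (protocol/port/source_cidr) and the check block are assumptions, and the real input schema is the one documented in terraform-oci-free-tier-instance.

```hcl
# Added example: derive the UniFi ingress rules from the enable_port_* flags
# so that a disabled service never gets a rule, and every enabled rule is
# scoped to allowed_unifi_cidrs rather than opened to the whole internet.
# Only the ports marked "Required" in variables.tf are listed here.
locals {
  unifi_ports = {
    https_portal     = { enabled = var.enable_port_https_portal,     protocol = "tcp", port = 8443,  desc = "Application GUI/API" }
    websockets       = { enabled = var.enable_port_websockets,       protocol = "tcp", port = 11443, desc = "Browser access / Remote Management" }
    device_adoption  = { enabled = var.enable_port_device_adoption,  protocol = "tcp", port = 8080,  desc = "Device inform/adoption" }
    stun             = { enabled = var.enable_port_stun,             protocol = "udp", port = 3478,  desc = "STUN discovery" }
    device_discovery = { enabled = var.enable_port_device_discovery, protocol = "udp", port = 10001, desc = "Device discovery" }
  }

  # One ingress rule per (enabled port, allowed CIDR). The object shape is an
  # assumption for this example, not the module's documented input schema.
  unifi_ingress_rules = flatten([
    for name, p in local.unifi_ports : [
      for cidr in var.allowed_unifi_cidrs : {
        description = "UniFi ${p.desc} (${p.port}/${p.protocol})"
        protocol    = p.protocol
        port        = p.port
        source_cidr = cidr
      }
    ] if p.enabled
  ])

  # SSH keeps its own allow-list (allowed_ssh_cidrs) so the management plane
  # and the UniFi service ports can be restricted independently.
  ssh_ingress_rules = [
    for cidr in var.allowed_ssh_cidrs : {
      description = "SSH"
      protocol    = "tcp"
      port        = 22
      source_cidr = cidr
    }
  ]
}

# Terraform >= 1.5 check block (assumed addition): warns at plan/apply time if
# the UniFi ports are still reachable from 0.0.0.0/0, which the variable
# description advises against.
check "unifi_cidrs_not_world_open" {
  assert {
    condition     = !contains(var.allowed_unifi_cidrs, "0.0.0.0/0")
    error_message = "allowed_unifi_cidrs contains 0.0.0.0/0; restrict it to your network IPs."
  }
}
```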
The OCI module is maintained in a dedicated repository: github.com/gaetanars/terraform-oci-free-tier-instance
The terraform-oci-free-tier-instance module is generic and reusable for other Oracle Cloud Free Tier projects. It supports:
- 3 network modes: full stack, existing network, hybrid
- 3 public IP modes: reserved, ephemeral, none
- Security Lists and NSGs: flexible security rules
- Block volumes: additional storage with backups
- Cloud-init: initialisation via templates
- Multiple VNICs: secondary network interfaces
See the module documentation for details.
```bash
# Initialise Terraform
terraform init
# Plan the changes
terraform plan
# Apply (also runs Ansible automatically)
terraform apply
```
Note: terraform apply runs the Ansible playbook automatically thanks to the ansible_playbook resource with replayable = true. This means that every time you run terraform apply, Ansible reconfigures the server according to the variables defined in ansible_host.
Two methods are available:

Via Terraform:
```bash
terraform apply
```
The ansible_playbook resource runs the playbook automatically with the inventory built from the ansible_host and ansible_group resources.

Via Ansible directly:
```bash
cd ../ansible
ansible-playbook playbook.yml
```
This uses the dynamic inventory that reads the resources from the Terraform state via the cloud.terraform.terraform_provider plugin.
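The two paths above share one inventory source: the ansible_host and ansible_group resources in Terraform state. The following is an added sketch of how ansible.tf can wire the module output into those resources; it is not the project's own ansible.tf. The output name instance_public_ip and the resource names come from this page; the playbook path, the remote user, the SSH key path and the variables handed to Ansible are assumptions.

```hcl
# Added example (not the project's ansible.tf). Assumes the ansible/ansible
# provider (~> 1.3.0 per versions.tf) and the unifi_instance module output
# instance_public_ip listed in outputs.tf.

resource "ansible_group" "unifi" {
  name = "unifi"
}

resource "ansible_host" "unifi_server" {
  name   = module.unifi_instance.instance_public_ip
  groups = [ansible_group.unifi.name]

  # Everything placed here lands in Terraform state and in the dynamic
  # inventory. Pass only what the playbook needs; secrets such as
  # ddclient_password and the API tokens are in state regardless, so the
  # state backend must be protected like a secret store.
  variables = {
    ansible_user                 = "ubuntu"            # assumed remote user
    ansible_ssh_private_key_file = "~/.ssh/id_rsa"     # assumed key path
    timezone                     = var.timezone
    ddclient_enabled             = tostring(var.ddclient_enabled)
    unifi_easy_encrypt_enabled   = tostring(var.unifi_easy_encrypt_enabled)
  }
}

resource "ansible_playbook" "configure_unifi" {
  playbook = "${path.module}/../ansible/playbook.yml"   # assumed path
  name     = ansible_host.unifi_server.name

  # replayable = true re-runs the playbook on every terraform apply, so any
  # manual drift on the server is reconciled with the declared variables.
  replayable = true

  extra_vars = {
    ansible_user                 = "ubuntu"
    ansible_ssh_private_key_file = "~/.ssh/id_rsa"
  }
}

# For the second method (running ansible-playbook by hand), the same hosts
# are read back from state with an inventory file such as this (YAML shown
# as a comment; path relative to the ansible/ directory is an assumption):
#
#   plugin: cloud.terraform.terraform_provider
#   project_path: ../terraform
```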
The documentation of variables, outputs and resources below is generated automatically by terraform-docs.
| Name | Version |
|---|---|
| terraform | >= 1.9.0 |
| ansible | ~> 1.3.0 |
| oci | ~> 7.0 |
| Name | Version |
|---|---|
| ansible | 1.3.0 |
| Name | Source | Version |
|---|---|---|
| unifi_instance | github.com/gaetanars/terraform-oci-free-tier-instance | v0.5.0 |
| Name | Type |
|---|---|
| ansible_host.unifi_server | resource |
| ansible_playbook.configure_unifi | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_ssh_cidrs | List of CIDR blocks allowed to SSH | list(string) | [ | no |
| allowed_unifi_cidrs | List of CIDR blocks allowed to access UniFi ports (restrict to your network IPs for better security) | list(string) | [ | no |
| auto_updates | Enable automatic security updates | bool | true | no |
| boot_volume_id | OCID of the boot volume to reuse when source_type = 'bootVolume' | string | null | no |
| boot_volume_size_in_gbs | Size of boot volume in GB (max 200 for Always Free) | number | 50 | no |
| compartment_ocid | OCID of the compartment | string | n/a | yes |
| ddclient_cmd | Command for IP detection when use=cmd (e.g., curl https://checkipv4.dedyn.io/) | string | "" | no |
| ddclient_enabled | Enable ddclient for dynamic DNS updates | bool | false | no |
| ddclient_hostname | Hostname to update (e.g., unifi.example.com) | string | "" | no |
| ddclient_login | DNS provider login/email (leave empty if not required) | string | "" | no |
| ddclient_password | DNS provider API token or password | string | "" | no |
| ddclient_protocol | DNS provider protocol (cloudflare, namecheap, googledomains, etc.) | string | "cloudflare" | no |
| ddclient_server | DNS provider server (e.g., update.dedyn.io for dyndns2) | string | "" | no |
| ddclient_ssl | Enable SSL for ddclient connections | string | "yes" | no |
| ddclient_use | IP detection method (web, cmd, if, ip) | string | "web" | no |
| ddclient_zone | DNS zone/domain (e.g., example.com) | string | "" | no |
| disable_ipv6 | Disable IPv6 on the server (optional, for stability) | bool | false | no |
| enable_icmp_ping | Enable ICMP (ping) - Useful for network diagnostics | bool | true | no |
| enable_port_device_adoption | Enable Device Adoption (8080/tcp) - Required for device inform/adoption (restrict IPs via allowed_unifi_cidrs) | bool | true | no |
| enable_port_device_discovery | Enable Device Discovery (10001/udp) - Required for device discovery during adoption | bool | true | no |
| enable_port_hotspot_8880 | Enable Hotspot Portal Redirection (8880/tcp) - Optional, for guest portal HTTP redirect | bool | true | no |
| enable_port_hotspot_8881 | Enable Hotspot Portal Redirection (8881/tcp) - Optional, for guest portal HTTP redirect | bool | true | no |
| enable_port_hotspot_8882 | Enable Hotspot Portal Redirection (8882/tcp) - Optional, for guest portal HTTP redirect | bool | false | no |
| enable_port_http | Enable HTTP (80/tcp) - Required for HTTP-01 challenge (Let's Encrypt SSL certificates) | bool | false | no |
| enable_port_https_guest_portal | Enable HTTPS Guest Portal (8843/tcp) - Optional, for guest portal HTTPS redirect | bool | true | no |
| enable_port_https_portal | Enable Application GUI/API (8443/tcp) - Required for web UI on UniFi Console | bool | true | no |
| enable_port_mobile_speedtest | Enable Mobile Speed Test (6789/tcp) - Required for UniFi mobile app speed test | bool | true | no |
| enable_port_remote_logging | Enable Remote Syslog Capture (5514/udp) - Optional, for remote syslog | bool | false | no |
| enable_port_secure_portal | Enable Secure Portal for Hotspot (8444/tcp) - Optional, for secure hotspot portal | bool | true | no |
| enable_port_stun | Enable STUN Discovery (3478/udp) - Required for remote access and device discovery | bool | true | no |
| enable_port_unifi_10003 | Enable UniFi Port 10003 (10003/udp) - Unknown use | bool | false | no |
| enable_port_unifi_11084 | Enable UniFi Port 11084 (11084/tcp) - Unknown use | bool | false | no |
| enable_port_unifi_5005 | Enable UniFi Port 5005 (5005/tcp) - Unknown use | bool | false | no |
| enable_port_unifi_9543 | Enable UniFi Port 9543 (9543/tcp) - Unknown use | bool | false | no |
| enable_port_websockets | Enable Application GUI/API (11443/tcp) - Required for web browser access and Remote Management | bool | true | no |
| fingerprint | Fingerprint of the API key | string | n/a | yes |
| instance_display_name | Display name for the instance | string | "unifi-network-server" | no |
| instance_memory_in_gbs | Amount of memory in GB (for flexible shapes, max 24 for Always Free) | number | 12 | no |
| instance_ocpus | Number of OCPUs (for flexible shapes, max 4 for Always Free) | number | 2 | no |
| instance_shape | Shape of the instance (Always Free: VM.Standard.A1.Flex or VM.Standard.E2.1.Micro) | string | "VM.Standard.A1.Flex" | no |
| private_key_path | Path to your private API key | string | n/a | yes |
| region | Oracle Cloud region | string | "eu-paris-1" | no |
| source_type | Boot source for the instance: 'image' (fresh install) or 'bootVolume' (reuse existing boot volume) | string | "image" | no |
| ssh_public_key_path | Path to SSH public key | string | "~/.ssh/id_rsa.pub" | no |
| subnet_cidr_block | CIDR block for subnet | string | "10.0.1.0/24" | no |
| tags | Tags to apply to resources | map(string) | { | no |
| tenancy_ocid | OCID of your tenancy | string | n/a | yes |
| timezone | Timezone for the server | string | "Europe/Paris" | no |
| ubuntu_version | Ubuntu version to use (e.g., 22.04, 24.04) | string | "24.04" | no |
| unattended_upgrades_origins | List of origins allowed for unattended upgrades. Use Ubuntu placeholders like ${distro_id} and ${distro_codename} | list(string) | [ | no |
| unifi_easy_encrypt_email | Email address for Let's Encrypt notifications | string | "" | no |
| unifi_easy_encrypt_enabled | Enable UniFi Easy Encrypt for automatic Let's Encrypt SSL certificates | bool | false | no |
| unifi_easy_encrypt_external_dns | External DNS server to resolve the FQDN (e.g., 1.1.1.1, 8.8.8.8) | string | "" | no |
| unifi_easy_encrypt_force_renew | Force certificate renewal even if configuration hasn't changed | bool | false | no |
| unifi_easy_encrypt_fqdn | Fully Qualified Domain Name for the SSL certificate (e.g., unifi.example.com) | string | "" | no |
| unifi_easy_encrypt_run_after_install | Run the script immediately after installation (requires --skip, --email, and --fqdn) | bool | false | no |
| unifi_os_server_download_url | URL to download UniFi OS Server installer (ARM64 version) | string | "https://fw-download.ubnt.com/data/unifi-os-server/df5b-linux-arm64-5.0.6-f35e944c-f4b6-4190-93a8-be61b96c58f4.6-arm64" | no |
| user_ocid | OCID of the user | string | n/a | yes |
| vcn_cidr_block | CIDR block for VCN | string | "10.0.0.0/16" | no |
| Name | Description |
|---|---|
| installation_complete_check | Command to verify installation is complete |
| installation_status_command | Command to check installation status |
| instance_id | OCID of the UniFi instance |
| instance_private_ip | Private IP of the UniFi instance |
| instance_public_ip | Public IP of the UniFi instance (reserved - Always Free) |
| instance_state | State of the instance |
| next_steps | Next steps after deployment |
| reserved_public_ip_id | OCID of the reserved public IP |
| ssh_command | SSH command to connect to the instance |
| subnet_id | OCID of the subnet |
| unifi_web_url | UniFi OS Server web interface URL |
| vcn_id | OCID of the VCN |