Setup UniFi Controller v8.x+ on Ubuntu

unifi-ubuntu-jammy.sh

#!/usr/bin/env bash

### Setup UniFi Controller Software on Ubuntu ###

# - Download Ubuntu 22.04: https://releases.ubuntu.com/jammy/
# - UniFi Controller Software Releases: https://community.ui.com/releases
# - Updating and Installing Self-Hosted UniFi Network Servers (Linux): https://help.ui.com/hc/en-us/articles/220066768
# - Self-Hosting a UniFi Network Server: https://help.ui.com/hc/en-us/articles/360012282453
# - UniFi - Repairing Database Issues on the UniFi Network Application: https://help.ui.com/hc/en-us/articles/360006634094
# - UISP Installation Guide: https://help.ui.com/hc/en-us/articles/115012196527-UNMS-Installation-Guide
# - https://community.ui.com/releases/UniFi-Network-Application-8-4-59/d3ba4443-ad36-4566-b1e6-2d21d8b4f225

### LXD/LXC/Incus ###

# lxc init -p default -p br0 images:ubuntu/22.04 unifi-controller
# lxc init -p default images:ubuntu/22.04 unifi-controller
# lxc config set unifi-controller limits.cpu=2
# lxc config set unifi-controller limits.memory.enforce=hard limits.memory=2048MB
# lxc config device override unifi-controller root size=20GB
# lxc config set unifi-controller boot.autostart=1 boot.autostart.delay=0 boot.host_shutdown_timeout=30
# lxc config show unifi-controller --expanded
#
# lxc start unifi-controller
#
# lxc exec unifi-controller -- apt-get update
# lxc exec unifi-controller -- apt-get -y install ca-certificates apt-transport-https gnupg
#
# lxc exec unifi-controller /bin/bash

### Docker ###

# https://docs.linuxserver.io/images/docker-unifi-network-application/
# https://github.com/GiuseppeGalilei/Ubiquiti-Tips-and-Tricks
# https://forums.unraid.net/topic/147455-support-unifi-controller-unifi-unraid-reborn/

DEBUG="off"

function debug_mode() {
  [ ${DEBUG} == "on" ] && "${@}"
};

debug_mode set -e

# Check if this script was run as a non-root user
function is_root() {
  if [[ ${EUID} -ne 0 ]]; then
    echo "This script must be run as root."
    exit 1
  fi
};
is_root

# Check if this script is being run on Ubuntu
function is_ubuntu() {
  local distro
  distro=$(awk '/^ID=/' /etc/*-release | tr -d '"' | awk -F'=' '{ print tolower($2) }')
  
  case "${distro}" in
    ubuntu) echo 'This is Ubuntu Linux' ;;
         *) echo 'This is not Ubuntu Linux.'; exit 1 ;; 
  esac
};
is_ubuntu

mkdir -p /etc/apt/{apt.conf,trusted.gpg,sources.list}.d

# Disable phased updates found in Ubuntu 21.10 and newer
cat <<'EOF' | tee /etc/apt/apt.conf.d/99custom-disable-phased-updates
// To have all your machines phase the same, set the same string in this field
// If commented out, apt will use /etc/machine-id to seed the random number generator
APT::Machine-ID "aaaabbbbccccddddeeeeffff";

// Always include phased updates.
// For example, after your initial build, you would comment this out.
// If left in place you will *always* include phased updates instead of phasing all machines together.
Update-Manager::Always-Include-Phased-Updates;
APT::Get::Always-Include-Phased-Updates: True;

EOF

# Disable apt install of recommended software
cat <<'EOF' | tee /etc/apt/apt.conf.d/99custom-no-install-recommends
// Disable the automatic install of recommended packages.
APT::Install-Recommends "false";

// Disable the install of suggested packages
//APT::Install-Suggests "false";

EOF

# Disable apt advertisements.
command -v pro >/dev/null 2>&1 \
  && pro config set apt_news=false
  
# Disable MOTD advertisements on login.
test -f /etc/default/motd-news \
  && sed -i -e 's/ENABLED=1/ENABLED=0/g' /etc/default/motd-news

# Disable needrestart found in 22.04 and newer as it causes issues for scripts and automation solutions.
test -f /etc/needrestart/needrestart.conf \
  && sed -i "/#\$nrconf{restart} = 'i';/s/.*/\$nrconf{restart} = 'a';/" /etc/needrestart/needrestart.conf

# Enable universe repoistory
function enable_universe() {
  command -v apt-add-repository >/dev/null 2>&1 && apt-add-repository universe
}

# Enable multiverse repository
function enable_multiverse() {
  command -v apt-add-repository >/dev/null 2>&1 && apt-add-repositor multiverse
}

# Enable restricted repository
function enable_restricted() {
  command -v apt-add-repository >/dev/null 2>&1 && apt-add-repositor restricted
}

enable_universe
#enable_multiverse
#enable_restricted

function aptup() {
  # Perform a upgrade and refresh of existing installed packages
  apt-get update -y \
    && apt-get -o APT::Get::Always-Include-Phased-Updates=true upgrade -y
}
aptup

function snapref() {  
  command -v snap >/dev/null 2>&1 && snap refresh
}
snapref

# Install the following packages
apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y binutils \
  coreutils \
  curl \
  wget \
  lsb-release \
  ca-certificates \
  apt-transport-https \
  software-properties-common \
  gnupg \
  tzdata

### Optional packages
#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y haveged
apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y \
  vim-tiny \
  net-tools \
  dnsutils \
  mtr-tiny

### (Optional) install openSSH Server
#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y openssh-server

### (Optional) install UFW
#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y ufw

# If UFW installed, create applicate profile for the unifi controller service
test -d /etc/ufw/applications.d && cat << 'EOF' | tee /etc/ufw/applications.d/unifi-controller
[unifi-controller]
title=UniFi Controller Software
description=UniFi Controller Software
ports=22/tcp|80/tcp|443/tcp|8080/tcp|8443/tcp|3478/udp|5514/udp|6789/tcp|10001/udp|1900/udp|5656:5699/tcp

EOF

if command -v ufw >/dev/null 2>&1; then
  test -f /etc/ufw/applications.d/unifi-controller && ufw allow unifi-controller
  
  # Allow SSH
  #ufw allow 22/tcp comment "Allow ssh, tcp port 22"
  #ufw limit 22/tcp
  
  # Configure default policy for UFW
  ufw default allow outgoing
  ufw default deny incoming
  
  # Configure UFW for minimal logging
  ufw logging on low
  
  # Enable UFW
  ufw enable
  #ufw status
  
fi;

### Set timezone for UTC
timedatectl set-timezone UTC

### Java ###

# UniFi Network Application 7.5.174 requires Java 17
#
# - https://adoptium.net/en-GB/temurin/releases/?version=17

## OpenJDK 17 ##

apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y openjdk-17-jre-headless
#apt-mark hold openjdk-17-*

## OpenJDK 11 ##

#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y openjdk-11-jre-headless
#apt-mark hold openjdk-11-*

# Set the JAVA_HOME environment variable for the UniFi service
#mkdir -p /etc/systemd/system/unifi.service.d

#printf "[Service]\nEnvironment=\"JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64\"\n" \
#  | tee /etc/systemd/system/unifi.service.d/10-override.conf > /dev/null

#systemctl daemon-reload

# This is a workaround for OpenJDK 11 issues as the jsvc 
# expects to find libjvm.so at lib/amd64/server/libjvm.so
#ln -s /usr/lib/jvm/java-11-openjdk-amd64/lib/ /usr/lib/jvm/java-11-openjdk-amd64/lib/amd64

## OpenJDK 8 ##

#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y openjdk-8-jre-headless
#apt-mark hold openjdk-8-*

### UniFi Controller Software ###

# UniFi Network Application 7.5 and newer requires MongoDB 3.6 and Java 17.
# Version 7.5 till 8.0 supports up to MongoDB 4.4.
# Version 8.1 and newer supports up to MongoDB 7.0.
#
# https://community.ui.com/releases
# https://dl.ui.com/unifi/7.5.174/unifi_sysvinit_all.deb
# https://dl.ui.com/unifi/7.5.174/UniFi.unix.zip
# https://dl.ui.com/unifi/7.5.174/unifi_sh_api

# Add the UniFi Stable repo to the host
wget -qO- https://dl.ui.com/unifi/unifi-repo.gpg \
  | tee /etc/apt/trusted.gpg.d/unifi-repo.gpg > /dev/null

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/trusted.gpg.d/unifi-repo.gpg] \
https://www.ui.com/downloads/unifi/debian stable ubiquiti" \
  | tee /etc/apt/sources.list.d/ubnt-unifi-stable.list > /dev/null

### MongoDB ###

# UniFi Network Application 7.5.174 requires MongoDB 3.6 or newer.
# UniFi 7.5.X will require 3.6.0 up to (excluding) 5.0.0, so in total: 3.6, 4.0, 4.2 and 4.4 (max).
# UniFi 7.4.X drops support for anything below 2.6.0, so requires min 2.6.0 and max 3.6.
# UniFi 6.X and 7.X up to excluding 7.4 mainly required 2.4.10 or 2.6.0 as min and anything below 3.0, 3.2, 3.4 and 3.6 (max).

## MongoDB v3.6 ##

# Add the MongoDB v3.6 repo to the host
wget -qO- https://www.mongodb.org/static/pgp/server-3.6.asc \
  | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-org-server-3.6-archive-keyring.gpg > /dev/null

echo "#deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/trusted.gpg.d/mongodb-org-server-3.6-archive-keyring.gpg] \
https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/3.6 multiverse" \
  | tee /etc/apt/sources.list.d/mongodb-org-3.6.list > /dev/null

## MongoDB v4.4 ##

# Add the MongoDB v4.4 repo to the host
wget -qO- https://www.mongodb.org/static/pgp/server-4.4.asc \
  | gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-org-server-4.4-archive-keyring.gpg > /dev/null

echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/mongodb-org-server-4.4-archive-keyring.gpg] \
https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" \
  | tee /etc/apt/sources.list.d/mongodb-org-4.4.list > /dev/null

## MongoDB v7.0 ##


### OpenSSL (libss1.1) ###

# http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/
# http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb
curl -sSfL 'http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb' \
  -o libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb
test -f ./libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb && dpkg -i libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb
test -f ./libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb && rm -f ./libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb
  
### Caddy Webserver

#apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y debian-keyring debian-archive-keyring

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | gpg --dearmor -o /etc/apt/trusted.gpg.d/caddy-stable.gpg > /dev/null

cat <<EOF | tee /etc/apt/sources.list.d/caddy-stable.list
# https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/trusted.gpg.d/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
#deb-src [dpkg --print-architecture) signed-by=/etc/apt/trusted.gpg.d/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main

EOF

# Install and enable the MongoDB server service
apt-get update -y \
  && apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y mongodb-org-server

systemctl enable --now mongod.service
#systemctl status --no-pager --full mongod.service

# Install and enable the UniFi controller software
apt-get -o APT::Get::Always-Include-Phased-Updates=true install -y unifi

systemctl enable --now unifi.service
#systemctl status --no-pager --full unifi.service

# Verify
#journalctl --no-pager --unit unifi.service
#dpkg -s unifi | grep -i version
#curl -k -sL https://127.0.0.1:8443/status | python3 -m json.tool
#tail -n 25 /usr/lib/unifi/logs/server.log
#tail -n 25 /usr/lib/unifi/logs/mongod.log

# Cleanup
apt-get clean && apt-get autoclean

This worked with two caveats / recent updates -

• /etc/apt/trusted.gpg.d/keyrings last dir needed creating (lines 103, 111)
• libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb is now libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb (line 119-120)

@flrichar ty for sharing. I've updated script to include newer libssl1.1 deb package, updated openjdk jre from 11 to 17, mongodb server 3.6 to 4.4 and fixed the bug regarding the keyrings directory.

I didn't use your script but your command to install libssl1.1 which cannot get resolved by apt in ubuntu 22.04. Together with the official steps I got it running, so thank you! :)

edit: sorry for the font, i don't understand why :-(

Something is wrong on my fresh Ubuntu server 22-04 with all recent updates at Dec 19 2023 10:30 UTC
The source of the problem is the usual libssl 1.1
Ty for your work and help
V.S.

{cut}

--2023-12-19 10:32:19-- http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.81, 185.125.190.36, 91.189.91.82, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.81|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-12-19 10:32:19 ERROR 404: Not Found.

{cut}

Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
mongodb-org-server : Depends: libssl1.1 (>= 1.1.0) but it is not installable
E: Unable to correct problems, you have held broken packages.
Failed to enable unit: Unit file mongod.service does not exist.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
mongodb-org-server : Depends: libssl1.1 (>= 1.1.0) but it is not installable
E: Unable to correct problems, you have held broken packages.
Failed to enable unit: Unit file unifi.service does not exist.

I linked the libssl-steps of the original author above, but the link doesn't work anymore since it was updated:
here's what i did:
1.

wget -c http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb \
  && dpkg -i libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb \
  && rm -f ./libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb

2. follow the official steps linked here
   the first step should solve your error mongodb-org-server : Depends: libssl1.1 (>= 1.1.0) but it is not installable

@thimslugga @niemsoen Unfortunately that wget for libssl 1.1 fails with a 404 error now.

$wget -c http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb

--2023-12-23 22:55:48--  http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.19_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.83, 91.189.91.81, 185.125.190.36, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.83|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-12-23 22:55:49 ERROR 404: Not Found.

EDIT: Ok, the command should now be: wget -c http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb (so the end bit is ubuntu2.20 instead of 2.19).

For future people who end up here, if this step is giving you issue, then go the your browser and browse to http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/ this will give you a list of packages, just scroll down and look for libssl1.1_1.1.1f-1ubuntu2. and then take note of the number after the 2. (as of this comment, it's 20) and modify the line in the scripts appropriately, or just manually do this step with wget and dpkg.

@jarrodCoombes ty for sharing, I've updated the gist with the new libssl1.1 url.

@thimslugga Just a reminder that the script will need to be updated with ubuntu version 2.23

http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.23_amd64.deb

@Engineer152 thank you for sharing. I've updated the gist with the new url.