unifi5: Follow new mitigation guidelines

Simply disabling lookups isn't enough, and the JndiLookup class must be
removed:

https://web.archive.org/web/20211217085954/https://logging.apache.org/log4j/2.x/security.html

nixos/modules/services/networking/unifi.nix

@@ -7,7 +7,6 @@ let
     @${cfg.jrePackage}/bin/java java \
         ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \
         ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \
-        ${optionalString (lib.versionOlder cfg.unifiPackage.version "6.5.54") "-Dlog4j2.formatMsgNoLookups=true"} \
         -jar ${stateDir}/lib/ace.jar
   '';
 in

pkgs/servers/unifi/default.nix

@@ -1,10 +1,9 @@
-{ lib, stdenv, dpkg, fetchurl }:
+{ lib, stdenv, dpkg, fetchurl, zip }:
 
 let
-  generic = { version, sha256, suffix ? "" }:
+  generic = { version, sha256, suffix ? "", ... } @ args:
-  stdenv.mkDerivation {
+  stdenv.mkDerivation (args // {
     pname = "unifi-controller";
-    inherit version;
 
     src = fetchurl {
       url = "https://dl.ubnt.com/unifi/${version}${suffix}/unifi_sysvinit_all.deb";
@@ -36,7 +35,7 @@ let
       platforms = platforms.unix;
       maintainers = with maintainers; [ erictapen globin patryk27 pennae ];
     };
-  };
+  });
 
 in rec {
   # see https://community.ui.com/releases / https://www.ui.com/download/unifi
@@ -49,6 +48,11 @@ in rec {
   unifi5 = generic {
     version = "5.14.23";
     sha256 = "1aar05yjm3z5a30x505w4kakbyz35i7mk7xyg0wm4ml6h94d84pv";
+
+    postInstall = ''
+      # Remove when log4j is updated to 2.12.2 or 2.16.0.
+      ${zip}/bin/zip -q -d $out/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+    '';
   };
 
   unifi6 = generic {