Hey, this sounds like my kind of project!
You’ve already been getting some good advice, so I’ll lay out how I would do it and you can take whatever parts are useful to you.
Gateway/Firewall
pfSense or OPNsense on a capable, but not overkill 1U server (with AES-NI of course).
This will handle your LAN to WAN traffic, so IDS/IPS (Suricata), basic internet firewall stuff (block private IPs coming in from the internet, blacklists, blah blah), QoS, VPN tunnels, etc.
Router
I think that Unifi makes a lot of sense for you. With the Gateway handling the IPS/IDS and other heavy lifting (which Unifi routers aren’t particularly good at), you can give yourself the gift of easy Unifi deployment/management.
This will just route LAN traffic, so maybe some light VLAN/firewall rules to separate admin, management, surveillance, basic users, etc. It’s mainly just there to push packets, unencumbered by WAN concerns.
One caveat here is that if you only have 1 public IP address, you’ll need to manually disable NAT on the Unifi router (presently can’t be done through the management interface) and have the gateway handle NAT. If you have a /29 block of IPs (or more), you just need to make a point-to-point connection between the gateway and Unifi router, letting Unifi handle NAT (this will consume 3 public IPs).
As far as which model, if price is no object, you might as well get the XG. The Pro gateway is looking a little long in the tooth.
Switches
You should go Unifi all the way here to take full advantage of the centralized management. They should have everything you need in their catalog except for a 10GBASE-T access switch. I don’t know why they don’t have one yet. I believe the Netgear options are decent. You could also just go all in on SFP+ and use the XG-16’s (yes I know they have 4 10GBASE-T ports, but that’s pretty meagre if you’re looking for 10GbE everywhere).
APs
Ubiquiti has an AP for everyone. I’m sure you can figure out what suits each placement best.
Cabling
I would run redundant fiber lines between each building, creating a loop if possible for maximum redundancy.
The CAT6 vs CAT6A thing boils down to an inconsistency in standards. CAT6 lists 10Gb/s, but 10GBASE-T explicitly required CAT6A (I believe it makes no mention of CAT6). For me, I always go with CAT6A for 10GbE. It just eliminates a variable if you have a sketchy connection.
Rolls of CAT6A aren’t that expensive anymore, and the patch cables aren’t expensive at all.
Cameras
You might as well go with the Unifi cameras unless you have something else in mind. IMO, it beats configuring Zoneminder.
It’ll give you an excuse to get one of these babies so you can keep everything rack-mount form factor (no Cloud Key or little NVR).
Anyway, hope some of that helps. Obviously, there’s a few ways to skin a cat here, so you could take none of this advice and still get what you need.