diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 411cecb..346d3cf 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -111,6 +111,12 @@ matrix_dbpass: "{{ vault_matrix_dbpass }}" mc_domain: minecraft.binary-kitchen.de +netbox_domain: netbox.binary.kitchen +netbox_dbname: netbox +netbox_dbuser: netbox +netbox_dbpass: "{{ vault_netbox_dbpass }}" +netbox_secret: "{{ vault_netbox_secret }}" + nextcloud_domain: oc.binary-kitchen.de nextcloud_dbname: owncloud nextcloud_dbuser: owncloud diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 446c550..97607c3 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,64 +1,70 @@ $ANSIBLE_VAULT;1.1;AES256 -37623239353765633630353337643231343235623233303064653262333865643730663763633465 -6461396231656335313364383239346532643962663661630a643262633934623265646166666635 -35376235616335303335616139306136633736363332376462303839306632643438363332363065 -6232376662313062310a343835363535383638613232333038636563393263363736343134343333 -63633061626639623265626237323234636166323934396533356565333838373130353031323839 -35326439353930383865326163323363393734633239623566383265613339653237613364356562 -30666366656437633236353036663534356637643938376234616464346538393637393830666232 -62303962376332323966373837376239343061393834636536316137643365376436353034393838 -33346430353034663235333165333536303538396631663039353534323531393064663566366334 -38623461643633373533326636393962333534336631653139383034653933356162366561386362 -66313662653136333137633930346363386363346630636631623165346539376135326264333836 -62333735343763353764346433323965646539656332353564313031653436353639363434643132 -62616462623539303933343139313665353734313062313065316565303262393036643238636432 -63323462613339353664663565373466633833343836646533353639636534393364353065393964 -65663363646163663332646430653433636365343531336436343664396564343538373336666434 -37633832386537383438666263303562643236313931373864333236383033653861663332383663 -38396435663636643366626233366161643231386162636438613638363161396466666163356232 -62373861633366363435366635323162613866643039386665303164303861626665363362653864 -64653533626561313232666665613566666562623430323037623162626462323133663432356333 -63393363336563346336643566356662336131393961643735646337336632363733333764346233 -38333862343562616261373239343565336565663933383261656131323834633333363135623335 -63326335323532326431313930643061303564653636663331663265653039653031626139356566 -62616533373765386561393632306236393939316139333530356339373130326265616635623563 -61366164626131613664633236366233316432653163336461306132353662313636653166643562 -62636362626333643030323164323733613735376235303366633136333064393566613463653236 -64653838653932653931353835663030623339653066616534633732333636636435313761623631 -32393261646135626363363362366436366637303866623461396665393163363163373737396336 -30623936653136396439313833373565663432636263383262333562613262613632343165633964 -34383531653864393165393039333239376463633565333337646639636138376134653238626166 -64616663643062373933323138326261353632323864643730313433373536373964663064383538 -62666366383630386430383930343634623064633930383634393765633363313765343039663933 -62383362356162356364373535383066326462373563306338316634393762633235323431626330 -36313765353339613036613761363032636539363830353538633536653161636334303362633161 -39393063633231323335663066373463303233373062616237366432303733653030663066626236 -62643739346463396339363739306231363266366664393037343630366430626362656365656439 -32323765666233353861613362663061313239353033336166346431346635383566383931313861 -36333731346630663431643761366139356166656130383633303939643737663637346162306466 -30303061383832383334366330326133383538633333383839353630303131333662303236656665 -37356266333038386565343363346635653263393665623931313337383962343261636339363764 -35643666373335613165626463363830666566303236396362346130303566323434303965366164 -65353531333134646366343538623434353662393439336362353366303534616233346633363130 -31393131643863303537376166343534356436313235353532646137623664376638666334363731 -31323033616663613839336661333237323231623830303531343438633739326435613535366433 -33306364366433383939343931393838633866363761346361663538383533653235383233393737 -38663037663263383732646131356461323861393961663965336437333139363066356564373837 -65373835356164643163633331343437366533316565663330313631376138343538366233663934 -64373862643934663332323532663266653932366633303038353639663466306661663333646232 -39613630613736306362616238653533313830326661656433373731653165616637636661393138 -39623036366465346362616639633232656136656535306334646361353937663335613039303738 -61613262643637633033353564326633613364353637616535313439636535353632393265313964 -64626535626230373361353937323362363636353466656237613862366261626166633530383862 -63366561313637386362653636333537383539326661383232613961313534386633626133363438 -30343634666336316539333261653065626562613865636335383564393664333962343334663339 -66383232333837323461336462333535626434383731383331613030363131366230396264363964 -34646232366337356265393235623565306562323337663438383239353837393437643635633164 -34376465343837633233313065653031383563356537366439306633306361613830616165633932 -31663361363032353261373163666138643536353335656438356165616235313563393733396238 -37343534353739366163646237303737373738623761623038313962373739353638646564396439 -39346663643861653030373334363836346336643764373261393436313564343930376137396130 -62356335363636333866393935316139376363623234646533363665613862366630653963613466 -31376435323165653964383266323463396361383533666261346166663036656536653361666133 -32376334613533353362383938643639633366636134353038643564633062663934643765613262 -356330333364636633373065346138313131 +39316232613634343830643461396530306634313466313837613964663431373865373035653433 +6265376565646564306666623636313130666437343230640a663762663137333466343732666635 +63666363393037316430393738636462313162346465316237666566613337306538366432326462 +6631323763636237350a613837366362386663356463333161643837666664353938633432623662 +33656566633435343964313966333063313432666531633962636533326262346166356237373261 +35323463323364643734356630366539346534323838653237383632363861633434306166306363 +37363362656337623966323933653266393835346136306337663030336266336261366465393465 +36336530633334356435616639623935313437663435366464663462393465336461313236633461 +63303436393361326163396636386137393261366266363066623633383734376435636666356663 +61663730623332356636643434393466356265383136656562633035616232613662353063643138 +64323665366438306339623064393661633939306136313235643465653635623363376239393965 +31623039373330333534396133363663316364316463653733393539633439653934613035626366 +39636164633061303665353732363038643435393430666438646633383638343839633336313338 +32316163663838323730356336636666336165643636313665363032303765653435633831356338 +36626666333432323031373131396466663233373266333635336566313837366137376536376138 +64333764366536343137613532616431643532653364343763343138633735303030393066383938 +36626633323634613538383762666239653865363033303338666638323839386461393037313562 +31643365303833363265353663383365336231636562626536663330623163633063623961346139 +39353432366235663033623930656463323032333034326562343139376439366230356261616233 +34363464376133623232666334663366333833326531313363393935356666323739353030613666 +36383861323664613833613034616264636538353762376661336431373735376563343137376230 +37383066373439336564353639633736373161346465323965323330616233386366633366356636 +39663361313865346634313764636137363265343466626437643434633266316137613233383138 +66313634303164643662386339396163313335373863656462323561666464636632616436346230 +35376536393235366134363234333638396134633635636132643031346461343266643137666365 +34666165623837343865313265653762363531646230333033373730623866343539663030306563 +38353761656162623561643038653461323361323362383335316562323036373564623632353061 +31363337316131323561633264353233666135393633623962346464653261653065316337333835 +38656233316532336336353331303131353033386233633862316561343563326636303539663866 +64373563666463616335393865623063653462626133643763366239623239663430616539336637 +64333866623733363930313562346231346238623132393862623130393637343265343835383133 +63643037333531666366323965333333643133663330666434316536306165396365623063356530 +62383638616630333163353833376239633839653565346531366539383339376464326437326337 +66363238336462336634613163303037646138323865613237656163386162353666616334323435 +33343133366138636538613939363434343930333265663861346366353863383830313231333938 +62323962333433303539646661363930393136616635343262383739623162616561393335313865 +36643536633466656635653836636161356365303239343036363335326232353931343138353263 +36396331643930663731656432353462613933623733343333343338323831343232393139323664 +34393634323437313162613465376563616636326639643061386362373365323637343262333238 +31383438663933373765646561666233636263373561656336313133616334373766356436303863 +36643730383330633561313131396635653330663837316662383762373932306164336637396530 +63666639366136646364333039373630643662613837356335653334383836373862636539336261 +33663462316666306662323161373161653664333566623437383865373862323836633436636238 +64376661363731306330326631663130366365373564313435633962353137343738363835336464 +61303963386130353230393733663937613336616161353438623531613662363930616433343535 +62633963623037343831353531306537613437663339383064376566366463363461336262633131 +38633031346666393235666464613066353537323134386163333965376638613534623764396635 +34633339663234386562663636626661383839306333616362316264366132343634363761633438 +61616432326465306366333962626164383238373161306533323737326532616166616636393735 +37303032653630666537643238613637626261386536306534643734623430376231633939376263 +35396235633538386632383166653865653535643663353431366361633661306561346137383930 +36626262346165396238626336616437636332386335306135396665333639363165383563616538 +38623330643661646162613734656630633337353638343666613939353063316434656530386262 +65393439333663323063356633616665666535386539323536366535356466353938663035326333 +61303265373136333536653732306231636263343831323532306132653465383732303931386161 +36393564313039336636613562363066373461336439343434333937343664373437386236633332 +33376136613837336365396339396463363665373865323265653438656537613566616531373536 +30313834396564323861386335383863353730663831373262653636373734323232343866303061 +62613534326261383263613535363364663739393836393963346562366339323338373237636661 +61393032366362373236626536663231343566313739386531656434386635336237396632663231 +36303135356539323665333037386237663730643737653962633161663834306538326532303566 +61316563373632643836613831613362613936633630623263363963373132356437303934333035 +35323039386231363265303738643638643864313037386632386539346465643539383533366131 +30313565613161663730626433383334623939323161393061353062333931643930353832626561 +32643134306533386139633837316134653239656334306662653061646331353865343864343730 +38623035376631646662626131333061306331336538636230626535393631343038323962346137 +39346561646361373735326565363936366263376330326334616231636232343862303564383237 +65363334663734313532393338363933646432396434613665316163373838613064663331373536 +3465 diff --git a/hosts b/hosts index 9518249..1d797cc 100644 --- a/hosts +++ b/hosts @@ -4,6 +4,7 @@ bacon.binary.kitchen ansible_host=172.23.2.3 aveta.binary.kitchen ansible_host=172.23.2.4 sulis.binary.kitchen ansible_host=172.23.2.5 nabia.binary.kitchen ansible_host=172.23.2.6 +epona.binary.kitchen ansible_host=172.23.2.7 pizza.binary.kitchen ansible_host=172.23.2.33 bob.binary.kitchen ansible_host=172.23.2.37 bowle.binary.kitchen ansible_host=172.23.2.62 diff --git a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 index cb40234..f2b8630 100644 --- a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 +++ b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 @@ -1,7 +1,7 @@ $ORIGIN 23.172.in-addr.arpa. ; base for unqualified names $TTL 1h ; default time-to-live @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( - 2021070501; serial + 2021071401; serial 1d; refresh 2h; retry 4w; expire @@ -41,6 +41,7 @@ $TTL 1h ; default time-to-live 4.2 IN PTR aveta.binary.kitchen. 5.2 IN PTR sulis.binary.kitchen. 6.2 IN PTR nabia.binary.kitchen. +7.2 IN PTR epona.binary.kitchen. 11.2 IN PTR homer.binary.kitchen. 12.2 IN PTR lock.binary.kitchen. 13.2 IN PTR matrix.binary.kitchen. diff --git a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 index cbfe8cd..48bb5aa 100644 --- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 +++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 @@ -1,7 +1,7 @@ $ORIGIN binary.kitchen ; base for unqualified names $TTL 1h ; default time-to-live @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( - 2021070501; serial + 2021071401; serial 1d; refresh 2h; retry 4w; expire @@ -25,6 +25,7 @@ ldap1 IN A 172.23.2.3 ldap2 IN A 172.23.2.4 ldapm IN A 213.166.246.2 librenms IN A 172.23.2.6 +netbox IN A 172.23.2.7 ns1 IN A 172.23.2.3 ns2 IN A 172.23.2.4 racktables IN A 172.23.2.6 @@ -62,6 +63,7 @@ bacon IN A 172.23.2.3 aveta IN A 172.23.2.4 sulis IN A 172.23.2.5 nabia IN A 172.23.2.6 +epona IN A 172.23.2.7 homer IN A 172.23.2.11 lock IN A 172.23.2.12 matrix IN A 172.23.2.13 diff --git a/roles/netbox/defaults/main.yml b/roles/netbox/defaults/main.yml new file mode 100644 index 0000000..a87800e --- /dev/null +++ b/roles/netbox/defaults/main.yml @@ -0,0 +1,5 @@ +--- + +netbox_group: netbox +netbox_user: netbox +netbox_version: 2.11.9 diff --git a/roles/netbox/handlers/main.yml b/roles/netbox/handlers/main.yml new file mode 100644 index 0000000..4547559 --- /dev/null +++ b/roles/netbox/handlers/main.yml @@ -0,0 +1,13 @@ +--- + +- name: Run acertmgr + command: /usr/bin/acertmgr + +- name: Reload systemd + systemd: daemon_reload=yes + +- name: Restart netbox + service: name=netbox state=restarted + +- name: Restart netbox-rq + service: name=netbox-rq state=restarted diff --git a/roles/netbox/meta/main.yml b/roles/netbox/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/netbox/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml new file mode 100644 index 0000000..b41746e --- /dev/null +++ b/roles/netbox/tasks/main.yml @@ -0,0 +1,141 @@ +--- + +- name: Create group + group: name={{ netbox_group }} + +- name: Create user + user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }} + +- name: Install dependencies + apt: + name: + - build-essential + - libffi-dev + - libpq-dev + - libssl-dev + - libxml2-dev + - libxslt1-dev + - python3-setuptools + - python3-dev + - python3-pip + - python3-venv + - zlib1g-dev + +- name: Install PostgreSQL + apt: + name: + - postgresql + - python3-psycopg2 + +- name: Configure PostgreSQL database + postgresql_db: + name: '{{ netbox_dbname }}' + become: true + become_user: postgres + +- name: Configure PostgreSQL user + postgresql_user: + db: '{{ netbox_dbname }}' + name: '{{ netbox_dbuser }}' + password: '{{ netbox_dbpass }}' + priv: ALL + state: present + become: true + become_user: postgres + +- name: Install redis + apt: name=redis-server + +# TODO configure redis? + +- name: Unpack netbox + unarchive: + src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz' + dest: /opt + remote_src: yes + creates: '/opt/netbox-{{ netbox_version }}' + register: netbox_unarchive + +- name: Configure netbox + template: + src: configuration.py.j2 + dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py' + owner: '{{ netbox_user }}' + group: '{{ netbox_group }}' + +- name: Configure gunicorn + template: + src: gunicorn.py.j2 + dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py' + owner: '{{ netbox_user }}' + group: '{{ netbox_group }}' + +- name: Netbox file permissions + file: + path: '/opt/netbox-{{ netbox_version }}' + owner: '{{ netbox_user }}' + group: '{{ netbox_group }}' + recurse: yes + +- name: Run upgrade script + command: + cmd: ./upgrade.sh + chdir: '/opt/netbox-{{ netbox_version }}' + become: true + become_user: '{{ netbox_user }}' + when: netbox_unarchive.changed + +# TODO - still manual work +# * Create a super user +# * Migrate media files + +- name: Ensure certificates are available + command: + cmd: > + openssl req -x509 -nodes -newkey rsa:2048 + -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt + -days 730 -subj "/CN={{ netbox_domain }}" + creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt' + notify: Restart nginx + +- name: Request nsupdate key for certificate + include_role: name=acme-dnskey-generate + vars: + acme_dnskey_san_domains: + - "{{ netbox_domain }}" + when: "'kitchen' in group_names" + +- name: Configure certificate manager for netbox + template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf + notify: Run acertmgr + +- name: Configure vhost + template: + src: vhost.j2 + dest: /etc/nginx/sites-available/netbox + owner: root + mode: '0644' + notify: Restart nginx + +- name: Enable vhost + file: + src: /etc/nginx/sites-available/netbox + dest: /etc/nginx/sites-enabled/netbox + state: link + notify: Restart nginx + +- name: Install systemd units + template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service + with_items: + - netbox + - netbox-rq + notify: + - Reload systemd + - Restart netbox + - Restart netbox-rq + +- name: Enable services + service: name={{ item }} state=started enabled=yes + with_items: + - netbox + - netbox-rq diff --git a/roles/netbox/templates/certs.j2 b/roles/netbox/templates/certs.j2 new file mode 100644 index 0000000..aac44e9 --- /dev/null +++ b/roles/netbox/templates/certs.j2 @@ -0,0 +1,18 @@ +--- + +{{ netbox_domain }}: +- mode: dns.nsupdate + nsupdate_server: {{ acme_dnskey_server }} + nsupdate_keyfile: {{ acme_dnskey_file }} +- path: /etc/nginx/ssl/{{ netbox_domain }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ netbox_domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' diff --git a/roles/netbox/templates/configuration.py.j2 b/roles/netbox/templates/configuration.py.j2 new file mode 100644 index 0000000..1e2d764 --- /dev/null +++ b/roles/netbox/templates/configuration.py.j2 @@ -0,0 +1,255 @@ +######################### +# # +# Required settings # +# # +######################### + +# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write +# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. +# +# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] +ALLOWED_HOSTS = ['{{ netbox_domain }}'] + +# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters: +# https://docs.djangoproject.com/en/stable/ref/settings/#databases +DATABASE = { + 'NAME': '{{ netbox_dbname }}', # Database name + 'USER': '{{ netbox_dbuser }}', # PostgreSQL username + 'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password + 'HOST': 'localhost', # Database server + 'PORT': '', # Database port (leave blank for default) + 'CONN_MAX_AGE': 300, # Max database connection age +} + +# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate +# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended +# to use two separate database IDs. +REDIS = { + 'tasks': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'PASSWORD': '', + 'DATABASE': 0, + 'SSL': False, + }, + 'caching': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'PASSWORD': '', + 'DATABASE': 1, + 'SSL': False, + } +} + +# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. +# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and +# symbols. NetBox will not run without this defined. For more information, see +# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY +SECRET_KEY = '{{ netbox_secret }}' + + +######################### +# # +# Optional settings # +# # +######################### + +# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of +# application errors (assuming correct email settings are provided). +ADMINS = [ + # ['John Doe', 'jdoe@example.com'], +] + +# URL schemes that are allowed within links in NetBox +ALLOWED_URL_SCHEMES = ( + 'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp', +) + +# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same +# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP. +BANNER_TOP = '' +BANNER_BOTTOM = '' + +# Text to include on the login page above the login form. HTML is allowed. +BANNER_LOGIN = '' + +# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: +# BASE_PATH = 'netbox/' +BASE_PATH = '' + +# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes) +CACHE_TIMEOUT = 900 + +# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90) +CHANGELOG_RETENTION = 90 + +# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be +# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or +# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers +CORS_ORIGIN_ALLOW_ALL = False +CORS_ORIGIN_WHITELIST = [ + # 'https://hostname.example.com', +] +CORS_ORIGIN_REGEX_WHITELIST = [ + # r'^(https?://)?(\w+\.)?example\.com$', +] + +# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal +# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging +# on a production system. +DEBUG = False + +# Email settings +EMAIL = { + 'SERVER': 'localhost', + 'PORT': 25, + 'USERNAME': '', + 'PASSWORD': '', + 'USE_SSL': False, + 'USE_TLS': False, + 'TIMEOUT': 10, # seconds + 'FROM_EMAIL': '', +} + +# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table +# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True. +ENFORCE_GLOBAL_UNIQUE = False + +# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and +# by anonymous users. List models in the form `.`. Add '*' to this list to exempt all models. +EXEMPT_VIEW_PERMISSIONS = [ + # 'dcim.site', + # 'dcim.region', + # 'ipam.prefix', +] + +# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks). +# HTTP_PROXIES = { +# 'http': 'http://10.10.1.10:3128', +# 'https': 'http://10.10.1.10:1080', +# } + +# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing +# NetBox from an internal IP. +INTERNAL_IPS = ('127.0.0.1', '::1') + +# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: +# https://docs.djangoproject.com/en/stable/topics/logging/ +LOGGING = {} + +# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users +# are permitted to access most data in NetBox (excluding secrets) but not make any changes. +LOGIN_REQUIRED = True + +# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to +# re-authenticate. (Default: 1209600 [14 days]) +LOGIN_TIMEOUT = None + +# Setting this to True will display a "maintenance mode" banner at the top of every page. +MAINTENANCE_MODE = False + +# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g. +# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request +# all objects by specifying "?limit=0". +MAX_PAGE_SIZE = 1000 + +# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that +# the default value of this setting is derived from the installed location. +# MEDIA_ROOT = '/opt/netbox/netbox/media' + +# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the +# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example: +# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage' +# STORAGE_CONFIG = { +# 'AWS_ACCESS_KEY_ID': 'Key ID', +# 'AWS_SECRET_ACCESS_KEY': 'Secret', +# 'AWS_STORAGE_BUCKET_NAME': 'netbox', +# 'AWS_S3_REGION_NAME': 'eu-west-1', +# } + +# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics' +METRICS_ENABLED = False + +# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM. +NAPALM_USERNAME = '' +NAPALM_PASSWORD = '' + +# NAPALM timeout (in seconds). (Default: 30) +NAPALM_TIMEOUT = 30 + +# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must +# be provided as a dictionary. +NAPALM_ARGS = {} + +# Determine how many objects to display per page within a list. (Default: 50) +PAGINATE_COUNT = 50 + +# Enable installed plugins. Add the name of each plugin to the list. +PLUGINS = [] + +# Plugins configuration settings. These settings are used by various plugins that the user may have installed. +# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings. +# PLUGINS_CONFIG = { +# 'my_plugin': { +# 'foo': 'bar', +# 'buzz': 'bazz' +# } +# } + +# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to +# prefer IPv4 instead. +PREFER_IPV4 = False + +# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1. +RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22 +RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220 + +# Remote authentication support +REMOTE_AUTH_ENABLED = False +REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' +REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER' +REMOTE_AUTH_AUTO_CREATE_USER = True +REMOTE_AUTH_DEFAULT_GROUPS = [] +REMOTE_AUTH_DEFAULT_PERMISSIONS = {} + +# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour. +RELEASE_CHECK_TIMEOUT = 24 * 3600 + +# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the +# version check or use the URL below to check for release in the official NetBox repository. +RELEASE_CHECK_URL = None +# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases' + +# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +# REPORTS_ROOT = '/opt/netbox/netbox/reports' + +# Maximum execution time for background tasks, in seconds. +RQ_DEFAULT_TIMEOUT = 300 + +# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts' + +# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use +# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only +# database access.) Note that the user as which NetBox runs must have read and write permissions to this path. +SESSION_FILE_PATH = None + +# Time zone (default: UTC) +TIME_ZONE = 'Europe/Berlin' + +# Date/time formatting. See the following link for supported formats: +# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date +DATE_FORMAT = 'N j, Y' +SHORT_DATE_FORMAT = 'Y-m-d' +TIME_FORMAT = 'g:i a' +SHORT_TIME_FORMAT = 'H:i:s' +DATETIME_FORMAT = 'N j, Y g:i a' +SHORT_DATETIME_FORMAT = 'Y-m-d H:i' diff --git a/roles/netbox/templates/gunicorn.py.j2 b/roles/netbox/templates/gunicorn.py.j2 new file mode 100644 index 0000000..363dbc2 --- /dev/null +++ b/roles/netbox/templates/gunicorn.py.j2 @@ -0,0 +1,16 @@ +# The IP address (typically localhost) and port that the Netbox WSGI process should listen on +bind = '127.0.0.1:8001' + +# Number of gunicorn workers to spawn. This should typically be 2n+1, where +# n is the number of CPU cores present. +workers = 5 + +# Number of threads per worker process +threads = 3 + +# Timeout (in seconds) for a request to complete +timeout = 120 + +# The maximum number of requests a worker can handle before being respawned +max_requests = 5000 +max_requests_jitter = 500 diff --git a/roles/netbox/templates/netbox-rq.service.j2 b/roles/netbox/templates/netbox-rq.service.j2 new file mode 100644 index 0000000..b35a7f5 --- /dev/null +++ b/roles/netbox/templates/netbox-rq.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description=NetBox Request Queue Worker +Documentation=https://netbox.readthedocs.io/en/stable/ +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple + +User=netbox +Group=netbox +WorkingDirectory=/opt/netbox-{{ netbox_version }} + +ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker + +Restart=on-failure +RestartSec=30 +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/roles/netbox/templates/netbox.service.j2 b/roles/netbox/templates/netbox.service.j2 new file mode 100644 index 0000000..5fae0f9 --- /dev/null +++ b/roles/netbox/templates/netbox.service.j2 @@ -0,0 +1,22 @@ +[Unit] +Description=NetBox WSGI Service +Documentation=https://netbox.readthedocs.io/en/stable/ +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple + +User=netbox +Group=netbox +PIDFile=/var/tmp/netbox.pid +WorkingDirectory=/opt/netbox-{{ netbox_version }} + +ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi + +Restart=on-failure +RestartSec=30 +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/roles/netbox/templates/vhost.j2 b/roles/netbox/templates/vhost.j2 new file mode 100644 index 0000000..35082b5 --- /dev/null +++ b/roles/netbox/templates/vhost.j2 @@ -0,0 +1,38 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ netbox_domain }}; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + + location / { + return 301 https://{{ netbox_domain }}$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ netbox_domain }}; + + ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt; + + location /static/ { + alias /opt/netbox-{{ netbox_version }}/netbox/static/; + } + + location / { + client_max_body_size 32M; + + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://localhost:8001; + } +} diff --git a/site.yml b/site.yml index 0c16cc5..69434b4 100644 --- a/site.yml +++ b/site.yml @@ -38,6 +38,11 @@ - librenms - prometheus +- name: Setup netbox server + hosts: epona.binary.kitchen + roles: + - netbox + - name: Setup drone runner hosts: bob.binary.kitchen roles: