From f0c55693a874ae1e7684582b979d91e1d007384e Mon Sep 17 00:00:00 2001
From: Markus Hauschild <markus@moepman.eu>
Date: Wed, 14 Jul 2021 17:38:28 +0200
Subject: [PATCH] new host: epona (running netbox)

---
 group_vars/all/vars.yml                       |   6 +
 group_vars/all/vault.yml                      | 132 ++++-----
 hosts                                         |   1 +
 .../bind/23.172.in-addr.arpa.zone.j2          |   3 +-
 .../templates/bind/binary.kitchen.zone.j2     |   4 +-
 roles/netbox/defaults/main.yml                |   5 +
 roles/netbox/handlers/main.yml                |  13 +
 roles/netbox/meta/main.yml                    |   5 +
 roles/netbox/tasks/main.yml                   | 141 ++++++++++
 roles/netbox/templates/certs.j2               |  18 ++
 roles/netbox/templates/configuration.py.j2    | 255 ++++++++++++++++++
 roles/netbox/templates/gunicorn.py.j2         |  16 ++
 roles/netbox/templates/netbox-rq.service.j2   |  21 ++
 roles/netbox/templates/netbox.service.j2      |  22 ++
 roles/netbox/templates/vhost.j2               |  38 +++
 site.yml                                      |   5 +
 16 files changed, 620 insertions(+), 65 deletions(-)
 create mode 100644 roles/netbox/defaults/main.yml
 create mode 100644 roles/netbox/handlers/main.yml
 create mode 100644 roles/netbox/meta/main.yml
 create mode 100644 roles/netbox/tasks/main.yml
 create mode 100644 roles/netbox/templates/certs.j2
 create mode 100644 roles/netbox/templates/configuration.py.j2
 create mode 100644 roles/netbox/templates/gunicorn.py.j2
 create mode 100644 roles/netbox/templates/netbox-rq.service.j2
 create mode 100644 roles/netbox/templates/netbox.service.j2
 create mode 100644 roles/netbox/templates/vhost.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 411cecb..346d3cf 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -111,6 +111,12 @@ matrix_dbpass: "{{ vault_matrix_dbpass }}"
 
 mc_domain: minecraft.binary-kitchen.de
 
+netbox_domain: netbox.binary.kitchen
+netbox_dbname: netbox
+netbox_dbuser: netbox
+netbox_dbpass: "{{ vault_netbox_dbpass }}"
+netbox_secret: "{{ vault_netbox_secret }}"
+
 nextcloud_domain: oc.binary-kitchen.de
 nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 446c550..97607c3 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,64 +1,70 @@
 $ANSIBLE_VAULT;1.1;AES256
-37623239353765633630353337643231343235623233303064653262333865643730663763633465
-6461396231656335313364383239346532643962663661630a643262633934623265646166666635
-35376235616335303335616139306136633736363332376462303839306632643438363332363065
-6232376662313062310a343835363535383638613232333038636563393263363736343134343333
-63633061626639623265626237323234636166323934396533356565333838373130353031323839
-35326439353930383865326163323363393734633239623566383265613339653237613364356562
-30666366656437633236353036663534356637643938376234616464346538393637393830666232
-62303962376332323966373837376239343061393834636536316137643365376436353034393838
-33346430353034663235333165333536303538396631663039353534323531393064663566366334
-38623461643633373533326636393962333534336631653139383034653933356162366561386362
-66313662653136333137633930346363386363346630636631623165346539376135326264333836
-62333735343763353764346433323965646539656332353564313031653436353639363434643132
-62616462623539303933343139313665353734313062313065316565303262393036643238636432
-63323462613339353664663565373466633833343836646533353639636534393364353065393964
-65663363646163663332646430653433636365343531336436343664396564343538373336666434
-37633832386537383438666263303562643236313931373864333236383033653861663332383663
-38396435663636643366626233366161643231386162636438613638363161396466666163356232
-62373861633366363435366635323162613866643039386665303164303861626665363362653864
-64653533626561313232666665613566666562623430323037623162626462323133663432356333
-63393363336563346336643566356662336131393961643735646337336632363733333764346233
-38333862343562616261373239343565336565663933383261656131323834633333363135623335
-63326335323532326431313930643061303564653636663331663265653039653031626139356566
-62616533373765386561393632306236393939316139333530356339373130326265616635623563
-61366164626131613664633236366233316432653163336461306132353662313636653166643562
-62636362626333643030323164323733613735376235303366633136333064393566613463653236
-64653838653932653931353835663030623339653066616534633732333636636435313761623631
-32393261646135626363363362366436366637303866623461396665393163363163373737396336
-30623936653136396439313833373565663432636263383262333562613262613632343165633964
-34383531653864393165393039333239376463633565333337646639636138376134653238626166
-64616663643062373933323138326261353632323864643730313433373536373964663064383538
-62666366383630386430383930343634623064633930383634393765633363313765343039663933
-62383362356162356364373535383066326462373563306338316634393762633235323431626330
-36313765353339613036613761363032636539363830353538633536653161636334303362633161
-39393063633231323335663066373463303233373062616237366432303733653030663066626236
-62643739346463396339363739306231363266366664393037343630366430626362656365656439
-32323765666233353861613362663061313239353033336166346431346635383566383931313861
-36333731346630663431643761366139356166656130383633303939643737663637346162306466
-30303061383832383334366330326133383538633333383839353630303131333662303236656665
-37356266333038386565343363346635653263393665623931313337383962343261636339363764
-35643666373335613165626463363830666566303236396362346130303566323434303965366164
-65353531333134646366343538623434353662393439336362353366303534616233346633363130
-31393131643863303537376166343534356436313235353532646137623664376638666334363731
-31323033616663613839336661333237323231623830303531343438633739326435613535366433
-33306364366433383939343931393838633866363761346361663538383533653235383233393737
-38663037663263383732646131356461323861393961663965336437333139363066356564373837
-65373835356164643163633331343437366533316565663330313631376138343538366233663934
-64373862643934663332323532663266653932366633303038353639663466306661663333646232
-39613630613736306362616238653533313830326661656433373731653165616637636661393138
-39623036366465346362616639633232656136656535306334646361353937663335613039303738
-61613262643637633033353564326633613364353637616535313439636535353632393265313964
-64626535626230373361353937323362363636353466656237613862366261626166633530383862
-63366561313637386362653636333537383539326661383232613961313534386633626133363438
-30343634666336316539333261653065626562613865636335383564393664333962343334663339
-66383232333837323461336462333535626434383731383331613030363131366230396264363964
-34646232366337356265393235623565306562323337663438383239353837393437643635633164
-34376465343837633233313065653031383563356537366439306633306361613830616165633932
-31663361363032353261373163666138643536353335656438356165616235313563393733396238
-37343534353739366163646237303737373738623761623038313962373739353638646564396439
-39346663643861653030373334363836346336643764373261393436313564343930376137396130
-62356335363636333866393935316139376363623234646533363665613862366630653963613466
-31376435323165653964383266323463396361383533666261346166663036656536653361666133
-32376334613533353362383938643639633366636134353038643564633062663934643765613262
-356330333364636633373065346138313131
+39316232613634343830643461396530306634313466313837613964663431373865373035653433
+6265376565646564306666623636313130666437343230640a663762663137333466343732666635
+63666363393037316430393738636462313162346465316237666566613337306538366432326462
+6631323763636237350a613837366362386663356463333161643837666664353938633432623662
+33656566633435343964313966333063313432666531633962636533326262346166356237373261
+35323463323364643734356630366539346534323838653237383632363861633434306166306363
+37363362656337623966323933653266393835346136306337663030336266336261366465393465
+36336530633334356435616639623935313437663435366464663462393465336461313236633461
+63303436393361326163396636386137393261366266363066623633383734376435636666356663
+61663730623332356636643434393466356265383136656562633035616232613662353063643138
+64323665366438306339623064393661633939306136313235643465653635623363376239393965
+31623039373330333534396133363663316364316463653733393539633439653934613035626366
+39636164633061303665353732363038643435393430666438646633383638343839633336313338
+32316163663838323730356336636666336165643636313665363032303765653435633831356338
+36626666333432323031373131396466663233373266333635336566313837366137376536376138
+64333764366536343137613532616431643532653364343763343138633735303030393066383938
+36626633323634613538383762666239653865363033303338666638323839386461393037313562
+31643365303833363265353663383365336231636562626536663330623163633063623961346139
+39353432366235663033623930656463323032333034326562343139376439366230356261616233
+34363464376133623232666334663366333833326531313363393935356666323739353030613666
+36383861323664613833613034616264636538353762376661336431373735376563343137376230
+37383066373439336564353639633736373161346465323965323330616233386366633366356636
+39663361313865346634313764636137363265343466626437643434633266316137613233383138
+66313634303164643662386339396163313335373863656462323561666464636632616436346230
+35376536393235366134363234333638396134633635636132643031346461343266643137666365
+34666165623837343865313265653762363531646230333033373730623866343539663030306563
+38353761656162623561643038653461323361323362383335316562323036373564623632353061
+31363337316131323561633264353233666135393633623962346464653261653065316337333835
+38656233316532336336353331303131353033386233633862316561343563326636303539663866
+64373563666463616335393865623063653462626133643763366239623239663430616539336637
+64333866623733363930313562346231346238623132393862623130393637343265343835383133
+63643037333531666366323965333333643133663330666434316536306165396365623063356530
+62383638616630333163353833376239633839653565346531366539383339376464326437326337
+66363238336462336634613163303037646138323865613237656163386162353666616334323435
+33343133366138636538613939363434343930333265663861346366353863383830313231333938
+62323962333433303539646661363930393136616635343262383739623162616561393335313865
+36643536633466656635653836636161356365303239343036363335326232353931343138353263
+36396331643930663731656432353462613933623733343333343338323831343232393139323664
+34393634323437313162613465376563616636326639643061386362373365323637343262333238
+31383438663933373765646561666233636263373561656336313133616334373766356436303863
+36643730383330633561313131396635653330663837316662383762373932306164336637396530
+63666639366136646364333039373630643662613837356335653334383836373862636539336261
+33663462316666306662323161373161653664333566623437383865373862323836633436636238
+64376661363731306330326631663130366365373564313435633962353137343738363835336464
+61303963386130353230393733663937613336616161353438623531613662363930616433343535
+62633963623037343831353531306537613437663339383064376566366463363461336262633131
+38633031346666393235666464613066353537323134386163333965376638613534623764396635
+34633339663234386562663636626661383839306333616362316264366132343634363761633438
+61616432326465306366333962626164383238373161306533323737326532616166616636393735
+37303032653630666537643238613637626261386536306534643734623430376231633939376263
+35396235633538386632383166653865653535643663353431366361633661306561346137383930
+36626262346165396238626336616437636332386335306135396665333639363165383563616538
+38623330643661646162613734656630633337353638343666613939353063316434656530386262
+65393439333663323063356633616665666535386539323536366535356466353938663035326333
+61303265373136333536653732306231636263343831323532306132653465383732303931386161
+36393564313039336636613562363066373461336439343434333937343664373437386236633332
+33376136613837336365396339396463363665373865323265653438656537613566616531373536
+30313834396564323861386335383863353730663831373262653636373734323232343866303061
+62613534326261383263613535363364663739393836393963346562366339323338373237636661
+61393032366362373236626536663231343566313739386531656434386635336237396632663231
+36303135356539323665333037386237663730643737653962633161663834306538326532303566
+61316563373632643836613831613362613936633630623263363963373132356437303934333035
+35323039386231363265303738643638643864313037386632386539346465643539383533366131
+30313565613161663730626433383334623939323161393061353062333931643930353832626561
+32643134306533386139633837316134653239656334306662653061646331353865343864343730
+38623035376631646662626131333061306331336538636230626535393631343038323962346137
+39346561646361373735326565363936366263376330326334616231636232343862303564383237
+65363334663734313532393338363933646432396434613665316163373838613064663331373536
+3465
diff --git a/hosts b/hosts
index 9518249..1d797cc 100644
--- a/hosts
+++ b/hosts
@@ -4,6 +4,7 @@ bacon.binary.kitchen ansible_host=172.23.2.3
 aveta.binary.kitchen ansible_host=172.23.2.4
 sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
+epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
 bob.binary.kitchen ansible_host=172.23.2.37
 bowle.binary.kitchen ansible_host=172.23.2.62
diff --git a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
index cb40234..f2b8630 100644
--- a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
+++ b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021070501; serial
+					2021071401; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -41,6 +41,7 @@ $TTL 1h				; default time-to-live
 4.2				IN	PTR	aveta.binary.kitchen.
 5.2				IN	PTR	sulis.binary.kitchen.
 6.2				IN	PTR	nabia.binary.kitchen.
+7.2				IN	PTR	epona.binary.kitchen.
 11.2				IN	PTR	homer.binary.kitchen.
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
diff --git a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
index cbfe8cd..48bb5aa 100644
--- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
+++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021070501; serial
+					2021071401; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -25,6 +25,7 @@ ldap1				IN	A	172.23.2.3
 ldap2				IN	A	172.23.2.4
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
+netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
 racktables			IN	A	172.23.2.6
@@ -62,6 +63,7 @@ bacon				IN	A	172.23.2.3
 aveta				IN	A	172.23.2.4
 sulis				IN	A	172.23.2.5
 nabia				IN	A	172.23.2.6
+epona				IN	A	172.23.2.7
 homer				IN	A	172.23.2.11
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
diff --git a/roles/netbox/defaults/main.yml b/roles/netbox/defaults/main.yml
new file mode 100644
index 0000000..a87800e
--- /dev/null
+++ b/roles/netbox/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+netbox_group: netbox
+netbox_user: netbox
+netbox_version: 2.11.9
diff --git a/roles/netbox/handlers/main.yml b/roles/netbox/handlers/main.yml
new file mode 100644
index 0000000..4547559
--- /dev/null
+++ b/roles/netbox/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart netbox
+  service: name=netbox state=restarted
+
+- name: Restart netbox-rq
+  service: name=netbox-rq state=restarted
diff --git a/roles/netbox/meta/main.yml b/roles/netbox/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/netbox/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml
new file mode 100644
index 0000000..b41746e
--- /dev/null
+++ b/roles/netbox/tasks/main.yml
@@ -0,0 +1,141 @@
+---
+
+- name: Create group
+  group: name={{ netbox_group }}
+
+- name: Create user
+  user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
+
+- name: Install dependencies
+  apt:
+    name:
+    - build-essential
+    - libffi-dev
+    - libpq-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - python3-setuptools
+    - python3-dev
+    - python3-pip
+    - python3-venv
+    - zlib1g-dev
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure PostgreSQL database
+  postgresql_db:
+    name: '{{ netbox_dbname }}'
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user:
+    db: '{{ netbox_dbname }}'
+    name: '{{ netbox_dbuser }}'
+    password: '{{ netbox_dbpass }}'
+    priv: ALL
+    state: present
+  become: true
+  become_user: postgres
+
+- name: Install redis
+  apt: name=redis-server
+
+# TODO configure redis?
+
+- name: Unpack netbox
+  unarchive:
+    src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
+    dest: /opt
+    remote_src: yes
+    creates: '/opt/netbox-{{ netbox_version }}'
+  register: netbox_unarchive
+
+- name: Configure netbox
+  template:
+    src: configuration.py.j2
+    dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+
+- name: Configure gunicorn
+  template:
+    src: gunicorn.py.j2
+    dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+
+- name: Netbox file permissions
+  file:
+    path: '/opt/netbox-{{ netbox_version }}'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+    recurse: yes
+
+- name: Run upgrade script
+  command:
+    cmd: ./upgrade.sh
+    chdir: '/opt/netbox-{{ netbox_version }}'
+  become: true
+  become_user: '{{ netbox_user }}'
+  when: netbox_unarchive.changed
+
+# TODO - still manual work
+# * Create a super user
+# * Migrate media files
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
+      -days 730 -subj "/CN={{ netbox_domain }}"
+    creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ netbox_domain }}"
+  when: "'kitchen' in group_names"
+
+- name: Configure certificate manager for netbox
+  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template:
+    src: vhost.j2
+    dest: /etc/nginx/sites-available/netbox
+    owner: root
+    mode: '0644'
+  notify: Restart nginx
+
+- name: Enable vhost
+  file:
+    src: /etc/nginx/sites-available/netbox
+    dest: /etc/nginx/sites-enabled/netbox
+    state: link
+  notify: Restart nginx
+
+- name: Install systemd units
+  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+  with_items:
+  - netbox
+  - netbox-rq
+  notify:
+  - Reload systemd
+  - Restart netbox
+  - Restart netbox-rq
+
+- name: Enable services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - netbox
+  - netbox-rq
diff --git a/roles/netbox/templates/certs.j2 b/roles/netbox/templates/certs.j2
new file mode 100644
index 0000000..aac44e9
--- /dev/null
+++ b/roles/netbox/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ netbox_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ netbox_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/netbox/templates/configuration.py.j2 b/roles/netbox/templates/configuration.py.j2
new file mode 100644
index 0000000..1e2d764
--- /dev/null
+++ b/roles/netbox/templates/configuration.py.j2
@@ -0,0 +1,255 @@
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = ['{{ netbox_domain }}']
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+#   https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+    'NAME': '{{ netbox_dbname }}',               # Database name
+    'USER': '{{ netbox_dbuser }}',               # PostgreSQL username
+    'PASSWORD': '{{ netbox_dbpass }}',           # PostgreSQL password
+    'HOST': 'localhost',      # Database server
+    'PORT': '',               # Database port (leave blank for default)
+    'CONN_MAX_AGE': 300,      # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+    'tasks': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 0,
+        'SSL': False,
+    },
+    'caching': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 1,
+        'SSL': False,
+    }
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '{{ netbox_secret }}'
+
+
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    # ['John Doe', 'jdoe@example.com'],
+]
+
+# URL schemes that are allowed within links in NetBox
+ALLOWED_URL_SCHEMES = (
+    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
+CACHE_TIMEOUT = 900
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+    'SERVER': 'localhost',
+    'PORT': 25,
+    'USERNAME': '',
+    'PASSWORD': '',
+    'USE_SSL': False,
+    'USE_TLS': False,
+    'TIMEOUT': 10,  # seconds
+    'FROM_EMAIL': '',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+]
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+# HTTP_PROXIES = {
+#     'http': 'http://10.10.1.10:3128',
+#     'https': 'http://10.10.1.10:1080',
+# }
+
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = {}
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+LOGIN_REQUIRED = True
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#     'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = []
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+# PLUGINS_CONFIG = {
+#     'my_plugin': {
+#         'foo': 'bar',
+#         'buzz': 'bazz'
+#     }
+# }
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
+RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
+RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = False
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
+RELEASE_CHECK_TIMEOUT = 24 * 3600
+
+# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
+# version check or use the URL below to check for release in the official NetBox repository.
+RELEASE_CHECK_URL = None
+# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# Maximum execution time for background tasks, in seconds.
+RQ_DEFAULT_TIMEOUT = 300
+
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = 'Europe/Berlin'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
diff --git a/roles/netbox/templates/gunicorn.py.j2 b/roles/netbox/templates/gunicorn.py.j2
new file mode 100644
index 0000000..363dbc2
--- /dev/null
+++ b/roles/netbox/templates/gunicorn.py.j2
@@ -0,0 +1,16 @@
+# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
+bind = '127.0.0.1:8001'
+
+# Number of gunicorn workers to spawn. This should typically be 2n+1, where
+# n is the number of CPU cores present.
+workers = 5
+
+# Number of threads per worker process
+threads = 3
+
+# Timeout (in seconds) for a request to complete
+timeout = 120
+
+# The maximum number of requests a worker can handle before being respawned
+max_requests = 5000
+max_requests_jitter = 500
diff --git a/roles/netbox/templates/netbox-rq.service.j2 b/roles/netbox/templates/netbox-rq.service.j2
new file mode 100644
index 0000000..b35a7f5
--- /dev/null
+++ b/roles/netbox/templates/netbox-rq.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/netbox/templates/netbox.service.j2 b/roles/netbox/templates/netbox.service.j2
new file mode 100644
index 0000000..5fae0f9
--- /dev/null
+++ b/roles/netbox/templates/netbox.service.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=NetBox WSGI Service
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+PIDFile=/var/tmp/netbox.pid
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/netbox/templates/vhost.j2 b/roles/netbox/templates/vhost.j2
new file mode 100644
index 0000000..35082b5
--- /dev/null
+++ b/roles/netbox/templates/vhost.j2
@@ -0,0 +1,38 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ netbox_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ netbox_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ netbox_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
+
+	location /static/ {
+		alias /opt/netbox-{{ netbox_version }}/netbox/static/;
+	}
+
+	location / {
+		client_max_body_size 32M;
+
+		proxy_set_header X-Forwarded-Host $http_host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_pass http://localhost:8001;
+	}
+}
diff --git a/site.yml b/site.yml
index 0c16cc5..69434b4 100644
--- a/site.yml
+++ b/site.yml
@@ -38,6 +38,11 @@
   - librenms
   - prometheus
 
+- name: Setup netbox server
+  hosts: epona.binary.kitchen
+  roles:
+  - netbox
+
 - name: Setup drone runner
   hosts: bob.binary.kitchen
   roles: