infrastructure/ansible-ops-management
7
1
Fork 0
Code Issues Pull Requests Projects Releases Activity

init netbox playbook

Browse Source
This commit is contained in:
Louis Abel 2024-03-22 23:24:10 -07:00
parent 634f6a7ca7
commit 2f1aa4e4cd
Signed by: label
GPG Key ID: 3331F061D1D9990E
9 changed files with 417 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
role-rocky-netbox.yml Normal file
View File

@ -0,0 +1,54 @@
---
# MirrorManager2
- name: Install and configure netbox
hosts: netbox
become: false
vars_files:
# This playbook requires vaults!
# vars/vaults/hostman.yml
# vars/mounts/netbox.yml # we don't know if we'll have uploads
- vars/vaults/netbox.yml
- vars/netbox.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
#tasks:
#- include_tasks: tasks/efs_mount.yml
# loop: "{{ mounts }}"
# tags: ["mounts"]
roles:
- role: rockylinux.ipagetcert
become: true
state: present
tags: ['certs']
tasks:
- name: Perform netbox installation
ansible.builtin.import_tasks: tasks/netbox/netbox.yml
post_tasks:
- name: Touching run file that ansible has ran here
become: true
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
...

3
tasks/netbox/cleanup.yml Normal file
View File

@ -0,0 +1,3 @@
---
# no tasks
...

5
tasks/netbox/install.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Download netbox
ansible.builtin.get_url:
url:
...

10
tasks/netbox/netbox.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Pre-game setup
ansible.builtin.import_tasks: presetup.yml
- name: Installation
ansible.builtin.import_tasks: install.yml
- name: Cleanup
ansible.builtin.import_tasks: cleanup.yml
...

29
tasks/netbox/presetup.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: Install git and nginx
become: true
ansible.builtin.package:
name:
- git
- nginx
state: present
- name: Install required software to build python libs
become: true
ansible.builtin.package:
name:
- gcc
- libxml2-devel
- libxslt-devel
- libffi-devel
- libpq-devel
- openssl-devel
- redhat-rpm-config
state: present
- name: Setup initial netbox user
become: true
ansible.builtin.user:
name: netbox
comment: "NetBox"
system: true
...

29
templates/etc/nginx/conf.d/netbox.conf.j2 Normal file
View File

@ -0,0 +1,29 @@
server {
listen [::]:443 ssl ipv6only=off;
# CHANGE THIS TO YOUR SERVER'S NAME
server_name {{ netbox_server_name }};
ssl_certificate /etc/pki/tls/certs/{{ netbox_server_name }}.crt;
ssl_certificate_key /etc/pki/tls/certs/{{ netbox_server_name }}.crt;
client_max_body_size 25m;
location /static/ {
alias /opt/netbox/netbox/static/;
}
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
# Redirect HTTP traffic to HTTPS
listen [::]:80 ipv6only=off;
server_name _;
return 301 https://$host$request_uri;
}

248
templates/opt/netbox/netbox/netbox/configuration.py.j2 Normal file
View File

@ -0,0 +1,248 @@
#########################
# #
# Required settings #
# #
#########################
# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
#
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
ALLOWED_HOSTS = ['{{ netbox_server_name }}', '{{ ansible_fqdn }}']
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
DATABASE = {
'ENGINE': 'django.db.backends.postgresql', # Database engine
'NAME': '{{ netbox_db_name }}',
'USER': '{{ netbox_db_user }}',
'PASSWORD': '{{ netbox_db_password }}',
'HOST': '{{ netbox_db_host }}', # Database server
'PORT': '{{ netbox_db_port|default('5432') }}', # Database port (leave blank for default)
'CONN_MAX_AGE': 300, # Max database connection age
}
# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
# to use two separate database IDs.
REDIS = {
'tasks': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'USERNAME': '',
'PASSWORD': '',
'DATABASE': 0,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
# Set a path to a certificate authority, typically used with a self signed certificate.
# 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
},
'caching': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'USERNAME': '',
'PASSWORD': '',
'DATABASE': 1,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
# Set a path to a certificate authority, typically used with a self signed certificate.
# 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
}
}
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
# symbols. NetBox will not run without this defined. For more information, see
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
SECRET_KEY = '{{ netbox_secret_key }}'
#########################
# #
# Optional settings #
# #
#########################
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
('{{ netbox_admin_name }}', '{{ netbox_admin_contact }}'),
]
# Permit the retrieval of API tokens after their creation.
ALLOW_TOKEN_RETRIEVAL = False
# Enable any desired validators for local account passwords below. For a list of included validators, please see the
# Django documentation at https://docs.djangoproject.com/en/stable/topics/auth/passwords/#password-validation.
AUTH_PASSWORD_VALIDATORS = [
# {
# 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
# 'OPTIONS': {
# 'min_length': 10,
# }
# },
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = [
# 'https://hostname.example.com',
]
CORS_ORIGIN_REGEX_WHITELIST = [
# r'^(https?://)?(\w+\.)?example\.com$',
]
# The name to use for the CSRF token cookie.
CSRF_COOKIE_NAME = 'csrftoken'
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
# on a production system.
DEBUG = False
# Set the default preferred language/locale
DEFAULT_LANGUAGE = 'en-us'
# Email settings
EMAIL = {
'SERVER': 'localhost',
'PORT': 25,
'USERNAME': '',
'PASSWORD': '',
'USE_SSL': False,
'USE_TLS': False,
'TIMEOUT': 10, # seconds
'FROM_EMAIL': '',
}
# Localization
ENABLE_LOCALIZATION = False
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
# 'dcim.site',
# 'dcim.region',
# 'ipam.prefix',
]
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
# HTTP_PROXIES = {
# 'http': 'http://10.10.1.10:3128',
# 'https': 'http://10.10.1.10:1080',
# }
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
# NetBox from an internal IP.
INTERNAL_IPS = ('127.0.0.1', '::1')
# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
LOGIN_REQUIRED = False
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# The view name or URL to which users are redirected after logging out.
LOGOUT_REDIRECT_URL = 'home'
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
# PLUGINS_CONFIG = {
# 'my_plugin': {
# 'foo': 'bar',
# 'buzz': 'bazz'
# }
# }
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
RELEASE_CHECK_URL = None
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
SESSION_FILE_PATH = None
# By default, uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
# STORAGE_CONFIG = {
# 'AWS_ACCESS_KEY_ID': 'Key ID',
# 'AWS_SECRET_ACCESS_KEY': 'Secret',
# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
# 'AWS_S3_REGION_NAME': 'eu-west-1',
# }
# Time zone (default: UTC)
TIME_ZONE = 'UTC'
# Date/time formatting. See the following link for supported formats:
# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
DATE_FORMAT = 'N j, Y'
SHORT_DATE_FORMAT = 'Y-m-d'
TIME_FORMAT = 'g:i a'
SHORT_TIME_FORMAT = 'H:i:s'
DATETIME_FORMAT = 'N j, Y g:i a'
SHORT_DATETIME_FORMAT = 'Y-m-d H:i'

15
vars/netbox.yml Normal file
View File

@ -0,0 +1,15 @@
---
netbox_version: "3.7.4"
netbox_checksum: ""
netbox_server_name: "netbox.rockylinux.org"
netbox_admin_name: "Infrastructure Team"
netbox_admin_content: "infrastructure@rockylinux.org"
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: nginx
key_location: "/etc/pki/tls/private/netbox.rockylinux.org.key"
cert_location: "/etc/pki/tls/certs/netbox.rockylinux.org.crt"
postcmd: "/bin/systemctl restart nginx"
cnames:
- "netbox.rockylinux.org"
...

24
vars/rss.yml
View File

@ -1,6 +1,30 @@
---
feeds_output_dir: "/mnt/repos-production/mirror/pub/feeds"
sig_repo_tracking:
- release: 8
contentdir: "pub/sig"
sigs:
- name: core
arch:
- x86_64
- aarch64
repositories:
- name: core-common
- name: core-infra
- release: 9
contentdir: "pub/sig"
sigs:
- name: core
arch:
- x86_64
- aarch64
- ppc64le
- s390x
repositories:
- name: core-common
- name: core-infra
repo_tracking:
- release: 8
contentdir: "pub/rocky"