diff --git a/role-rocky-netbox.yml b/role-rocky-netbox.yml new file mode 100644 index 0000000..26ef241 --- /dev/null +++ b/role-rocky-netbox.yml @@ -0,0 +1,54 @@ +--- +# MirrorManager2 +- name: Install and configure netbox + hosts: netbox + become: false + vars_files: + # This playbook requires vaults! + # vars/vaults/hostman.yml + # vars/mounts/netbox.yml # we don't know if we'll have uploads + - vars/vaults/netbox.yml + - vars/netbox.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + ansible.builtin.assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + #tasks: + #- include_tasks: tasks/efs_mount.yml + # loop: "{{ mounts }}" + # tags: ["mounts"] + + roles: + - role: rockylinux.ipagetcert + become: true + state: present + tags: ['certs'] + + tasks: + - name: Perform netbox installation + ansible.builtin.import_tasks: tasks/netbox/netbox.yml + + post_tasks: + - name: Touching run file that ansible has ran here + become: true + ansible.builtin.file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root +... diff --git a/tasks/netbox/cleanup.yml b/tasks/netbox/cleanup.yml new file mode 100644 index 0000000..45d436a --- /dev/null +++ b/tasks/netbox/cleanup.yml @@ -0,0 +1,3 @@ +--- +# no tasks +... diff --git a/tasks/netbox/install.yml b/tasks/netbox/install.yml new file mode 100644 index 0000000..c8e6c8a --- /dev/null +++ b/tasks/netbox/install.yml @@ -0,0 +1,5 @@ +--- +- name: Download netbox + ansible.builtin.get_url: + url: +... diff --git a/tasks/netbox/netbox.yml b/tasks/netbox/netbox.yml new file mode 100644 index 0000000..18eae4f --- /dev/null +++ b/tasks/netbox/netbox.yml @@ -0,0 +1,10 @@ +--- +- name: Pre-game setup + ansible.builtin.import_tasks: presetup.yml + +- name: Installation + ansible.builtin.import_tasks: install.yml + +- name: Cleanup + ansible.builtin.import_tasks: cleanup.yml +... diff --git a/tasks/netbox/presetup.yml b/tasks/netbox/presetup.yml new file mode 100644 index 0000000..80a9405 --- /dev/null +++ b/tasks/netbox/presetup.yml @@ -0,0 +1,29 @@ +--- +- name: Install git and nginx + become: true + ansible.builtin.package: + name: + - git + - nginx + state: present + +- name: Install required software to build python libs + become: true + ansible.builtin.package: + name: + - gcc + - libxml2-devel + - libxslt-devel + - libffi-devel + - libpq-devel + - openssl-devel + - redhat-rpm-config + state: present + +- name: Setup initial netbox user + become: true + ansible.builtin.user: + name: netbox + comment: "NetBox" + system: true +... diff --git a/templates/etc/nginx/conf.d/netbox.conf.j2 b/templates/etc/nginx/conf.d/netbox.conf.j2 new file mode 100644 index 0000000..97499d6 --- /dev/null +++ b/templates/etc/nginx/conf.d/netbox.conf.j2 @@ -0,0 +1,29 @@ +server { + listen [::]:443 ssl ipv6only=off; + + # CHANGE THIS TO YOUR SERVER'S NAME + server_name {{ netbox_server_name }}; + + ssl_certificate /etc/pki/tls/certs/{{ netbox_server_name }}.crt; + ssl_certificate_key /etc/pki/tls/certs/{{ netbox_server_name }}.crt; + + client_max_body_size 25m; + + location /static/ { + alias /opt/netbox/netbox/static/; + } + + location / { + proxy_pass http://127.0.0.1:8001; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } +} + +server { + # Redirect HTTP traffic to HTTPS + listen [::]:80 ipv6only=off; + server_name _; + return 301 https://$host$request_uri; +} diff --git a/templates/opt/netbox/netbox/netbox/configuration.py.j2 b/templates/opt/netbox/netbox/netbox/configuration.py.j2 new file mode 100644 index 0000000..7784bce --- /dev/null +++ b/templates/opt/netbox/netbox/netbox/configuration.py.j2 @@ -0,0 +1,248 @@ +######################### +# # +# Required settings # +# # +######################### + +# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write +# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. +# +# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] +ALLOWED_HOSTS = ['{{ netbox_server_name }}', '{{ ansible_fqdn }}'] + +# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters: +# https://docs.djangoproject.com/en/stable/ref/settings/#databases +DATABASE = { + 'ENGINE': 'django.db.backends.postgresql', # Database engine + 'NAME': '{{ netbox_db_name }}', + 'USER': '{{ netbox_db_user }}', + 'PASSWORD': '{{ netbox_db_password }}', + 'HOST': '{{ netbox_db_host }}', # Database server + 'PORT': '{{ netbox_db_port|default('5432') }}', # Database port (leave blank for default) + 'CONN_MAX_AGE': 300, # Max database connection age +} + +# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate +# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended +# to use two separate database IDs. +REDIS = { + 'tasks': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'USERNAME': '', + 'PASSWORD': '', + 'DATABASE': 0, + 'SSL': False, + # Set this to True to skip TLS certificate verification + # This can expose the connection to attacks, be careful + # 'INSECURE_SKIP_TLS_VERIFY': False, + # Set a path to a certificate authority, typically used with a self signed certificate. + # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt', + }, + 'caching': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'USERNAME': '', + 'PASSWORD': '', + 'DATABASE': 1, + 'SSL': False, + # Set this to True to skip TLS certificate verification + # This can expose the connection to attacks, be careful + # 'INSECURE_SKIP_TLS_VERIFY': False, + # Set a path to a certificate authority, typically used with a self signed certificate. + # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt', + } +} + +# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. +# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and +# symbols. NetBox will not run without this defined. For more information, see +# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY +SECRET_KEY = '{{ netbox_secret_key }}' + + +######################### +# # +# Optional settings # +# # +######################### + +# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of +# application errors (assuming correct email settings are provided). +ADMINS = [ + ('{{ netbox_admin_name }}', '{{ netbox_admin_contact }}'), +] + +# Permit the retrieval of API tokens after their creation. +ALLOW_TOKEN_RETRIEVAL = False + +# Enable any desired validators for local account passwords below. For a list of included validators, please see the +# Django documentation at https://docs.djangoproject.com/en/stable/topics/auth/passwords/#password-validation. +AUTH_PASSWORD_VALIDATORS = [ + # { + # 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', + # 'OPTIONS': { + # 'min_length': 10, + # } + # }, +] + +# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set: +# BASE_PATH = 'netbox/' +BASE_PATH = '' + +# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be +# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or +# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers +CORS_ORIGIN_ALLOW_ALL = False +CORS_ORIGIN_WHITELIST = [ + # 'https://hostname.example.com', +] +CORS_ORIGIN_REGEX_WHITELIST = [ + # r'^(https?://)?(\w+\.)?example\.com$', +] + +# The name to use for the CSRF token cookie. +CSRF_COOKIE_NAME = 'csrftoken' + +# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal +# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging +# on a production system. +DEBUG = False + +# Set the default preferred language/locale +DEFAULT_LANGUAGE = 'en-us' + +# Email settings +EMAIL = { + 'SERVER': 'localhost', + 'PORT': 25, + 'USERNAME': '', + 'PASSWORD': '', + 'USE_SSL': False, + 'USE_TLS': False, + 'TIMEOUT': 10, # seconds + 'FROM_EMAIL': '', +} + +# Localization +ENABLE_LOCALIZATION = False + +# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and +# by anonymous users. List models in the form `.`. Add '*' to this list to exempt all models. +EXEMPT_VIEW_PERMISSIONS = [ + # 'dcim.site', + # 'dcim.region', + # 'ipam.prefix', +] + +# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks). +# HTTP_PROXIES = { +# 'http': 'http://10.10.1.10:3128', +# 'https': 'http://10.10.1.10:1080', +# } + +# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing +# NetBox from an internal IP. +INTERNAL_IPS = ('127.0.0.1', '::1') + +# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: +# https://docs.djangoproject.com/en/stable/topics/logging/ +LOGGING = {} + +# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain +# authenticated to NetBox indefinitely. +LOGIN_PERSISTENCE = False + +# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users +# are permitted to access most data in NetBox but not make any changes. +LOGIN_REQUIRED = False + +# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to +# re-authenticate. (Default: 1209600 [14 days]) +LOGIN_TIMEOUT = None + +# The view name or URL to which users are redirected after logging out. +LOGOUT_REDIRECT_URL = 'home' + +# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that +# the default value of this setting is derived from the installed location. +# MEDIA_ROOT = '/opt/netbox/netbox/media' + +# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics' +METRICS_ENABLED = False + +# Enable installed plugins. Add the name of each plugin to the list. +PLUGINS = [] + +# Plugins configuration settings. These settings are used by various plugins that the user may have installed. +# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings. +# PLUGINS_CONFIG = { +# 'my_plugin': { +# 'foo': 'bar', +# 'buzz': 'bazz' +# } +# } + +# Remote authentication support +REMOTE_AUTH_ENABLED = False +REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' +REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER' +REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME' +REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME' +REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL' +REMOTE_AUTH_AUTO_CREATE_USER = True +REMOTE_AUTH_DEFAULT_GROUPS = [] +REMOTE_AUTH_DEFAULT_PERMISSIONS = {} + +# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the +# version check or use the URL below to check for release in the official NetBox repository. +RELEASE_CHECK_URL = None +# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases' + +# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +# REPORTS_ROOT = '/opt/netbox/netbox/reports' + +# Maximum execution time for background tasks, in seconds. +RQ_DEFAULT_TIMEOUT = 300 + +# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts' + +# The name to use for the session cookie. +SESSION_COOKIE_NAME = 'sessionid' + +# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use +# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only +# database access.) Note that the user as which NetBox runs must have read and write permissions to this path. +SESSION_FILE_PATH = None + +# By default, uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the +# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example: +# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage' +# STORAGE_CONFIG = { +# 'AWS_ACCESS_KEY_ID': 'Key ID', +# 'AWS_SECRET_ACCESS_KEY': 'Secret', +# 'AWS_STORAGE_BUCKET_NAME': 'netbox', +# 'AWS_S3_REGION_NAME': 'eu-west-1', +# } + +# Time zone (default: UTC) +TIME_ZONE = 'UTC' + +# Date/time formatting. See the following link for supported formats: +# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date +DATE_FORMAT = 'N j, Y' +SHORT_DATE_FORMAT = 'Y-m-d' +TIME_FORMAT = 'g:i a' +SHORT_TIME_FORMAT = 'H:i:s' +DATETIME_FORMAT = 'N j, Y g:i a' +SHORT_DATETIME_FORMAT = 'Y-m-d H:i' diff --git a/vars/netbox.yml b/vars/netbox.yml new file mode 100644 index 0000000..f43a70b --- /dev/null +++ b/vars/netbox.yml @@ -0,0 +1,15 @@ +--- +netbox_version: "3.7.4" +netbox_checksum: "" +netbox_server_name: "netbox.rockylinux.org" +netbox_admin_name: "Infrastructure Team" +netbox_admin_content: "infrastructure@rockylinux.org" +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: nginx + key_location: "/etc/pki/tls/private/netbox.rockylinux.org.key" + cert_location: "/etc/pki/tls/certs/netbox.rockylinux.org.crt" + postcmd: "/bin/systemctl restart nginx" + cnames: + - "netbox.rockylinux.org" +... diff --git a/vars/rss.yml b/vars/rss.yml index 14a2936..3821e52 100644 --- a/vars/rss.yml +++ b/vars/rss.yml @@ -1,6 +1,30 @@ --- feeds_output_dir: "/mnt/repos-production/mirror/pub/feeds" +sig_repo_tracking: + - release: 8 + contentdir: "pub/sig" + sigs: + - name: core + arch: + - x86_64 + - aarch64 + repositories: + - name: core-common + - name: core-infra + - release: 9 + contentdir: "pub/sig" + sigs: + - name: core + arch: + - x86_64 + - aarch64 + - ppc64le + - s390x + repositories: + - name: core-common + - name: core-infra + repo_tracking: - release: 8 contentdir: "pub/rocky"