CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 0
Code Issues3 Pull requests Wiki Activity Actions

netbox: move NetBox from NixOS to Ansible

Browse source 
Also introduce netbox_hosts group for applying netbox role to multiple
hosts.
This commit is contained in:
June 2025-02-15 19:57:15 +01:00
parent 09a8551c8a
commit 2ec1471d7f
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
7 changed files with 143 additions and 2 deletions
inventories/chaosknoten
host_vars
netbox.yaml
hosts.yaml
playbooks
deploy.yaml
resources/chaosknoten
netbox
netbox
configuration.py.j2
nginx
netbox.hamburg.ccc.de.conf
public-reverse-proxy/nginx
acme_challenge.confnginx.conf

16
inventories/chaosknoten/host_vars/netbox.yaml Normal file
View file

@ -0,0 +1,16 @@
netbox__version: "v4.1.7"
netbox__db_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/DATABASE_PASSWORD', create=false, missing='error') }}"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true
nginx__version_spec: ""
nginx__configurations:
- name: netbox.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "netbox.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"

12
inventories/chaosknoten/hosts.yaml
View file

@ -32,6 +32,10 @@ all:
mumble: mumble:
ansible_host: mumble.hamburg.ccc.de ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
netbox:
ansible_host: netbox-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
onlyoffice: onlyoffice:
ansible_host: onlyoffice-intern.hamburg.ccc.de ansible_host: onlyoffice-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
@ -64,6 +68,7 @@ all:
keycloak: keycloak:
lists: lists:
mumble: mumble:
netbox:
onlyoffice: onlyoffice:
pad: pad:
pretalx: pretalx:
@ -94,6 +99,7 @@ all:
keycloak: keycloak:
lists: lists:
mumble: mumble:
netbox:
onlyoffice: onlyoffice:
pad: pad:
pretalx: pretalx:
@ -112,6 +118,7 @@ all:
keycloak: keycloak:
lists: lists:
mumble: mumble:
netbox:
onlyoffice: onlyoffice:
pad: pad:
pretalx: pretalx:
@ -123,6 +130,7 @@ all:
eh22-wiki: eh22-wiki:
tickets: tickets:
keycloak: keycloak:
netbox:
onlyoffice: onlyoffice:
pad: pad:
pretalx: pretalx:
@ -136,6 +144,7 @@ all:
tickets: tickets:
cloud: cloud:
keycloak: keycloak:
netbox:
onlyoffice: onlyoffice:
pad: pad:
pretalx: pretalx:
@ -146,3 +155,6 @@ all:
hosts: hosts:
eh22-wiki: eh22-wiki:
wiki: wiki:
netbox_hosts:
hosts:
netbox:

5
playbooks/deploy.yaml
View file

@ -29,6 +29,11 @@
roles: roles:
- dokuwiki - dokuwiki
- name: Ensure NetBox deployment on netbox_hosts
hosts: netbox_hosts
roles:
- netbox
- name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs - name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs
hosts: nginx_hosts:&public_reverse_proxy_hosts hosts: nginx_hosts:&public_reverse_proxy_hosts
roles: roles:

60
resources/chaosknoten/netbox/netbox/configuration.py.j2 Normal file
View file

@ -0,0 +1,60 @@
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]
DATABASE = {
"HOST": "localhost",
"NAME": "netbox",
"USER": "netbox",
"PASSWORD": "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/DATABASE_PASSWORD', create=false, missing='error') }}",
}
REDIS = {
"tasks": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 0,
"SSL": False,
},
"caching": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 1,
"SSL": False,
},
}
SECRET_KEY = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/SECRET_KEY', create=false, missing='error') }}"
SESSION_COOKIE_SECURE = True
# CCCHH ID (Keycloak) integration.
# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = (
"https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"
)
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = (
"https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"
)
SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"
SOCIAL_AUTH_KEYCLOAK_SECRET = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/SOCIAL_AUTH_KEYCLOAK_SECRET', create=false, missing='error') }}"
# Use custom OIDC group and role mapping pipeline functions added in via
# netbox__custom_pipeline_oidc_group_and_role_mapping.
# The default pipeline this is based on can be found here:
# https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py
SOCIAL_AUTH_PIPELINE = [
"social_core.pipeline.social_auth.social_details",
"social_core.pipeline.social_auth.social_uid",
"social_core.pipeline.social_auth.social_user",
"social_core.pipeline.user.get_username",
"social_core.pipeline.user.create_user",
"social_core.pipeline.social_auth.associate_user",
"netbox.authentication.user_default_groups_handler",
"social_core.pipeline.social_auth.load_extra_data",
"social_core.pipeline.user.user_details",
# Custom OIDC group and role mapping functions.
"netbox.custom_pipeline_oidc_mapping.add_groups",
"netbox.custom_pipeline_oidc_mapping.remove_groups",
"netbox.custom_pipeline_oidc_mapping.set_roles",
]

48
resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf Normal file
View file

@ -0,0 +1,48 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name netbox.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/netbox.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netbox.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/netbox.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
client_max_body_size 25m;
location /static/ {
alias /opt/netbox/netbox/static/;
}
location / {
proxy_pass http://127.0.0.1:8001;
}
}

2
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -17,7 +17,7 @@ map $host $upstream_acme_challenge_host {
invite.hamburg.ccc.de 172.31.17.144:31820; invite.hamburg.ccc.de 172.31.17.144:31820;
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
matrix.hamburg.ccc.de 172.31.17.150:31820; matrix.hamburg.ccc.de 172.31.17.150:31820;
netbox.hamburg.ccc.de 172.31.17.149:31820; netbox.hamburg.ccc.de 172.31.17.167:31820;
onlyoffice.hamburg.ccc.de 172.31.17.147:31820; onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
pad.hamburg.ccc.de 172.31.17.141:31820; pad.hamburg.ccc.de 172.31.17.141:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820;

2
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -32,7 +32,7 @@ stream {
onlyoffice.hamburg.ccc.de 172.31.17.147:8443; onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.149:8443; netbox.hamburg.ccc.de 172.31.17.167:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443; matrix.hamburg.ccc.de 172.31.17.150:8443;
element.hamburg.ccc.de 172.31.17.151:8443; element.hamburg.ccc.de 172.31.17.151:8443;
branding-resources.hamburg.ccc.de 172.31.17.151:8443; branding-resources.hamburg.ccc.de 172.31.17.151:8443;