CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 0
Code Issues4 Pull requests1 Wiki Activity Actions

Merge branch 'main' of git.hamburg.ccc.de:CCCHH/ansible-infra

Browse source
This commit is contained in:
Stefan Bethke 2025-02-16 22:09:29 +01:00
commit f0e345b15a
25 changed files with 767 additions and 180 deletions

5
README.md
View file

@ -45,3 +45,8 @@ Im Ansible-Repo müssen diese Sachen hinzugefügt werden:
* Individuelle Config für den Service. Wenn Docker Compose, hier weiterleiten auf den eigentlichen Dienst in Compose. * Individuelle Config für den Service. Wenn Docker Compose, hier weiterleiten auf den eigentlichen Dienst in Compose.
* Cert-Dateinamen anpassen * Cert-Dateinamen anpassen
* `resources/chaosknoten/`*host*`/docker_compose/compose.yaml.j2`: Config für Docker Compose (wenn verwendet) * `resources/chaosknoten/`*host*`/docker_compose/compose.yaml.j2`: Config für Docker Compose (wenn verwendet)
## License
This CCCHH ansible-ccchh repository is licensed under the [MIT License](./LICENSE).
[`custom_pipeline_oidc_group_and_role_mapping.py`](./roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py) is licensed under the Creative Commons: CC BY-SA 4.0 license.

16
inventories/chaosknoten/host_vars/netbox.yaml Normal file
View file

@ -0,0 +1,16 @@
netbox__version: "v4.1.7"
netbox__db_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/DATABASE_PASSWORD', create=false, missing='error') }}"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true
nginx__version_spec: ""
nginx__configurations:
- name: netbox.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "netbox.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"

309
inventories/chaosknoten/hosts.yaml
View file

@ -1,148 +1,163 @@
all: all:
children: hosts:
debian_12: ccchoir:
hosts: ansible_host: ccchoir-intern.hamburg.ccc.de
ccchoir: ansible_user: chaos
ansible_host: ccchoir-intern.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos chaosknoten:
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_host: chaosknoten.hamburg.ccc.de
cloud: cloud:
ansible_host: cloud-intern.hamburg.ccc.de ansible_host: cloud-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
eh22-wiki: eh22-wiki:
ansible_host: eh22-wiki-intern.hamburg.ccc.de ansible_host: eh22-wiki-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
grafana: grafana:
ansible_host: grafana-intern.hamburg.ccc.de ansible_host: grafana-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
tickets: tickets:
ansible_host: tickets-intern.hamburg.ccc.de ansible_host: tickets-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
keycloak: keycloak:
ansible_host: keycloak-intern.hamburg.ccc.de ansible_host: keycloak-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
lists: lists:
ansible_host: lists.hamburg.ccc.de ansible_host: lists.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
mumble: mumble:
ansible_host: mumble.hamburg.ccc.de ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
onlyoffice: netbox:
ansible_host: onlyoffice-intern.hamburg.ccc.de ansible_host: netbox-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
pad: onlyoffice:
ansible_host: pad-intern.hamburg.ccc.de ansible_host: onlyoffice-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
pretalx: pad:
ansible_host: pretalx-intern.hamburg.ccc.de ansible_host: pad-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
public-reverse-proxy: pretalx:
ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_host: pretalx-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
wiki: ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_host: wiki-intern.hamburg.ccc.de public-reverse-proxy:
ansible_user: chaos ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_user: chaos
zammad: wiki:
ansible_host: zammad-intern.hamburg.ccc.de ansible_host: wiki-intern.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
base_config_hosts: zammad:
hosts: ansible_host: zammad-intern.hamburg.ccc.de
ccchoir: ansible_user: chaos
cloud: ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
eh22-wiki: hypervisors:
grafana: hosts:
keycloak: chaosknoten:
lists: base_config_hosts:
mumble: hosts:
onlyoffice: ccchoir:
pad: cloud:
pretalx: eh22-wiki:
public-reverse-proxy: grafana:
tickets: keycloak:
wiki: lists:
zammad: mumble:
docker_compose_hosts: netbox:
hosts: onlyoffice:
ccchoir: pad:
grafana: pretalx:
tickets: public-reverse-proxy:
keycloak: tickets:
lists: wiki:
onlyoffice: zammad:
pad: docker_compose_hosts:
pretalx: hosts:
zammad: ccchoir:
nextcloud_hosts: grafana:
hosts: tickets:
cloud: keycloak:
nginx_hosts: lists:
hosts: onlyoffice:
ccchoir: pad:
eh22-wiki: pretalx:
grafana: zammad:
tickets: nextcloud_hosts:
keycloak: hosts:
lists: cloud:
mumble: nginx_hosts:
onlyoffice: hosts:
pad: ccchoir:
pretalx: eh22-wiki:
public-reverse-proxy: grafana:
wiki: tickets:
zammad: keycloak:
public_reverse_proxy_hosts: lists:
hosts: mumble:
public-reverse-proxy: netbox:
certbot_hosts: onlyoffice:
hosts: pad:
ccchoir: pretalx:
eh22-wiki: public-reverse-proxy:
grafana: wiki:
tickets: zammad:
keycloak: public_reverse_proxy_hosts:
lists: hosts:
mumble: public-reverse-proxy:
onlyoffice: certbot_hosts:
pad: hosts:
pretalx: ccchoir:
wiki: eh22-wiki:
zammad: grafana:
prometheus_node_exporter_hosts: tickets:
hosts: keycloak:
ccchoir: lists:
eh22-wiki: mumble:
tickets: netbox:
keycloak: onlyoffice:
onlyoffice: pad:
pad: pretalx:
pretalx: wiki:
wiki: zammad:
zammad: prometheus_node_exporter_hosts:
infrastructure_authorized_keys_hosts: hosts:
hosts: ccchoir:
ccchoir: eh22-wiki:
eh22-wiki: tickets:
grafana: keycloak:
tickets: netbox:
cloud: onlyoffice:
keycloak: pad:
onlyoffice: pretalx:
pad: wiki:
pretalx: zammad:
public-reverse-proxy: infrastructure_authorized_keys_hosts:
wiki: hosts:
zammad: ccchoir:
wiki_hosts: eh22-wiki:
hosts: grafana:
eh22-wiki: tickets:
wiki: cloud:
keycloak:
netbox:
onlyoffice:
pad:
pretalx:
public-reverse-proxy:
wiki:
zammad:
wiki_hosts:
hosts:
eh22-wiki:
wiki:
netbox_hosts:
hosts:
netbox:

44
inventories/z9/hosts.yaml
View file

@ -1,25 +1,21 @@
all: all:
children: hosts:
debian_11: light:
hosts: ansible_host: light.z9.ccchh.net
light: ansible_user: chaos
ansible_host: light.z9.ccchh.net authoritative-dns:
ansible_user: chaos ansible_host: authoritative-dns.z9.ccchh.net
authoritative-dns: ansible_user: chaos
ansible_host: authoritative-dns.z9.ccchh.net nginx_hosts:
ansible_user: chaos hosts:
debian_12: light:
hosts: ola_hosts:
nginx_hosts: hosts:
hosts: light:
light: foobazdmx_hosts:
ola_hosts: hosts:
hosts: light:
light: infrastructure_authorized_keys_hosts:
foobazdmx_hosts: hosts:
hosts: light:
light: authoritative-dns:
infrastructure_authorized_keys_hosts:
hosts:
light:
authoritative-dns:

9
playbooks/deploy.yaml
View file

@ -29,6 +29,11 @@
roles: roles:
- dokuwiki - dokuwiki
- name: Ensure NetBox deployment on netbox_hosts
hosts: netbox_hosts
roles:
- netbox
- name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs - name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs
hosts: nginx_hosts:&public_reverse_proxy_hosts hosts: nginx_hosts:&public_reverse_proxy_hosts
roles: roles:
@ -54,8 +59,8 @@
roles: roles:
- prometheus_node_exporter - prometheus_node_exporter
- name: Configure unattended upgrades - name: Configure unattended upgrades for all non-hypervisors
hosts: all hosts: all:!hypervisors
become: true become: true
roles: roles:
- role: debops.debops.unattended_upgrades - role: debops.debops.unattended_upgrades

4
playbooks/maintenance.yaml
View file

@ -26,8 +26,8 @@
vars: vars:
nginx__version_spec: "{{ nextcloud__nginx_version_spec | default('') }}" nginx__version_spec: "{{ nextcloud__nginx_version_spec | default('') }}"
- name: Make Sure System Package Are Up-To-Date - name: Make Sure System Package Are Up-To-Date for all non-hypervisors
hosts: all hosts: all:!hypervisors
roles: roles:
- apt_update_and_upgrade - apt_update_and_upgrade

6
resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
View file

@ -64,6 +64,12 @@ server {
fastcgi_pass unix:/var/run/php/php-fpm-dokuwiki.sock; fastcgi_pass unix:/var/run/php/php-fpm-dokuwiki.sock;
} }
location = /design {
# Disable port in redirect as NGINX would redirect to the PROXY Protocol port 8443 for locations like https://eh22.easterhegg.eu/design
port_in_redirect off;
return 302 /design/;
}
location /design/ { location /design/ {
# Disable port in redirect as NGINX would redirect to the PROXY Protocol port 8443 for locations like https://eh22.easterhegg.eu/design # Disable port in redirect as NGINX would redirect to the PROXY Protocol port 8443 for locations like https://eh22.easterhegg.eu/design
port_in_redirect off; port_in_redirect off;

6
resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
View file

@ -166,7 +166,7 @@ groups:
# Longer intervals to account for disk intensive hypervisor tasks (backups, moving VMs, etc.). # Longer intervals to account for disk intensive hypervisor tasks (backups, moving VMs, etc.).
- alert: HypervisorHostUnusualDiskReadRate - alert: HypervisorHostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"} expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"}
for: 60m for: 90m
labels: labels:
severity: warning severity: warning
annotations: annotations:
@ -174,7 +174,7 @@ groups:
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}" description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: HypervisorHostUnusualDiskWriteRate - alert: HypervisorHostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"} expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"}
for: 60m for: 90m
labels: labels:
severity: warning severity: warning
annotations: annotations:
@ -256,7 +256,7 @@ groups:
# Since hard disks on the hypervisor can easily have their IO saturated by hypervisor tasks (backups, moving VMs, etc.), alert when the IO is above the regular threshold for a very long time. # Since hard disks on the hypervisor can easily have their IO saturated by hypervisor tasks (backups, moving VMs, etc.), alert when the IO is above the regular threshold for a very long time.
- alert: HypervisorHostUnusualHardDiskIo - alert: HypervisorHostUnusualHardDiskIo
expr: (rate(node_disk_io_time_seconds_total{device=~"s.+"}[1m]) > 0.5) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"} expr: (rate(node_disk_io_time_seconds_total{device=~"s.+"}[1m]) > 0.5) * on(instance) group_left (nodename) node_uname_info{nodename="chaosknoten"}
for: 50m for: 90m
labels: labels:
severity: warning severity: warning
annotations: annotations:

60
resources/chaosknoten/netbox/netbox/configuration.py.j2 Normal file
View file

@ -0,0 +1,60 @@
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]
DATABASE = {
"HOST": "localhost",
"NAME": "netbox",
"USER": "netbox",
"PASSWORD": "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/DATABASE_PASSWORD', create=false, missing='error') }}",
}
REDIS = {
"tasks": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 0,
"SSL": False,
},
"caching": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 1,
"SSL": False,
},
}
SECRET_KEY = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/SECRET_KEY', create=false, missing='error') }}"
SESSION_COOKIE_SECURE = True
# CCCHH ID (Keycloak) integration.
# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = (
"https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"
)
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = (
"https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"
)
SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"
SOCIAL_AUTH_KEYCLOAK_SECRET = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/netbox/SOCIAL_AUTH_KEYCLOAK_SECRET', create=false, missing='error') }}"
# Use custom OIDC group and role mapping pipeline functions added in via
# netbox__custom_pipeline_oidc_group_and_role_mapping.
# The default pipeline this is based on can be found here:
# https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py
SOCIAL_AUTH_PIPELINE = [
"social_core.pipeline.social_auth.social_details",
"social_core.pipeline.social_auth.social_uid",
"social_core.pipeline.social_auth.social_user",
"social_core.pipeline.user.get_username",
"social_core.pipeline.user.create_user",
"social_core.pipeline.social_auth.associate_user",
"netbox.authentication.user_default_groups_handler",
"social_core.pipeline.social_auth.load_extra_data",
"social_core.pipeline.user.user_details",
# Custom OIDC group and role mapping functions.
"netbox.custom_pipeline_oidc_mapping.add_groups",
"netbox.custom_pipeline_oidc_mapping.remove_groups",
"netbox.custom_pipeline_oidc_mapping.set_roles",
]

48
resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf Normal file
View file

@ -0,0 +1,48 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name netbox.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/netbox.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netbox.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/netbox.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
client_max_body_size 25m;
location /static/ {
alias /opt/netbox/netbox/static/;
}
location / {
proxy_pass http://127.0.0.1:8001;
}
}

2
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -17,7 +17,7 @@ map $host $upstream_acme_challenge_host {
invite.hamburg.ccc.de 172.31.17.144:31820; invite.hamburg.ccc.de 172.31.17.144:31820;
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
matrix.hamburg.ccc.de 172.31.17.150:31820; matrix.hamburg.ccc.de 172.31.17.150:31820;
netbox.hamburg.ccc.de 172.31.17.149:31820; netbox.hamburg.ccc.de 172.31.17.167:31820;
onlyoffice.hamburg.ccc.de 172.31.17.147:31820; onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
pad.hamburg.ccc.de 172.31.17.141:31820; pad.hamburg.ccc.de 172.31.17.141:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820;

2
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -32,7 +32,7 @@ stream {
onlyoffice.hamburg.ccc.de 172.31.17.147:8443; onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.149:8443; netbox.hamburg.ccc.de 172.31.17.167:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443; matrix.hamburg.ccc.de 172.31.17.150:8443;
element.hamburg.ccc.de 172.31.17.151:8443; element.hamburg.ccc.de 172.31.17.151:8443;
branding-resources.hamburg.ccc.de 172.31.17.151:8443; branding-resources.hamburg.ccc.de 172.31.17.151:8443;

88
roles/netbox/README.md Normal file
View file

@ -0,0 +1,88 @@
# `netbox` role
A role for setting up NetBox.
It automatically pulls in all required dependencies like Redis and PostgreSQL, deploys the provided systemd services and gunicorn config and sets up a PostgreSQL database named `netbox` with an owner named `netbox` and the specified password.
However providing the [NetBox configuration](#netbox-configuration), [setting up a web server like nginx to proxy to gunicorn](#web-server-setup) and tasks like creating users, etc. you have to do yourself.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
- `netbox__version`: The NetBox version to deploy.
- `netbox__db_password`: The password to use for connection to the database.
This is required since the upgrade script runs as root and therefore peer authentication doesn't work.
- `netbox__config`: The NetBox config to deploy.
See [NetBox Configuration](#netbox-configuration) for more infos.
## Optional Arguments
- `netbox__custom_pipeline_oidc_group_and_role_mapping`: Whether or not to have custom pipeline code for OIDC group and role mapping present.
See [Custom Pipeline Code for OIDC Group and Role Mapping](#custom-pipeline-code-for-oidc-group-and-role-mapping) for more infos.
Defaults to `false`.
## NetBox Configuration
The NetBox configuration should include a connection to Redis as well as a connection to PostgreSQL.
Configuration for the Redis connection:
```python
REDIS = {
"tasks": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 0,
"SSL": False,
},
"caching": {
"HOST": "localhost",
"PORT": 6379,
"USERNAME": "",
"PASSWORD": "",
"DATABASE": 1,
"SSL": False,
},
}
```
Configuration for the PostgreSQL connection:
```python
DATABASE = {
"HOST": "localhost",
"NAME": "netbox",
"USER": "netbox",
"PASSWORD": "<same as netbox__db_password>",
}
```
Further configuration should take place. Some relevant resources can be found here:
- Installation guide configuration docs: <https://netboxlabs.com/docs/netbox/en/stable/installation/3-netbox/#configuration>
- Configuration docs: <https://netboxlabs.com/docs/netbox/en/stable/configuration/>
- Example configuration: <https://github.com/netbox-community/netbox/blob/main/netbox/netbox/configuration_example.py>
## Web Server Setup
As this role just sets up gunicorn, but doesn't set up a web server, you need to do that yourself.
The relevant documentation on how to do that can be found here:
- Web server setup docs: <https://netboxlabs.com/docs/netbox/en/stable/installation/5-http-server/>
- Example base nginx config: <https://github.com/netbox-community/netbox/blob/main/contrib/nginx.conf>
## Custom Pipeline Code for OIDC Group and Role Mapping
Setting the option `netbox__custom_pipeline_oidc_group_and_role_mapping` to `true` makes this role ensure custom pipeline code for OIDC group and role mapping is present.
Note that this role uses code for NetBox >= 4.0.0.
The code is available in `files/custom_pipeline_oidc_group_and_role_mapping.py`, licensed under the CC BY-SA 4.0 license and taken from [this authentik NetBox documentation](https://docs.goauthentik.io/integrations/services/netbox/).
The documentation also shows how to use the pipeline code by defining a custom `SOCIAL_AUTH_PIPELINE`, which you also need to do, as the configuration isn't provided by this role.
However instead of under `netbox.custom_pipeline.` the functions are available under `netbox.custom_pipeline_oidc_mapping.` with this role.
See also [the default settings.py](https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py) for the default `SOCIAL_AUTH_PIPELINE`.
## Links & Resources
- The NetBox Git Repo: <https://github.com/netbox-community/netbox>
- The NetBox installation docs: <https://netboxlabs.com/docs/netbox/en/stable/installation/>

1
roles/netbox/defaults/main.yaml Normal file
View file

@ -0,0 +1 @@
netbox__custom_pipeline_oidc_group_and_role_mapping: false

55
roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py Normal file
View file

@ -0,0 +1,55 @@
# Licensed under Creative Commons: CC BY-SA 4.0 license.
# https://github.com/goauthentik/authentik/blob/main/LICENSE
# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
# https://docs.goauthentik.io/integrations/services/netbox/
from netbox.authentication import Group
class AuthFailed(Exception):
pass
def add_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
pass
# Add all groups from oAuth token
for group in groups:
group, created = Group.objects.get_or_create(name=group)
user.groups.add(group)
def remove_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
# Remove all groups if no groups in oAuth token
user.groups.clear()
pass
# Get all groups of user
user_groups = [item.name for item in user.groups.all()]
# Get groups of user which are not part of oAuth token
delete_groups = list(set(user_groups) - set(groups))
# Delete non oAuth token groups
for delete_group in delete_groups:
group = Group.objects.get(name=delete_group)
user.groups.remove(group)
def set_roles(response, user, backend, *args, **kwargs):
# Remove Roles temporary
user.is_superuser = False
user.is_staff = False
try:
groups = response['groups']
except KeyError:
# When no groups are set
# save the user without Roles
user.save()
pass
# Set roles is role (superuser or staff) is in groups
user.is_superuser = True if 'superusers' in groups else False
user.is_staff = True if 'staff' in groups else False
user.save()

24
roles/netbox/handlers/main.yaml Normal file
View file

@ -0,0 +1,24 @@
- name: Run upgrade script
ansible.builtin.command: /opt/netbox/upgrade.sh
become: true
# When it runs, this should always report changed.
changed_when: true
- name: Ensure netbox systemd services are set up and up-to-date
ansible.builtin.systemd_service:
daemon_reload: true
name: "{{ item }}"
enabled: true
state: restarted
become: true
loop:
- "netbox.service"
- "netbox-rq.service"
- name: Ensure netbox housekeeping timer is set up and up-to-date
ansible.builtin.systemd_service:
daemon_reload: true
name: "netbox-housekeeping.timer"
enabled: true
state: restarted
become: true

16
roles/netbox/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,16 @@
argument_specs:
main:
options:
netbox__version:
type: str
required: true
netbox__db_password:
type: str
required: true
netbox__config:
type: str
required: true
netbox__custom_pipeline_oidc_group_and_role_mapping:
type: bool
required: false
default: false

11
roles/netbox/meta/main.yaml Normal file
View file

@ -0,0 +1,11 @@
---
dependencies:
- role: redis
- role: postgresql
vars:
postgresql__dbs:
- name: netbox
owner: netbox
postgresql__users:
- name: netbox
password: "{{ netbox__db_password }}"

124
roles/netbox/tasks/main.yaml Normal file
View file

@ -0,0 +1,124 @@
- name: Ensure all dependencies are installed
ansible.builtin.apt:
name:
- python3
- python3-pip
- python3-venv
- python3-dev
- build-essential
- libxml2-dev
- libxslt1-dev
- libffi-dev
- libpq-dev
- libssl-dev
- zlib1g-dev
- git
become: true
- name: Ensure NetBox source is present
ansible.builtin.git:
repo: https://github.com/netbox-community/netbox.git
dest: /opt/netbox/
version: "{{ netbox__version }}"
become: true
notify:
- Run upgrade script
- Ensure netbox systemd services are set up and up-to-date
- name: Ensures custom pipeline code for OIDC group and role mapping is present
ansible.builtin.copy:
src: custom_pipeline_oidc_group_and_role_mapping.py
dest: /opt/netbox/netbox/netbox/custom_pipeline_oidc_mapping.py
mode: "0644"
owner: root
group: root
when: netbox__custom_pipeline_oidc_group_and_role_mapping
become: true
notify:
- Ensure netbox systemd services are set up and up-to-date
- name: Ensures custom pipeline code for OIDC group and role mapping is not present
ansible.builtin.file:
path: /opt/netbox/netbox/netbox/custom_pipeline_oidc_mapping.py
state: absent
when: not netbox__custom_pipeline_oidc_group_and_role_mapping
become: true
notify:
- Ensure netbox systemd services are set up and up-to-date
- name: Ensure netbox user
block:
- name: Ensure netbox group exists
ansible.builtin.group:
name: netbox
system: true
become: true
- name: Ensure netbox user exists
ansible.builtin.user:
name: netbox
group: netbox
password: '!'
system: true
become: true
- name: Ensure relevant directories are owned by netbox user
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: netbox
recurse: true
become: true
loop:
- "/opt/netbox/netbox/media/"
- "/opt/netbox/netbox/reports/"
- "/opt/netbox/netbox/scripts/"
- name: Deploy configuration.py
ansible.builtin.copy:
content: "{{ netbox__config }}"
dest: "/opt/netbox/netbox/netbox/configuration.py"
mode: "0644"
owner: root
group: root
become: true
notify: Ensure netbox systemd services are set up and up-to-date
- name: Ensure provided gunicorn config is copied
ansible.builtin.copy:
remote_src: true
src: "/opt/netbox/contrib/gunicorn.py"
dest: "/opt/netbox/gunicorn.py"
mode: "0644"
owner: root
group: root
become: true
notify: Ensure netbox systemd services are set up and up-to-date
- name: Ensure provided netbox systemd service files are copied
ansible.builtin.copy:
remote_src: true
src: "/opt/netbox/contrib/{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: "0644"
owner: root
group: root
become: true
loop:
- "netbox.service"
- "netbox-rq.service"
notify: Ensure netbox systemd services are set up and up-to-date
- name: Ensure provided housekeeping systemd service and timer are copied
ansible.builtin.copy:
remote_src: true
src: "/opt/netbox/contrib/{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: "0644"
owner: root
group: root
become: true
loop:
- "netbox-housekeeping.service"
- "netbox-housekeeping.timer"
notify: Ensure netbox housekeeping timer is set up and up-to-date

37
roles/postgresql/README.md Normal file
View file

@ -0,0 +1,37 @@
# Role `postgresql`
Ensures `postgresql` is installed by installing the distributions package.
Also ensures the optionally given databases and users are set up as specified.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
None.
## Optional Arguments
- `postgresql__dbs`: List of databases with their owner to ensure are set up.
- `postgresql__dbs.*.name`: Name of the database.
- `postgresql__dbs.*.owner`: Owner of the database.
- `postgresql__users`: List of users to ensure are set up.
- `postgresql__users.*.name`: Name of the user.
- `postgresql__users.*.password`: Optional password for the user.
If left unset, the user will have no password set, but can still connect using [peer authentication](https://www.postgresql.org/docs/current/auth-peer.html) on the local system.
(Peer authentication works when a password is set as well.)
## Example Arguments
```yaml
postgresql__dbs:
- name: netbox
owner: netbox
- name: foo
owner: bar
postgresql__users:
- name: netbox
password: super_secret
- name: bar
```

2
roles/postgresql/defaults/main.yaml Normal file
View file

@ -0,0 +1,2 @@
postgresql__dbs: [ ]
postgresql__users: [ ]

28
roles/postgresql/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,28 @@
argument_specs:
main:
options:
postgresql__dbs:
type: list
elements: dict
required: false
default: [ ]
options:
name:
type: str
required: true
owner:
type: str
required: true
postgresql__users:
type: list
elements: dict
required: false
default: [ ]
options:
name:
type: str
required: true
password:
type: str
required: false
default: ""

30
roles/postgresql/tasks/main.yaml Normal file
View file

@ -0,0 +1,30 @@
- name: Ensure postgresql is installed
ansible.builtin.apt:
name:
- postgresql
become: true
- name: Ensure Python library for community.postgresql is installed if needed
ansible.builtin.apt:
name:
- python3-psycopg
become: true
when: postgresql__dbs != [ ] or postgresql__users != [ ]
- name: Ensure users
community.postgresql.postgresql_user:
name: "{{ item.name }}"
password: "{{ item.password | default('') }}"
become: true
become_user: postgres
loop: "{{ postgresql__users }}"
loop_control:
label: "user {{ item.name }} with {{ 'a password' if item.password is defined else 'no password' }}"
- name: Ensure dbs with owners
community.postgresql.postgresql_db:
name: "{{ item.name }}"
owner: "{{ item.owner }}"
become: true
become_user: postgres
loop: "{{ postgresql__dbs }}"

15
roles/redis/README.md Normal file
View file

@ -0,0 +1,15 @@
# Role `redis`
Ensures `redis` is installed by installing the distributions package.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
None.
## Optional Arguments
None.

5
roles/redis/tasks/main.yaml Normal file
View file

@ -0,0 +1,5 @@
- name: Ensure redis is installed
ansible.builtin.apt:
name:
- redis
become: true