diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..50a584e
--- /dev/null
+++ b/config/hosts/netbox/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "netbox";
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
new file mode 100644
index 0000000..6ff0e7a
--- /dev/null
+++ b/config/hosts/netbox/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./netbox.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..85a328a
--- /dev/null
+++ b/config/hosts/netbox/netbox.nix
@@ -0,0 +1,29 @@
+# Sources for this configuration:
+# - https://docs.netbox.dev/en/stable/configuration/
+# - https://colmena.cli.rs/unstable/features/keys.html
+# - https://colmena.cli.rs/unstable/reference/deployment.html
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
+
+{ config, pkgs, ... }:
+
+{
+ services.netbox = {
+ enable = true;
+ secretKeyFile = "/secrets/netbox-secret-key.secret";
+ settings = {
+ ALLOWED_HOSTS = [ "netbox.ccchh.net" "10.31.208.29" ];
+ SESSION_COOKIE_SECURE = true;
+ };
+ };
+
+ deployment.keys."netbox-secret-key.secret" = {
+ keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ];
+
+ destDir = "/secrets";
+ user = "netbox";
+ group = "netbox";
+ permissions = "0440";
+
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
new file mode 100644
index 0000000..5f73e7b
--- /dev/null
+++ b/config/hosts/netbox/nginx.nix
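Review bot: `permissions = "0440"` on `deployment.keys."netbox-secret-key.secret"` grants group read to a file that only the netbox service reads through `secretKeyFile`, and nginx.nix in this same commit sets `services.nginx.user = "netbox"`, so the nginx workers run as the very user that can read the Django secret key. A compromise of the HTTP front end would then expose the session-signing secret directly rather than just the static files it needs. Tighten the key to `permissions = "0400";` here and keep nginx on its own user (raised on the nginx.nix hunk), giving it only group access to the static directory.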
@@ -0,0 +1,61 @@
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#module-security-acme
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
+# - https://docs.netbox.dev/en/stable/installation/5-http-server/
+# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ # So nginx can access the Netbox static files.
+ user = "netbox";
+
+ virtualHosts."acme-netbox.ccchh.net" = {
+ default = true;
+ enableACME = true;
+ serverName = "netbox.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."netbox.ccchh.net" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "netbox.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/static/" = {
+ alias = "${config.services.netbox.dataDir}/static/";
+ };
+
+ locations."/" = {
+ proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
+ };
+
+ extraConfig = ''
+ client_max_body_size 25m;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index b9f5ac6..f23e7a9 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -24,7 +24,7 @@ services.nginx.appendHttpConfig = ''
 map $host $upstream_acme_challenge_host {
 club-assistant.ccchh.net 10.31.208.10;
- netbox.ccchh.net 10.31.208.29;
+ netbox.ccchh.net 10.31.208.29:31820;
 light.ccchh.net 10.31.208.23;
 thinkcccore0.ccchh.net 10.31.242.3;
 thinkcccore1.ccchh.net 10.31.242.4;
diff --git a/flake.nix b/flake.nix
index 284037b..0feeae8 100644
--- a/flake.nix
+++ b/flake.nix
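Review bot: `locations."/"` in `virtualHosts."netbox.ccchh.net"` sets only `proxyPass` and `recommendedProxySettings` is not enabled, so nginx forwards the upstream address as Host and sends no X-Forwarded-Proto or X-Real-IP; NetBox then sees `${config.services.netbox.listenAddress}` rather than `netbox.ccchh.net` for its ALLOWED_HOSTS check (unless the NixOS netbox module widens that list) and logs the proxy as the client, whereas the linked contrib/nginx.conf, as I recall, sets these headers explicitly. Add `recommendedProxySettings = true;` next to `enable = true;` in `services.nginx`. Running the workers as `user = "netbox"` also merges the front end's identity with the application's; the default nginx user plus `users.users.nginx.extraGroups = [ "netbox" ];` is the narrower option, provided the static directory is group-readable — confirm against the netbox module. `allowedUDPPorts = [ 443 ]` opens QUIC/HTTP3 that none of the listen blocks serve (no `quic`/`http3` is configured), so it can be dropped.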
@@ -62,6 +62,20 @@ ./config/hosts/public-reverse-proxy ]; }; + + netbox = { + deployment = { + targetHost = "netbox.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/netbox + ]; + }; }; packages.x86_64-linux = {