From fe5e6cebdc0f0df330b0541c1756cdfc859f1bec Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 00:02:31 +0100 Subject: [PATCH] netbox: remove because of migration to ansible-infra --- .sops.yaml | 17 -- config/hosts/netbox/configuration.nix | 7 - config/hosts/netbox/default.nix | 12 - config/hosts/netbox/netbox.nix | 61 ----- config/hosts/netbox/networking.nix | 22 -- config/hosts/netbox/nginx.nix | 67 ----- config/hosts/netbox/postgresql.nix | 7 - config/hosts/netbox/secrets.yaml | 234 ------------------ config/hosts/netbox/sops.nix | 7 - deployment_configuration.json | 3 - flake.nix | 19 -- ...oup_and_role_mapping_custom_pipeline.patch | 61 ----- 12 files changed, 517 deletions(-) delete mode 100644 config/hosts/netbox/configuration.nix delete mode 100644 config/hosts/netbox/default.nix delete mode 100644 config/hosts/netbox/netbox.nix delete mode 100644 config/hosts/netbox/networking.nix delete mode 100644 config/hosts/netbox/nginx.nix delete mode 100644 config/hosts/netbox/postgresql.nix delete mode 100644 config/hosts/netbox/secrets.yaml delete mode 100644 config/hosts/netbox/sops.nix delete mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch diff --git a/.sops.yaml b/.sops.yaml index dedf3c12..9a6ae2de 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -13,7 +13,6 @@ keys: - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae @@ -68,22 +67,6 @@ creation_rules: - *admin_gpg_dante age: - *host_age_matrix - - path_regex: config/hosts/netbox/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - - *admin_gpg_dante - age: - - *host_age_netbox - path_regex: config/hosts/public-web-static/.* key_groups: - pgp: diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644 index 50a584ed..00000000 --- a/config/hosts/netbox/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "netbox"; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644 index 6ef34697..00000000 --- a/config/hosts/netbox/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./netbox.nix - ./networking.nix - ./nginx.nix - ./postgresql.nix - ./sops.nix - ]; -} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644 index f816016c..00000000 --- a/config/hosts/netbox/netbox.nix +++ /dev/null @@ -1,61 +0,0 @@ -# Sources for this configuration: -# - https://docs.netbox.dev/en/stable/configuration/ -# - https://colmena.cli.rs/unstable/features/keys.html -# - https://colmena.cli.rs/unstable/reference/deployment.html -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix - -{ config, pkgs, ... }: - -{ - services.netbox = { - enable = true; - # Explicitly use the patched NetBox package. - package = pkgs.netbox_4_1; - secretKeyFile = "/run/secrets/netbox_secret_key"; - keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; - settings = { - ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; - SESSION_COOKIE_SECURE = true; - # CCCHH ID (Keycloak) integration. - # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7 - # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html - REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"; - SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"; - # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option. - SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; - SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; - SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; - SOCIAL_AUTH_PIPELINE = [ - # The default pipeline as can be found in: - # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py - "social_core.pipeline.social_auth.social_details" - "social_core.pipeline.social_auth.social_uid" - "social_core.pipeline.social_auth.social_user" - "social_core.pipeline.user.get_username" - "social_core.pipeline.user.create_user" - "social_core.pipeline.social_auth.associate_user" - "netbox.authentication.user_default_groups_handler" - "social_core.pipeline.social_auth.load_extra_data" - "social_core.pipeline.user.user_details" - # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay. - # See: https://docs.goauthentik.io/integrations/services/netbox/ - "netbox.custom_pipeline.add_groups" - "netbox.custom_pipeline.remove_groups" - "netbox.custom_pipeline.set_roles" - ]; - }; - }; - - sops.secrets."netbox_secret_key" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; - sops.secrets."netbox_keycloak_secret" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; -} diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix deleted file mode 100644 index a0abcfe3..00000000 --- a/config/hosts/netbox/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.149"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "62:ED:44:20:7C:C1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index 2673cdc4..00000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null @@ -1,67 +0,0 @@ -# Sources for this configuration: -# - https://nixos.org/manual/nixos/stable/#module-security-acme -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix -# - https://docs.netbox.dev/en/stable/installation/5-http-server/ -# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf - -{ config, pkgs, ... }: - -{ - services.nginx = { - enable = true; - # So nginx can access the Netbox static files. - user = "netbox"; - - virtualHosts."acme-netbox.hamburg.ccc.de" = { - default = true; - enableACME = true; - serverName = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."netbox.hamburg.ccc.de" = { - default = true; - forceSSL = true; - useACMEHost = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - client_max_body_size 25m; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix deleted file mode 100644 index 5f49f30e..00000000 --- a/config/hosts/netbox/postgresql.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, config, ... }: - -{ - services.postgresql = { - package = pkgs.postgresql_15; - }; -} diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml deleted file mode 100644 index 831a7a18..00000000 --- a/config/hosts/netbox/secrets.yaml +++ /dev/null @@ -1,234 +0,0 @@ -netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] -netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX - c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5 - dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU - V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw - a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-08T23:54:23Z" - mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str] - pgp: - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul - UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb - YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9 - e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb - fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8 - 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9 - g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME - Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4 - 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG - ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS - 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU - aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p - Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p - 6PA24RxtGxVm - =ES/O - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr - kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+ - UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6 - t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7 - 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK - MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra - PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI - Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4 - W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM - Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6 - NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS - XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB - zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc= - =zG3F - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm - wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8 - o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ - yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va - y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs - vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O - OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM - xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu - +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J - 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY - 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS - XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa - CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg= - =PqbF - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6 - eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una - 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E - /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N - E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI - aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN - U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT - 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT - vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D - Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/ - PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS - XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF - 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U= - =o7cj - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY - QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6 - 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY - NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM - vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu - PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW - FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B - n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8 - nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM - TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa - ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS - XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH - fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY= - =4agQ - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G - H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ - JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn - ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv - blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm - fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg - APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/ - H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ - dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+ - VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho - FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS - XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw - Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g= - =x1QX - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ - RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH - I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz - GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw - Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg - arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF - dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA - cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj - 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG - jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC - rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S - XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq - pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc= - =FXTF - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq - /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo - FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j - wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h - 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC - Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a - 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8 - wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf - wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C - 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM - N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS - XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS - z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE= - =7WGw - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ - nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu - 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO - 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92 - fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W - 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb - QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi - BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U - 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP - zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe - RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS - XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ - yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs= - =pFkW - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw - kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58 - 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16 - 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN - =Lvnj - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB - 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg - XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7 - 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/ - T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV - k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug - QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o - 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk - U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2 - kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX - 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS - XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU - 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow= - =WqHP - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix deleted file mode 100644 index b4548edb..00000000 --- a/config/hosts/netbox/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/deployment_configuration.json b/deployment_configuration.json index 20b9f00b..6ac52544 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -3,9 +3,6 @@ "targetUser": "colmena-deploy" }, "hosts": { - "netbox": { - "targetHostname": "netbox-intern.hamburg.ccc.de" - }, "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, diff --git a/flake.nix b/flake.nix index 347294b0..7c7cfe02 100644 --- a/flake.nix +++ b/flake.nix @@ -40,13 +40,6 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; - overlays = { - netbox41OIDCMappingOverlay = final: prev: { - netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { - patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; - }); - }; - }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; @@ -84,18 +77,6 @@ ]; }; - netbox = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/netbox - { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } - ]; - }; - matrix = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch deleted file mode 100644 index 89f805a7..00000000 --- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py -new file mode 100644 -index 000000000..470f388dc ---- /dev/null -+++ b/netbox/netbox/custom_pipeline.py -@@ -0,0 +1,55 @@ -+# Licensed under Creative Commons: CC BY-SA 4.0 license. -+# https://github.com/goauthentik/authentik/blob/main/LICENSE -+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md -+# https://docs.goauthentik.io/integrations/services/netbox/ -+from netbox.authentication import Group -+ -+class AuthFailed(Exception): -+ pass -+ -+def add_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ pass -+ -+ # Add all groups from oAuth token -+ for group in groups: -+ group, created = Group.objects.get_or_create(name=group) -+ user.groups.add(group) -+ -+def remove_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # Remove all groups if no groups in oAuth token -+ user.groups.clear() -+ pass -+ -+ # Get all groups of user -+ user_groups = [item.name for item in user.groups.all()] -+ # Get groups of user which are not part of oAuth token -+ delete_groups = list(set(user_groups) - set(groups)) -+ -+ # Delete non oAuth token groups -+ for delete_group in delete_groups: -+ group = Group.objects.get(name=delete_group) -+ user.groups.remove(group) -+ -+ -+def set_roles(response, user, backend, *args, **kwargs): -+ # Remove Roles temporary -+ user.is_superuser = False -+ user.is_staff = False -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # When no groups are set -+ # save the user without Roles -+ user.save() -+ pass -+ -+ # Set roles is role (superuser or staff) is in groups -+ user.is_superuser = True if 'superusers' in groups else False -+ user.is_staff = True if 'staff' in groups else False -+ user.save()