Puppet Class: netbox

Defined in:
modules/netbox/manifests/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • service_hostname (Stdlib::Fqdn)

    The external hostname for this service.

  • discovery_name (Stdlib::Fqdn) (defaults to: $facts['networking']['fqdn'])

    The fqdn name used internally

  • secret_key (String)

    Django secret key

  • ldap_password (String)

    Password of the LDAP bind user

  • db_host (Stdlib::Fqdn)

    The database host address.

  • db_password (String)

    Password of the database user

  • db_port (Stdlib::Port) (defaults to: 5432)

    The port on which the database is listening.

  • db_user (String) (defaults to: 'netbox')

    The user to connect to the database as.

  • debug (Boolean) (defaults to: false)

    Turn on django debugging

  • port (Stdlib::Port) (defaults to: 8001)

    Port the python app listen on

  • config_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/deploy')

    Path to the deploy directory

  • venv_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/venv')

    Path to the python virtualenv

  • directory (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/deploy/src')

    Path to the netbox app

  • extras_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox-extras')

    The path which the extras repository will be cloned to

  • scap_repo (String) (defaults to: 'netbox/deploy')

    The repo to use for scap deploys

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    installs/removes config files

  • local_redis_port (Stdlib::Port) (defaults to: 6380)

    The port (as a string) that the required local Redis instance should listen on

  • local_redis_maxmem (Integer) (defaults to: 1610612736)

    The amount of memory in bytes that the local Redis instance should use

  • ldap_server (Optional[Stdlib::Fqdn]) (defaults to: undef)

    The LDAP server to specify in the configuration

  • enable_ldap (Boolean) (defaults to: false)

    Enable/disable LDAP authentication

  • authentication_provider (Optional[Enum['ldap', 'cas']]) (defaults to: undef)

    which auth provider to use ldap/cas

  • swift_auth_url (Optional[Stdlib::HTTPUrl]) (defaults to: undef)

    The authentication URL to be used for image storage.

  • http_proxy (Optional[Stdlib::HTTPUrl]) (defaults to: undef)

    the proxy for netbox to use for outbound connections

  • cas_rename_attributes (Hash[String, String]) (defaults to: {})

    hash of attributes to rename

  • cas_group_attribute_mapping (Hash[String, Array]) (defaults to: {})

    hash of cas attributes to map

  • cas_group_mapping (Hash[String, Array]) (defaults to: {})

    hash of nextbox group mappings

  • cas_group_required (Array) (defaults to: [])

    list of required groups

  • cas_server_url (Stdlib::HTTPSUrl) (defaults to: 'https://cas.example.org')

    The cas service url

  • cas_username_attribute (Optional[String]) (defaults to: undef)

    The cas username attribute

  • swift_user (Optional[String]) (defaults to: undef)

    The user to connect to SWIFT for image storage as.

  • swift_key (Optional[String]) (defaults to: undef)

    The key for the above user.

  • swift_container (Optional[String]) (defaults to: undef)

    The name of the SWIFT container to store images to

  • swift_url_key (Optional[String]) (defaults to: undef)

    The swift url key

  • ca_certs (Optional[Stdlib::Unixpath]) (defaults to: undef)

    The path to the CA certificates that signs internal certs.

  • changelog_retention (Integer[0]) (defaults to: 90)
  • jobresult_retention (Integer[0]) (defaults to: 90)
  • prefer_ipv4 (Boolean) (defaults to: false)


38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# File 'modules/netbox/manifests/init.pp', line 38

class netbox(
    Stdlib::Fqdn                  $service_hostname,
    String                        $secret_key,
    String                        $ldap_password,
    Stdlib::Fqdn                  $db_host,
    String                        $db_password,
    Stdlib::Fqdn                  $discovery_name              = $facts['networking']['fqdn'],
    Wmflib::Ensure                $ensure                      = 'present',
    Stdlib::Port                  $db_port                     = 5432,
    String                        $db_user                     = 'netbox',
    Boolean                       $debug                       = false,
    Stdlib::Port                  $port                        = 8001,
    Stdlib::Unixpath              $config_path                 = '/srv/deployment/netbox/deploy',
    Stdlib::Unixpath              $venv_path                   = '/srv/deployment/netbox/venv',
    Stdlib::Unixpath              $directory                   = '/srv/deployment/netbox/deploy/src',
    Stdlib::Unixpath              $extras_path                 = '/srv/deployment/netbox-extras',
    String                        $scap_repo                   = 'netbox/deploy',
    Stdlib::Port                  $local_redis_port            = 6380,
    Integer                       $local_redis_maxmem          = 1610612736,  # 1.5Gb
    Integer[0]                    $changelog_retention         = 90,
    Integer[0]                    $jobresult_retention         = 90,
    Boolean                       $prefer_ipv4                 = false,
    Optional[Stdlib::Fqdn]        $ldap_server                 = undef,
    Boolean                       $enable_ldap                 = false,
    Optional[Enum['ldap', 'cas']] $authentication_provider     = undef,
    Optional[Stdlib::HTTPUrl]     $swift_auth_url              = undef,
    Optional[Stdlib::HTTPUrl]     $http_proxy                  = undef,
    # Cas specific config
    Hash[String, String]          $cas_rename_attributes       = {},
    Hash[String, Array]           $cas_group_attribute_mapping = {},
    Hash[String, Array]           $cas_group_mapping           = {},
    Array                         $cas_group_required          = [],
    Stdlib::HTTPSUrl              $cas_server_url              = 'https://cas.example.org',
    Optional[String]              $cas_username_attribute      = undef,
    # Swift specific config
    Optional[String]              $swift_user                  = undef,
    Optional[String]              $swift_key                   = undef,
    Optional[String]              $swift_container             = undef,
    Optional[String]              $swift_url_key               = undef,
    Optional[Stdlib::Unixpath]    $ca_certs                    = undef,
) {
    ensure_packages(['virtualenv', 'python3-pip', 'python3-pynetbox'])
    $home_path = '/var/lib/netbox'

    file { $home_path:
        ensure => directory,
        owner  => 'netbox',
        group  => 'netbox',
        mode   => '0755',
    }

    # Configure REDIS to be memory-only (no persistance) and to only accept local
    # connections
    redis::instance { String($local_redis_port):  # cast as int's are not valid titles
      settings => {
        # below setting prevents persistance
        save                     => '""',
        bind                     => '127.0.0.1 ::1',
        maxmemory                => $local_redis_maxmem,
        maxmemory_policy         => 'volatile-lru',
        maxmemory_samples        => 5,
        lazyfree-lazy-eviction   => 'yes',
        lazyfree-lazy-expire     => 'yes',
        lazyfree-lazy-server-del => 'yes',
        lua-time-limit           => 5000,
        databases                => 3,
        protected-mode           => 'yes',
        dbfilename               => '""',
        appendfilename           => '""',
      },
    }
    prometheus::redis_exporter { String($local_redis_port): }

    user { 'netbox':
        ensure  => $ensure,
        comment => 'This is the global owner for all Netbox things.',
        system  => true,
        home    => $home_path,
        shell   => '/bin/bash',
    }

    file { '/etc/netbox/configuration.py':
        ensure  => $ensure,
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/configuration.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }

    file { '/etc/netbox/ldap.py':
        ensure  => $ensure,
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/ldap_config.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }
    file { '/etc/netbox/cas_configuration.py':
        ensure  => $ensure,
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/cas_configuration.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }

    # Netbox is controlled via a custom systemd unit (uwsgi-netbox),
    # so avoid the generic uwsgi sysvinit script shipped in the package
    exec { 'mask_default_uwsgi':
        command => '/bin/systemctl mask uwsgi.service',
        creates => '/etc/systemd/system/uwsgi.service',
    }

  $uwsgi_environ=[
      'LANG=C.UTF-8',
      'PYTHONENCODING=utf-8',
      "REQUESTS_CA_BUNDLE=${ca_certs}",
  ]
  service::uwsgi { 'netbox':
      port            => $port,
      deployment_user => 'netbox',
      repo            => $scap_repo,
      config          => {
          need-plugins => 'python3',
          chdir        => "${directory}/netbox",
          venv         => $venv_path,
          wsgi         => 'netbox.wsgi',
          vacuum       => true,
          http-socket  => "127.0.0.1:${port}",
          # T170189: make sure Python has a sane default encoding
          env          => $uwsgi_environ,
          max-requests => 300,
      },
      healthcheck_url => '/login/',
      icinga_check    => false,
      sudo_rules      => [
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox restart',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox start',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox status',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox stop',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox restart',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox start',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox status',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox stop',

      ],
      core_limit      => '30G',
  }

  systemd::service { 'rq-netbox':
    ensure  => $ensure,
    content => file('netbox/rq-netbox.service'),
  }

  profile::auto_restarts::service { 'uwsgi-netbox': }
  profile::auto_restarts::service { 'rq-netbox': }

}