Puppet Class: netbox

Defined in:

modules/netbox/manifests/init.pp

Summary

Installs Netbox

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

• service_hostname (Stdlib::Fqdn) —

  The external hostname for this service.

• discovery_name (Stdlib::Fqdn) (defaults to: $facts['networking']['fqdn']) —

  The fqdn name used internally

• secret_key (String) —

  Django secret key

• ldap_password (String) —

  Password of the LDAP bind user

• db_host (Stdlib::Fqdn) —

  The database host address.

• db_password (String) —

  Password of the database user

• db_port (Stdlib::Port) (defaults to: 5432) —

  The port on which the database is listening.

• db_user (String) (defaults to: 'netbox') —

  The user to connect to the database as.

• debug (Boolean) (defaults to: false) —

  Turn on django debugging

• port (Stdlib::Port) (defaults to: 8001) —

  Port the python app listen on

• config_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/deploy') —

  Path to the deploy directory

• venv_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/venv') —

  Path to the python virtualenv

• directory (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox/deploy/src') —

  Path to the netbox app

• extras_path (Stdlib::Unixpath) (defaults to: '/srv/deployment/netbox-extras') —

  The path which the extras repository will be cloned to

• scap_repo (String) (defaults to: 'netbox/deploy') —

  The repo to use for scap deploys

• ensure (Wmflib::Ensure) (defaults to: 'present') —

  installs/removes config files

• redis_port (Stdlib::Port) (defaults to: 6380) —

  The port (as a string) that the required Redis instance should listen on

• redis_host (Stdlib::Fqdn) (defaults to: 'localhost') —

  the redis host to use

• redis_password (String) (defaults to: '') —

  the redis password to use

• changelog_retention (Integer[0]) (defaults to: 90) —

  how many days to keep the changelog

• jobresult_retention (Integer[0]) (defaults to: 90) —

  how many days to keep the changelog

• prefer_ipv4 (Boolean) (defaults to: false) —

  prefer IPv4 over IPV6

• local_redis_maxmem (Integer) (defaults to: 1610612736) —

  The amount of memory in bytes that the local Redis instance should use

• ldap_server (Optional[Stdlib::Fqdn]) (defaults to: undef) —

  The LDAP server to specify in the configuration

• enable_ldap (Boolean) (defaults to: false) —

  Enable/disable LDAP authentication

• authentication_provider (Optional[Enum['ldap', 'cas', 'oidc']]) (defaults to: undef) —

  which auth provider to use ldap/cas/oidc

• swift_auth_url (Optional[Stdlib::HTTPUrl]) (defaults to: undef) —

  The authentication URL to be used for image storage.

• http_proxy (Optional[Stdlib::HTTPUrl]) (defaults to: undef) —

  the proxy for netbox to use for outbound connections

• cas_rename_attributes (Hash[String, String]) (defaults to: {}) —

  hash of attributes to rename

• cas_group_attribute_mapping (Hash[String, Array]) (defaults to: {}) —

  hash of cas attributes to map

• cas_group_mapping (Hash[String, Array]) (defaults to: {}) —

  hash of nextbox group mappings

• cas_group_required (Array) (defaults to: []) —

  list of required groups

• validators (Array[String[1]]) (defaults to: []) —

  list of custom validators see: docs.netbox.dev/en/stable/customization/custom-validation/

• cas_server_url (Stdlib::HTTPSUrl) (defaults to: 'https://cas.example.org') —

  The cas service url

• cas_username_attribute (Optional[String]) (defaults to: undef) —

  The cas username attribute

• swift_user (Optional[String]) (defaults to: undef) —

  The user to connect to SWIFT for image storage as.

• swift_key (Optional[String]) (defaults to: undef) —

  The key for the above user.

• swift_container (Optional[String]) (defaults to: undef) —

  The name of the SWIFT container to store images to

• swift_url_key (Optional[String]) (defaults to: undef) —

  The swift url key

• ca_certs (Optional[Stdlib::Unixpath]) (defaults to: undef) —

  The path to the CA certificates that signs internal certs.

• oidc_key (Optional[String]) (defaults to: undef)
• oidc_secret (Optional[String]) (defaults to: undef)

# File 'modules/netbox/manifests/init.pp', line 45

class netbox (
    Stdlib::Fqdn                  $service_hostname,
    String                        $secret_key,
    String                        $ldap_password,
    Stdlib::Fqdn                  $db_host,
    String                        $db_password,
    Stdlib::Fqdn                  $discovery_name              = $facts['networking']['fqdn'],
    Wmflib::Ensure                $ensure                      = 'present',
    Stdlib::Port                  $db_port                     = 5432,
    String                        $db_user                     = 'netbox',
    Boolean                       $debug                       = false,
    Stdlib::Port                  $port                        = 8001,
    Stdlib::Unixpath              $config_path                 = '/srv/deployment/netbox/deploy',
    Stdlib::Unixpath              $venv_path                   = '/srv/deployment/netbox/venv',
    Stdlib::Unixpath              $directory                   = '/srv/deployment/netbox/deploy/src',
    Stdlib::Unixpath              $extras_path                 = '/srv/deployment/netbox-extras',
    String                        $scap_repo                   = 'netbox/deploy',
    Stdlib::Port                  $redis_port                  = 6380,
    Integer                       $local_redis_maxmem          = 1610612736,  # 1.5Gb
    Stdlib::Fqdn                  $redis_host                  = 'localhost',
    String                        $redis_password              = '',
    Integer[0]                    $changelog_retention         = 90,
    Integer[0]                    $jobresult_retention         = 90,
    Boolean                       $prefer_ipv4                 = false,
    Optional[Stdlib::Fqdn]        $ldap_server                 = undef,
    Boolean                       $enable_ldap                 = false,
    Optional[Enum['ldap', 'cas', 'oidc']] $authentication_provider     = undef,
    Optional[Stdlib::HTTPUrl]     $swift_auth_url              = undef,
    Optional[Stdlib::HTTPUrl]     $http_proxy                  = undef,
    # Cas specific config
    Hash[String, String]          $cas_rename_attributes       = {},
    Hash[String, Array]           $cas_group_attribute_mapping = {},
    Hash[String, Array]           $cas_group_mapping           = {},
    Array                         $cas_group_required          = [],
    Array[String[1]]              $validators                  = [],
    Stdlib::HTTPSUrl              $cas_server_url              = 'https://cas.example.org',
    Optional[String]              $oidc_key                    = undef,
    Optional[String]              $oidc_secret                 = undef,
    Optional[String]              $cas_username_attribute      = undef,
    # Swift specific config
    Optional[String]              $swift_user                  = undef,
    Optional[String]              $swift_key                   = undef,
    Optional[String]              $swift_container             = undef,
    Optional[String]              $swift_url_key               = undef,
    Optional[Stdlib::Unixpath]    $ca_certs                    = undef,
) {
    ensure_packages(['virtualenv', 'python3-pip', 'python3-pynetbox'])
    $home_path = '/var/lib/netbox'

    file { $home_path:
        ensure => directory,
        owner  => 'netbox',
        group  => 'netbox',
        mode   => '0755',
    }

    if $redis_host == 'localhost' {
        # Configure REDIS to be memory-only (no persistance) and to only accept local
        # connections
        redis::instance { String($redis_port):  # cast as int's are not valid titles
        settings => {
            # below setting prevents persistance
            save                     => '""',
            bind                     => '127.0.0.1 ::1',
            maxmemory                => $local_redis_maxmem,
            maxmemory_policy         => 'volatile-lru',
            maxmemory_samples        => 5,
            lazyfree-lazy-eviction   => 'yes',
            lazyfree-lazy-expire     => 'yes',
            lazyfree-lazy-server-del => 'yes',
            lua-time-limit           => 5000,
            databases                => 3,
            protected-mode           => 'yes',
            dbfilename               => '""',
            appendfilename           => '""',
        },
        }
        prometheus::redis_exporter { String($redis_port): }
    }

    systemd::sysuser { 'netbox':
        ensure   => $ensure,
        home_dir => $home_path,
        shell    => '/bin/bash',
    }

    file { '/etc/netbox/configuration.py':
        ensure  => $ensure,
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/configuration.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }

    file { '/etc/netbox/ldap.py':
        ensure  => $ensure,
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/ldap_config.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }
    file { '/etc/netbox/cas_configuration.py':
        ensure  => stdlib::ensure($authentication_provider == 'cas', file),
        owner   => 'netbox',
        group   => 'www-data',
        mode    => '0440',
        content => template('netbox/cas_configuration.py.erb'),
        require => Scap::Target[$scap_repo],
        before  => Uwsgi::App['netbox'],
        notify  => [Service['uwsgi-netbox'], Service['rq-netbox']],
    }

    # Netbox is controlled via a custom systemd unit (uwsgi-netbox),
    # so avoid the generic uwsgi sysvinit script shipped in the package
    exec { 'mask_default_uwsgi':
        command => '/bin/systemctl mask uwsgi.service',
        creates => '/etc/systemd/system/uwsgi.service',
    }

  $uwsgi_environ = [
      'LANG=C.UTF-8',
      'PYTHONENCODING=utf-8',
      "REQUESTS_CA_BUNDLE=${ca_certs}",
  ]
  service::uwsgi { 'netbox':
      port            => $port,
      deployment_user => 'netbox',
      repo            => $scap_repo,
      config          => {
          need-plugins => 'python3',
          chdir        => "${directory}/netbox",
          venv         => $venv_path,
          wsgi         => 'netbox.wsgi',
          vacuum       => true,
          http-socket  => "127.0.0.1:${port}",
          # T170189: make sure Python has a sane default encoding
          env          => $uwsgi_environ,
          max-requests => 300,
      },
      healthcheck_url => '/login/',
      icinga_check    => false,
      sudo_rules      => [
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox restart',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox start',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox status',
          'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-netbox stop',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox restart',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox start',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox status',
          'ALL=(root) NOPASSWD: /usr/sbin/service rq-netbox stop',
      ],
      core_limit      => '30G',
  }

  systemd::service { 'rq-netbox':
    ensure  => $ensure,
    content => file('netbox/rq-netbox.service'),
  }

  profile::auto_restarts::service { 'uwsgi-netbox': }
  profile::auto_restarts::service { 'rq-netbox': }
}