diff --git a/roles/netbox/tasks/app.yml b/roles/netbox/tasks/app.yml
deleted file mode 100644
index 2a65094..0000000
--- a/roles/netbox/tasks/app.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-- name: Install dependencies
- package:
- name:
- - git
- - python3
- - python3-dev
- - py3-pip
- - py3-virtualenv
- - bash # for upgrade script
- - build-base # to build psycopg if not available
- - postgresql-dev # likewise
-
-- name: Checkout repo
- become: yes
- become_user: '{{ user }}'
- git:
- repo: https://github.com/netbox-community/netbox.git
- dest: '{{ user_info.home }}/app'
- version: 'v{{ netbox_version }}'
- notify: run migrations
-
-- name: Copy default config
- copy:
- dest: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
- src: '{{ user_info.home }}/app/netbox/netbox/configuration_example.py'
- remote_src: yes
- owner: '{{ user_info.uid }}'
- group: '{{ user_info.group }}'
- force: no
- notify: run migrations
-
-- name: Restrict access to config
- file:
- path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
- mode: 0600
-
-- name: Configure secret key
- lineinfile:
- path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
- regexp: "^SECRET_KEY = ''"
- line: "SECRET_KEY = '{{ lookup('password', '/dev/null', length=50) }}'"
- backrefs: yes # don’t set if set already
-
-- name: Configure base settings and database
- lineinfile:
- path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
- regexp: '{{ item.key }}'
- line: '{{ item.line }}'
- loop:
- - key: '^ALLOWED_HOSTS = '
- line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
- - key: 'USER.*PostgreSQL username'
- line: " 'USER': '{{ user }}', # PostgreSQL username"
- # XXX unnecessary?
- #- key: '(OPTIONS|PASSWORD).*PostgreSQL password'
- # line: " 'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password"
- # not yet compatible, see https://github.com/netbox-community/netbox-topology-views/issues/503
- #- key: '^PLUGINS = '
- # line: "PLUGINS = ['netbox_topology_views']"
- notify: run migrations
-
-- name: Configure OIDC authentication
- lineinfile:
- path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
- regexp: '{{ item.key }}'
- line: '{{ item.line }}'
- loop:
- - key: "^REMOTE_AUTH_ENABLED ="
- line: "REMOTE_AUTH_ENABLED = True"
- - key: "^REMOTE_AUTH_BACKEND ="
- line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
- - key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
- line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_endpoint') }}'"
- - key: "^SOCIAL_AUTH_OIDC_KEY ="
- line: "SOCIAL_AUTH_OIDC_KEY = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_id') }}'"
- - key: "^SOCIAL_AUTH_OIDC_SECRET ="
- line: "SOCIAL_AUTH_OIDC_SECRET = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_secret') }}'"
- # TODO the key should really be upn but it doesn’t seem to work
- - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
- line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
- notify: run migrations
-
-- name: Set additional requirements
- become: yes
- become_user: '{{ user }}'
- copy:
- dest: '{{ user_info.home }}/app/'
- src: local_requirements.txt
- notify: run migrations
-
-- meta: flush_handlers
-
-- name: Create superuser
- become: yes
- become_user: '{{ user }}'
- command:
- cmd: '{{ user_info.home }}/app/venv/bin/python {{ user_info.home }}/app/netbox/manage.py shell --interface python'
- stdin: |
- import sys
- from users.models import User
- #from django.contrib.auth.models import User
- username = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') }}'
- if not User.objects.filter(username=username):
- User.objects.create_superuser(username, '', # TODO email
- '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') }}')
- sys.exit(1)
- register: result
- changed_when: result.rc != 0
-
-- name: Set up gunicorn
- copy:
- dest: /srv/netbox/gunicorn.py
- src: /srv/netbox/app/contrib/gunicorn.py
- remote_src: yes
- force: no
- owner: netbox
- group: netbox
-
-- name: Set up cron job
- file:
- dest: /etc/periodic/daily/netbox-housekeeping.sh
- src: /srv/netbox/app/contrib/netbox-housekeeping.sh
- state: link
-
-- name: Install services
- template:
- dest: '/etc/init.d/{{ item }}'
- src: '{{ item }}.initd.j2'
- mode: 0755
- loop:
- - netbox
- - netbox-rq
-
-- name: Enable services
- service:
- name: '{{ item }}'
- enabled: true
- state: started
- loop:
- - netbox
- - netbox-rq
-
-- name: Set up nginx site
- template:
- dest: '/etc/nginx/http.d/netbox.conf'
- src: 'netbox.conf.j2'
- notify: reload nginx
diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml
index 0a96ca7..275a77d 100644
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@@ -1,12 +1,14 @@
-- name: Install redis
+- name: Install dependencies
 package:
- name: redis
-
-- name: Enable redis service
- service:
- name: redis
- enabled: true
- state: started
+ name:
+ - git
+ - python3
+ - python3-dev
+ - py3-pip
+ - py3-virtualenv
+ - bash # for upgrade script
+ - build-base # to build psycopg if not available
+ - postgresql-dev # likewise
 
 - name: Create group for web service
 group:
@@ -22,5 +24,138 @@
 system: yes
 register: user_info
 
-- name: Set up app
- import_tasks: app.yml
+- name: Checkout repo
+ become: yes
+ become_user: '{{ user }}'
+ git:
+ repo: https://github.com/netbox-community/netbox.git
+ dest: '{{ user_info.home }}/app'
+ version: 'v{{ netbox_version }}'
+ notify: run migrations
+
+- name: Copy default config
+ copy:
+ dest: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ src: '{{ user_info.home }}/app/netbox/netbox/configuration_example.py'
+ remote_src: yes
+ owner: '{{ user_info.uid }}'
+ group: '{{ user_info.group }}'
+ force: no
+ notify: run migrations
+
+- name: Restrict access to config
+ file:
+ path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ mode: 0600
+
+- name: Configure secret key
+ lineinfile:
+ path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ regexp: "^SECRET_KEY = ''"
+ line: "SECRET_KEY = '{{ lookup('password', '/dev/null', length=50) }}'"
+ backrefs: yes # don’t set if set already
+
+- name: Configure base settings and database
+ lineinfile:
+ path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ regexp: '{{ item.key }}'
+ line: '{{ item.line }}'
+ loop:
+ - key: '^ALLOWED_HOSTS = '
+ line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
+ - key: 'USER.*PostgreSQL username'
+ line: " 'USER': '{{ user }}', # PostgreSQL username"
+ # XXX unnecessary?
+ #- key: '(OPTIONS|PASSWORD).*PostgreSQL password'
+ # line: " 'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password"
+ # not yet compatible, see https://github.com/netbox-community/netbox-topology-views/issues/503
+ #- key: '^PLUGINS = '
+ # line: "PLUGINS = ['netbox_topology_views']"
+ notify: run migrations
+
+- name: Configure OIDC authentication
+ lineinfile:
+ path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ regexp: '{{ item.key }}'
+ line: '{{ item.line }}'
+ loop:
+ - key: "^REMOTE_AUTH_ENABLED ="
+ line: "REMOTE_AUTH_ENABLED = True"
+ - key: "^REMOTE_AUTH_BACKEND ="
+ line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
+ - key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
+ line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_endpoint') }}'"
+ - key: "^SOCIAL_AUTH_OIDC_KEY ="
+ line: "SOCIAL_AUTH_OIDC_KEY = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_id') }}'"
+ - key: "^SOCIAL_AUTH_OIDC_SECRET ="
+ line: "SOCIAL_AUTH_OIDC_SECRET = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_secret') }}'"
+ # TODO the key should really be upn but it doesn’t seem to work
+ - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
+ line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
+ notify: run migrations
+
+- name: Set additional requirements
+ become: yes
+ become_user: '{{ user }}'
+ copy:
+ dest: '{{ user_info.home }}/app/'
+ src: local_requirements.txt
+ notify: run migrations
+
+- meta: flush_handlers
+
+- name: Create superuser
+ become: yes
+ become_user: '{{ user }}'
+ command:
+ cmd: '{{ user_info.home }}/app/venv/bin/python {{ user_info.home }}/app/netbox/manage.py shell --interface python'
+ stdin: |
+ import sys
+ from users.models import User
+ #from django.contrib.auth.models import User
+ username = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') }}'
+ if not User.objects.filter(username=username):
+ User.objects.create_superuser(username, '', # TODO email
+ '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') }}')
+ sys.exit(1)
+ register: result
+ changed_when: result.rc != 0
+
+- name: Set up gunicorn
+ copy:
+ dest: /srv/netbox/gunicorn.py
+ src: /srv/netbox/app/contrib/gunicorn.py
+ remote_src: yes
+ force: no
+ owner: netbox
+ group: netbox
+
+- name: Set up cron job
+ file:
+ dest: /etc/periodic/daily/netbox-housekeeping.sh
+ src: /srv/netbox/app/contrib/netbox-housekeeping.sh
+ state: link
+
+- name: Install services
+ template:
+ dest: '/etc/init.d/{{ item }}'
+ src: '{{ item }}.initd.j2'
+ mode: 0755
+ loop:
+ - netbox
+ - netbox-rq
+
+- name: Enable services
+ service:
+ name: '{{ item }}'
+ enabled: true
+ state: started
+ loop:
+ - netbox
+ - netbox-rq
+
+- name: Set up nginx site
+ template:
+ dest: '/etc/nginx/http.d/netbox.conf'
+ src: 'netbox.conf.j2'
+ notify: reload nginx
diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml
new file mode 100644
index 0000000..83ba893
--- /dev/null
+++ b/roles/redis/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Install redis
+ package:
+ name: redis
+
+- name: Enable redis service
+ service:
+ name: redis
+ enabled: true
+ state: started
diff --git a/setup.yml b/setup.yml
index 6225f38..c250bf7 100644
--- a/setup.yml
+++ b/setup.yml
@@ -25,6 +25,7 @@
 roles:
 - alpine
 - postgres
+ - redis
 - nginx
 - netbox
 vars:
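Review bot: The moved `Create superuser` task ends its creation branch with `sys.exit(1)`, and `command` fails a task on any non-zero rc by default, so unless `manage.py shell` swallows SystemExit the one run that actually creates the admin account is reported as failed rather than changed — `changed_when` does not override that. The same task pipes the admin password from passwordstore into `stdin` as a bare Python literal, so it shows up in verbose output and task results unless `no_log: true` is set, and a value containing `'` or `\` would break out of the literal. Signal creation on stdout and exit 0, mark the task `no_log`, and render both credentials with `| to_json` so they become escaped Python string literals; `become: yes` → `become: true` on the moved tasks is cosmetic but worth doing while they are being touched.

```yaml
- name: Create superuser
  become: true
  become_user: '{{ user }}'
  no_log: true  # stdin carries the admin password; keep it out of logs and verbose output
  command:
    # … unchanged: cmd …
    stdin: |
      from users.models import User
      username = {{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') | to_json }}
      if not User.objects.filter(username=username).exists():
          User.objects.create_superuser(username, '',  # TODO email
              {{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') | to_json }})
          print('SUPERUSER_CREATED')
  register: result
  changed_when: "'SUPERUSER_CREATED' in result.stdout"
```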