Compare commits

..

2 commits

Author SHA1 Message Date
Timotej Lazar 9084f25319 netbox: allow registered users to view everything
And others nothing. Also clean up.
2024-08-15 17:09:11 +02:00
Timotej Lazar 8ba6959065 postgres: store DB password with other secrets
Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
ever worked properly or even at all.
2024-08-15 12:58:24 +02:00
2 changed files with 18 additions and 37 deletions

View file

@ -65,12 +65,10 @@
line: "ALLOWED_HOSTS = ['{{ dns_name }}']" line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
- key: 'USER.*PostgreSQL username' - key: 'USER.*PostgreSQL username'
line: " 'USER': '{{ user }}', # PostgreSQL username" line: " 'USER': '{{ user }}', # PostgreSQL username"
# XXX unnecessary? - key: 'PASSWORD.*PostgreSQL password'
#- key: '(OPTIONS|PASSWORD).*PostgreSQL password' line: " 'PASSWORD': '{{ password.db_pass }}', # PostgreSQL password"
# line: " 'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password" - key: '^PLUGINS = '
# not yet compatible, see https://github.com/netbox-community/netbox-topology-views/issues/503 line: "PLUGINS = ['netbox_topology_views']"
#- key: '^PLUGINS = '
# line: "PLUGINS = ['netbox_topology_views']"
notify: run migrations notify: run migrations
- name: Configure OIDC authentication - name: Configure OIDC authentication
@ -89,11 +87,22 @@
line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'" line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
- key: "^SOCIAL_AUTH_OIDC_SECRET =" - key: "^SOCIAL_AUTH_OIDC_SECRET ="
line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'" line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
# TODO the key should really be upn but it doesn’t seem to work
- key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY =" - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'" line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
notify: run migrations notify: run migrations
- name: Configure various settings
lineinfile:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
regexp: '{{ item.key }}'
line: '{{ item.line }}'
loop:
- key: "^LOGIN_REQUIRED ="
line: "LOGIN_REQUIRED = True"
- key: "^EXEMPT_VIEW_PERMISSIONS = \\[$"
line: "EXEMPT_VIEW_PERMISSIONS = ['*',"
notify: restart netbox
- name: Set additional requirements - name: Set additional requirements
become: yes become: yes
become_user: '{{ user }}' become_user: '{{ user }}'
@ -115,8 +124,7 @@
#from django.contrib.auth.models import User #from django.contrib.auth.models import User
username = '{{ password.admin_user }}' username = '{{ password.admin_user }}'
if not User.objects.filter(username=username): if not User.objects.filter(username=username):
User.objects.create_superuser(username, '', # TODO email User.objects.create_superuser(username, password='{{ password.admin_pass }}')
'{{ password.admin_pass }}')
sys.exit(1) sys.exit(1)
register: result register: result
changed_when: result.rc != 0 changed_when: result.rc != 0

View file

@ -10,32 +10,6 @@
enabled: true enabled: true
state: started state: started
- name: Check for existing database password
become: yes
become_user: '{{ user }}'
slurp:
path: '~/.pgpass'
register: pgpass
failed_when: false
- name: Get database password
when: '"content" in pgpass'
set_fact: db_password='{{ pgpass.content | b64decode | split(":") | last }}'
- name: Create database password
when: '"content" not in pgpass'
set_fact: db_password='{{ lookup("password", "/dev/null", chars=["ascii_letters", "digits"]) }}'
- name: Create .pgpass
become: yes
become_user: '{{ user }}'
copy:
dest: '~/.pgpass'
content: |
localhost:5432:{{ user }}:{{ user }}:{{ db_password }}
force: no
mode: 0600
- become: yes - become: yes
become_user: postgres become_user: postgres
block: block:
@ -47,8 +21,7 @@
postgresql_user: postgresql_user:
db: '{{ database | default(user) }}' db: '{{ database | default(user) }}'
name: '{{ user }}' name: '{{ user }}'
password: '{{ db_password }}' password: '{{ password.db_pass }}'
no_password_changes: '{{ "content" in pgpass }}'
- name: Set schema owner - name: Set schema owner
postgresql_owner: postgresql_owner: