From 8ba69590651f644aa120443368c0a58559f0ecce Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 15 Aug 2024 12:57:15 +0200
Subject: [PATCH 1/2] postgres: store DB password with other secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff ever worked properly or even at all.
---
 roles/netbox/tasks/main.yml | 2 ++
 roles/postgres/tasks/main.yml | 29 +----------------------------
 2 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml
index cc8e41a..5475b0c 100644
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@@ -65,6 +65,8 @@
 line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
 - key: 'USER.*PostgreSQL username'
 line: " 'USER': '{{ user }}', # PostgreSQL username"
+ - key: 'PASSWORD.*PostgreSQL password'
+ line: " 'PASSWORD': '{{ password.db_pass }}', # PostgreSQL password"
 # XXX unnecessary?
 #- key: '(OPTIONS|PASSWORD).*PostgreSQL password'
 # line: " 'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password"
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index ced677a..a746103 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
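Review bot: The added `line` splices `password.db_pass` unescaped into a single-quoted Python literal in configuration.py; the generator removed from roles/postgres limited the value to `ascii_letters` and `digits`, but where `password.db_pass` now comes from is not visible here, so a value containing `'` or `\` would leave configuration.py unparseable. Rendering it as `line: " 'PASSWORD': {{ password.db_pass | to_json }}, # PostgreSQL password"` (or constraining the charset where the secret is generated) produces a valid literal for any value. Because the secret is part of the task's arguments, the lineinfile task this loop item belongs to — its header is outside the hunk — should also carry `no_log: true` so the rendered line does not show up in verbose or `--diff` output. configuration.py now holds the password in clear text, so the file's owner and mode (not shown in this hunk) should restrict it to the service user.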
@@ -10,32 +10,6 @@
 enabled: true
 state: started
-- name: Check for existing database password
- become: yes
- become_user: '{{ user }}'
- slurp:
- path: '~/.pgpass'
- register: pgpass
- failed_when: false
-
-- name: Get database password
- when: '"content" in pgpass'
- set_fact: db_password='{{ pgpass.content | b64decode | split(":") | last }}'
-
-- name: Create database password
- when: '"content" not in pgpass'
- set_fact: db_password='{{ lookup("password", "/dev/null", chars=["ascii_letters", "digits"]) }}'
-
-- name: Create .pgpass
- become: yes
- become_user: '{{ user }}'
- copy:
- dest: '~/.pgpass'
- content: |
- localhost:5432:{{ user }}:{{ user }}:{{ db_password }}
- force: no
- mode: 0600
-
 - become: yes
 become_user: postgres
 block:
@@ -47,8 +21,7 @@
 postgresql_user:
 db: '{{ database | default(user) }}'
 name: '{{ user }}'
- password: '{{ db_password }}'
- no_password_changes: '{{ "content" in pgpass }}'
+ password: '{{ password.db_pass }}'
 - name: Set schema owner
 postgresql_owner:

From 9084f25319bcf16fe1e5e9e4dfa0c16628a76521 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 15 Aug 2024 17:09:11 +0200
Subject: [PATCH 2/2] netbox: allow registered users to view everything

And others nothing. Also clean up.
---
 roles/netbox/tasks/main.yml | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml
index 5475b0c..04fa6c6 100644
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
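Review bot: With `no_password_changes` removed, the `postgresql_user` task in the second hunk now enforces the role password from `password.db_pass` on every run, so the `password` mapping must define `db_pass` for every host or the play aborts on an undefined variable; the commit message does not mention this new requirement on the secrets data. The `become_user: postgres` block this task lives in starts outside the hunk. Consider adding `encrypted: true` next to `password:` so the role does not depend on the module default for whether a hashed rather than a plaintext value is sent to the server.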
@@ -67,12 +67,8 @@
 line: " 'USER': '{{ user }}', # PostgreSQL username"
 - key: 'PASSWORD.*PostgreSQL password'
 line: " 'PASSWORD': '{{ password.db_pass }}', # PostgreSQL password"
- # XXX unnecessary?
- #- key: '(OPTIONS|PASSWORD).*PostgreSQL password'
- # line: " 'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password"
- # not yet compatible, see https://github.com/netbox-community/netbox-topology-views/issues/503
- #- key: '^PLUGINS = '
- # line: "PLUGINS = ['netbox_topology_views']"
+ - key: '^PLUGINS = '
+ line: "PLUGINS = ['netbox_topology_views']"
 notify: run migrations
 - name: Configure OIDC authentication
@@ -91,11 +87,22 @@
 line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
 - key: "^SOCIAL_AUTH_OIDC_SECRET ="
 line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
- # TODO the key should really be upn but it doesn’t seem to work
 - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
 line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
 notify: run migrations
+- name: Configure various settings
+ lineinfile:
+ path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
+ regexp: '{{ item.key }}'
+ line: '{{ item.line }}'
+ loop:
+ - key: "^LOGIN_REQUIRED ="
+ line: "LOGIN_REQUIRED = True"
+ - key: "^EXEMPT_VIEW_PERMISSIONS = \\[$"
+ line: "EXEMPT_VIEW_PERMISSIONS = ['*',"
+ notify: restart netbox
+
 - name: Set additional requirements
 become: yes
 become_user: '{{ user }}'
@@ -117,8 +124,7 @@
 #from django.contrib.auth.models import User
 username = '{{ password.admin_user }}'
 if not User.objects.filter(username=username):
- User.objects.create_superuser(username, '', # TODO email
- '{{ password.admin_pass }}')
+ User.objects.create_superuser(username, password='{{ password.admin_pass }}')
 sys.exit(1)
 register: result
 changed_when: result.rc != 0
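Review bot: The new `PLUGINS = ['netbox_topology_views']` entry replaces a comment that said the plugin was not yet compatible (netbox-topology-views issue 503), but neither the hunk nor the commit message says what resolved that; a short comment above the entry such as `# compatible again as of <plugin version> — see netbox-topology-views#503` would preserve the reasoning for the next upgrade. Because the regexp is `^PLUGINS = `, the whole line is rewritten and any plugin added to it by hand is silently dropped, which is fine only if this role is the sole owner of that line. The lineinfile task this loop item belongs to starts outside the hunk.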
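Review bot: The `EXEMPT_VIEW_PERMISSIONS` entry in the "Configure various settings" task depends on the exact upstream layout: the regexp `^EXEMPT_VIEW_PERMISSIONS = \[$` only matches when the opening bracket is alone on its line, and when lineinfile finds no regexp match it appends `line` at end of file, which would leave a dangling `EXEMPT_VIEW_PERMISSIONS = ['*',` and a syntax error in configuration.py if the upstream default ever becomes a single-line `= []`. A comment on the loop item, e.g. `# relies on the multi-line list in the upstream example config; '*' becomes its first element`, would at least make that coupling visible, and templating configuration.py would remove it. Note that `'*'` exempts every object type from view permissions for all authenticated accounts, which matches the commit's stated intent, while `LOGIN_REQUIRED = True` is what keeps anonymous users out; both settings only take effect after the `restart netbox` handler runs.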
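Review bot: The rewritten `create_superuser` call still splices `password.admin_pass` unescaped into a single-quoted Python literal in the embedded script, so a secret containing `'` or `\` breaks the script instead of failing cleanly; `User.objects.create_superuser(username, password={{ password.admin_pass | to_json }})` renders a valid literal for any value, provided the surrounding task does not pass the script through a shell quoting layer first. That task (its header is outside the hunk) `register`s the result, so unless it sets `no_log: true` the rendered script including the password can appear in verbose output and in `result`. Dropping the empty email argument is fine since Django's `create_superuser` treats `email` as optional.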