servers/roles/netbox/tasks/main.yml
Timotej Lazar d5db7529dd netbox: allow registered users to view everything
And others nothing. Also clean up. Also enable topology views plugin.
2024-08-15 17:11:29 +02:00

170 lines
4.7 KiB
YAML

- name: Install dependencies
package:
name:
- git
- python3
- python3-dev
- py3-pip
- py3-virtualenv
- bash # for upgrade script
- build-base # to build psycopg if not available
- postgresql-dev # likewise
- name: Create group for web service
group:
name: '{{ user }}'
system: yes
- name: Create user for web service
user:
name: '{{ user }}'
group: '{{ user }}'
home: '/srv/{{ user }}'
shell: /bin/sh
system: yes
register: user_info
- name: Checkout repo
become: yes
become_user: '{{ user }}'
git:
repo: https://github.com/netbox-community/netbox.git
dest: '{{ user_info.home }}/app'
version: 'v{{ netbox_version }}'
notify: run migrations
- name: Copy default config
copy:
dest: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
src: '{{ user_info.home }}/app/netbox/netbox/configuration_example.py'
remote_src: yes
owner: '{{ user_info.uid }}'
group: '{{ user_info.group }}'
force: no
notify: run migrations
- name: Restrict access to config
file:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
mode: 0600
- name: Configure secret key
lineinfile:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
regexp: "^SECRET_KEY = ''"
line: "SECRET_KEY = '{{ lookup('password', '/dev/null', length=50) }}'"
backrefs: yes # don’t set if set already
- name: Configure base settings and database
lineinfile:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
regexp: '{{ item.key }}'
line: '{{ item.line }}'
loop:
- key: '^ALLOWED_HOSTS = '
line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
- key: 'USER.*PostgreSQL username'
line: " 'USER': '{{ user }}', # PostgreSQL username"
- key: 'PASSWORD.*PostgreSQL password'
line: " 'PASSWORD': '{{ password.db_pass }}', # PostgreSQL password"
- key: '^PLUGINS = '
line: "PLUGINS = ['netbox_topology_views']"
notify: run migrations
- name: Configure OIDC authentication
lineinfile:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
regexp: '{{ item.key }}'
line: '{{ item.line }}'
loop:
- key: "^REMOTE_AUTH_ENABLED ="
line: "REMOTE_AUTH_ENABLED = True"
- key: "^REMOTE_AUTH_BACKEND ="
line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
- key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ password.oidc_endpoint }}'"
- key: "^SOCIAL_AUTH_OIDC_KEY ="
line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
- key: "^SOCIAL_AUTH_OIDC_SECRET ="
line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
- key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
notify: run migrations
- name: Configure various settings
lineinfile:
path: '{{ user_info.home }}/app/netbox/netbox/configuration.py'
regexp: '{{ item.key }}'
line: '{{ item.line }}'
loop:
- key: "^LOGIN_REQUIRED ="
line: "LOGIN_REQUIRED = True"
- key: "^EXEMPT_VIEW_PERMISSIONS = \\[$"
line: "EXEMPT_VIEW_PERMISSIONS = ['*',"
notify: restart netbox
- name: Set additional requirements
become: yes
become_user: '{{ user }}'
copy:
dest: '{{ user_info.home }}/app/'
src: local_requirements.txt
notify: run migrations
- meta: flush_handlers
- name: Create superuser
become: yes
become_user: '{{ user }}'
command:
cmd: '{{ user_info.home }}/app/venv/bin/python {{ user_info.home }}/app/netbox/manage.py shell --interface python'
stdin: |
import sys
from users.models import User
#from django.contrib.auth.models import User
username = '{{ password.admin_user }}'
if not User.objects.filter(username=username):
User.objects.create_superuser(username, password='{{ password.admin_pass }}')
sys.exit(1)
register: result
changed_when: result.rc != 0
- name: Set up gunicorn
copy:
dest: /srv/netbox/gunicorn.py
src: /srv/netbox/app/contrib/gunicorn.py
remote_src: yes
force: no
owner: netbox
group: netbox
- name: Set up cron job
file:
dest: /etc/periodic/daily/netbox-housekeeping.sh
src: /srv/netbox/app/contrib/netbox-housekeeping.sh
state: link
- name: Install services
template:
dest: '/etc/init.d/{{ item }}'
src: '{{ item }}.initd.j2'
mode: 0755
loop:
- netbox
- netbox-rq
- name: Enable services
service:
name: '{{ item }}'
enabled: true
state: started
loop:
- netbox
- netbox-rq
- name: Set up nginx site
template:
dest: '/etc/nginx/http.d/netbox.conf'
src: 'netbox.conf.j2'
notify: reload nginx