__netbox: autogen secretkey and store at remote

The secret key is generated if it is neither set via parameter nor returned by the
explorer. It is saved in the netbox home directory so the explorer can read it back
on the next run and the config generation keeps using the same key.
This commit is contained in:
matze 2020-08-23 16:52:02 +02:00
parent f5c8c26db6
commit 49bb527dea
6 changed files with 39 additions and 8 deletions


@ -0,0 +1,8 @@
#!/bin/sh -e
# Explorer will output the key if he exists.
secretkey="/opt/netbox/.secretkey"
if [ -f "$secretkey" ]; then
cat "$secretkey"
fi
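Review bot: Worth a caveat in this explorer that its output is a secret: cdist copies explorer output back to the control host (into the object's cache directory, I believe), so the key now also lives in cleartext there and not only in the mode-400 `/opt/netbox/.secretkey`. The comment could read `# Print the secret key saved by the manifest, if any. NOTE(review): explorer output is cached on the cdist host.` in place of `# Explorer will output the key if he exists.`. The `-f` test is fine, but `-r` would also cover a file that exists yet is unreadable, which otherwise makes `cat` fail under `-e`; whether the explorer runs with enough privilege to read a file owned by netbox is not visible here.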


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/sh -e
# output version if exist # output version if exist
version_path="/opt/netbox/netbox/cdist/version" version_path="/opt/netbox/netbox/cdist/version"


@ -32,16 +32,22 @@ database-user
database-password database-password
PostgreSQL database password. PostgreSQL database password.
secret-key
Random secret key of at least 50 alphanumeric characters. This key must be
unique to this installation and must not be shared outside the local
system.
host host
Hostname (domain or IP address) on which the application is served. Hostname (domain or IP address) on which the application is served.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
secret-key
Random secret key of at least 50 alphanumeric characters and symbols. This
key must be unique to this installation and must not be shared outside the
local system. If no secret key is given, the type generates an own 50 chars
long key and saves it on the remote host to remember it for the next run.
The secret, random string is used to assist in the creation new
cryptographic hashes for passwords and HTTP cookies. It is not directly
used for hasing user passwords or for encrpted storage. It can be changed
at any time, but will invalidate all existing sessions.
database-host database-host
PostgreSQL database hostname. Defaults to ``localhost``. PostgreSQL database hostname. Defaults to ``localhost``.


@ -37,7 +37,18 @@ export DATABASE_PORT
ALLOWED_HOST=$(cat "$__object/parameter/host") ALLOWED_HOST=$(cat "$__object/parameter/host")
export ALLOWED_HOST export ALLOWED_HOST
if [ -f "$__object/parameter/secret-key" ]; then
SECRET_KEY=$(cat "$__object/parameter/secret-key") SECRET_KEY=$(cat "$__object/parameter/secret-key")
elif [ -s "$__object/explorer/secretkey" ]; then
# Can be done over netbox/generate_secret_key.py too, but it's to
# complicated with the variable setup (can't generated right now!).
# Generates a 50-character long key (without ' cause of python quotes)
SECRET_KEY="$(tr -cd '[:graph:]' < /dev/random | tr -d \' | head -c50)"
else
# take the key that is already used
SECRET_KEY="$(cat "$__object/explorer/secretkey")"
fi
export SECRET_KEY export SECRET_KEY
if [ -f "$__object/parameter/ldap-server" ]; then if [ -f "$__object/parameter/ldap-server" ]; then
@ -177,6 +188,12 @@ if [ -f "$__object/parameter/ldap-server" ]; then
--source "$__object/files/ldap_config.py" --source "$__object/files/ldap_config.py"
fi fi
# save secret
require="__user/netbox" __file /opt/netbox/.secretkey --mode 400 \
--owner netbox --source - << SECRET
$SECRET_KEY
SECRET
# Upload systemd units and gunicorn configuration. # Upload systemd units and gunicorn configuration.
for unit in netbox netbox-rq; do for unit in netbox netbox-rq; do
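Review bot: The branch order around `elif [ -s "$__object/explorer/secretkey" ]; then` is inverted: `-s` is true exactly when the explorer returned an existing key, yet that branch generates a fresh one, while the `else` branch (`# take the key that is already used`) only runs when the explorer output is empty and so sets `SECRET_KEY` to an empty string. Every run without `--secret-key` therefore rotates the key (invalidating all sessions, as the man page text itself warns) and a first run ends up writing an empty key. The minimal fix is to negate the test, `elif [ ! -s "$__object/explorer/secretkey" ]; then`, and keep both bodies as they are. Separately, `tr -cd '[:graph:]' < /dev/random` can block on older Linux kernels until the entropy pool is ready, so `/dev/urandom` is the usual source here, and since `[:graph:]` still admits `\`, `"` and backticks, restricting it to `[:alnum:]` (what the previous man page required) avoids escaping surprises when the key is later interpolated into the Python config. The manifest continues outside both hunks.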


@ -1,3 +1,4 @@
secret-key
database-host database-host
database-port database-port
ldap-server ldap-server


@ -2,5 +2,4 @@ version
database database
database-user database-user
database-password database-password
secret-key
host host