Merge branch 'netbox' into 'netbox'
__netbox type improvements See merge request ungleich-public/cdist-contrib!17
This commit is contained in:
commit
e8c731c384
56 changed files with 1487 additions and 179 deletions
8
type/__netbox/explorer/secretkey
Executable file
8
type/__netbox/explorer/secretkey
Executable file
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Explorer will output the key if he exists.
|
||||||
|
|
||||||
|
secretkey="/opt/netbox/cdist/secretkey"
|
||||||
|
if [ -f "$secretkey" ]; then
|
||||||
|
cat "$secretkey"
|
||||||
|
fi
|
5
type/__netbox/explorer/version
Executable file
5
type/__netbox/explorer/version
Executable file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# output version if exist
|
||||||
|
version_path="/opt/netbox/cdist/version"
|
||||||
|
if [ -f "$version_path" ]; then cat "$version_path"; fi
|
|
@ -11,7 +11,7 @@ cat << EOF
|
||||||
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
|
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
|
||||||
#
|
#
|
||||||
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
|
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
|
||||||
ALLOWED_HOSTS = [ '$ALLOWED_HOST' ]
|
ALLOWED_HOSTS = [$ALLOWED_HOSTS ]
|
||||||
|
|
||||||
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
|
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
|
||||||
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
|
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
|
||||||
|
@ -19,8 +19,8 @@ DATABASE = {
|
||||||
'NAME': '$DATABASE_NAME', # Database name
|
'NAME': '$DATABASE_NAME', # Database name
|
||||||
'USER': '$DATABASE_USER', # PostgreSQL username
|
'USER': '$DATABASE_USER', # PostgreSQL username
|
||||||
'PASSWORD': '$DATABASE_PASSWORD', # PostgreSQL password
|
'PASSWORD': '$DATABASE_PASSWORD', # PostgreSQL password
|
||||||
'HOST': 'localhost', # Database server
|
'HOST': '$DATABASE_HOST', # Database server
|
||||||
'PORT': '', # Database port (leave blank for default)
|
'PORT': '$DATABASE_PORT', # Database port (leave blank for default)
|
||||||
'CONN_MAX_AGE': 300, # Max database connection age
|
'CONN_MAX_AGE': 300, # Max database connection age
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,28 +29,27 @@ DATABASE = {
|
||||||
# to use two separate database IDs.
|
# to use two separate database IDs.
|
||||||
REDIS = {
|
REDIS = {
|
||||||
'tasks': {
|
'tasks': {
|
||||||
'HOST': 'localhost',
|
'HOST': '$REDIS_HOST',
|
||||||
'PORT': 6379,
|
'PORT': $REDIS_PORT,
|
||||||
# Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
|
# Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
|
||||||
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
||||||
# 'SENTINEL_SERVICE': 'netbox',
|
# 'SENTINEL_SERVICE': 'netbox',
|
||||||
'PASSWORD': '',
|
'PASSWORD': '$REDIS_PASSWORD',
|
||||||
'DATABASE': 0,
|
'DATABASE': $((REDIS_DBID_OFFSET + 0)),
|
||||||
'DEFAULT_TIMEOUT': 300,
|
'SSL': $REDIS_SSL,
|
||||||
'SSL': False,
|
|
||||||
},
|
},
|
||||||
'caching': {
|
'caching': {
|
||||||
'HOST': 'localhost',
|
'HOST': '$REDIS_HOST',
|
||||||
'PORT': 6379,
|
'PORT': $REDIS_PORT,
|
||||||
# Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
|
# Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
|
||||||
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
||||||
# 'SENTINEL_SERVICE': 'netbox',
|
# 'SENTINEL_SERVICE': 'netbox',
|
||||||
'PASSWORD': '',
|
'PASSWORD': '$REDIS_PASSWORD',
|
||||||
'DATABASE': 1,
|
'DATABASE': $((REDIS_DBID_OFFSET + 1)),
|
||||||
'DEFAULT_TIMEOUT': 300,
|
'SSL': $REDIS_SSL,
|
||||||
'SSL': False,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
RQ_DEFAULT_TIMEOUT = 300
|
||||||
|
|
||||||
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
|
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
|
||||||
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
|
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
|
||||||
|
@ -86,7 +85,7 @@ BANNER_LOGIN = ''
|
||||||
|
|
||||||
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
|
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
|
||||||
# BASE_PATH = 'netbox/'
|
# BASE_PATH = 'netbox/'
|
||||||
BASE_PATH = ''
|
BASE_PATH = '$BASEPATH'
|
||||||
|
|
||||||
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
|
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
|
||||||
CACHE_TIMEOUT = 900
|
CACHE_TIMEOUT = 900
|
||||||
|
@ -112,14 +111,14 @@ DEBUG = False
|
||||||
|
|
||||||
# Email settings
|
# Email settings
|
||||||
EMAIL = {
|
EMAIL = {
|
||||||
'SERVER': 'localhost',
|
'SERVER': '$SMTP_HOST',
|
||||||
'PORT': 25,
|
'PORT': $SMTP_PORT,
|
||||||
'USERNAME': '',
|
'USERNAME': '$SMTP_USER',
|
||||||
'PASSWORD': '',
|
'PASSWORD': '$SMTP_PASSWORD',
|
||||||
'USE_SSL': False,
|
'USE_SSL': $SMTP_USE_SSL,
|
||||||
'USE_TLS': False,
|
'USE_TLS': $SMTP_USE_TLS,
|
||||||
'TIMEOUT': 10, # seconds
|
'TIMEOUT': 10, # seconds
|
||||||
'FROM_EMAIL': '',
|
'FROM_EMAIL': '$SMTP_FROM_EMAIL',
|
||||||
}
|
}
|
||||||
|
|
||||||
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
|
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
|
||||||
|
@ -134,12 +133,29 @@ EXEMPT_VIEW_PERMISSIONS = [
|
||||||
# 'ipam.prefix',
|
# 'ipam.prefix',
|
||||||
]
|
]
|
||||||
|
|
||||||
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
|
EOF
|
||||||
# HTTP_PROXIES = {
|
|
||||||
# 'http': 'http://10.10.1.10:3128',
|
|
||||||
# 'https': 'http://10.10.1.10:1080',
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
if [ "$HTTP_PROXY" != "" ] || [ "$HTTPS_PROXY" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
|
||||||
|
HTTP_PROXIES = {
|
||||||
|
EOF
|
||||||
|
if [ "$HTTP_PROXY" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
'http': '$HTTP_PROXY',
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
if [ "$HTTPS_PROXY" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
'https': '$HTTPS_PROXY',
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
cat << EOF
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
|
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
|
||||||
# NetBox from an internal IP.
|
# NetBox from an internal IP.
|
||||||
INTERNAL_IPS = ('127.0.0.1', '::1')
|
INTERNAL_IPS = ('127.0.0.1', '::1')
|
||||||
|
@ -150,7 +166,7 @@ LOGGING = {}
|
||||||
|
|
||||||
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
||||||
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
|
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
|
||||||
LOGIN_REQUIRED = False
|
LOGIN_REQUIRED = $LOGIN_REQUIRED
|
||||||
|
|
||||||
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
||||||
# re-authenticate. (Default: 1209600 [14 days])
|
# re-authenticate. (Default: 1209600 [14 days])
|
||||||
|
@ -164,10 +180,18 @@ MAINTENANCE_MODE = False
|
||||||
# all objects by specifying "?limit=0".
|
# all objects by specifying "?limit=0".
|
||||||
MAX_PAGE_SIZE = 1000
|
MAX_PAGE_SIZE = 1000
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$MEDIA_ROOT" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
||||||
# the default value of this setting is derived from the installed location.
|
# the default value of this setting is derived from the installed location.
|
||||||
# MEDIA_ROOT = '/opt/netbox/netbox/media'
|
MEDIA_ROOT = '$MEDIA_ROOT'
|
||||||
|
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
|
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
|
||||||
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
|
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
|
||||||
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
|
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
|
||||||
|
@ -215,30 +239,67 @@ PREFER_IPV4 = False
|
||||||
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
|
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
|
||||||
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
|
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$USE_LDAP" ]; then
|
||||||
|
cat << EOF
|
||||||
|
# Remote authentication support with ldap
|
||||||
|
REMOTE_AUTH_ENABLED = True
|
||||||
|
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
cat << EOF
|
||||||
# Remote authentication support
|
# Remote authentication support
|
||||||
REMOTE_AUTH_ENABLED = False
|
REMOTE_AUTH_ENABLED = False
|
||||||
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
|
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
||||||
REMOTE_AUTH_AUTO_CREATE_USER = True
|
REMOTE_AUTH_AUTO_CREATE_USER = True
|
||||||
REMOTE_AUTH_DEFAULT_GROUPS = []
|
REMOTE_AUTH_DEFAULT_GROUPS = []
|
||||||
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
|
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
|
||||||
|
|
||||||
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
|
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
|
||||||
RELEASE_CHECK_TIMEOUT = 24 * 3600
|
RELEASE_CHECK_TIMEOUT = 24 * 3600
|
||||||
|
|
||||||
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
||||||
# version check or use the URL below to check for release in the official NetBox repository.
|
# version check or use the URL below to check for release in the official NetBox repository.
|
||||||
RELEASE_CHECK_URL = None
|
|
||||||
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
|
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$UPDATE_CHECK" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
|
||||||
|
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
cat << EOF
|
||||||
|
RELEASE_CHECK_URL = None
|
||||||
|
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$REPORTS_ROOT" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
|
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
|
||||||
# this setting is derived from the installed location.
|
# this setting is derived from the installed location.
|
||||||
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
|
REPORTS_ROOT = '$REPORTS_ROOT'
|
||||||
|
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$SCRIPTS_ROOT" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
||||||
# this setting is derived from the installed location.
|
# this setting is derived from the installed location.
|
||||||
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
|
SCRIPTS_ROOT = '$SCRIPTS_ROOT'
|
||||||
|
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
||||||
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
||||||
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
||||||
|
|
|
@ -1,5 +1,19 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
# no configuration if there are no ldap parameters
|
||||||
|
if [ -z "$USE_LDAP" ]; then
|
||||||
|
# skip
|
||||||
|
cat << EOF
|
||||||
|
##############################
|
||||||
|
# LDAP-backed authentication #
|
||||||
|
##############################
|
||||||
|
|
||||||
|
# no options set
|
||||||
|
EOF
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
##############################
|
##############################
|
||||||
# LDAP-backed authentication #
|
# LDAP-backed authentication #
|
||||||
|
@ -29,7 +43,7 @@ AUTH_LDAP_USER_ATTR_MAP = {
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$LDAP_GROUP_BASE" != "" ]; then
|
if [ "$LDAP_GROUP_BASE" != "" ]; then
|
||||||
cat << EOF
|
cat << EOF
|
||||||
|
|
||||||
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
|
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
|
||||||
# hierarchy.
|
# hierarchy.
|
||||||
|
@ -39,23 +53,30 @@ AUTH_LDAP_GROUP_TYPE = PosixGroupType()
|
||||||
|
|
||||||
# Mirror LDAP group assignments.
|
# Mirror LDAP group assignments.
|
||||||
AUTH_LDAP_MIRROR_GROUPS = True
|
AUTH_LDAP_MIRROR_GROUPS = True
|
||||||
|
# For more granular permissions, map LDAP groups to Django groups.
|
||||||
|
AUTH_LDAP_FIND_GROUP_PERMS = True
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$LDAP_REQUIRE_GROUP" != "" ]; then
|
if [ "$LDAP_REQUIRE_GROUP" != "" ]; then
|
||||||
cat << EOF
|
cat << EOF
|
||||||
|
|
||||||
# Define a group required to login.
|
# Define a group required to login.
|
||||||
AUTH_LDAP_REQUIRE_GROUP = "$LDAP_REQUIRE_GROUP"
|
AUTH_LDAP_REQUIRE_GROUP = "$LDAP_REQUIRE_GROUP"
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$LDAP_SUPERUSER_GROUP" != "" ]; then
|
cat << EOF
|
||||||
cat << EOF
|
|
||||||
|
|
||||||
# Define special user types using groups. Exercise great caution when assigning superuser status.
|
# Define special user types using groups. Exercise great caution when assigning superuser status.
|
||||||
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
||||||
"is_superuser": "$LDAP_SUPERUSER_GROUP",
|
|
||||||
}
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
# superuser
|
||||||
|
if [ "$LDAP_SUPERUSER_GROUP" != "" ]; then
|
||||||
|
echo " \"is_superuser\": \"$LDAP_SUPERUSER_GROUP\","
|
||||||
|
fi
|
||||||
|
# staff user
|
||||||
|
if [ "$LDAP_STAFF_GROUP" != "" ]; then
|
||||||
|
echo " \"is_staff\": \"$LDAP_STAFF_GROUP\","
|
||||||
|
fi
|
||||||
|
echo "}"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=NetBox Request Queue Worker
|
Description=NetBox Request Queue Worker
|
||||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||||
After=network-online.target
|
PartOf=netbox.service
|
||||||
Wants=network-online.target
|
Wants=network.target
|
||||||
|
After=netbox.service
|
||||||
|
After=network.target
|
||||||
|
After=redis-server.service postgresql.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
|
|
@ -1,22 +1,13 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=NetBox WSGI Service
|
Description=NetBox Service Wrapper
|
||||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||||
After=network-online.target
|
Wants=network.target
|
||||||
Wants=network-online.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
User=netbox
|
ExecStart=/bin/true
|
||||||
Group=netbox
|
|
||||||
PIDFile=/var/tmp/netbox.pid
|
|
||||||
WorkingDirectory=/opt/netbox
|
|
||||||
|
|
||||||
ExecStart=/opt/netbox/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi
|
|
||||||
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=30
|
|
||||||
PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
33
type/__netbox/files/netbox.socket.sh
Executable file
33
type/__netbox/files/netbox.socket.sh
Executable file
|
@ -0,0 +1,33 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
# __netbox/files/netbox.socket.sh
|
||||||
|
|
||||||
|
# This is shared between all WSGI-server types.
|
||||||
|
|
||||||
|
# Arguments:
|
||||||
|
# 1: File which list all sockets to listen on (sepearated by \n)
|
||||||
|
|
||||||
|
if [ $# -ne 1 ]; then
|
||||||
|
printf "netbox.socket.sh: argument \$1 missing or too much given!\n" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
cat << UNIT
|
||||||
|
[Unit]
|
||||||
|
Description=Socket for NetBox via $TYPE
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
UNIT
|
||||||
|
|
||||||
|
# read all sockets to listen to
|
||||||
|
while read -r line; do
|
||||||
|
printf "ListenStream=%s\n" "$line"
|
||||||
|
done < "$1"
|
||||||
|
|
||||||
|
cat << UNIT
|
||||||
|
SocketUser=netbox
|
||||||
|
SocketGroup=www-data
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
||||||
|
UNIT
|
|
@ -1,5 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
old_version="$(cat "$__object/explorer/version")"
|
||||||
VERSION=$(cat "$__object/parameter/version")
|
VERSION=$(cat "$__object/parameter/version")
|
||||||
|
|
||||||
src="netbox-$VERSION"
|
src="netbox-$VERSION"
|
||||||
|
@ -7,9 +8,8 @@ archive="v$VERSION.tar.gz"
|
||||||
url="https://github.com/netbox-community/netbox/archive/$archive"
|
url="https://github.com/netbox-community/netbox/archive/$archive"
|
||||||
install_dir=/opt/netbox/netbox
|
install_dir=/opt/netbox/netbox
|
||||||
|
|
||||||
cat << EOF
|
if [ "$VERSION" != "$old_version" ]; then
|
||||||
set -e
|
cat << EOF
|
||||||
|
|
||||||
# Ensure that coreutils is installed.
|
# Ensure that coreutils is installed.
|
||||||
if [ ! -x \$(which mktemp) ]; then
|
if [ ! -x \$(which mktemp) ]; then
|
||||||
echo "mktemp is not available on the remote host." >&2
|
echo "mktemp is not available on the remote host." >&2
|
||||||
|
@ -21,45 +21,100 @@ tmpdir=\$(mktemp -d)
|
||||||
cd "\$tmpdir"
|
cd "\$tmpdir"
|
||||||
|
|
||||||
# Download and extract sources.
|
# Download and extract sources.
|
||||||
curl -L '$url' > '$archive'
|
curl -sS -L '$url' > '$archive'
|
||||||
tar xf '$archive'
|
tar xf '$archive'
|
||||||
|
|
||||||
# Save cdist-upload configuration file.
|
|
||||||
cp '$install_dir/cdist/configuration.py' "\$tmpdir/configuration.py"
|
|
||||||
cp '$install_dir/cdist/ldap_config.py' "\$tmpdir/ldap_config.py"
|
|
||||||
|
|
||||||
# Deploy sources and restore configuration.
|
# virtualenv is given already by __pyvenv, just using it
|
||||||
rm -r '$install_dir'
|
|
||||||
cp -r '$src/netbox' '$install_dir'
|
|
||||||
cp \$tmpdir/configuration.py '$install_dir/netbox/configuration.py'
|
|
||||||
cp \$tmpdir/ldap_config.py '$install_dir/netbox/ldap_config.py'
|
|
||||||
|
|
||||||
# Setup & enter python virtualenv.
|
# backup requirement files
|
||||||
virtualenv /opt/netbox/venv
|
if [ -f /opt/netbox/requirements.txt ]; then
|
||||||
|
mv /opt/netbox/requirements.txt /opt/netbox/old-requirements.txt
|
||||||
|
else
|
||||||
|
# preseve file-not-found errors and warnings
|
||||||
|
touch /opt/netbox/old-requirements.txt
|
||||||
|
fi
|
||||||
|
cp '$src/requirements.txt' /opt/netbox/
|
||||||
|
|
||||||
# Install python dependencies.
|
# Uninstall packages not required anymore
|
||||||
/opt/netbox/venv/bin/pip3 install -r "\$tmpdir/$src/requirements.txt"
|
# if versions not be shortend, they will be ignored by pip, but not by comm
|
||||||
EOF
|
# all of this could be done with grep, too, but it's still must be shortend with awk
|
||||||
|
awk -F== '{print \$1}' '/opt/netbox/requirements.txt' | sort > "\$tmpdir/curr-reqs.txt"
|
||||||
|
awk -F== '{print \$1}' '/opt/netbox/old-requirements.txt' | sort > "\$tmpdir/old-reqs.txt"
|
||||||
|
comm -23 "\$tmpdir/old-reqs.txt" "\$tmpdir/curr-reqs.txt" > "\$tmpdir/pip-uninstall.txt"
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-server" ]; then
|
# only uninstall if something is available (to avoid errors cause of this)
|
||||||
echo "/opt/netbox/venv/bin/pip3 install django-auth-ldap"
|
if [ -s "\$tmpdir/pip-uninstall.txt" ]; then
|
||||||
|
/opt/netbox/venv/bin/pip3 uninstall -qy -r "\$tmpdir/pip-uninstall.txt"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat << EOF
|
# Install python dependencies.
|
||||||
|
# avoid gunicorn, because it will be done in an other type
|
||||||
|
grep -v "^gunicorn==" "\$tmpdir/$src/requirements.txt" \
|
||||||
|
| xargs /opt/netbox/venv/bin/pip3 install -q
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/ldap-server" ]; then
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 install -q django-auth-ldap"
|
||||||
|
else
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 uninstall -qy django-auth-ldap"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
# Deploy sources and restore configuration.
|
||||||
|
rm -rf '$install_dir'
|
||||||
|
cp -r '$src/netbox' '$install_dir'
|
||||||
|
# force links to the cdist directory
|
||||||
|
ln -fs /opt/netbox/cdist/configuration.py '$install_dir/netbox/configuration.py'
|
||||||
|
ln -fs /opt/netbox/cdist/ldap_config.py '$install_dir/netbox/ldap_config.py'
|
||||||
|
|
||||||
# Set final permissions.
|
# Set final permissions.
|
||||||
chown -R netbox /opt/netbox
|
chown -R netbox /opt/netbox
|
||||||
|
|
||||||
|
|
||||||
|
# NetBox manage scripts
|
||||||
# Run database migrations.
|
# Run database migrations.
|
||||||
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py migrate
|
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py migrate
|
||||||
|
|
||||||
# Generate static assets.
|
# Generate static assets.
|
||||||
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py collectstatic --no-input
|
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py collectstatic --no-input
|
||||||
|
# Delete any stale content types
|
||||||
|
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py remove_stale_contenttypes --no-input
|
||||||
|
# Delete any expired user sessions
|
||||||
|
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py clearsessions
|
||||||
|
# Clear all cached data
|
||||||
|
sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py invalidate all
|
||||||
|
|
||||||
# Remove temporary working directory.
|
# Remove temporary working directory.
|
||||||
cd /
|
cd /
|
||||||
rm -r "\$tmpdir"
|
rm -rf "\$tmpdir"
|
||||||
|
|
||||||
|
# Save version after successful installation
|
||||||
|
printf "%s\\n" "$VERSION" > /opt/netbox/cdist/version
|
||||||
|
|
||||||
# Restart services.
|
|
||||||
service netbox restart
|
|
||||||
service netbox-rq restart
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# meta
|
||||||
|
printf "installed %s\n" "$VERSION" >> "$__messages_out"
|
||||||
|
changes=yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
# check if configuration changed
|
||||||
|
if grep -q "^__file/opt/netbox/" "$__messages_in"; then
|
||||||
|
# meta
|
||||||
|
printf "configured\n" >> "$__messages_out"
|
||||||
|
changes=yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Check for changes
|
||||||
|
if [ "$changes" = "yes" ]; then
|
||||||
|
# After the upstream upgrade.sh script, it's ok to migrate while the
|
||||||
|
# application is running ;)
|
||||||
|
|
||||||
|
# restarting after changes
|
||||||
|
cat << EOF
|
||||||
|
# Restart service. All required services are included with netbox.service.
|
||||||
|
systemctl restart netbox
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
|
@ -9,54 +9,194 @@ cdist-type__netbox - Install and configure NetBox
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
This (singleton) type installs and configures a NetBox instance, a web
|
This (singleton) type installs and configures a NetBox instance, a web
|
||||||
application to help manage and document computer networks
|
application to help manage and document computer networks.
|
||||||
|
|
||||||
|
It installs it with the user ``netbox`` at ``/opt/netbox`` with `python-venv`.
|
||||||
|
It setup systemd unit files for the services `netbox` and `netbox-rq`. The
|
||||||
|
`netbox` service only wrap all netbox related services, e.g. restarting and
|
||||||
|
so one will be delegated to all related services.
|
||||||
|
|
||||||
|
The application is still not accessable because a WSGI server is required. To
|
||||||
|
access the application through WSGI, uWSGI or Gunicorn can be used. The setup
|
||||||
|
can be done via there own types `__netbox_gunicorn` and `__netbox_uwsgi`.
|
||||||
|
|
||||||
|
The Gunicorn setup is recommended from the NetBox documentation. Consult each
|
||||||
|
manual page to decide. The types must be called after the `__netbox` type.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
version
|
version
|
||||||
NetBox version to be installed.
|
NetBox version to be installed. You can find the correct and newest version
|
||||||
|
on GitHub at the NetBox project page under
|
||||||
|
"`Releases <https://github.com/netbox-community/netbox/releases>`_".
|
||||||
|
|
||||||
database
|
database
|
||||||
PostgreSQL database name.
|
PostgreSQL database name.
|
||||||
|
|
||||||
|
database-user
|
||||||
|
PostgreSQL database user.
|
||||||
|
|
||||||
database-password
|
database-password
|
||||||
PostgreSQL database password.
|
PostgreSQL database password.
|
||||||
|
|
||||||
secret-key
|
|
||||||
Random secret key of at least 50 alphanumeric characters. This key must be
|
|
||||||
unique to this installation and must not be shared outside the local
|
|
||||||
system.
|
|
||||||
|
|
||||||
host
|
host
|
||||||
Hostname (domain or IP address) on which the application is served.
|
Hostname (domain or IP address) on which the application is served.
|
||||||
|
Multiple hostnames are possible; given as multiple arguments.
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
secret-key
|
||||||
|
Random secret key of at least 50 alphanumeric characters and symbols. This
|
||||||
|
key must be unique to this installation and must not be shared outside the
|
||||||
|
local system. If no secret key is given, the type generates an own 50 chars
|
||||||
|
long key and saves it on the remote host to remember it for the next run.
|
||||||
|
|
||||||
|
The secret, random string is used to assist in the creation new
|
||||||
|
cryptographic hashes for passwords and HTTP cookies. It is not directly
|
||||||
|
used for hasing user passwords or for encrpted storage. It can be changed
|
||||||
|
at any time, but will invalidate all existing sessions.
|
||||||
|
|
||||||
|
database-host
|
||||||
|
PostgreSQL database hostname. Defaults to ``localhost``.
|
||||||
|
|
||||||
|
database-port
|
||||||
|
PostgreSQL database port. Defaults to empty (uses the default port).
|
||||||
|
|
||||||
ldap-server
|
ldap-server
|
||||||
LDAP server URI. Enables LDAP-backed authentication if specified.
|
LDAP server URI. Enables LDAP-backed authentication if specified.
|
||||||
|
|
||||||
ldap-bind-dn
|
ldap-bind-dn
|
||||||
DN for the NetBox service account. Required for LDAP authentication.
|
DN for the NetBox service account. Required for LDAP authentication.
|
||||||
|
|
||||||
ldap-bind-password
|
ldap-bind-password
|
||||||
Password for the NetBox service account. Required for LDAP authentication.
|
Password for the NetBox service account. Required for LDAP authentication.
|
||||||
|
|
||||||
ldap-user-base
|
ldap-user-base
|
||||||
Base used for searching user entries. Required for LDAP authentication.
|
Base used for searching user entries. Required for LDAP authentication.
|
||||||
|
|
||||||
ldap-group-base
|
ldap-group-base
|
||||||
Base used for searching group entries.
|
Base used for searching group entries.
|
||||||
|
|
||||||
ldap-require-group
|
ldap-require-group
|
||||||
Group required to login.
|
Group required to login.
|
||||||
|
|
||||||
|
ldap-staff-group
|
||||||
|
Make members of this group to "staff". This gives the users "Admin Access",
|
||||||
|
which means access to the "NetBox Administration" site.
|
||||||
|
|
||||||
ldap-superuser-group
|
ldap-superuser-group
|
||||||
Make members of this groups superusers.
|
Make members of this groups superusers.
|
||||||
|
|
||||||
|
redis-host
|
||||||
|
Redis database hostname. Defaults to ``localhost``.
|
||||||
|
|
||||||
|
redis-port
|
||||||
|
Redis database port. Defaults to ``6379``.
|
||||||
|
|
||||||
|
redis-password
|
||||||
|
Redis password. Defaults to empty password.
|
||||||
|
|
||||||
|
redis-dbid-offset
|
||||||
|
Offset to set the redis database id's. The `tasks` database id is
|
||||||
|
`offset + 0` and `caching` is `offset + 1`. The offset defaults to ``0``.
|
||||||
|
|
||||||
|
smtp-host
|
||||||
|
Host of the SMTP email server. Defaults to ``localhost``.
|
||||||
|
|
||||||
|
smtp-port
|
||||||
|
Port of the SMTP email server. Defaults to ``25``.
|
||||||
|
|
||||||
|
smtp-user
|
||||||
|
Username to access the SMTP email server. Defaults to empty.
|
||||||
|
|
||||||
|
smtp-password
|
||||||
|
Password to access the SMTP email server. Defaults to empty.
|
||||||
|
|
||||||
|
smtp-from-email
|
||||||
|
Email from which NetBox will be sent of. Defaults to empty.
|
||||||
|
|
||||||
|
basepath
|
||||||
|
Base URL path if accessing netbox within a directory instead of directly the
|
||||||
|
webroot ``/``. For example, if installed at https://example.com/netbox/, set
|
||||||
|
the value ``netbox/``.
|
||||||
|
|
||||||
|
http-proxy
|
||||||
|
https-proxy
|
||||||
|
Proxy which will be used with any HTTP request like webhooks.
|
||||||
|
|
||||||
|
data-root
|
||||||
|
This parameter set's the media, reports and scripts root to subdirectories
|
||||||
|
of the given directory. Values can be overwritten by special parameters like
|
||||||
|
`--media-root` for example. Use this option if you want to store persistant
|
||||||
|
data of netbox on an other partition. A trailing slash is not needed.
|
||||||
|
|
||||||
|
The data directories have following predefined sub-directory names:
|
||||||
|
|
||||||
|
media root:
|
||||||
|
``$data_root/media``
|
||||||
|
reports root:
|
||||||
|
``$data_root/reports``
|
||||||
|
scripts root:
|
||||||
|
``$data_root/scripts``
|
||||||
|
|
||||||
|
To preserve all data from installation upgrades - which just replace the
|
||||||
|
installation directory - the data will be kept in the netbox home directory
|
||||||
|
rather than the installation directory by default (``/opt/netbox/data/``).
|
||||||
|
This way, no data will be deleted after the installation directory
|
||||||
|
replacement because it remains outside of the installation directory.
|
||||||
|
|
||||||
|
media-root
|
||||||
|
The file path to where media files (like image attachments) are stored.
|
||||||
|
Change this path if you require to store data on an other partiotion.
|
||||||
|
A trailing slash is not needed. Defaults to ``$data_root/media``.
|
||||||
|
|
||||||
|
reports-root
|
||||||
|
The file path of where custom reports are kept. Change this path if you
|
||||||
|
require to store data on an other partition. A trailing slash is not
|
||||||
|
needed. Defaults to ``$data_root/reports``.
|
||||||
|
|
||||||
|
scripts-root
|
||||||
|
The file path of where custom scripts are kept. Change this path if you
|
||||||
|
require to store data on an other partition. A trailing slash is not
|
||||||
|
needed. Defaults to ``$data_root/scripts``.
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
None.
|
redis-ssl
|
||||||
|
Enables a secure TLS/SSL connection to the redis database. By default, ssl
|
||||||
|
is disabled.
|
||||||
|
|
||||||
|
smtp-use-tls
|
||||||
|
Uses TLS to connect to the SMTP email server. `See documentation
|
||||||
|
<https://docs.djangoproject.com/en/3.1/ref/settings/#email-use-tls>`_
|
||||||
|
for more information.
|
||||||
|
|
||||||
|
smtp-use-ssl
|
||||||
|
Uses implicit TLS with the SMTP email server. `See documentation
|
||||||
|
<https://docs.djangoproject.com/en/3.1/ref/settings/#email-use-ssl>`_
|
||||||
|
for more information.
|
||||||
|
|
||||||
|
login-required
|
||||||
|
Sets if a login is required to access all sites. By default, anonymous
|
||||||
|
users can see most data (excluding secrets) but not make any changes.
|
||||||
|
|
||||||
|
update-notify
|
||||||
|
Enables the NetBox version check for new upstream updates. It checks every
|
||||||
|
24 hours for new releases and notify the admin users in the gui if any.
|
||||||
|
|
||||||
|
|
||||||
|
MESSAGES
|
||||||
|
--------
|
||||||
|
installed $VERSION
|
||||||
|
Netbox was fresh installed or updated. The new version number is appended.
|
||||||
|
|
||||||
|
configured
|
||||||
|
Some configuration files got updated and therefore the service was
|
||||||
|
restarted. This message will not be echoed if configuration got updated due
|
||||||
|
a standard installation.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
|
@ -65,30 +205,71 @@ EXAMPLES
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
__netbox --version 2.8.7 --database netbox \
|
__netbox --version 2.8.7 --database netbox \
|
||||||
--database-password "secretsecretsecret" \
|
--database-password "secretsecretsecret" \
|
||||||
--secret-key "secretsecretsecret" \
|
--secret-key "secretsecretsecret" \
|
||||||
--host "${__target_host:?}" \
|
--host "${__target_host:?}" \
|
||||||
--ldap-server "ldaps://ldap.domain.tld" \
|
--host "cool-netbox.xyz" \
|
||||||
--ldap-bind-dn "uid=netbox,ou=services,dc=domain,dc=tld" \
|
--ldap-server "ldaps://ldap.domain.tld" \
|
||||||
--ldap-bind-password "secretsecretsecret" \
|
--ldap-bind-dn "uid=netbox,ou=services,dc=domain,dc=tld" \
|
||||||
--ldap-user-base "ou=users,dc=domain,dc=tld" \
|
--ldap-bind-password "secretsecretsecret" \
|
||||||
--ldap-group-base "ou=groups,dc=domain,dc=tld" \
|
--ldap-user-base "ou=users,dc=domain,dc=tld" \
|
||||||
--ldap-require-group "cn=netbox-login,ou=groups,dc=domain,dc=tld" \
|
--ldap-group-base "ou=groups,dc=domain,dc=tld" \
|
||||||
--ldap-superuser-group "cn=netbox-admin,ou=groups,dc=domain,dc=tld"
|
--ldap-require-group "cn=netbox-login,ou=groups,dc=domain,dc=tld" \
|
||||||
|
--ldap-superuser-group "cn=netbox-admin,ou=groups,dc=domain,dc=tld"
|
||||||
|
# using recommended gunicorn setup
|
||||||
|
require="__netbox" __netbox_gunicorn
|
||||||
|
|
||||||
|
|
||||||
|
NOTES
|
||||||
|
-----
|
||||||
|
The configuration of NetBox contains more optional settings than that what can
|
||||||
|
be set with this type. If you think an important setting is missing or there
|
||||||
|
is a more good way to inject python code for dynamic configuration variables,
|
||||||
|
you are welcome to contribute!
|
||||||
|
|
||||||
|
- `Possible optional settings
|
||||||
|
<https://netbox.readthedocs.io/en/stable/configuration/optional-settings/>`_
|
||||||
|
|
||||||
|
If you not setup ldap authentification, you may be interested into how to
|
||||||
|
`setting up a super user
|
||||||
|
<https://netbox.readthedocs.io/en/stable/installation/3-netbox/#create-a-super-user>`_
|
||||||
|
directly on the machine to be able to access and use NetBox.
|
||||||
|
|
||||||
|
You may also be interested of writing a own type which handles the creation of
|
||||||
|
the super user. To do this non-interactivly, see the ansible role as `reference
|
||||||
|
<https://github.com/lae/ansible-role-netbox/blob/18f46a3345f100936c5116abe716c480e1886676/vars/main.yml#L15>`_.
|
||||||
|
|
||||||
|
If you change the secret key while the netbox instance is running, there is a
|
||||||
|
time frame where the access to the application corrupts the whole database.
|
||||||
|
Then, you need to restore a backup or wipe the database.
|
||||||
|
|
||||||
|
Currently, the cause is not clear, but it should work if you do not touch
|
||||||
|
netbox while the configuration is done (do not shut it down, too). It only
|
||||||
|
applies for changes of the secret key, which not happen normally.
|
||||||
|
|
||||||
|
Maybe the `--restart` flag for the `__systemd_unit` types is not the best idea,
|
||||||
|
but avoids that the changes will not be applied. It could be solved if the type
|
||||||
|
would send messages from his actions.
|
||||||
|
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
- `NetBox documentation <https://netbox.readthedocs.io/en/stable/>`_
|
`NetBox documentation <https://netbox.readthedocs.io/en/stable/>`_
|
||||||
|
|
||||||
|
:strong:`cdist-type__netbox_gunicorn`\ (7)
|
||||||
|
:strong:`cdist-type__netbox_uwsgi`\ (7)
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Timothée Floure <t.floure@e-durable.ch>
|
Timothée Floure <t.floure@e-durable.ch>
|
||||||
|
Matthias Stecher <matthiasstecher@gmx.de>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2020 Timothée Floure. You can redistribute it
|
Copyright \(C) 2020 Timothée Floure.
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
Copyright \(C) 2020 Matthias Stecher.
|
||||||
published by the Free Software Foundation, either version 3 of the
|
You can redistribute it and/or modify it under the terms of the GNU
|
||||||
License, or (at your option) any later version.
|
General Public License as published by the Free Software Foundation,
|
||||||
|
either version 3 of the License, or (at your option) any later version.
|
||||||
|
|
241
type/__netbox/manifest
Normal file → Executable file
241
type/__netbox/manifest
Normal file → Executable file
|
@ -1,99 +1,226 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
|
|
||||||
os=$(cat "$__global/explorer/os")
|
os=$(cat "$__global/explorer/os")
|
||||||
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
debian|ubuntu)
|
debian|ubuntu)
|
||||||
# Install netbox dependencies.
|
# Install netbox dependencies.
|
||||||
for pkg in python3-pip python3-venv python3-dev build-essential libxml2-dev \
|
for pkg in python3-pip python3-venv python3-dev build-essential libxml2-dev \
|
||||||
libxslt1-dev libffi-dev libpq-dev libssl-dev zlib1g-dev curl virtualenv; do
|
libxslt1-dev libffi-dev libpq-dev libssl-dev zlib1g-dev curl sudo; do
|
||||||
__package $pkg
|
__package $pkg
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-server" ]; then
|
if [ -f "$__object/parameter/ldap-server" ]; then
|
||||||
for pkg in libldap2-dev libsasl2-dev libssl-dev; do
|
for pkg in libldap2-dev libsasl2-dev libssl-dev; do
|
||||||
__package $pkg
|
__package $pkg
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
|
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
|
||||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
DATABASE_NAME=$(cat "$__object/parameter/database")
|
DATABASE_NAME=$(cat "$__object/parameter/database")
|
||||||
export DATABASE_NAME
|
export DATABASE_NAME
|
||||||
|
DATABASE_USER="$(cat "$__object/parameter/database-user")"
|
||||||
|
export DATABASE_USER
|
||||||
DATABASE_PASSWORD=$(cat "$__object/parameter/database-password")
|
DATABASE_PASSWORD=$(cat "$__object/parameter/database-password")
|
||||||
export DATABASE_PASSWORD
|
export DATABASE_PASSWORD
|
||||||
ALLOWED_HOST=$(cat "$__object/parameter/host")
|
DATABASE_HOST="$(cat "$__object/parameter/database-host")"
|
||||||
export ALLOWED_HOST
|
export DATABASE_HOST
|
||||||
SECRET_KEY=$(cat "$__object/parameter/secret-key")
|
DATABASE_PORT="$(cat "$__object/parameter/database-port")"
|
||||||
|
export DATABASE_PORT
|
||||||
|
|
||||||
|
# list of hosts
|
||||||
|
ALLOWED_HOSTS=""
|
||||||
|
while read -r hostname; do
|
||||||
|
# shellcheck disable=SC2089
|
||||||
|
ALLOWED_HOSTS="$ALLOWED_HOSTS '$hostname',"
|
||||||
|
done < "$__object/parameter/host"
|
||||||
|
# shellcheck disable=SC2090
|
||||||
|
export ALLOWED_HOSTS
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/secret-key" ]; then
|
||||||
|
SECRET_KEY=$(cat "$__object/parameter/secret-key")
|
||||||
|
elif [ -s "$__object/explorer/secretkey" ]; then
|
||||||
|
# take the key that is already used
|
||||||
|
SECRET_KEY="$(cat "$__object/explorer/secretkey")"
|
||||||
|
else
|
||||||
|
# Can be done over netbox/generate_secret_key.py too, but it can't be
|
||||||
|
# generated right now where it's required (only if it's preloaded for
|
||||||
|
# this type to execute it now).
|
||||||
|
# Generates a 50-character long key with the same character set like
|
||||||
|
# the helper script. Must escape the '-' to be no character range.
|
||||||
|
SECRET_KEY="$(tr -cd '!@#$%^&*(\-_=+)[:alnum:]' < /dev/urandom | head -c50)"
|
||||||
|
fi
|
||||||
export SECRET_KEY
|
export SECRET_KEY
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-server" ]; then
|
if [ -f "$__object/parameter/ldap-server" ]; then
|
||||||
LDAP_SERVER=$(cat "$__object/parameter/ldap-server")
|
LDAP_SERVER=$(cat "$__object/parameter/ldap-server")
|
||||||
export LDAP_SERVER
|
USE_LDAP=yes
|
||||||
|
export LDAP_SERVER
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-bind-dn" ]; then
|
if [ -f "$__object/parameter/ldap-bind-dn" ]; then
|
||||||
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
|
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
|
||||||
export LDAP_BIND_DN
|
USE_LDAP=yes
|
||||||
|
export LDAP_BIND_DN
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-bind-password" ]; then
|
if [ -f "$__object/parameter/ldap-bind-password" ]; then
|
||||||
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
||||||
export LDAP_BIND_PASSWORD
|
USE_LDAP=yes
|
||||||
|
export LDAP_BIND_PASSWORD
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-user-base" ]; then
|
if [ -f "$__object/parameter/ldap-user-base" ]; then
|
||||||
LDAP_USER_BASE=$(cat "$__object/parameter/ldap-user-base")
|
LDAP_USER_BASE=$(cat "$__object/parameter/ldap-user-base")
|
||||||
export LDAP_USER_BASE
|
USE_LDAP=yes
|
||||||
|
export LDAP_USER_BASE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-group-base" ]; then
|
if [ -f "$__object/parameter/ldap-group-base" ]; then
|
||||||
LDAP_GROUP_BASE=$(cat "$__object/parameter/ldap-group-base")
|
LDAP_GROUP_BASE=$(cat "$__object/parameter/ldap-group-base")
|
||||||
export LDAP_GROUP_BASE
|
export LDAP_GROUP_BASE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-require-group" ]; then
|
if [ -f "$__object/parameter/ldap-require-group" ]; then
|
||||||
LDAP_REQUIRE_GROUP=$(cat "$__object/parameter/ldap-require-group")
|
LDAP_REQUIRE_GROUP=$(cat "$__object/parameter/ldap-require-group")
|
||||||
export LDAP_REQUIRE_GROUP
|
export LDAP_REQUIRE_GROUP
|
||||||
|
fi
|
||||||
|
if [ -f "$__object/parameter/ldap-superuser-group" ]; then
|
||||||
|
LDAP_SUPERUSER_GROUP=$(cat "$__object/parameter/ldap-superuser-group")
|
||||||
|
export LDAP_SUPERUSER_GROUP
|
||||||
|
fi
|
||||||
|
if [ -f "$__object/parameter/ldap-staff-group" ]; then
|
||||||
|
LDAP_STAFF_GROUP="$(cat "$__object/parameter/ldap-staff-group")"
|
||||||
|
export LDAP_STAFF_GROUP
|
||||||
|
fi
|
||||||
|
# export if base ldap parameters are used
|
||||||
|
export USE_LDAP
|
||||||
|
|
||||||
|
# have default values
|
||||||
|
REDIS_HOST="$(cat "$__object/parameter/redis-host")"
|
||||||
|
export REDIS_HOST
|
||||||
|
REDIS_PORT="$(cat "$__object/parameter/redis-port")"
|
||||||
|
export REDIS_PORT
|
||||||
|
REDIS_PASSWORD="$(cat "$__object/parameter/redis-password")"
|
||||||
|
export REDIS_PASSWORD
|
||||||
|
REDIS_DBID_OFFSET="$(cat "$__object/parameter/redis-dbid-offset")"
|
||||||
|
export REDIS_DBID_OFFSET
|
||||||
|
if [ -f "$__object/parameter/redis-ssl" ]; then
|
||||||
|
REDIS_SSL="True"
|
||||||
|
else
|
||||||
|
REDIS_SSL="False"
|
||||||
|
fi
|
||||||
|
export REDIS_SSL
|
||||||
|
|
||||||
|
SMTP_HOST="$(cat "$__object/parameter/smtp-host")"
|
||||||
|
export SMTP_HOST
|
||||||
|
SMTP_PORT="$(cat "$__object/parameter/smtp-port")"
|
||||||
|
export SMTP_PORT
|
||||||
|
SMTP_USER="$(cat "$__object/parameter/smtp-user")"
|
||||||
|
export SMTP_USER
|
||||||
|
SMTP_PASSWORD="$(cat "$__object/parameter/smtp-password")"
|
||||||
|
export SMTP_PASSWORD
|
||||||
|
SMTP_FROM_EMAIL="$(cat "$__object/parameter/smtp-from-email")"
|
||||||
|
export SMTP_FROM_EMAIL
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/smtp-use-ssl" ]; then
|
||||||
|
SMTP_USE_SSL="True"
|
||||||
|
else
|
||||||
|
SMTP_USE_SSL="False"
|
||||||
|
fi
|
||||||
|
export SMTP_USE_SSL
|
||||||
|
if [ -f "$__object/parameter/smtp-use-tls" ]; then
|
||||||
|
if [ "$SMTP_USE_SSL" = "True" ]; then
|
||||||
|
echo "options --smtp-use-ssl and --smtp-use-tls are not compatible" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
SMTP_USE_TLS="True"
|
||||||
|
else
|
||||||
|
SMTP_USE_TLS="False"
|
||||||
|
fi
|
||||||
|
export SMTP_USE_TLS
|
||||||
|
|
||||||
|
BASEPATH="$(cat "$__object/parameter/basepath")"
|
||||||
|
export BASEPATH
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/http-proxy" ]; then
|
||||||
|
HTTP_PROXY=$(cat "$__object/parameter/http-proxy")
|
||||||
|
export HTTP_PROXY
|
||||||
|
fi
|
||||||
|
if [ -f "$__object/parameter/https-proxy" ]; then
|
||||||
|
HTTPS_PROXY=$(cat "$__object/parameter/https-proxy")
|
||||||
|
export HTTPS_PROXY
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-superuser-group" ]; then
|
if [ -f "$__object/parameter/login-required" ]; then
|
||||||
LDAP_SUPERUSER_GROUP=$(cat "$__object/parameter/ldap-superuser-group")
|
LOGIN_REQUIRED="True"
|
||||||
export LDAP_SUPERUSER_GROUP
|
else
|
||||||
|
LOGIN_REQUIRED="False"
|
||||||
fi
|
fi
|
||||||
|
export LOGIN_REQUIRED
|
||||||
|
|
||||||
|
data_root="$(cat "$__object/parameter/data-root")"
|
||||||
|
MEDIA_ROOT="$data_root/media"
|
||||||
|
REPORTS_ROOT="$data_root/reports"
|
||||||
|
SCRIPTS_ROOT="$data_root/scripts"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/media-root" ]; then
|
||||||
|
MEDIA_ROOT="$(cat "$__object/parameter/media-root")"
|
||||||
|
fi
|
||||||
|
export MEDIA_ROOT
|
||||||
|
if [ -f "$__object/parameter/reports-root" ]; then
|
||||||
|
REPORTS_ROOT="$(cat "$__object/parameter/reports-root")"
|
||||||
|
fi
|
||||||
|
export REPORTS_ROOT
|
||||||
|
if [ -f "$__object/parameter/scripts-root" ]; then
|
||||||
|
SCRIPTS_ROOT="$(cat "$__object/parameter/scripts-root")"
|
||||||
|
fi
|
||||||
|
export SCRIPTS_ROOT
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/update-notify" ]; then
|
||||||
|
UPDATE_CHECK="yes"
|
||||||
|
export UPDATE_CHECK
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Create system user used to run netbox.
|
# Create system user used to run netbox.
|
||||||
__user netbox --system --home /opt/netbox --create-home
|
__user netbox --system --home /opt/netbox --create-home
|
||||||
|
# Generate python environment (user will be set by gencode-remote)
|
||||||
|
require="__user/netbox" __pyvenv /opt/netbox/venv/
|
||||||
|
|
||||||
# Generate and upload netbox configuration.
|
# Generate and upload netbox configuration.
|
||||||
mkdir -p "$__object/files"
|
mkdir -p "$__object/files"
|
||||||
"$__type/files/configuration.py.sh" > "$__object/files/configuration.py"
|
"$__type/files/configuration.py.sh" > "$__object/files/configuration.py"
|
||||||
"$__type/files/ldap_config.py.sh" > "$__object/files/ldap_config.py"
|
"$__type/files/ldap_config.py.sh" > "$__object/files/ldap_config.py"
|
||||||
|
|
||||||
require="__user/netbox" __directory /opt/netbox/netbox/cdist --parents
|
require="__user/netbox" __directory /opt/netbox/cdist
|
||||||
require="__directory/opt/netbox/netbox/cdist " __file \
|
require="__directory/opt/netbox/cdist" __file \
|
||||||
/opt/netbox/netbox/cdist/configuration.py --mode 640 --owner netbox \
|
/opt/netbox/cdist/configuration.py --mode 640 --owner netbox \
|
||||||
--source "$__object/files/configuration.py"
|
--source "$__object/files/configuration.py"
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-server" ]; then
|
if [ -f "$__object/parameter/ldap-server" ]; then
|
||||||
require="__directory/opt/netbox/netbox/cdist " __file \
|
require="__directory/opt/netbox/cdist" __file \
|
||||||
/opt/netbox/netbox/cdist/ldap_config.py --mode 640 --owner netbox \
|
/opt/netbox/cdist/ldap_config.py --mode 640 --owner netbox \
|
||||||
--source "$__object/files/ldap_config.py"
|
--source "$__object/files/ldap_config.py"
|
||||||
|
else
|
||||||
|
require="__directory/opt/netbox/cdist" __file \
|
||||||
|
/opt/netbox/cdist/ldap_config.py --state absent
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# save secret
|
||||||
|
require="__directory/opt/netbox/cdist" __file /opt/netbox/cdist/secretkey \
|
||||||
|
--mode 400 --owner netbox --source - << SECRET
|
||||||
|
$SECRET_KEY
|
||||||
|
SECRET
|
||||||
|
|
||||||
# Upload systemd units and gunicorn configuration.
|
|
||||||
for unit in netbox netbox-rq; do
|
|
||||||
__systemd_unit $unit.service \
|
|
||||||
--source "$__type/files/$unit.service" \
|
|
||||||
--enablement-state enabled
|
|
||||||
done
|
|
||||||
|
|
||||||
# Python worker configuration.
|
# Upload systemd unit for worker and wsgi service
|
||||||
require="__user/netbox" __file /opt/netbox/gunicorn.py \
|
# does not restart netbox on change cause it only restart all other services
|
||||||
--mode 644 --source "$__type/files/gunicorn.py"
|
__systemd_unit netbox.service \
|
||||||
|
--source "$__type/files/netbox.service" \
|
||||||
|
--enablement-state enabled
|
||||||
|
__systemd_unit netbox-rq.service \
|
||||||
|
--source "$__type/files/netbox-rq.service" \
|
||||||
|
--enablement-state enabled --restart
|
||||||
|
|
5
type/__netbox/parameter/boolean
Normal file
5
type/__netbox/parameter/boolean
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
redis-ssl
|
||||||
|
smtp-use-ssl
|
||||||
|
smtp-use-tls
|
||||||
|
login-required
|
||||||
|
update-notify
|
1
type/__netbox/parameter/default/basepath
Normal file
1
type/__netbox/parameter/default/basepath
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
1
type/__netbox/parameter/default/data-root
Normal file
1
type/__netbox/parameter/default/data-root
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/opt/netbox/data
|
1
type/__netbox/parameter/default/database-host
Normal file
1
type/__netbox/parameter/default/database-host
Normal file
|
@ -0,0 +1 @@
|
||||||
|
localhost
|
1
type/__netbox/parameter/default/database-port
Normal file
1
type/__netbox/parameter/default/database-port
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
1
type/__netbox/parameter/default/redis-dbid-offset
Normal file
1
type/__netbox/parameter/default/redis-dbid-offset
Normal file
|
@ -0,0 +1 @@
|
||||||
|
0
|
1
type/__netbox/parameter/default/redis-host
Normal file
1
type/__netbox/parameter/default/redis-host
Normal file
|
@ -0,0 +1 @@
|
||||||
|
localhost
|
1
type/__netbox/parameter/default/redis-password
Normal file
1
type/__netbox/parameter/default/redis-password
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
1
type/__netbox/parameter/default/redis-port
Normal file
1
type/__netbox/parameter/default/redis-port
Normal file
|
@ -0,0 +1 @@
|
||||||
|
6379
|
1
type/__netbox/parameter/default/smtp-from-email
Normal file
1
type/__netbox/parameter/default/smtp-from-email
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
1
type/__netbox/parameter/default/smtp-host
Normal file
1
type/__netbox/parameter/default/smtp-host
Normal file
|
@ -0,0 +1 @@
|
||||||
|
localhost
|
1
type/__netbox/parameter/default/smtp-password
Normal file
1
type/__netbox/parameter/default/smtp-password
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
1
type/__netbox/parameter/default/smtp-port
Normal file
1
type/__netbox/parameter/default/smtp-port
Normal file
|
@ -0,0 +1 @@
|
||||||
|
25
|
1
type/__netbox/parameter/default/smtp-user
Normal file
1
type/__netbox/parameter/default/smtp-user
Normal file
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -1,7 +1,27 @@
|
||||||
|
secret-key
|
||||||
|
database-host
|
||||||
|
database-port
|
||||||
ldap-server
|
ldap-server
|
||||||
ldap-bind-dn
|
ldap-bind-dn
|
||||||
ldap-bind-password
|
ldap-bind-password
|
||||||
ldap-user-base
|
ldap-user-base
|
||||||
ldap-group-base
|
ldap-group-base
|
||||||
ldap-require-group
|
ldap-require-group
|
||||||
|
ldap-staff-group
|
||||||
ldap-superuser-group
|
ldap-superuser-group
|
||||||
|
redis-host
|
||||||
|
redis-port
|
||||||
|
redis-password
|
||||||
|
redis-dbid-offset
|
||||||
|
smtp-host
|
||||||
|
smtp-port
|
||||||
|
smtp-user
|
||||||
|
smtp-password
|
||||||
|
smtp-from-email
|
||||||
|
basepath
|
||||||
|
http-proxy
|
||||||
|
https-proxy
|
||||||
|
data-root
|
||||||
|
media-root
|
||||||
|
reports-root
|
||||||
|
scripts-root
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
version
|
version
|
||||||
database
|
database
|
||||||
|
database-user
|
||||||
database-password
|
database-password
|
||||||
secret-key
|
|
||||||
host
|
|
||||||
|
|
1
type/__netbox/parameter/required_multiple
Normal file
1
type/__netbox/parameter/required_multiple
Normal file
|
@ -0,0 +1 @@
|
||||||
|
host
|
4
type/__netbox_gunicorn/explorer/installed
Executable file
4
type/__netbox_gunicorn/explorer/installed
Executable file
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# print version if available
|
||||||
|
/opt/netbox/venv/bin/pip3 show gunicorn | awk '/Version:/{print $2}'
|
3
type/__netbox_gunicorn/explorer/should_installed
Executable file
3
type/__netbox_gunicorn/explorer/should_installed
Executable file
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
awk -v FS="==" '$1 ~ /gunicorn/{print $2}' /opt/netbox/requirements.txt
|
19
type/__netbox/files/gunicorn.py → type/__netbox_gunicorn/files/gunicorn.py.sh
Normal file → Executable file
19
type/__netbox/files/gunicorn.py → type/__netbox_gunicorn/files/gunicorn.py.sh
Normal file → Executable file
|
@ -1,9 +1,23 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Generates gunicorn config
|
||||||
|
# see https://docs.gunicorn.org/en/stable/settings.html
|
||||||
|
|
||||||
|
# fix missing $__explorer
|
||||||
|
# see https://code.ungleich.ch/ungleich-public/cdist/-/issues/834
|
||||||
|
__explorer="$__global/explorer"
|
||||||
|
|
||||||
|
# size workes by cpu
|
||||||
|
cores="$(cat "$__explorer/cpu_cores")"
|
||||||
|
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
|
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
|
||||||
bind = '127.0.0.1:8001'
|
#bind = done via systemd socket 'gunicorn-netbox.socket'
|
||||||
|
|
||||||
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
|
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
|
||||||
# n is the number of CPU cores present.
|
# n is the number of CPU cores present.
|
||||||
workers = 3
|
workers = $(( 2*cores + 1 ))
|
||||||
|
|
||||||
# Number of threads per worker process
|
# Number of threads per worker process
|
||||||
threads = 3
|
threads = 3
|
||||||
|
@ -14,3 +28,4 @@ timeout = 120
|
||||||
# The maximum number of requests a worker can handle before being respawned
|
# The maximum number of requests a worker can handle before being respawned
|
||||||
max_requests = 5000
|
max_requests = 5000
|
||||||
max_requests_jitter = 500
|
max_requests_jitter = 500
|
||||||
|
EOF
|
29
type/__netbox_gunicorn/files/netbox.service
Normal file
29
type/__netbox_gunicorn/files/netbox.service
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
[Unit]
|
||||||
|
Description=NetBox Gunicorn WSGI Service
|
||||||
|
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||||
|
PartOf=netbox.service
|
||||||
|
Requires=netbox-rq.service
|
||||||
|
Requires=gunicorn-netbox.socket
|
||||||
|
Wants=network.target
|
||||||
|
After=netbox.service
|
||||||
|
After=network.target
|
||||||
|
After=redis-server.service postgresql.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=notify
|
||||||
|
|
||||||
|
User=netbox
|
||||||
|
Group=netbox
|
||||||
|
WorkingDirectory=/opt/netbox
|
||||||
|
|
||||||
|
ExecStart=/opt/netbox/venv/bin/gunicorn --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi
|
||||||
|
# signals: https://docs.gunicorn.org/en/stable/signals.html
|
||||||
|
ExecReload=kill -HUP $MAINPID
|
||||||
|
ExecStop=kill -TERM $MAINPID
|
||||||
|
KillSignal=SIGQUIT
|
||||||
|
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=30
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=netbox.service
|
1
type/__netbox_gunicorn/files/netbox.socket.sh
Symbolic link
1
type/__netbox_gunicorn/files/netbox.socket.sh
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../../__netbox/files/netbox.socket.sh
|
50
type/__netbox_gunicorn/gencode-remote
Executable file
50
type/__netbox_gunicorn/gencode-remote
Executable file
|
@ -0,0 +1,50 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# control state
|
||||||
|
state="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
|
case "$state" in
|
||||||
|
# install gunicorn
|
||||||
|
enabled|disabled)
|
||||||
|
curr_installed="$(cat "$__object/explorer/installed")"
|
||||||
|
should_installed="$(cat "$__object/explorer/should_installed")"
|
||||||
|
|
||||||
|
# gunicorn version change
|
||||||
|
if [ "$curr_installed" != "$should_installed" ]; then
|
||||||
|
# (re)installing gunicorn
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 install 'gunicorn==$should_installed'"
|
||||||
|
|
||||||
|
if [ "$curr_installed" != "" ]; then
|
||||||
|
printf "updated %s to %s\n" "$curr_installed" "$should_installed" \
|
||||||
|
>> "$__messages_out"
|
||||||
|
else
|
||||||
|
printf "installed\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
do_restart=yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
# configuration changes
|
||||||
|
if grep -q "^__file/opt/netbox/gunicorn.py:" "$__messages_in"; then
|
||||||
|
do_restart=yes
|
||||||
|
printf "configured\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# restart gunicorn
|
||||||
|
if [ "$do_restart" ] && [ "$state" != "disabled" ]; then
|
||||||
|
cat << EOF
|
||||||
|
# Restart service
|
||||||
|
systemctl restart gunicorn-netbox
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
# uninstall
|
||||||
|
absent)
|
||||||
|
# check if installed
|
||||||
|
if [ -s "$__object/explorer/installed" ]; then
|
||||||
|
# service already disabled
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 uninstall -y gunicorn"
|
||||||
|
printf "uninstalled\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
esac
|
117
type/__netbox_gunicorn/man.rst
Normal file
117
type/__netbox_gunicorn/man.rst
Normal file
|
@ -0,0 +1,117 @@
|
||||||
|
cdist-type__netbox_gunicorn(7)
|
||||||
|
==============================
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__netbox_gunicorn - Run NetBox with Gunicorn
|
||||||
|
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
This (singleton) type installs Gunicorn into the NetBox `python-venv` to host
|
||||||
|
the NetBox WSGI application. It provides the application as HTTP over the given
|
||||||
|
sockets. Static content must be served independent of Gunicorn. The Gunicorn
|
||||||
|
daemon is available as the `gunicorn-netbox` systemd service, but also
|
||||||
|
available via the `netbox` wrapper service.
|
||||||
|
|
||||||
|
It will use systemd socket activation to listen to the given sockets. This
|
||||||
|
should allow to bind to privileaged ports (all below 1024) and hot reloads.
|
||||||
|
|
||||||
|
|
||||||
|
REQUIRED PARAMETERS
|
||||||
|
-------------------
|
||||||
|
None.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
state
|
||||||
|
Represents the state of the Gunciron application. Defaults to ``enabled``.
|
||||||
|
|
||||||
|
enabled
|
||||||
|
The Gunicorn service is enabled and running.
|
||||||
|
disabled
|
||||||
|
The Gunicorn service is installed, but disabled.
|
||||||
|
absent
|
||||||
|
The uWSGI service is not installed and all configuration removed.
|
||||||
|
|
||||||
|
This type does not guarantee anything about the running state of the
|
||||||
|
service. To be sure about the service is stopped or not, use the type
|
||||||
|
:strong:`cdist-type__systemd_service`\ (7) after this execution.
|
||||||
|
|
||||||
|
bind-to
|
||||||
|
The hosts the gunicorn socket should be bind to. Formats are `IP`,
|
||||||
|
`IP:PORT`, `PATH` or anything other that systemd socket units will
|
||||||
|
understand as stream. Parameter can be set multiple times. Defaults
|
||||||
|
to ``127.0.0.1:8001``.
|
||||||
|
|
||||||
|
|
||||||
|
BOOLEAN PARAMETERS
|
||||||
|
------------------
|
||||||
|
None.
|
||||||
|
|
||||||
|
|
||||||
|
MESSAGES
|
||||||
|
--------
|
||||||
|
installed
|
||||||
|
The software was installed.
|
||||||
|
|
||||||
|
upgraded $old to $new
|
||||||
|
The version of the gunicorn software was updated from `$old` to `$new`.
|
||||||
|
|
||||||
|
configured
|
||||||
|
Configuration for gunicorn changed.
|
||||||
|
|
||||||
|
uninstalled
|
||||||
|
The Gunicorn application was removed.
|
||||||
|
|
||||||
|
In all cases where the application is still present, it restarts the service to
|
||||||
|
use the up-to-date version.
|
||||||
|
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
.. code-block:: sh
|
||||||
|
|
||||||
|
# simple
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_gunicorn
|
||||||
|
|
||||||
|
# with arguments
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_gunicorn \
|
||||||
|
--bind-to 0.0.0.0:8001 \
|
||||||
|
--bind-to 1.2.3.4:5678
|
||||||
|
|
||||||
|
# replace uwsgi with gunicorn
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi --state absent
|
||||||
|
# it should depend on __netbox_uwsgi if they use the same socket
|
||||||
|
require="__netbox_uwsgi" __netbox_gunicorn --state enabled
|
||||||
|
|
||||||
|
# be sure the service is disabled
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_gunicorn --state disabled
|
||||||
|
require="__netbox_gunicorn" __systemd_service gunicorn-netbox --state stopped
|
||||||
|
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
`Gunicorn Documentation <https://docs.gunicorn.org/en/stable/>`_
|
||||||
|
|
||||||
|
:strong:`cdist-type__netbox`\ (7)
|
||||||
|
:strong:`cdist-type__netbox_uwsgi`\ (7)
|
||||||
|
|
||||||
|
|
||||||
|
AUTHORS
|
||||||
|
-------
|
||||||
|
Matthias Stecher <matthiasstecher@gmx.de>
|
||||||
|
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
|
||||||
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
|
published by the Free Software Foundation, either version 3 of the
|
||||||
|
License, or (at your option) any later version.
|
57
type/__netbox_gunicorn/manifest
Executable file
57
type/__netbox_gunicorn/manifest
Executable file
|
@ -0,0 +1,57 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
# __netbox_gunicorn/manifest
|
||||||
|
|
||||||
|
# Check states
|
||||||
|
state=""
|
||||||
|
unit_state=""
|
||||||
|
param_state="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
|
case "$param_state" in
|
||||||
|
enabled|disabled)
|
||||||
|
state="present"
|
||||||
|
unit_state="$param_state"
|
||||||
|
;;
|
||||||
|
|
||||||
|
absent)
|
||||||
|
state="absent"
|
||||||
|
unit_state="disabled"
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
# does not exist
|
||||||
|
printf "The state '%s' does not exist, can't continue!\n" "$param_state" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
mkdir "$__object/files"
|
||||||
|
|
||||||
|
if [ "$state" = "present" ]; then
|
||||||
|
# process template
|
||||||
|
"$__type/files/gunicorn.py.sh" > "$__object/files/gunicorn.py"
|
||||||
|
|
||||||
|
# gunicorn config file
|
||||||
|
__file /opt/netbox/gunicorn.py \
|
||||||
|
--mode 644 --owner netbox \
|
||||||
|
--source "$__object/files/gunicorn.py"
|
||||||
|
|
||||||
|
else
|
||||||
|
# absent config file
|
||||||
|
__file /opt/netbox/gunicorn.py --state absent
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
TYPE="Gunicorn"
|
||||||
|
export TYPE
|
||||||
|
|
||||||
|
"$__type/files/netbox.socket.sh" "$__object/parameter/bind-to" \
|
||||||
|
> "$__object/files/netbox.socket"
|
||||||
|
|
||||||
|
# install systemd files
|
||||||
|
__systemd_unit gunicorn-netbox.socket \
|
||||||
|
--state "$state" --enablement-state "$unit_state" \
|
||||||
|
--source "$__object/files/netbox.socket" --restart
|
||||||
|
__systemd_unit gunicorn-netbox.service \
|
||||||
|
--state "$state" --enablement-state "$unit_state" \
|
||||||
|
--source "$__type/files/netbox.service" --restart
|
1
type/__netbox_gunicorn/parameter/default/bind-to
Normal file
1
type/__netbox_gunicorn/parameter/default/bind-to
Normal file
|
@ -0,0 +1 @@
|
||||||
|
127.0.0.1:8001
|
1
type/__netbox_gunicorn/parameter/default/state
Normal file
1
type/__netbox_gunicorn/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
||||||
|
enabled
|
1
type/__netbox_gunicorn/parameter/optional
Normal file
1
type/__netbox_gunicorn/parameter/optional
Normal file
|
@ -0,0 +1 @@
|
||||||
|
state
|
1
type/__netbox_gunicorn/parameter/optional_multiple
Normal file
1
type/__netbox_gunicorn/parameter/optional_multiple
Normal file
|
@ -0,0 +1 @@
|
||||||
|
bind-to
|
0
type/__netbox_gunicorn/singleton
Normal file
0
type/__netbox_gunicorn/singleton
Normal file
12
type/__netbox_uwsgi/explorer/bind-capability
Executable file
12
type/__netbox_uwsgi/explorer/bind-capability
Executable file
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
# explorer/bind-capablility
|
||||||
|
|
||||||
|
# Checks if the uWSGI binary have the capability to bind to privileaged ports
|
||||||
|
# as a non-root user. It's required if no systemd sockets are used (cause of
|
||||||
|
# the use of multiple protocols etc.)
|
||||||
|
|
||||||
|
binary="/opt/netbox/venv/bin/uwsgi"
|
||||||
|
# -v verifies if capability is set
|
||||||
|
if setcap -q -v CAP_NET_BIND_SERVICE+ep "$binary"; then
|
||||||
|
echo set
|
||||||
|
fi
|
4
type/__netbox_uwsgi/explorer/installed
Executable file
4
type/__netbox_uwsgi/explorer/installed
Executable file
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# print version if available
|
||||||
|
/opt/netbox/venv/bin/pip3 show uwsgi | awk '/Version:/{print $2}'
|
4
type/__netbox_uwsgi/explorer/upgradeable
Executable file
4
type/__netbox_uwsgi/explorer/upgradeable
Executable file
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# print latest version if availble
|
||||||
|
/opt/netbox/venv/bin/pip3 list --outdated | awk '$1 == "uwsgi" {print $3}'
|
40
type/__netbox_uwsgi/files/netbox.service.sh
Executable file
40
type/__netbox_uwsgi/files/netbox.service.sh
Executable file
|
@ -0,0 +1,40 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
|
[Unit]
|
||||||
|
Description=Netbox uWSGI WSGI Service
|
||||||
|
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||||
|
PartOf=netbox.service
|
||||||
|
Requires=netbox-rq.service
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# Add dependency to own socket
|
||||||
|
if [ "$(cat "$__object/files/systemd_socket")" = "yes" ]; then
|
||||||
|
echo "Requires=uwsgi-netbox.socket"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
|
Wants=network.target
|
||||||
|
After=netbox.service
|
||||||
|
After=network.target
|
||||||
|
After=redis-server.service postgresql.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=notify
|
||||||
|
|
||||||
|
User=netbox
|
||||||
|
Group=netbox
|
||||||
|
WorkingDirectory=/opt/netbox
|
||||||
|
|
||||||
|
ExecStart=/opt/netbox/venv/bin/uwsgi --master --chdir /opt/netbox/netbox --module netbox.wsgi uwsgi.ini
|
||||||
|
# signals: https://uwsgi-docs.readthedocs.io/en/latest/Management.html#signals-for-controlling-uwsgi
|
||||||
|
ExecReload=kill -HUP \$MAINPID
|
||||||
|
ExecStop=kill -INT \$MAINPID
|
||||||
|
KillSignal=SIGQUIT
|
||||||
|
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=30
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=netbox.service
|
||||||
|
EOF
|
1
type/__netbox_uwsgi/files/netbox.socket.sh
Symbolic link
1
type/__netbox_uwsgi/files/netbox.socket.sh
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../../__netbox/files/netbox.socket.sh
|
60
type/__netbox_uwsgi/files/uwsgi.ini.sh
Executable file
60
type/__netbox_uwsgi/files/uwsgi.ini.sh
Executable file
|
@ -0,0 +1,60 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# Generates uwsgi config
|
||||||
|
# see https://uwsgi-docs.readthedocs.io/en/latest/Options.html
|
||||||
|
# or https://uwsgi-docs-additions.readthedocs.io/en/latest/Options.html
|
||||||
|
|
||||||
|
# params:
|
||||||
|
# 1: parameter name
|
||||||
|
# 2: parameter value file
|
||||||
|
#
|
||||||
|
# output: the lines for the configuration option
|
||||||
|
multi_options() {
|
||||||
|
while read -r line; do
|
||||||
|
printf "%s = %s\n" "$1" "$line"
|
||||||
|
done < "$2"
|
||||||
|
}
|
||||||
|
|
||||||
|
# fix missing $__explorer
|
||||||
|
# see https://code.ungleich.ch/ungleich-public/cdist/-/issues/834
|
||||||
|
__explorer="$__global/explorer"
|
||||||
|
|
||||||
|
# size workes by cpu
|
||||||
|
cores="$(cat "$__explorer/cpu_cores")"
|
||||||
|
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
|
[uwsgi]
|
||||||
|
; socket(s) to bind
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$SYSTEMD_SOCKET" != "yes" ]; then
|
||||||
|
# special protocol to bind
|
||||||
|
find "$__object/parameter/" -maxdepth 1 -name "*-bind" -print \
|
||||||
|
| while read -r param; do
|
||||||
|
multi_options "$(basename "$param" | awk -F'-' '{print $1}')-socket" "$param"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
# else, systemd will offer socket
|
||||||
|
echo "; sockets managed via 'uwsgi-netbox.socket'"
|
||||||
|
printf "protocol = %s\n" "$PROTOCOL"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# multi-process settings
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
; processes and threads
|
||||||
|
processes = $(( 2*cores + 1 ))
|
||||||
|
threads = 2
|
||||||
|
EOF
|
||||||
|
|
||||||
|
|
||||||
|
# optional mapping of static content
|
||||||
|
if [ "$STATIC_MAP" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
; map static content
|
||||||
|
static-map = /static=/opt/netbox/netbox/static
|
||||||
|
EOF
|
||||||
|
fi
|
101
type/__netbox_uwsgi/gencode-remote
Executable file
101
type/__netbox_uwsgi/gencode-remote
Executable file
|
@ -0,0 +1,101 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# control state
|
||||||
|
state="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
|
# Set capabilities to aquire privileaged ports as netbox user. Two modes are
|
||||||
|
# available to efficiently set capabilites. Assumes libcap-bin is installed as
|
||||||
|
# default on debian systems.
|
||||||
|
#
|
||||||
|
# Arguments:
|
||||||
|
# 1: mode to detect if capabilites are required to set ('set' or 'correct')
|
||||||
|
set_bind_cap() {
|
||||||
|
cap_mode="" # reset variable from the execution before
|
||||||
|
|
||||||
|
# check if capabilites are required after given mode
|
||||||
|
case "$1" in
|
||||||
|
# assumes capabilites are not set (cause of new binaries)
|
||||||
|
set)
|
||||||
|
if [ "$SYSTEMD_SOCKET" != "yes" ]; then
|
||||||
|
cap_mode="+ep"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
# check if capabilities have changed
|
||||||
|
correct)
|
||||||
|
if [ -s "$__object/explorer/bind-capability" ]; then
|
||||||
|
# capabilites are set
|
||||||
|
if [ "$SYSTEMD_SOCKET" = "yes" ]; then
|
||||||
|
cap_mode="-ep" # unset
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# capabilities are unset
|
||||||
|
if [ "$SYSTEMD_SOCKET" != "yes" ]; then
|
||||||
|
cap_mode="+ep" # set
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
# faulty mode
|
||||||
|
*)
|
||||||
|
echo "called set_bind_cap incorrect (\$1 missing)" >&2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# set capabilities if any
|
||||||
|
if [ "$cap_mode" ]; then
|
||||||
|
printf "setcap -q CAP_NET_BIND_SERVICE%s /opt/netbox/venv/bin/uwsgi\n" "$cap_mode"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
SYSTEMD_SOCKET="$(cat "$__object/files/systemd_socket")"
|
||||||
|
|
||||||
|
|
||||||
|
case "$state" in
|
||||||
|
# install uwsgi
|
||||||
|
enabled|disabled)
|
||||||
|
# not installed
|
||||||
|
if ! [ -s "$__object/explorer/installed" ]; then
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 install -q uwsgi"
|
||||||
|
set_bind_cap set
|
||||||
|
do_restart=yes
|
||||||
|
printf "installed\n" >> "$__messages_out"
|
||||||
|
|
||||||
|
# updates available
|
||||||
|
elif [ -s "$__object/explorer/upgradeable" ]; then
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 install -q --upgrade uwsgi"
|
||||||
|
set_bind_cap set
|
||||||
|
do_restart=yes
|
||||||
|
printf "upgraded\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# changed configuration
|
||||||
|
if grep -q "^__file/opt/netbox/uwsgi.ini:" "$__messages_in"; then
|
||||||
|
do_restart=yes
|
||||||
|
printf "configured\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if no capabilities were set yet, check if any are required
|
||||||
|
if [ -z "$cap_mode" ]; then
|
||||||
|
set_bind_cap correct
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# restart uwsgi
|
||||||
|
if [ "$do_restart" ] && [ "$state" != "disabled" ]; then
|
||||||
|
cat << EOF
|
||||||
|
# Restart service
|
||||||
|
systemctl restart uwsgi-netbox
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
# uninstall
|
||||||
|
absent)
|
||||||
|
# check if installed
|
||||||
|
if [ -s "$__object/explorer/installed" ]; then
|
||||||
|
# service already disabled
|
||||||
|
echo "/opt/netbox/venv/bin/pip3 uninstall -qy uwsgi"
|
||||||
|
printf "uninstalled\n" >> "$__messages_out"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
186
type/__netbox_uwsgi/man.rst
Normal file
186
type/__netbox_uwsgi/man.rst
Normal file
|
@ -0,0 +1,186 @@
|
||||||
|
cdist-type__netbox_uwsgi(7)
|
||||||
|
===========================
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__netbox_uwsgi - Run NetBox with uWSGI
|
||||||
|
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
This (singleton) type installs uWSGI into the NetBox `python-venv`. It hosts
|
||||||
|
the NetBox WSGI application via the WSGI protocol. A further server must be
|
||||||
|
installed to provide it as HTTP and serve static content. It supports multiple
|
||||||
|
protocols like uwsgi, fastcgi or HTTP to comunicate with the proxy server. This
|
||||||
|
application is available via the `uwsgi-netbox` systemd service. It is
|
||||||
|
controllable via the `netbox` wrapper service, too.
|
||||||
|
|
||||||
|
**As uWSGI will be started as netbox user, it does not have privileges to
|
||||||
|
bind to a privileaged port (all ports below 1024).** Because uWSGI will
|
||||||
|
drop privileages anyway before binding to a port, solutions are to use
|
||||||
|
the systemd sockets to activate the ports as root or set linux kernel
|
||||||
|
capabilites to bind to such a privileaged port.
|
||||||
|
|
||||||
|
As systemd sockets (or uwsgi itself) do not allow to distinguish multiple
|
||||||
|
sockets if different protocols are used for different sockets, this type does
|
||||||
|
not use systemd sockets if it is requested from the user. Using the
|
||||||
|
``--bind-to`` and ``--protocol`` parameters, it uses the systemd socket
|
||||||
|
activation. Else, it set the different sockets and protocols natively to uwsgi
|
||||||
|
and add kernel capabilities to be able to listen to privileaged ports.
|
||||||
|
|
||||||
|
|
||||||
|
REQUIRED PARAMETERS
|
||||||
|
-------------------
|
||||||
|
None.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
state
|
||||||
|
Represents the state of the uWSGI application. Defaults to ``enabled``.
|
||||||
|
|
||||||
|
enabled
|
||||||
|
The uWSGI service is enabled and running.
|
||||||
|
disabled
|
||||||
|
The uWSGI service is installed, but disabled.
|
||||||
|
absent
|
||||||
|
The uWSGI service is not installed and all configuration removed.
|
||||||
|
|
||||||
|
This type does not guarantee anything about the running state of the
|
||||||
|
service. To be sure about the service is stopped or not, use the type
|
||||||
|
:strong:`cdist-type__systemd_service`\ (7) after this execution.
|
||||||
|
|
||||||
|
|
||||||
|
bind-to
|
||||||
|
The socket uwsgi should bind to. Must be UNIX/TCP (or anything that
|
||||||
|
systemd sockets accept as stream). Defaults to ``127.0.0.1:3031``. Can be
|
||||||
|
set multiple times. The used protocol is defined by ``--protocol``.
|
||||||
|
|
||||||
|
**By setting up the socket via this parameter, it uses systemd sockets to
|
||||||
|
handle these.** This parameter will be ignored if a more detailed paramter
|
||||||
|
is given (``--$proto-bind``).
|
||||||
|
|
||||||
|
protocol
|
||||||
|
The protocol which should be used for the socket given by the ``--bind-to``
|
||||||
|
parameter. Possible values are ``uwsgi``, ``http``, ``fastcgi`` and
|
||||||
|
``scgi``. If nothing given, it defaults to ``uwsgi``.
|
||||||
|
|
||||||
|
uwsgi-bind
|
||||||
|
http-bind
|
||||||
|
fastcgi-bind
|
||||||
|
scgi-bind
|
||||||
|
Bind the application to a specific protocol instead of implicit uwsgi via
|
||||||
|
``--bind-to``. If such parameter given, ``--bind-to`` will be ignored. Must
|
||||||
|
be a UNIX/TCP socket. Can be set multiple times.
|
||||||
|
|
||||||
|
**By using such parameters instead of ``--bind-to``, no systemd sockets
|
||||||
|
will be used because it can not handle sockets for multiple protocols.**
|
||||||
|
Instead, the native socket binding will be used. It will add kernel
|
||||||
|
capabilites to bind to privileaged ports, too. This allow binds to ports
|
||||||
|
like 80 as netbox user.
|
||||||
|
|
||||||
|
|
||||||
|
BOOLEAN PARAMETERS
|
||||||
|
------------------
|
||||||
|
serve-static
|
||||||
|
Setup uWSGI to serve the static content, too. This is generally not
|
||||||
|
recommended for real production setups, as it is the job of the reverse
|
||||||
|
proxy server, who will thread it as static cachable content. This option
|
||||||
|
is only recommended for small setups or direct usage of the uWSGI socket
|
||||||
|
like using it as standalone HTTP server for NetBox.
|
||||||
|
|
||||||
|
**Hint**: This parameter does not work in junction with the `__netbox`
|
||||||
|
parameter ``--basepath``. It is because this type does not know the
|
||||||
|
parameter value and this case is very unlikly to happen; although an
|
||||||
|
implementation is not difficult.
|
||||||
|
|
||||||
|
|
||||||
|
MESSAGES
|
||||||
|
--------
|
||||||
|
installed
|
||||||
|
The uwsgi service was installed.
|
||||||
|
|
||||||
|
upgraded
|
||||||
|
The uwsgi service was upgraded.
|
||||||
|
|
||||||
|
configured
|
||||||
|
The uwsgi configuration got updated.
|
||||||
|
|
||||||
|
uninstalled
|
||||||
|
The uWSGI application was removed.
|
||||||
|
|
||||||
|
In all cases where the application is still present, it restarts the service to
|
||||||
|
use the up-to-date version.
|
||||||
|
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
.. code-block:: sh
|
||||||
|
|
||||||
|
# simple
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi
|
||||||
|
|
||||||
|
# with multiple binds
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi --bind-to 0.0.0.0:3032 \
|
||||||
|
--bind-to 0.0.0.0:3033
|
||||||
|
|
||||||
|
# with multiple protocols
|
||||||
|
# parameter `--bind-to` will be ignored
|
||||||
|
# avoids systemd sockets, but can handle multiple protocols
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi --uwsgi-bind 0.0.0.0:3031 \
|
||||||
|
--http-bind 0.0.0.0:8080 \
|
||||||
|
--fastcgi-bind 1.2.3.4:5678
|
||||||
|
|
||||||
|
# as standalone server
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi --serve-static --http-bind 0.0.0.0:80
|
||||||
|
|
||||||
|
# replace gunicorn with uwsgi
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_gunicorn --state absent
|
||||||
|
# it should depend on __netbox_gunicorn if they use the same socket
|
||||||
|
require="__netbox_gunicorn" __netbox_uwsgi --state enabled
|
||||||
|
|
||||||
|
# be sure the service is disabled
|
||||||
|
__netbox $args
|
||||||
|
require="__netbox" __netbox_uwsgi --state disabled
|
||||||
|
require="__netbox_uwsgi" __systemd_service uwsgi-netbox --state stopped
|
||||||
|
|
||||||
|
|
||||||
|
NOTES
|
||||||
|
-----
|
||||||
|
If systemd sockets are used, uwsgi can not be reloaded because it does not
|
||||||
|
handle the socket correctly. It works by completly restarting uwsgi (because
|
||||||
|
it is near the same cause of the systemd socket) or tweaking the service unit
|
||||||
|
with the line ``StandardInput=socket``, which limits you to only one address
|
||||||
|
to bind to (else, the service will not start).
|
||||||
|
|
||||||
|
Maybe someone is interested in enabling log files, because the "log to stdout"
|
||||||
|
is not the fanciest approach (because it is shown in the journal). See the
|
||||||
|
`uwsgi documentation <https://uwsgi.readthedocs.io/en/latest/Logging.html>` for
|
||||||
|
reference.
|
||||||
|
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
`uWSGI Documentation <https://uwsgi-docs.readthedocs.io/en/latest/>`_
|
||||||
|
|
||||||
|
:strong:`cdist-type__netbox`\ (7)
|
||||||
|
:strong:`cdist-type__netbox_gunicorn`\ (7)
|
||||||
|
|
||||||
|
|
||||||
|
AUTHORS
|
||||||
|
-------
|
||||||
|
Matthias Stecher <matthiasstecher@gmx.de>
|
||||||
|
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
|
||||||
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
|
published by the Free Software Foundation, either version 3 of the
|
||||||
|
License, or (at your option) any later version.
|
86
type/__netbox_uwsgi/manifest
Executable file
86
type/__netbox_uwsgi/manifest
Executable file
|
@ -0,0 +1,86 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
# __netbox_uwsgi/manifest
|
||||||
|
|
||||||
|
# Check states
|
||||||
|
state=""
|
||||||
|
unit_state=""
|
||||||
|
param_state="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
|
case "$param_state" in
|
||||||
|
enabled|disabled)
|
||||||
|
state="present"
|
||||||
|
unit_state="$param_state"
|
||||||
|
;;
|
||||||
|
|
||||||
|
absent)
|
||||||
|
state="absent"
|
||||||
|
unit_state="disabled"
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
# does not exist
|
||||||
|
printf "The state '%s' does not exist, can't continue!\n" "$param_state" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
mkdir "$__object/files"
|
||||||
|
|
||||||
|
# check if systemd sockets will be used
|
||||||
|
if [ -f "$__object/parameter/bind-to" ]; then
|
||||||
|
SYSTEMD_SOCKET="yes"
|
||||||
|
fi
|
||||||
|
if find "$__object/parameter/" -maxdepth 1 -name "*-bind" -print -quit | grep -q .; then
|
||||||
|
SYSTEMD_SOCKET="no"
|
||||||
|
fi
|
||||||
|
echo "$SYSTEMD_SOCKET" > "$__object/files/systemd_socket"
|
||||||
|
|
||||||
|
if [ "$state" = "present" ]; then
|
||||||
|
# already checked outside this if-clause
|
||||||
|
export SYSTEMD_SOCKET
|
||||||
|
|
||||||
|
PROTOCOL="$(cat "$__object/parameter/protocol")"
|
||||||
|
export PROTOCOL
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/serve-static" ]; then
|
||||||
|
STATIC_MAP="yes"
|
||||||
|
export STATIC_MAP
|
||||||
|
fi
|
||||||
|
|
||||||
|
# process template
|
||||||
|
"$__type/files/uwsgi.ini.sh" > "$__object/files/uwsgi.ini"
|
||||||
|
|
||||||
|
# uwsgi config file
|
||||||
|
# TODO maybe patching with __key_value cause of .ini ?
|
||||||
|
__file /opt/netbox/uwsgi.ini \
|
||||||
|
--mode 644 --owner netbox \
|
||||||
|
--source "$__object/files/uwsgi.ini"
|
||||||
|
|
||||||
|
else
|
||||||
|
# absent config file
|
||||||
|
__file /opt/netbox/uwsgi.ini --state absent
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# handle the systemd socket
|
||||||
|
if [ "$SYSTEMD_SOCKET" = "yes" ]; then
|
||||||
|
TYPE="uWSGI"
|
||||||
|
export TYPE
|
||||||
|
|
||||||
|
# generate and set the socket unit
|
||||||
|
"$__type/files/netbox.socket.sh" "$__object/parameter/bind-to" \
|
||||||
|
> "$__object/files/netbox.socket"
|
||||||
|
__systemd_unit uwsgi-netbox.socket \
|
||||||
|
--state "$state" --enablement-state "$unit_state" \
|
||||||
|
--source "$__object/files/netbox.socket" --restart
|
||||||
|
else
|
||||||
|
# remove the systemd socket unit
|
||||||
|
__systemd_unit uwsgi-netbox.socket --state absent
|
||||||
|
fi
|
||||||
|
|
||||||
|
# install service file
|
||||||
|
"$__type/files/netbox.service.sh" > "$__object/files/netbox.service"
|
||||||
|
__systemd_unit uwsgi-netbox.service \
|
||||||
|
--state "$state" --enablement-state "$unit_state" \
|
||||||
|
--source "$__object/files/netbox.service" --restart
|
1
type/__netbox_uwsgi/parameter/boolean
Normal file
1
type/__netbox_uwsgi/parameter/boolean
Normal file
|
@ -0,0 +1 @@
|
||||||
|
serve-static
|
1
type/__netbox_uwsgi/parameter/default/bind-to
Normal file
1
type/__netbox_uwsgi/parameter/default/bind-to
Normal file
|
@ -0,0 +1 @@
|
||||||
|
127.0.0.1:3031
|
1
type/__netbox_uwsgi/parameter/default/protocol
Normal file
1
type/__netbox_uwsgi/parameter/default/protocol
Normal file
|
@ -0,0 +1 @@
|
||||||
|
uwsgi
|
1
type/__netbox_uwsgi/parameter/default/state
Normal file
1
type/__netbox_uwsgi/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
||||||
|
enabled
|
2
type/__netbox_uwsgi/parameter/optional
Normal file
2
type/__netbox_uwsgi/parameter/optional
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
state
|
||||||
|
protocol
|
5
type/__netbox_uwsgi/parameter/optional_multiple
Normal file
5
type/__netbox_uwsgi/parameter/optional_multiple
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
bind-to
|
||||||
|
uwsgi-bind
|
||||||
|
http-bind
|
||||||
|
fastcgi-bind
|
||||||
|
scgi-bind
|
0
type/__netbox_uwsgi/singleton
Normal file
0
type/__netbox_uwsgi/singleton
Normal file
Loading…
Reference in a new issue