__netbox: autogen secretkey and store at remote

The secret key is generated if it is not set via parameter and the
explorer does not return any. It will be saved in the netbox home
directory to easily read the key for the config generation.

type/__netbox/explorer/secretkey

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+# Explorer will output the key if he exists.
+
+secretkey="/opt/netbox/.secretkey"
+if [ -f "$secretkey" ]; then
+    cat "$secretkey"
+fi

type/__netbox/explorer/version

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 
 # output version if exist
 version_path="/opt/netbox/netbox/cdist/version"

type/__netbox/man.rst

@@ -32,16 +32,22 @@ database-user
 database-password
     PostgreSQL database password.
 
-secret-key
-    Random secret key of at least 50 alphanumeric characters. This key must be
-    unique to this installation and must not be shared outside the local
-    system.
-
 host
     Hostname (domain or IP address) on which the application is served.
 
 OPTIONAL PARAMETERS
 -------------------
+secret-key
+    Random secret key of at least 50 alphanumeric characters and symbols. This
+    key must be unique to this installation and must not be shared outside the
+    local system. If no secret key is given, the type generates an own 50 chars
+    long key and saves it on the remote host to remember it for the next run.
+
+    The secret, random string is used to assist in the creation new
+    cryptographic hashes for passwords and HTTP cookies. It is not directly
+    used for hasing user passwords or for encrpted storage. It can be changed
+    at any time, but will invalidate all existing sessions.
+
 database-host
     PostgreSQL database hostname. Defaults to ``localhost``.
 

type/__netbox/manifest

@@ -37,7 +37,18 @@ export DATABASE_PORT
 
 ALLOWED_HOST=$(cat "$__object/parameter/host")
 export ALLOWED_HOST
-SECRET_KEY=$(cat "$__object/parameter/secret-key")
+
+if [ -f "$__object/parameter/secret-key" ]; then
+    SECRET_KEY=$(cat "$__object/parameter/secret-key")
+elif [ -s "$__object/explorer/secretkey" ]; then
+    # Can be done over netbox/generate_secret_key.py too, but it's to
+    # complicated with the variable setup (can't generated right now!).
+    # Generates a 50-character long key (without ' cause of python quotes)
+    SECRET_KEY="$(tr -cd '[:graph:]' < /dev/random | tr -d \' | head -c50)"
+else
+    # take the key that is already used
+    SECRET_KEY="$(cat "$__object/explorer/secretkey")"
+fi
 export SECRET_KEY
 
 if [ -f "$__object/parameter/ldap-server" ]; then
@@ -177,6 +188,12 @@ if [ -f "$__object/parameter/ldap-server" ]; then
         --source "$__object/files/ldap_config.py"
 fi
 
+# save secret
+require="__user/netbox" __file /opt/netbox/.secretkey --mode 400 \
+    --owner netbox --source - << SECRET
+$SECRET_KEY
+SECRET
+
 
 # Upload systemd units and gunicorn configuration.
 for unit in netbox netbox-rq; do

type/__netbox/parameter/optional

@@ -1,3 +1,4 @@
+secret-key
 database-host
 database-port
 ldap-server

type/__netbox/parameter/required

@@ -2,5 +2,4 @@ version
 database
 database-user
 database-password
-secret-key
 host