hosting/mash-playbook
1
0
Fork 0
Code Pull requests Activity
mash-playbook/docs/services/netbox.md

268 lines
13 KiB
Markdown
Raw Normal View History

Add NetBox service and redo Redis integration for PeerTube
2023-03-26 16:13:57 +02:00
# NetBox
[NetBox](https://docs.netbox.dev/en/stable/) is an open-source web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality.
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Redis](redis.md) data-store, installation details [below](#redis)
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# netbox #
# #
########################################################################
netbox_enabled: true
netbox_hostname: mash.example.com
netbox_path_prefix: /netbox
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
netbox_environment_variable_secret_key: ''
# The following superuser will be created upon launch.
netbox_environment_variable_superuser_name: your_username_here
netbox_environment_variable_superuser_email: your.email@example.com
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way.
# Changing the password subsequently will not affect the user's password.
netbox_environment_variable_superuser_password: ''
# Redis configuration, as described below
########################################################################
# #
# /netbox #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/netbox`.
You can remove the `netbox_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
### Authentication
If `netbox_environment_variable_superuser_*` variables are specified, NetBox will try to create the user (if missing).
Add SSO (Keycloak) information to NetBox docs
2023-04-03 16:11:06 +02:00
[Single-Sign-On](#single-sign-on-sso-integration) is also supported.
Add NetBox service and redo Redis integration for PeerTube
2023-03-26 16:13:57 +02:00
### Redis
As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to NetBox](#creating-a-redis-instance-dedicated-to-netbox).
If you're only running NetBox on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-netbox).
#### Using the shared Redis instance for NetBox
To install a single (non-dedicated) Redis instance (`mash-redis`) and hook NetBox to it, add the following **additional** configuration:
```yaml
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
########################################################################
# #
# netbox #
# #
########################################################################
# Base configuration as shown above
# Point NetBox to the shared Redis instance
Fix NetBox documentation inaccuracies
2023-04-10 14:21:40 +02:00
netbox_environment_variable_redis_host: "{{ redis_identifier }}"
netbox_environment_variable_redis_cache_host: "{{ redis_identifier }}"
Add NetBox service and redo Redis integration for PeerTube
2023-03-26 16:13:57 +02:00
# Make sure the NetBox service (mash-netbox.service) starts after the shared Redis service (mash-redis.service)
netbox_systemd_required_services_list_custom:
- "{{ redis_identifier }}.service"
# Make sure the NetBox container is connected to the container network of the shared Redis service (mash-redis)
netbox_container_additional_networks_custom:
- "{{ redis_identifier }}"
########################################################################
# #
# /netbox #
# #
########################################################################
```
This will create a `mash-redis` Redis instance on this host.
This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to NetBox](#creating-a-redis-instance-dedicated-to-netbox).
#### Creating a Redis instance dedicated to NetBox
The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation.
Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `netbox.example.com` is your main one, create `netbox.example.com-deps`).
Then, create a new `vars.yml` file for the
`inventory/host_vars/netbox.example.com-deps/vars.yml`:
```yaml
---
########################################################################
# #
# Playbook #
# #
########################################################################
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''
# Override service names and directory path prefixes
mash_playbook_service_identifier_prefix: 'mash-netbox-'
mash_playbook_service_base_directory_name_prefix: 'netbox-'
########################################################################
# #
# /Playbook #
# #
########################################################################
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
```
This will create a `mash-netbox-redis` instance on this host with its data in `/mash/netbox-redis`.
Then, adjust your main inventory host's variables file (`inventory/host_vars/netbox.example.com/vars.yml`) like this:
```yaml
########################################################################
# #
# netbox #
# #
########################################################################
# Base configuration as shown above
# Point NetBox to its dedicated Redis instance
netbox_environment_variable_redis_host: mash-netbox-redis
netbox_environment_variable_redis_cache_host: mash-netbox-redis
# Make sure the NetBox service (mash-netbox.service) starts after its dedicated Redis service (mash-netbox-redis.service)
netbox_systemd_required_services_list_custom:
- "mash-netbox-redis.service"
# Make sure the NetBox container is connected to the container network of its dedicated Redis service (mash-netbox-redis)
netbox_container_additional_networks_custom:
- "mash-netbox-redis"
########################################################################
# #
# /netbox #
# #
########################################################################
```
Add SSO (Keycloak) information to NetBox docs
2023-04-03 16:11:06 +02:00
### Single-Sign-On (SSO) integration
NetBox supports different [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/) backends, including those provided by the [Python Social Auth](https://python-social-auth.readthedocs.io/) library. This library is included in the NetBox container image by default, so you can invoke any [backend](https://github.com/python-social-auth/social-core/tree/master/social_core/backends) provided by it.
Each module's Python file contains detailed information about how to configure it. It should be noted that module-specific configuration is passed as Python configuration (via `netbox_configuration_extra_python`), and **not as environment variables**.
We have detailed information about integrating with [Keycloak](keycloak.md) below.
You can use the configuration in the [Keycloak section](#keycloak) as a template for configuring other backends.
#### Keycloak
To integrate with [Keycloak](keycloak.md) use the following **additional** configuration:
```yaml
netbox_environment_variables_additional_variables: |
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2
Fix NetBox documentation inaccuracies
2023-04-10 14:21:40 +02:00
# Space-separated names of groups that new users will be assigned to.
# These groups must be created manually (from the Admin panel's Groups section) before use.
REMOTE_AUTH_DEFAULT_GROUPS=
Add SSO (Keycloak) information to NetBox docs
2023-04-03 16:11:06 +02:00
netbox_configuration_extra_python: |
# These need to match your Client app information in Keycloak. See below
SOCIAL_AUTH_KEYCLOAK_KEY = ''
SOCIAL_AUTH_KEYCLOAK_SECRET = ''
# The value for this is retrieved from Keycloak -> Realm Settings -> Keys tab -> Public key button for RS256
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = ''
# The value for these are retrieved from Keycloak -> Realm Settings -> General tab -> OpenID Endpoint Configuration button
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/token'
# If Keycloak is running on the same server, uncomment the lines below
# and replace HOSTNAME with the hostname of the Keycloak server (e.g. mash.example.com or keycloak.example.com).
# netbox_container_extra_arguments:
# - --add-host=HOSTNAME:{{ ansible_host }}
```
The Client app needs to be created and configured in a special way on the Keycloak side by:
- activating **Client authentication**
Fix NetBox documentation inaccuracies
2023-04-10 14:21:40 +02:00
- **Valid redirect URIs**: `https://NETBOX_URL/oauth/complete/keycloak/`
- **Web origins**: `https://NETBOX_URL/`
Add SSO (Keycloak) information to NetBox docs
2023-04-03 16:11:06 +02:00
- in **Advanced**, changing the following settings:
- **Request object signature algorithm** = `RS256`
Fix NetBox documentation inaccuracies
2023-04-10 14:21:40 +02:00
- **User info signed response algorithm** = `RS256`
- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and in the **Mappers** tab, click **Configure a new mapper** add a new **Audience** mapper with the following settings:
Add SSO (Keycloak) information to NetBox docs
2023-04-03 16:11:06 +02:00
- **Name** = anything you like (e.g. `netbox-audience`)
- **Included Client Audience** = the key of this Client app (e.g. `netbox`)
- **Add to access token** = On
Fix NetBox documentation inaccuracies
2023-04-10 14:21:40 +02:00
For additional environment variables controlling groups and permissions for new users (like `REMOTE_AUTH_DEFAULT_GROUPS`), see the NetBox documentation for [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/).
Add NetBox service and redo Redis integration for PeerTube
2023-03-26 16:13:57 +02:00
## Installation
If you've decided to install a dedicated Redis instance for NetBox, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `netbox.example.com-deps`), before running installation for the main one (e.g. `netbox.example.com`).
## Usage
After installation, you can go to the NetBox URL, as defined in `netbox_hostname` and `netbox_path_prefix`.
You can log in with the **username** (**not** email) and password specified in the `netbox_environment_variable_superuser*` variables.
Copy permalink