13 KiB
NetBox
NetBox is an open-source web application that provides IP address management (IPAM) and data center infrastructure management (DCIM) functionality.
Dependencies
This service requires the following other services:
Configuration
To enable this service, add the following configuration to your vars.yml
file and re-run the installation process:
########################################################################
# #
# netbox #
# #
########################################################################
netbox_enabled: true
netbox_hostname: mash.example.com
netbox_path_prefix: /netbox
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
netbox_environment_variable_secret_key: ''
# The following superuser will be created upon launch.
netbox_environment_variable_superuser_name: your_username_here
netbox_environment_variable_superuser_email: your.email@example.com
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way.
# Changing the password subsequently will not affect the user's password.
netbox_environment_variable_superuser_password: ''
# Redis configuration, as described below
########################################################################
# #
# /netbox #
# #
########################################################################
URL
In the example configuration above, we configure the service to be hosted at https://mash.example.com/netbox
.
You can remove the netbox_path_prefix
variable definition, to make it default to /
, so that the service is served at https://mash.example.com/
.
Authentication
If netbox_environment_variable_superuser_*
variables are specified, NetBox will try to create the user (if missing).
Single-Sign-On is also supported.
Redis
As described on the Redis documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See Creating a Redis instance dedicated to NetBox.
If you're only running NetBox on this server and don't need to use Redis for anything else, you can use a single Redis instance.
Using the shared Redis instance for NetBox
To install a single (non-dedicated) Redis instance (mash-redis
) and hook NetBox to it, add the following additional configuration:
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
########################################################################
# #
# netbox #
# #
########################################################################
# Base configuration as shown above
# Point NetBox to the shared Redis instance
netbox_config_redis_hostname: "{{ redis_identifier }}"
# Make sure the NetBox service (mash-netbox.service) starts after the shared Redis service (mash-redis.service)
netbox_systemd_required_services_list_custom:
- "{{ redis_identifier }}.service"
# Make sure the NetBox container is connected to the container network of the shared Redis service (mash-redis)
netbox_container_additional_networks_custom:
- "{{ redis_identifier }}"
########################################################################
# #
# /netbox #
# #
########################################################################
This will create a mash-redis
Redis instance on this host.
This is only recommended if you won't be installing other services which require Redis. Alternatively, go for Creating a Redis instance dedicated to NetBox.
Creating a Redis instance dedicated to NetBox
The following instructions are based on the Running multiple instances of the same service on the same host documentation.
Adjust your inventory/hosts
file as described in Re-do your inventory to add supplementary hosts, adding a new supplementary host (e.g. if netbox.example.com
is your main one, create netbox.example.com-deps
).
Then, create a new vars.yml
file for the
inventory/host_vars/netbox.example.com-deps/vars.yml
:
---
########################################################################
# #
# Playbook #
# #
########################################################################
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''
# Override service names and directory path prefixes
mash_playbook_service_identifier_prefix: 'mash-netbox-'
mash_playbook_service_base_directory_name_prefix: 'netbox-'
########################################################################
# #
# /Playbook #
# #
########################################################################
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
This will create a mash-netbox-redis
instance on this host with its data in /mash/netbox-redis
.
Then, adjust your main inventory host's variables file (inventory/host_vars/netbox.example.com/vars.yml
) like this:
########################################################################
# #
# netbox #
# #
########################################################################
# Base configuration as shown above
# Point NetBox to its dedicated Redis instance
netbox_environment_variable_redis_host: mash-netbox-redis
netbox_environment_variable_redis_cache_host: mash-netbox-redis
# Make sure the NetBox service (mash-netbox.service) starts after its dedicated Redis service (mash-netbox-redis.service)
netbox_systemd_required_services_list_custom:
- "mash-netbox-redis.service"
# Make sure the NetBox container is connected to the container network of its dedicated Redis service (mash-netbox-redis)
netbox_container_additional_networks_custom:
- "mash-netbox-redis"
########################################################################
# #
# /netbox #
# #
########################################################################
Single-Sign-On (SSO) integration
NetBox supports different Remote Authentication backends, including those provided by the Python Social Auth library. This library is included in the NetBox container image by default, so you can invoke any backend provided by it.
Each module's Python file contains detailed information about how to configure it. It should be noted that module-specific configuration is passed as Python configuration (via netbox_configuration_extra_python
), and not as environment variables.
We have detailed information about integrating with Keycloak below. You can use the configuration in the Keycloak section as a template for configuring other backends.
Keycloak
To integrate with Keycloak use the following additional configuration:
netbox_environment_variables_additional_variables: |
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2
netbox_configuration_extra_python: |
# These need to match your Client app information in Keycloak. See below
SOCIAL_AUTH_KEYCLOAK_KEY = ''
SOCIAL_AUTH_KEYCLOAK_SECRET = ''
# The value for this is retrieved from Keycloak -> Realm Settings -> Keys tab -> Public key button for RS256
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = ''
# The value for these are retrieved from Keycloak -> Realm Settings -> General tab -> OpenID Endpoint Configuration button
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/token'
# If Keycloak is running on the same server, uncomment the lines below
# and replace HOSTNAME with the hostname of the Keycloak server (e.g. mash.example.com or keycloak.example.com).
# netbox_container_extra_arguments:
# - --add-host=HOSTNAME:{{ ansible_host }}
The Client app needs to be created and configured in a special way on the Keycloak side by:
- activating Client authentication
- in Advanced, changing the following settings:
- Request object signature algorithm =
RS256
- Request object signature algorithm =
RS256
- Request object signature algorithm =
- in Client scopes (for this Client app via the Client scopes tab, not for all apps via the left-most menu), configure the
*-dedicated
scope (e.g.netbox-dedicated
if you named your Client appnetbox
) and add a new mapper with the following settings:- Name = anything you like (e.g.
netbox-audience
) - Included Client Audience = the key of this Client app (e.g.
netbox
) - Add to access token = On
- Name = anything you like (e.g.
Installation
If you've decided to install a dedicated Redis instance for NetBox, make sure to first do installation for the supplementary inventory host (e.g. netbox.example.com-deps
), before running installation for the main one (e.g. netbox.example.com
).
Usage
After installation, you can go to the NetBox URL, as defined in netbox_hostname
and netbox_path_prefix
.
You can log in with the username (not email) and password specified in the netbox_environment_variable_superuser*
variables.