Ayounsi has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/387880 )
Change subject: Netbox: initial puppet commit ...................................................................... Netbox: initial puppet commit Change-Id: Ia3354fcf251952a27d58eba3487043d8d4bd26fe --- M hieradata/role/common/deployment_server.yaml M manifests/site.pp A modules/netbox/manifests/init.pp A modules/netbox/templates/configuration.py.erb A modules/netbox/templates/gunicorn.erb A modules/netbox/templates/ldap_config.py.erb A modules/profile/manifests/netbox.pp A modules/role/manifests/netbox.pp A modules/role/templates/netbox/netbox.wikimedia.org.erb 9 files changed, 366 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/80/387880/1 diff --git a/hieradata/role/common/deployment_server.yaml b/hieradata/role/common/deployment_server.yaml index 8eac2e3..865799c 100644 --- a/hieradata/role/common/deployment_server.yaml +++ b/hieradata/role/common/deployment_server.yaml @@ -173,6 +173,9 @@ # Librenms software librenms/librenms: repository: operations/software/librenms + # Netbox software + netbox/deploy: + repository: operations/software/netbox-deploy relforge/mjolnir: repository: search/MjoLniR statsv/statsv: diff --git a/manifests/site.pp b/manifests/site.pp index 0861aed..091fab0 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1954,7 +1954,7 @@ # network monitoring tools, stretch (T125020, T166180) node /^netmon(1002|2001)\.wikimedia\.org$/ { - role(network::monitor, librenms, rancid, smokeping) + role(network::monitor, librenms, rancid, smokeping, netbox) interface::add_ip6_mapped { 'main': } } diff --git a/modules/netbox/manifests/init.pp b/modules/netbox/manifests/init.pp new file mode 100644 index 0000000..d2b073f --- /dev/null +++ b/modules/netbox/manifests/init.pp 
@@ -0,0 +1,58 @@
+# == Class: netbox::base
+#
+# Installs Netbox
+#
+class netbox(
+ $secret_key,
+ $ldap_password,
+ $db_password,
+ $debug=false,
+ $port=8001,
+ $config_path = '/srv/deployment/netbox/deploy',
+ $venv_path = '/srv/deployment/netbox/venv',
+ $directory = '/srv/deployment/netbox/netbox'
+ $ensure='present',
+
+) {
+
+require_package('virtualenv', 'python3-dev',
+ 'gunicorn', 'libldap2-dev',
+ 'build-essential', 'python3-pip',
+ 'libsasl2-dev', 'libssl-dev')
+
+# If new install, postgres user needs to be manually added, see:
+# http://netbox.readthedocs.io/en/stable/installation/postgresql/#database-creation
+require_package('postgresql', 'libpq-dev')
+
+}
+
+file { "${directory}/netbox/netbox/configuration.py":
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ content => template('netbox/configuration.py.erb'),
+}
+
+file { "${directory}/netbox/netbox/ldap_config.py":
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ content => template('netbox/ldap_config.py.erb'),
+}
+
+service { 'gunicorn':
+ ensure => ensure_service($ensure),
+ enable => true,
+ hasstatus => false,
+}
+
+file { '/etc/gunicorn.d/netbox':
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ content => template('netbox/gunicorn.erb'),
+ require => Package['gunicorn'],
+}
diff --git a/modules/netbox/templates/configuration.py.erb b/modules/netbox/templates/configuration.py.erb
new file mode 100644
index 0000000..402e4c9
--- /dev/null
+++ b/modules/netbox/templates/configuration.py.erb
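Review bot: The parameter list at `+ $directory = '/srv/deployment/netbox/netbox'` is missing its trailing comma, so the class does not parse, and the `+}` right after the second `require_package` call closes `class netbox` early: the two `file` resources, the `service` and `/etc/gunicorn.d/netbox` end up at manifest top level, where `$directory` and `$ensure` are no longer in scope. `profile::netbox` in this same change also passes `admins =>` to this class, which declares no such parameter, and `gunicorn.erb` reads `@venv` while the parameter here is `$venv_path`. Separately, `configuration.py` and `ldap_config.py` carry the database password, SECRET_KEY and the LDAP bind password yet are installed root:root with `mode => '0555'`, i.e. readable by every local account; they should be `0440` with the group gunicorn runs as. A reworked skeleton follows; `$config_path` is unused and could be dropped as well.
```puppet
class netbox(
    $secret_key,
    $ldap_password,
    $db_password,
    $debug = false,
    $port = 8001,
    $venv_path = '/srv/deployment/netbox/venv',
    $directory = '/srv/deployment/netbox/netbox',
    $admins = undef,
    $ensure = 'present',
) {
    # … unchanged: require_package calls …

    file { "${directory}/netbox/netbox/configuration.py":
        ensure  => $ensure,
        owner   => 'root',
        group   => 'GUNICORN_GROUP',   # placeholder: the group gunicorn runs as
        mode    => '0440',
        content => template('netbox/configuration.py.erb'),
    }

    # … unchanged: ldap_config.py (same owner/group/mode as above), gunicorn service, /etc/gunicorn.d/netbox …
}
```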
@@ -0,0 +1,145 @@
+#########################
+# #
+# Required settings #
+# #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+# We are behind an apache httpd server, so use X-Forwarded_Host header
+USE_X_FORWARDED_HOST = True
+ALLOWED_HOSTS = ['netbox.wikimedia.org']
+
+# PostgreSQL database configuration.
+DATABASE = {
+ 'NAME': 'netbox', # Database name
+ 'USER': 'netbox', # PostgreSQL username
+ 'PASSWORD': '<%= @db_password %>', # PostgreSQL password
+ 'HOST': 'localhost', # Database server
+ 'PORT': '', # Database port (leave blank for default)
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '<%= @secret_key %>'
+
+
+#########################
+# #
+# Optional settings #
+# #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = (
+<%- if @admins -%>
+ <%= @admins%>
+<%- else -%>
+ # ('Your Name', 'your_em...@example.com'),
+<%- end -%>
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. 
HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+ # 'hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+ # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+<%- if @debug -%>
+DEBUG = True
+<%- else -%>
+DEBUG = False
+<%- end -%>
+
+# Email settings
+EMAIL = {
+ 'SERVER': 'localhost',
+ 'PORT': 25,
+ 'USERNAME': '',
+ 'PASSWORD': '',
+ 'TIMEOUT': 10, # seconds
+ 'FROM_EMAIL': '',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = True
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+# https://docs.djangoproject.com/en/1.11/topics/logging/
+LOGGING = {}
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+LOGIN_REQUIRED = True
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page. 
+MAINTENANCE_MODE = False
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# Time zone (default: UTC)
+TIME_ZONE = 'UTC'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
diff --git a/modules/netbox/templates/gunicorn.erb b/modules/netbox/templates/gunicorn.erb
new file mode 100644
index 0000000..87883ff
--- /dev/null
+++ b/modules/netbox/templates/gunicorn.erb
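Review bot: `+ <%= @admins%>` inside `ADMINS = (` has no trailing comma, so with the single `("Ops Team", ...)` value that `profile::netbox` passes, Python evaluates `ADMINS` to a plain 2-tuple of strings rather than a tuple of (name, email) pairs, which is what Django's error mailing expects; render it as `+ <%= @admins %>,` or, better, pass a structured list and emit one `('name', 'email'),` line per entry. Note that `class netbox` in this change declares no `$admins` parameter, so the `@admins` branch of the template is currently unreachable. Two comment fixes while here: `# An API consumer can request an arbitrary number of objects =by appending` should read `by appending`, and `# Credentials that NetBox will uses` should read `will use`. With `ProxyPreserveHost On` in the vhost the original Host header already reaches gunicorn, so `USE_X_FORWARDED_HOST = True` is likely redundant; if it stays, the `ALLOWED_HOSTS` list is what keeps a client-supplied X-Forwarded-Host from being trusted, so it must not be loosened later.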
@@ -0,0 +1,11 @@
+CONFIG = {
+ 'mode': 'wsgi',
+ 'working_dir': '<%= @directory %>/netbox',
+ 'python': '<%= @venv %>/bin/python',
+ 'args': (
+ '--bind=127.0.0.1:<%= @port %>',
+ '--workers=4',
+ '--timeout=10',
+ 'wsgi',
+ ),
+}
diff --git a/modules/netbox/templates/ldap_config.py.erb b/modules/netbox/templates/ldap_config.py.erb
new file mode 100644
index 0000000..1761905
--- /dev/null
+++ b/modules/netbox/templates/ldap_config.py.erb
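Review bot: `+ 'python': '<%= @venv %>/bin/python',` references a template variable that `class netbox` never defines — the parameter there is `$venv_path` — so the line renders as `/bin/python` and gunicorn starts with whatever that resolves to instead of the virtualenv interpreter; it should read `'python': '<%= @venv_path %>/bin/python',`. The config also sets no `user`/`group`, so the workers run as the Debian gunicorn package's default account — presumably intended, but worth a comment, since the rendered `configuration.py` and `ldap_config.py` must be readable by exactly that account once their mode is tightened.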
@@ -0,0 +1,42 @@
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+# Server URI
+AUTH_LDAP_SERVER_URI = "ldap-labs.eqiad.wikimedia.org"
+
+# The following may be needed if you are binding to Active Directory.
+AUTH_LDAP_CONNECTION_OPTIONS = {
+ ldap.OPT_REFERRALS: 0
+}
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = "cn=proxyagent,ou=profile,dc=wikimedia,dc=org"
+AUTH_LDAP_BIND_PASSWORD = "<%= @ldap_password %>"
+
+# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
+# Note that this is a NetBox-specific setting which sets:
+# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+LDAP_IGNORE_CERT_ERRORS = False
+
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# heirarchy.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=people,dc=wikimedia,dc=org", ldap.SCOPE_SUBTREE,
+ "(objectClass=group)")
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+# Define a group required to login.
+AUTH_LDAP_REQUIRE_GROUP = "cn=ops,ou=groups,dc=wikimedia,dc=org"
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ "is_active": "cn=librenms-reader,ou=groups,dc=wikimedia,dc=org"
+ "is_superuser": "cn=ops,ou=groups,dc=wikimedia,dc=org"
+}
+
+# For more granular permissions, we can map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# Cache groups for one hour to reduce LDAP traffic
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
diff --git a/modules/profile/manifests/netbox.pp b/modules/profile/manifests/netbox.pp
new file mode 100644
index 0000000..305584e
--- /dev/null
+++ b/modules/profile/manifests/netbox.pp
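Review bot: `+ "is_active": "cn=librenms-reader,ou=groups,dc=wikimedia,dc=org"` has no trailing comma, so the two adjacent string literals concatenate and the `:` that follows is a SyntaxError — NetBox will not import its settings at all. `AUTH_LDAP_SERVER_URI = "ldap-labs.eqiad.wikimedia.org"` is a bare hostname rather than a URI, and since the bind password travels over this connection it should be `ldaps://` (or set `AUTH_LDAP_START_TLS = True`) rather than cleartext. `AUTH_LDAP_GROUP_SEARCH` looks under `ou=people` for `(objectClass=group)`, while every group DN in this file lives under `ou=groups` and `GroupOfNamesType` implies `groupOfNames` entries — the base and filter look copied from the Active Directory example. Nothing here sets `AUTH_LDAP_USER_SEARCH` or `AUTH_LDAP_USER_DN_TEMPLATE`, which django-auth-ldap needs to locate a user's DN before it can bind as them. Proposed lines below; the user-search attribute needs confirming against the directory schema.
```python
AUTH_LDAP_SERVER_URI = "ldaps://ldap-labs.eqiad.wikimedia.org"
# … unchanged: connection options, bind DN/password, LDAP_IGNORE_CERT_ERRORS …
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=people,dc=wikimedia,dc=org", ldap.SCOPE_SUBTREE,
                                   "(uid=%(user)s)")  # attribute to confirm against the directory
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=wikimedia,dc=org", ldap.SCOPE_SUBTREE,
                                    "(objectClass=groupOfNames)")
# … unchanged: group type, require group …
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=librenms-reader,ou=groups,dc=wikimedia,dc=org",
    "is_superuser": "cn=ops,ou=groups,dc=wikimedia,dc=org",
}
```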
@@ -0,0 +1,46 @@
+# Class: profile::netbox
+#
+# This profile installs all the Netbox related parts as WMF requires it
+#
+# Actions:
+# Deploy Netbox
+# Install apache, gunicorn, configure reverse proxy to gunicorn, LDAP
+# authentication
+#
+# Requires:
+#
+# Sample Usage:
+# include profile::netbox
+#
+
+class profile::netbox {
+ include ::apache
+ include ::apache::mod::proxy_http
+ include ::apache::mod::proxy
+
+
+ include passwords::netbox
+ $db_password = $passwords::netbox::db_password #### NOT DEFINED YET
+ $secret_key = $passwords::netbox::secret_key #### NOT DEFINED YET
+
+ # Used for LDAP auth
+ include passwords::ldap::wmf_cluster
+ $proxypass = $passwords::ldap::wmf_cluster::proxypass
+
+ scap::target { 'netbox/deploy':
+ deploy_user => 'deploy-librenms',
+ }
+
+ class { '::netbox':
+ directory => '/srv/deployment/netbox/netbox',
+ db_password => $db_password,
+ secret_key => $secret_key,
+ ldap_password => $proxypass,
+ admins => '("Ops Team", "o...@lists.wikimedia.org")',
+ }
+
+ apache::site { 'netbox.wikimedia.org':
+ content => template('role/netbox/netbox.wikimedia.org.erb'),
+ }
+
+}
diff --git a/modules/role/manifests/netbox.pp b/modules/role/manifests/netbox.pp
new file mode 100644
index 0000000..c3b0f14
--- /dev/null
+++ b/modules/role/manifests/netbox.pp
@@ -0,0 +1,20 @@
+# Class: profile::netbox
+#
+# This profile installs all the Netbox related parts as WMF requires it
+#
+# Actions:
+# Deploy Netbox
+#
+# Requires:
+#
+# Sample Usage:
+# include role::netbox
+#
+
+class role::netbox {
+
+ system::role { 'netbox': description => 'Netbox server' }
+
+ include ::profile::netbox
+
+}
diff --git a/modules/role/templates/netbox/netbox.wikimedia.org.erb b/modules/role/templates/netbox/netbox.wikimedia.org.erb
new file mode 100644
index 0000000..6360c32
--- /dev/null
+++ b/modules/role/templates/netbox/netbox.wikimedia.org.erb
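Review bot: `+ admins => '("Ops Team", "o...@lists.wikimedia.org")',` passes a parameter that `class netbox` in this same change does not declare, so catalog compilation fails for the netmon hosts that now include this role; either declare `$admins` there or drop the line, and pass a structured value rather than a string of Python source for the template to interpolate. `include passwords::netbox` with the `#### NOT DEFINED YET` markers means the change cannot compile until that private class exists — the TODO should at least name the keys it must provide (`db_password`, `secret_key`). `deploy_user => 'deploy-librenms'` and the reused `passwords::ldap::wmf_cluster::proxypass` tie netbox to librenms' deploy account and the shared LDAP bind credential; presumably deliberate for a first iteration, but a comment saying so would stop a later reader treating it as a mistake. `directory => '/srv/deployment/netbox/netbox'` duplicates the class default and can go.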
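Review bot: The header comment at `+# Class: profile::netbox` in `modules/role/manifests/netbox.pp` was copied from the profile — it names the wrong class and says "This profile installs". It should read `# Class: role::netbox` and describe the role, e.g. `# Netbox server role; the actual setup lives in profile::netbox`.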
@@ -0,0 +1,40 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+# vim: filetype=apache
+
+<VirtualHost *:80>
+ ProxyPreserveHost On
+
+ ServerName netbox.wikimedia.org
+
+ Alias /static <%= @directory%>/static
+
+ # Needed to allow token-based API authentication
+ WSGIPassAuthorization on
+
+ <Directory <%= @directory%>/static>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+ </Directory>
+
+ <Location /static>
+ ProxyPass !
+ </Location>
+
+ <%- if @port -%>
+ ProxyPass / http://127.0.0.1:<%= @port%>/
+ ProxyPassReverse / http://127.0.0.1:<%= @port%>/
+ <%- else -%>
+ ProxyPass / http://127.0.0.1:8001/
+ ProxyPassReverse / http://127.0.0.1:8001/
+ <%- end -%>
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+ CustomLog /var/log/apache2/netbox.wikimedia.org-access.log wmf
+ ErrorLog /var/log/apache2/netbox.wikimedia.org-error.log
+
+</VirtualHost>
-- To view, visit https://gerrit.wikimedia.org/r/387880 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia3354fcf251952a27d58eba3487043d8d4bd26fe Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ayounsi <ayou...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
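Review bot: `+ Options Indexes FollowSymLinks MultiViews` on the static directory enables directory listings for `<%= @directory%>/static`; `Options FollowSymLinks` is enough for serving collected assets. `+ WSGIPassAuthorization on` is a mod_wsgi directive, but this vhost proxies to gunicorn rather than running mod_wsgi, so it has no effect — mod_proxy already forwards the Authorization header, so the line and its comment can go. Given that `init.pp` places `configuration.py` under `${directory}/netbox/netbox/`, NetBox's collected static files would presumably live at `<%= @directory%>/netbox/static` rather than `<%= @directory%>/static` — worth checking the `Alias` path against the deploy layout before first use. The `<%- else -%>` branch hard-codes 8001 while `$port` already defaults to 8001 in the class, so the conditional can collapse to the two `@port` lines.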