depot/nixos/modules/services/web-apps/netbox.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

392 lines
11 KiB
Nix

{ config, lib, pkgs, ... }:
let
cfg = config.services.netbox;
pythonFmt = pkgs.formats.pythonVars {};
staticDir = cfg.dataDir + "/static";
settingsFile = pythonFmt.generate "netbox-settings.py" cfg.settings;
extraConfigFile = pkgs.writeTextFile {
name = "netbox-extraConfig.py";
text = cfg.extraConfig;
};
configFile = pkgs.concatText "configuration.py" [ settingsFile extraConfigFile ];
pkg = (cfg.package.overrideAttrs (old: {
installPhase = old.installPhase + ''
ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py
'' + lib.optionalString cfg.enableLdap ''
ln -s ${cfg.ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py
'';
})).override {
inherit (cfg) plugins;
};
netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" ''
#!${stdenv.shell}
export PYTHONPATH=${pkg.pythonPath}
sudo -u netbox ${pkg}/bin/netbox "$@"
'');
in {
options.services.netbox = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Netbox.
This module requires a reverse proxy that serves `/static` separately.
See this [example](https://github.com/netbox-community/netbox/blob/develop/contrib/nginx.conf/) on how to configure this.
'';
};
settings = lib.mkOption {
description = ''
Configuration options to set in `configuration.py`.
See the [documentation](https://docs.netbox.dev/en/stable/configuration/) for more possible options.
'';
default = { };
type = lib.types.submodule {
freeformType = pythonFmt.type;
options = {
ALLOWED_HOSTS = lib.mkOption {
type = with lib.types; listOf str;
default = ["*"];
description = ''
A list of valid fully-qualified domain names (FQDNs) and/or IP
addresses that can be used to reach the NetBox service.
'';
};
};
};
};
listenAddress = lib.mkOption {
type = lib.types.str;
default = "[::1]";
description = ''
Address the server will listen on.
'';
};
package = lib.mkOption {
type = lib.types.package;
default =
if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7
else pkgs.netbox_3_6;
defaultText = lib.literalExpression ''
if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7
else pkgs.netbox_3_6;
'';
description = ''
NetBox package to use.
'';
};
port = lib.mkOption {
type = lib.types.port;
default = 8001;
description = ''
Port the server will listen on.
'';
};
plugins = lib.mkOption {
type = with lib.types; functionTo (listOf package);
default = _: [];
defaultText = lib.literalExpression ''
python3Packages: with python3Packages; [];
'';
description = ''
List of plugin packages to install.
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/netbox";
description = ''
Storage path of netbox.
'';
};
secretKeyFile = lib.mkOption {
type = lib.types.path;
description = ''
Path to a file containing the secret key.
'';
};
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Additional lines of configuration appended to the `configuration.py`.
See the [documentation](https://docs.netbox.dev/en/stable/configuration/) for more possible options.
'';
};
enableLdap = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable LDAP-Authentication for Netbox.
This requires a configuration file being pass through `ldapConfigPath`.
'';
};
ldapConfigPath = lib.mkOption {
type = lib.types.path;
default = "";
description = ''
Path to the Configuration-File for LDAP-Authentication, will be loaded as `ldap_config.py`.
See the [documentation](https://netbox.readthedocs.io/en/stable/installation/6-ldap/#configuration) for possible options.
'';
example = ''
import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.com/"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"ou=accounts,ou=posix,dc=example,dc=com",
ldap.SCOPE_SUBTREE,
"(uid=%(user)s)",
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"ou=groups,ou=posix,dc=example,dc=com",
ldap.SCOPE_SUBTREE,
"(objectClass=posixGroup)",
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType()
# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
'';
};
keycloakClientSecret = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
File that contains the keycloak client secret.
'';
};
};
config = lib.mkIf cfg.enable {
services.netbox = {
plugins = lib.mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]);
settings = {
STATIC_ROOT = staticDir;
MEDIA_ROOT = "${cfg.dataDir}/media";
REPORTS_ROOT = "${cfg.dataDir}/reports";
SCRIPTS_ROOT = "${cfg.dataDir}/scripts";
GIT_PATH = "${pkgs.gitMinimal}/bin/git";
DATABASE = {
NAME = "netbox";
USER = "netbox";
HOST = "/run/postgresql";
};
# Redis database settings. Redis is used for caching and for queuing
# background tasks such as webhook events. A separate configuration
# exists for each. Full connection details are required in both
# sections, and it is strongly recommended to use two separate database
# IDs.
REDIS = {
tasks = {
URL = "unix://${config.services.redis.servers.netbox.unixSocket}?db=0";
SSL = false;
};
caching = {
URL = "unix://${config.services.redis.servers.netbox.unixSocket}?db=1";
SSL = false;
};
};
REMOTE_AUTH_BACKEND = lib.mkIf cfg.enableLdap "netbox.authentication.LDAPBackend";
LOGGING = lib.mkDefault {
version = 1;
formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
handlers.console = {
class = "logging.StreamHandler";
formatter = "precise";
};
# log to console/systemd instead of file
root = {
level = "INFO";
handlers = [ "console" ];
};
};
};
extraConfig = ''
with open("${cfg.secretKeyFile}", "r") as file:
SECRET_KEY = file.readline()
'' + (lib.optionalString (cfg.keycloakClientSecret != null) ''
with open("${cfg.keycloakClientSecret}", "r") as file:
SOCIAL_AUTH_KEYCLOAK_SECRET = file.readline()
'');
};
services.redis.servers.netbox.enable = true;
services.postgresql = {
enable = true;
ensureDatabases = [ "netbox" ];
ensureUsers = [
{
name = "netbox";
ensureDBOwnership = true;
}
];
};
environment.systemPackages = [ netboxManageScript ];
systemd.targets.netbox = {
description = "Target for all NetBox services";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" "redis-netbox.service" ];
};
systemd.services = let
defaultServiceConfig = {
WorkingDirectory = "${cfg.dataDir}";
User = "netbox";
Group = "netbox";
StateDirectory = "netbox";
StateDirectoryMode = "0750";
Restart = "on-failure";
RestartSec = 30;
};
in {
netbox = {
description = "NetBox WSGI Service";
documentation = [ "https://docs.netbox.dev/" ];
wantedBy = [ "netbox.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
environment.PYTHONPATH = pkg.pythonPath;
preStart = ''
# On the first run, or on upgrade / downgrade, run migrations and related.
# This mostly correspond to upstream NetBox's 'upgrade.sh' script.
versionFile="${cfg.dataDir}/version"
if [[ -e "$versionFile" && "$(cat "$versionFile")" == "${cfg.package.version}" ]]; then
exit 0
fi
${pkg}/bin/netbox migrate
${pkg}/bin/netbox trace_paths --no-input
${pkg}/bin/netbox collectstatic --no-input
${pkg}/bin/netbox remove_stale_contenttypes --no-input
${pkg}/bin/netbox reindex --lazy
${pkg}/bin/netbox clearsessions
${lib.optionalString
# The clearcache command was removed in 3.7.0:
# https://github.com/netbox-community/netbox/issues/14458
(lib.versionOlder cfg.package.version "3.7.0")
"${pkg}/bin/netbox clearcache"}
echo "${cfg.package.version}" > "$versionFile"
'';
serviceConfig = defaultServiceConfig // {
ExecStart = ''
${pkg.gunicorn}/bin/gunicorn netbox.wsgi \
--bind ${cfg.listenAddress}:${toString cfg.port} \
--pythonpath ${pkg}/opt/netbox/netbox
'';
PrivateTmp = true;
TimeoutStartSec = lib.mkDefault "5min";
};
};
netbox-rq = {
description = "NetBox Request Queue Worker";
documentation = [ "https://docs.netbox.dev/" ];
wantedBy = [ "netbox.target" ];
after = [ "netbox.service" ];
environment.PYTHONPATH = pkg.pythonPath;
serviceConfig = defaultServiceConfig // {
ExecStart = ''
${pkg}/bin/netbox rqworker high default low
'';
PrivateTmp = true;
};
};
netbox-housekeeping = {
description = "NetBox housekeeping job";
documentation = [ "https://docs.netbox.dev/" ];
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "netbox.service" ];
wants = [ "network-online.target" ];
environment.PYTHONPATH = pkg.pythonPath;
serviceConfig = defaultServiceConfig // {
Type = "oneshot";
ExecStart = ''
${pkg}/bin/netbox housekeeping
'';
};
};
};
systemd.timers.netbox-housekeeping = {
description = "Run NetBox housekeeping job";
documentation = [ "https://docs.netbox.dev/" ];
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "netbox.service" ];
wants = [ "network-online.target" ];
timerConfig = {
OnCalendar = "daily";
AccuracySec = "1h";
Persistent = true;
};
};
users.users.netbox = {
home = "${cfg.dataDir}";
isSystemUser = true;
group = "netbox";
};
users.groups.netbox = {};
users.groups."${config.services.redis.servers.netbox.user}".members = [ "netbox" ];
};
}