pivot out host_vars

README.md

@@ -8,5 +8,5 @@ ansible, `sshpass`
 λ ~/git/comfy.lab/inf-aux
 » ansible-playbook bootstrap.yml --extra-vars "unprepped=raspberrypi.lab.uncomfortably.online provision_hostname=aux" -i inventory
 # ...
-» ansible-playbook provision.yml -i inventory
+» ansible-playbook provision.yml -i inventory --vault-password-file=~/.ansiblevault
 ```

host_vars/aux.lab.uncomfortably.online/vars.yml

@@ -0,0 +1,22 @@
+netbox_pg_password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      66303538363739656566343635613761653931306635346435383264633230313966323464326239
+      3661376639383866633930393065333336353136663233320a323639363164633833303631333931
+      64356634616563343837393965656331393832366237306139656436666637653534363661326161
+      3434613835343339380a323032336630353162643361366637616562383137623031386631656462
+      34633866636262336665393961313364656435643736616164346262326230383064
+netbox_secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      35346664643362336338323039326535343866333864313739366237653438323736376537633562
+      3131373533343330663461333832633330373034616563320a383739313535663331306666666462
+      63363239623933326163346537616665313665373765363464633238636262356635616230396362
+      3563633139333336630a613736363730373761353366613531663532396666623862623262353265
+      61313463623430626163383166626466393561636239333762666231343332396439
+netbox_host: netbox.lab.uncomfortably.online
+netbox_superuser_email: erin@hecke.rs
+netbox_superuser_username: erin
+netbox_superuser_password: "{{ lookup('passwordstore', 'infra/{{netbox_superuser_username}}@netbox' + ' create=true length=20')
+                    | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
+
+
+unifi_host: unifi.lab.uncomfortably.online

provision.yml

@@ -1,4 +1,6 @@
 - hosts: aux.lab.uncomfortably.online
   tasks:
-    - include_role:
-        name: unifi
+    - import_role:
+        name: unifi
+    - import_role:
+        name: netbox

roles/netbox/defaults/main.yml

@@ -0,0 +1,4 @@
+netbox_db: netbox
+netbox_pg_username: netbox
+netbox_release: '2.6.1'
+netbox_user: netbox

roles/netbox/tasks/main.yml

@@ -0,0 +1,165 @@
+- name: install postgres
+  apt:
+    package: [postgresql, libpq-dev, python-psycopg2]
+    state: present
+  become: yes
+
+- name: create netbox database
+  postgresql_db:
+    name: "{{netbox_db}}"
+    state: present
+  become: yes
+  become_user: postgres
+
+- name: create netbox postgres user
+  postgresql_user:
+    db: "{{netbox_db}}"
+    name: "{{netbox_pg_username}}"
+    password: "{{netbox_pg_password}}"
+  become: yes
+  become_user: postgres
+
+- name: install dependencies
+  apt:
+    package: [python3, python3-setuptools, python-setuptools, python3-dev, build-essential, libxml2-dev, libxslt1-dev,
+              libffi-dev, graphviz, libpq-dev, libssl-dev, redis-server, zlib1g-dev, libopenjp2-7, supervisor, nginx]
+    state: present
+  become: yes
+
+- name: remove system pip
+  apt:
+    package: python3-pip
+    state: absent
+  become: yes
+
+- name: install pip via get-pip.py
+  shell: curl https://bootstrap.pypa.io/get-pip.py | python3 -
+  become: yes
+
+- name: grab the netbox release
+  unarchive:
+    src: https://github.com/digitalocean/netbox/archive/v{{netbox_release}}.tar.gz
+    remote_src: yes
+    dest: /opt
+    owner: root
+    group: root
+    mode: u=rwX,g=rX,o=rX
+  become: yes
+
+- name: alias it to /opt/netbox
+  file:
+    src: /opt/netbox-{{netbox_release}}
+    dest: /opt/netbox
+    state: link
+  become: yes
+
+- name: create netbox user
+  user:
+    name: "{{netbox_user}}"
+    state: present
+  become: yes
+
+- name: chown netbox/media to netbox user
+  file:
+    path: /opt/netbox/netbox/media
+    recurse: yes
+    owner: "{{netbox_user}}"
+    group: "{{netbox_user}}"
+  become: yes
+
+- name: install dependencies via pip
+  pip:
+    requirements: /opt/netbox/requirements.txt
+    executable: pip3
+  become: yes
+
+- name: install napalm, Pillow, gunicorn
+  pip:
+    name: [napalm, Pillow, gunicorn]
+    state: present
+    executable: pip3
+  become: yes
+
+- name: template netbox config
+  template:
+    src: netbox/configuration.py
+    dest: /opt/netbox/netbox/netbox/configuration.py
+    owner: "{{netbox_user}}"
+    group: "{{netbox_user}}"
+  become: yes
+
+- name: run migrations
+  shell: python3 manage.py migrate
+  args:
+    chdir: /opt/netbox/netbox/
+  become: yes
+  become_user: "{{netbox_user}}"
+
+- name: create netbox superuser
+  shell: >
+    echo "from django.contrib.auth import get_user_model; User = get_user_model(); User.objects.create_superuser('{{netbox_superuser_username}}', '{{netbox_superuser_email}}', '{{netbox_superuser_password}}')" \
+      | python3 manage.py shell
+  args:
+    chdir: /opt/netbox/netbox/
+  become: yes
+  become_user: "{{netbox_user}}"
+
+- name: collect static files
+  shell: python3 manage.py collectstatic --no-input
+  args:
+    chdir: /opt/netbox/netbox/
+  become: yes
+
+- name: load seed data
+  shell: python3 manage.py loaddata initial_data
+  args:
+    chdir: /opt/netbox/netbox/
+  become: yes
+
+- name: template nginx config
+  template:
+    src: nginx/netbox.conf
+    dest: /etc/nginx/sites-available/netbox
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: link nginx config
+  file:
+    src: /etc/nginx/sites-available/netbox
+    dest: /etc/nginx/sites-enabled/netbox
+    state: link
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: install gunicorn config
+  template:
+    src: netbox/gunicorn_config.py
+    dest: /opt/netbox/gunicorn_config.py
+    owner: "{{netbox_user}}"
+    group: "{{netbox_user}}"
+  become: yes
+
+- name: install gunicorn supervisord config
+  template:
+    src: supervisor/netbox.conf
+    dest: /etc/supervisor/conf.d/netbox.conf
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: restart supervisord
+  service:
+    name: supervisor
+    state: restarted
+  become: yes
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+  become: yes

roles/netbox/templates/netbox/configuration.py

@@ -0,0 +1,24 @@
+ALLOWED_HOSTS = ['{{netbox_host}}']
+
+DATABASE = {
+    'NAME': '{{netbox_db}}',                        # Database name
+    'USER': '{{netbox_pg_username}}',               # PostgreSQL username
+    'PASSWORD': '{{netbox_pg_password}}',           # PostgreSQL password
+    'HOST': 'localhost',                            # Database server
+    'PORT': '',                                     # Database port (leave blank for default)
+}
+
+SECRET_KEY = '{{netbox_secret_key}}'
+
+# Redis database settings. The Redis database is used for caching and background processing such as webhooks
+REDIS = {
+    'HOST': 'localhost',
+    'PORT': 6379,
+    'PASSWORD': '',
+    'DATABASE': 0,
+    'CACHE_DATABASE': 1,
+    'DEFAULT_TIMEOUT': 300,
+    'SSL': False,
+}
+
+WEBHOOKS_ENABLED = True

roles/netbox/templates/netbox/gunicorn_config.py

@@ -0,0 +1,5 @@
+command = '/usr/bin/gunicorn'
+pythonpath = '/opt/netbox/netbox'
+bind = '127.0.0.1:8001'
+workers = 3
+user = '{{netbox_user}}'

roles/netbox/templates/nginx/netbox.conf

@@ -0,0 +1,19 @@
+server {
+    listen 80;
+
+    server_name {{netbox_host}};
+
+    client_max_body_size 25m;
+
+    location /static/ {
+        alias /opt/netbox/netbox/static/;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:8001;
+        proxy_set_header X-Forwarded-Host $server_name;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
+    }
+}

roles/netbox/templates/supervisor/netbox.conf

@@ -0,0 +1,9 @@
+[program:netbox]
+command = gunicorn -c /opt/netbox/gunicorn_config.py netbox.wsgi
+directory = /opt/netbox/netbox/
+user = {{netbox_user}}
+
+[program:netbox-rqworker]
+command = python3 /opt/netbox/netbox/manage.py rqworker
+directory = /opt/netbox/netbox/
+user = {{netbox_user}}

roles/rpi-base/tasks/access.yml

@@ -9,3 +9,9 @@
     name: ssh
     state: started
     enabled: yes
+
+- name: ACCESS | install acl package
+  apt:
+    package: acl
+    state: present
+  become: yes

roles/unifi/tasks/main.yml

@@ -19,10 +19,35 @@
 - name: install unifi-controller packages
   apt:
     name: unifi
-    state: present
+    state: latest
   become: yes
   notify:
     - restart unifi
 
 # - name: disable default unifi mongodb
-#   lineinfile: 
+#   lineinfile: 
+
+- name: install unifi nginx config
+  template:
+    src: nginx/unifi.conf
+    dest: /etc/nginx/sites-available/unifi
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: link nginx config
+  file:
+    src: /etc/nginx/sites-available/unifi
+    dest: /etc/nginx/sites-enabled/unifi
+    state: link
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+  become: yes

vars/secrets.yml

@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36373864353634383162353562633637656532336132313664303736356664333166316363636132
-3735623235646562373830336265646334316237383539630a373037653463393138663865616364
-64666636336131626337646462636363613036366265646163373231633332663764633864653137
-6537663231356235630a306461396237376466633039323434343366633139356264323862323938
-65643437613533333366313831646231623335643832663836313164663032663432