
Netbox

Postgresql

Installation

Bash
# PostgreSQL 16 server from the Alpine repositories (--update refreshes the package index first).
apk add --update postgresql16

Configuration

Bash
# Initialise the cluster, start the server, then open an admin shell as the postgres superuser
# (the SQL statements below are typed into that shell).
rc-service postgresql setup
rc-service postgresql start
psql -U postgres
PostgreSQL SQL Dialect
-- Database and role used by NetBox; both names must match DATABASE['NAME'] / DATABASE['USER'] in configuration.py.
CREATE DATABASE netbox;
-- Replace the placeholder with a strong password; the same value goes into DATABASE['PASSWORD'] in configuration.py.
CREATE USER netbox WITH PASSWORD 'METTRE_UN_MOT_DE_PASSE';
-- Ownership lets the netbox role manage its own database objects without superuser rights.
ALTER DATABASE netbox OWNER TO netbox;
PostgreSQL SQL Dialect
-- Switch to the new database so the GRANT applies to its own public schema.
\connect netbox;
-- Since PostgreSQL 15 the public schema is no longer writable by every role; NetBox's migrations need CREATE on it.
GRANT CREATE ON SCHEMA public TO netbox;
\q

Démarrer le service

Bash
# Start PostgreSQL automatically at boot (default runlevel).
rc-update add postgresql

Redis

Installation

Bash
# Redis backs NetBox's task queue and cache (see the REDIS block in configuration.py).
apk add --update redis

Démarrer le service

Bash
# Start Redis now and at boot.
# NOTE(review): configuration.py below uses no Redis PASSWORD, so access control rests on Redis
# listening only on loopback — confirm the bind setting in the Redis config file before relying on it.
rc-service redis start
rc-update add redis

NetBox

Pré-requis

Bash
# NetBox prerequisites: Python, pip, virtualenv, Python headers (in case pip has to compile a
# dependency) and git for the clone below.
apk add --update python3 py3-pip py3-virtualenv python3-dev git

Installation

Bash
# Shallow clone of the master branch into /opt/netbox.
# NOTE(review): master moves with every release; pinning a release tag (-b <TAG>) gives a
# reproducible, reviewable install — confirm the version you intend to deploy.
git clone -b master --depth 1 https://github.com/netbox-community/netbox.git /opt/netbox

Configuration

Bash
# Dedicated unprivileged system account; the OpenRC services below run as netbox:netbox.
addgroup -S netbox
adduser --system netbox -G netbox
# NOTE(review): the clone above was presumably made as root, so the tree is root-owned. The netbox
# user still needs write access to the directories NetBox writes at runtime (upstream names media/,
# reports/ and scripts/) — confirm and chown only those, not the whole tree.
Bash
# Start from the shipped example configuration, then generate a random SECRET_KEY to paste into it
# (the key is printed to stdout and is not written anywhere by the script).
cp /opt/netbox/netbox/netbox/configuration_example.py /opt/netbox/netbox/netbox/configuration.py
python3 /opt/netbox/netbox/generate_secret_key.py
Bash
# Edit the configuration; the settings to change are listed below.
nano /opt/netbox/netbox/netbox/configuration.py

Remplacer :

Text Only
# NOTE(review): '*' disables Django's Host-header validation. Restrict this to the name nginx
# serves below (e.g. ['netbox.exemple.fr']) once the vhost is in place.
ALLOWED_HOSTS = ['*']

# PostgreSQL connection. NAME/USER/PASSWORD must match the CREATE DATABASE / CREATE USER
# statements run earlier — replace the example password with the one chosen there.
DATABASE = {
    'NAME': 'netbox',               # Database name
    'USER': 'netbox',               # PostgreSQL username
    'PASSWORD': 'J5brHrAXFLQSif0K', # PostgreSQL password
    'HOST': 'localhost',            # Database server
    'PORT': '',                     # Database port (leave blank for default)
    'CONN_MAX_AGE': 300,            # Max database connection age (seconds)
}

# Two logical databases on the local Redis: one for the RQ task queue, one for caching.
# No PASSWORD is set, so access control rests on Redis listening only on loopback — confirm its bind.
REDIS = {
    'tasks': {
        'HOST': 'localhost',      # Redis server
        'PORT': 6379,             # Redis port
        'PASSWORD': '',           # Redis password (optional)
        'DATABASE': 0,            # Database ID
        'SSL': False,             # Use SSL (optional)
    },
    'caching': {
        'HOST': 'localhost',
        'PORT': 6379,
        'PASSWORD': '',
        'DATABASE': 1,            # Unique ID for second database
        'SSL': False,
    }
}

SECRET_KEY : renseigner la valeur générée plus haut par generate_secret_key.py.

Installation

Bash
# Upstream's install/upgrade script: creates the virtualenv at /opt/netbox/venv, installs the
# Python dependencies, runs the database migrations and collects static files.
/opt/netbox/upgrade.sh

Configuration

Bash
# Activate the virtualenv created by upgrade.sh and create the first admin account (interactive prompts).
source /opt/netbox/venv/bin/activate
python3 /opt/netbox/netbox/manage.py createsuperuser

crontab

Bash
# Daily housekeeping through Alpine's periodic cron directory. The link name deliberately drops
# the .sh suffix (run-parts implementations commonly skip names containing a dot — confirm for busybox).
ln -s /opt/netbox/contrib/netbox-housekeeping.sh /etc/periodic/daily/netbox-housekeeping

Gunicorn

Bash
# Copy the reference gunicorn configuration; the OpenRC service below points at this copy.
cp /opt/netbox/contrib/gunicorn.py /opt/netbox/gunicorn.py
Bash
# Edit the bind address/port used by gunicorn (nginx below proxies to 127.0.0.1:8001).
nano /opt/netbox/gunicorn.py
Text Only
Changer 127.0.0.1 par 0.0.0.0 (nécessaire seulement si nginx tourne sur une autre machine : ici le proxy_pass ci-dessous vise 127.0.0.1:8001 sur le même hôte, et une écoute sur 0.0.0.0 expose gunicorn en clair sur le port 8001 à tout le réseau).

Création des services OpenRC

netbox

Bash
# Create the OpenRC service script shown below.
nano /etc/init.d/netbox
Text Only
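#!/sbin/openrc-run
# OpenRC service for the NetBox web application (gunicorn WSGI server), run as the
# unprivileged netbox user from /opt/netbox.

name="netbox"
command="/opt/netbox/venv/bin/gunicorn"
command_args="--pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi"
command_background="true"
pidfile="/var/run/${name}.pid"
# Defaults only; OpenRC sources /etc/conf.d/netbox first, so values set there win.
: ${directory:=/opt/netbox}
: ${command_user:=netbox:netbox}

depend() {
  # NetBox connects to PostgreSQL and Redis on this host (HOST localhost in configuration.py);
  # ordering the start after them avoids failures at boot.
  need net postgresql redis
}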
Bash
# OpenRC only runs executable service scripts.
chmod +x /etc/init.d/netbox

Lancer le service

Bash
# Start the web service now and enable it at boot.
rc-service netbox start
rc-update add netbox

netbox-rq

Bash
# Create the OpenRC service script for the background worker shown below.
nano /etc/init.d/netbox-rq
Text Only
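#!/sbin/openrc-run
# OpenRC service for the NetBox RQ background worker (queues high, default, low), run as the
# unprivileged netbox user from /opt/netbox.

name="netbox-rq"
# command holds the executable only; the worker invocation goes in command_args, the same
# layout as /etc/init.d/netbox.
command="/opt/netbox/venv/bin/python3"
command_args="/opt/netbox/netbox/manage.py rqworker high default low"
command_background="true"
pidfile="/var/run/${name}.pid"
# Defaults only; OpenRC sources /etc/conf.d/netbox-rq first, so values set there win.
: ${directory:=/opt/netbox}
: ${command_user:=netbox:netbox}

depend() {
  # The worker connects to Redis (and PostgreSQL) as soon as it starts; order after them at boot.
  need net postgresql redis
}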
Bash
# OpenRC only runs executable service scripts.
chmod +x /etc/init.d/netbox-rq

Lancer le service

Bash
# Start the worker now and enable it at boot.
rc-service netbox-rq start
rc-update add netbox-rq

nginx

Installation

Bash
# nginx terminates TLS and proxies to gunicorn.
apk add --update nginx

Configuration

Bash
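# Keep a copy of the packaged nginx.conf before replacing it, using the same .old suffix as
# default.conf further down (a plain name avoids the shell treating brackets as a glob pattern).
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old
nano /etc/nginx/nginx.conf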
Text Only
# Main nginx configuration for the NetBox reverse proxy (replaces the packaged file).
# Workers drop to the nginx user; the master process still starts as root and reads the TLS key.
user nginx;
worker_processes auto;

# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg

events {
    # The maximum number of simultaneous connections that can be opened by a worker process.
    worker_connections 1024; # increase if you need more connections
}

http {
    # server_names_hash_bucket_size controls the maximum length
    # of a virtual host entry (ie the length of the domain name).
    server_names_hash_bucket_size   64; # controls the maximum length of a virtual host entry (ie domain name)
    server_tokens                   off; # hide who we are, don't show nginx version to clients
    sendfile                        on; # can cause issues

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    # NOTE(review): 0 removes the limit for every client, so any request can stream an
    # unbounded body at gunicorn; a finite value sized for NetBox's uploads is safer.
    client_max_body_size 0;

    # nginx will find this file in the config directory set at nginx build time
    # Includes mapping of file name extensions to MIME types of responses
    include mime.types;

    # fallback in case we can't determine a type
    default_type application/octet-stream;

    # buffering causes issues, disable it
    # increase buffer size. still useful even when buffering is off
    proxy_buffering off;
    proxy_buffer_size 4k;

    # allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
    reset_timedout_connection on;

    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
            '$status $body_bytes_sent "$http_referer" '
            '"$http_user_agent" "$http_x_forwarded_for"';

    # Sets the path, format, and configuration for a buffered log write.
    # Buffer log writes to speed up IO, or disable them altogether
    access_log /var/log/nginx/access.log main buffer=16k;
    #access_log off;

    # Include files with config snippets into the root context.
    # Only *.conf is picked up here; the *.inc snippets created below are included explicitly
    # from the vhost, so they are not loaded twice.
    include conf.d/*.conf;

    # Includes virtual hosts configs.
    include http.d/*.conf;
}

En-tête

Bash
# Shared proxy headers, included from the NetBox vhost (location /). Requires /etc/nginx/conf.d to exist.
nano /etc/nginx/conf.d/proxy_set_header.inc
Text Only
# Headers that let NetBox see the original scheme, host and client address behind the proxy.
# nginx sets them unconditionally, so a client cannot inject its own values for these three.
proxy_set_header X-Forwarded-Proto $scheme;      # https once TLS is terminated here
proxy_set_header X-Forwarded-Host  $http_host;   # Host header as sent by the client
proxy_set_header X-Real-IP         $remote_addr; # peer address seen by nginx

Configuration SSL

Bash
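# Directory for the shared snippets (-p: no error if it already exists, e.g. because
# proxy_set_header.inc was written there above). Then create the TLS parameter snippet.
mkdir -p /etc/nginx/conf.d
nano /etc/nginx/conf.d/ssl-params.inc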
Text Only
# secure nginx, see https://cipherli.st/
# TLS parameters shared by HTTPS vhosts (included from netbox.conf).

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# The EDH ciphers below use these parameters; note the command here differs from the one run
# later in the page (which adds -dsaparam) — use one deliberately.
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# NOTE(review): OCSP stapling needs a `resolver` directive (only resolver_timeout is set) and a
# CA-issued certificate with an OCSP responder; with the self-signed certificate used below nginx
# will log a warning and serve without a staple. Harmless, but confirm once a real certificate is used.
ssl_stapling on;
ssl_stapling_verify on;
resolver_timeout 5s;

# https://hstspreload.org
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
# NOTE(review): once a browser has cached HSTS (two years here, for all subdomains) certificate
# errors can no longer be clicked through — make sure the self-signed certificate is trusted by
# clients, or enable this only after switching to a CA-issued one.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

Génération du fichier ssl_dhparam

Bash
# DH parameters referenced by ssl_dhparam in ssl-params.inc. -dsaparam makes generation fast but
# produces DSA-style (non-safe-prime) parameters, which is only acceptable because TLS generates a
# fresh ephemeral DH key per handshake; the inline comment in ssl-params.inc omits the flag.
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096

générer un certificat

Bash
# Self-signed certificate and key for the vhost. Without -subj the command prompts interactively;
# the CN (and ideally a SAN) should be the server_name used below, netbox.exemple.fr, so clients
# that import the certificate can validate it. -nodes writes the private key unencrypted, so keep
# the key file root-readable only (the nginx master reads it as root at startup).
# NOTE(review): -days 99999 far exceeds the lifetimes current browsers accept for leaf
# certificates — confirm against your clients, or use a CA-issued certificate.
openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

netbox.conf

Bash
# Alpine's nginx loads vhosts from http.d/ (see nginx.conf); park the packaged default vhost
# and create the NetBox vhost shown below.
mv /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf.old
nano /etc/nginx/http.d/netbox.conf
Text Only
# Plain-HTTP listener: only redirects to HTTPS, nothing is served in clear.
server {
    listen                  80;
    listen                  [::]:80;
    server_name             netbox.exemple.fr;
    return 301 https://$host$request_uri;
}

# HTTPS vhost fronting gunicorn.
server {
    # NOTE(review): recent nginx releases deprecate the `http2` listen parameter in favour of a
    # separate `http2 on;` directive — confirm against the installed version.
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             netbox.exemple.fr;
    # Self-signed pair generated earlier; replace with a CA-issued certificate when available.
    ssl_certificate         /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key     /etc/ssl/private/nginx-selfsigned.key;

    include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

    # Static assets served directly by nginx; the path must be readable by the nginx user.
    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    # Everything else goes to gunicorn on loopback (assumes gunicorn.py binds port 8001 — confirm).
    location / {
        include     conf.d/proxy_set_header.inc;
        proxy_pass http://127.0.0.1:8001;
        proxy_cache_bypass  $http_upgrade;
    }
}

Lancer le service

Bash
# Start nginx now and enable it at boot.
rc-service nginx start
rc-update add nginx