first release

2025-03-05 12:29:24 +01:00 · 2025-03-05 12:29:24 +01:00 · 92650a89cf
commit 92650a89cf
parent c67995e0f8
14 changed files with 376 additions and 1 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT No Attribution

-Copyright <YEAR> <COPYRIGHT HOLDER>
+Copyright 2025 Unitas Network GmbH

 Permission is hereby granted, free of charge, to any person obtaining a copy of this
 software and associated documentation files (the "Software"), to deal in the Software
--- a/29
+++ b/29
@ -0,0 +1,29 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig
+
+systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+	mkdir -p $(CHROOT)/usr/local/bin
+	cp appliance/PostgreSQL-Backup.sh $(CHROOT)/usr/local/bin/
+	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/usr/local/bin
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+$(nginx_conf): nginx/nginx.conf
+	mv $(CHROOT)/etc/nginx/nginx.conf $@
+	cp $< $(CHROOT)/etc/nginx/nginx.conf
+
+preinstall:
+
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(nginx_conf)
+	# configure postgresql
+	sed -i 's#^PG_INITDB_OPTS=.*#PG_INITDB_OPTS="--encoding=UTF8 --locale=de_DE.UTF-8"#' $(CHROOT)/etc/conf.d/postgresql-*
+	rm -rf $(CHROOT)/var/lib/postgresql/*
+	RUN emerge --config dev-db/postgresql
--- a/appliance/02firstboot.start
+++ b/appliance/02firstboot.start
@ -0,0 +1,80 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+HOST="netbox"
+TLD="example.com"
+ORGNAME="Netbox example"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+
+# start
+set -e
+
+PGVER=$(eselect postgresql show)
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Database
+systemctl stop postgresql-$PGVER
+if [ ! -d "/$LABEL/var/lib/postgresql" ]; then
+	echo 'Create database directory...'
+	mkdir -p "/$LABEL/var/lib"
+	rm -rf "/$LABEL/var/lib/postgresql.orig"
+	cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql"
+	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+else
+	echo 'start PostgreSQL DB...'
+	if [ ! -L /var/lib/postgresql ]; then
+		rm -rf "/$LABEL/var/lib/postgresql.orig"
+		mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+		ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+	fi
+fi
+systemctl start postgresql-$PGVER
+
+# Certificate
+if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then
+	echo 'Create certificates...'
+	mkdir -p "/$LABEL/CERTS/KEYS/"
+	mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+	echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+	openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+	cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+	touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+rm -rf /etc/ssl/nginx
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
+/etc/ssl/cert-renew.sh
+
+# Netbox configuration
+if [ -f "/$LABEL/etc/netbox/configuration.py" ]; then
+	ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
+fi
+emerge --config www-apps/netbox
+if [ ! -f "/$LABEL/etc/netbox/configuration.py" ]; then
+	mkdir -p "/$LABEL/etc/netbox"
+	mv "/etc/netbox/configuration.py" "/$LABEL/etc/netbox/configuration.py"
+	ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
+fi
+
+# Service enabling
+systemctl enable postgresql-$PGVER
+systemctl enable redis.service
+systemctl enable netbox.service 
+systemctl enable netbox-rq.service
+systemctl enable netbox-housekeeping.timer
+systemctl enable nginx.service
+
+systemctl restart redis.service
+systemctl restart netbox.service netbox-rq.service
+systemctl restart nginx.service
+
+rm /02firstboot
--- a/appliance/PostgreSQL-Backup.sh
+++ b/appliance/PostgreSQL-Backup.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/PostgreSQL"
+USER="postgres"
+##PASS="gentoo"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+## for i in `psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`; do
+for i in $(psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do
+  if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then
+   if test -f ${DIR}/${i}.sql; then
+    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+   fi
+   echo "dump ${i} to ${DIR}/${i}.sql"
+   pg_dump -U $USER $i > ${DIR}/${i}.sql
+   chmod 600 ${DIR}/${i}.sql
+  fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ pg_dump -U $USER $1 > ${DIR}/${1}.sql
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;
--- a/appliance/backup.service
+++ b/appliance/backup.service
@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/PostgreSQL-Backup.sh --all
--- a/appliance/backup.timer
+++ b/appliance/backup.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+ 
+[Install]
+WantedBy=default.target
--- a/appliance/cert-renew.service
+++ b/appliance/cert-renew.service
@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
--- a/appliance/cert-renew.sh
+++ b/appliance/cert-renew.sh
@ -0,0 +1,55 @@
+#!/bin/bash
+
+HOST="netbox"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_NGINX=/$LABEL/etc/ssl/nginx
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+  git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+  GIT_REVISION=0
+  GIT_NEW_REVISION=1
+  cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+  GIT_REVISION=0
+  git clone "https://$GETUSER:$GETPASS@$GETREPO"
+  cd $FQDN
+  GIT_NEW_REVISION=$(getCurrentVersion)
+else
+  cd $FQDN
+  GIT_REVISION=$(getCurrentVersion)
+  git commit -m "CRON: auto commit"
+  git fetch
+  git merge origin/master -m "Auto Merge"
+  GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+  echo "Update Nginx certificate..."
+  mkdir -p $CERT_NGINX
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
+  chown nginx:nginx $CERT_NGINX/nginx.*
+  chmod 444 $CERT_NGINX/nginx.pem
+  chmod 400 $CERT_NGINX/nginx.key
+  echo "Restarting Nginx..."
+  systemctl is-active --quiet nginx && systemctl restart nginx
+fi
+
+exit 0
--- a/appliance/cert-renew.timer
+++ b/appliance/cert-renew.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -0,0 +1,78 @@
+user nginx nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error_log info;
+
+events {
+    worker_connections 1024;
+    use epoll;
+}
+
+http {
+    include /etc/nginx/mime.types.nginx;
+    types_hash_max_size 4096;
+    default_type application/octet-stream;
+
+    log_format main
+	'$remote_addr - $remote_user [$time_local] '
+	'"$request" $status $bytes_sent '
+	'"$http_referer" "$http_user_agent" '
+	'"$gzip_ratio"';
+
+    client_header_timeout 10m;
+    client_body_timeout 10m;
+    send_timeout 10m;
+
+    connection_pool_size 256;
+    client_header_buffer_size 1k;
+    large_client_header_buffers 4 2k;
+    request_pool_size 4k;
+
+    gzip off;
+
+    output_buffers 1 32k;
+    postpone_output 1460;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    keepalive_timeout 75 20;
+
+    ignore_invalid_headers on;
+
+    index index.html;
+
+    server {
+	# Redirect HTTP traffic to HTTPS
+	listen [::]:80 ipv6only=off;
+	server_name _;
+	return 301 https://$host$request_uri;
+    }
+
+
+    server {
+	listen [::]:443 ssl ipv6only=off;
+	server_name _;
+
+	ssl_certificate /etc/ssl/nginx/nginx.pem;
+	ssl_certificate_key /etc/ssl/nginx/nginx.key;
+
+	client_max_body_size 25m;
+
+	location /static/ {
+	    alias /usr/lib/netbox/static/;
+	}
+
+	location / {
+	    include uwsgi_params;
+	    uwsgi_pass  127.0.0.1:8001;
+	    uwsgi_param Host $host;
+	    uwsgi_param X-Real-IP $remote_addr;
+	    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+	    uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
+	}
+    }
+
+    include /etc/nginx/*_vhost.conf;
+}
--- a/package.accept_keywords
+++ b/package.accept_keywords
@ -0,0 +1,38 @@
+dev-python/django-cors-headers
+dev-python/django-debug-toolbar
+dev-python/django-graphiql-debug-toolbar
+dev-python/django-filter
+dev-python/django-htmx
+dev-python/django-mptt
+dev-python/django-pglocks
+dev-python/django-prometheus
+dev-python/django-redis
+dev-python/django-rich
+dev-python/django-rq
+dev-python/django-tables2
+dev-python/django-taggit
+dev-python/django-timezone-field
+dev-python/djangorestframework
+dev-python/drf-yasg
+dev-python/drf-spectacular
+dev-python/drf-spectacular-sidecar
+dev-python/graphene
+dev-python/graphene-django
+dev-python/graphql-core
+dev-python/graphql-relay
+dev-python/griffe
+dev-python/markdown-include
+dev-python/mkdocstrings
+dev-python/mkdocstrings-python
+dev-python/mkdocs-autorefs
+dev-python/promise
+dev-python/social-auth-core
+dev-python/social-auth-app-django
+dev-python/strawberry-graphql
+dev-python/strawberry-graphql-django
+dev-python/svgwrite
+dev-python/tablib
+dev-python/django-auth-ldap
+dev-python/python3-openid
+dev-python/inflection
+dev-python/django-js-asset
--- a/package.use
+++ b/package.use
@ -0,0 +1,9 @@
+# Netbox
+www-apps/netbox branching ldap
+
+# Nginx / uWSGI
+app-misc/mime-types nginx
+www-servers/uwsgi python
+
+# Redis
+dev-libs/jemalloc stats
--- a/va-netbox.cfg
+++ b/va-netbox.cfg
@ -0,0 +1,3 @@
+REPO_NAMES += unitas-netbox
+REPO_URI_unitas-netbox = https://git.unitas-network.de/Gentoo/unitas-netbox.git
+PROFILES_INSTALL = YES
--- a/8
+++ b/8
@ -0,0 +1,8 @@
+app-crypt/certbot-nginx
+dev-db/postgresql
+dev-db/redis
+www-apps/netbox
+www-apps/netbox-device-type-library-import
+www-plugins/netboxlabs-netbox-branching
+www-servers/nginx
+www-servers/uwsgi