From 92650a89cf82caf199aceaeff8d5a26f7f8e0551 Mon Sep 17 00:00:00 2001 From: Joerg Deckert Date: Wed, 5 Mar 2025 12:29:24 +0100 Subject: [PATCH] first release --- LICENSE | 2 +- Makefile | 29 ++++++++++++ appliance/02firstboot.start | 80 ++++++++++++++++++++++++++++++++++ appliance/PostgreSQL-Backup.sh | 35 +++++++++++++++ appliance/backup.service | 8 ++++ appliance/backup.timer | 12 +++++ appliance/cert-renew.service | 8 ++++ appliance/cert-renew.sh | 55 +++++++++++++++++++++++ appliance/cert-renew.timer | 12 +++++ nginx/nginx.conf | 78 +++++++++++++++++++++++++++++++++ package.accept_keywords | 38 ++++++++++++++++ package.use | 9 ++++ va-netbox.cfg | 3 ++ world | 8 ++++ 14 files changed, 376 insertions(+), 1 deletion(-) create mode 100644 Makefile create mode 100755 appliance/02firstboot.start create mode 100755 appliance/PostgreSQL-Backup.sh create mode 100644 appliance/backup.service create mode 100644 appliance/backup.timer create mode 100644 appliance/cert-renew.service create mode 100755 appliance/cert-renew.sh create mode 100644 appliance/cert-renew.timer create mode 100644 nginx/nginx.conf create mode 100644 package.accept_keywords create mode 100644 package.use create mode 100644 va-netbox.cfg create mode 100644 world diff --git a/LICENSE b/LICENSE index a4e9dc9..a357808 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT No Attribution -Copyright +Copyright 2025 Unitas Network GmbH Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..54afa63 --- /dev/null +++ b/Makefile @@ -0,0 +1,29 @@ +02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start +cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh +nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig + +systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer + mkdir -p $(CHROOT)/usr/local/bin + cp appliance/PostgreSQL-Backup.sh $(CHROOT)/usr/local/bin/ + cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/ + +$(02firstboot): appliance/02firstboot.start + mkdir -p $(CHROOT)/usr/local/bin + cp $< $@ + touch $(CHROOT)/02firstboot + +$(cert-renew.sh): appliance/cert-renew.sh + mkdir -p $(CHROOT)/etc/ssl + cp $< $@ + +$(nginx_conf): nginx/nginx.conf + mv $(CHROOT)/etc/nginx/nginx.conf $@ + cp $< $(CHROOT)/etc/nginx/nginx.conf + +preinstall: + +postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(nginx_conf) + # configure postgresql + sed -i 's#^PG_INITDB_OPTS=.*#PG_INITDB_OPTS="--encoding=UTF8 --locale=de_DE.UTF-8"#' $(CHROOT)/etc/conf.d/postgresql-* + rm -rf $(CHROOT)/var/lib/postgresql/* + RUN emerge --config dev-db/postgresql diff --git a/appliance/02firstboot.start b/appliance/02firstboot.start new file mode 100755 index 0000000..fec7b7b --- /dev/null +++ b/appliance/02firstboot.start @@ -0,0 +1,80 @@ +#!/bin/bash + +# variables +LABEL="DATA" +HOST="netbox" +TLD="example.com" +ORGNAME="Netbox example" +DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16) + +# start +set -e + +PGVER=$(eselect postgresql show) + +[ -e /01firstboot ] && exit 0 +[ -e /02firstboot ] || exit 0 + +# Database +systemctl stop postgresql-$PGVER +if [ ! -d "/$LABEL/var/lib/postgresql" ]; then + echo 'Create database directory...' + mkdir -p "/$LABEL/var/lib" + rm -rf "/$LABEL/var/lib/postgresql.orig" + cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig" + mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql" + ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql" +else + echo 'start PostgreSQL DB...' + if [ ! -L /var/lib/postgresql ]; then + rm -rf "/$LABEL/var/lib/postgresql.orig" + mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig" + ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql" + fi +fi +systemctl start postgresql-$PGVER + +# Certificate +if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then + echo 'Create certificates...' + mkdir -p "/$LABEL/CERTS/KEYS/" + mkdir -p "/$LABEL/CERTS/$HOST.$TLD" + echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem" + cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem" + touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" +fi +rm -rf /etc/ssl/nginx +mkdir -p /etc/ssl +ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx" +/etc/ssl/cert-renew.sh + +# Netbox configuration +if [ -f "/$LABEL/etc/netbox/configuration.py" ]; then + ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py" +fi +emerge --config www-apps/netbox +if [ ! -f "/$LABEL/etc/netbox/configuration.py" ]; then + mkdir -p "/$LABEL/etc/netbox" + mv "/etc/netbox/configuration.py" "/$LABEL/etc/netbox/configuration.py" + ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py" +fi + +# Service enabling +systemctl enable postgresql-$PGVER +systemctl enable redis.service +systemctl enable netbox.service +systemctl enable netbox-rq.service +systemctl enable netbox-housekeeping.timer +systemctl enable nginx.service + +systemctl restart redis.service +systemctl restart netbox.service netbox-rq.service +systemctl restart nginx.service + +rm /02firstboot diff --git a/appliance/PostgreSQL-Backup.sh b/appliance/PostgreSQL-Backup.sh new file mode 100755 index 0000000..3a50d12 --- /dev/null +++ b/appliance/PostgreSQL-Backup.sh @@ -0,0 +1,35 @@ +#!/bin/bash +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + +DIR="/DATA/Backup/PostgreSQL" +USER="postgres" +##PASS="gentoo" + +if [ -z $1 ]; then + echo "database name missing! use --all for all db's" + exit 1; +elif [ $1 = '--all' ]; then + echo "full backup" +## for i in `psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`; do +for i in $(psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do + if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then + if test -f ${DIR}/${i}.sql; then + echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1" + mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1 + fi + echo "dump ${i} to ${DIR}/${i}.sql" + pg_dump -U $USER $i > ${DIR}/${i}.sql + chmod 600 ${DIR}/${i}.sql + fi + done; +elif [ -n $1 ]; then + echo "Starting backup of $1" + if test -f $DIR/$1.sql; then + echo "Move $DIR/$1.sql to $DIR/$1.sql.1" + mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1 + fi + pg_dump -U $USER $1 > ${DIR}/${1}.sql + chmod 600 ${DIR}/${1}.sql +fi +echo "Done" +exit 0; diff --git a/appliance/backup.service b/appliance/backup.service new file mode 100644 index 0000000..619cd03 --- /dev/null +++ b/appliance/backup.service @@ -0,0 +1,8 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/PostgreSQL-Backup.sh --all diff --git a/appliance/backup.timer b/appliance/backup.timer new file mode 100644 index 0000000..ec59929 --- /dev/null +++ b/appliance/backup.timer @@ -0,0 +1,12 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 02:19:00 +Unit=backup.service + +[Install] +WantedBy=default.target diff --git a/appliance/cert-renew.service b/appliance/cert-renew.service new file mode 100644 index 0000000..59ec86d --- /dev/null +++ b/appliance/cert-renew.service @@ -0,0 +1,8 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/etc/ssl/cert-renew.sh diff --git a/appliance/cert-renew.sh b/appliance/cert-renew.sh new file mode 100755 index 0000000..4876856 --- /dev/null +++ b/appliance/cert-renew.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +HOST="netbox" +TLD="example.com" +FQDN="$HOST.$TLD" +LABEL="DATA" + +CERT_DIR=/$LABEL/CERTS +CERT_NGINX=/$LABEL/etc/ssl/nginx +GETREPO="" +GETUSER="" +GETPASS="" + +function getCurrentVersion() { +# Get hash from latest revision + git log --format=format:%H -1 +} + +cd $CERT_DIR + +if [ -z "$GETREPO" ]; then + GIT_REVISION=0 + GIT_NEW_REVISION=1 + cd $FQDN +elif [ ! -d "$FQDN" ]; then + GIT_REVISION=0 + git clone "https://$GETUSER:$GETPASS@$GETREPO" + cd $FQDN + GIT_NEW_REVISION=$(getCurrentVersion) +else + cd $FQDN + GIT_REVISION=$(getCurrentVersion) + git commit -m "CRON: auto commit" + git fetch + git merge origin/master -m "Auto Merge" + GIT_NEW_REVISION=$(getCurrentVersion) +fi + +echo "old: $GIT_REVISION" +echo "new: $GIT_NEW_REVISION" + +if [ $GIT_REVISION != $GIT_NEW_REVISION ] +then + echo "Update Nginx certificate..." + mkdir -p $CERT_NGINX + cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem + cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key + chown nginx:nginx $CERT_NGINX/nginx.* + chmod 444 $CERT_NGINX/nginx.pem + chmod 400 $CERT_NGINX/nginx.key + echo "Restarting Nginx..." + systemctl is-active --quiet nginx && systemctl restart nginx +fi + +exit 0 diff --git a/appliance/cert-renew.timer b/appliance/cert-renew.timer new file mode 100644 index 0000000..fa2ee54 --- /dev/null +++ b/appliance/cert-renew.timer @@ -0,0 +1,12 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 04:03:00 +Unit=cert-renew.service + +[Install] +WantedBy=default.target diff --git a/nginx/nginx.conf b/nginx/nginx.conf new file mode 100644 index 0000000..4d1692f --- /dev/null +++ b/nginx/nginx.conf @@ -0,0 +1,78 @@ +user nginx nginx; +worker_processes 1; + +error_log /var/log/nginx/error_log info; + +events { + worker_connections 1024; + use epoll; +} + +http { + include /etc/nginx/mime.types.nginx; + types_hash_max_size 4096; + default_type application/octet-stream; + + log_format main + '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '"$gzip_ratio"'; + + client_header_timeout 10m; + client_body_timeout 10m; + send_timeout 10m; + + connection_pool_size 256; + client_header_buffer_size 1k; + large_client_header_buffers 4 2k; + request_pool_size 4k; + + gzip off; + + output_buffers 1 32k; + postpone_output 1460; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + keepalive_timeout 75 20; + + ignore_invalid_headers on; + + index index.html; + + server { + # Redirect HTTP traffic to HTTPS + listen [::]:80 ipv6only=off; + server_name _; + return 301 https://$host$request_uri; + } + + + server { + listen [::]:443 ssl ipv6only=off; + server_name _; + + ssl_certificate /etc/ssl/nginx/nginx.pem; + ssl_certificate_key /etc/ssl/nginx/nginx.key; + + client_max_body_size 25m; + + location /static/ { + alias /usr/lib/netbox/static/; + } + + location / { + include uwsgi_params; + uwsgi_pass 127.0.0.1:8001; + uwsgi_param Host $host; + uwsgi_param X-Real-IP $remote_addr; + uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; + uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; + } + } + + include /etc/nginx/*_vhost.conf; +} diff --git a/package.accept_keywords b/package.accept_keywords new file mode 100644 index 0000000..d743e51 --- /dev/null +++ b/package.accept_keywords @@ -0,0 +1,38 @@ +dev-python/django-cors-headers +dev-python/django-debug-toolbar +dev-python/django-graphiql-debug-toolbar +dev-python/django-filter +dev-python/django-htmx +dev-python/django-mptt +dev-python/django-pglocks +dev-python/django-prometheus +dev-python/django-redis +dev-python/django-rich +dev-python/django-rq +dev-python/django-tables2 +dev-python/django-taggit +dev-python/django-timezone-field +dev-python/djangorestframework +dev-python/drf-yasg +dev-python/drf-spectacular +dev-python/drf-spectacular-sidecar +dev-python/graphene +dev-python/graphene-django +dev-python/graphql-core +dev-python/graphql-relay +dev-python/griffe +dev-python/markdown-include +dev-python/mkdocstrings +dev-python/mkdocstrings-python +dev-python/mkdocs-autorefs +dev-python/promise +dev-python/social-auth-core +dev-python/social-auth-app-django +dev-python/strawberry-graphql +dev-python/strawberry-graphql-django +dev-python/svgwrite +dev-python/tablib +dev-python/django-auth-ldap +dev-python/python3-openid +dev-python/inflection +dev-python/django-js-asset diff --git a/package.use b/package.use new file mode 100644 index 0000000..7db6cc9 --- /dev/null +++ b/package.use @@ -0,0 +1,9 @@ +# Netbox +www-apps/netbox branching ldap + +# Nginx / uWSGI +app-misc/mime-types nginx +www-servers/uwsgi python + +# Redis +dev-libs/jemalloc stats diff --git a/va-netbox.cfg b/va-netbox.cfg new file mode 100644 index 0000000..17345ae --- /dev/null +++ b/va-netbox.cfg @@ -0,0 +1,3 @@ +REPO_NAMES += unitas-netbox +REPO_URI_unitas-netbox = https://git.unitas-network.de/Gentoo/unitas-netbox.git +PROFILES_INSTALL = YES diff --git a/world b/world new file mode 100644 index 0000000..aa7d64a --- /dev/null +++ b/world @@ -0,0 +1,8 @@ +app-crypt/certbot-nginx +dev-db/postgresql +dev-db/redis +www-apps/netbox +www-apps/netbox-device-type-library-import +www-plugins/netboxlabs-netbox-branching +www-servers/nginx +www-servers/uwsgi