first release

This commit is contained in:
Jörg Deckert 2025-03-05 12:29:24 +01:00
parent c67995e0f8
commit 92650a89cf
14 changed files with 376 additions and 1 deletions


@ -1,6 +1,6 @@
MIT No Attribution MIT No Attribution
Copyright <YEAR> <COPYRIGHT HOLDER> Copyright 2025 Unitas Network GmbH
Permission is hereby granted, free of charge, to any person obtaining a copy of this Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software software and associated documentation files (the "Software"), to deal in the Software

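--- /dev/null
+++ b/Makefile
@@ -0,0 +1,29 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig
+systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+mkdir -p $(CHROOT)/usr/local/bin
+cp appliance/PostgreSQL-Backup.sh $(CHROOT)/usr/local/bin/
+cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+$(02firstboot): appliance/02firstboot.start
+mkdir -p $(CHROOT)/usr/local/bin
+cp $< $@
+touch $(CHROOT)/02firstboot
+$(cert-renew.sh): appliance/cert-renew.sh
+mkdir -p $(CHROOT)/etc/ssl
+cp $< $@
+$(nginx_conf): nginx/nginx.conf
+mv $(CHROOT)/etc/nginx/nginx.conf $@
+cp $< $(CHROOT)/etc/nginx/nginx.conf
+preinstall:
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(nginx_conf)
+# configure postgresql
+sed -i 's#^PG_INITDB_OPTS=.*#PG_INITDB_OPTS="--encoding=UTF8 --locale=de_DE.UTF-8"#' $(CHROOT)/etc/conf.d/postgresql-*
+rm -rf $(CHROOT)/var/lib/postgresql/*
+RUN emerge --config dev-db/postgresql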
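Review bot: The `postinstall` recipe runs `rm -rf $(CHROOT)/var/lib/postgresql/*` and `sed -i` on `$(CHROOT)/etc/conf.d/postgresql-*`, but nothing in the file checks that `CHROOT` is set, so an invocation without it operates on the build host's own `/var/lib/postgresql` and `/etc/conf.d`. A parse-time guard at the top, `$(if $(strip $(CHROOT)),,$(error CHROOT must be set))`, fails fast instead. `systemd-units`, `preinstall` and `postinstall` are not files and should be declared with `.PHONY: systemd-units preinstall postinstall` so a stray file of that name cannot silently satisfy them. The last recipe line, `RUN emerge --config dev-db/postgresql`, invokes a command literally named `RUN`; unless the enclosing build framework provides one, that line fails and looks like a Dockerfile-style leftover.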

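--- /dev/null
+++ b/appliance/02firstboot.start
@@ -0,0 +1,80 @@
+#!/bin/bash
+# variables
+LABEL="DATA"
+HOST="netbox"
+TLD="example.com"
+ORGNAME="Netbox example"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+# start
+set -e
+PGVER=$(eselect postgresql show)
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+# Database
+systemctl stop postgresql-$PGVER
+if [ ! -d "/$LABEL/var/lib/postgresql" ]; then
+echo 'Create database directory...'
+mkdir -p "/$LABEL/var/lib"
+rm -rf "/$LABEL/var/lib/postgresql.orig"
+cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql"
+ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+else
+echo 'start PostgreSQL DB...'
+if [ ! -L /var/lib/postgresql ]; then
+rm -rf "/$LABEL/var/lib/postgresql.orig"
+mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+fi
+fi
+systemctl start postgresql-$PGVER
+# Certificate
+if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then
+echo 'Create certificates...'
+mkdir -p "/$LABEL/CERTS/KEYS/"
+mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+rm -rf /etc/ssl/nginx
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
+/etc/ssl/cert-renew.sh
+# Netbox configuration
+if [ -f "/$LABEL/etc/netbox/configuration.py" ]; then
+ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
+fi
+emerge --config www-apps/netbox
+if [ ! -f "/$LABEL/etc/netbox/configuration.py" ]; then
+mkdir -p "/$LABEL/etc/netbox"
+mv "/etc/netbox/configuration.py" "/$LABEL/etc/netbox/configuration.py"
+ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
+fi
+# Service enabling
+systemctl enable postgresql-$PGVER
+systemctl enable redis.service
+systemctl enable netbox.service
+systemctl enable netbox-rq.service
+systemctl enable netbox-housekeeping.timer
+systemctl enable nginx.service
+systemctl restart redis.service
+systemctl restart netbox.service netbox-rq.service
+systemctl restart nginx.service
+rm /02firstboot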
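Review bot: The service-enabling section at the end enables `netbox-housekeeping.timer` but not `backup.timer` or `cert-renew.timer`, which the Makefile's `systemd-units` rule installs into `/etc/systemd/system`; unless the build framework enables them elsewhere, the weekly backup and certificate refresh never run, so add `systemctl enable backup.timer cert-renew.timer` next to the other `systemctl enable` lines. The self-signed certificate is created with `openssl req -x509` and no `-days` option, which gives OpenSSL's 30-day default validity, and because this block only runs while the `-cert.pem` file is missing nothing regenerates it afterwards — pass an explicit lifetime, e.g. `-days 365`. The private key lands in `/$LABEL/CERTS/KEYS/` with the process umask and only the copy under `/etc/ssl/nginx` is later restricted to 0400 by `cert-renew.sh`; a `umask 077` before the `openssl` call keeps the master key private too. `DATABASE_PASS` is generated at the top but never referenced, which suggests the intended database-password setup is missing.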

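--- /dev/null
+++ b/appliance/PostgreSQL-Backup.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+DIR="/DATA/Backup/PostgreSQL"
+USER="postgres"
+##PASS="gentoo"
+if [ -z $1 ]; then
+echo "database name missing! use --all for all db's"
+exit 1;
+elif [ $1 = '--all' ]; then
+echo "full backup"
+## for i in `psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`; do
+for i in $(psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do
+if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then
+if test -f ${DIR}/${i}.sql; then
+echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+fi
+echo "dump ${i} to ${DIR}/${i}.sql"
+pg_dump -U $USER $i > ${DIR}/${i}.sql
+chmod 600 ${DIR}/${i}.sql
+fi
+done;
+elif [ -n $1 ]; then
+echo "Starting backup of $1"
+if test -f $DIR/$1.sql; then
+echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+fi
+pg_dump -U $USER $1 > ${DIR}/${1}.sql
+chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;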
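Review bot: Each database's previous dump is rotated to `.sql.1` before `pg_dump` runs, and the script has no `set -e`/`pipefail` and never checks `pg_dump`'s exit status, so a failed dump leaves a truncated `.sql` that the next run rotates over the last good copy — two failures in a row lose the backup entirely, and the script still prints "Done" and exits 0. Dump to a temporary name and rotate only on success, as below; the single-database branch needs the same treatment. Creating the file by redirection and `chmod 600` afterwards also leaves a window at root's default umask, and nothing creates `$DIR`; `umask 077` and `mkdir -p "$DIR"` near the top cover both. `$1` should be quoted in the tests and the `pg_dump` call (`[ -z "$1" ]`), since `[ -z $1 ]` only passes by accident when no argument is given.
```bash
umask 077
mkdir -p "$DIR"
STATUS=0
# … unchanged: argument check and psql listing …
for i in $(psql -U "$USER" -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do
if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then
echo "dump ${i} to ${DIR}/${i}.sql"
if pg_dump -U "$USER" "$i" > "${DIR}/${i}.sql.tmp"; then
if test -f "${DIR}/${i}.sql"; then
echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
mv "${DIR}/${i}.sql" "${DIR}/${i}.sql.1"
fi
mv "${DIR}/${i}.sql.tmp" "${DIR}/${i}.sql"
else
echo "dump of ${i} failed, keeping previous backup" >&2
rm -f "${DIR}/${i}.sql.tmp"
STATUS=1
fi
fi
done
# … unchanged: single-database branch (apply the same tmp-then-rotate pattern) …
echo "Done"
exit "$STATUS"
```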

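--- /dev/null
+++ b/appliance/backup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/PostgreSQL-Backup.sh --all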
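Review bot: The unit has no `User=` line, so `PostgreSQL-Backup.sh` runs as root while connecting with `psql -U postgres`; if the appliance's `pg_hba.conf` uses peer authentication for local connections, that connection is rejected and every scheduled backup fails. Running the job as the database owner, `User=postgres`, removes the authentication mismatch and avoids root-owned dump files, provided `/DATA/Backup/PostgreSQL` is created writable by that user. Whichever way it is resolved, a comment in the unit stating the expected authentication setup would save the next maintainer a debugging round.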

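--- /dev/null
+++ b/appliance/backup.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+[Install]
+WantedBy=default.target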
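Review bot: `Persistent=false` on a once-a-week `OnCalendar=Sun *-*-* 02:19:00` timer means the run is skipped outright if the appliance is powered off or rebooting at that minute, so a backup can silently be missed for a week or more; for a backup job `Persistent=true` lets systemd catch up the missed run at the next boot. The same applies to `cert-renew.timer`. `WantedBy=default.target` works, but `timers.target` is the conventional target for timer units.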


@ -0,0 +1,8 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/etc/ssl/cert-renew.sh

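--- /dev/null
+++ b/appliance/cert-renew.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+HOST="netbox"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+CERT_DIR=/$LABEL/CERTS
+CERT_NGINX=/$LABEL/etc/ssl/nginx
+GETREPO=""
+GETUSER=""
+GETPASS=""
+function getCurrentVersion() {
+# Get hash from latest revision
+git log --format=format:%H -1
+}
+cd $CERT_DIR
+if [ -z "$GETREPO" ]; then
+GIT_REVISION=0
+GIT_NEW_REVISION=1
+cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+GIT_REVISION=0
+git clone "https://$GETUSER:$GETPASS@$GETREPO"
+cd $FQDN
+GIT_NEW_REVISION=$(getCurrentVersion)
+else
+cd $FQDN
+GIT_REVISION=$(getCurrentVersion)
+git commit -m "CRON: auto commit"
+git fetch
+git merge origin/master -m "Auto Merge"
+GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+echo "Update Nginx certificate..."
+mkdir -p $CERT_NGINX
+cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
+cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
+chown nginx:nginx $CERT_NGINX/nginx.*
+chmod 444 $CERT_NGINX/nginx.pem
+chmod 400 $CERT_NGINX/nginx.key
+echo "Restarting Nginx..."
+systemctl is-active --quiet nginx && systemctl restart nginx
+fi
+exit 0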
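Review bot: `git clone "https://$GETUSER:$GETPASS@$GETREPO"` embeds the password in the remote URL, so it is visible in the process list during the clone and persisted in clear text in the clone's `.git/config` on the data volume; prefer a credential helper or token kept in a 0600 file and a remote URL without credentials. The script has no `set -e` and never checks that `cd $CERT_DIR` and `cd $FQDN` succeeded, and `[ $GIT_REVISION != $GIT_NEW_REVISION ]` is unquoted, so an empty result from `getCurrentVersion` (for example after a failed fetch) turns into a test syntax error — quote both operands, `[ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]`. When `GETREPO` is empty the revisions are fixed to 0 and 1, so the copy-and-restart branch runs on every invocation; `systemctl reload nginx` picks up the new certificate without dropping connections and is the safer choice for the scheduled run.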


@ -0,0 +1,12 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=no
[Timer]
Persistent=false
OnCalendar=Sun *-*-* 04:03:00
Unit=cert-renew.service
[Install]
WantedBy=default.target

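--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,78 @@
+user nginx nginx;
+worker_processes 1;
+error_log /var/log/nginx/error_log info;
+events {
+worker_connections 1024;
+use epoll;
+}
+http {
+include /etc/nginx/mime.types.nginx;
+types_hash_max_size 4096;
+default_type application/octet-stream;
+log_format main
+'$remote_addr - $remote_user [$time_local] '
+'"$request" $status $bytes_sent '
+'"$http_referer" "$http_user_agent" '
+'"$gzip_ratio"';
+client_header_timeout 10m;
+client_body_timeout 10m;
+send_timeout 10m;
+connection_pool_size 256;
+client_header_buffer_size 1k;
+large_client_header_buffers 4 2k;
+request_pool_size 4k;
+gzip off;
+output_buffers 1 32k;
+postpone_output 1460;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 75 20;
+ignore_invalid_headers on;
+index index.html;
+server {
+# Redirect HTTP traffic to HTTPS
+listen [::]:80 ipv6only=off;
+server_name _;
+return 301 https://$host$request_uri;
+}
+server {
+listen [::]:443 ssl ipv6only=off;
+server_name _;
+ssl_certificate /etc/ssl/nginx/nginx.pem;
+ssl_certificate_key /etc/ssl/nginx/nginx.key;
+client_max_body_size 25m;
+location /static/ {
+alias /usr/lib/netbox/static/;
+}
+location / {
+include uwsgi_params;
+uwsgi_pass 127.0.0.1:8001;
+uwsgi_param Host $host;
+uwsgi_param X-Real-IP $remote_addr;
+uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
+}
+}
+include /etc/nginx/*_vhost.conf;
+}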
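Review bot: `uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever the client put in its own `X-Forwarded-Proto` request header, which is not the right value when nginx itself terminates TLS in this server block; use `uwsgi_param X-Forwarded-Proto $scheme;` so the application is told the scheme nginx actually served. The `listen [::]:443 ssl` server sets certificate paths but no `ssl_protocols` or `ssl_ciphers`, so the accepted protocol versions depend on the defaults of whichever nginx build is installed; pin them explicitly, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`. A comment next to the `ssl_certificate` lines noting that `/etc/ssl/nginx/nginx.pem` and `nginx.key` are maintained by `cert-renew.sh` would make the dependency between the two files visible from the config.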

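--- /dev/null
+++ b/package.accept_keywords
@@ -0,0 +1,38 @@
+dev-python/django-cors-headers
+dev-python/django-debug-toolbar
+dev-python/django-graphiql-debug-toolbar
+dev-python/django-filter
+dev-python/django-htmx
+dev-python/django-mptt
+dev-python/django-pglocks
+dev-python/django-prometheus
+dev-python/django-redis
+dev-python/django-rich
+dev-python/django-rq
+dev-python/django-tables2
+dev-python/django-taggit
+dev-python/django-timezone-field
+dev-python/djangorestframework
+dev-python/drf-yasg
+dev-python/drf-spectacular
+dev-python/drf-spectacular-sidecar
+dev-python/graphene
+dev-python/graphene-django
+dev-python/graphql-core
+dev-python/graphql-relay
+dev-python/griffe
+dev-python/markdown-include
+dev-python/mkdocstrings
+dev-python/mkdocstrings-python
+dev-python/mkdocs-autorefs
+dev-python/promise
+dev-python/social-auth-core
+dev-python/social-auth-app-django
+dev-python/strawberry-graphql
+dev-python/strawberry-graphql-django
+dev-python/svgwrite
+dev-python/tablib
+dev-python/django-auth-ldap
+dev-python/python3-openid
+dev-python/inflection
+dev-python/django-js-asset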

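--- /dev/null
+++ b/package.use
@@ -0,0 +1,9 @@
+# Netbox
+www-apps/netbox branching ldap
+# Nginx / uWSGI
+app-misc/mime-types nginx
+www-servers/uwsgi python
+# Redis
+dev-libs/jemalloc stats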

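--- /dev/null
+++ b/va-netbox.cfg
@@ -0,0 +1,3 @@
+REPO_NAMES += unitas-netbox
+REPO_URI_unitas-netbox = https://git.unitas-network.de/Gentoo/unitas-netbox.git
+PROFILES_INSTALL = YES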

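--- /dev/null
+++ b/world
@@ -0,0 +1,8 @@
+app-crypt/certbot-nginx
+dev-db/postgresql
+dev-db/redis
+www-apps/netbox
+www-apps/netbox-device-type-library-import
+www-plugins/netboxlabs-netbox-branching
+www-servers/nginx
+www-servers/uwsgi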