first release

2025-03-05 12:29:24 +01:00 · 2025-03-05 12:29:24 +01:00 · 92650a89cf
commit 92650a89cf
parent c67995e0f8
14 changed files with 376 additions and 1 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT No Attribution
-Copyright <YEAR> <COPYRIGHT HOLDER>
+Copyright 2025 Unitas Network GmbH
 Permission is hereby granted, free of charge, to any person obtaining a copy of this
 software and associated documentation files (the "Software"), to deal in the Software
--- a/29
+++ b/29
@ -0,0 +1,29 @@
 02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
 cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
 nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig
 systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
 	mkdir -p $(CHROOT)/usr/local/bin
 	cp appliance/PostgreSQL-Backup.sh $(CHROOT)/usr/local/bin/
 	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
 $(02firstboot): appliance/02firstboot.start
 	mkdir -p $(CHROOT)/usr/local/bin
 	cp $< $@
 	touch $(CHROOT)/02firstboot
 $(cert-renew.sh): appliance/cert-renew.sh
 	mkdir -p $(CHROOT)/etc/ssl
 	cp $< $@
 $(nginx_conf): nginx/nginx.conf
 	mv $(CHROOT)/etc/nginx/nginx.conf $@
 	cp $< $(CHROOT)/etc/nginx/nginx.conf
 preinstall:
 postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(nginx_conf)
 	# configure postgresql
 	sed -i 's#^PG_INITDB_OPTS=.*#PG_INITDB_OPTS="--encoding=UTF8 --locale=de_DE.UTF-8"#' $(CHROOT)/etc/conf.d/postgresql-*
 	rm -rf $(CHROOT)/var/lib/postgresql/*
 	RUN emerge --config dev-db/postgresql
--- a/appliance/02firstboot.start
+++ b/appliance/02firstboot.start
@ -0,0 +1,80 @@
 #!/bin/bash
 # variables
 LABEL="DATA"
 HOST="netbox"
 TLD="example.com"
 ORGNAME="Netbox example"
 DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
 # start
 set -e
 PGVER=$(eselect postgresql show)
 [ -e /01firstboot ] && exit 0
 [ -e /02firstboot ] || exit 0
 # Database
 systemctl stop postgresql-$PGVER
 if [ ! -d "/$LABEL/var/lib/postgresql" ]; then
 	echo 'Create database directory...'
 	mkdir -p "/$LABEL/var/lib"
 	rm -rf "/$LABEL/var/lib/postgresql.orig"
 	cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
 	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql"
 	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
 else
 	echo 'start PostgreSQL DB...'
 	if [ ! -L /var/lib/postgresql ]; then
 		rm -rf "/$LABEL/var/lib/postgresql.orig"
 		mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
 		ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
 	fi
 fi
 systemctl start postgresql-$PGVER
 # Certificate
 if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then
 	echo 'Create certificates...'
 	mkdir -p "/$LABEL/CERTS/KEYS/"
 	mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
 	echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
 	openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
 	cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
 	touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
 fi
 rm -rf /etc/ssl/nginx
 mkdir -p /etc/ssl
 ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
 /etc/ssl/cert-renew.sh
 # Netbox configuration
 if [ -f "/$LABEL/etc/netbox/configuration.py" ]; then
 	ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
 fi
 emerge --config www-apps/netbox
 if [ ! -f "/$LABEL/etc/netbox/configuration.py" ]; then
 	mkdir -p "/$LABEL/etc/netbox"
 	mv "/etc/netbox/configuration.py" "/$LABEL/etc/netbox/configuration.py"
 	ln -sf "/$LABEL/etc/netbox/configuration.py" "/etc/netbox/configuration.py"
 fi
 # Service enabling
 systemctl enable postgresql-$PGVER
 systemctl enable redis.service
 systemctl enable netbox.service 
 systemctl enable netbox-rq.service
 systemctl enable netbox-housekeeping.timer
 systemctl enable nginx.service
 systemctl restart redis.service
 systemctl restart netbox.service netbox-rq.service
 systemctl restart nginx.service
 rm /02firstboot
--- a/appliance/PostgreSQL-Backup.sh
+++ b/appliance/PostgreSQL-Backup.sh
@ -0,0 +1,35 @@
 #!/bin/bash
 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
 DIR="/DATA/Backup/PostgreSQL"
 USER="postgres"
 ##PASS="gentoo"
 if [ -z $1 ]; then
 echo "database name missing! use --all for all db's"
 exit 1;
 elif [ $1 = '--all' ]; then
 echo "full backup"
 ## for i in `psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`; do
 for i in $(psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do
  if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then
   if test -f ${DIR}/${i}.sql; then
    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
   fi
   echo "dump ${i} to ${DIR}/${i}.sql"
   pg_dump -U $USER $i > ${DIR}/${i}.sql
   chmod 600 ${DIR}/${i}.sql
  fi
 done;
 elif [ -n $1 ]; then
 echo "Starting backup of $1"
 if test -f $DIR/$1.sql; then
  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
 fi
 pg_dump -U $USER $1 > ${DIR}/${1}.sql
 chmod 600 ${DIR}/${1}.sql
 fi
 echo "Done"
 exit 0;
--- a/appliance/backup.service
+++ b/appliance/backup.service
@ -0,0 +1,8 @@
 [Unit]
 Description=execute backup tasks
 RefuseManualStart=no
 RefuseManualStop=yes
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/PostgreSQL-Backup.sh --all
--- a/appliance/backup.timer
+++ b/appliance/backup.timer
@ -0,0 +1,12 @@
 [Unit]
 Description=execute backup tasks
 RefuseManualStart=no
 RefuseManualStop=no
 [Timer]
 Persistent=false
 OnCalendar=Sun *-*-* 02:19:00
 Unit=backup.service
 [Install]
 WantedBy=default.target
--- a/appliance/cert-renew.service
+++ b/appliance/cert-renew.service
@ -0,0 +1,8 @@
 [Unit]
 Description=renew certificates from git store
 RefuseManualStart=no
 RefuseManualStop=yes
 [Service]
 Type=oneshot
 ExecStart=/etc/ssl/cert-renew.sh
--- a/appliance/cert-renew.sh
+++ b/appliance/cert-renew.sh
@ -0,0 +1,55 @@
 #!/bin/bash
 HOST="netbox"
 TLD="example.com"
 FQDN="$HOST.$TLD"
 LABEL="DATA"
 CERT_DIR=/$LABEL/CERTS
 CERT_NGINX=/$LABEL/etc/ssl/nginx
 GETREPO=""
 GETUSER=""
 GETPASS=""
 function getCurrentVersion() {
 # Get hash from latest revision
  git log --format=format:%H -1
 }
 cd $CERT_DIR
 if [ -z "$GETREPO" ]; then
  GIT_REVISION=0
  GIT_NEW_REVISION=1
  cd $FQDN
 elif [ ! -d "$FQDN" ]; then
  GIT_REVISION=0
  git clone "https://$GETUSER:$GETPASS@$GETREPO"
  cd $FQDN
  GIT_NEW_REVISION=$(getCurrentVersion)
 else
  cd $FQDN
  GIT_REVISION=$(getCurrentVersion)
  git commit -m "CRON: auto commit"
  git fetch
  git merge origin/master -m "Auto Merge"
  GIT_NEW_REVISION=$(getCurrentVersion)
 fi
 echo "old: $GIT_REVISION"
 echo "new: $GIT_NEW_REVISION"
 if [ $GIT_REVISION != $GIT_NEW_REVISION ]
 then
  echo "Update Nginx certificate..."
  mkdir -p $CERT_NGINX
  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
  chown nginx:nginx $CERT_NGINX/nginx.*
  chmod 444 $CERT_NGINX/nginx.pem
  chmod 400 $CERT_NGINX/nginx.key
  echo "Restarting Nginx..."
  systemctl is-active --quiet nginx && systemctl restart nginx
 fi
 exit 0
--- a/appliance/cert-renew.timer
+++ b/appliance/cert-renew.timer
@ -0,0 +1,12 @@
 [Unit]
 Description=renew certificates from git store
 RefuseManualStart=no
 RefuseManualStop=no
 [Timer]
 Persistent=false
 OnCalendar=Sun *-*-* 04:03:00
 Unit=cert-renew.service
 [Install]
 WantedBy=default.target
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -0,0 +1,78 @@
 user nginx nginx;
 worker_processes 1;
 error_log /var/log/nginx/error_log info;
 events {
    worker_connections 1024;
    use epoll;
 }
 http {
    include /etc/nginx/mime.types.nginx;
    types_hash_max_size 4096;
    default_type application/octet-stream;
    log_format main
 	'$remote_addr - $remote_user [$time_local] '
 	'"$request" $status $bytes_sent '
 	'"$http_referer" "$http_user_agent" '
 	'"$gzip_ratio"';
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 2k;
    request_pool_size 4k;
    gzip off;
    output_buffers 1 32k;
    postpone_output 1460;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75 20;
    ignore_invalid_headers on;
    index index.html;
    server {
 	# Redirect HTTP traffic to HTTPS
 	listen [::]:80 ipv6only=off;
 	server_name _;
 	return 301 https://$host$request_uri;
    }
    server {
 	listen [::]:443 ssl ipv6only=off;
 	server_name _;
 	ssl_certificate /etc/ssl/nginx/nginx.pem;
 	ssl_certificate_key /etc/ssl/nginx/nginx.key;
 	client_max_body_size 25m;
 	location /static/ {
 	    alias /usr/lib/netbox/static/;
 	}
 	location / {
 	    include uwsgi_params;
 	    uwsgi_pass  127.0.0.1:8001;
 	    uwsgi_param Host $host;
 	    uwsgi_param X-Real-IP $remote_addr;
 	    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
 	    uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
 	}
    }
    include /etc/nginx/*_vhost.conf;
 }
--- a/package.accept_keywords
+++ b/package.accept_keywords
@ -0,0 +1,38 @@
 dev-python/django-cors-headers
 dev-python/django-debug-toolbar
 dev-python/django-graphiql-debug-toolbar
 dev-python/django-filter
 dev-python/django-htmx
 dev-python/django-mptt
 dev-python/django-pglocks
 dev-python/django-prometheus
 dev-python/django-redis
 dev-python/django-rich
 dev-python/django-rq
 dev-python/django-tables2
 dev-python/django-taggit
 dev-python/django-timezone-field
 dev-python/djangorestframework
 dev-python/drf-yasg
 dev-python/drf-spectacular
 dev-python/drf-spectacular-sidecar
 dev-python/graphene
 dev-python/graphene-django
 dev-python/graphql-core
 dev-python/graphql-relay
 dev-python/griffe
 dev-python/markdown-include
 dev-python/mkdocstrings
 dev-python/mkdocstrings-python
 dev-python/mkdocs-autorefs
 dev-python/promise
 dev-python/social-auth-core
 dev-python/social-auth-app-django
 dev-python/strawberry-graphql
 dev-python/strawberry-graphql-django
 dev-python/svgwrite
 dev-python/tablib
 dev-python/django-auth-ldap
 dev-python/python3-openid
 dev-python/inflection
 dev-python/django-js-asset
--- a/package.use
+++ b/package.use
@ -0,0 +1,9 @@
 # Netbox
 www-apps/netbox branching ldap
 # Nginx / uWSGI
 app-misc/mime-types nginx
 www-servers/uwsgi python
 # Redis
 dev-libs/jemalloc stats
--- a/va-netbox.cfg
+++ b/va-netbox.cfg
@ -0,0 +1,3 @@
 REPO_NAMES += unitas-netbox
 REPO_URI_unitas-netbox = https://git.unitas-network.de/Gentoo/unitas-netbox.git
 PROFILES_INSTALL = YES
--- a/8
+++ b/8
@ -0,0 +1,8 @@
 app-crypt/certbot-nginx
 dev-db/postgresql
 dev-db/redis
 www-apps/netbox
 www-apps/netbox-device-type-library-import
 www-plugins/netboxlabs-netbox-branching
 www-servers/nginx
 www-servers/uwsgi