diff --git a/Puppetfile b/Puppetfile --- a/Puppetfile +++ b/Puppetfile @@ -163,6 +163,10 @@ :git => 'https://forge.softwareheritage.org/source/puppet-puppet-rabbitmq', :ref => 'v10.0.0' +mod 'redis', + :git => 'https://forge.softwareheritage.org/source/puppet-puppet-redis.git' + :ref => 'v6.1.0' + mod 'resolv_conf', :git => 'https://forge.softwareheritage.org/source/puppet-saz-resolv_conf', :ref => 'v4.1.0' diff --git a/data/defaults.yaml b/data/defaults.yaml --- a/data/defaults.yaml +++ b/data/defaults.yaml @@ -811,7 +811,12 @@ - sponsorship.softwareheritage.org - testimonials.softwareheritage.org deploy_hook: gandi_paas - + netbox: + domain: + - inventory.internal.softwareheritage.org + netbox-vagrant: + domain: + - inventory-vagrant.inventory.softwareheritage.org bind::update_key: local-update @@ -2999,7 +3004,7 @@ # See http://wiki.apache.org/cassandra/StorageConfiguration for # full explanations of configuration directives # /NOTE - + # This defines the number of tokens randomly assigned to this node on the ring # The more tokens, relative to other nodes, the larger the proportion of data # that this node will store. You probably want all nodes to have the same number @@ -3011,10 +3016,10 @@ # Specifying initial_token will override this setting on the node's initial start, # on subsequent starts, this setting will apply even if initial token is set. # - # If you already have a cluster with 1 token per node, and wish to migrate to + # If you already have a cluster with 1 token per node, and wish to migrate to # multiple tokens per node, see http://wiki.apache.org/cassandra/Operations num_tokens: 256 - + # Triggers automatic allocation of num_tokens tokens for this node. The allocation # algorithm attempts to choose tokens in a way that optimizes replicated load over # the nodes in the datacenter for the replication strategy used by the specified 
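Review bot: The new `mod 'redis'` entry is missing the comma after its `:git` argument, so `:git => '...puppet-puppet-redis.git'` followed by `:ref => 'v6.1.0'` on the next line is a Ruby syntax error and r10k/librarian-puppet will refuse to parse the whole Puppetfile, not just this module; it should read `:git => 'https://forge.softwareheritage.org/source/puppet-puppet-redis.git',`. The `.git` suffix is also inconsistent with every neighbouring entry (rabbitmq, resolv_conf use the bare repository path); if the forge accepts both forms this is cosmetic, otherwise the fetch fails. As with the other modules, `v6.1.0` is a tag, which is mutable on the remote; pinning `:ref` to a commit SHA (or keeping tags but verifying them in the mirror) is the supply-chain-safer convention, though that applies file-wide rather than to this hunk alone.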
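Review bot: The `netbox-vagrant` hostname `inventory-vagrant.inventory.softwareheritage.org` does not match the pattern of the `netbox` entry directly above it (`inventory.internal.softwareheritage.org`) and looks like a typo for `inventory-vagrant.internal.softwareheritage.org`; please confirm which zone is intended before a certificate or DNS record is requested for the wrong name. The mapping these two keys are added to starts outside the hunk, so its purpose is inferred from the sibling `deploy_hook: gandi_paas` context; if it is a certificate list, note that a name under an internal zone can only be validated if that zone is resolvable by the issuer (e.g. DNS-01 or a public delegation), which the hunk does not show. Adding a short comment above the entries, e.g. `# NetBox inventory (internal zone; validate via DNS challenge)`, would document that expectation for the next editor.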
@@ -3025,47 +3030,47 @@ # # Only supported with the Murmur3Partitioner. # allocate_tokens_for_keyspace: KEYSPACE - + # initial_token allows you to specify tokens manually. While you can use it with - # vnodes (num_tokens > 1, above) -- in which case you should provide a - # comma-separated list -- it's primarily used when adding nodes to legacy clusters + # vnodes (num_tokens > 1, above) -- in which case you should provide a + # comma-separated list -- it's primarily used when adding nodes to legacy clusters # that do not have vnodes enabled. # initial_token: - + # See http://wiki.apache.org/cassandra/HintedHandoff # May either be "true" or "false" to enable globally hinted_handoff_enabled: true - + # When hinted_handoff_enabled is true, a black list of data centers that will not # perform hinted handoff # hinted_handoff_disabled_datacenters: # - DC1 # - DC2 - + # this defines the maximum amount of time a dead host will have hints # generated. After it has been dead this long, new hints for it will not be # created until it has been seen alive and gone down again. max_hint_window_in_ms: 10800000 # 3 hours - + # Maximum throttle in KBs per second, per delivery thread. This will be # reduced proportionally to the number of nodes in the cluster. (If there # are two nodes in the cluster, each delivery thread will use the maximum # rate; if there are three, each will throttle to half of the maximum, # since we expect two nodes to be delivering hints simultaneously.) hinted_handoff_throttle_in_kb: 1024 - + # Number of threads with which to deliver hints; # Consider increasing this number when you have multi-dc deployments, since # cross-dc handoff tends to be slower max_hints_delivery_threads: 2 - + # How often hints should be flushed from the internal buffers to disk. # Will *not* trigger fsync. hints_flush_period_in_ms: 10000 - + # Maximum size for a single hints file, in megabytes. max_hints_file_size_in_mb: 128 - + # Compression to apply to the hint files. 
If omitted, hints files # will be written uncompressed. LZ4, Snappy, and Deflate compressors # are supported. @@ -3073,11 +3078,11 @@ # - class_name: LZ4Compressor # parameters: # - - + # Maximum throttle in KBs per second, total. This will be # reduced proportionally to the number of nodes in the cluster. batchlog_replay_throttle_in_kb: 1024 - + # Authentication backend, implementing IAuthenticator; used to identify users # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator, # PasswordAuthenticator}. @@ -3088,7 +3093,7 @@ # Please increase system_auth keyspace replication factor if you use this authenticator. # If using PasswordAuthenticator, CassandraRoleManager must also be used (see below) authenticator: AllowAllAuthenticator - + # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer, # CassandraAuthorizer}. @@ -3097,7 +3102,7 @@ # - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please # increase system_auth keyspace replication factor if you use this authorizer. authorizer: AllowAllAuthorizer - + # Part of the Authentication & Authorization backend, implementing IRoleManager; used # to maintain grants and memberships between roles. # Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager, @@ -3108,7 +3113,7 @@ # - CassandraRoleManager stores role data in the system_auth keyspace. Please # increase system_auth keyspace replication factor if you use this role manager. role_manager: CassandraRoleManager - + # Validity period for roles cache (fetching granted roles can be an expensive # operation depending on the role manager, CassandraRoleManager is one example) # Granted roles are cached for authenticated sessions in AuthenticatedUser and 
@@ -3116,7 +3121,7 @@ # Defaults to 2000, set to 0 to disable caching entirely. # Will be disabled automatically for AllowAllAuthenticator. roles_validity_in_ms: 2000 - + # Refresh interval for roles cache (if enabled). # After this interval, cache entries become eligible for refresh. Upon next # access, an async reload is scheduled and the old value returned until it @@ -3124,13 +3129,13 @@ # also. # Defaults to the same value as roles_validity_in_ms. # roles_update_interval_in_ms: 2000 - + # Validity period for permissions cache (fetching permissions can be an # expensive operation depending on the authorizer, CassandraAuthorizer is # one example). Defaults to 2000, set to 0 to disable. # Will be disabled automatically for AllowAllAuthorizer. permissions_validity_in_ms: 2000 - + # Refresh interval for permissions cache (if enabled). # After this interval, cache entries become eligible for refresh. Upon next # access, an async reload is scheduled and the old value returned until it @@ -3138,7 +3143,7 @@ # also. # Defaults to the same value as permissions_validity_in_ms. # permissions_update_interval_in_ms: 2000 - + # Validity period for credentials cache. This cache is tightly coupled to # the provided PasswordAuthenticator implementation of IAuthenticator. If # another IAuthenticator implementation is configured, this cache will not @@ -3149,7 +3154,7 @@ # latency of individual authentication attempts. # Defaults to 2000, set to 0 to disable credentials caching. credentials_validity_in_ms: 2000 - + # Refresh interval for credentials cache (if enabled). # After this interval, cache entries become eligible for refresh. Upon next # access, an async reload is scheduled and the old value returned until it 
@@ -3157,7 +3162,7 @@ # also. # Defaults to the same value as credentials_validity_in_ms. # credentials_update_interval_in_ms: 2000 - + # The partitioner is responsible for distributing groups of rows (by # partition key) across nodes in the cluster. You should leave this # alone for new clusters. The partitioner can NOT be changed without @@ -3169,12 +3174,12 @@ # OrderPreservingPartitioner. # partitioner: org.apache.cassandra.dht.Murmur3Partitioner - + # Enable / disable CDC functionality on a per-node basis. This modifies the logic used # for write path allocation rejection (standard: never reject. cdc: reject Mutation # containing a CDC-enabled table if at space limit in cdc_raw_directory). cdc_enabled: false - + # Policy for data disk failures: # # die @@ -3197,7 +3202,7 @@ # ignore # ignore fatal errors and let requests fail, as in pre-1.2 Cassandra disk_failure_policy: stop - + # Policy for commit disk failures: # # die @@ -3214,7 +3219,7 @@ # ignore # ignore fatal errors and let the batches fail commit_failure_policy: stop - + # Maximum size of the native protocol prepared statement cache # # Valid values are either "auto" (omitting the value) or a value greater 0. @@ -3233,7 +3238,7 @@ # # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater #prepared_statements_cache_size_mb: - + # Maximum size of the Thrift prepared statement cache # # If you do not use Thrift at all, it is safe to leave this value at "auto". @@ -3242,7 +3247,7 @@ # # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater #thrift_prepared_statements_cache_size_mb: - + # Maximum size of the key cache in memory. # # Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the 
@@ -3256,7 +3261,7 @@ # # Default value is empty to make it "auto" (min(5% of Heap (in MB), 100MB)). Set to 0 to disable key cache. #key_cache_size_in_mb: - + # Duration in seconds after which Cassandra should # save the key cache. Caches are saved to saved_caches_directory as # specified in this configuration file. @@ -3267,11 +3272,11 @@ # # Default is 14400 or 4 hours. key_cache_save_period: 14400 - + # Number of keys from the key cache to save # Disabled by default, meaning all keys are going to be saved # key_cache_keys_to_save: 100 - + # Row cache implementation class name. Available implementations: # # org.apache.cassandra.cache.OHCProvider @@ -3281,7 +3286,7 @@ # This is the row cache implementation availabile # in previous releases of Cassandra. # row_cache_class_name: org.apache.cassandra.cache.OHCProvider - + # Maximum size of the row cache in memory. # Please note that OHC cache implementation requires some additional off-heap memory to manage # the map structures and some in-flight memory during operations before/after cache entries can be @@ -3291,7 +3296,7 @@ # # Default value is 0, to disable row caching. row_cache_size_in_mb: 0 - + # Duration in seconds after which Cassandra should save the row cache. # Caches are saved to saved_caches_directory as specified in this configuration file. # @@ -3301,11 +3306,11 @@ # # Default is 0 to disable saving the row cache. row_cache_save_period: 0 - + # Number of keys from the row cache to save. # Specify 0 (which is the default), meaning all keys are going to be saved # row_cache_keys_to_save: 100 - + # Maximum size of the counter cache in memory. # # Counter cache helps to reduce counter locks' contention for hot counter cells. 
@@ -3320,20 +3325,20 @@ # Default value is empty to make it "auto" (min(2.5% of Heap (in MB), 50MB)). Set to 0 to disable counter cache. # NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache. #counter_cache_size_in_mb: - + # Duration in seconds after which Cassandra should # save the counter cache (keys only). Caches are saved to saved_caches_directory as # specified in this configuration file. # # Default is 7200 or 2 hours. counter_cache_save_period: 7200 - + # Number of keys from the counter cache to save # Disabled by default, meaning all keys are going to be saved # counter_cache_keys_to_save: 100 - - # commitlog_sync may be either "periodic" or "batch." - # + + # commitlog_sync may be either "periodic" or "batch." + # # When in batch mode, Cassandra won't ack writes until the commit log # has been fsynced to disk. It will wait # commitlog_sync_batch_window_in_ms milliseconds between fsyncs. @@ -3349,7 +3354,7 @@ # milliseconds. commitlog_sync: periodic commitlog_sync_period_in_ms: 10000 - + # The size of the individual commitlog file segments. A commitlog # segment may be archived, deleted, or recycled once all the data # in it (potentially from each columnfamily in the system) has been @@ -3367,7 +3372,7 @@ # be set to at least twice the size of max_mutation_size_in_kb / 1024 # commitlog_segment_size_in_mb: 32 - + # Compression to apply to the commit log. If omitted, the commit log # will be written uncompressed. LZ4, Snappy, and Deflate compressors # are supported. @@ -3375,7 +3380,7 @@ # - class_name: LZ4Compressor # parameters: # - - + # For workloads with more data than can fit in memory, Cassandra's # bottleneck will be reads that need to fetch data from # disk. "concurrent_reads" should be set to (16 * number_of_drives) in 
@@ -3390,11 +3395,11 @@ concurrent_reads: 64 concurrent_writes: 96 concurrent_counter_writes: 64 - + # For materialized view writes, as there is a read involved, so this should # be limited by the less of concurrent reads or concurrent writes. concurrent_materialized_view_writes: 32 - + # Maximum memory to use for sstable chunk cache and buffer pooling. # 32MB of this are reserved for pooling buffers, the rest is used as an # cache that holds uncompressed sstable chunks. @@ -3404,26 +3409,26 @@ # if the default 64k chunk size is used). # Memory is only allocated when needed. # file_cache_size_in_mb: 512 - + # Flag indicating whether to allocate on or off heap when the sstable buffer # pool is exhausted, that is when it has exceeded the maximum memory # file_cache_size_in_mb, beyond which it will not cache buffers but allocate on request. - + # buffer_pool_use_heap_if_exhausted: true - + # The strategy for optimizing disk read # Possible values are: # ssd (for solid state disks, the default) # spinning (for spinning disks) # disk_optimization_strategy: ssd - + # Total permitted memory to use for memtables. Cassandra will stop # accepting writes when the limit is exceeded until a flush completes, # and will trigger a flush based on memtable_cleanup_threshold # If omitted, Cassandra will set both to 1/4 the size of the heap. # memtable_heap_space_in_mb: 2048 # memtable_offheap_space_in_mb: 2048 - + # memtable_cleanup_threshold is deprecated. The default calculation # is the only reasonable choice. See the comments on memtable_flush_writers # for more information. @@ -3436,7 +3441,7 @@ # # memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1) # memtable_cleanup_threshold: 0.11 - + # Specify the way Cassandra allocates and manages memtable memory. # Options are: # 
@@ -3449,7 +3454,7 @@ # offheap_objects # off heap objects memtable_allocation_type: heap_buffers - + # Total space to use for commit logs on disk. # # If space gets above this value, Cassandra will flush every dirty CF @@ -3460,7 +3465,7 @@ # of the commitlog volume. # # commitlog_total_space_in_mb: 8192 - + # This sets the number of memtable flush writer threads per disk # as well as the total number of memtables that can be flushed concurrently. # These are generally a combination of compute and IO bound. @@ -3489,7 +3494,7 @@ # to never stall waiting for flushing to free memory. # #memtable_flush_writers: 2 - + # Total space to use for change-data-capture logs on disk. # # If space gets above this value, Cassandra will throw WriteTimeoutException @@ -3499,12 +3504,12 @@ # The default value is the min of 4096 mb and 1/8th of the total space # of the drive where cdc_raw_directory resides. # cdc_total_space_in_mb: 4096 - + # When we hit our cdc_raw limit and the CDCCompactor is either running behind # or experiencing backpressure, we check at the following interval to see if any # new space for cdc-tracked tables has been made available. Default to 250ms # cdc_free_space_check_interval_ms: 250 - + # A fixed memory pool size in MB for for SSTable index summaries. If left # empty, this will default to 5% of the heap size. If the memory usage of # all index summaries exceeds this limit, SSTables with low read rates will 
@@ -3512,13 +3517,13 @@ # is a best-effort process. In extreme conditions Cassandra may need to use # more than this amount of memory. #index_summary_capacity_in_mb: - + # How frequently index summaries should be resampled. This is done # periodically to redistribute memory from the fixed-size pool to sstables # proportional their recent read rates. Setting to -1 will disable this # process, leaving existing index summaries at their current sampling level. index_summary_resize_interval_in_minutes: 60 - + # Whether to, when doing sequential writing, fsync() at intervals in # order to force the operating system to flush the dirty # buffers. Enable this to avoid sudden dirty buffer flushing from 
@@ -3526,30 +3531,30 @@ # necessarily on platters. trickle_fsync: true trickle_fsync_interval_in_kb: 10240 - + # TCP port, for commands and data # For security reasons, you should not expose this port to the internet. Firewall it if needed. storage_port: 7000 - + # SSL port, for encrypted communication. Unused unless enabled in # encryption_options # For security reasons, you should not expose this port to the internet. Firewall it if needed. ssl_storage_port: 7001 - + # Set listen_address OR listen_interface, not both. Interfaces must correspond # to a single address, IP aliasing is not supported. # listen_interface: eth0 - + # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address # you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4 # address will be used. If true the first ipv6 address will be used. Defaults to false preferring # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. # listen_interface_prefer_ipv6: false - + # Address to broadcast to other Cassandra nodes # Leaving this blank will set it to the same value as listen_address # broadcast_address: 1.2.3.4 - + # When using multiple physical network interfaces, set this # to true to listen on broadcast_address in addition to # the listen_address, allowing nodes to communicate in both @@ -3557,11 +3562,11 @@ # Ignore this property if the network configuration automatically # routes between the public and private networks such as EC2. # listen_on_broadcast_address: false - + # Internode authentication backend, implementing IInternodeAuthenticator; # used to allow/disallow connections from peer nodes. # internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator - + # Whether to start the native transport server. # Please note that the address on which the native transport is bound is the # same as the rpc_address. The port however is different and specified below. 
@@ -3587,40 +3592,40 @@ # be rejected as invalid. The default is 256MB. If you're changing this parameter, # you may want to adjust max_value_size_in_mb accordingly. This should be positive and less than 2048. # native_transport_max_frame_size_in_mb: 256 - + # The maximum number of concurrent client connections. # The default is -1, which means unlimited. # native_transport_max_concurrent_connections: -1 - + # The maximum number of concurrent client connections per source ip. # The default is -1, which means unlimited. # native_transport_max_concurrent_connections_per_ip: -1 - + # Whether to start the thrift rpc server. start_rpc: false - + # Set rpc_address OR rpc_interface, not both. Interfaces must correspond # to a single address, IP aliasing is not supported. # rpc_interface: eth1 - + # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address # you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4 # address will be used. If true the first ipv6 address will be used. Defaults to false preferring # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. # rpc_interface_prefer_ipv6: false - + # port for Thrift to listen for clients on rpc_port: 9160 - + # RPC address to broadcast to drivers and other Cassandra nodes. This cannot # be set to 0.0.0.0. If left blank, this will be set to the value of # rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must # be set. # broadcast_rpc_address: 1.2.3.4 - + # enable or disable keepalive on rpc/native connections rpc_keepalive: true - + # Cassandra provides two out-of-the-box options for the RPC Server: # # sync 
@@ -3642,7 +3647,7 @@ # Alternatively, can provide your own RPC server by providing the fully-qualified class name # of an o.a.c.t.TServerFactory that can create an instance of it. rpc_server_type: sync - + # Uncomment rpc_min|max_thread to set request pool size limits. # # Regardless of your choice of RPC server (see above), the number of maximum requests in the @@ -3655,11 +3660,11 @@ # # rpc_min_threads: 16 # rpc_max_threads: 2048 - + # uncomment to set socket buffer sizes on rpc connections # rpc_send_buff_size_in_bytes: # rpc_recv_buff_size_in_bytes: - + # Uncomment to set socket buffer size for internode communication # Note that when setting this, the buffer size is limited by net.core.wmem_max # and when not setting it it is defined by net.ipv4.tcp_wmem 
@@ -3670,33 +3675,33 @@ # /proc/sys/net/ipv4/tcp_wmem # and 'man tcp' # internode_send_buff_size_in_bytes: - + # Uncomment to set socket buffer size for internode communication # Note that when setting this, the buffer size is limited by net.core.wmem_max # and when not setting it it is defined by net.ipv4.tcp_wmem # internode_recv_buff_size_in_bytes: - + # Frame size for thrift (maximum message length). thrift_framed_transport_size_in_mb: 15 - + # Set to true to have Cassandra create a hard link to each sstable # flushed or streamed locally in a backups/ subdirectory of the # keyspace data. Removing these links is the operator's # responsibility. incremental_backups: false - + # Whether or not to take a snapshot before each compaction. Be # careful using this option, since Cassandra won't clean up the # snapshots for you. Mostly useful if you're paranoid when there # is a data format change. snapshot_before_compaction: false - + # Whether or not a snapshot is taken of the data before keyspace truncation - # or dropping of column families. The STRONGLY advised default of true + # or dropping of column families. The STRONGLY advised default of true # should be used to provide data safety. If you set this flag to false, you will # lose data on truncation or drop. auto_snapshot: true - + # Granularity of the collation index of rows within a partition. # Increase if your rows are large, or if you have a very large # number of rows per partition. The competing goals are these: @@ -3708,7 +3713,7 @@ # rows (as part of the key cache), so a larger granularity means # you can cache more hot rows column_index_size_in_kb: 64 - + # Per sstable indexed key cache entries (the collation index in memory # mentioned above) exceeding this size will not be held on heap. # This means that only partition information is held on heap and the 
@@ -3717,7 +3722,7 @@ # Note that this size refers to the size of the # serialized index information and not the size of the partition. column_index_cache_size_in_kb: 2 - + # Number of simultaneous compactions to allow, NOT including # validation "compactions" for anti-entropy repair. Simultaneous # compactions can help preserve read performance in a mixed read/write @@ -3729,11 +3734,11 @@ # # concurrent_compactors defaults to the smaller of (number of disks, # number of cores), with a minimum of 2 and a maximum of 8. - # + # # If your data directories are backed by SSD, you should increase this # to the number of cores. #concurrent_compactors: 1 - + # Throttles compaction to the given total throughput across the entire # system. The faster you insert data, the faster you need to compact in # order to keep the sstable count down, but in general, setting this to 
@@ -3741,27 +3746,27 @@ # Setting this to 0 disables throttling. Note that this account for all types # of compaction, including validation compaction. compaction_throughput_mb_per_sec: 16 - + # When compacting, the replacement sstable(s) can be opened before they # are completely written, and used in place of the prior sstables for - # any range that has been written. This helps to smoothly transfer reads + # any range that has been written. This helps to smoothly transfer reads # between the sstables, reducing page cache churn and keeping hot rows hot sstable_preemptive_open_interval_in_mb: 50 - + # Throttles all outbound streaming file transfers on this node to the # given total throughput in Mbps. This is necessary because Cassandra does # mostly sequential IO when streaming data during bootstrap or repair, which # can lead to saturating the network connection and degrading rpc performance. # When unset, the default is 200 Mbps or 25 MB/s. # stream_throughput_outbound_megabits_per_sec: 200 - + # Throttles all streaming file transfer between the datacenters, # this setting allows users to throttle inter dc stream throughput in addition # to throttling all network stream traffic as configured with # stream_throughput_outbound_megabits_per_sec # When unset, the default is 200 Mbps or 25 MB/s # inter_dc_stream_throughput_outbound_megabits_per_sec: 200 - + # How long the coordinator should wait for read operations to complete read_request_timeout_in_ms: 5000 # How long the coordinator should wait for seq or index scans to complete 
@@ -3779,22 +3784,22 @@ truncate_request_timeout_in_ms: 60000 # The default timeout for other, miscellaneous operations request_timeout_in_ms: 10000 - + # How long before a node logs slow queries. Select queries that take longer than # this timeout to execute, will generate an aggregated log message, so that slow queries # can be identified. Set this value to zero to disable slow query logging. slow_query_log_timeout_in_ms: 500 - + # Enable operation timeout information exchange between nodes to accurately # measure request timeouts. If disabled, replicas will assume that requests # were forwarded to them instantly by the coordinator, which means that - # under overload conditions we will waste that much extra time processing + # under overload conditions we will waste that much extra time processing # already-timed-out requests. # # Warning: before enabling this property make sure to ntp is installed # and the times are synchronized between the nodes. cross_node_timeout: false - + # Set keep-alive period for streaming # This node will send a keep-alive message periodically with this period. # If the node does not receive a keep-alive message from the peer for @@ -3802,11 +3807,11 @@ # Default value is 300s (5 minutes), which means stalled stream # times out in 10 minutes by default # streaming_keep_alive_period_in_secs: 300 - + # phi value that must be reached for a host to be marked down. # most users should never need to adjust this. # phi_convict_threshold: 8 - + # endpoint_snitch -- Set this to a class that implements # IEndpointSnitch. The snitch has two functions: # 
@@ -3871,10 +3876,10 @@ # You can use a custom Snitch by setting this to the full class name # of the snitch, which will be assumed to be on your classpath. endpoint_snitch: SimpleSnitch - + # controls how often to perform the more expensive part of host score # calculation - dynamic_snitch_update_interval_in_ms: 100 + dynamic_snitch_update_interval_in_ms: 100 # controls how often to reset all host scores, allowing a bad host to # possibly recover dynamic_snitch_reset_interval_in_ms: 600000 @@ -3886,7 +3891,7 @@ # 0.2 means Cassandra would continue to prefer the static snitch values # until the pinned host was 20% worse than the fastest. dynamic_snitch_badness_threshold: 0.1 - + # request_scheduler -- Set this to a class that implements # RequestScheduler, which will schedule incoming client requests # according to the specific policy. This is useful for multi-tenancy @@ -3899,7 +3904,7 @@ # request_scheduler_id. The scheduler is further customized by # request_scheduler_options as described below. request_scheduler: org.apache.cassandra.scheduler.NoScheduler - + # Scheduler Options vary based on the type of scheduler # # NoScheduler @@ -3908,7 +3913,7 @@ # RoundRobin # throttle_limit # The throttle_limit is the number of in-flight - # requests per client. Requests beyond + # requests per client. Requests beyond # that limit are queued up until # running requests can complete. # The value of 80 here is twice the number of @@ -3928,11 +3933,11 @@ # weights: # Keyspace1: 1 # Keyspace2: 5 - + # request_scheduler_id -- An identifier based on which to perform # the request scheduling. Currently the only valid option is keyspace. # request_scheduler_id: keyspace - + # Enable or disable inter-node encryption # JVM defaults for supported SSL socket protocols and cipher suites can # be replaced using custom encryption options. This is not recommended 
@@ -3965,7 +3970,7 @@ # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] # require_client_auth: false # require_endpoint_verification: false - + # enable or disable client/server encryption. client_encryption_options: enabled: false @@ -3982,7 +3987,7 @@ # algorithm: SunX509 # store_type: JKS # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - + # internode_compression controls whether traffic between nodes is # compressed. # Can be: 
@@ -3996,45 +4001,45 @@ # none # nothing is compressed. internode_compression: dc - + # Enable or disable tcp_nodelay for inter-dc communication. # Disabling it will result in larger (but fewer) network packets being sent, # reducing overhead from the TCP protocol itself, at the cost of increasing # latency if you block for cross-datacenter responses. inter_dc_tcp_nodelay: false - + # TTL for different trace types used during logging of the repair process. tracetype_query_ttl: 86400 tracetype_repair_ttl: 604800 - + # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level # This threshold can be adjusted to minimize logging if necessary # gc_log_threshold_in_ms: 200 - + # If unset, all GC Pauses greater than gc_log_threshold_in_ms will log at # INFO level # UDFs (user defined functions) are disabled by default. # As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code. enable_user_defined_functions: true - + # Enables scripted UDFs (JavaScript UDFs). # Java UDFs are always enabled, if enable_user_defined_functions is true. # Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider. # This option has no effect, if enable_user_defined_functions is false. enable_scripted_user_defined_functions: false - + # Enables materialized view creation on this node. # Materialized views are considered experimental and are not recommended for production use. enable_materialized_views: true - + # The default Windows kernel timer and scheduling resolution is 15.6ms for power conservation. # Lowering this value on Windows can provide much tighter latency and better throughput, however # some virtualized environments may see a negative performance impact from changing this setting # below their system default. The sysinternals 'clockres' tool can confirm your system's default # setting. windows_timer_interval: 1 - - + + # Enables encrypting data at-rest (on disk). 
Different key providers can be plugged in, but the default reads from # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by # the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys @@ -4054,19 +4059,19 @@ key_alias: testing:1 # CBC IV length for AES needs to be 16 bytes (which is also the default size) # iv_length: 16 - key_provider: + key_provider: - class_name: org.apache.cassandra.security.JKSKeyProvider - parameters: + parameters: - keystore: conf/.keystore keystore_password: cassandra store_type: JCEKS key_password: cassandra - - + + ##################### # SAFETY THRESHOLDS # ##################### - + # When executing a scan, within or across a partition, we need to keep the # tombstones seen in memory so we can return them to the coordinator, which # will use them to make sure other replicas also know about the deleted rows. 
@@ -4078,30 +4083,30 @@ # using the StorageService mbean. tombstone_warn_threshold: 1000 tombstone_failure_threshold: 100000 - + # Log WARN on any multiple-partition batch size exceeding this value. 5kb per batch by default. # Caution should be taken on increasing the size of this threshold as it can lead to node instability. batch_size_warn_threshold_in_kb: 5 - + # Fail any multiple-partition batch exceeding this value. 50kb (10x warn threshold) by default. batch_size_fail_threshold_in_kb: 50 - + # Log WARN on any batches not of type LOGGED than span across more partitions than this limit unlogged_batch_across_partitions_warn_threshold: 10 - + # Log a warning when compacting partitions larger than this value compaction_large_partition_warning_threshold_mb: 100 - + # GC Pauses greater than gc_warn_threshold_in_ms will be logged at WARN level # Adjust the threshold based on your application throughput requirement # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level gc_warn_threshold_in_ms: 1000 - + # Maximum size of any value in SSTables. Safety measure to detect SSTable corruption # early. Any value size larger than this threshold will result into marking an SSTable # as corrupted. This should be positive and less than 2048. # max_value_size_in_mb: 256 - + # Back-pressure settings # # If enabled, the coordinator will apply the back-pressure strategy specified below to each mutation # sent to replicas, with the aim of reducing pressure on overloaded replicas. @@ -4123,7 +4128,7 @@ - high_ratio: 0.90 factor: 5 flow: FAST - + # Coalescing Strategies # # Coalescing multiples messages turns out to significantly boost message processing throughput (think doubling or more). # On bare metal, the floor for packet processing throughput is high enough that many applications won't notice, but in 
@@ -4136,21 +4141,21 @@ # trip to read from a socket, and all the task submission work can be done at the same time reducing context switching # and increasing cache friendliness of network message processing. # See CASSANDRA-8692 for details. - + # Strategy to use for coalescing messages in OutboundTcpConnection. # Can be fixed, movingaverage, timehorizon, disabled (default). # You can also specify a subclass of CoalescingStrategies.CoalescingStrategy by name. # otc_coalescing_strategy: DISABLED - + # How many microseconds to wait for coalescing. For fixed strategy this is the amount of time after the first # message is received before it will be sent with any accompanying messages. For moving average this is the # maximum amount of time that will be waited as well as the interval at which messages must arrive on average # for coalescing to be enabled. # otc_coalescing_window_us: 200 - + # Do not try to coalesce messages if we already got that many messages. This should be more than 2 and less than 128. # otc_coalescing_enough_coalesced_messages: 8 - + # How many milliseconds to wait between two expiration runs on the backlog (queue) of the OutboundTcpConnection. # Expiration is done if messages are piling up in the backlog. Droppable messages are expired to free the memory # taken by expired messages. The interval should be between 0 and 1000, and in most installations the default value @@ -4159,7 +4164,7 @@ # An interval of 0 disables any wait time, which is the behavior of former Cassandra versions. # # otc_backlog_expiration_interval_ms: 200 - + cassandra::clusters: azure: cluster_name: SWH on Azure 
@@ -4204,3 +4209,35 @@ - localhost - "::1" +netbox::version: 2.9.3 +netbox::user: netbox +netbox::db::host: localhost +netbox::db::port: 5432 +netbox::db::database: netbox +netbox::db::username: netbox +# netbox::db::password: in private-data +netbox::mail::host: "%{lookup('smtp::relay_hostname')}" +netbox::mail::from: inventory@softwareheritage.org +netbox::redis::host: localhost +netbox::redis::port: 6379 +# netbox::redis::password in private-data +# netbox::redis_cache::password in private-data +# netbox::secret_key in private-data +netbox::admin::email: sysop+netbox@softwareheritage.org +# netbox::admin::password in private-data +# netbox::admin::api_token in private-data +netbox::webhook_enabled: true +netbox::gunicorn::binding: 127.0.0.1 +netbox::gunicorn::port: 8001 + +# TODO tune this +netbox::allowed_hosts: + - "*" + - "localhost" + +netbox::vhost::letsencrypt_cert: netbox +netbox::vhost::name: inventory.softwareheritage.org +netbox::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" +netbox::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" +netbox::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" +netbox::vhost::hsts_header: "%{hiera('apache::hsts_header')}" diff --git a/data/vagrant/inventory.internal.softwareheritage.org.yaml b/data/vagrant/inventory.internal.softwareheritage.org.yaml new file mode 100644 --- /dev/null +++ b/data/vagrant/inventory.internal.softwareheritage.org.yaml @@ -0,0 +1,4 @@ +networks: + eth0: + # vagrant admin interface + type: dhcp diff --git a/manifests/site.pp b/manifests/site.pp --- a/manifests/site.pp +++ b/manifests/site.pp @@ -179,6 +179,10 @@ include role::swh_journal_allinone } +node 'inventory.internal.softwareheritage.org' { + include role::swh_netbox +} + node default { include role::swh_base } diff --git a/site-modules/profile/manifests/netbox.pp b/site-modules/profile/manifests/netbox.pp new file mode 100644 --- /dev/null +++ b/site-modules/profile/manifests/netbox.pp 
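Review bot: `netbox::allowed_hosts` ships with `"*"`, which switches off Django's Host-header validation for the deployed instance, so whatever Host value a client sends is accepted and reflected wherever NetBox builds absolute URLs from the request; the `# TODO tune this` comment flags it, but the wildcard is what this change actually deploys. Both hostnames are already fixed in this hunk (`netbox::vhost::name` and the node's `netbox:` domain), so the list can be closed now: `netbox::allowed_hosts:` / `  - inventory.softwareheritage.org` / `  - inventory.internal.softwareheritage.org`, keeping `localhost` only if something is expected to probe gunicorn on `127.0.0.1:8001` directly. If the wildcard has to stay for the vagrant box, scope it to the vagrant node's data rather than `defaults.yaml`.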
@@ -0,0 +1,189 @@ +# deploy a netbox instance +class profile::netbox { + + $version = lookup('netbox::version') + $netbox_user = lookup('netbox::user') + $db_host = lookup('netbox::db::host') + $db_port = lookup('netbox::db::port') + $db_database = lookup('netbox::db::database') + $db_username = lookup('netbox::db::username') + $db_password = lookup('netbox::db::password') + $secret_key = lookup('netbox::secret_key') + $allowed_hosts = lookup('netbox::allowed_hosts') + $redis_host = lookup('netbox::redis::host') + $redis_port = lookup('netbox::redis::port') + $redis_password = lookup('netbox::redis::password') + $smtp_host = lookup('netbox::mail::host') + $email_from = lookup('netbox::mail::from') + $gunicorn_binding = lookup('netbox::gunicorn::binding') + $gunicorn_port = lookup('netbox::gunicorn::port') + + $archive_url = "https://github.com/netbox-community/netbox/archive/v${version}.tar.gz" + $archive_path = "/opt/netbox-v${version}.tar.gz" + $install_path = "/opt/netbox-${version}" + $netbox_home = '/opt/netbox' + $upgrade_flag_path = "${netbox_home}/.upgrade_done" + + ensure_packages ('python3-venv') + + include ::postgresql::server + + ::postgresql::server::db {$db_database: + user => $db_username, + password => postgresql_password($db_username, $db_password) + } + + class { '::redis' : + requirepass => $redis_password, + bind => '127.0.0.1', + port => $redis_port, + } + + user {$netbox_user: + ensure => present, + system => true, + shell => '/bin/bash', + home => $netbox_home, + } + + exec { 'netbox-archive' : + command => "wget --quiet ${archive_url} -O ${archive_path}", + path => '/usr/bin', + creates => $install_path, + notify => Exec['extract-netbox-archive'], + } + + exec { 'extract-netbox-archive' : + command => "tar xvzf ${archive_path}", + cwd => '/opt/', + creates => $install_path, + refreshonly => true, + path => '/usr/bin', + notify => Exec['netbox-update-files-owner'], + } + + file { $netbox_home : + ensure => link, + target => $install_path, + 
owner => $netbox_user, + group => $netbox_user, + require => User[$netbox_user], + } + + exec { 'netbox-update-files-owner' : + command => "chown -R netbox:netbox ${install_path}", + path => '/usr/bin', + refreshonly => true, + require => User[$netbox_user], + notify => Exec['netbox-upgrade'] + } + + file { 'netbox-configuration': + ensure => present, + path => "${netbox_home}/netbox/netbox/configuration.py", + owner => $netbox_user, + group => $netbox_user, + content => template('profile/netbox/configuration.py.erb'), + require => User[$netbox_user], + notify => Service['netbox'], + } + + file { 'netbox-gunicorn-config': + ensure => present, + path => "${netbox_home}/gunicorn.py", + owner => $netbox_user, + group => $netbox_user, + content => template('profile/netbox/gunicorn.py.erb'), + require => User[$netbox_user], + notify => Service['netbox'], + } + + exec { 'netbox-upgrade': + command => "${netbox_home}/upgrade.sh", + cwd => $netbox_home, + creates => $upgrade_flag_path, + require => File['netbox-configuration'], + notify => Exec['netbox-flag-upgrade-done'], + } + + exec {'netbox-flag-upgrade-done': + command => "touch ${upgrade_flag_path}", + path => '/usr/bin', + refreshonly => true, + } + + ::systemd::unit_file {'netbox.service': + ensure => present, + content => template('profile/netbox/netbox.service.erb'), + } ~> service {'netbox': + ensure => 'running', + enable => true, + require => File['netbox-gunicorn-config'] + } + + $vhost_name = lookup('netbox::vhost::name') + $cert_name = lookup('netbox::vhost::letsencrypt_cert') + $vhost_docroot = "${netbox_home}/netbox" + $vhost_ssl_protocol = lookup('netbox::vhost::ssl_protocol') + $vhost_ssl_honorcipherorder = lookup('netbox::vhost::ssl_honorcipherorder') + $vhost_ssl_cipher = lookup('netbox::vhost::ssl_cipher') + $vhost_hsts_header = lookup('netbox::vhost::hsts_header') + + include ::profile::apache::common + + ::apache::vhost {"${vhost_name}_non-ssl": + servername => $vhost_name, + port => '80', + 
docroot => $vhost_docroot, + manage_docroot => false, + redirect_status => 'permanent', + redirect_dest => "https://${vhost_name}/", + } + + ::profile::letsencrypt::certificate {$vhost_name:} + $cert_paths = ::profile::letsencrypt::certificate_paths($vhost_name) + + ::apache::vhost {"${vhost_name}_ssl": + servername => $vhost_name, + port => '443', + ssl => true, + ssl_protocol => $vhost_ssl_protocol, + ssl_honorcipherorder => $vhost_ssl_honorcipherorder, + ssl_cipher => $vhost_ssl_cipher, + ssl_cert => $cert_paths['cert'], + ssl_chain => $cert_paths['chain'], + ssl_key => $cert_paths['privkey'], + headers => [$vhost_hsts_header], + docroot => $vhost_docroot, + manage_docroot => false, + directories => [ + { + 'path' => $vhost_docroot, + 'require' => 'all granted', + 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], + }, + ], + proxy_pass => [ + { path => '/static', + url => '!', + }, + { path => '/', + url => "http://${gunicorn_binding}:${gunicorn_port}/", + }, + ], + aliases => [ + { alias => '/static', + path => "${netbox_home}/netbox/static", + }, + ], + require => [ + File[$ssl_cert], + File[$ssl_chain], + File[$ssl_key], + ], + } + + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + + +} diff --git a/site-modules/profile/templates/netbox/configuration.py.erb b/site-modules/profile/templates/netbox/configuration.py.erb new file mode 100644 --- /dev/null +++ b/site-modules/profile/templates/netbox/configuration.py.erb 
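Review bot: `netbox-archive` fetches the release tarball from GitHub with `wget` and `extract-netbox-archive` unpacks it with no integrity check, so a moved or tampered release (or anything between the host and github.com) silently becomes the deployed code; pin the digest in hiera (`$archive_sha256 = lookup('netbox::archive_sha256')`) and make the download fail before it can notify the extraction: `command => "wget --quiet ${archive_url} -O ${archive_path} && echo '${archive_sha256}  ${archive_path}' | sha256sum -c --quiet"`. Two further points in the same hunk: the `_ssl` vhost's `require` references `File[$ssl_cert]`, `File[$ssl_chain]` and `File[$ssl_key]`, variables that are never assigned in this class (the paths live in `$cert_paths`), so this is at best undef titles and at worst a catalog failure; use `File[$cert_paths['cert']]`, `File[$cert_paths['chain']]`, `File[$cert_paths['privkey']]`, or drop the array since the `~>` chain on the next line already orders the files before Apache. And `netbox-configuration` renders the DB password, the Redis password and `SECRET_KEY` into `configuration.py` without a `mode`, so the file is created with the agent's default umask (typically 0644, i.e. readable by every local user); add `mode => '0640'` there, and consider `user => $netbox_user` on `netbox-upgrade`, which currently runs `upgrade.sh` (a pip install plus migrations) as root.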
@@ -0,0 +1,257 @@ +######################### +# # +# Required settings # +# # +######################### + +# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write +# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. +# +# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] +ALLOWED_HOSTS = [ +<%- @allowed_hosts.each do |host| -%> +"<%= host %>", +<%- end -%>] + +# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters: +# https://docs.djangoproject.com/en/stable/ref/settings/#databases +DATABASE = { + 'NAME': '<%= @db_database %>', # Database name + 'USER': '<%= @db_username %>', # PostgreSQL username + 'PASSWORD': '<%= @db_password %>', # PostgreSQL password + 'HOST': '<%= @db_host %>', # Database server + 'PORT': '<%= @db_port %>', # Database port (leave blank for default) + 'CONN_MAX_AGE': 300, # Max database connection age +} + +# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate +# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended +# to use two separate database IDs. 
+REDIS = { + 'tasks': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'PASSWORD': '<%= @redis_password %>', + 'DATABASE': 0, + 'DEFAULT_TIMEOUT': 300, + 'SSL': False, + }, + 'caching': { + 'HOST': 'localhost', + 'PORT': 6379, + # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel + # 'SENTINELS': [('mysentinel.redis.example.com', 6379)], + # 'SENTINEL_SERVICE': 'netbox', + 'PASSWORD': '<%= @redis_password %>', + 'DATABASE': 1, + 'DEFAULT_TIMEOUT': 300, + 'SSL': False, + } +} + +# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. +# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and +# symbols. NetBox will not run without this defined. For more information, see +# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY +SECRET_KEY = '<%= @secret_key %>' + + +######################### +# # +# Optional settings # +# # +######################### + +# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of +# application errors (assuming correct email settings are provided). +ADMINS = [ + # ['John Doe', 'jdoe@example.com'], +] + +# URL schemes that are allowed within links in NetBox +ALLOWED_URL_SCHEMES = ( + 'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp', +) + +# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same +# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP. +BANNER_TOP = '' +BANNER_BOTTOM = '' + +# Text to include on the login page above the login form. HTML is allowed. 
+BANNER_LOGIN = '' + +# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: +# BASE_PATH = 'netbox/' +BASE_PATH = '' + +# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes) +CACHE_TIMEOUT = 900 + +# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90) +CHANGELOG_RETENTION = 90 + +# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be +# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or +# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers +CORS_ORIGIN_ALLOW_ALL = False +CORS_ORIGIN_WHITELIST = [ + # 'https://hostname.example.com', +] +CORS_ORIGIN_REGEX_WHITELIST = [ + # r'^(https?://)?(\w+\.)?example\.com$', +] + +# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal +# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging +# on a production system. +DEBUG = False + +# Email settings +EMAIL = { + 'SERVER': '<%= @smtp_host %>', + 'PORT': 25, + 'USERNAME': '', + 'PASSWORD': '', + 'USE_SSL': False, + 'USE_TLS': False, + 'TIMEOUT': 10, # seconds + 'FROM_EMAIL': '<%= @email_from %>', +} + +# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table +# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True. +ENFORCE_GLOBAL_UNIQUE = False + +# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and +# by anonymous users. List models in the form `.`. Add '*' to this list to exempt all models. 
+EXEMPT_VIEW_PERMISSIONS = [ + # 'dcim.site', + # 'dcim.region', + # 'ipam.prefix', +] + +# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks). +# HTTP_PROXIES = { +# 'http': 'http://10.10.1.10:3128', +# 'https': 'http://10.10.1.10:1080', +# } + +# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing +# NetBox from an internal IP. +INTERNAL_IPS = ('127.0.0.1', '::1') + +# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: +# https://docs.djangoproject.com/en/stable/topics/logging/ +LOGGING = {} + +# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users +# are permitted to access most data in NetBox (excluding secrets) but not make any changes. +LOGIN_REQUIRED = False + +# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to +# re-authenticate. (Default: 1209600 [14 days]) +LOGIN_TIMEOUT = None + +# Setting this to True will display a "maintenance mode" banner at the top of every page. +MAINTENANCE_MODE = False + +# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g. +# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request +# all objects by specifying "?limit=0". +MAX_PAGE_SIZE = 1000 + +# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that +# the default value of this setting is derived from the installed location. +MEDIA_ROOT = '<%= @netbox_home %>/netbox/media' + +# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the +# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. 
For example: +# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage' +# STORAGE_CONFIG = { +# 'AWS_ACCESS_KEY_ID': 'Key ID', +# 'AWS_SECRET_ACCESS_KEY': 'Secret', +# 'AWS_STORAGE_BUCKET_NAME': 'netbox', +# 'AWS_S3_REGION_NAME': 'eu-west-1', +# } + +# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics' +METRICS_ENABLED = True + +# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM. +NAPALM_USERNAME = '' +NAPALM_PASSWORD = '' + +# NAPALM timeout (in seconds). (Default: 30) +NAPALM_TIMEOUT = 30 + +# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must +# be provided as a dictionary. +NAPALM_ARGS = {} + +# Determine how many objects to display per page within a list. (Default: 50) +PAGINATE_COUNT = 50 + +# Enable installed plugins. Add the name of each plugin to the list. +PLUGINS = [] + +# Plugins configuration settings. These settings are used by various plugins that the user may have installed. +# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings. +# PLUGINS_CONFIG = { +# 'my_plugin': { +# 'foo': 'bar', +# 'buzz': 'bazz' +# } +# } + +# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to +# prefer IPv4 instead. +PREFER_IPV4 = False + +# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1. +RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22 +RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220 + +# Remote authentication support +REMOTE_AUTH_ENABLED = False +REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' +REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER' +REMOTE_AUTH_AUTO_CREATE_USER = True +REMOTE_AUTH_DEFAULT_GROUPS = [] +REMOTE_AUTH_DEFAULT_PERMISSIONS = {} + +# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour. 
+RELEASE_CHECK_TIMEOUT = 24 * 3600 + +# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the +# version check or use the URL below to check for release in the official NetBox repository. +RELEASE_CHECK_URL = None +# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases' + +# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +REPORTS_ROOT = '<%= @netbox_home %>/netbox/reports' + +# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of +# this setting is derived from the installed location. +SCRIPTS_ROOT = '<%= @netbox_home %>/netbox/scripts' + +# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use +# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only +# database access.) Note that the user as which NetBox runs must have read and write permissions to this path. +SESSION_FILE_PATH = None + +# Time zone (default: UTC) +TIME_ZONE = 'UTC' + +# Date/time formatting. See the following link for supported formats: +# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date +DATE_FORMAT = 'N j, Y' +SHORT_DATE_FORMAT = 'Y-m-d' +TIME_FORMAT = 'g:i a' +SHORT_TIME_FORMAT = 'H:i:s' +DATETIME_FORMAT = 'N j, Y g:i a' +SHORT_DATETIME_FORMAT = 'Y-m-d H:i' diff --git a/site-modules/profile/templates/netbox/gunicorn.py.erb b/site-modules/profile/templates/netbox/gunicorn.py.erb new file mode 100644 --- /dev/null +++ b/site-modules/profile/templates/netbox/gunicorn.py.erb 
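Review bot: `LOGIN_REQUIRED = False` leaves everything except secrets readable by anonymous users (the template's own comment says so), and this configuration is served from `inventory.softwareheritage.org` over a Let's Encrypt certificate on port 443, i.e. a public name, so the infrastructure inventory would be world-readable by default; set `LOGIN_REQUIRED = True` unless public read access is an explicit decision, and check whether `/metrics` (`METRICS_ENABLED = True`) is covered by that setting in this NetBox release, since a Prometheus endpoint is otherwise reachable unauthenticated. Separately, the `REDIS` block hard-codes `'HOST': 'localhost'` and `'PORT': 6379` in both the `tasks` and `caching` sections even though the manifest looks up `netbox::redis::host` / `netbox::redis::port` and binds the Redis server to the looked-up port, so changing the port in hiera moves Redis but not NetBox; render `'HOST': '<%= @redis_host %>',` and `'PORT': <%= @redis_port %>,` instead. The manifest also looks up only `netbox::redis::password` and the template uses it for both sections, so the `netbox::redis_cache::password` key advertised in hiera is never consumed; either wire it into the `caching` section or drop the comment so nobody assumes the two stores are separately protected.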
@@ -0,0 +1,17 @@
+
+# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
+bind = '<%= @gunicorn_binding %>:<%= @gunicorn_port %>'
+
+# Number of gunicorn workers to spawn. This should typically be 2n+1, where
+# n is the number of CPU cores present.
+workers = 2
+
+# Number of threads per worker process
+threads = 3
+
+# Timeout (in seconds) for a request to complete
+timeout = 120
+
+# The maximum number of requests a worker can handle before being respawned
+max_requests = 5000
+max_requests_jitter = 500
diff --git a/site-modules/profile/templates/netbox/netbox.service.erb b/site-modules/profile/templates/netbox/netbox.service.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/netbox/netbox.service.erb
@@ -0,0 +1,22 @@
+[Unit]
+Description=NetBox WSGI Service
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+PIDFile=/var/tmp/netbox.pid
+WorkingDirectory=<%= @netbox_home %>
+
+ExecStart=<%= @netbox_home %>/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath <%= @netbox_home %>/netbox --config <%= @netbox_home %>/gunicorn.py netbox.wsgi
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site-modules/role/manifests/swh_netbox.pp b/site-modules/role/manifests/swh_netbox.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/role/manifests/swh_netbox.pp
@@ -0,0 +1,7 @@
+# Netbox template
+class role::swh_netbox inherits role::swh_server {
+ include profile::postgresql
+
+ include profile::netbox
+
+}
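Review bot: `PIDFile=/var/tmp/netbox.pid` combined with `PrivateTmp=true` is inconsistent: gunicorn writes its pid file into the unit's private `/var/tmp`, while systemd resolves `PIDFile` in the host namespace, so it will most likely never see the file (harmless with `Type=simple`, but it yields a misleading warning and parks a pid file in a world-writable directory). Prefer a runtime directory owned by the service user: `RuntimeDirectory=netbox`, `PIDFile=/run/netbox/netbox.pid`, and `--pid /run/netbox/netbox.pid` in `ExecStart`. The unit also runs a network-facing WSGI process with no hardening at all; `NoNewPrivileges=true`, `ProtectHome=true` and `ProtectSystem=full` are safe here, since `full` leaves `/opt` — and therefore the `MEDIA_ROOT` under `<%= @netbox_home %>` — writable. Note too that `User=netbox`/`Group=netbox` are hard-coded while the manifest looks up `netbox::user`; rendering `<%= @netbox_user %>` keeps the two from drifting.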