diff --git a/netbox.tf b/netbox.tf index 2f048f9..6002906 100644 --- a/netbox.tf +++ b/netbox.tf @@ -1,17 +1,20 @@ # Docker images in use data "docker_registry_image" "netbox" { - name = "docker.io/netboxcommunity/netbox:v4.0-2.9.1" + name = "netboxcommunity/netbox:v4.0-2.9.1" } data "docker_registry_image" "netbox_postgres" { - name = "docker.io/postgres:16-alpine" + name = "postgres:16-alpine" } data "docker_registry_image" "netbox_redis" { - name = "docker.io/redis:7-alpine" + name = "redis:7-alpine" } # Docker Network resource "docker_network" "netbox" { - name = "netbox" + name = "netbox" + driver = "overlay" + attachable = true + ipam_driver = "default" } # Docker Volumes @@ -39,54 +42,64 @@ resource "docker_volume" "netbox_cache" { # Configs resource "random_password" "postgres_password" { - length = 32 + length = 32 special = false } resource "random_password" "redis_password" { - length = 32 + length = 32 + special = false +} +resource "random_password" "redis_cache_password" { + length = 32 + special = false +} +resource "random_password" "secret_key" { + length = 50 special = false } locals { - CORS_ORIGIN_ALLOW_ALL = true + netbox_conf = { + CORS_ORIGIN_ALLOW_ALL = true - DB_HOST=docker_service.netbox_postgres.name - DB_NAME="netbox" - DB_PASSWORD = nonsensitive(random_password.postgres_password.result) - DB_USER="netbox" + DB_HOST = docker_service.netbox_postgres.name + DB_NAME = "netbox" + DB_PASSWORD = nonsensitive(random_password.postgres_password.result) + DB_USER = "netbox" - EMAIL_FROM="netbox@bar.com" - EMAIL_PASSWORD="" - EMAIL_PORT=25 - EMAIL_SERVER="localhost" - EMAIL_SSL_CERTFILE="" - EMAIL_SSL_KEYFILE="" - EMAIL_TIMEOUT=5 - EMAIL_USERNAME="netbox" - # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`! - EMAIL_USE_SSL=false - EMAIL_USE_TLS=false + EMAIL_FROM = "netbox@bar.com" + EMAIL_PASSWORD = "" + EMAIL_PORT = 25 + EMAIL_SERVER = "localhost" + EMAIL_SSL_CERTFILE = "" + EMAIL_SSL_KEYFILE = "" + EMAIL_TIMEOUT = 5 + EMAIL_USERNAME = "netbox" + # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`! + EMAIL_USE_SSL = "false" + EMAIL_USE_TLS = "false" - GRAPHQL_ENABLED=true - HOUSEKEEPING_INTERVAL=86400 - MEDIA_ROOT="/opt/netbox/netbox/media" - METRICS_ENABLED=false + GRAPHQL_ENABLED = "true" + HOUSEKEEPING_INTERVAL = 86400 + MEDIA_ROOT = "/opt/netbox/netbox/media" + METRICS_ENABLED = "false" - REDIS_CACHE_DATABASE=1 - REDIS_CACHE_HOST=docker_service.netbox_redis_cache.name - REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY=false - REDIS_CACHE_PASSWORD=nonsensitive(random_password.redis_password.result) - REDIS_CACHE_SSL=false + REDIS_DATABASE = 0 + REDIS_HOST = docker_service.netbox_redis.name + REDIS_INSECURE_SKIP_TLS_VERIFY = "false" + //REDIS_PASSWORD = nonsensitive(random_password.redis_password.result) + REDIS_SSL = "false" - REDIS_DATABASE=0 - REDIS_HOST=docker_service.netbox_redis.name - REDIS_INSECURE_SKIP_TLS_VERIFY=false - REDIS_PASSWORD=nonsensitive(random_password.redis_password.result) - REDIS_SSL=false + REDIS_CACHE_DATABASE = 1 + REDIS_CACHE_HOST = docker_service.netbox_redis_cache.name + REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY = "false" + //REDIS_CACHE_PASSWORD = nonsensitive(random_password.redis_cache_password.result) + REDIS_CACHE_SSL = "false" - RELEASE_CHECK_URL="https://api.github.com/repos/netbox-community/netbox/releases" - SECRET_KEY="r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X" - SKIP_SUPERUSER=true - WEBHOOKS_ENABLED=true + RELEASE_CHECK_URL = "https://api.github.com/repos/netbox-community/netbox/releases" + SECRET_KEY = nonsensitive(random_password.secret_key.result) + SKIP_SUPERUSER = "true" + WEBHOOKS_ENABLED = "true" + } } # Services @@ -95,12 +108,13 @@ resource "docker_service" "netbox" { task_spec { container_spec { image = "${data.docker_registry_image.netbox.name}@${data.docker_registry_image.netbox.sha256_digest}" - user = "unit:root" + user = "unit:root" + env = local.netbox_conf healthcheck { - test = ["CMD-SHELL", "curl -f http://localhost:8080/login/ || exit 1"] - interval = "15s" - timeout = "3s" - start_period = "60s" + test = ["CMD-SHELL", "curl -f http://localhost:8080/login/ || exit 1"] + interval = "15s" + timeout = "3s" + start_period = "2m" } mounts { target = "/etc/netbox/config" @@ -135,18 +149,34 @@ resource "docker_service" "netbox" { window = "0s" } } + endpoint_spec { + ports { + protocol = "tcp" + publish_mode = "ingress" + target_port = 8080 + } + } + converge_config { + timeout = "2m" + } + depends_on = [ + docker_service.netbox_postgres, + docker_service.netbox_redis, + docker_service.netbox_redis_cache, + ] } resource "docker_service" "netbox_worker" { name = "netbox-worker" task_spec { container_spec { - image = "${data.docker_registry_image.netbox.name}@${data.docker_registry_image.netbox.sha256_digest}" - user = "unit:root" - command = ["/opt/netbox/venv/bin/python", "/opt/netbox/netbox/manage.py", "rqworker",] + image = "${data.docker_registry_image.netbox.name}@${data.docker_registry_image.netbox.sha256_digest}" + user = "unit:root" + env = local.netbox_conf + command = ["/opt/netbox/venv/bin/python", "/opt/netbox/netbox/manage.py", "rqworker", ] healthcheck { - test = ["CMD-SHELL", "ps -aux | grep -v grep | grep -q rqworker || exit 1"] - interval = "15s" - timeout = "3s" + test = ["CMD-SHELL", "ps -aux | grep -v grep | grep -q rqworker || exit 1"] + interval = "15s" + timeout = "3s" start_period = "20s" } mounts { @@ -179,18 +209,25 @@ resource "docker_service" "netbox_worker" { window = "0s" } } + converge_config { + timeout = "2m" + } + depends_on = [ + docker_service.netbox + ] } resource "docker_service" "netbox_housekeeping" { name = "netbox-housekeeping" task_spec { container_spec { - image = "${data.docker_registry_image.netbox.name}@${data.docker_registry_image.netbox.sha256_digest}" - user = "unit:root" - command = ["/opt/netbox/housekeeping.sh",] + image = "${data.docker_registry_image.netbox.name}@${data.docker_registry_image.netbox.sha256_digest}" + user = "unit:root" + env = local.netbox_conf + command = ["/opt/netbox/housekeeping.sh", ] healthcheck { - test = ["CMD-SHELL", "ps -aux | grep -v grep | grep -q housekeeping || exit 1"] - interval = "15s" - timeout = "3s" + test = ["CMD-SHELL", "ps -aux | grep -v grep | grep -q housekeeping || exit 1"] + interval = "15s" + timeout = "3s" start_period = "20s" } mounts { @@ -223,6 +260,12 @@ resource "docker_service" "netbox_housekeeping" { window = "0s" } } + converge_config { + timeout = "2m" + } + depends_on = [ + docker_service.netbox + ] } # Netbox Postgres Database @@ -240,7 +283,6 @@ resource "docker_service" "netbox_postgres" { POSTGRES_DB = "netbox" POSTGRES_USER = "netbox" POSTGRES_PASSWORD = random_password.postgres_password.result - } } networks_advanced { @@ -252,6 +294,9 @@ resource "docker_service" "netbox_postgres" { window = "0s" } } + converge_config { + timeout = "2m" + } } # Netbox Redis @@ -260,11 +305,21 @@ resource "docker_service" "netbox_redis" { task_spec { container_spec { image = "${data.docker_registry_image.netbox_redis.name}@${data.docker_registry_image.netbox_redis.sha256_digest}" - command = ["sh", "-c", "redis-server","--appendonly","yes", "--requirepass", random_password.redis_password.result, ] + command = [ + "sh", "-c", + "redis-server", + "--appendonly", "yes", + //"--requirepass", nonsensitive(random_password.redis_password.result), + ] mounts { target = "/data" type = "volume" - source = docker_volume.netbox_database.name + source = docker_volume.netbox_redis.name + } + healthcheck { + test = ["CMD", "sh", "-c", "redis-cli", "PING"] + interval = "5s" + timeout = "3s" } } networks_advanced { @@ -276,17 +331,29 @@ resource "docker_service" "netbox_redis" { window = "0s" } } + converge_config { + timeout = "2m" + } } resource "docker_service" "netbox_redis_cache" { name = "netbox-redis-cache" task_spec { container_spec { image = "${data.docker_registry_image.netbox_redis.name}@${data.docker_registry_image.netbox_redis.sha256_digest}" - command = ["sh", "-c", "redis-server", "--requirepass", random_password.redis_password.result, ] + command = [ + "sh", "-c", + "redis-server", + //"--requirepass", nonsensitive(random_password.redis_cache_password.result), + ] mounts { target = "/data" type = "volume" - source = docker_volume.netbox_database.name + source = docker_volume.netbox_cache.name + } + healthcheck { + test = ["CMD", "sh", "-c", "redis-cli", "PING"] + interval = "5s" + timeout = "3s" } } networks_advanced { @@ -298,4 +365,23 @@ resource "docker_service" "netbox_redis_cache" { window = "0s" } } -} \ No newline at end of file + converge_config { + timeout = "2m" + } +} + +# Set up some nginx bits for it +module "netbox_nginx_config" { + # tflint-ignore: terraform_module_pinned_source + source = "git::https://code.techinc.nl/grey/terraform-nginx.git//nginx-site-available" + hostname = "netbox.california.ti" + //certificate = acme_certificate.ooo_grey["s3"] + service_name = docker_service.netbox.name + upstream_host = "${docker_service.netbox.name}:8080" + config_prefix = "nginx" + allow_non_ssl = true + allow_ssl = false + depends_on = [ + docker_service.netbox + ] +} diff --git a/nginx.tf b/nginx.tf index 0bd6f67..9589bec 100644 --- a/nginx.tf +++ b/nginx.tf @@ -17,9 +17,10 @@ module "nginx" { module.minio.nginx_files, module.vigil_nginx_config.files, module.videobucket_nginx_config.files, + //module.netbox_nginx_config.files, ) networks = [ docker_network.loadbalancer, ] - replicas = 1 + replicas = 2 } diff --git a/video-bucket.tf b/video-bucket.tf index 90f4ec9..75e4478 100644 --- a/video-bucket.tf +++ b/video-bucket.tf @@ -33,6 +33,10 @@ EOF resource "docker_config" "video_bucket_config" { name = "video_bucket_config_${substr(md5(local.video_bucket_config), 0, 7)}" data = base64encode(local.video_bucket_config) + lifecycle { + ignore_changes = [name] + create_before_destroy = true + } } module "videobucket_nginx_config" { # tflint-ignore: terraform_module_pinned_source