Today I’m diving into Netbox, a tool designed to help you keep track of your network infrastructure. Netbox is a database of relationships, showing you what is connected where, all of your equipment, IP addresses and prefixes, etc.

We’ve got a LOT to install today! So hold on tight and follow along. You’ll probably also want to run apt update && apt full-upgrade -y before we start, just to make sure the system is fully up to date.

If you want to do one big apt install and skip the rest, here it is:

# Update
apt update
# Install everything
apt install -y sudo postgresql redis-server python3 python3-pip python3-venv python3-dev build-essential libxml2-dev libxslt1-dev libffi-dev libpq-dev libssl-dev zlib1g-dev git
# Does not include Caddy and their repo

Postgres

First install it:

apt update
apt install -y postgresql sudo

Next, log in as the postgres user (sudo -u postgres psql) and run this SQL to create the database. You need to copy these commands one at a time into the prompt!

CREATE DATABASE netbox;
CREATE USER netbox WITH PASSWORD 'CorrectHorseBatteryStaple';
ALTER DATABASE netbox OWNER TO netbox;
\connect netbox;
GRANT CREATE ON SCHEMA public TO netbox;
\q

Whew! First step done

Redis

Now more stuff to install!

apt install -y redis-server

You can test it with redis-cli ping, but that’s it, it’s done.

Netbox

More shell stuff to copy:

#Install everything we need
apt install -y python3 python3-pip python3-venv python3-dev build-essential libxml2-dev libxslt1-dev libffi-dev libpq-dev libssl-dev zlib1g-dev git
#Clone netbox into its new home (master should have latest stable release)
cd /opt
git clone -b master --depth 1 https://github.com/netbox-community/netbox.git
#Create a system user for netbox to run as
adduser --system --group netbox
#Chown the netbox subdirs to the netbox user
chown -R netbox /opt/netbox/netbox/{media,reports,scripts}/
#Copy example config as running config
#Dear god guys can you stop nesting netbox folders??
cp /opt/netbox/netbox/netbox/configuration_example.py /opt/netbox/netbox/netbox/configuration.py

Now, before we edit the config file, let’s generate a random secret key (and copy it for later) by running /opt/netbox/netbox/generate_secret_key.py. Then we can edit the config file (nano /opt/netbox/netbox/netbox/configuration.py) and change our settings. Here’s what I modified (this is a diff):

--- configuration_example.py
+++ configuration.py
@@ -8,15 +8,15 @@
 # access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
 #
 # Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['netbox.palnet.net']
 
 # PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
 #   https://docs.djangoproject.com/en/stable/ref/settings/#databases
 DATABASE = {
     'ENGINE': 'django.db.backends.postgresql',  # Database engine
     'NAME': 'netbox',         # Database name
-    'USER': '',               # PostgreSQL username
-    'PASSWORD': '',           # PostgreSQL password
+    'USER': 'netbox',         # PostgreSQL username
+    'PASSWORD': 'CorrectHorseBatteryStaple',           # PostgreSQL password
     'HOST': 'localhost',      # Database server
     'PORT': '',               # Database port (leave blank for default)
     'CONN_MAX_AGE': 300,      # Max database connection age
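
Review bot: The added 'PASSWORD' line stores the database password in plain text and reuses the sample value from the CREATE USER step, so an install that follows the post verbatim ends up with a published credential. Use a unique, randomly generated password in both places, and because configuration.py now holds a secret, restrict the file so that only root and the netbox service account can read it.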
@@ -64,7 +64,7 @@
 # For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
 # symbols. NetBox will not run without this defined. For more information, see
 # https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
-SECRET_KEY = ''
+SECRET_KEY = 'w!13OYWS!o2Or156)-!Ld^!9BZAKYrGFAeHGV=XnGYuM!!v*hk'
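
Review bot: The SECRET_KEY literal on the added line is published with this post and must not be reused on a real install. Each deployment should paste in the output of its own run of generate_secret_key.py, and the same file-permission point as for the database password applies, since this line is also a secret.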

And finally, we can run the actual install script:

/opt/netbox/upgrade.sh

Create Superuser

Even after installing, we still need to create a superuser for our new site:

source /opt/netbox/venv/bin/activate
cd /opt/netbox/netbox
python3 manage.py createsuperuser
deactivate

Housekeeping Task

We could create a systemd timer unit for this, but I’m tired at this point and just want to get it done. So we are putting this entry in cron.daily:

ln -s /opt/netbox/contrib/netbox-housekeeping.sh /etc/cron.daily/netbox-housekeeping

Test It

Here’s a way to test it if you want to (you probably should):

source /opt/netbox/venv/bin/activate
cd /opt/netbox/netbox
python3 manage.py runserver [::]:8000 --insecure
#Use Ctrl-C to end, log in to port 8000 to make sure it's up
deactivate

Gunicorn

Now we can add the WSGI server, Gunicorn, and its associated systemd service:

cp /opt/netbox/contrib/gunicorn.py /opt/netbox/gunicorn.py
cp /opt/netbox/contrib/netbox.service /etc/systemd/system
cp /opt/netbox/contrib/netbox-rq.service /etc/systemd/system
systemctl daemon-reload
systemctl enable --now netbox netbox-rq

Gunicorn will bind to localhost:8001, which is perfect since we are going to run a reverse proxy to do TLS termination.
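
A quick check of that loopback-only assumption, as an added example (not part of the original post or the NetBox project). It reads `ss -H -ltn` output and reports any backend port listening on a non-loopback address; port 8001 comes from this guide, while 6379 (Redis) and 5432 (PostgreSQL) are assumed package defaults, and the sample input is constructed.

```shell
# Added example: flag backend services that listen beyond loopback.
# Assumed ports: 8001 (Gunicorn, from this guide), 6379 (Redis default),
# 5432 (PostgreSQL default). Adjust BACKEND_PORTS if yours differ.
BACKEND_PORTS="8001 6379 5432"

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# PostgreSQL is deliberately shown misconfigured on 0.0.0.0.
SAMPLE_SS='LISTEN 0 2048 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 *:80 *:*'

# exposed_backends: reads `ss -H -ltn` lines on stdin and prints "port address"
# for every backend port bound to a non-loopback address.
# Exit status is 1 if at least one such listener was found, 0 otherwise.
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            local_addr = $4                                # Local Address:Port column
            port = local_addr; sub(/.*:/, "", port)        # text after the last colon
            addr = local_addr; sub(/:[^:]*$/, "", addr)    # text before the last colon
            sub(/%.*$/, "", addr)                          # drop scope, e.g. 127.0.0.53%lo
            if (!(port in want)) next                      # 80/443 are meant to be public
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: as intended
            print port, addr
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo on the constructed sample. On a live host, run instead:
#   ss -H -ltn | exposed_backends
printf '%s\n' "$SAMPLE_SS" | exposed_backends \
    || echo "^ backend port(s) reachable beyond loopback"
```

Anything it prints should be rebound to 127.0.0.1 or ::1 (or firewalled), so that Caddy on ports 80 and 443 is the only way in.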

Caddy

And now the TLS termination proxy - Caddy. Netbox suggests Apache or Nginx, but I prefer Caddy, so here’s my setup:

#Install from Caddy's repos (they are more up to date)
apt update
apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
# Download their deb signing key + their sources.list file
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# Update with new sources
apt update
# Install Caddy
apt install -y caddy

And here’s my /etc/caddy/Caddyfile (delete everything already in it):

netbox.palnet.net {
    handle /static* {
        root * /opt/netbox/netbox/
        file_server
    }

    handle {
        #Backend is running on 8001
        reverse_proxy http://localhost:8001
    }
    #Only if you don't want to use the default of Let's Encrypt
    tls internal
    #Otherwise you can put your email:
    #tls adventure@apalrd.net
}

And we can start it with systemctl enable --now caddy! If it’s already running, then systemctl restart caddy.

Upgrading

When you need to upgrade, check out master again and run the upgrade script:

#Go to netbox
cd /opt/netbox
#Pull latest
git checkout master
git pull origin master
#Run upgrade
./upgrade.sh
#Restart services
systemctl restart netbox netbox-rq caddy