Unverified Commit 03e95ed5 authored by Rémi NICOLE's avatar Rémi NICOLE Committed by GitHub

netbox_4_5: init at 4.5.5 (#485109)

parents 5550d21d 0a8e6740
+4 −0
@@ -165,6 +165,10 @@

- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.

- NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
  of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.

- The `services.yggdrasil` module has been refactored with the following breaking changes:
  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
+32 −8
@@ -119,11 +119,11 @@ in
    package = lib.mkOption {
      type = lib.types.package;
      default =
        if lib.versionAtLeast config.system.stateVersion "25.11" then pkgs.netbox_4_4 else pkgs.netbox_4_2;
        if lib.versionAtLeast config.system.stateVersion "26.05" then pkgs.netbox_4_5 else pkgs.netbox_4_4;
      defaultText = lib.literalExpression ''
        if lib.versionAtLeast config.system.stateVersion "25.11"
        then pkgs.netbox_4_4
        else pkgs.netbox_4_2;
        if lib.versionAtLeast config.system.stateVersion "26.05"
        then pkgs.netbox_4_5
        else pkgs.netbox_4_4;
      '';
      description = ''
        NetBox package to use.
@@ -165,6 +165,15 @@ in
      '';
    };

    apiTokenPeppersFile = lib.mkOption {
      type = with lib.types; nullOr path;
      description = ''
        Path to a file containing the API_TOKEN_PEPPER that will be configured for the pepper_id with the id 1.
        This is required for netbox >= 4.5. For generating this pepper,
        [consider using `$INSTALL_ROOT/netbox/generate_secret_key.py`](https://netboxlabs.com/docs/netbox/configuration/required-parameters/#api_token_peppers)
      '';
    };

    extraConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
@@ -237,11 +246,13 @@ in

        GIT_PATH = "${pkgs.gitMinimal}/bin/git";

        DATABASE = {
        DATABASES = {
          "default" = {
            NAME = "netbox";
            USER = "netbox";
            HOST = "/run/postgresql";
          };
        };

        # Redis database settings. Redis is used for caching and for queuing
        # background tasks such as webhook events. A separate configuration
@@ -283,6 +294,12 @@ in
        with open("${cfg.secretKeyFile}", "r") as file:
            SECRET_KEY = file.readline()
      ''
      + (lib.optionalString (cfg.apiTokenPeppersFile != null) ''
        with open("${cfg.apiTokenPeppersFile}", "r") as pepper_file:
            API_TOKEN_PEPPERS = {
                1: pepper_file.readline(),
            };
      '')
      + (lib.optionalString (cfg.keycloakClientSecret != null) ''
        with open("${cfg.keycloakClientSecret}", "r") as file:
            SOCIAL_AUTH_KEYCLOAK_SECRET = file.readline()
@@ -446,5 +463,12 @@ in
    };
    users.groups.netbox = { };
    users.groups."${config.services.redis.servers.netbox.user}".members = [ "netbox" ];

    assertions = [
      {
        assertion = (lib.versionAtLeast cfg.package.version "4.5") -> (cfg.apiTokenPeppersFile != null);
        message = "NetBox 4.5 or newer require setting `services.netbox.apiTokenPeppersFile`";
      }
    ];
  };
}
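Review bot: `apiTokenPeppersFile` is declared as `nullOr path` with no `default`, yet `lib.optionalString (cfg.apiTokenPeppersFile != null)` reads it unconditionally, so a configuration that stays on `pkgs.netbox_4_4` and never sets the option will most likely fail evaluation with an undefined-option error instead of skipping the block. Adding `default = null;` to the option would leave the new assertion as the only gate for 4.5 and newer. The description should also state that the file must be readable by the netbox service and kept out of the world-readable Nix store (a string path to a file provisioned at runtime, not a path literal), since the pepper appears to be key material for the API token digests. Note too that `pepper_file.readline()` keeps the trailing newline as part of the pepper, as the existing `SECRET_KEY` read does; `pepper_file.readline().strip()` would keep the value stable if the file is later rewritten without one, and that is easier to decide now than after tokens have been issued.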
+1 −2
@@ -1054,9 +1054,8 @@ in
  neo4j = runTest ./neo4j.nix;
  netbird = runTest ./netbird.nix;
  netbox-upgrade = runTest ./web-apps/netbox-upgrade.nix;
  netbox_4_2 = handleTest ./web-apps/netbox/default.nix { netbox = pkgs.netbox_4_2; };
  netbox_4_3 = handleTest ./web-apps/netbox/default.nix { netbox = pkgs.netbox_4_3; };
  netbox_4_4 = handleTest ./web-apps/netbox/default.nix { netbox = pkgs.netbox_4_4; };
  netbox_4_5 = handleTest ./web-apps/netbox/default.nix { netbox = pkgs.netbox_4_5; };
  netdata = runTest ./netdata.nix;
  networking.networkd = handleTest ./networking/networkd-and-scripted.nix { networkd = true; };
  networking.networkmanager = handleTest ./networking/networkmanager.nix { };
+5 −2
{ lib, pkgs, ... }:
let
  oldNetbox = "netbox_4_3";
  newNetbox = "netbox_4_4";
  oldNetbox = "netbox_4_4";
  newNetbox = "netbox_4_5";

  apiVersion =
    version:
@@ -38,6 +38,9 @@ in
        secretKeyFile = pkgs.writeText "secret" ''
          abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
        '';
        apiTokenPeppersFile = pkgs.writeText "pepper" ''
          kp7ht*76fiQAhUi5dHfASLlYUE_S^gI^(7J^K5M!LfoH@vl&b_
        '';
      };

      services.nginx = {
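Review bot: The `apiTokenPeppersFile` fixture added in this test has no comment saying where the value comes from, while the same string in the sibling NetBox test is annotated as the example from the upstream documentation. A line such as `# Example pepper from the NetBox docs; test fixture only, not a secret` above it would keep a reader from copying a publicly known pepper into a real deployment. `pkgs.writeText` also puts the value in the Nix store, which is fine for a VM test but is not how the option should be provisioned in production.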
+28 −2
@@ -37,6 +37,10 @@ import ../../make-test-python.nix (
          secretKeyFile = pkgs.writeText "secret" ''
            abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
          '';
          # Value from https://netbox.readthedocs.io/en/feature/configuration/required-parameters/#api_token_peppers
          apiTokenPeppersFile = pkgs.writeText "pepper" ''
            kp7ht*76fiQAhUi5dHfASLlYUE_S^gI^(7J^K5M!LfoH@vl&b_
          '';

          enableLdap = true;
          ldapConfigPath = pkgs.writeText "ldap_config.py" ''
@@ -155,10 +159,32 @@ import ../../make-test-python.nix (
          u.set_password('netbox')
          u.save()
        '';
        createToken = pkgs.writeText "create-token-v2.py" ''
          from users.models import Token, User
          from users.choices import TokenVersionChoices
          u = User.objects.first()
          t = Token.objects.create(user=u, token="0123456789abcdef0123456789abcdef01234567", version=TokenVersionChoices.V2)
          print(t.get_auth_header_prefix())
        '';
        netboxVersion = netbox.version;
      in
      builtins.replaceStrings
        [ "\${changePassword}" "\${testUser}" "\${testPassword}" "\${testGroup}" ]
        [ "${changePassword}" "${testUser}" "${testPassword}" "${testGroup}" ]
        [
          "\${changePassword}"
          "\${testUser}"
          "\${testPassword}"
          "\${testGroup}"
          "\${createToken}"
          "\${netboxVersion}"
        ]
        [
          "${changePassword}"
          "${testUser}"
          "${testPassword}"
          "${testGroup}"
          "${createToken}"
          "${netboxVersion}"
        ]
        (lib.readFile "${./testScript.py}");
  }
)