Netbox Docker

Ansible role to configure Netbox as a docker-compose project.

Installation

Install this role with Ansible Galaxy:

ansible-galaxy install git+https://github.com/wastrachan/ansible-role-netbox-docker.git

Local Installation

If you'd like to include this role directly in a playbook, set your roles_path to ./roles via environment variable or ansible.cfg.

Then, add this role to your playbook's requirements.yml:

- src: https://github.com/wastrachan/ansible-role-netbox-docker
  version: master
  name: netbox-docker

And finally, install the role with Ansible Galaxy:

ansible-galaxy install -r requirements.yml

Requirements

docker and docker-compose must be available and installed on the target system.

Role Variables

Configuration and installation options are made available as variables. Some of these (secret_key, passwords) must be overridden before use!

Option	Default	Description
`netbox_base_dir`	`/opt/netbox`	Root path for netbox's docker-compose file and data store
`netbox_port`	`8080`	Host port to expose netbox on. If blank, netbox's port is not exposed
`netbox_netbox_image`	`docker.io/netboxcommunity/netbox:v4.1-3.0.1`	Netbox docker image tag
`netbox_valkey_image`	`docker.io/valkey/valkey:8.0-alpine`	Valkey docker image tag
`netbox_postgres_image`	`docker.io/postgres:16-alpine`	Postgres docker image tag
`netbox_caddy_image`	`docker.io/caddy:2-alpine`	Caddy docker image tag
`netbox_admin_api_token`	-	API token for the default admin user, created on first run
`netbox_admin_email`	`admin@example.com`	Email of the default admin user, created on first run
`netbox_admin_password`	`admin`	Password for the default admin user, created on first run
`netbox_admin_username`	`admin`	Username of the default admin user, created on first run
`netbox_allowed_hosts`	`*`	If set, connections will be restricted to this list host names (also used in caddy)
`netbox_cors_origin_allow_all`	`true`	If set to true, all CORS origins will be allowed
`netbox_cors_origin_whitelist`	`http://localhost`	Whitelist of acceptable CORS origin headers
`netbox_default_page_size`	`250`	Default number of objects for paginated views
`netbox_email_certfile`	-	Email server settings documentation
`netbox_email_from`	`netbox@bar.com`	Email server settings documentation
`netbox_email_keyfile`	-	Email server settings documentation
`netbox_email_password`	-	Email server settings documentation
`netbox_email_port`	`25`	Email server settings documentation
`netbox_email_server`	`localhost`	Email server settings documentation
`netbox_email_timeout`	`5`	Email server settings documentation
`netbox_email_use_ssl`	`false`	Email server settings documentation
`netbox_email_use_tls`	`false`	Email server settings documentation
`netbox_email_username`	`netbox`	Email server settings documentation
`netbox_enforce_global_unique`	`false`	Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table, set this to true
`netbox_graphql_enabled`	`true`	Enable GraphQL API
`netbox_housekeeping_interval`	`86400`	Interval to run housekeeping worker
`netbox_container_labels`	`[]`	Optional extra container labels to apply to the netbox container. See Traefiknginx-proxy Support
`netbox_container_env`	`[]`	Optional extra container environment variables to apply to the netbox container. See Traefik/nginx-proxy Support
`netbox_login_required`	`false`	Whether or not a user must be authenticated to view DCIM details in Netbox
`netbox_max_page_size`	`1000`	Maximum number of objects for paginated API requests
`netbox_metrics_enabled`	`false`	Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
`netbox_pg_db`	`netbox`	Postgres database name
`netbox_pg_host`	`postgres`	Postgres database host. This should not be changed if using the default docker-compose setup.
`netbox_pg_password`	`RANDOM_SEED`	Postgres password
`netbox_pg_user`	`netbox`	Postgres user
`netbox_additional_network_names`	-	Extra external networks to attach to the netbox container. See Traefik/nginx-proxy Support
`netbox_valkey_cache_host`	`valkey-cache`	Valkey cache instance host. This should not be changed if using the default docker-compose setup.
`netbox_valkey_cache_insecure_skip_tls_verify`	`false`	If true, certificates for valkey cache are not checked
`netbox_valkey_cache_password`	`RANDOM_SEED`	Valkey cache instance password
`netbox_valkey_cache_ssl`	`false`	If true, communication with valkey is secured with SSL
`netbox_valkey_host`	`valkey`	Valkey instance host. This should not be changed if using the default docker-compose setup.
`netbox_valkey_insecure_skip_tls_verify`	`false`	If true, certificates for valkey are not checked
`netbox_valkey_password`	`RANDOM_SEED`	Valkey instance password
`netbox_secret_key`	`RANDOM_SEED`	Netbox secret key. Should be at least 50 characters long
`netbox_skip_startup_scripts`	`false`	If true, do not run startup scripts on container start
`netbox_skip_superuser`	`false`	If true, do not create superuser on container start
`netbox_webhooks_enabled`	`true`	If true, enable netbox webhooks functionality
`netbox_use_caddy`	`false`	If set, Caddy will be used to serve Netbox over TLS
`netbox_caddy_letsencrypt_email`	-	Email address to use for letsencrypt automatic certificate generation
`netbox_caddy_http_port`	`80`	Caddy HTTP port
`netbox_caddy_https_port`	`443`	Caddy HTTPS port
`netbox_ssl_cert_bundle`	-	Caddy certificate bundle
`netbox_ssl_cert_key`	-	Caddy certificate key
`netbox_extra_config`	-	If provided, this string will be rendered in `config/extra.py`

Example Playbook

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- hosts: servers
  roles:
    - netbox-docker

TLS for localhost

Developing locally and testing TLS (i.e. https) features often poses a challenge. This guide is intended for people developing with, on or for NetBox or NetBox Docker on their computer. It allows to access NetBox Docker through TLS on https://localhost:443, https://127.0.0.1:443 and https://[::1]:443. It is based on the setup recommended by the Netbox-Docker wiki on TLS. First install mkcert on your computer. It creates and installs a local CA-Certificate, which will be used by mkcert to create and sign other certificates. This way, your certificates are trusted on your own computer and you don't get a TLS warning in your tools (browsers, cURL, and so forth).

Begin by creating the certificates for localhost and it's IPv4 and IPv6 addresses using the following commands.

mkcert -install
mkcert localhost 127.0.0.1 ::1

This should have created a file called localhost+2.pem and another file called localhost+2-key.pem. Use these two certificates with a slight modification of the setup proposed above:

- hosts: localhost
  vars:
    netbox_port: null
    netbox_use_caddy: true
    netbox_ssl_cert_bundle: path_to/localhost+2.pem
    netbox_ssl_cert_key: path_to/localhost+2-key.pem
  roles:
    - netbox-docker

Traefik/nginx-proxy Support

This playbook can be used with traefik or jwilder's nginx-proxy by adding labels with netbox_container_labels, or environment variables with netbox_container_env, respectively. Additionally, netbox_additional_network_names will attach the netbox service to additional networks, as traefik/nginx-proxy usually reside in a network other than that created by docker-compose projects. While not a complete guide to these services, your configuration may look like the below:

traefik

netbox_port: null
netbox_additional_network_names:
  - traefik
netbox_container_labels:
  traefik.enable: "true"
  traefik.http.services.netbox.loadbalancer.server.port: "8080"
  traefik.http.routers.netbox.rule: "Host(`netbox.domain.com`)"

nginx-proxy

netbox_port: null
netbox_additional_network_names:
  - nginx
netbox_container_env:
  VIRTUAL_HOST: netbox.domain.com
  VIRTUAL_PORT: "8080"

License

This project itself is licensed under the terms of the MIT License. View license information for software contained within.

wastrachan / ansible-role-netbox-docker

readme