netbox.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: netbox
---
apiVersion: v1
data:
  password: SjVickhyQVhGTFFTaWYwSw== # J5brHrAXFLQSif0K
kind: Secret
metadata:
  name: psql-superuser-secret
  namespace: netbox
type: kubernetes.io/basic-auth
---
apiVersion: v1
data:
  username: bmV0Ym94 # netbox
  password: SjVickhyQVhGTFFTaWYwSw== # J5brHrAXFLQSif0K
kind: Secret
metadata:
  name: psql-netbox-secret
  namespace: netbox
type: kubernetes.io/basic-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: redis-netbox-secret
  namespace: netbox
data:
  REDIS_CACHE_PASSWORD: dDRQaDcyMnFKNVFIZVExcWZ1MzY= # t4Ph722qJ5QHeQ1qfu36
  REDIS_PASSWORD: SDczM0tkam5ka3M4MQ== # H733Kdjndks81
type: bootstrap.kubernetes.io/token
---
apiVersion: v1
kind: Secret
metadata:
  name: netbox-secret
  namespace: netbox
data:
  SECRET_KEY: cihtKTluTEdueiQoX3EzTjR6MWsoRUZzTUNqamp6eDA4eDlWaE5WY2ZkJTZSRiNyITZERUArVjVaazJY # r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X
type: bootstrap.kubernetes.io/token
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: netbox-configmap
  namespace: netbox
data:
  CORS_ORIGIN_ALLOW_ALL: "True"
  DB_HOST: "psql-rw.netbox.svc"
  DB_NAME: "netbox"
  EMAIL_FROM: "netbox@bar.com"
  EMAIL_PASSWORD: ""
  EMAIL_PORT: "25"
  EMAIL_SERVER: "localhost"
  EMAIL_SSL_CERTFILE: ""
  EMAIL_SSL_KEYFILE: ""
  EMAIL_TIMEOUT: "5"
  EMAIL_USERNAME: "netbox"
  # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
  EMAIL_USE_SSL: "false"
  EMAIL_USE_TLS: "false"
  GRAPHQL_ENABLED: "true"
  HOUSEKEEPING_INTERVAL: "86400"
  MEDIA_ROOT: /opt/netbox/netbox/media
  METRICS_ENABLED: "false"
  REDIS_CACHE_DATABASE: "1"
  REDIS_CACHE_HOST: "redis-cache.netbox.svc"
  REDIS_CACHE_PORT: "6379"
  REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY: "false"
  REDIS_CACHE_SSL: "false"
  REDIS_DATABASE: "0"
  REDIS_HOST: "redis.netbox.svc"
  REDIS_PORT: "6379"
  REDIS_INSECURE_SKIP_TLS_VERIFY: "false"
  REDIS_SSL: "false"
  RELEASE_CHECK_URL: "https://api.github.com/repos/netbox-community/netbox/releases"
  SKIP_SUPERUSER: "true"
  WEBHOOKS_ENABLED: "true"
  # DB_WAIT_DEBUG: "1"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: netbox-config-files
  namespace: netbox
data:
  configuration.py: |
    ####
    ## We recommend to not edit this file.
    ## Create separate files to overwrite the settings.
    ## See `extra.py` as an example.
    ####

    import re
    from os import environ
    from os.path import abspath, dirname, join
    from typing import Any, Callable, Tuple

    # For reference see https://docs.netbox.dev/en/stable/configuration/
    # Based on https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/configuration_example.py

    ###
    # NetBox-Docker Helper functions
    ###

    # Read secret from file
    def _read_secret(secret_name: str, default: str | None = None) -> str | None:
        try:
            f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
        except EnvironmentError:
            return default
        else:
            with f:
                return f.readline().strip()

    # If the `map_fn` isn't defined, then the value that is read from the environment (or the default value if not found) is returned.
    # If the `map_fn` is defined, then `map_fn` is invoked and the value (that was read from the environment or the default value if not found)
    # is passed to it as a parameter. The value returned from `map_fn` is then the return value of this function.
    # The `map_fn` is not invoked, if the value (that was read from the environment or the default value if not found) is None.
    def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn: Callable[[str], Any | None] = None) -> Any | None:
        env_value = environ.get(variable_name, default)

        if env_value == None:
            return env_value

        if not map_fn:
            return env_value
        
        return map_fn(env_value)

    _AS_BOOL = lambda value : value.lower() == 'true'
    _AS_INT = lambda value : int(value)
    _AS_LIST = lambda value : list(filter(None, value.split(' ')))

    _BASE_DIR = dirname(dirname(abspath(__file__)))

    #########################
    #                       #
    #   Required settings   #
    #                       #
    #########################

    # This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
    # access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
    #
    # Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
    ALLOWED_HOSTS = environ.get('ALLOWED_HOSTS', '*').split(' ')
    # ensure that '*' or 'localhost' is always in ALLOWED_HOSTS (needed for health checks)
    if '*' not in ALLOWED_HOSTS and 'localhost' not in ALLOWED_HOSTS:
        ALLOWED_HOSTS.append('localhost')

    # PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
    #   https://docs.djangoproject.com/en/stable/ref/settings/#databases
    DATABASE = {
        'NAME': environ.get('DB_NAME', 'netbox'),       # Database name
        'USER': environ.get('DB_USER', ''),             # PostgreSQL username
        'PASSWORD': _read_secret('db_password', environ.get('DB_PASSWORD', '')),
                                                        # PostgreSQL password
        'HOST': environ.get('DB_HOST', 'localhost'),    # Database server
        'PORT': environ.get('DB_PORT', ''),             # Database port (leave blank for default)
        'OPTIONS': {'sslmode': environ.get('DB_SSLMODE', 'prefer')},
                                                        # Database connection SSLMODE
        'CONN_MAX_AGE': _environ_get_and_map('DB_CONN_MAX_AGE', '300', _AS_INT),
                                                        # Max database connection age
        'DISABLE_SERVER_SIDE_CURSORS': _environ_get_and_map('DB_DISABLE_SERVER_SIDE_CURSORS', 'False', _AS_BOOL),
                                                        # Disable the use of server-side cursors transaction pooling
    }

    # Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
    # configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
    # to use two separate database IDs.
    REDIS = {
        'tasks': {
            'HOST': environ.get('REDIS_HOST', 'localhost'),
            'PORT': _environ_get_and_map('REDIS_PORT', 6379, _AS_INT),
            'SENTINELS': [tuple(uri.split(':')) for uri in _environ_get_and_map('REDIS_SENTINELS', '', _AS_LIST) if uri != ''],
            'SENTINEL_SERVICE': environ.get('REDIS_SENTINEL_SERVICE', 'default'),
            'SENTINEL_TIMEOUT': _environ_get_and_map('REDIS_SENTINEL_TIMEOUT', 10, _AS_INT),
            'USERNAME': environ.get('REDIS_USERNAME', ''),
            'PASSWORD': _read_secret('redis_password', environ.get('REDIS_PASSWORD', '')),
            'DATABASE': _environ_get_and_map('REDIS_DATABASE', 0, _AS_INT),
            'SSL': _environ_get_and_map('REDIS_SSL', 'False', _AS_BOOL),
            'INSECURE_SKIP_TLS_VERIFY': _environ_get_and_map('REDIS_INSECURE_SKIP_TLS_VERIFY', 'False', _AS_BOOL),
        },
        'caching': {
            'HOST': environ.get('REDIS_CACHE_HOST', environ.get('REDIS_HOST', 'localhost')),
            'PORT': _environ_get_and_map('REDIS_CACHE_PORT', environ.get('REDIS_PORT', '6379'), _AS_INT),
            'SENTINELS': [tuple(uri.split(':')) for uri in _environ_get_and_map('REDIS_CACHE_SENTINELS', '', _AS_LIST) if uri != ''],
            'SENTINEL_SERVICE': environ.get('REDIS_CACHE_SENTINEL_SERVICE', environ.get('REDIS_SENTINEL_SERVICE', 'default')),
            'USERNAME': environ.get('REDIS_CACHE_USERNAME', environ.get('REDIS_USERNAME', '')),
            'PASSWORD': _read_secret('redis_cache_password', environ.get('REDIS_CACHE_PASSWORD', environ.get('REDIS_PASSWORD', ''))),
            'DATABASE': _environ_get_and_map('REDIS_CACHE_DATABASE', '1', _AS_INT),
            'SSL': _environ_get_and_map('REDIS_CACHE_SSL', environ.get('REDIS_SSL', 'False'), _AS_BOOL),
            'INSECURE_SKIP_TLS_VERIFY': _environ_get_and_map('REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY', environ.get('REDIS_INSECURE_SKIP_TLS_VERIFY', 'False'), _AS_BOOL),
        },
    }

    # This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
    # For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
    # symbols. NetBox will not run without this defined. For more information, see
    # https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
    SECRET_KEY = _read_secret('secret_key', environ.get('SECRET_KEY', ''))


    #########################
    #                       #
    #   Optional settings   #
    #                       #
    #########################

    # # Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
    # # application errors (assuming correct email settings are provided).
    # ADMINS = [
    #    # ['John Doe', 'jdoe@example.com'],
    # ]

    if 'ALLOWED_URL_SCHEMES' in environ:
        ALLOWED_URL_SCHEMES = _environ_get_and_map('ALLOWED_URL_SCHEMES', None, _AS_LIST)

    # Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
    # content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
    if 'BANNER_TOP' in environ:
        BANNER_TOP = environ.get('BANNER_TOP', None)
    if 'BANNER_BOTTOM' in environ:
        BANNER_BOTTOM = environ.get('BANNER_BOTTOM', None)

    # Text to include on the login page above the login form. HTML is allowed.
    if 'BANNER_LOGIN' in environ:
        BANNER_LOGIN = environ.get('BANNER_LOGIN', None)

    # Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
    if 'CHANGELOG_RETENTION' in environ:
        CHANGELOG_RETENTION = _environ_get_and_map('CHANGELOG_RETENTION', None, _AS_INT)

    # Maximum number of days to retain job results (scripts and reports). Set to 0 to retain job results in the database indefinitely. (Default: 90)
    if 'JOB_RETENTION' in environ:
        JOB_RETENTION = _environ_get_and_map('JOB_RETENTION', None, _AS_INT)
    # JOBRESULT_RETENTION was renamed to JOB_RETENTION in the v3.5.0 release of NetBox. For backwards compatibility, map JOBRESULT_RETENTION to JOB_RETENTION
    elif 'JOBRESULT_RETENTION' in environ:
        JOB_RETENTION = _environ_get_and_map('JOBRESULT_RETENTION', None, _AS_INT)

    # API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
    # allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
    # CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
    CORS_ORIGIN_ALLOW_ALL = _environ_get_and_map('CORS_ORIGIN_ALLOW_ALL', 'False', _AS_BOOL)
    CORS_ORIGIN_WHITELIST = _environ_get_and_map('CORS_ORIGIN_WHITELIST', 'https://localhost', _AS_LIST)
    CORS_ORIGIN_REGEX_WHITELIST = [re.compile(r) for r in _environ_get_and_map('CORS_ORIGIN_REGEX_WHITELIST', '', _AS_LIST)]

    # Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
    # sensitive information about your installation. Only enable debugging while performing testing.
    # Never enable debugging on a production system.
    DEBUG = _environ_get_and_map('DEBUG', 'False', _AS_BOOL)

    # This parameter serves as a safeguard to prevent some potentially dangerous behavior,
    # such as generating new database schema migrations.
    # Set this to True only if you are actively developing the NetBox code base.
    DEVELOPER = _environ_get_and_map('DEVELOPER', 'False', _AS_BOOL)

    # Email settings
    EMAIL = {
        'SERVER': environ.get('EMAIL_SERVER', 'localhost'),
        'PORT': _environ_get_and_map('EMAIL_PORT', 25, _AS_INT),
        'USERNAME': environ.get('EMAIL_USERNAME', ''),
        'PASSWORD': _read_secret('email_password', environ.get('EMAIL_PASSWORD', '')),
        'USE_SSL': _environ_get_and_map('EMAIL_USE_SSL', 'False', _AS_BOOL),
        'USE_TLS': _environ_get_and_map('EMAIL_USE_TLS', 'False', _AS_BOOL),
        'SSL_CERTFILE': environ.get('EMAIL_SSL_CERTFILE', ''),
        'SSL_KEYFILE': environ.get('EMAIL_SSL_KEYFILE', ''),
        'TIMEOUT': _environ_get_and_map('EMAIL_TIMEOUT', 10, _AS_INT),  # seconds
        'FROM_EMAIL': environ.get('EMAIL_FROM', ''),
    }

    # Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
    # (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
    if 'ENFORCE_GLOBAL_UNIQUE' in environ:
        ENFORCE_GLOBAL_UNIQUE = _environ_get_and_map('ENFORCE_GLOBAL_UNIQUE', None, _AS_BOOL)

    # By default, netbox sends census reporting data using a single HTTP request each time a worker starts.
    # This data enables the project maintainers to estimate how many NetBox deployments exist and track the adoption of new versions over time.
    # The only data reported by this function are the NetBox version, Python version, and a pseudorandom unique identifier.
    # To opt out of census reporting, set CENSUS_REPORTING_ENABLED to False.
    if 'CENSUS_REPORTING_ENABLED' in environ:
        CENSUS_REPORTING_ENABLED = _environ_get_and_map('CENSUS_REPORTING_ENABLED', None, _AS_BOOL)

    # Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
    # by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
    EXEMPT_VIEW_PERMISSIONS = _environ_get_and_map('EXEMPT_VIEW_PERMISSIONS', '', _AS_LIST)

    # HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
    # HTTP_PROXIES = {
    #     'http': 'http://10.10.1.10:3128',
    #     'https': 'http://10.10.1.10:1080',
    # }

    # IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
    # NetBox from an internal IP.
    INTERNAL_IPS = _environ_get_and_map('INTERNAL_IPS', '127.0.0.1 ::1', _AS_LIST)

    # Enable GraphQL API.
    if 'GRAPHQL_ENABLED' in environ:
        GRAPHQL_ENABLED = _environ_get_and_map('GRAPHQL_ENABLED', None, _AS_BOOL)

    # # Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
    # #   https://docs.djangoproject.com/en/stable/topics/logging/
    # LOGGING = {}

    # Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
    # authenticated to NetBox indefinitely.
    LOGIN_PERSISTENCE = _environ_get_and_map('LOGIN_PERSISTENCE', 'False', _AS_BOOL)

    # Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
    # are permitted to access most data in NetBox (excluding secrets) but not make any changes.
    LOGIN_REQUIRED = _environ_get_and_map('LOGIN_REQUIRED', 'False', _AS_BOOL)

    # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
    # re-authenticate. (Default: 1209600 [14 days])
    LOGIN_TIMEOUT = _environ_get_and_map('LOGIN_TIMEOUT', 1209600, _AS_INT)

    # Setting this to True will display a "maintenance mode" banner at the top of every page.
    if 'MAINTENANCE_MODE' in environ:
        MAINTENANCE_MODE = _environ_get_and_map('MAINTENANCE_MODE', None, _AS_BOOL)

    # Maps provider
    if 'MAPS_URL' in environ:
        MAPS_URL = environ.get('MAPS_URL', None)

    # An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
    # "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
    # all objects by specifying "?limit=0".
    if 'MAX_PAGE_SIZE' in environ:
        MAX_PAGE_SIZE = _environ_get_and_map('MAX_PAGE_SIZE', None, _AS_INT)

    # The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
    # the default value of this setting is derived from the installed location.
    MEDIA_ROOT = environ.get('MEDIA_ROOT', join(_BASE_DIR, 'media'))

    # Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
    METRICS_ENABLED = _environ_get_and_map('METRICS_ENABLED', 'False', _AS_BOOL)

    # Determine how many objects to display per page within a list. (Default: 50)
    if 'PAGINATE_COUNT' in environ:
        PAGINATE_COUNT = _environ_get_and_map('PAGINATE_COUNT', None, _AS_INT)

    # # Enable installed plugins. Add the name of each plugin to the list.
    # PLUGINS = []

    # # Plugins configuration settings. These settings are used by various plugins that the user may have installed.
    # # Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
    # PLUGINS_CONFIG = {
    # }

    # When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
    # prefer IPv4 instead.
    if 'PREFER_IPV4' in environ:
        PREFER_IPV4 = _environ_get_and_map('PREFER_IPV4', None, _AS_BOOL)

    # The default value for the amperage field when creating new power feeds.
    if 'POWERFEED_DEFAULT_AMPERAGE' in environ:
        POWERFEED_DEFAULT_AMPERAGE = _environ_get_and_map('POWERFEED_DEFAULT_AMPERAGE', None, _AS_INT)

    # The default value (percentage) for the max_utilization field when creating new power feeds.
    if 'POWERFEED_DEFAULT_MAX_UTILIZATION' in environ:
        POWERFEED_DEFAULT_MAX_UTILIZATION = _environ_get_and_map('POWERFEED_DEFAULT_MAX_UTILIZATION', None, _AS_INT)

    # The default value for the voltage field when creating new power feeds.
    if 'POWERFEED_DEFAULT_VOLTAGE' in environ:
        POWERFEED_DEFAULT_VOLTAGE = _environ_get_and_map('POWERFEED_DEFAULT_VOLTAGE', None, _AS_INT)

    # Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
    if 'RACK_ELEVATION_DEFAULT_UNIT_HEIGHT' in environ:
        RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = _environ_get_and_map('RACK_ELEVATION_DEFAULT_UNIT_HEIGHT', None, _AS_INT)
    if 'RACK_ELEVATION_DEFAULT_UNIT_WIDTH' in environ:
        RACK_ELEVATION_DEFAULT_UNIT_WIDTH = _environ_get_and_map('RACK_ELEVATION_DEFAULT_UNIT_WIDTH', None, _AS_INT)

    # Remote authentication support
    REMOTE_AUTH_ENABLED = _environ_get_and_map('REMOTE_AUTH_ENABLED', 'False', _AS_BOOL)
    REMOTE_AUTH_BACKEND = _environ_get_and_map('REMOTE_AUTH_BACKEND', 'netbox.authentication.RemoteUserBackend', _AS_LIST)
    REMOTE_AUTH_HEADER = environ.get('REMOTE_AUTH_HEADER', 'HTTP_REMOTE_USER')
    REMOTE_AUTH_AUTO_CREATE_USER = _environ_get_and_map('REMOTE_AUTH_AUTO_CREATE_USER', 'False', _AS_BOOL)
    REMOTE_AUTH_DEFAULT_GROUPS = _environ_get_and_map('REMOTE_AUTH_DEFAULT_GROUPS', '', _AS_LIST)
    # REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

    # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
    # version check or use the URL below to check for release in the official NetBox repository.
    RELEASE_CHECK_URL = environ.get('RELEASE_CHECK_URL', None)
    # RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'

    # Maximum execution time for background tasks, in seconds.
    RQ_DEFAULT_TIMEOUT = _environ_get_and_map('RQ_DEFAULT_TIMEOUT', 300, _AS_INT)

    # The name to use for the csrf token cookie.
    CSRF_COOKIE_NAME = environ.get('CSRF_COOKIE_NAME', 'csrftoken')

    # Cross-Site-Request-Forgery-Attack settings. If Netbox is sitting behind a reverse proxy, you might need to set the CSRF_TRUSTED_ORIGINS flag.
    # Django 4.0 requires to specify the URL Scheme in this setting. An example environment variable could be specified like:
    # CSRF_TRUSTED_ORIGINS=https://demo.netbox.dev http://demo.netbox.dev
    CSRF_TRUSTED_ORIGINS = _environ_get_and_map('CSRF_TRUSTED_ORIGINS', '', _AS_LIST)

    # The name to use for the session cookie.
    SESSION_COOKIE_NAME = environ.get('SESSION_COOKIE_NAME', 'sessionid')

    # If true, the `includeSubDomains` directive will be included in the HTTP Strict Transport Security (HSTS) header.
    # This directive instructs the browser to apply the HSTS policy to all subdomains of the current domain.
    SECURE_HSTS_INCLUDE_SUBDOMAINS = _environ_get_and_map('SECURE_HSTS_INCLUDE_SUBDOMAINS', 'False', _AS_BOOL)

    # If true, the `preload` directive will be included in the HTTP Strict Transport Security (HSTS) header.
    # This directive instructs the browser to preload the site in HTTPS. Browsers that use the HSTS preload list will force the
    # site to be accessed via HTTPS even if the user types HTTP in the address bar.
    SECURE_HSTS_PRELOAD = _environ_get_and_map('SECURE_HSTS_PRELOAD', 'False', _AS_BOOL)

    # If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security (HSTS) header on all
    # responses that do not already have it. This will instruct the browser that the website must be accessed via HTTPS,
    # blocking any HTTP request.
    SECURE_HSTS_SECONDS = _environ_get_and_map('SECURE_HSTS_SECONDS', 0, _AS_INT)

    # If true, all non-HTTPS requests will be automatically redirected to use HTTPS.
    SECURE_SSL_REDIRECT = _environ_get_and_map('SECURE_SSL_REDIRECT', 'False', _AS_BOOL)

    # By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
    # local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
    # database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
    SESSION_FILE_PATH = environ.get('SESSION_FILE_PATH', environ.get('SESSIONS_ROOT', None))

    # Time zone (default: UTC)
    TIME_ZONE = environ.get('TIME_ZONE', 'UTC')
  extra.py: |
    ####
    ## This file contains extra configuration options that can't be configured
    ## directly through environment variables.
    ####

    ## Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
    ## application errors (assuming correct email settings are provided).
    # ADMINS = [
    #     # ['John Doe', 'jdoe@example.com'],
    # ]


    ## URL schemes that are allowed within links in NetBox
    # ALLOWED_URL_SCHEMES = (
    #     'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
    # )

    ## Enable installed plugins. Add the name of each plugin to the list.
    # from netbox.configuration.configuration import PLUGINS
    # PLUGINS.append('my_plugin')

    ## Plugins configuration settings. These settings are used by various plugins that the user may have installed.
    ## Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
    # from netbox.configuration.configuration import PLUGINS_CONFIG
    # PLUGINS_CONFIG['my_plugin'] = {
    #   'foo': 'bar',
    #   'buzz': 'bazz'
    # }


    ## Remote authentication support
    # REMOTE_AUTH_DEFAULT_PERMISSIONS = {}


    ## By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
    ## class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
    # STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
    # STORAGE_CONFIG = {
    #     'AWS_ACCESS_KEY_ID': 'Key ID',
    #     'AWS_SECRET_ACCESS_KEY': 'Secret',
    #     'AWS_STORAGE_BUCKET_NAME': 'netbox',
    #     'AWS_S3_REGION_NAME': 'eu-west-1',
    # }


    ## This file can contain arbitrary Python code, e.g.:
    # from datetime import datetime
    # now = datetime.now().strftime("%d/%m/%Y %H:%M:%S")
    # BANNER_TOP = f'<marquee width="200px">This instance started on {now}.</marquee>'
  logging.py: |
    # # Remove first comment(#) on each line to implement this working logging example.
    # # Add LOGLEVEL environment variable to netbox if you use this example & want a different log level.
    # from os import environ

    # # Set LOGLEVEL in netbox.env or docker-compose.overide.yml to override a logging level of INFO.
    # LOGLEVEL = environ.get('LOGLEVEL', 'INFO')

    # LOGGING = {

    #    'version': 1,
    #    'disable_existing_loggers': False,
    #    'formatters': {
    #        'verbose': {
    #            'format': '{levelname} {asctime} {module} {process:d} {thread:d} {message}',
    #            'style': '{',
    #        },
    #        'simple': {
    #            'format': '{levelname} {message}',
    #            'style': '{',
    #        },
    #    },
    #    'filters': {
    #        'require_debug_false': {
    #            '()': 'django.utils.log.RequireDebugFalse',
    #        },
    #    },
    #    'handlers': {
    #        'console': {
    #            'level': LOGLEVEL,
    #            'filters': ['require_debug_false'],
    #            'class': 'logging.StreamHandler',
    #            'formatter': 'simple'
    #        },
    #        'mail_admins': {
    #            'level': 'ERROR',
    #            'class': 'django.utils.log.AdminEmailHandler',
    #            'filters': ['require_debug_false']
    #        }
    #    },
    #    'loggers': {
    #        'django': {
    #            'handlers': ['console'],
    #            'propagate': True,
    #        },
    #        'django.request': {
    #            'handlers': ['mail_admins'],
    #            'level': 'ERROR',
    #            'propagate': False,
    #        },
    #        'django_auth_ldap': {
    #            'handlers': ['console',],
    #            'level': LOGLEVEL,
    #        }
    #    }
    # }
  plugins.py: |
    # Add your plugins and plugin settings here.
    # Of course uncomment this file out.

    # To learn how to build images with your required plugins
    # See https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins

    # PLUGINS = ["netbox_bgp"]

    # PLUGINS_CONFIG = {
    #   "netbox_bgp": {
    #     ADD YOUR SETTINGS HERE
    #   }
    # }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: netbox-config-ldap-files
  namespace: netbox
data:
  extra.py: |
    ####
    ## This file contains extra configuration options that can't be configured
    ## directly through environment variables.
    ## All vairables set here overwrite any existing found in ldap_config.py
    ####

    # # This Python script inherits all the imports from ldap_config.py
    # from django_auth_ldap.config import LDAPGroupQuery # Imported since not in ldap_config.py

    # # Sets a base requirement of membetship to netbox-user-ro, netbox-user-rw, or netbox-user-admin.
    # AUTH_LDAP_REQUIRE_GROUP = (
    #     LDAPGroupQuery("cn=netbox-user-ro,ou=groups,dc=example,dc=com")
    #     | LDAPGroupQuery("cn=netbox-user-rw,ou=groups,dc=example,dc=com")
    #     | LDAPGroupQuery("cn=netbox-user-admin,ou=groups,dc=example,dc=com")
    # )

    # # Sets LDAP Flag groups variables with example.
    # AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    #     "is_staff": (
    #         LDAPGroupQuery("cn=netbox-user-ro,ou=groups,dc=example,dc=com")
    #         | LDAPGroupQuery("cn=netbox-user-rw,ou=groups,dc=example,dc=com")
    #         | LDAPGroupQuery("cn=netbox-user-admin,ou=groups,dc=example,dc=com")
    #     ),
    #     "is_superuser": "cn=netbox-user-admin,ou=groups,dc=example,dc=com",
    # }

    # # Sets LDAP Mirror groups variables with example groups
    # AUTH_LDAP_MIRROR_GROUPS = ["netbox-user-ro", "netbox-user-rw", "netbox-user-admin"]
  ldap_config.py: |
    from importlib import import_module
    from os import environ

    import ldap
    from django_auth_ldap.config import LDAPSearch


    # Read secret from file
    def _read_secret(secret_name, default=None):
        try:
            f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
        except EnvironmentError:
            return default
        else:
            with f:
                return f.readline().strip()

    # Import and return the group type based on string name
    def _import_group_type(group_type_name):
        mod = import_module('django_auth_ldap.config')
        try:
            return getattr(mod, group_type_name)()
        except:
            return None

    # Server URI
    AUTH_LDAP_SERVER_URI = environ.get('AUTH_LDAP_SERVER_URI', '')

    # The following may be needed if you are binding to Active Directory.
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0
    }

    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = environ.get('AUTH_LDAP_BIND_AS_AUTHENTICATING_USER', 'False').lower() == 'true'

    # Set the DN and password for the NetBox service account if needed.
    if not AUTH_LDAP_BIND_AS_AUTHENTICATING_USER:
        AUTH_LDAP_BIND_DN = environ.get('AUTH_LDAP_BIND_DN', '')
        AUTH_LDAP_BIND_PASSWORD = _read_secret('auth_ldap_bind_password', environ.get('AUTH_LDAP_BIND_PASSWORD', ''))

    # Set a string template that describes any user’s distinguished name based on the username.
    AUTH_LDAP_USER_DN_TEMPLATE = environ.get('AUTH_LDAP_USER_DN_TEMPLATE', None)

    # Enable STARTTLS for ldap authentication.
    AUTH_LDAP_START_TLS = environ.get('AUTH_LDAP_START_TLS', 'False').lower() == 'true'

    # Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
    # Note that this is a NetBox-specific setting which sets:
    #     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    LDAP_IGNORE_CERT_ERRORS = environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true'

    # Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
    # Note that this is a NetBox-specific setting which sets:
    #     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
    LDAP_CA_CERT_DIR = environ.get('LDAP_CA_CERT_DIR', None)

    # Include this setting if you want to validate the LDAP server certificates against your own CA.
    # Note that this is a NetBox-specific setting which sets:
    #     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
    LDAP_CA_CERT_FILE = environ.get('LDAP_CA_CERT_FILE', None)

    AUTH_LDAP_USER_SEARCH_BASEDN = environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', '')
    AUTH_LDAP_USER_SEARCH_ATTR = environ.get('AUTH_LDAP_USER_SEARCH_ATTR', 'sAMAccountName')
    AUTH_LDAP_USER_SEARCH_FILTER: str = environ.get(
        'AUTH_LDAP_USER_SEARCH_FILTER', f'({AUTH_LDAP_USER_SEARCH_ATTR}=%(user)s)'
    )

    AUTH_LDAP_USER_SEARCH = LDAPSearch(
        AUTH_LDAP_USER_SEARCH_BASEDN, ldap.SCOPE_SUBTREE, AUTH_LDAP_USER_SEARCH_FILTER
    )

    # This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
    # heirarchy.

    AUTH_LDAP_GROUP_SEARCH_BASEDN = environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', '')
    AUTH_LDAP_GROUP_SEARCH_CLASS = environ.get('AUTH_LDAP_GROUP_SEARCH_CLASS', 'group')

    AUTH_LDAP_GROUP_SEARCH_FILTER: str = environ.get(
        'AUTH_LDAP_GROUP_SEARCH_FILTER', f'(objectclass={AUTH_LDAP_GROUP_SEARCH_CLASS})'
    )
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
        AUTH_LDAP_GROUP_SEARCH_BASEDN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_SEARCH_FILTER
    )
    AUTH_LDAP_GROUP_TYPE = _import_group_type(environ.get('AUTH_LDAP_GROUP_TYPE', 'GroupOfNamesType'))

    # Define a group required to login.
    AUTH_LDAP_REQUIRE_GROUP = environ.get('AUTH_LDAP_REQUIRE_GROUP_DN')

    # Define special user types using groups. Exercise great caution when assigning superuser status.
    AUTH_LDAP_USER_FLAGS_BY_GROUP = {}

    if AUTH_LDAP_REQUIRE_GROUP is not None:
        AUTH_LDAP_USER_FLAGS_BY_GROUP = {
            "is_active": environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
            "is_staff": environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
            "is_superuser": environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
        }

    # For more granular permissions, we can map LDAP groups to Django groups.
    AUTH_LDAP_FIND_GROUP_PERMS = environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true'
    AUTH_LDAP_MIRROR_GROUPS = environ.get('AUTH_LDAP_MIRROR_GROUPS', '').lower() == 'true'

    # Cache groups for one hour to reduce LDAP traffic
    AUTH_LDAP_CACHE_TIMEOUT = int(environ.get('AUTH_LDAP_CACHE_TIMEOUT', 3600))

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
        "last_name": environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
        "email": environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
    }
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: psql
  namespace: netbox
spec:
  instances: 2
  superuserSecret:
    name: psql-superuser-secret
  bootstrap:
    initdb:
      database: netbox
      owner: netbox
      secret:
        name: psql-netbox-secret
  storage:
    storageClass: rook-ceph-block
    size: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: netbox-redis-data
  namespace: netbox
spec:
  storageClassName: rook-ceph-block
  resources:
    requests:
      storage: 1Gi
  accessModes:
  - ReadWriteOnce
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: netbox-redis-cache-data
  namespace: netbox
spec:
  storageClassName: rook-ceph-block
  resources:
    requests:
      storage: 1Gi
  accessModes:
  - ReadWriteOnce
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: netbox-media-files
  namespace: netbox
spec:
  storageClassName: rook-ceph-block
  resources:
    requests:
      storage: 1Gi
  accessModes:
  - ReadWriteOnce
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: netbox-reports-files
  namespace: netbox
spec:
  storageClassName: rook-ceph-block
  resources:
    requests:
      storage: 1Gi
  accessModes:
  - ReadWriteOnce
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: netbox-scripts-files
  namespace: netbox
spec:
  storageClassName: rook-ceph-block
  resources:
    requests:
      storage: 1Gi
  accessModes:
  - ReadWriteOnce
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: netbox
  labels:
    app.kubernetes.io/name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: docker.io/redis:7-alpine
        command:
          - sh
          - -c
          - redis-server --appendonly yes --requirepass $REDIS_PASSWORD
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: redis-netbox-secret
              key: REDIS_PASSWORD
        ports:
        - containerPort: 6379
        resources:
          limits:
            cpu: "500m"
            memory: "512Mi"
        volumeMounts:
        - name: netbox-redis-data
          mountPath: /data
      volumes:
      - name: netbox-redis-data
        persistentVolumeClaim:
          claimName: netbox-redis-data
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-cache
  namespace: netbox
  labels:
    app.kubernetes.io/name: redis-cache
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis-cache
  template:
    metadata:
      labels:
        app: redis-cache
    spec:
      containers:
      - name: redis
        image: docker.io/redis:7-alpine
        command:
          - sh
          - -c
          - redis-server --requirepass $$REDIS_PASSWORD
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: redis-netbox-secret
              key: REDIS_CACHE_PASSWORD
        ports:
        - containerPort: 6379
        resources:
          limits:
            cpu: "500m"
            memory: "512Mi"
        volumeMounts:
        - name: netbox-redis-cache-data
          mountPath: /data
      volumes:
      - name: netbox-redis-cache-data
        persistentVolumeClaim:
          claimName: netbox-redis-cache-data
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netbox
  namespace: netbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netbox
  template:
    metadata:
      labels:
        app: netbox
    spec:
      containers:
      - name: netbox
        image: docker.io/netboxcommunity/netbox:v4.0-2.9.1
        # livenessProbe:
        #   httpGet:
        #     path: /login/
        #     port: 8080
        #   initialDelaySeconds: 120
        #   periodSeconds: 15
        env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: password
        envFrom:
        - configMapRef:
            name: netbox-configmap
        - secretRef:
            name: netbox-secret
        - secretRef:
            name: redis-netbox-secret
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: "2000m"
            memory: "2Gi"
        volumeMounts:
        - name: netbox-config-files
          mountPath: /etc/netbox/config
          readOnly: true
        - name: netbox-config-ldap-files
          mountPath: /etc/netbox/config/ldap
          readOnly: true
        - name: netbox-media-files
          mountPath: /opt/netbox/netbox/media
        - name: netbox-reports-files
          mountPath: /opt/netbox/netbox/reports
        - name: netbox-scripts-files
          mountPath: /opt/netbox/netbox/scripts
      - name: netbox-worker
        image: docker.io/netboxcommunity/netbox:v4.0-2.9.1
        command:
        - /opt/netbox/venv/bin/python
        - /opt/netbox/netbox/manage.py
        - rqworker
        # livenessProbe:
        #   exec:
        #     command:
        #     - ps -aux | grep -v grep | grep -q rqworker || exit 1
        #   initialDelaySeconds: 20
        #   periodSeconds: 15
        env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: password
        envFrom:
        - configMapRef:
            name: netbox-configmap
        - secretRef:
            name: netbox-secret
        - secretRef:
            name: redis-netbox-secret
        resources:
          limits:
            cpu: "500m"
            memory: "1Gi"
        volumeMounts:
        - name: netbox-config-files
          mountPath: /etc/netbox/config
          readOnly: true
        - name: netbox-config-ldap-files
          mountPath: /etc/netbox/config/ldap
          readOnly: true
        - name: netbox-media-files
          mountPath: /opt/netbox/netbox/media
        - name: netbox-reports-files
          mountPath: /opt/netbox/netbox/reports
        - name: netbox-scripts-files
          mountPath: /opt/netbox/netbox/scripts
      - name: netbox-housekeeping
        image: docker.io/netboxcommunity/netbox:v4.0-2.9.1
        command:
        - /opt/netbox/housekeeping.sh
        # livenessProbe:
        #   exec:
        #     command:
        #     - ps -aux | grep -v grep | grep -q housekeeping || exit 1
        #   initialDelaySeconds: 20
        #   periodSeconds: 15
        env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: psql-netbox-secret
              key: password
        envFrom:
        - configMapRef:
            name: netbox-configmap
        - secretRef:
            name: netbox-secret
        - secretRef:
            name: redis-netbox-secret
        resources:
          limits:
            cpu: "500m"
            memory: "1Gi"
        volumeMounts:
        - name: netbox-config-files
          mountPath: /etc/netbox/config
          readOnly: true
        - name: netbox-config-ldap-files
          mountPath: /etc/netbox/config/ldap
          readOnly: true
        - name: netbox-media-files
          mountPath: /opt/netbox/netbox/media
        - name: netbox-reports-files
          mountPath: /opt/netbox/netbox/reports
        - name: netbox-scripts-files
          mountPath: /opt/netbox/netbox/scripts
      volumes:
      - name: netbox-config-files
        configMap:
          name: netbox-config-files
      - name: netbox-config-ldap-files
        configMap:
          name: netbox-config-ldap-files
      - name: netbox-media-files
        persistentVolumeClaim:
          claimName: netbox-media-files
      - name: netbox-reports-files
        persistentVolumeClaim:
          claimName: netbox-reports-files
      - name: netbox-scripts-files
        persistentVolumeClaim:
          claimName: netbox-scripts-files
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: netbox
spec:
  selector:
    app: redis
  ports:
    - port: 6379
      targetPort: 6379
---
apiVersion: v1
kind: Service
metadata:
  name: redis-cache
  namespace: netbox
spec:
  selector:
    app: redis-cache
  ports:
    - port: 6379
      targetPort: 6379
---
apiVersion: v1
kind: Service
metadata:
  name: netbox
  namespace: netbox
  labels:
    app: netbox
spec:
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    app: netbox
---
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
#   name: netbox
#   namespace: netbox
#   annotations:
#     nginx.ingress.kubernetes.io/rewrite-target: /
#     cert-manager.io/cluster-issuer: "smallstep-production"
#   labels:
#     app: netbox
# spec:
#   ingressClassName: nginx
#   defaultBackend:
#     service:
#       name: netbox
#       port:
#         number: 8080
#   rules:
#   - host: netbox.example.com
#   tls:
#   - hosts:
#     - netbox.example.com
#     secretName: netbox-key
---