anderssh · qn-omarmora · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -17,6 +17,9 @@
 #   Array of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
 #   access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
 #
+# @param allow_token_retrieval
+#   Permit the retrieval of API tokens after their creation.
+#
 # @param database_name
 #   Name of the PostgreSQL database. If handle_database is true, then this database
 #   gets created as well. If not, then it is only used by the application, and needs to exist.
@@ -132,13 +135,44 @@
 # Date/time formatting. See the following link for supported formats:
 # https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
 #
+# @param remote_auth_enabled
+# boolean that enables the remote authentication for netbox.
+# This must be set to True in order for remote_auth_* settings to take effect.
+#
+# @param remote_auth_backend
+#   This is the Python path to the custom Django authentication backend to use for external
+#   user authentication. NetBox provides two built-in backends (listed below), though custom
+#   authentication backends may also be provided by other packages or plugins. Provide a string
+#   for a single backend, or an iterable for multiple backends, which will be attempted in the order given.
+#
+# @param remote_auth_header
+#   When remote user authentication is in use, this is the name of the HTTP header which informs
+#   NetBox of the currently authenticated user. For example, to use the request header X-Remote-User
+#   it needs to be set to HTTP_X_REMOTE_USER
+# 
+# @param remote_auth_first_name
+#   When remote user authentication is in use, this is the name of the HTTP header which informs
+#   NetBox of the first name of the currently authenticated user. For example, to use the request
+#   header X-Remote-User-First-Name it needs to be set to HTTP_X_REMOTE_USER_FIRST_NAME.
+#
+# @param remote_auth_last_name
+#   When remote user authentication is in use, this is the name of the HTTP header which informs
+#   NetBox of the last name of the currently authenticated user. For example, to use the request
+#   header X-Remote-User-Last-Name it needs to be set to HTTP_X_REMOTE_USER_LAST_NAME.
+# 
+# @param remote_auth_user_email
+#   When remote user authentication is in use, this is the name of the HTTP header which informs
+#   NetBox of the email address of the currently authenticated user. For example, to use the request
+#   header X-Remote-User-Email it needs to be set to HTTP_X_REMOTE_USER_EMAIL.
+#
 # @example
 #   include netbox::config
 class netbox::config (
   String $user,
   String $group,
   Stdlib::Absolutepath $install_root,
   Array[Stdlib::Host] $allowed_hosts,
+  Boolean $allow_api_token_retrieval,
   String $database_name,
   String $database_user,
   String $database_password,
@@ -169,6 +203,21 @@
   String $short_time_format,
   String $datetime_format,
   String $short_datetime_format,
+  Boolean $remote_auth_enabled,
+  String $remote_auth_backend,
+  String $remote_auth_header,
+  String $remote_auth_first_name,
+  String $remote_auth_last_name,
+  String $remote_auth_user_email,
+  String $ldap_sever_uri,
+  String $ad_ou,
+  String $ad_bind_dn,
+  String $ad_require_dn,
+  String $ad_admin_dn,
+  String $ad_superuser_dn,
+  String $ldap_bind_password,
+  Boolean $ldap_ignore_cert_errors,
+  Boolean $ldap_mirror_groups,
 ) {
   $should_create_superuser = false;
   $software_directory = "${install_root}/netbox"
@@ -195,37 +244,44 @@
 
   file { $config_file:
     content      => epp('netbox/configuration.py.epp', {
-      'allowed_hosts'           => $allowed_hosts,
-      'database_name'           => $database_name,
-      'database_user'           => $database_user,
-      'database_password'       => $database_password,
-      'database_host'           => $database_host,
-      'database_port'           => $database_port,
-      'database_conn_max_age'   => $database_conn_max_age,
-      'redis_options'           => $redis_options,
-      'email_options'           => $email_options,
-      'secret_key'              => $secret_key,
-      'admins'                  => $admins,
-      'banner_top'              => $banner_top,
-      'banner_bottom'           => $banner_bottom,
-      'banner_login'            => $banner_login,
-      'base_path'               => $base_path,
-      'debug'                   => $debug,
-      'enforce_global_unique'   => $enforce_global_unique,
-      'exempt_view_permissions' => $exempt_view_permissions,
-      'login_required'          => $login_required,
-      'metrics_enabled'         => $metrics_enabled,
-      'prefer_ipv4'             => $prefer_ipv4,
-      'napalm_username'         => $napalm_username,
-      'napalm_password'         => $napalm_password,
-      'napalm_timeout'          => $napalm_timeout,
-      'time_zone'               => $time_zone,
-      'date_format'             => $date_format,
-      'short_date_format'       => $short_date_format,
-      'time_format'             => $time_format,
-      'short_time_format'       => $short_time_format,
-      'datetime_format'         => $datetime_format,
-      'short_datetime_format'   => $short_datetime_format,
+      'allowed_hosts'             => $allowed_hosts,
+      'allow_api_token_retrieval' => $allow_api_token_retrieval,
+      'database_name'             => $database_name,
+      'database_user'             => $database_user,
+      'database_password'         => $database_password,
+      'database_host'             => $database_host,
+      'database_port'             => $database_port,
+      'database_conn_max_age'     => $database_conn_max_age,
+      'redis_options'             => $redis_options,
+      'email_options'             => $email_options,
+      'secret_key'                => $secret_key,
+      'admins'                    => $admins,
+      'banner_top'                => $banner_top,
+      'banner_bottom'             => $banner_bottom,
+      'banner_login'              => $banner_login,
+      'base_path'                 => $base_path,
+      'debug'                     => $debug,
+      'enforce_global_unique'     => $enforce_global_unique,
+      'exempt_view_permissions'   => $exempt_view_permissions,
+      'login_required'            => $login_required,
+      'metrics_enabled'           => $metrics_enabled,
+      'prefer_ipv4'               => $prefer_ipv4,
+      'napalm_username'           => $napalm_username,
+      'napalm_password'           => $napalm_password,
+      'napalm_timeout'            => $napalm_timeout,
+      'time_zone'                 => $time_zone,
+      'date_format'               => $date_format,
+      'short_date_format'         => $short_date_format,
+      'time_format'               => $time_format,
+      'short_time_format'         => $short_time_format,
+      'datetime_format'           => $datetime_format,
+      'short_datetime_format'     => $short_datetime_format,
+      'remote_auth_enabled'       => $remote_auth_enabled,
+      'remote_auth_backend'       => $remote_auth_backend,
+      'remote_auth_header'        => $remote_auth_header,
+      'remote_auth_first_name'    => $remote_auth_first_name,
+      'remote_auth_last_name'     => $remote_auth_last_name,
+      'remote_auth_user_email'    => $remote_auth_user_email,
     }),
     owner        => $user,
     group        => $group,
@@ -234,6 +290,30 @@
     notify       => Exec['collect static files'],
   }
 
+  if $remote_auth_enabled {
+
+    $ldap_config_file = "${software_directory}/netbox/netbox/ldap_config.py"
+
+    file { $ldap_config_file:
+      content      => epp('netbox/ldap_config.py.epp', {
+        'ldap_sever_uri'          => $ldap_sever_uri,
+        'ad_ou'                   => $ad_ou,
+        'ad_bind_dn'              => $ad_bind_dn,
+        'ad_require_dn'           => $ad_require_dn,
+        'ad_admin_dn'             => $ad_admin_dn,
+        'ad_superuser_dn'         => $ad_superuser_dn,
+        'ldap_bind_password'      => $ldap_bind_password,
+        'ldap_ignore_cert_errors' => $ldap_ignore_cert_errors,
+        'ldap_mirror_groups'      => $ldap_mirror_groups,
+      }),
+      owner        => $user,
+      group        => $group,
+      mode         => '0644',
+      validate_cmd => "${venv_dir}/bin/python -m py_compile %",
+      notify       => Exec['collect static files'],
+    }
+  }
+
   Exec {
     cwd         => $software_directory,
     path        => [ "${venv_dir}/bin", '/usr/bin', '/usr/sbin' ],

diff --git a/manifests/database.pp b/manifests/database.pp
@@ -28,16 +28,12 @@
   String $database_locale,
 ){
 
-  class { 'postgresql::globals':
-    encoding => $database_encoding,
-    locale   => $database_locale,
-  }
-  ->class { 'postgresql::server':
-  }
-
+include postgresql::server
   postgresql::server::db { $database_name:
     user     => $database_user,
-    password => postgresql_password($database_name, $database_password),
+    password => postgresql::postgresql_password($database_name, $database_password),
+    encoding => $database_encoding,
+    locale   => $database_locale,
   }
 
   postgresql::server::database_grant { 'user_ALL_on_database':