Merge pull request #1609 from netbox-community/develop

Release 4.0.0

.dockerignore

@@ -5,6 +5,9 @@ docker-compose*
 env
 test-configuration
 .netbox/.git*
+.netbox/.pre-commit-config.yaml
+.netbox/.readthedocs.yaml
+.netbox/.tx
 .netbox/contrib
 .netbox/scripts
 .netbox/upgrade.sh

.editorconfig

@@ -9,3 +9,6 @@ indent_size = 2
 
 [*.py]
 indent_size = 4
+
+[VERSION]
+insert_final_newline = false

.editorconfig-checker.json

@@ -2,17 +2,12 @@
   "Verbose": false,
   "Debug": false,
   "IgnoreDefaults": false,
-  "SpacesAftertabs": false,
+  "SpacesAfterTabs": false,
   "NoColor": false,
-  "Exclude": [
+  "Exclude": ["LICENSE", "\\.initializers", "\\.vscode"],
-    "LICENSE",
-    "\\.initializers",
-    "\\.vscode"
-  ],
   "AllowedContentTypes": [],
   "PassedFiles": [],
   "Disable": {
-    // set these options to true to disable specific checks
     "EndOfLine": false,
     "Indentation": false,
     "InsertFinalNewline": false,

.flake8

@@ -4,4 +4,4 @@ extend-ignore = E203, W503
 per-file-ignores =
   configuration/*:E131,E251,E266,E302,E305,E501,E722
   startup_scripts/startup_script_utils/__init__.py:F401
-  docker/*:E266,E722
+  docker/*:E266,E722,E501

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -48,7 +48,7 @@ body:
     id: docker-compose-version
     attributes:
       label: Docker Compose Version
-      description: Please paste the output of `docker-compose version`
+      description: Please paste the output of `docker-compose version` (or `docker compose version`)
       placeholder: Docker Compose version vX.Y.Z
     validations:
       required: true
@@ -139,7 +139,6 @@ body:
       description: Please paste the output of `cat docker-compose.override.yml`
       render: yaml
       placeholder: |
-        version: '3.4'
         services:
           netbox:
             ports:

.github/workflows/push.yml

@@ -16,31 +16,36 @@ concurrency:
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Checks syntax of our code
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`
           fetch-depth: 0
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.9"
       - name: Lint Code Base
-        uses: github/super-linter@v7
+        uses: super-linter/super-linter@v8
         env:
           DEFAULT_BRANCH: develop
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SUPPRESS_POSSUM: true
           LINTER_RULES_PATH: /
           VALIDATE_ALL_CODEBASE: false
+          VALIDATE_BIOME_FORMAT: false
           VALIDATE_CHECKOV: false
           VALIDATE_DOCKERFILE: false
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_GITLEAKS: false
           VALIDATE_JSCPD: false
+          VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_TRIVY: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
-          EDITORCONFIG_FILE_NAME: .ecrc
+          EDITORCONFIG_FILE_NAME: .editorconfig-checker.json
           DOCKERFILE_HADOLINT_FILE_NAME: .hadolint.yaml
           MARKDOWN_CONFIG_FILE: .markdown-lint.yml
           PYTHON_BLACK_CONFIG_FILE: pyproject.toml
@@ -55,10 +60,10 @@ jobs:
           - ./build-latest.sh
           - PRERELEASE=true ./build-latest.sh
           - ./build.sh feature
-          - ./build.sh develop
+          - ./build.sh main
         os:
-          - ubuntu-latest
+          - ubuntu-24.04
-          - self-hosted
+          - ubuntu-24.04-arm
       fail-fast: false
     env:
       GH_ACTION: enable
@@ -69,13 +74,18 @@ jobs:
     steps:
       - id: git-checkout
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - id: buildx-setup
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - id: arm-install-skopeo
+        name: Install 'skopeo' on ARM64
+        if: matrix.os == 'ubuntu-24.04-arm'
+        run: |
+          sudo apt-get install -y skopeo
       - id: arm-buildx-platform
         name: Set BUILDX_PLATFORM to ARM64
-        if: matrix.os == 'self-hosted'
+        if: matrix.os == 'ubuntu-24.04-arm'
         run: |
           echo "BUILDX_PLATFORM=linux/arm64" >>"${GITHUB_ENV}"
       - id: docker-build
@@ -85,7 +95,7 @@ jobs:
           BUILDX_BUILDER_NAME: ${{ steps.buildx-setup.outputs.name }}
       - id: arm-time-limit
         name: Set Netbox container start_period higher on ARM64
-        if: matrix.os == 'self-hosted'
+        if: matrix.os == 'ubuntu-24.04-arm'
         run: |
           echo "NETBOX_START_PERIOD=240s" >>"${GITHUB_ENV}"
       - id: docker-test

.github/workflows/release.yml

@@ -13,15 +13,17 @@ jobs:
   build:
     strategy:
       matrix:
-        build_cmd:
+        build:
-          - ./build-latest.sh
+          - { "cmd": "./build-latest.sh", "branch": "release" }
-          - PRERELEASE=true ./build-latest.sh
+          - { "cmd": "./build.sh main", "branch": "release" }
-          - ./build.sh feature
+          # Build pre release images from our develop branch
-          - ./build.sh develop
+          # This is used to test the latest changes before they are merged into the main branch
+          - { "cmd": "PRERELEASE=true ./build-latest.sh", "branch": "develop" }
+          - { "cmd": "./build.sh feature", "branch": "develop" }
         platform:
           - linux/amd64,linux/arm64
       fail-fast: false
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Builds new NetBox Docker Images
     env:
       GH_ACTION: enable
@@ -30,16 +32,18 @@ jobs:
     steps:
       - id: source-checkout
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ matrix.build.branch }}
       - id: set-netbox-docker-version
         name: Get Version of NetBox Docker
         run: echo "version=$(cat VERSION)" >>"$GITHUB_OUTPUT"
         shell: bash
       - id: check-build-needed
-        name: Check if the build is needed for '${{ matrix.build_cmd }}'
+        name: Check if the build is needed for '${{ matrix.build.cmd }}'
         env:
           CHECK_ONLY: "true"
-        run: ${{ matrix.build_cmd }}
+        run: ${{ matrix.build.cmd }}
       # docker.io
       - id: docker-io-login
         name: Login to docker.io
@@ -77,7 +81,7 @@ jobs:
         if: steps.check-build-needed.outputs.skipped != 'true'
       - id: build-and-push
         name: Push the image
-        run: ${{ matrix.build_cmd }} --push
+        run: ${{ matrix.build.cmd }} --push
         if: steps.check-build-needed.outputs.skipped != 'true'
         env:
           BUILDX_PLATFORM: ${{ matrix.platform }}

Dockerfile

@@ -1,6 +1,7 @@
 ARG FROM
 FROM ${FROM} AS builder
 
+COPY --from=ghcr.io/astral-sh/uv:0.9 /uv /usr/local/bin/
 RUN export DEBIAN_FRONTEND=noninteractive \
     && apt-get update -qq \
     && apt-get upgrade \
@@ -20,24 +21,21 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       libxslt-dev \
       pkg-config \
       python3-dev \
-      python3-pip \
+    && /usr/local/bin/uv venv /opt/netbox/venv
-      python3-venv \
-    && python3 -m venv /opt/netbox/venv \
-    && /opt/netbox/venv/bin/python3 -m pip install --upgrade \
-      pip \
-      setuptools \
-      wheel
 
 ARG NETBOX_PATH
 COPY ${NETBOX_PATH}/requirements.txt requirements-container.txt /
+ENV VIRTUAL_ENV=/opt/netbox/venv
 RUN \
-    # Gunicorn is not needed because we use Nginx Unit
+    # Gunicorn is not needed because we use Granian
     sed -i -e '/gunicorn/d' /requirements.txt && \
     # We need 'social-auth-core[all]' in the Docker image. But if we put it in our own requirements-container.txt
     # we have potential version conflicts and the build will fail.
     # That's why we just replace it in the original requirements.txt.
     sed -i -e 's/social-auth-core/social-auth-core\[all\]/g' /requirements.txt && \
-    /opt/netbox/venv/bin/pip install \
+    # The same is true for 'django-storages'
+    sed -i -e 's/django-storages/django-storages\[azure,boto3,dropbox,google,libcloud,sftp\]/g' /requirements.txt && \
+    /usr/local/bin/uv pip install \
       -r /requirements.txt \
       -r /requirements-container.txt
 
@@ -64,44 +62,39 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       openssl \
       python3 \
       tini \
-    && curl --silent --output /usr/share/keyrings/nginx-keyring.gpg \
-      https://unit.nginx.org/keys/nginx-keyring.gpg \
-    && echo "deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://packages.nginx.org/unit/ubuntu/ noble unit" \
-      > /etc/apt/sources.list.d/unit.list \
-    && apt-get update -qq \
-    && apt-get install \
-      --yes -qq --no-install-recommends \
-      unit=1.33.0-1~noble \
-      unit-python3.12=1.33.0-1~noble \
     && rm -rf /var/lib/apt/lists/*
 
+# Copy the modified 'requirements*.txt' files, to have the files actually used during installation
+COPY --from=builder /requirements.txt /requirements-container.txt /opt/netbox/
+COPY --from=builder /usr/local/bin/uv /usr/local/bin/
 COPY --from=builder /opt/netbox/venv /opt/netbox/venv
 
 ARG NETBOX_PATH
 COPY ${NETBOX_PATH} /opt/netbox
-# Copy the modified 'requirements*.txt' files, to have the files actually used during installation
-COPY --from=builder /requirements.txt /requirements-container.txt /opt/netbox/
 
 COPY docker/configuration.docker.py /opt/netbox/netbox/netbox/configuration.py
 COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
-COPY docker/housekeeping.sh /opt/netbox/housekeeping.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
+COPY docker/super_user.py /opt/netbox/super_user.py
 COPY configuration/ /etc/netbox/config/
-COPY docker/nginx-unit.json /etc/unit/
+COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
+COPY VERSION /opt/netbox/VERSION
 
 WORKDIR /opt/netbox/netbox
 
 # Must set permissions for '/opt/netbox/netbox/media' directory
 # to g+w so that pictures can be uploaded to netbox.
-RUN mkdir -p static /opt/unit/state/ /opt/unit/tmp/ \
+RUN useradd --home-dir /opt/netbox/ --no-create-home --no-user-group --system --shell /bin/false --uid 999 --gid 0 netbox \
-      && chown -R unit:root /opt/unit/ media reports scripts \
+    && mkdir -p static media local \
-      && chmod -R g+w /opt/unit/ media reports scripts \
+    && chown -R netbox:root media reports scripts \
-      && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
+    && chmod -R g+w media reports scripts \
-          --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
+    && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
-      && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input
+        --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
+    && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
+    && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
 
-ENV LANG=C.utf8 PATH=/opt/netbox/venv/bin:$PATH
+ENV LANG=C.utf8 PATH=/opt/netbox/venv/bin:$PATH VIRTUAL_ENV=/opt/netbox/venv UV_NO_CACHE=1
 ENTRYPOINT [ "/usr/bin/tini", "--" ]
 
 CMD [ "/opt/netbox/docker-entrypoint.sh", "/opt/netbox/launch-netbox.sh" ]

MAINTAINERS.md

@@ -0,0 +1,19 @@
+# Maintainers of _NetBox Docker_
+
+This file lists all currently recognized maintainers of the _NetBox Docker_ project in alphabetical order:
+
+- @cimnine
+- @tobiasge
+
+## Stepping Down
+
+Every maintainer is a volunteer and may step down as maintainer at any time without providing any reason.
+To make this explicit, the maintainer is asked to update this file.
+
+The last maintainer stepping down is asked to archive the project on GitHub to indicate that the project is no longer maintained.
+
+## Signing up
+
+Everyone is welcome to sign up as maintainer by creating a PR and add their own username to the list.
+The current maintainers shall discuss the application.
+They may turn down an application if they don't feel confident that the new maintainer is a positive addition.

PRINCIPALS.md

@@ -0,0 +1,71 @@
+# Development, Maintenance and Community Principals for _NetBox Docker_
+
+These principals shall guide the development and the maintenance of _NetBox Docker_.
+
+## Basic principals
+
+This project is maintained on voluntary basis.
+Everyone is asked to respect that.
+
+This means, that …
+
+- … sometimes features are not implemented as fast as one might like -- or not at all.
+- … sometimes nobody is looking at bugs, or they are not fixed as fast as one might like -- or not at all.
+- … sometimes PRs are not reviewed for an extended period.
+
+Everyone is welcome to provide improvements and bugfixes to the benefit of everyone else.
+
+## Development Principals
+
+The goal of the _NetBox Docker_ project is to provide a container to run the basic NetBox project.
+The container should feel like a native container -- as if it were provided by NetBox itself:
+
+- Configuration via environment variables where feasible.
+  - Except: Whenever a complex type such as a `dict` is required as value of a configuration setting,
+    then it shall not be provided through an environment variable.
+- Configuration of secrets via secret files.
+- Log output to standard out (STDOUT/`&1`) / standard error (STDERR/`&2`).
+- Volumes for data and cache directories.
+  - Otherwise, no mounts shall be necessary.
+- Runs a non-root user by default.
+- One process / role for each instance.
+
+The container generally does not provide more features than the basic NetBox project itself provides.
+It may provide additional Python dependencies than the upstream project,
+so that all configurable features of NetBox can be used in the container without further modification.
+The container may provide helpers, so that it feels and behaves like a native container.
+
+The container does not bundle any community plugins.
+
+## Maintenance Principals
+
+The main goals of maintaining _NetBox Docker_ are:
+
+- Keeping the project at a high quality level.
+- Keeping the maintenance effort minimal.
+- Coordinating development efforts.
+
+The following guidelines help us to achieve these goals:
+
+- As many maintenance tasks as possible shall be automated or scripted.
+- All manual tasks must be documented.
+- All changes are reviewed by at least one maintainer.
+  - Changes of maintainers are reviewed by at least one other maintainer.
+    (Except if there's only one maintainer left.)
+- The infrastructure beyond what GitHub provides shall be kept to a minimum.
+  - On request, every maintainer shall get access to infrastructure that is beyond GitHub
+    (at the time of writing that's _Docker Hub_ and _Quay_ in particular).
+
+## Community Principals
+
+This project is developed by the NetBox community for the NetBox community.
+We welcome contributions, as long as they are in line with the principals above.
+
+The maintainers of NetBox Docker are not the support team.
+The community is expected to help each other out.
+
+Always remember:
+Behind every screen (or screen-reader) on the other end is a fellow human.
+Be nice and respectful, thankful for help,
+and value ideas and contributions,
+even when they don't fit the goals.

README.md

@@ -8,11 +8,16 @@
 [![GitHub license](https://img.shields.io/github/license/netbox-community/netbox-docker)][netbox-docker-license]
 
 [The GitHub repository][netbox-docker-github] houses the components needed to build NetBox as a container.
-Images are built regularly using the code in that repository and are pushed to [Docker Hub][netbox-dockerhub], [Quay.io][netbox-quayio] and [GitHub Container Registry][netbox-ghcr].
+Images are built regularly using the code in that repository
+and are pushed to [Docker Hub][netbox-dockerhub],
+[Quay.io][netbox-quayio] and [GitHub Container Registry][netbox-ghcr].
+_NetBox Docker_ is a project developed and maintained by the _NetBox_ community.
 
 Do you have any questions?
-Before opening an issue on Github,
+Before opening an issue on GitHub,
-please join [our Slack][netbox-docker-slack] and ask for help in the [`#netbox-docker`][netbox-docker-slack-channel] channel.
+please join [our Slack][netbox-docker-slack]
+and ask for help in the [`#netbox-docker`][netbox-docker-slack-channel] channel,
+or start a new [GitHub Discussion][github-discussions].
 
 [github-stargazers]: https://github.com/netbox-community/netbox-docker/stargazers
 [github-release]: https://github.com/netbox-community/netbox-docker/releases
@@ -24,6 +29,7 @@ please join [our Slack][netbox-docker-slack] and ask for help in the [`#netbox-d
 [netbox-docker-slack-channel]: https://netdev-community.slack.com/archives/C01P0GEVBU7
 [netbox-slack-channel]: https://netdev-community.slack.com/archives/C01P0FRSXRV
 [netbox-docker-license]: https://github.com/netbox-community/netbox-docker/blob/release/LICENSE
+[github-discussions]: https://github.com/netbox-community/netbox-docker/discussions
 
 ## Quickstart
 
@@ -33,12 +39,9 @@ There is a more complete [_Getting Started_ guide on our wiki][wiki-getting-star
 ```bash
 git clone -b release https://github.com/netbox-community/netbox-docker.git
 cd netbox-docker
-tee docker-compose.override.yml <<EOF
+# Copy the example override file
-services:
+cp docker-compose.override.yml.example docker-compose.override.yml
-  netbox:
+# Read and edit the file to your liking
-    ports:
-      - 8000:8080
-EOF
 docker compose pull
 docker compose up
 ```
@@ -53,7 +56,8 @@ To create the first admin user run this command:
 docker compose exec netbox /opt/netbox/netbox/manage.py createsuperuser
 ```
 
-If you need to restart Netbox from an empty database often, you can also set the `SUPERUSER_*` variables in your `docker-compose.override.yml` as shown in the example.
+If you need to restart Netbox from an empty database often,
+you can also set the `SUPERUSER_*` variables in your `docker-compose.override.yml`.
 
 [wiki-getting-started]: https://github.com/netbox-community/netbox-docker/wiki/Getting-Started
 
@@ -63,37 +67,34 @@ New container images are built and published automatically every ~24h.
 
 > We recommend to use either the `vX.Y.Z-a.b.c` tags or the `vX.Y-a.b.c` tags in production!
 
-* `vX.Y.Z-a.b.c`, `vX.Y-a.b.c`:
+- `vX.Y.Z-a.b.c`, `vX.Y-a.b.c`:
   These are release builds containing _NetBox version_ `vX.Y.Z`.
   They contain the support files of _NetBox Docker version_ `a.b.c`.
   You must use _NetBox Docker version_ `a.b.c` to guarantee the compatibility.
   These images are automatically built from [the corresponding releases of NetBox][netbox-releases].
-* `latest-a.b.c`:
+- `latest-a.b.c`:
   These are release builds, containing the latest stable version of NetBox.
   They contain the support files of _NetBox Docker version_ `a.b.c`.
   You must use _NetBox Docker version_ `a.b.c` to guarantee the compatibility.
-  These images are automatically built from [the `master` branch of NetBox][netbox-master].
+- `snapshot-a.b.c`:
-* `snapshot-a.b.c`:
   These are prerelease builds.
   They contain the support files of _NetBox Docker version_ `a.b.c`.
   You must use _NetBox Docker version_ `a.b.c` to guarantee the compatibility.
-  These images are automatically built from the [`develop` branch of NetBox][netbox-develop].
+  These images are automatically built from the [`main` branch of NetBox][netbox-main].
 
 For each of the above tag, there is an extra tag:
 
-* `vX.Y.Z`, `vX.Y`:
+- `vX.Y.Z`, `vX.Y`:
   This is the same version as `vX.Y.Z-a.b.c` (or `vX.Y-a.b.c`, respectively).
-  It always points to the latest version of _NetBox Docker_.
+- `latest`
-* `latest`
   This is the same version as `latest-a.b.c`.
   It always points to the latest version of _NetBox Docker_.
-* `snapshot`
+- `snapshot`
   This is the same version as `snapshot-a.b.c`.
   It always points to the latest version of _NetBox Docker_.
 
 [netbox-releases]: https://github.com/netbox-community/netbox/releases
-[netbox-master]: https://github.com/netbox-community/netbox/tree/master
+[netbox-main]: https://github.com/netbox-community/netbox/tree/main
-[netbox-develop]: https://github.com/netbox-community/netbox/tree/develop
 
 ## Documentation
 
@@ -109,7 +110,7 @@ Feel free to correct errors, update outdated information or provide additional g
 
 Feel free to ask questions in our [GitHub Community][netbox-community]
 or [join our Slack][netbox-docker-slack] and ask [in our channel `#netbox-docker`][netbox-docker-slack-channel],
-which is free to use and where there are almost always people online that can help you in the Slack channel.
+which is free to use and where there are almost always people online that can help you.
 
 If you need help with using NetBox or developing for it or against it's API
 you may find [the `#netbox` channel][netbox-slack-channel] on the same Slack instance very helpful.
@@ -120,16 +121,16 @@ you may find [the `#netbox` channel][netbox-slack-channel] on the same Slack ins
 
 This project relies only on _Docker_ and _docker-compose_ meeting these requirements:
 
-* The _Docker version_ must be at least `20.10.10`.
+- The _Docker version_ must be at least `20.10.10`.
-* The _containerd version_ must be at least `1.5.6`.
+- The _containerd version_ must be at least `1.5.6`.
-* The _docker-compose version_ must be at least `1.28.0`.
+- The _docker-compose version_ must be at least `1.28.0`.
 
 To check the version installed on your system run `docker --version` and `docker compose version`.
 
 ## Updating
 
 Please read [the release notes][releases] carefully when updating to a new image version.
-Note that the version of the NetBox Docker container image must stay in sync with the code.
+Note that the version of the NetBox Docker container image must stay in sync with the version of the Git repository.
 
 If you update for the first time, be sure [to follow our _How To Update NetBox Docker_ guide in the wiki][netbox-docker-wiki-updating].
 
@@ -138,7 +139,8 @@ If you update for the first time, be sure [to follow our _How To Update NetBox D
 
 ## Rebuilding the Image
 
-`./build.sh` can be used to rebuild the container image. See `./build.sh --help` for more information.
+`./build.sh` can be used to rebuild the container image.
+See `./build.sh --help` for more information or `./build-latest.sh` for an example.
 
 For more details on custom builds [consult our wiki][netbox-docker-wiki-build].
 
@@ -147,13 +149,15 @@ For more details on custom builds [consult our wiki][netbox-docker-wiki-build].
 ## Tests
 
 We have a test script.
-It runs NetBox's own unit tests and ensures that all initializers work:
+It runs NetBox's own unit tests and ensures that NetBox starts:
 
 ```bash
-IMAGE=netboxcommunity/netbox:latest ./test.sh
+IMAGE=docker.io/netboxcommunity/netbox:latest ./test.sh
 ```
 
 ## Support
 
 This repository is currently maintained by the community.
+The community is expected to help each other.
+
 Please consider sponsoring the maintainers of this project.

VERSION

@@ -1 +1 @@
-3.0.2
+4.0.0

actionlint.yml

@@ -0,0 +1,5 @@
+---
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      - ".*ubuntu-24.04-arm.*"

build.sh

@@ -39,9 +39,8 @@ SKIP_GIT    If defined, git is not invoked and \${NETBOX_PATH} will not be alter
 
 TAG         The version part of the image tag.
             ${_GREEN}Default:${_CLEAR}
-              When <branch>=master:  latest
+              When <branch>=main: snapshot
-              When <branch>=develop: snapshot
+              Else:               same as <branch>
-              Else:                  same as <branch>
 
 IMAGE_NAMES The names used for the image including the registry
             Used for tagging the image.
@@ -63,7 +62,7 @@ DOCKERFILE  The name of Dockerfile to use.
 DOCKER_FROM The base image to use.
             ${_GREEN}Default:${_CLEAR} 'ubuntu:24.04'
 
-BUILDX_PLATFORMS
+BUILDX_PLATFORM
             Specifies the platform(s) to build the image for.
             ${_CYAN}Example:${_CLEAR} 'linux/amd64,linux/arm64'
             ${_GREEN}Default:${_CLEAR} 'linux/amd64'
@@ -104,24 +103,21 @@ GH_ACTION   If defined, special 'echo' statements are enabled that set the
             ${_GREEN}Default:${_CLEAR} undefined
 
 CHECK_ONLY  Only checks if the build is needed and sets the GH Action output.
+            ${_GREEN}Default:${_CLEAR} undefined
 
 ${_BOLD}Examples:${_CLEAR}
 
-${0} master
+${0} main
-            This will fetch the latest 'master' branch, build a Docker Image and tag it
+            This will fetch the latest 'main' branch, build a Docker Image and tag it
-            'netboxcommunity/netbox:latest'.
-
-${0} develop
-            This will fetch the latest 'develop' branch, build a Docker Image and tag it
             'netboxcommunity/netbox:snapshot'.
 
-${0} v2.6.6
+${0} v4.2.0
-            This will fetch the 'v2.6.6' tag, build a Docker Image and tag it
+            This will fetch the 'v4.2.0' tag, build a Docker Image and tag it
-            'netboxcommunity/netbox:v2.6.6' and 'netboxcommunity/netbox:v2.6'.
+            'netboxcommunity/netbox:v4.2.0' and 'netboxcommunity/netbox:v4.2'.
 
-${0} develop-2.7
+${0} feature
-            This will fetch the 'develop-2.7' branch, build a Docker Image and tag it
+            This will fetch the 'feature' branch, build a Docker Image and tag it
-            'netboxcommunity/netbox:develop-2.7'.
+            'netboxcommunity/netbox:feature'.
 
 SRC_ORG=cimnine ${0} feature-x
             This will fetch the 'feature-x' branch from https://github.com/cimnine/netbox.git,
@@ -227,7 +223,7 @@ fi
 ###
 # Variables for labelling the docker image
 ###
-BUILD_DATE="$(date -u '+%Y-%m-%dT%H:%M+00:00')"
+BUILD_DATE="$(date -u '+%Y-%m-%dT%H:%M:%S+00:00')"
 
 if [ -d ".git" ] && [ -z "${SKIP_GIT}" ]; then
   GIT_REF="$(git rev-parse HEAD)"
@@ -259,10 +255,7 @@ DOCKER_REGISTRY="${DOCKER_REGISTRY-docker.io}"
 DOCKER_ORG="${DOCKER_ORG-netboxcommunity}"
 DOCKER_REPO="${DOCKER_REPO-netbox}"
 case "${NETBOX_BRANCH}" in
-master)
+main)
-  TAG="${TAG-latest}"
-  ;;
-develop)
   TAG="${TAG-snapshot}"
   ;;
 *)
@@ -278,7 +271,7 @@ TARGET_DOCKER_TAG_PROJECT="${TARGET_DOCKER_TAG}-${PROJECT_VERSION}"
 
 ###
 # composing the additional DOCKER_SHORT_TAG,
-# i.e. "v2.6.1" becomes "v2.6",
+# i.e. "v4.2.0" becomes "v4.2",
 # which is only relevant for version tags
 # Also let "latest" follow the highest version
 ###

configuration/configuration.py

@@ -64,19 +64,21 @@ if '*' not in ALLOWED_HOSTS and 'localhost' not in ALLOWED_HOSTS:
 
 # PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
 #   https://docs.djangoproject.com/en/stable/ref/settings/#databases
-DATABASE = {
+DATABASES = {
-    'NAME': environ.get('DB_NAME', 'netbox'),       # Database name
+    'default': {
-    'USER': environ.get('DB_USER', ''),             # PostgreSQL username
+        'NAME': environ.get('DB_NAME', 'netbox'),       # Database name
-    'PASSWORD': _read_secret('db_password', environ.get('DB_PASSWORD', '')),
+        'USER': environ.get('DB_USER', ''),             # PostgreSQL username
-                                                    # PostgreSQL password
+        'PASSWORD': _read_secret('db_password', environ.get('DB_PASSWORD', '')),
-    'HOST': environ.get('DB_HOST', 'localhost'),    # Database server
+                                                        # PostgreSQL password
-    'PORT': environ.get('DB_PORT', ''),             # Database port (leave blank for default)
+        'HOST': environ.get('DB_HOST', 'localhost'),    # Database server
-    'OPTIONS': {'sslmode': environ.get('DB_SSLMODE', 'prefer')},
+        'PORT': environ.get('DB_PORT', ''),             # Database port (leave blank for default)
-                                                    # Database connection SSLMODE
+        'OPTIONS': {'sslmode': environ.get('DB_SSLMODE', 'prefer')},
-    'CONN_MAX_AGE': _environ_get_and_map('DB_CONN_MAX_AGE', '300', _AS_INT),
+                                                        # Database connection SSLMODE
-                                                    # Max database connection age
+        'CONN_MAX_AGE': _environ_get_and_map('DB_CONN_MAX_AGE', '300', _AS_INT),
-    'DISABLE_SERVER_SIDE_CURSORS': _environ_get_and_map('DB_DISABLE_SERVER_SIDE_CURSORS', 'False', _AS_BOOL),
+                                                        # Max database connection age
-                                                    # Disable the use of server-side cursors transaction pooling
+        'DISABLE_SERVER_SIDE_CURSORS': _environ_get_and_map('DB_DISABLE_SERVER_SIDE_CURSORS', 'False', _AS_BOOL),
+                                                        # Disable the use of server-side cursors transaction pooling
+    }
 }
 
 # Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
@@ -114,6 +116,11 @@ REDIS = {
 # https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
 SECRET_KEY = _read_secret('secret_key', environ.get('SECRET_KEY', ''))
 
+API_TOKEN_PEPPERS = {}
+if api_token_pepper := _read_secret('api_token_pepper_1', environ.get('API_TOKEN_PEPPER_1', '')):
+    API_TOKEN_PEPPERS.update({1: api_token_pepper})
+
+
 
 #########################
 #                       #
@@ -303,6 +310,12 @@ REMOTE_AUTH_SUPERUSER_GROUPS = _environ_get_and_map('REMOTE_AUTH_SUPERUSER_GROUP
 REMOTE_AUTH_SUPERUSERS = _environ_get_and_map('REMOTE_AUTH_SUPERUSERS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_GROUPS = _environ_get_and_map('REMOTE_AUTH_STAFF_GROUPS', '', _AS_LIST)
 REMOTE_AUTH_STAFF_USERS = _environ_get_and_map('REMOTE_AUTH_STAFF_USERS', '', _AS_LIST)
+# SSO Configuration
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY')
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = _read_secret('okta_openidconnect_secret', environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET', ''))
+SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = environ.get('SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL')
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = _read_secret('google_oauth2_secret', environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', ''))
 
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
@@ -348,3 +361,5 @@ SESSION_FILE_PATH = environ.get('SESSION_FILE_PATH', environ.get('SESSIONS_ROOT'
 # Time zone (default: UTC)
 TIME_ZONE = environ.get('TIME_ZONE', 'UTC')
 
+# If true disables miscellaneous functionality which depends on access to the Internet.
+ISOLATED_DEPLOYMENT = _environ_get_and_map('ISOLATED_DEPLOYMENT', 'False', _AS_BOOL)

configuration/extra.py

@@ -33,13 +33,20 @@
 
 
 ## By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
-## class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+## class path of the storage driver and any configuration options in STORAGES. For example:
-# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGES = {
-# STORAGE_CONFIG = {
+#     'default': {
-#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#         'BACKEND': 'storages.backends.s3boto3.S3Boto3Storage',
-#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#         'OPTIONS': {
-#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#             'access_key': 'Key ID',
-#     'AWS_S3_REGION_NAME': 'eu-west-1',
+#             'secret_key': 'Secret',
+#             'bucket_name': 'netbox',
+#             'region_name': 'us-west-1',
+#         }
+#     },
+#     'staticfiles': {
+#         'BACKEND': 'django.contrib.staticfiles.storage.StaticFilesStorage',
+#     }
 # }
 
 

configuration/ldap/ldap_config.py

@@ -109,3 +109,6 @@ AUTH_LDAP_USER_ATTR_MAP = {
     "last_name": environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
     "email": environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
 }
+
+# Update user object with the latest values from the LDAP directory every time the user logs in.
+AUTH_LDAP_ALWAYS_UPDATE_USER = environ.get('AUTH_LDAP_ALWAYS_UPDATE_USER', 'True').lower() == 'true'

docker-compose.override.yml.example

@@ -2,9 +2,6 @@ services:
   netbox:
     ports:
       - "8000:8080"
-    # If you want the Nginx unit status page visible from the
-    # outside of the container add the following port mapping:
-    # - "8001:8081"
     # healthcheck:
       # Time for which the health check can fail after the container is started.
       # This depends mostly on the performance of your database. On the first start,
@@ -19,4 +16,18 @@ services:
       # SUPERUSER_EMAIL: ""
       # SUPERUSER_NAME: ""
       # SUPERUSER_PASSWORD: ""
+      # SSO Configuration
+      # SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY: "your_okta_client_id"
+      # SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL: "https://your-domain.okta.com"
+      # SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: "your_google_client_id"
+    # secrets:
+      # - okta_openidconnect_secret
+      # - google_oauth2_secret
+
+# Uncomment to use Docker secrets for SSO credentials
+# secrets:
+#   okta_openidconnect_secret:
+#     file: ./secrets/okta_secret.txt
+#   google_oauth2_secret:
+#     file: ./secrets/google_secret.txt
 

docker-compose.test.yml

@@ -9,9 +9,9 @@ services:
       redis-cache:
         condition: service_healthy
     env_file: env/netbox.env
-    user: 'unit:root'
+    user: "netbox:root"
     volumes:
-    - ./test-configuration/test_config.py:/etc/netbox/config/test_config.py:z,ro
+      - ./test-configuration/test_config.py:/etc/netbox/config/test_config.py:z,ro
     healthcheck:
       test: curl -f http://localhost:8080/login/ || exit 1
       start_period: ${NETBOX_START_PERIOD-120s}
@@ -20,26 +20,17 @@ services:
   netbox-worker:
     <<: *netbox
     command:
-    - /opt/netbox/venv/bin/python
+      - /opt/netbox/venv/bin/python
-    - /opt/netbox/netbox/manage.py
+      - /opt/netbox/netbox/manage.py
-    - rqworker
+      - rqworker
     healthcheck:
       test: ps -aux | grep -v grep | grep -q rqworker || exit 1
       start_period: 40s
       timeout: 3s
       interval: 15s
-  netbox-housekeeping:
-    <<: *netbox
-    command:
-    - /opt/netbox/housekeeping.sh
-    healthcheck:
-      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
-      start_period: 40s
-      timeout: 3s
-      interval: 15s
 
   postgres:
-    image: docker.io/postgres:16-alpine
+    image: docker.io/postgres:18-alpine
     env_file: env/postgres.env
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER ## $$ because of docker-compose
@@ -49,14 +40,14 @@ services:
       retries: 5
 
   redis: &redis
-    image: docker.io/valkey/valkey:8.0-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
-    - sh
+      - sh
-    - -c # this is to evaluate the $REDIS_PASSWORD from the env
+      - -c # this is to evaluate the $REDIS_PASSWORD from the env
-    - valkey-server --save "" --appendonly no --requirepass $$REDIS_PASSWORD ## $$ because of docker-compose
+      - valkey-server --save "" --appendonly no --requirepass $$REDIS_PASSWORD ## $$ because of docker-compose
     env_file: env/redis.env
     healthcheck:
-      test: "[ $$(valkey-cli --pass \"$${REDIS_PASSWORD}\" ping) = 'PONG' ]"
+      test: '[ $$(valkey-cli --pass "$${REDIS_PASSWORD}" ping) = ''PONG'' ]'
       start_period: 5s
       timeout: 3s
       interval: 1s

docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   netbox: &netbox
-    image: docker.io/netboxcommunity/netbox:${VERSION-v4.1-3.0.2}
+    image: docker.io/netboxcommunity/netbox:${VERSION-v4.5-4.0.0}
     depends_on:
       - postgres
       - redis
       - redis-cache
     env_file: env/netbox.env
-    user: "unit:root"
+    user: "netbox:root"
     healthcheck:
       test: curl -f http://localhost:8080/login/ || exit 1
       start_period: 90s
@@ -31,22 +31,10 @@ services:
       start_period: 20s
       timeout: 3s
       interval: 15s
-  netbox-housekeeping:
-    <<: *netbox
-    depends_on:
-      netbox:
-        condition: service_healthy
-    command:
-      - /opt/netbox/housekeeping.sh
-    healthcheck:
-      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
-      start_period: 20s
-      timeout: 3s
-      interval: 15s
 
   # postgres
   postgres:
-    image: docker.io/postgres:16-alpine
+    image: docker.io/postgres:18-alpine
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER
       start_period: 20s
@@ -55,11 +43,11 @@ services:
       retries: 5
     env_file: env/postgres.env
     volumes:
-      - netbox-postgres-data:/var/lib/postgresql/data
+      - netbox-postgres:/var/lib/postgresql
 
   # redis
   redis:
-    image: docker.io/valkey/valkey:8.0-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
@@ -74,7 +62,7 @@ services:
     volumes:
       - netbox-redis-data:/data
   redis-cache:
-    image: docker.io/valkey/valkey:8.0-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
@@ -87,7 +75,7 @@ services:
 volumes:
   netbox-media-files:
     driver: local
-  netbox-postgres-data:
+  netbox-postgres:
     driver: local
   netbox-redis-cache-data:
     driver: local

docker/docker-entrypoint.sh

@@ -54,43 +54,10 @@ fi
 if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
-  if [ -z ${SUPERUSER_NAME+x} ]; then
+  ./manage.py shell --no-startup --no-imports --interface python \
-    SUPERUSER_NAME='admin'
+    </opt/netbox/super_user.py
-  fi
-  if [ -z ${SUPERUSER_EMAIL+x} ]; then
-    SUPERUSER_EMAIL='admin@example.com'
-  fi
-  if [ -f "/run/secrets/superuser_password" ]; then
-    SUPERUSER_PASSWORD="$(</run/secrets/superuser_password)"
-  elif [ -z ${SUPERUSER_PASSWORD+x} ]; then
-    SUPERUSER_PASSWORD='admin'
-  fi
-  if [ -f "/run/secrets/superuser_api_token" ]; then
-    SUPERUSER_API_TOKEN="$(</run/secrets/superuser_api_token)"
-  elif [ -z ${SUPERUSER_API_TOKEN+x} ]; then
-    SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
-  fi
-
-  ./manage.py shell --interface python <<END
-from users.models import Token, User
-if not User.objects.filter(username='${SUPERUSER_NAME}'):
-    u = User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')
-    Token.objects.create(user=u, key='${SUPERUSER_API_TOKEN}')
-END
-
-  echo "💡 Superuser Username: ${SUPERUSER_NAME}, E-Mail: ${SUPERUSER_EMAIL}"
 fi
 
-./manage.py shell --interface python <<END
-from users.models import Token
-try:
-    old_default_token = Token.objects.get(key="0123456789abcdef0123456789abcdef01234567")
-    if old_default_token:
-        print("⚠️ Warning: You have the old default admin API token in your database. This token is widely known; please remove it. Log in as your superuser and check API Tokens in your user menu.")
-except Token.DoesNotExist:
-    pass
-END
-
 echo "✅ Initialisation is done."
 
 # Launch whatever is passed by docker

docker/granian.py

@@ -0,0 +1,13 @@
+from granian.utils.proxies import wrap_wsgi_with_proxy_headers
+from netbox.wsgi import application
+
+application = wrap_wsgi_with_proxy_headers(
+    application,
+    trusted_hosts=[
+        "10.0.0.0/8",
+        "172.16.0.0/12",
+        "192.168.0.0/16",
+        "fc00::/7",
+        "fe80::/10",
+    ],
+)

docker/housekeeping.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-SLEEP_SECONDS=${HOUSEKEEPING_INTERVAL:=86400}
-echo "Interval set to ${SLEEP_SECONDS} seconds"
-while true; do
-  date
-  /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py housekeeping
-  sleep "${SLEEP_SECONDS}s"
-done

docker/launch-netbox.sh

@@ -1,57 +1,21 @@
 #!/bin/bash
 
-UNIT_CONFIG="${UNIT_CONFIG-/etc/unit/nginx-unit.json}"
+exec granian \
-# Also used in "nginx-unit.json"
+  --host "::" \
-UNIT_SOCKET="/opt/unit/unit.sock"
+  --port "8080" \
-
+  --interface "wsgi" \
-load_configuration() {
+  --no-ws \
-  MAX_WAIT=10
+  --workers "${GRANIAN_WORKERS:-4}" \
-  WAIT_COUNT=0
+  --respawn-failed-workers \
-  while [ ! -S $UNIT_SOCKET ]; do
+  --backpressure "${GRANIAN_BACKPRESSURE:-${GRANIAN_WORKERS:-4}}" \
-    if [ $WAIT_COUNT -ge $MAX_WAIT ]; then
+  --loop "uvloop" \
-      echo "⚠️ No control socket found; configuration will not be loaded."
+  --log \
-      return 1
+  --log-level "info" \
-    fi
+  --access-log \
-
+  --working-dir "/opt/netbox/netbox/" \
-    WAIT_COUNT=$((WAIT_COUNT + 1))
+  --static-path-route "/static" \
-    echo "⏳ Waiting for control socket to be created... (${WAIT_COUNT}/${MAX_WAIT})"
+  --static-path-mount "/opt/netbox/netbox/static/" \
-
+  --static-path-dir-to-file index.html \
-    sleep 1
+  --pid-file "/tmp/granian.pid" \
-  done
+  "${GRANIAN_EXTRA_ARGS[@]}" \
-
+  "netbox.granian:application"
-  # even when the control socket exists, it does not mean unit has finished initialisation
-  # this curl call will get a reply once unit is fully launched
-  curl --silent --output /dev/null --request GET --unix-socket $UNIT_SOCKET http://localhost/
-
-  echo "⚙️ Applying configuration from $UNIT_CONFIG"
-
-  RESP_CODE=$(
-    curl \
-      --silent \
-      --output /dev/null \
-      --write-out '%{http_code}' \
-      --request PUT \
-      --data-binary "@${UNIT_CONFIG}" \
-      --unix-socket $UNIT_SOCKET \
-      http://localhost/config
-  )
-  if [ "$RESP_CODE" != "200" ]; then
-    echo "⚠️ Could no load Unit configuration"
-    kill "$(cat /opt/unit/unit.pid)"
-    return 1
-  fi
-
-  echo "✅ Unit configuration loaded successfully"
-}
-
-load_configuration &
-
-exec unitd \
-  --no-daemon \
-  --control unix:$UNIT_SOCKET \
-  --pid /opt/unit/unit.pid \
-  --log /dev/stdout \
-  --statedir /opt/unit/state/ \
-  --tmpdir /opt/unit/tmp/ \
-  --user unit \
-  --group root

docker/nginx-unit.json

@@ -1,57 +0,0 @@
-{
-  "listeners": {
-    "0.0.0.0:8080": {
-      "pass": "routes/main"
-    },
-    "[::]:8080": {
-      "pass": "routes/main"
-    },
-    "0.0.0.0:8081": {
-      "pass": "routes/status"
-    },
-    "[::]:8081": {
-      "pass": "routes/status"
-    }
-  },
-  "routes": {
-    "main": [
-      {
-        "match": {
-          "uri": "/static/*"
-        },
-        "action": {
-          "share": "/opt/netbox/netbox${uri}"
-        }
-      },
-      {
-        "action": {
-          "pass": "applications/netbox"
-        }
-      }
-    ],
-    "status": [
-      {
-        "match": {
-          "uri": "/status/*"
-        },
-        "action": {
-          "proxy": "http://unix:/opt/unit/unit.sock"
-        }
-      }
-    ]
-  },
-  "applications": {
-    "netbox": {
-      "type": "python 3",
-      "path": "/opt/netbox/netbox/",
-      "module": "netbox.wsgi",
-      "home": "/opt/netbox/venv",
-      "processes": {
-        "max": 4,
-        "spare": 1,
-        "idle_timeout": 120
-      }
-    }
-  },
-  "access_log": "/dev/stdout"
-}

docker/super_user.py

@@ -0,0 +1,36 @@
+from os import environ
+
+from django.conf import settings
+from users.choices import TokenVersionChoices
+from users.models import Token, User
+
+
+# Read secret from file
+def _read_secret(secret_name: str, default: str | None = None) -> str | None:
+    try:
+        f = open("/run/secrets/" + secret_name, "r", encoding="utf-8")
+    except EnvironmentError:
+        return default
+    else:
+        with f:
+            return f.readline().strip()
+
+
+su_name = environ.get("SUPERUSER_NAME", "admin")
+su_email = environ.get("SUPERUSER_EMAIL", "admin@example.com")
+su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD", "admin"))
+su_api_token = _read_secret(
+    "superuser_api_token",
+    environ.get("SUPERUSER_API_TOKEN", "0123456789abcdef0123456789abcdef01234567"),
+)
+
+if not User.objects.filter(username=su_name):
+    u = User.objects.create_superuser(su_name, su_email, su_password)
+    msg = ""
+    if not settings.API_TOKEN_PEPPERS:
+        print("⚠️ No API token will be created as API_TOKEN_PEPPERS is not set")
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}"
+    else:
+        t = Token.objects.create(user=u, token=su_api_token, version=TokenVersionChoices.V2)
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t} (use with '{t.get_auth_header_prefix()}<Your token>')"
+    print(msg)

env/netbox.env

@@ -1,3 +1,4 @@
+API_TOKEN_PEPPER_1=Qy+F=OTeGskWQ(wTMgjc+NPPlz6YwFXY=KHIIg=wpYXT&e(6u8
 CORS_ORIGIN_ALLOW_ALL=True
 DB_HOST=postgres
 DB_NAME=netbox
@@ -14,8 +15,9 @@ EMAIL_USERNAME=netbox
 # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
 EMAIL_USE_SSL=false
 EMAIL_USE_TLS=false
+GRANIAN_BACKPRESSURE=4
+GRANIAN_WORKERS=4
 GRAPHQL_ENABLED=true
-HOUSEKEEPING_INTERVAL=86400
 MEDIA_ROOT=/opt/netbox/netbox/media
 METRICS_ENABLED=false
 REDIS_CACHE_DATABASE=1
@@ -31,4 +33,12 @@ REDIS_SSL=false
 RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases
 SECRET_KEY='r(m)9nLGnz$(_q3N4z1k(EFsMCjjjzx08x9VhNVcfd%6RF#r!6DE@+V5Zk2X'
 SKIP_SUPERUSER=true
+# SSO Configuration (uncomment and configure as needed)
+# OKTA OpenID Connect
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY=your_okta_client_id
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET=your_okta_client_secret
+# SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL=https://your-domain.okta.com
+# Google OAuth2
+# SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=your_google_client_id
+# SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=your_google_client_secret
 WEBHOOKS_ENABLED=true

requirements-container.txt

@@ -1,5 +1,7 @@
-django-auth-ldap==4.8.0
+django-auth-ldap==5.3.0
-django-storages[azure,boto3,dropbox,google,libcloud,sftp]==1.14.4
+dulwich==1.0.0
-dulwich==0.22.1
+granian[uvloop]==2.7.0
-python3-saml==1.16.0 --no-binary lxml,xmlsec
+python3-saml==1.16.0
-sentry-sdk[django]==2.14.0
+--no-binary lxml
+--no-binary xmlsec
+sentry-sdk[django]==2.51.0

test-configuration/test_config.py

@@ -3,5 +3,14 @@ LOGGING = {
     'disable_existing_loggers': True
 }
 
+PLUGINS = [
+    'netbox.tests.dummy_plugin',
+]
+
+ALLOW_TOKEN_RETRIEVAL = True
+
 DEFAULT_PERMISSIONS = {}
-LOGIN_REQUIRED = False
+
+API_TOKEN_PEPPERS = {
+    1: 'TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE',
+}