Ansible playbook for managing the netbox server
| inventory | ||
| playbooks | ||
| roles | ||
| .cursorignore | ||
| .gitignore | ||
| ansible.cfg | ||
| Makefile | ||
| README.md | ||
| requirements.yml | ||
NetBox Ansible Deployment
This Ansible project deploys NetBox using Docker Compose on Ubuntu servers. It follows Ansible best practices with modular roles, idempotent operations, and comprehensive configuration management.
Features
- Modular Design: Separate roles for system updates, Docker installation, Traefik reverse proxy, and NetBox deployment
- Idempotent: Safe to run multiple times without side effects
- Ubuntu Only: Specifically designed for Ubuntu distributions (Focal, Jammy, Noble)
- Docker Compose: Uses the official NetBox Docker repository
- Traefik Integration: Automatic reverse proxy with ACME TLS certificate management
- HTTPS by Default: Automatic HTTP to HTTPS redirection with Let's Encrypt certificates
- Configuration Management: Templated environment files with Ansible variables
- Security: Support for Ansible Vault for sensitive data
- Backup Support: Built-in backup playbook for data protection
Project Structure
netbox-ansible/
├── ansible.cfg # Ansible configuration
├── inventory/
│ └── hosts.yml # Inventory file
├── group_vars/
│ ├── netbox.yml # Group variables
│ └── netbox/
│ └── vault.yml # Encrypted sensitive variables
├── playbooks/
│ ├── deploy-netbox.yml # Main deployment playbook
│ ├── update-netbox.yml # Update NetBox playbook
│ └── backup-netbox.yml # Backup NetBox playbook
├── roles/
│ ├── system-update/ # System package updates
│ ├── docker-install/ # Docker and Docker Compose installation
│ ├── traefik/ # Traefik reverse proxy with ACME TLS
│ └── netbox-deploy/ # NetBox deployment and configuration
└── templates/ # Additional templates if needed
Prerequisites
- Ansible 2.9 or later
- Target servers running Ubuntu (Focal, Jammy, or Noble)
- SSH access to target servers with sudo privileges
- Python 3 on target servers
Quick Start
-
Configure Inventory
# Edit inventory/hosts.yml vim inventory/hosts.ymlAdd your server(s):
[netbox] netbox-server ansible_host=192.168.1.100 ansible_user=ubuntu -
Configure Variables
# Edit group variables vim group_vars/netbox.yml # Edit vault variables (domains, ACME email, etc.) vim group_vars/netbox/vault.yml # Encrypt sensitive variables ansible-vault encrypt group_vars/netbox/vault.yml -
Deploy NetBox with Traefik
# Run the deployment playbook (includes Traefik) ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml --ask-vault-pass -
Access Your Services
- NetBox:
https://your-domain.com - Traefik Dashboard:
https://traefik.your-domain.com:8080
- NetBox:
Configuration
Group Variables (group_vars/netbox.yml)
Key configuration options:
netbox_install_dir: Directory for NetBox installation (default:/opt/netbox-docker)netbox_data_dir: Directory for persistent data (default:/opt/netbox-data)netbox_backup_dir: Directory for backups (default:/opt/netbox-backups)netbox_domain: Domain name for NetBox (configured in vault)netbox_allowed_hosts: Allowed hosts for NetBoxnetbox_superuser_*: Superuser configurationnetbox_db_*: Database configurationnetbox_redis_*: Redis configurationtraefik_*: Traefik reverse proxy configuration
Vault Variables (group_vars/netbox/vault.yml)
Sensitive data should be encrypted:
# Encrypt vault file
ansible-vault encrypt group_vars/netbox/vault.yml
# Edit encrypted vault file
ansible-vault edit group_vars/netbox/vault.yml
Docker Compose Overrides
NetBox is now configured to work with Traefik labels instead of port forwarding:
netbox_docker_compose_overrides:
services:
netbox:
labels:
- "traefik.enable=true"
- "traefik.http.routers.netbox.rule=Host(`{{ netbox_domain }}`)"
- "traefik.http.routers.netbox.entrypoints=websecure"
- "traefik.http.routers.netbox.tls.certresolver=letsencrypt"
- "traefik.http.services.netbox.loadbalancer.server.port=8080"
networks:
- "traefik"
Playbooks
Main Deployment (deploy-netbox.yml)
Deploys NetBox with Traefik reverse proxy:
- Updates system packages
- Installs Docker and Docker Compose
- Deploys Traefik reverse proxy with ACME TLS
- Clones NetBox Docker repository
- Configures environment files
- Starts NetBox services behind Traefik
- Creates superuser account
Update NetBox (update-netbox.yml)
Updates existing NetBox installation:
- Updates repository
- Pulls latest Docker images
- Restarts services
Backup NetBox (backup-netbox.yml)
Creates comprehensive backup:
- Database dump
- Media files
- Configuration files
Roles
system-update
- Updates apt package cache
- Upgrades all packages
- Installs required packages
- Optional reboot if needed
docker-install
- Adds Docker GPG key and repository
- Installs Docker CE and Docker Compose
- Configures Docker daemon
- Adds users to docker group
traefik
- Creates Traefik directories and configuration
- Sets up ACME certificate resolver for Let's Encrypt
- Configures Docker provider for automatic service discovery
- Deploys Traefik reverse proxy with HTTPS redirection
- Creates external network for service communication
netbox-deploy
- Creates necessary directories
- Clones NetBox Docker repository
- Generates configuration files
- Starts NetBox services with Traefik labels
- Creates superuser account
Usage Examples
Deploy NetBox with Traefik
ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml --ask-vault-pass
Update NetBox
ansible-playbook -i inventory/hosts.yml playbooks/update-netbox.yml
Backup NetBox
ansible-playbook -i inventory/hosts.yml playbooks/backup-netbox.yml
Run with Vault
ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml --ask-vault-pass
Run Specific Tags
ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml --tags "traefik"
ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml --tags "netbox-deploy"
Traefik Management
# Check Traefik status
make traefik-status
# View Traefik logs
make traefik-logs
# View access logs (JSON format for auditing)
make traefik-access-logs
# Restart Traefik
make traefik-restart
# Update custom root CA certificate
make traefik-update-ca
Security Considerations
- Encrypt Sensitive Data: Use
ansible-vaultfor passwords and secrets - SSH Key Authentication: Use SSH keys instead of passwords
- Firewall Rules: Configure appropriate firewall rules (ports 80, 443)
- TLS Certificates: ACME certificates are automatically managed by Traefik
- Custom Root CA: Support for custom certificate authorities alongside system CAs
- Access Logging: Comprehensive JSON-formatted access logs for auditing
- Regular Updates: Keep NetBox and dependencies updated
- Backup Strategy: Implement regular backup procedures
Troubleshooting
Common Issues
- Permission Denied: Ensure user has sudo privileges
- Docker Not Found: Check Docker installation and user group membership
- Port Conflicts: Verify ports 80 and 443 are available
- Database Connection: Check database configuration and connectivity
- TLS Certificate Issues: Check ACME configuration and domain DNS
- Traefik Not Starting: Check Docker network and configuration
Logs and Debugging
# Enable verbose output
ansible-playbook -i inventory/hosts.yml playbooks/deploy-netbox.yml -vvv
# Check Docker Compose logs
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/netbox-docker && docker compose logs"
# Check Traefik logs
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/traefik && docker compose logs traefik"
Logging and Auditing
Access Logs
Traefik is configured with comprehensive access logging in JSON format for easy parsing and auditing:
- Format: JSON structured logs
- Fields: Includes request details, response codes, timing, and headers
- Security: Authorization headers are automatically dropped from logs
- Headers Tracked: User-Agent, Content-Type, X-Forwarded-For, X-Real-IP, etc.
Log Management Commands
# View recent access logs
make traefik-access-logs
# View all Traefik logs
make traefik-logs
# Follow logs in real-time
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/traefik && docker compose logs -f traefik"
Log Analysis Examples
# Count requests by status code
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/traefik && docker compose logs traefik | grep access | jq '.DownstreamStatus' | sort | uniq -c"
# Find failed requests
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/traefik && docker compose logs traefik | grep access | jq 'select(.DownstreamStatus >= 400)'"
# Analyze by IP address
ansible netbox -i inventory/hosts.yml -m shell -a "cd /opt/traefik && docker compose logs traefik | grep access | jq '.ClientHost' | sort | uniq -c"
Custom Root CA Configuration
Traefik can be configured to trust custom root certificate authorities while maintaining trust for system root CAs. This is useful for internal PKI environments or corporate certificate authorities.
Configuration
Set the custom CA URL in your vault file:
# Custom Root CA Configuration
vault_traefik_custom_ca_url: "https://your-ca-server.com/root-ca.pem"
Features
- Dual Trust: Trusts both custom CA and system root CAs
- Automatic Download: Downloads CA certificate from web server during deployment
- Certificate Validation: Verifies certificate format using OpenSSL
- Secure Storage: CA certificate stored with appropriate permissions
- Easy Updates: Update CA certificate without full redeployment
Management Commands
# Update custom root CA certificate
make traefik-update-ca
# Verify CA certificate manually
ansible netbox -i inventory/hosts.yml -m shell -a "openssl x509 -in /etc/traefik/custom-ca.pem -text -noout"
Requirements
- Custom CA certificate must be accessible via HTTP/HTTPS GET request
- Certificate must be in PEM format
- Web server must be accessible from the deployment server
- Certificate validation can be disabled if needed (
traefik_custom_ca_verify_ssl: false)
Contributing
- Follow Ansible best practices
- Ensure idempotency
- Add appropriate tags
- Update documentation
- Test on multiple Ubuntu versions
License
MIT License - see LICENSE file for details.
Support
For issues and questions:
- Check NetBox documentation: https://docs.netbox.dev/
- NetBox Community: https://github.com/netbox-community/netbox
- NetBox Docker: https://github.com/netbox-community/netbox-docker