# Network MCP Docker Suite - Environment Configuration
# =====================================================
# Copy this file to .env and fill in your actual values:
# cp .env.example .env
# chmod 600 .env   (the file will hold live credentials - keep it readable by the deploying user only)
# nano .env
#
# This single .env file configures all MCP servers in the suite.
# Only configure the servers you plan to use.
#
# Parsing notes: the inline "# comment" after a value is stripped by Docker Compose and most
# dotenv libraries, but NOT by `docker run --env-file`, where it becomes part of the value.
# Quote any value that contains '#', '$', spaces or quotes; single quotes also stop Compose
# from expanding '$VAR' inside the value (relevant for passwords and tokens).
# =====================================================
# ========================================
# MCP SERVERS - ENABLE/DISABLE CONTROL
# ========================================
# Set to 'true' to enable, 'false' to disable individual servers
# Note: Use docker-compose profiles or deploy.sh to start specific servers
# Example: ./deploy.sh start meraki (only starts enabled servers)
# Security: set servers you do not use to 'false' - every enabled server listens on its own port and
# holds the credentials configured for it below, so each one is additional attack surface
ENABLE_MERAKI_MCP=true # Meraki Dashboard API (Port 8000)
ENABLE_NETBOX_MCP=true # NetBox DCIM/IPAM (Port 8001)
ENABLE_CATC_MCP=true # Catalyst Center (Port 8002)
ENABLE_IOS_XE_MCP=true # IOS XE SSH Management (Port 8003)
ENABLE_THOUSANDEYES_MCP=true # ThousandEyes Monitoring (Port 8004)
ENABLE_ISE_MCP=true # ISE Identity Services (Port 8005)
ENABLE_SPLUNK_MCP=true # Splunk Log Analysis (Port 8006)
ENABLE_PROMETHEUS_MCP=true # Prometheus Metrics (Port 8007)
ENABLE_CLICKHOUSE_MCP=true # ClickHouse Syslog (Port 8008)
ENABLE_GITLAB_MCP=true # GitLab CI/CD (Port 8009)
# ========================================
# MERAKI MCP SERVER (Port 8000)
# ========================================
# Meraki Dashboard API Configuration
# NOTE(review): a Meraki API key carries the permissions of the dashboard user that generated it -
# generate it from a dedicated, least-privileged (read-only where possible) user, not a personal admin account
MERAKI_KEY=your_meraki_api_key_here # Get from Meraki Dashboard > Organization > API & webhooks
MCP_ROLE=noc # Options: noc (monitoring), sysadmin, all (full access) - keep the narrowest role that covers the tools you need (default: noc)
MERAKI_BASE_URL=https://api.meraki.com/api/v1 # Meraki API base URL (default: official API); keep https - the API key is sent on every request
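# ========================================
# NETBOX MCP SERVER (Port 8001)
# ========================================
# NetBox DCIM/IPAM Configuration
NETBOX_URL=https://netbox.example.com # Your NetBox instance URL (include https://)
NETBOX_TOKEN=your_netbox_token_here # NetBox API token - read-only permissions unless you need the write/delete tools
# Keep certificate verification ON. Disabling it lets anyone on the path impersonate NetBox and capture the token.
# For a self-signed/internal CA, trust that CA inside the container instead; use 'false' only in an isolated lab.
NETBOX_VERIFY_SSL=true # SSL certificate verification (default: true; 'false' only for self-signed lab instances)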
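# ========================================
# CATALYST CENTER MCP SERVER (Port 8002)
# ========================================
# Catalyst Center API Configuration
CATC_URL=https://catalyst-center.example.com # Your Catalyst Center URL (include https://)
CATC_USERNAME=your_catalyst_center_username # Catalyst Center username with API access (dedicated service account, Observer role if read-only is enough)
CATC_PASSWORD=your_catalyst_center_password # Catalyst Center password (quote it if it contains '#', '$', spaces or quotes)
# Keep certificate verification ON wherever the certificate is valid; with it off, the username/password
# can be captured by anyone who can intercept the connection. Use 'false' only in an isolated lab.
CATC_VERIFY_SSL=true # SSL certificate verification (server default: false; 'true' whenever the cert is valid)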
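# ========================================
# IOS XE MCP SERVER (Port 8003)
# ========================================
# IOS XE Device SSH Configuration
# REQUIRED: Server fails without these credentials
# Credentials come only from the environment (no per-call parameters), so this single account is reused
# for every device the server reaches. Use a dedicated service account at the lowest privilege level the
# enabled tools need - not a shared 'admin' login - and quote the password if it contains '#', '$' or spaces.
IOS_XE_USERNAME=your_ios_xe_username # SSH username for IOS XE devices
IOS_XE_PASSWORD=your_ios_xe_password # SSH password for IOS XE devices
# Enable Secret (optional - for devices requiring privilege escalation)
IOS_XE_ENABLE_SECRET= # Enable secret for priv 15 (leave empty if login is priv 15)
# Read-Only Mode (recommended for monitoring/troubleshooting and for any AI-driven workflow)
# Set to 'false' only when the config_command tool is deliberately required.
IOS_XE_READ_ONLY=true # 'true' restricts the server to show commands; set to 'false' to allow config commands
# Optional: Advanced SSH Settings
SSH_TIMEOUT=60 # SSH connection timeout in seconds (default: 60)
DEFAULT_DEVICE_TYPE=cisco_ios # Netmiko device type (default: cisco_ios)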
# ========================================
# THOUSANDEYES MCP SERVER (Port 8004)
# ========================================
# ThousandEyes API v7 Configuration
# The token is issued per user (User Profile > API Tokens) - create it for a dedicated read-only user rather than a personal admin
TE_TOKEN=your_thousandeyes_api_bearer_token_here # ThousandEyes API v7 Bearer token
TE_BASE_URL=https://api.thousandeyes.com/v7 # ThousandEyes API base URL (default: v7 API); keep https - the bearer token is sent on every request
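# ========================================
# ISE MCP SERVER (Port 8005)
# ========================================
# Cisco ISE ERS API Configuration
ISE_HOST=ise.company.com # ISE server hostname or IP
ISE_USERNAME=ise-service-account # ISE username with ERS API access (ERS Operator is enough for read-only use)
# Placeholder only - never ship a real-looking password in an example file (it trips secret scanners and gets copied).
# Quote the real value if it contains '#', '$', spaces or quotes.
ISE_PASSWORD=your_ise_password_here # ISE user password
ISE_VERSION=1.0 # ISE API version (default: 1.0)
ISE_VERIFY_SSL=True # SSL certificate verification (default: True) - keep it on; the ERS credentials are sent over this connection
ISE_REQUEST_TIMEOUT=30 # ISE API timeout in seconds (default: 30)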
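# ========================================
# SPLUNK MCP SERVER (Port 8006)
# ========================================
# Splunk MCP Backend Configuration
SPLUNK_HOST=splunk.company.com # Splunk server hostname/IP
SPLUNK_PORT=8089 # Splunk management port (default: 8089)
SPLUNK_API_KEY=your_bearer_token # Splunk Bearer token (issue it for a dedicated, search-only role)
# Keep certificate verification ON outside an isolated lab: with it off, the bearer token can be
# captured by anyone able to intercept traffic to the management port.
SPLUNK_VERIFY_SSL=true # SSL certificate verification (server default: false; set 'true' whenever the cert is valid)
# SPLUNK_MCP_DYNAMIC=true # Load tool list from Splunk at startup (default: true)
# SPLUNK_MCP_MAX_TOOLS=64 # Max tools to register from tools/list
# SPLUNK_MCP_APPEND_INPUT_SCHEMA=true # Append each tool's inputSchema (JSON) to its description
# SPLUNK_MCP_SCHEMA_DESC_MAX_CHARS=12000 # Max size of embedded schema in descriptions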
# ========================================
# PROMETHEUS MCP SERVER (Port 8007)
# ========================================
# Prometheus Metrics Query Configuration (gnp-stack/netops-stack integration)
# Use http://prometheus:9090 when on same Docker network as gnp-stack
# Use http://<host>:9090 for external access
# No credentials are configured here, so plain http is acceptable only on an isolated Docker network.
# For an external host, put Prometheus behind TLS and authentication at the network/proxy layer -
# this file provides no auth variables for it.
PROMETHEUS_URL=http://prometheus:9090 # Prometheus server URL
# ========================================
# CLICKHOUSE MCP SERVER (Port 8008)
# ========================================
# ClickHouse Syslog Query Configuration (gnp-stack/netops-stack integration)
# Use http://clickhouse:8123 when on same Docker network as gnp-stack
# Use http://<host>:8123 for external access
CLICKHOUSE_URL=http://clickhouse:8123 # ClickHouse HTTP interface URL (plain http only on an isolated Docker network; use https for external hosts)
CLICKHOUSE_USER= # ClickHouse username (optional if anonymous access - acceptable only for local/lab deployments; use a read-only user elsewhere)
CLICKHOUSE_PASSWORD= # ClickHouse password (optional if anonymous access; quote the value if it contains '#', '$' or spaces)
CLICKHOUSE_DATABASE=default # ClickHouse database name (default: default)
# ========================================
# GITLAB MCP SERVER (Port 8009)
# ========================================
# GitLab CI/CD Pipeline and Repository Management
GITLAB_URL=https://gitlab.com # GitLab instance URL (or self-hosted)
# 'api' scope is full API access as the token's owner. Prefer a project or group access token limited to the
# target project(s) over a personal access token, and give it the lowest role that can trigger pipelines / commit.
GITLAB_TOKEN=your_gitlab_token_here # Personal access token with api scope
GITLAB_DEFAULT_PROJECT_ID= # Default project ID or path (optional)
# Allowed pipeline variables (comma-separated) - limits which CI variable NAMES a caller may set
# NOTE(review): the allowlist does not validate values. EXTRA_VARS lets the caller pass arbitrary Ansible
# variables and PLAYBOOK lets it choose which playbook runs, which largely defeats the injection protection;
# remove them unless the dry-run workflow genuinely needs them, and validate their values inside the pipeline.
GITLAB_ALLOWED_VARIABLES=DRY_RUN,TARGET_HOST,TARGET_HOSTS,SITE_PIPELINE,SWITCH_PIPELINE,PLAYBOOK,EXTRA_VARS,LIMIT,TAGS,SKIP_TAGS,VERBOSITY
# Allowed file path prefixes for repository updates (comma-separated)
# NOTE(review): a prefix check is only safe on a normalized path - verify the server rejects '..' segments,
# otherwise 'ansible/../.gitlab-ci.yml' satisfies the 'ansible/' prefix and a caller could rewrite the pipeline itself.
GITLAB_ALLOWED_FILE_PATHS=ansible/,host_vars/,group_vars/,configs/,templates/,inventory/,playbooks/,roles/,vars/
# ========================================
# MCP SERVER COMMON CONFIGURATION
# ========================================
# These settings apply to all MCP servers
# Individual servers may override these with specific defaults
# 0.0.0.0 binds every interface inside the container (needed for Docker port mapping). Limit who can reach the
# published ports - e.g. map them to 127.0.0.1 or a management network in docker-compose, or firewall them -
# because anyone who can reach a port can drive that server's tools with the credentials configured above
# (this file configures no authentication on the MCP endpoints themselves).
MCP_HOST=0.0.0.0 # Server bind address (0.0.0.0 for Docker)
LOG_LEVEL=INFO # Logging level: DEBUG, INFO, WARNING, ERROR (DEBUG may log request details - avoid in production)
# ========================================
# CONFIGURATION NOTES
# ========================================
#
# ENABLING/DISABLING SERVERS:
# - Set ENABLE_*_MCP=false to disable a server
# - Disabled servers won't start even if included in docker-compose profiles
# - Use deploy.sh with profiles for flexible deployment
# - Example: ./deploy.sh start cisco (starts only enabled Cisco servers)
#
# MERAKI:
# - Get API key: Meraki Dashboard > Organization > API & webhooks
# - Roles: noc (monitoring), sysadmin (read-only), all (full access)
#
# NETBOX:
# - Get token: NetBox UI > Profile > API Tokens
# - Requires read permissions (write/delete optional)
#
# CATALYST CENTER:
# - Ensure user has API access enabled
# - Recommended: Administrator role for full functionality
# - Observer role minimum for read operations
#
# IOS XE:
# - Credentials loaded from environment only (no parameters)
# - Passwords automatically masked in logs
# - SSH timeout configurable for slow devices
# - Set IOS_XE_ENABLE_SECRET for devices requiring privilege escalation
# - Set IOS_XE_READ_ONLY=true for monitoring only (disables config_command)
# - Read-only mode recommended for AI troubleshooting workflows
#
# THOUSANDEYES:
# - Get token: ThousandEyes Platform > User Profile > API Tokens
# - Uses API v7 (Bearer token authentication)
# - All operations are read-only
#
# ISE:
# - Enable ERS API: ISE > Administration > Settings > ERS Settings
# - User needs ERS Admin or ERS Operator group membership
# - Set ISE_VERIFY_SSL=True for production with valid certificates
#
# SPLUNK:
# - Get Bearer token from Splunk instance
# - Uses Splunk management port (default: 8089)
# - Proxy handles SSL and authentication
#
# PROMETHEUS (netops-stack/gnp-stack):
# - Part of gnp-stack observability platform
# - Stores metrics from gNMIc, SNMP exporters
# - Read-only queries via PromQL
# - Use internal Docker hostname when on same network
#
# CLICKHOUSE (netops-stack/gnp-stack):
# - Part of gnp-stack observability platform
# - Stores syslog messages via Vector
# - Read-only queries for log analysis
# - Anonymous access is acceptable only for local/lab deployments; set CLICKHOUSE_USER/CLICKHOUSE_PASSWORD (a read-only user) anywhere else
#
# GITLAB:
# - Get token: GitLab > Profile > Access Tokens > api scope
# - For self-hosted: update GITLAB_URL
# - GITLAB_ALLOWED_VARIABLES limits which CI variable names a caller may set; it does not validate values,
#   so keep pass-through variables such as EXTRA_VARS out of it unless the workflow requires them
# - GITLAB_ALLOWED_FILE_PATHS restricts file update paths by prefix; make sure paths are normalized ('..' rejected) before matching
# - Use for triggering Ansible dry-runs and config updates
#
# SECURITY BEST PRACTICES:
# 1. Never commit the .env file to version control (keep it in .gitignore) and restrict it with chmod 600
# 2. Use strong, unique credentials for each service, issued to dedicated service accounts rather than personal logins
# 3. Rotate API keys and passwords regularly, and immediately if the .env file is exposed
# 4. Use least-privilege access (minimum required permissions; read-only tokens/roles unless write tools are needed)
# 5. Keep *_VERIFY_SSL enabled in production; trust your internal CA instead of disabling verification
# 6. Consider using Docker secrets for production deployments instead of plaintext values in .env
# 7. Restrict network access to MCP servers (bind published ports to localhost or a management network;
#    anyone who can reach a port can use that server's credentials)
# 8. Monitor API usage and access logs
# 9. Disable unused MCP servers to reduce attack surface
# 10. Prefer read-only modes (IOS_XE_READ_ONLY=true, MCP_ROLE=noc) for AI-driven workflows
#
# ========================================