From c3dcc6c59f3b111142f7da972dc73205173baf82 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@gmail.com>
Date: Wed, 7 Jan 2026 19:40:41 +0100
Subject: [PATCH 1/6] Support new API token format

---
 Dockerfile                  |  1 +
 docker/docker-entrypoint.sh | 18 +-----------------
 docker/super_user.py        | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+), 17 deletions(-)
 create mode 100644 docker/super_user.py

diff --git a/Dockerfile b/Dockerfile
index 753200a..91f814f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -76,6 +76,7 @@ COPY docker/configuration.docker.py /opt/netbox/netbox/netbox/configuration.py
 COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
+COPY docker/super_user.py /opt/netbox/super_user.py
 COPY configuration/ /etc/netbox/config/
 COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
 COPY VERSION /opt/netbox/VERSION
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index fa5930d..1ea34e4 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -71,26 +71,10 @@ else
     SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
   fi
 
-  ./manage.py shell --interface python <<END
-from users.models import Token, User
-if not User.objects.filter(username='${SUPERUSER_NAME}'):
-    u = User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')
-    Token.objects.create(user=u, key='${SUPERUSER_API_TOKEN}')
-END
+  ./manage.py shell --interface python < /opt/netbox/super_user.py
 
-  echo "💡 Superuser Username: ${SUPERUSER_NAME}, E-Mail: ${SUPERUSER_EMAIL}"
 fi
 
-./manage.py shell --interface python <<END
-from users.models import Token
-try:
-    old_default_token = Token.objects.get(key="0123456789abcdef0123456789abcdef01234567")
-    if old_default_token:
-        print("⚠️ Warning: You have the old default admin API token in your database. This token is widely known; please remove it. Log in as your superuser and check API Tokens in your user menu.")
-except Token.DoesNotExist:
-    pass
-END
-
 echo "✅ Initialisation is done."
 
 # Launch whatever is passed by docker
diff --git a/docker/super_user.py b/docker/super_user.py
new file mode 100644
index 0000000..1f8bb16
--- /dev/null
+++ b/docker/super_user.py
@@ -0,0 +1,22 @@
+from os import environ
+from users.models import Token, User
+from users.choices import TokenVersionChoices
+from django.conf import settings
+
+su_name = environ.get("SUPERUSER_NAME")
+su_email = environ.get("SUPERUSER_EMAIL")
+su_password = environ.get("SUPERUSER_PASSWORD")
+su_api_token = environ.get("SUPERUSER_API_TOKEN")
+
+if not User.objects.filter(username=su_name):
+    u = User.objects.create_superuser(su_name, su_email, su_password)
+    msg = ""
+    if not settings.API_TOKEN_PEPPERS:
+        print("⚠️ No API token will be created as API_TOKEN_PEPPERS is not set")
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}"
+    else:
+        t = Token.objects.create(
+            user=u, token=su_api_token, version=TokenVersionChoices.V2
+        )
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t} (use with '{t.get_auth_header_prefix()}<Your token>')"
+    print(msg)

From 0cd10dd3b5190ec220652ab806f955d1264efa0f Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 08:14:59 +0100
Subject: [PATCH 2/6] Review comments addressed

---
 docker/docker-entrypoint.sh | 21 ++-------------------
 docker/super_user.py        | 20 +++++++++++++++-----
 2 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index 1ea34e4..5b1ee6a 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -54,25 +54,8 @@ fi
 if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
-  if [ -z ${SUPERUSER_NAME+x} ]; then
-    SUPERUSER_NAME='admin'
-  fi
-  if [ -z ${SUPERUSER_EMAIL+x} ]; then
-    SUPERUSER_EMAIL='admin@example.com'
-  fi
-  if [ -f "/run/secrets/superuser_password" ]; then
-    SUPERUSER_PASSWORD="$(</run/secrets/superuser_password)"
-  elif [ -z ${SUPERUSER_PASSWORD+x} ]; then
-    SUPERUSER_PASSWORD='admin'
-  fi
-  if [ -f "/run/secrets/superuser_api_token" ]; then
-    SUPERUSER_API_TOKEN="$(</run/secrets/superuser_api_token)"
-  elif [ -z ${SUPERUSER_API_TOKEN+x} ]; then
-    SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
-  fi
-
-  ./manage.py shell --interface python < /opt/netbox/super_user.py
-
+  ./manage.py shell --no-startup --no-imports --interface python \
+                    < /opt/netbox/super_user.py
 fi
 
 echo "✅ Initialisation is done."
diff --git a/docker/super_user.py b/docker/super_user.py
index 1f8bb16..5213617 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
@@ -3,10 +3,22 @@ from users.models import Token, User
 from users.choices import TokenVersionChoices
 from django.conf import settings
 
+
+# Read secret from file
+def _read_secret(secret_name: str, default: str | None = None) -> str | None:
+    try:
+        f = open("/run/secrets/" + secret_name, "r", encoding="utf-8")
+    except EnvironmentError:
+        return default
+    else:
+        with f:
+            return f.readline().strip()
+
+
 su_name = environ.get("SUPERUSER_NAME")
 su_email = environ.get("SUPERUSER_EMAIL")
-su_password = environ.get("SUPERUSER_PASSWORD")
-su_api_token = environ.get("SUPERUSER_API_TOKEN")
+su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD"))
+su_api_token = _read_secret("superuser_api_token", environ.get("SUPERUSER_API_TOKEN"))
 
 if not User.objects.filter(username=su_name):
     u = User.objects.create_superuser(su_name, su_email, su_password)
@@ -15,8 +27,6 @@ if not User.objects.filter(username=su_name):
         print("⚠️ No API token will be created as API_TOKEN_PEPPERS is not set")
         msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}"
     else:
-        t = Token.objects.create(
-            user=u, token=su_api_token, version=TokenVersionChoices.V2
-        )
+        t = Token.objects.create(user=u, token=su_api_token, version=TokenVersionChoices.V2)
         msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t} (use with '{t.get_auth_header_prefix()}<Your token>')"
     print(msg)

From 14f669fe0d821cfb28000086c2a906571700d640 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 09:03:46 +0100
Subject: [PATCH 3/6] Formatting

---
 docker/docker-entrypoint.sh | 2 +-
 docker/super_user.py        | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index 5b1ee6a..a1ae580 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -55,7 +55,7 @@ if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
   ./manage.py shell --no-startup --no-imports --interface python \
-                    < /opt/netbox/super_user.py
+  < /opt/netbox/super_user.py
 fi
 
 echo "✅ Initialisation is done."
diff --git a/docker/super_user.py b/docker/super_user.py
index 5213617..7f3f532 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
@@ -1,7 +1,8 @@
 from os import environ
-from users.models import Token, User
-from users.choices import TokenVersionChoices
+
 from django.conf import settings
+from users.choices import TokenVersionChoices
+from users.models import Token, User
 
 
 # Read secret from file

From dde39aec653f87f2c75c427b8c980621ee28aec5 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 09:06:10 +0100
Subject: [PATCH 4/6] Formatting

---
 docker/docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index a1ae580..a9c8f47 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -55,7 +55,7 @@ if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
   ./manage.py shell --no-startup --no-imports --interface python \
-  < /opt/netbox/super_user.py
+    < /opt/netbox/super_user.py
 fi
 
 echo "✅ Initialisation is done."

From 8c5cf9e26bfc5b08689a8ecd05720ad8af8f5db4 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 09:10:05 +0100
Subject: [PATCH 5/6] Formatting

---
 .flake8                     | 2 +-
 docker/docker-entrypoint.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.flake8 b/.flake8
index 83a86a2..6872797 100644
--- a/.flake8
+++ b/.flake8
@@ -4,4 +4,4 @@ extend-ignore = E203, W503
 per-file-ignores =
   configuration/*:E131,E251,E266,E302,E305,E501,E722
   startup_scripts/startup_script_utils/__init__.py:F401
-  docker/*:E266,E722
+  docker/*:E266,E722,E501
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index a9c8f47..1d36167 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -55,7 +55,7 @@ if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
   ./manage.py shell --no-startup --no-imports --interface python \
-    < /opt/netbox/super_user.py
+    </opt/netbox/super_user.py
 fi
 
 echo "✅ Initialisation is done."

From 2127d2156a51db86801e77c9828840d815503a46 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 10:45:24 +0100
Subject: [PATCH 6/6] Missing defaults

---
 docker/super_user.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/docker/super_user.py b/docker/super_user.py
index 7f3f532..7918388 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
@@ -16,10 +16,13 @@ def _read_secret(secret_name: str, default: str | None = None) -> str | None:
             return f.readline().strip()
 
 
-su_name = environ.get("SUPERUSER_NAME")
-su_email = environ.get("SUPERUSER_EMAIL")
-su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD"))
-su_api_token = _read_secret("superuser_api_token", environ.get("SUPERUSER_API_TOKEN"))
+su_name = environ.get("SUPERUSER_NAME", "admin")
+su_email = environ.get("SUPERUSER_EMAIL", "admin@example.com")
+su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD", "admin"))
+su_api_token = _read_secret(
+    "superuser_api_token",
+    environ.get("SUPERUSER_API_TOKEN", "0123456789abcdef0123456789abcdef01234567"),
+)
 
 if not User.objects.filter(username=su_name):
     u = User.objects.create_superuser(su_name, su_email, su_password)