{ config, lib, pkgs, ... }: with lib; let cfg = config.services.icingaweb2; poolName = "icingaweb2"; phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock"; formatBool = b: if b then "1" else "0"; configIni = let config = cfg.generalConfig; in '' [global] show_stacktraces = "${formatBool config.showStacktraces}" show_application_state_messages = "${formatBool config.showApplicationStateMessages}" module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}" config_backend = "${config.configBackend}" ${optionalString (config.configBackend == "db") ''config_resource = "${config.configResource}"''} [logging] log = "${config.log}" ${optionalString (config.log != "none") ''level = "${config.logLevel}"''} ${optionalString (config.log == "php" || config.log == "syslog") ''application = "${config.logApplication}"''} ${optionalString (config.log == "syslog") ''facility = "${config.logFacility}"''} ${optionalString (config.log == "file") ''file = "${config.logFile}"''} [themes] default = "${config.themeDefault}" disabled = "${formatBool config.themeDisabled}" [authentication] ${optionalString (config.authDefaultDomain != null) ''default_domain = "${config.authDefaultDomain}"''} ''; resourcesIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' [${name}] type = "${config.type}" ${optionalString (config.type == "db") '' db = "${config.db}" host = "${config.host}" ${optionalString (config.port != null) ''port = "${toString config.port}"''} username = "${config.username}" password = "${config.password}" dbname = "${config.dbname}" ${optionalString (config.charset != null) ''charset = "${config.charset}"''} use_ssl = "${formatBool config.useSSL}" ${optionalString (config.sslCert != null) ''ssl_cert = "${config.sslCert}"''} ${optionalString (config.sslKey != null) ''ssl_cert = "${config.sslKey}"''} ${optionalString (config.sslCA != null) ''ssl_cert = "${config.sslCA}"''} ${optionalString (config.sslCApath != null) ''ssl_cert = "${config.sslCApath}"''} ${optionalString (config.sslCipher != null) ''ssl_cert = "${config.sslCipher}"''} ''} ${optionalString (config.type == "ldap") '' hostname = "${config.host}" ${optionalString (config.port != null) ''port = "${toString config.port}"''} root_dn = "${config.rootDN}" bind_dn = "${config.username}" bind_pw = "${config.password}" encryption = "${config.ldapEncryption}" timeout = "${toString config.ldapTimeout}" ''} ${optionalString (config.type == "ssh") '' user = "${config.username}" private_key = "${config.sshPrivateKey}" ''} '') cfg.resources); authenticationIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' [${name}] backend = "${config.backend}" ${optionalString (config.domain != null) ''domain = "${config.domain}"''} ${optionalString (config.backend == "external" && config.externalStripRegex != null) ''strip_username_regexp = "${config.externalStripRegex}"''} ${optionalString (config.backend != "external") ''resource = "${config.resource}"''} ${optionalString (config.backend == "ldap" || config.backend == "msldap") '' ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''} ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''} ${optionalString (config.ldapFilter != null) ''filter = "${config.ldapFilter}"''} ''} '') cfg.authentications); groupsIni = concatStringsSep "\n" (mapAttrsToList (name: config: '' [${name}] backend = "${config.backend}" resource = "${config.resource}" ${optionalString (config.backend != "db") '' ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''} ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''} ${optionalString (config.ldapGroupClass != null) ''group_class = "${config.ldapGroupClass}"''} ${optionalString (config.ldapGroupNameAttr != null) ''group_name_attribute = "${config.ldapGroupNameAttr}"''} ${optionalString (config.ldapGroupFilter != null) ''group_filter = "${config.ldapGroupFilter}"''} ''} ${optionalString (config.backend == "msldap" && config.ldapNestedSearch) ''nested_group_search = "1"''} '') cfg.groupBackends); rolesIni = let optionalList = var: attribute: optionalString (builtins.length var > 0) ''${attribute} = "${concatStringsSep "," var}"''; in concatStringsSep "\n" (mapAttrsToList (name: config: '' [${name}] ${optionalList config.users "users"} ${optionalList config.groups "groups"} ${optionalList config.permissions "permissions"} ${optionalList config.permissions "permissions"} ${concatStringsSep "\n" (mapAttrsToList (key: value: optionalList value key) config.extraAssignments)} '') cfg.roles); in { options.services.icingaweb2 = with types; { enable = mkEnableOption "the icingaweb2 web interface"; pool = mkOption { type = str; default = "${poolName}"; description = '' Name of existing PHP-FPM pool that is used to run Icingaweb2. If not specified, a pool will automatically created with default values. ''; }; virtualHost = mkOption { type = nullOr str; default = "icingaweb2"; description = '' Name of the nginx virtualhost to use and setup. If null, no virtualhost is set up. ''; }; timezone = mkOption { type = str; default = "UTC"; example = "Europe/Berlin"; description = "PHP-compliant timezone specification"; }; modules = { doc.enable = mkEnableOption "the icingaweb2 doc module"; migrate.enable = mkEnableOption "the icingaweb2 migrate module"; setup.enable = mkEnableOption "the icingaweb2 setup module"; test.enable = mkEnableOption "the icingaweb2 test module"; translation.enable = mkEnableOption "the icingaweb2 translation module"; }; modulePackages = mkOption { type = attrsOf package; default = {}; example = literalExample '' { "snow" = pkgs.icingaweb2Modules.theme-snow; } ''; description = '' Name-package attrset of Icingaweb 2 modules packages to enable. If you enable modules manually (e.g. via the web ui), they will not be touched. ''; }; generalConfig = { mutable = mkOption { type = bool; default = false; description = '' Make config.ini mutable (e.g. via the web interface). Not that you need to update module_path manually. ''; }; showStacktraces = mkOption { type = bool; default = true; description = "Enable stack traces in the Web UI"; }; showApplicationStateMessages = mkOption { type = bool; default = true; description = "Enable application state messages in the Web UI"; }; modulePath = mkOption { type = listOf str; default = []; description = "List of additional module search paths"; }; configBackend = mkOption { type = enum [ "ini" "db" "none" ]; default = "db"; description = "Where to store user preferences"; }; configResource = mkOption { type = nullOr str; default = null; description = "Database resource where user preferences are stored (if they are stored in a database)"; }; log = mkOption { type = enum [ "syslog" "php" "file" "none" ]; default = "syslog"; description = "Logging target"; }; logLevel = mkOption { type = enum [ "ERROR" "WARNING" "INFO" "DEBUG" ]; default = "ERROR"; description = "Maximum logging level to emit"; }; logApplication = mkOption { type = str; default = "icingaweb2"; description = "Application name to log under (syslog and php log)"; }; logFacility = mkOption { type = enum [ "user" "local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7" ]; default = "user"; description = "Syslog facility to log to"; }; logFile = mkOption { type = str; default = "/var/log/icingaweb2/icingaweb2.log"; description = "File to log to"; }; themeDefault = mkOption { type = str; default = "Icinga"; description = "Name of the default theme"; }; themeDisabled = mkOption { type = bool; default = false; description = "Disallow users to change the theme"; }; authDefaultDomain = mkOption { type = nullOr str; default = null; description = "Domain for users logging in without a qualified domain"; }; }; mutableResources = mkOption { type = bool; default = false; description = "Make resources.ini mutable (e.g. via the web interface)"; }; resources = mkOption { default = {}; description = "Icingaweb 2 resources to define"; type = attrsOf (submodule ({ name, ... }: { options = { name = mkOption { visible = false; default = name; type = str; description = "Name of this resource"; }; type = mkOption { type = enum [ "db" "ldap" "ssh" ]; default = "db"; description = "Type of this resouce"; }; db = mkOption { type = enum [ "mysql" "pgsql" ]; default = "mysql"; description = "Type of this database resource"; }; host = mkOption { type = str; description = "Host to connect to"; }; port = mkOption { type = nullOr port; default = null; description = "Port to connect on"; }; username = mkOption { type = str; description = "Database or SSH user or LDAP bind DN to connect with"; }; password = mkOption { type = str; description = "Password for the database user or LDAP bind DN"; }; dbname = mkOption { type = str; description = "Name of the database to connect to"; }; charset = mkOption { type = nullOr str; default = null; example = "utf8"; description = "Database character set to connect with"; }; useSSL = mkOption { type = nullOr bool; default = false; description = "Whether to connect to the database using SSL"; }; sslCert = mkOption { type = nullOr str; default = null; description = "The file path to the SSL certificate. Only available for the mysql database."; }; sslKey = mkOption { type = nullOr str; default = null; description = "The file path to the SSL key. Only available for the mysql database."; }; sslCA = mkOption { type = nullOr str; default = null; description = "The file path to the SSL certificate authority. Only available for the mysql database."; }; sslCApath = mkOption { type = nullOr str; default = null; description = "The file path to the directory that contains the trusted SSL CA certificates in PEM format. Only available for the mysql database."; }; sslCipher = mkOption { type = nullOr str; default = null; description = "A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. Only available for the mysql database."; }; rootDN = mkOption { type = str; description = "Root object of the LDAP tree"; }; ldapEncryption = mkOption { type = enum [ "none" "starttls" "ldaps" ]; default = "none"; description = "LDAP encryption to use"; }; ldapTimeout = mkOption { type = ints.positive; default = 5; description = "Connection timeout for every LDAP connection"; }; sshPrivateKey = mkOption { type = str; description = "The path to the private key of the user"; }; }; })); }; mutableAuthConfig = mkOption { type = bool; default = true; description = "Make authentication.ini mutable (e.g. via the web interface)"; }; authentications = mkOption { default = {}; description = "Icingaweb 2 authentications to define"; type = attrsOf (submodule ({ name, ... }: { options = { name = mkOption { visible = false; default = name; type = str; description = "Name of this authentication"; }; backend = mkOption { type = enum [ "external" "ldap" "msldap" "db" ]; default = "db"; description = "The type of this authentication backend"; }; domain = mkOption { type = nullOr str; default = null; description = "Domain for domain-aware authentication"; }; externalStripRegex = mkOption { type = nullOr str; default = null; description = "Regular expression to strip off specific user name parts"; }; resource = mkOption { type = str; description = "Name of the database/LDAP resource"; }; ldapUserClass = mkOption { type = nullOr str; default = null; description = "LDAP user class"; }; ldapUserNameAttr = mkOption { type = nullOr str; default = null; description = "LDAP attribute which contains the username"; }; ldapFilter = mkOption { type = nullOr str; default = null; description = "LDAP search filter"; }; }; })); }; mutableGroupsConfig = mkOption { type = bool; default = true; description = "Make groups.ini mutable (e.g. via the web interface)"; }; groupBackends = mkOption { default = {}; description = "Icingaweb 2 group backends to define"; type = attrsOf (submodule ({ name, ... }: { options = { name = mkOption { visible = false; default = name; type = str; description = "Name of this group backend"; }; backend = mkOption { type = enum [ "ldap" "msldap" "db" ]; default = "db"; description = "The type of this group backend"; }; resource = mkOption { type = str; description = "Name of the database/LDAP resource"; }; ldapUserClass = mkOption { type = nullOr str; default = null; description = "LDAP user class"; }; ldapUserNameAttr = mkOption { type = nullOr str; default = null; description = "LDAP attribute which contains the username"; }; ldapGroupClass = mkOption { type = nullOr str; default = null; description = "LDAP group class"; }; ldapGroupNameAttr = mkOption { type = nullOr str; default = null; description = "LDAP attribute which contains the groupname"; }; ldapGroupFilter = mkOption { type = nullOr str; default = null; description = "LDAP group search filter"; }; ldapNestedSearch = mkOption { type = bool; default = false; description = "Enable nested group search in Active Directory based on the user"; }; }; })); }; mutableRolesConfig = mkOption { type = bool; default = true; description = "Make roles.ini mutable (e.g. via the web interface)"; }; roles = mkOption { default = {}; description = "Icingaweb 2 roles to define"; type = attrsOf (submodule ({ name, ... }: { options = { name = mkOption { visible = false; default = name; type = str; description = "Name of this role"; }; users = mkOption { type = listOf str; default = []; description = "List of users that are assigned to the role"; }; groups = mkOption { type = listOf str; default = []; description = "List of groups that are assigned to the role"; }; permissions = mkOption { type = listOf str; default = []; example = [ "application/share/navigation" "config/*" ]; description = "The permissions to grant"; }; extraAssignments = mkOption { type = attrsOf (listOf str); default = {}; example = { "monitoring/blacklist/properties" = [ "sla" "customer"]; }; description = "Additional assignments of this role"; }; }; })); }; }; config = mkIf cfg.enable { services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { "${poolName}" = { listen = phpfpmSocketName; phpOptions = '' extension = ${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so date.timezone = "${cfg.timezone}" ''; extraConfig = '' listen.owner = nginx listen.group = nginx listen.mode = 0600 user = icingaweb2 pm = dynamic pm.max_children = 75 pm.start_servers = 2 pm.min_spare_servers = 2 pm.max_spare_servers = 10 ''; }; }; systemd.services."phpfpm-${poolName}".serviceConfig.ReadWritePaths = [ "/etc/icingaweb2" ]; services.nginx = { enable = true; virtualHosts = mkIf (cfg.virtualHost != null) { "${cfg.virtualHost}" = { root = "${pkgs.icingaweb2}/public"; extraConfig = '' index index.php; try_files $1 $uri $uri/ /index.php$is_args$args; ''; locations."~ ..*/.*.php$".extraConfig = '' return 403; ''; locations."~ ^/index.php(.*)$".extraConfig = '' fastcgi_intercept_errors on; fastcgi_index index.php; include ${config.services.nginx.package}/conf/fastcgi.conf; try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${phpfpmSocketName}; fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php; ''; }; }; }; # /etc/icingaweb2 environment.etc = let doModule = name: optionalAttrs (cfg.modules."${name}".enable) (nameValuePair "icingaweb2/enabledModules/${name}" { source = "${pkgs.icingaweb2}/modules/${name}"; }); in {} # Module packages // (mapAttrs' (k: v: nameValuePair "icingaweb2/enabledModules/${k}" { source = v; }) cfg.modulePackages) # Built-in modules // doModule "doc" // doModule "migrate" // doModule "setup" // doModule "test" // doModule "translation" # Configs // optionalAttrs (!cfg.generalConfig.mutable) { "icingaweb2/config.ini".text = configIni; } // optionalAttrs (!cfg.mutableResources) { "icingaweb2/resources.ini".text = resourcesIni; } // optionalAttrs (!cfg.mutableAuthConfig) { "icingaweb2/authentication.ini".text = authenticationIni; } // optionalAttrs (!cfg.mutableGroupsConfig) { "icingaweb2/groups.ini".text = groupsIni; } // optionalAttrs (!cfg.mutableRolesConfig) { "icingaweb2/roles.ini".text = rolesIni; }; # User and group users.groups.icingaweb2 = {}; users.users.icingaweb2 = { description = "Icingaweb2 service user"; group = "icingaweb2"; isSystemUser = true; }; }; }