Diffstat (limited to 'files')
-rw-r--r--files/usr/local/etc/icinga2/api-users.conf.icinga_server4
-rw-r--r--files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server3
-rw-r--r--files/usr/local/etc/icingadb/config.yml.icinga_server10
-rw-r--r--files/usr/local/etc/icingaweb2/authentication.ini.icinga_server10
-rw-r--r--files/usr/local/etc/icingaweb2/config.ini.icinga_server10
-rw-r--r--files/usr/local/etc/icingaweb2/groups.ini.icinga_server11
-rw-r--r--files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server6
-rw-r--r--files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server5
-rw-r--r--files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server3
-rw-r--r--files/usr/local/etc/icingaweb2/resources.ini.icinga_server28
-rw-r--r--files/usr/local/etc/icingaweb2/roles.ini.icinga_server12
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.icinga_server33
-rw-r--r--files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server20
-rw-r--r--files/usr/local/etc/poudriere.d/pkglist.pkg_repository4
-rw-r--r--files/usr/local/etc/redis.conf.icinga_server72
15 files changed, 231 insertions, 0 deletions
diff --git a/files/usr/local/etc/icinga2/api-users.conf.icinga_server b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
new file mode 100644
index 0000000..6ee26c2
--- /dev/null
+++ b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
@@ -0,0 +1,4 @@
+object ApiUser "${icingaweb_api_username}" {
+ password = "${icingaweb_api_password}"
+ permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
+}
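Review bot: The `password = "${icingaweb_api_password}"` line substitutes the secret verbatim into a double-quoted Icinga 2 string, so a value containing `"` or `\` would break parsing or silently change the credential. The same raw substitution happens for `password: ${icinga_password}` in icingadb/config.yml (unquoted YAML, where `#`, `: ` or a leading `*`/`!` also alter the value), for the password in commandtransports.ini and for `bind_pw` in resources.ini. The rendering step is not visible here; if it does not already validate these variables, restrict generated secrets to a safe alphabet and say so next to the template, e.g. `// icingaweb_api_password is inserted verbatim: must not contain '"' or '\'`. The rendered file holds a credential with `actions/*` and `objects/modify/*` rights, so it should be installed readable only by the Icinga user rather than inheriting the template's 0644 mode.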
diff --git a/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
new file mode 100644
index 0000000..6fda495
--- /dev/null
+++ b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
@@ -0,0 +1,3 @@
+object IcingaDB "icingadb" {
+ path = "${redis_sock}"
+}
diff --git a/files/usr/local/etc/icingadb/config.yml.icinga_server b/files/usr/local/etc/icingadb/config.yml.icinga_server
new file mode 100644
index 0000000..e30d81c
--- /dev/null
+++ b/files/usr/local/etc/icingadb/config.yml.icinga_server
@@ -0,0 +1,10 @@
+database:
+ type: pgsql
+ host: ${icinga_dbhost}
+ user: ${icinga_username}
+ password: ${icinga_password}
+ database: ${icinga_dbname}
+ tls: true
+
+redis:
+ host: ${redis_sock}
diff --git a/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
new file mode 100644
index 0000000..52ed21d
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
@@ -0,0 +1,10 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+base_dn = "${users_basedn}"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+filter = "memberOf=cn=${icingaweb_access_role},${roles_basedn}"
+
+[autologin]
+backend = external
diff --git a/files/usr/local/etc/icingaweb2/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
new file mode 100644
index 0000000..8c05a5f
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
@@ -0,0 +1,10 @@
+[global]
+show_stacktraces = "0"
+show_application_state_messages = "1"
+config_resource = "icingaweb_db"
+
+[logging]
+log = "syslog"
+level = "INFO"
+application = "icingaweb2"
+facility = "user"
diff --git a/files/usr/local/etc/icingaweb2/groups.ini.icinga_server b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
new file mode 100644
index 0000000..87da799
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
@@ -0,0 +1,11 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+user_backend = "icingaweb2"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+user_base_dn = "${users_basedn}"
+base_dn = "${groups_basedn}"
+group_class = "groupOfMembers"
+group_member_attribute = "member"
+group_name_attribute = "cn"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
new file mode 100644
index 0000000..990e08a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
@@ -0,0 +1,6 @@
+[icinga2]
+skip_validation = "0"
+transport = "api"
+port = "${icinga_port}"
+username = "${icingaweb_api_username}"
+password = ${icingaweb_api_password}"
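Review bot: The last line, `password = ${icingaweb_api_password}"`, has a closing quote but no opening one, so the rendered INI value is malformed and the API transport will probably fail to parse it or send the wrong password. It should read `password = "${icingaweb_api_password}"`. The section also sets no `host` key, which the `api` transport normally needs in order to know where to send commands; if the omission is deliberate, a comment stating the default being relied on would help.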
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
new file mode 100644
index 0000000..7c19f9f
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
@@ -0,0 +1,5 @@
+[icingadb]
+resource = "icingadb"
+
+[redis]
+tls = "0"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
new file mode 100644
index 0000000..0064b7e
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
@@ -0,0 +1,3 @@
+[redis1]
+host = "localhost"
+port = "${redis_port}"
diff --git a/files/usr/local/etc/icingaweb2/resources.ini.icinga_server b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
new file mode 100644
index 0000000..0400b1e
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
@@ -0,0 +1,28 @@
+[icingaweb_db]
+type = "db"
+db = "pgsql"
+host = "${icingaweb_dbhost}"
+dbname = "${icingaweb_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
+
+[icingaweb_ldap]
+type = "ldap"
+hostname = "${ldap_hosts}"
+port = "389"
+encryption = "starttls"
+bind_dn = "${icinga_dn}"
+bind_pw = "${icinga_password}"
+root_dn = "${accounts_basedn}"
+
+[icingadb]
+type = "db"
+db = "pgsql"
+host = "${icinga_dbhost}"
+dbname = "${icinga_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
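Review bot: Both PostgreSQL resources set `use_ssl = "0"` and `password = ""`, whereas icingadb/config.yml in this same commit reaches `${icinga_dbhost}` as the same user with `tls: true` and a password. Unless the database is local or authenticates by some mechanism not shown here, Icinga Web would talk to it unencrypted and without a credential. Align the `[icingadb]` and `[icingaweb_db]` sections with the daemon, e.g. `use_ssl = "1"`, or add a comment explaining why no password and no TLS are needed. Separately, `bind_pw = "${icinga_password}"` reuses the variable that config.yml uses as the database password, so one leaked value opens both LDAP and PostgreSQL; a dedicated variable per service would limit that.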
diff --git a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
new file mode 100644
index 0000000..6e20e8a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
@@ -0,0 +1,12 @@
+[Administrators]
+$(if [ -n "$icingaweb_admin_groups" ]; then
+cat <<EOF
+groups = "$(join ',' $icingaweb_admin_groups)"
+EOF
+fi)
+permissions = "*"
+
+[Users]
+groups = "${icingaweb_access_role}"
+permissions = "module/icingadb"
+icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*"
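Review bot: The `icingadb/denylist/variables` line in `[Users]` hides custom variables purely by name pattern, and the list misses common names for sensitive values such as `*secret*`, `*cred*` or `*community*` (SNMP). Consider extending it, e.g. `icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*,*secret*,*cred*,*community*"`, and adding a comment that custom variables holding secrets must be named to match this list. In `[Administrators]`, `$icingaweb_admin_groups` is expanded unquoted into `join`, so a group name containing whitespace would be split into several entries; if such names are possible, that needs quoting or a documented constraint.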
diff --git a/files/usr/local/etc/nginx/vhosts.conf.icinga_server b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
new file mode 100644
index 0000000..43fa82e
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
@@ -0,0 +1,33 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ root ${icingaweb_webroot};
+ index index.php index.html;
+
+ ssl_certificate ${icingaweb_https_cert};
+ ssl_certificate_key ${icingaweb_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${nginx_keytab};
+ auth_gss_allow_basic_fallback off;
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+
+ location ~ ^/index\.php(.*)$ {
+ fastcgi_pass unix:${icingaweb_fpm_socket};
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${icingaweb_webroot}/index.php;
+ fastcgi_param ICINGAWEB_CONFIGDIR ${icingaweb_conf_dir};
+ }
+
+ location ~ ^/(.+)? {
+ index index.php;
+ try_files \$1 \$uri \$uri/ /index.php\$is_args\$args;
+ }
+}
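Review bot: With `satisfy any;` followed by `allow all;`, requests from outside `$kerberized_cidrs` are admitted by the access rule alone and never go through `auth_gss`, yet authentication.ini in this commit enables the `external` backend, which trusts whatever REMOTE_USER reaches PHP. nginx takes `$remote_user` from the request's `Authorization` header rather than from a completed authentication, so if `fastcgi_params` (not visible here) forwards `REMOTE_USER $remote_user`, a request that skipped Kerberos can still carry a user name that Icinga Web accepts. The `index.php` location should pass REMOTE_USER only for requests that GSS actually authenticated, for example by keying it on the same CIDR list, and send it empty otherwise, with a comment such as `# REMOTE_USER is trusted by the icingaweb2 "external" backend`. The block also sets no `ssl_protocols`, so the offered TLS versions are whatever the nginx build defaults to.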
diff --git a/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
new file mode 100644
index 0000000..35bab5c
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
@@ -0,0 +1,20 @@
+[icingaweb]
+user = ${nginx_user}
+group = ${nginx_user}
+
+listen = ${icingaweb_fpm_socket}
+
+listen.owner = ${nginx_user}
+listen.group = ${nginx_user}
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = ${icingaweb_webroot}
+
+catch_workers_output = yes
+decorate_workers_output = no
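Review bot: The pool runs PHP as `${nginx_user}` (the `user` and `group` lines), the same account as the nginx workers, so Icinga Web's PHP code presumably has the same file access as nginx, including `${nginx_keytab}` from the vhost if the workers read it. Running the pool under a dedicated account and keeping only `listen.owner = ${nginx_user}` on the socket would separate the two. The ownership of the keytab and of the icingaweb2 configuration directory is not visible here, so confirm both before changing the pool user.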
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 7d2a7ab..2b9587d 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -76,6 +76,10 @@ net-im/gajim
net-im/prosody
net-im/prosody-modules
net-im/signal-desktop
+net-mgmt/icinga2
+net-mgmt/icingadb
+net-mgmt/icingaweb2
+net-mgmt/icingaweb2-module-icingadb
net-mgmt/unifi8
net/asterisk18
net/freeradius3
diff --git a/files/usr/local/etc/redis.conf.icinga_server b/files/usr/local/etc/redis.conf.icinga_server
new file mode 100644
index 0000000..1197bd5
--- /dev/null
+++ b/files/usr/local/etc/redis.conf.icinga_server
@@ -0,0 +1,72 @@
+pidfile /var/run/redis/redis.pid
+proc-title-template "{title} icingadb"
+dir ${redis_data_dir}
+unixsocket ${redis_sock}
+unixsocketperm 770
+
+bind 127.0.0.1 ::1
+port ${redis_port}
+
+databases 1
+syslog-enabled yes
+loglevel notice
+logfile ""
+
+# The rest of these values are unchanged from the FreeBSD defaults:
+daemonize yes
+protected-mode yes
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+always-show-logo no
+set-proc-title yes
+locale-collate ""
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+rdb-del-sync-files no
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+lazyfree-lazy-user-del no
+lazyfree-lazy-user-flush no
+oom-score-adj no
+oom-score-adj-values 0 200 800
+disable-thp yes
+appendonly no
+appendfilename "appendonly.aof"
+appenddirname "appendonlydir"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble yes
+aof-timestamp-enabled no
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+notify-keyspace-events ""
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+list-max-listpack-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+set-max-listpack-entries 128
+set-max-listpack-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
+hll-sparse-max-bytes 3000
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+dynamic-hz yes
+aof-rewrite-incremental-fsync yes
+rdb-save-incremental-fsync yes
+jemalloc-bg-thread yes
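Review bot: This instance listens on TCP `127.0.0.1`/`::1` port `${redis_port}` with no `requirepass` or ACL, so `unixsocketperm 770` restricts the socket while any local process can still reach the same data over loopback. `protected-mode yes` does not change that, because it only restricts non-loopback clients. redis.ini in this commit points Icinga Web at `localhost`, so the TCP listener is in use. Add a line such as `requirepass <redis-password-placeholder>` and give the same secret to Icinga 2, the Icinga DB daemon and Icinga Web, or move Icinga Web to the Unix socket and set `port 0` if the installed module version supports that.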