From e2fc0433de38c322ce46ad250bc0f0f03e7710c8 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Thu, 24 Oct 2024 06:43:08 -0400
Subject: add icinga

---
 .../local/etc/icinga2/api-users.conf.icinga_server |   4 +
 .../features-available/icingadb.conf.icinga_server |   3 +
 .../local/etc/icingadb/config.yml.icinga_server    |  10 +
 .../icingaweb2/authentication.ini.icinga_server    |  10 +
 .../local/etc/icingaweb2/config.ini.icinga_server  |  10 +
 .../local/etc/icingaweb2/groups.ini.icinga_server  |  11 ++
 .../icingadb/commandtransports.ini.icinga_server   |   6 +
 .../modules/icingadb/config.ini.icinga_server      |   5 +
 .../modules/icingadb/redis.ini.icinga_server       |   3 +
 .../etc/icingaweb2/resources.ini.icinga_server     |  28 +++
 .../local/etc/icingaweb2/roles.ini.icinga_server   |  12 ++
 .../usr/local/etc/nginx/vhosts.conf.icinga_server  |  33 ++++
 .../etc/php-fpm.d/icingaweb.conf.icinga_server     |  20 ++
 .../local/etc/poudriere.d/pkglist.pkg_repository   |   4 +
 files/usr/local/etc/redis.conf.icinga_server       |  72 ++++++++
 scripts/hostclass/bitwarden_server                 |   7 +-
 scripts/hostclass/dav_server                       |   8 +-
 scripts/hostclass/icinga_server                    | 203 +++++++++++++++++++++
 scripts/hostclass/idm_server/10-slapd              |   4 +-
 scripts/hostclass/idm_server/90-idm                |  19 +-
 scripts/hostclass/postgresql_server                |  21 ++-
 scripts/hostclass/ttrss_server                     |   7 +-
 vars/hostclass/icinga_server                       |   5 +
 vars/hostname/icinga1                              |   3 +
 24 files changed, 498 insertions(+), 10 deletions(-)
 create mode 100644 files/usr/local/etc/icinga2/api-users.conf.icinga_server
 create mode 100644 files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
 create mode 100644 files/usr/local/etc/icingadb/config.yml.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/config.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/groups.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/resources.ini.icinga_server
 create mode 100644 files/usr/local/etc/icingaweb2/roles.ini.icinga_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.icinga_server
 create mode 100644 files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
 create mode 100644 files/usr/local/etc/redis.conf.icinga_server
 create mode 100644 scripts/hostclass/icinga_server
 create mode 100644 vars/hostclass/icinga_server
 create mode 100644 vars/hostname/icinga1

diff --git a/files/usr/local/etc/icinga2/api-users.conf.icinga_server b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
new file mode 100644
index 0000000..6ee26c2
--- /dev/null
+++ b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
@@ -0,0 +1,4 @@
+object ApiUser "${icingaweb_api_username}" {
+  password = "${icingaweb_api_password}"
+  permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
+}
diff --git a/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
new file mode 100644
index 0000000..6fda495
--- /dev/null
+++ b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
@@ -0,0 +1,3 @@
+object IcingaDB "icingadb" {
+  path = "${redis_sock}"
+}
diff --git a/files/usr/local/etc/icingadb/config.yml.icinga_server b/files/usr/local/etc/icingadb/config.yml.icinga_server
new file mode 100644
index 0000000..e30d81c
--- /dev/null
+++ b/files/usr/local/etc/icingadb/config.yml.icinga_server
@@ -0,0 +1,10 @@
+database:
+  type: pgsql
+  host: ${icinga_dbhost}
+  user: ${icinga_username}
+  password: ${icinga_password}
+  database: ${icinga_dbname}
+  tls: true
+
+redis:
+  host: ${redis_sock}
diff --git a/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
new file mode 100644
index 0000000..52ed21d
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
@@ -0,0 +1,10 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+base_dn = "${users_basedn}"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+filter = "memberOf=cn=${icingaweb_access_role},${roles_basedn}"
+
+[autologin]
+backend = external
diff --git a/files/usr/local/etc/icingaweb2/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
new file mode 100644
index 0000000..8c05a5f
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
@@ -0,0 +1,10 @@
+[global]
+show_stacktraces = "0"
+show_application_state_messages = "1"
+config_resource = "icingaweb_db"
+
+[logging]
+log = "syslog"
+level = "INFO"
+application = "icingaweb2"
+facility = "user"
diff --git a/files/usr/local/etc/icingaweb2/groups.ini.icinga_server b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
new file mode 100644
index 0000000..87da799
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
@@ -0,0 +1,11 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+user_backend = "icingaweb2"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+user_base_dn = "${users_basedn}"
+base_dn = "${groups_basedn}"
+group_class = "groupOfMembers"
+group_member_attribute = "member"
+group_name_attribute = "cn"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
new file mode 100644
index 0000000..990e08a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
@@ -0,0 +1,6 @@
+[icinga2]
+skip_validation = "0"
+transport = "api"
+port = "${icinga_port}"
+username = "${icingaweb_api_username}"
+password = ${icingaweb_api_password}"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
new file mode 100644
index 0000000..7c19f9f
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
@@ -0,0 +1,5 @@
+[icingadb]
+resource = "icingadb"
+
+[redis]
+tls = "0"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
new file mode 100644
index 0000000..0064b7e
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
@@ -0,0 +1,3 @@
+[redis1]
+host = "localhost"
+port = "${redis_port}"
diff --git a/files/usr/local/etc/icingaweb2/resources.ini.icinga_server b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
new file mode 100644
index 0000000..0400b1e
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
@@ -0,0 +1,28 @@
+[icingaweb_db]
+type = "db"
+db = "pgsql"
+host = "${icingaweb_dbhost}"
+dbname = "${icingaweb_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
+
+[icingaweb_ldap]
+type = "ldap"
+hostname = "${ldap_hosts}"
+port = "389"
+encryption = "starttls"
+bind_dn = "${icinga_dn}"
+bind_pw = "${icinga_password}"
+root_dn = "${accounts_basedn}"
+
+[icingadb]
+type = "db"
+db = "pgsql"
+host = "${icinga_dbhost}"
+dbname = "${icinga_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
diff --git a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
new file mode 100644
index 0000000..6e20e8a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
@@ -0,0 +1,12 @@
+[Administrators]
+$(if [ -n "$icingaweb_admin_groups" ]; then
+cat <<EOF
+groups = "$(join ',' $icingaweb_admin_groups)"
+EOF
+fi)
+permissions = "*"
+
+[Users]
+groups = "${icingaweb_access_role}"
+permissions = "module/icingadb"
+icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*"
diff --git a/files/usr/local/etc/nginx/vhosts.conf.icinga_server b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
new file mode 100644
index 0000000..43fa82e
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
@@ -0,0 +1,33 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  root ${icingaweb_webroot};
+  index index.php index.html;
+
+  ssl_certificate      ${icingaweb_https_cert};
+  ssl_certificate_key  ${icingaweb_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  auth_gss_keytab ${nginx_keytab};
+  auth_gss_allow_basic_fallback off;
+  auth_gss on;
+  satisfy any;
+$(printf '  deny %s;\n' $kerberized_cidrs)
+  allow all;
+
+  location ~ ^/index\.php(.*)$ {
+    fastcgi_pass unix:${icingaweb_fpm_socket};
+    fastcgi_index index.php;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME ${icingaweb_webroot}/index.php;
+    fastcgi_param ICINGAWEB_CONFIGDIR ${icingaweb_conf_dir};
+  }
+
+  location ~ ^/(.+)? {
+    index index.php;
+    try_files \$1 \$uri \$uri/ /index.php\$is_args\$args;
+  }
+}
diff --git a/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
new file mode 100644
index 0000000..35bab5c
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
@@ -0,0 +1,20 @@
+[icingaweb]
+user = ${nginx_user}
+group = ${nginx_user}
+
+listen = ${icingaweb_fpm_socket}
+
+listen.owner = ${nginx_user}
+listen.group = ${nginx_user}
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = ${icingaweb_webroot}
+
+catch_workers_output = yes
+decorate_workers_output = no
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 7d2a7ab..2b9587d 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -76,6 +76,10 @@ net-im/gajim
 net-im/prosody
 net-im/prosody-modules
 net-im/signal-desktop
+net-mgmt/icinga2
+net-mgmt/icingadb
+net-mgmt/icingaweb2
+net-mgmt/icingaweb2-module-icingadb
 net-mgmt/unifi8
 net/asterisk18
 net/freeradius3
diff --git a/files/usr/local/etc/redis.conf.icinga_server b/files/usr/local/etc/redis.conf.icinga_server
new file mode 100644
index 0000000..1197bd5
--- /dev/null
+++ b/files/usr/local/etc/redis.conf.icinga_server
@@ -0,0 +1,72 @@
+pidfile /var/run/redis/redis.pid
+proc-title-template "{title} icingadb"
+dir ${redis_data_dir}
+unixsocket ${redis_sock}
+unixsocketperm 770
+
+bind 127.0.0.1 ::1
+port ${redis_port}
+
+databases 1
+syslog-enabled yes
+loglevel notice
+logfile ""
+
+# The rest of these values are unchanged from the FreeBSD defaults:
+daemonize yes
+protected-mode yes
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+always-show-logo no
+set-proc-title yes
+locale-collate ""
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+rdb-del-sync-files no
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+lazyfree-lazy-user-del no
+lazyfree-lazy-user-flush no
+oom-score-adj no
+oom-score-adj-values 0 200 800
+disable-thp yes
+appendonly no
+appendfilename "appendonly.aof"
+appenddirname "appendonlydir"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble yes
+aof-timestamp-enabled no
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+notify-keyspace-events ""
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+list-max-listpack-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+set-max-listpack-entries 128
+set-max-listpack-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
+hll-sparse-max-bytes 3000
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+dynamic-hz yes
+aof-rewrite-incremental-fsync yes
+rdb-save-incremental-fsync yes
+jemalloc-bg-thread yes
diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server
index 1f025fe..ff67c3e 100644
--- a/scripts/hostclass/bitwarden_server
+++ b/scripts/hostclass/bitwarden_server
@@ -5,6 +5,7 @@
 : ${vaultwarden_dbhost:="$postgres_host"}
 : ${vaultwarden_fqdn:="$fqdn"}
 
+vaultwarden_dn="uid=${vaultwarden_username},${robots_basedn}"
 vaultwarden_local_username=$nginx_user
 vaultwarden_https_cert="${nginx_conf_dir}/vaultwarden.crt"
 vaultwarden_https_key="${nginx_conf_dir}/vaultwarden.key"
@@ -17,7 +18,11 @@ pkg install -y \
   nginx
 
 # Create vaultwarden principal and keytab.
-add_principal -nokey -x "containerdn=${robots_basedn}" "$vaultwarden_username"
+ldap_add "$vaultwarden_dn" <<EOF
+objectClass: account
+uid: ${vaultwarden_username}
+EOF
+add_principal -nokey -x "dn=${vaultwarden_dn}" "$vaultwarden_username"
 
 ktadd -k "$vaultwarden_client_keytab" "$vaultwarden_username"
 chgrp "$vaultwarden_local_username" "$vaultwarden_client_keytab"
diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server
index b7391bd..a69c072 100644
--- a/scripts/hostclass/dav_server
+++ b/scripts/hostclass/dav_server
@@ -10,10 +10,10 @@
 : ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'}
 : ${davical_awl_branch:='master'}
 
+davical_dn="uid=${davical_username},${robots_basedn}"
 davical_repo_dir=/usr/local/www/davical
 davical_awl_repo_dir=/usr/local/share/awl
 davical_webroot="${davical_repo_dir}/htdocs"
-
 davical_https_cert="${nginx_conf_dir}/davical.crt"
 davical_https_key="${nginx_conf_dir}/davical.key"
 davical_https_cacert="${nginx_conf_dir}/davical.ca.crt"
@@ -55,7 +55,11 @@ git -C "$davical_awl_repo_dir" pull --ff-only
 git -C "$davical_awl_repo_dir" switch "$davical_awl_branch"
 
 # Create davical principal and keytab.
-add_principal -nokey -x "containerdn=${robots_basedn}" "$davical_username"
+ldap_add "$davical_dn" <<EOF
+objectClass: account
+uid: ${davical_username}
+EOF
+add_principal -nokey -x "dn=${davical_dn}" "$davical_username"
 
 ktadd -k "$davical_client_keytab" "$davical_username"
 chgrp "$nginx_user" "$davical_client_keytab"
diff --git a/scripts/hostclass/icinga_server b/scripts/hostclass/icinga_server
new file mode 100644
index 0000000..ccd1d46
--- /dev/null
+++ b/scripts/hostclass/icinga_server
@@ -0,0 +1,203 @@
+#!/bin/sh
+
+: ${icinga_username:='s-icinga'}
+: ${icinga_dbname:='icinga'}
+: ${icinga_dbhost:="$postgres_host"}
+: ${icinga_password:='changeme'}
+: ${icingaweb_api_password:='changeme'}
+: ${icingaweb_dbhost:="$postgres_host"}
+: ${icingaweb_dbname:='icingaweb'}
+: ${icingaweb_access_role:='icinga-access'}
+
+# Note that icinga does not support nested groups.
+: ${icingaweb_admin_groups:=''}
+
+icinga_local_user=icinga
+icinga_dn="uid=${icinga_username},${robots_basedn}"
+icinga_conf_dir=/usr/local/etc/icinga2
+icinga_data_dir=/var/lib/icinga2
+icinga_cert_dir="${icinga_data_dir}/certs"
+icinga_ca_dir="${icinga_data_dir}/ca"
+icingadb_conf_dir=/usr/local/etc/icingadb
+icingaweb_api_username=icingaweb2
+icingaweb_https_cert="${nginx_conf_dir}/icingaweb.crt"
+icingaweb_https_key="${nginx_conf_dir}/icingaweb.key"
+icingaweb_install_dir=/usr/local/www/icingaweb2
+icingaweb_webroot="${icingaweb_install_dir}/public"
+icingaweb_conf_dir=/usr/local/etc/icingaweb2
+icingaweb_fpm_socket=/var/run/fpm-icingaweb.sock
+icingaweb_client_keytab="${keytab_dir}/icingaweb.client.keytab"
+nginx_keytab="${keytab_dir}/nginx.keytab"
+redis_user=redis
+redis_data_dir=/var/db/redis
+redis_sock=/var/run/redis/redis.sock
+redis_port=6379
+redis_data_dir=/var/db/redis
+
+icinga_psql(){
+  KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
+  psql \
+    --quiet --no-align --tuples-only --echo-all \
+    --host="$icinga_dbhost" \
+    --dbname="$icinga_dbname" \
+    --username="$icinga_username" \
+    --no-password \
+    "$@"
+}
+
+icingaweb_psql(){
+  KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
+  psql \
+    --quiet --no-align --tuples-only --echo-all \
+    --host="$icingaweb_dbhost" \
+    --dbname="$icingaweb_dbname" \
+    --username="$icinga_username" \
+    --no-password \
+    "$@"
+}
+
+# Install packages.
+pkg install -y \
+  icinga2 \
+  icingadb \
+  icingaweb2-php${php_version} \
+  icingaweb2-module-icingadb-php${php_version} \
+  nginx \
+  redis
+
+# Create dataset for icinga state directory
+create_dataset -o "mountpoint=${icinga_data_dir}" "${state_dataset}/icinga"
+install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "$icinga_data_dir"
+
+# Create icinga LDAP user, principal, and keytab.
+# Note that we have a separate userPassword attribute in LDAP because icingadb is
+# written in golang, and it's pq library does not build with GSSAPI support.
+# GSSAPI is supported by icingaweb2 via PHP's PDO, however, so we use it there.
+# We also need a userPassword attribute for icingaweb2 authn/authz.
+ldap_add "$icinga_dn" <<EOF
+objectClass: account
+objectClass: simpleSecurityObject
+uid: ${icinga_username}
+userPassword: {SSHA-512}
+EOF
+ldap_passwd "$icinga_dn" "$icinga_password"
+
+add_principal -nokey -x "dn=${icinga_dn}" "$icinga_username"
+ktadd -k "$icingaweb_client_keytab" "$icinga_username"
+chgrp "$nginx_user" "$icingaweb_client_keytab"
+chmod 640 "$icingaweb_client_keytab"
+nginx_uid=$(id -u "$nginx_user")
+install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
+ln -snfv "$icingaweb_client_keytab" "/var/krb5/user/${nginx_uid}/client.keytab"
+
+# Create icinga postgres user and database.
+postgres_create_role "$icinga_dbhost" "$icinga_username"
+postgres_create_database "$icinga_dbhost" "$icinga_dbname" "$icinga_username"
+
+# Apply icinga database schema.
+if ! icinga_psql -c 'SELECT 1 FROM icingadb_schema'; then
+  icinga_psql -f /usr/local/share/examples/icingadb/schema/pgsql/schema.sql
+fi
+
+# Generate icinga database configuration.
+install_template -g "${icinga_local_user}" -m 0640 "${icingadb_conf_dir}/config.yml"
+
+# Create ZFS dataset for Redis DBs.
+create_dataset -o "mountpoint=${redis_data_dir}" "${state_dataset}/redis"
+install_directory -m 0700 -o "$redis_user" "$redis_data_dir"
+
+# Generate redis configuration
+install_template -m 0644 /usr/local/etc/redis.conf
+
+# Add icinga user to redis group, so it can write to the redis unix socket.
+pw groupmod "$redis_user" -m "$icinga_local_user"
+
+# Generate icinga PKI.
+install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" \
+  "$icinga_cert_dir" \
+  "$icinga_ca_dir"
+[ -f "${icinga_ca_dir}/ca.crt" ] \
+  || icinga2 pki new-ca
+[ -f "${icinga_cert_dir}/${fqdn}.csr" ] \
+  || icinga2 pki new-cert --cn "$fqdn" --key "${icinga_cert_dir}/${fqdn}.key" --csr "${icinga_cert_dir}/${fqdn}.csr"
+[ -f "${icinga_cert_dir}/${fqdn}.crt" ] \
+  || icinga2 pki sign-csr --csr "${icinga_cert_dir}/${fqdn}.csr" --cert "${icinga_cert_dir}/${fqdn}.crt"
+ln -snfv "${icinga_ca_dir}/ca.crt" "${icinga_cert_dir}/ca.crt"
+
+# Enable icinga modules.
+for module in api icingadb notification; do
+  ln -snfv "../features-available/${module}.conf" "${icinga_conf_dir}/features-enabled/${module}.conf"
+done
+
+# Generate icinga configuration.
+install_template -m 0640 -g "$icinga_local_user" \
+  "${icinga_conf_dir}/api-users.conf" \
+  "${icinga_conf_dir}/features-available/icingadb.conf"
+
+# Create icingaweb postgres user and database.
+postgres_create_database "$icingaweb_dbhost" "$icingaweb_dbname" "$icinga_username"
+
+# Apply icingaweb database schema.
+if ! icingaweb_psql -c 'SELECT 1 FROM icingaweb_schema'; then
+  icingaweb_psql -f /usr/local/www/icingaweb2/schema/pgsql.schema.sql
+fi
+
+# Generate icingaweb configuration.
+install_directory -m 2770 -g "$nginx_user" \
+  "$icingaweb_conf_dir" \
+  "${icingaweb_conf_dir}/enabledModules" \
+  "${icingaweb_conf_dir}/modules" \
+  "${icingaweb_conf_dir}/modules/icingadb"
+install_template -m 0660 -g "$nginx_user" \
+  "${icingaweb_conf_dir}/modules/icingadb/commandtransports.ini" \
+  "${icingaweb_conf_dir}/modules/icingadb/config.ini" \
+  "${icingaweb_conf_dir}/modules/icingadb/redis.ini" \
+  "${icingaweb_conf_dir}/config.ini" \
+  "${icingaweb_conf_dir}/resources.ini" \
+  "${icingaweb_conf_dir}/authentication.ini" \
+  "${icingaweb_conf_dir}/groups.ini" \
+  "${icingaweb_conf_dir}/roles.ini"
+ln -snfv "${icingaweb_install_dir}/modules/icingadb" "${icingaweb_conf_dir}/enabledModules/icingadb"
+
+# Generate nginx configuration.
+install_file -m 0644 /usr/local/etc/nginx/fastcgi_params
+install_template -m 0644 \
+  /usr/local/etc/nginx/nginx.conf \
+  /usr/local/etc/nginx/vhosts.conf
+
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
+# Generate php-fpm configuration.
+install_file -m 0644 \
+  /usr/local/etc/php.ini \
+  /usr/local/etc/php-fpm.conf
+install_template -m 0644 \
+  /usr/local/etc/php-fpm.d/icingaweb.conf
+> /usr/local/etc/php-fpm.d/www.conf
+
+# Copy TLS certificate for nginx.
+install_certificate     nginx "$icingaweb_https_cert"
+install_certificate_key nginx "$icingaweb_https_key"
+
+# Enable and start daemons.
+sysrc -v \
+  nginx_enable=YES \
+  php_fpm_enable=YES \
+  redis_enable=YES \
+  icingadb_enable=YES \
+  icinga2_enable=YES
+service nginx restart
+service php_fpm restart
+service redis restart
+service icingadb restart > /dev/null 2>&1 < /dev/null || die 'failed to start icingadb'
+service icinga2 restart
+
+# Create access role.
+ldap_add "cn=${icingaweb_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${icingaweb_access_role}
+EOF
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index 12640a4..0dc7d1d 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -10,7 +10,7 @@
 : ${slapd_syncrepl_session_log:='1000'}
 : ${slapd_syncrepl_cleanup_age:='7'}
 : ${slapd_syncrepl_cleanup_interval:='1'}
-: ${slapd_admin_role:='role-ldap-admin'}
+: ${slapd_admin_role:='ldap-admin'}
 
 slapd_user=ldap
 slapd_data_dir=/var/db/openldap-data
@@ -173,7 +173,7 @@ objectClass: organizationalUnit
 ou: $(ldap_rdn_value "$roles_basedn")
 EOF
 
-  # cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com
+  # cn=ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com
   ldap_add "cn=${slapd_admin_role},${roles_basedn}" <<EOF
 objectClass: groupOfMembers
 cn: ${slapd_admin_role}
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 1f6920b..eadd621 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -64,17 +64,32 @@ pkg install -y \
   pam_krb5 \
   perl5 \
   p5-perl-ldap \
-  p5-Authen-SASL
+  p5-Authen-SASL \
+  pam_mkhomedir
 
 # Configure PAM/NSS integration.
 install_file -m 0644 \
   /etc/nsswitch.conf \
-  /etc/pam.d/sshd
+  /etc/pam.d/system \
+  /etc/pam.d/login \
+  /etc/pam.d/sshd \
+  /etc/pam.d/sudo \
+  /etc/pam.d/su \
+  /etc/pam.d/other
+
+install_template -m 0644 /etc/login.access
 
 install_template -m 0644 \
   /usr/local/etc/nslcd.conf \
   /etc/nscd.conf
 
+# Ensure /home exists and configure skel files.
+install_directory -m 0755 /home
+install_file -m 0644 \
+  /usr/share/skel/dot.login \
+  /usr/share/skel/dot.profile \
+  /usr/share/skel/dot.shrc
+
 sysrc -v \
   nslcd_enable=YES \
   nscd_enable=YES
diff --git a/scripts/hostclass/postgresql_server b/scripts/hostclass/postgresql_server
index dbb84b4..cbd9c17 100644
--- a/scripts/hostclass/postgresql_server
+++ b/scripts/hostclass/postgresql_server
@@ -19,7 +19,21 @@ postgres_tls_cert="${postgres_home}/postgres.crt"
 postgres_tls_key="${postgres_home}/postgres.key"
 postgres_keytab="${keytab_dir}/postgres.keytab"
 
-pkg install -y postgresql${postgresql_version}-server
+postgres_psql(){
+  psql \
+    --quiet \
+    --no-align \
+    --echo-all \
+    --tuples-only \
+    --no-password \
+    --username=postgres \
+    --dbname=postgres \
+    "$@"
+}
+
+pkg install -y \
+  postgresql${postgresql_version}-server \
+  postgresql${postgresql_version}-contrib
 
 # Create ZFS dataset for postgresql data.
 create_dataset \
@@ -78,7 +92,7 @@ echo 'Restarting postgresql.'
 service postgresql restart > /dev/null 2>&1 < /dev/null || die 'failed to start postgresql'
 
 # Create boxconf admin user.
-psql --quiet --no-align --echo-all --tuples-only --no-password --username=postgres --dbname=postgres -c \
+postgres_psql -c \
 "DO
 \$$
 BEGIN
@@ -87,3 +101,6 @@ BEGIN
   END IF;
 END
 \$$"
+
+# Load citext extension (required by icingadb)
+postgres_psql -c 'create extension if not exists citext;'
diff --git a/scripts/hostclass/ttrss_server b/scripts/hostclass/ttrss_server
index 1a2104a..fc6fffd 100644
--- a/scripts/hostclass/ttrss_server
+++ b/scripts/hostclass/ttrss_server
@@ -8,6 +8,7 @@
 : ${ttrss_admin_role:='ttrss-admin'}
 : ${ttrss_mail_from:="ttrss-noreply@${email_domain}"}
 
+ttrss_dn="uid=${ttrss_username},${robots_basedn}"
 ttrss_https_cert="${nginx_conf_dir}/ttrss.crt"
 ttrss_https_key="${nginx_conf_dir}/ttrss.key"
 ttrss_repo='https://git.tt-rss.org/fox/tt-rss.git/'
@@ -49,7 +50,11 @@ pkg install -y \
   php${php_version}-zip
 
 # Create ttrss principal and keytab.
-add_principal -nokey -x "containerdn=${robots_basedn}" "$ttrss_username"
+ldap_add "$ttrss_dn" <<EOF
+objectClass: account
+uid: ${ttrss_username}
+EOF
+add_principal -nokey -x "dn=${ttrss_dn}" "$ttrss_username"
 
 ktadd -k "$ttrss_client_keytab" "$ttrss_username"
 chgrp "$nginx_user" "$ttrss_client_keytab"
diff --git a/vars/hostclass/icinga_server b/vars/hostclass/icinga_server
new file mode 100644
index 0000000..cc5de73
--- /dev/null
+++ b/vars/hostclass/icinga_server
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+icinga_port=5665
+allowed_tcp_ports="ssh http https ${icinga_port}"
+nginx_gssapi=true
diff --git a/vars/hostname/icinga1 b/vars/hostname/icinga1
new file mode 100644
index 0000000..b0de31c
--- /dev/null
+++ b/vars/hostname/icinga1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=icinga
-- 
cgit v1.2.3