{ config, lib, pkgs, ... }: let cfg = config.services.zabbixProxy; pgsql = config.services.postgresql; mysql = config.services.mysql; inherit (lib) mkDefault mkEnableOption mkIf mkOption; inherit (lib) attrValues concatMapStringsSep literalExample optional optionalAttrs optionalString types; user = "zabbix"; group = "zabbix"; runtimeDir = "/run/zabbix"; stateDir = "/var/lib/zabbix"; passwordFile = "${runtimeDir}/zabbix-dbpassword.conf"; moduleEnv = pkgs.symlinkJoin { name = "zabbix-proxy-module-env"; paths = attrValues cfg.modules; }; configFile = pkgs.writeText "zabbix_proxy.conf" '' LogType = console ListenIP = ${cfg.listen.ip} ListenPort = ${toString cfg.listen.port} Server = ${cfg.server} # TODO: set to cfg.database.socket if database type is pgsql? DBHost = ${optionalString (cfg.database.createLocally != true) cfg.database.host} ${optionalString (cfg.database.createLocally != true) "DBPort = ${cfg.database.port}"} DBName = ${cfg.database.name} DBUser = ${cfg.database.user} ${optionalString (cfg.database.passwordFile != null) "Include ${passwordFile}"} ${optionalString (mysqlLocal && cfg.database.socket != null) "DBSocket = ${cfg.database.socket}"} SocketDir = ${runtimeDir} FpingLocation = /run/wrappers/bin/fping ${optionalString (cfg.modules != {}) "LoadModulePath = ${moduleEnv}/lib"} ${concatMapStringsSep "\n" (name: "LoadModule = ${name}") (builtins.attrNames cfg.modules)} ${cfg.extraConfig} ''; mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql"; pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql"; in { # interface options = { services.zabbixProxy = { enable = mkEnableOption "the Zabbix Proxy"; server = mkOption { type = types.str; description = '' The IP address or hostname of the Zabbix server to connect to. ''; }; package = mkOption { type = types.package; default = if cfg.database.type == "mysql" then pkgs.zabbix.proxy-mysql else if cfg.database.type == "pgsql" then pkgs.zabbix.proxy-pgsql else pkgs.zabbix.proxy-sqlite; defaultText = "pkgs.zabbix.proxy-pgsql"; description = "The Zabbix package to use."; }; extraPackages = mkOption { type = types.listOf types.package; default = with pkgs; [ nettools nmap traceroute ]; defaultText = "[ nettools nmap traceroute ]"; description = '' Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything. ''; }; modules = mkOption { type = types.attrsOf types.package; description = "A set of modules to load."; default = {}; example = literalExample '' { "dummy.so" = pkgs.stdenv.mkDerivation { name = "zabbix-dummy-module-''${cfg.package.version}"; src = cfg.package.src; buildInputs = [ cfg.package ]; sourceRoot = "zabbix-''${cfg.package.version}/src/modules/dummy"; installPhase = ''' mkdir -p $out/lib cp dummy.so $out/lib/ '''; }; } ''; }; database = { type = mkOption { type = types.enum [ "mysql" "pgsql" "sqlite" ]; example = "mysql"; default = "pgsql"; description = "Database engine to use."; }; host = mkOption { type = types.str; default = "localhost"; description = "Database host address."; }; port = mkOption { type = types.int; default = if cfg.database.type == "mysql" then mysql.port else pgsql.port; description = "Database host port."; }; name = mkOption { type = types.str; default = if cfg.database.type == "sqlite" then "${stateDir}/zabbix.db" else "zabbix"; defaultText = "zabbix"; description = "Database name."; }; user = mkOption { type = types.str; default = "zabbix"; description = "Database user."; }; passwordFile = mkOption { type = types.nullOr types.path; default = null; example = "/run/keys/zabbix-dbpassword"; description = '' A file containing the password corresponding to . ''; }; socket = mkOption { type = types.nullOr types.path; default = null; example = "/run/postgresql"; description = "Path to the unix socket file to use for authentication."; }; createLocally = mkOption { type = types.bool; default = true; description = "Whether to create a local database automatically."; }; }; listen = { ip = mkOption { type = types.str; default = "0.0.0.0"; description = '' List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing. ''; }; port = mkOption { type = types.port; default = 10051; description = '' Listen port for trapper. ''; }; }; openFirewall = mkOption { type = types.bool; default = false; description = '' Open ports in the firewall for the Zabbix Proxy. ''; }; # TODO: for bonus points migrate this to https://github.com/NixOS/rfcs/pull/42 extraConfig = mkOption { default = ""; type = types.lines; description = '' Configuration that is injected verbatim into the configuration file. Refer to for details on supported values. ''; }; }; }; # implementation config = mkIf cfg.enable { assertions = [ { assertion = !config.services.zabbixServer.enable; message = "Please choose one of services.zabbixServer or services.zabbixProxy."; } { assertion = cfg.database.createLocally -> cfg.database.user == user; message = "services.zabbixProxy.database.user must be set to ${user} if services.zabbixProxy.database.createLocally is set true"; } { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; message = "a password cannot be specified if services.zabbixProxy.database.createLocally is set to true"; } ]; networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.listen.port ]; }; services.mysql = optionalAttrs mysqlLocal { enable = true; package = mkDefault pkgs.mariadb; ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; } ]; }; services.postgresql = optionalAttrs pgsqlLocal { enable = true; ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; } ]; }; users.users.${user} = { description = "Zabbix daemon user"; uid = config.ids.uids.zabbix; inherit group; }; users.groups.${group} = { gid = config.ids.gids.zabbix; }; security.wrappers = { fping.source = "${pkgs.fping}/bin/fping"; }; systemd.services."zabbix-proxy" = { description = "Zabbix Proxy"; wantedBy = [ "multi-user.target" ]; after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; path = [ "/run/wrappers" ] ++ cfg.extraPackages; preStart = optionalString pgsqlLocal '' if ! test -e "${stateDir}/db-created"; then cat ${cfg.package}/share/zabbix/database/postgresql/schema.sql | ${pgsql.package}/bin/psql ${cfg.database.name} touch "${stateDir}/db-created" fi '' + optionalString mysqlLocal '' if ! test -e "${stateDir}/db-created"; then cat ${cfg.package}/share/zabbix/database/mysql/schema.sql | ${mysql.package}/bin/mysql ${cfg.database.name} touch "${stateDir}/db-created" fi '' + optionalString (cfg.database.type == "sqlite") '' if ! test -e "${cfg.database.name}"; then ${pkgs.sqlite}/bin/sqlite3 "${cfg.database.name}" < ${cfg.package}/share/zabbix/database/sqlite3/schema.sql fi '' + optionalString (cfg.database.passwordFile != null) '' # create a copy of the supplied password file in a format zabbix can consume touch ${passwordFile} chmod 0600 ${passwordFile} echo -n "DBPassword = " > ${passwordFile} cat ${cfg.database.passwordFile} >> ${passwordFile} ''; serviceConfig = { ExecStart = "@${cfg.package}/sbin/zabbix_proxy zabbix_proxy -f --config ${configFile}"; Restart = "always"; RestartSec = 2; User = user; Group = group; RuntimeDirectory = "zabbix"; StateDirectory = "zabbix"; PrivateTmp = true; }; }; }; }