| blob | ff1860e99a75758155e69486d1a3feacb30d2de0 |
1 { config, lib, pkgs, ... }:
2 let
3 cfg = config.services.graylog;
5 confFile = pkgs.writeText "graylog.conf" ''
6 is_master = ${lib.boolToString cfg.isMaster}
7 node_id_file = ${cfg.nodeIdFile}
8 password_secret = ${cfg.passwordSecret}
9 root_username = ${cfg.rootUsername}
10 root_password_sha2 = ${cfg.rootPasswordSha2}
11 elasticsearch_hosts = ${lib.concatStringsSep "," cfg.elasticsearchHosts}
12 message_journal_dir = ${cfg.messageJournalDir}
13 mongodb_uri = ${cfg.mongodbUri}
14 plugin_dir = /var/lib/graylog/plugins
15 data_dir = ${cfg.dataDir}
17 ${cfg.extraConfig}
18 '';
20 glPlugins = pkgs.buildEnv {
21 name = "graylog-plugins";
22 paths = cfg.plugins;
23 };
25 in
27 {
28 ###### interface
30 options = {
32 services.graylog = {
34 enable = lib.mkEnableOption "Graylog, a log management solution";
36 package = lib.mkOption {
37 type = lib.types.package;
38 default = if lib.versionOlder config.system.stateVersion "23.05" then pkgs.graylog-3_3 else pkgs.graylog-5_1;
39 defaultText = lib.literalExpression (if lib.versionOlder config.system.stateVersion "23.05" then "pkgs.graylog-3_3" else "pkgs.graylog-5_1");
40 description = "Graylog package to use.";
41 };
43 user = lib.mkOption {
44 type = lib.types.str;
45 default = "graylog";
46 description = "User account under which graylog runs";
47 };
49 isMaster = lib.mkOption {
50 type = lib.types.bool;
51 default = true;
52 description = "Whether this is the master instance of your Graylog cluster";
53 };
55 nodeIdFile = lib.mkOption {
56 type = lib.types.str;
57 default = "/var/lib/graylog/server/node-id";
58 description = "Path of the file containing the graylog node-id";
59 };
61 passwordSecret = lib.mkOption {
62 type = lib.types.str;
63 description = ''
64 You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
65 Generate one by using for example: pwgen -N 1 -s 96
66 '';
67 };
69 rootUsername = lib.mkOption {
70 type = lib.types.str;
71 default = "admin";
72 description = "Name of the default administrator user";
73 };
75 rootPasswordSha2 = lib.mkOption {
76 type = lib.types.str;
77 example = "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952";
78 description = ''
79 You MUST specify a hash password for the root user (which you only need to initially set up the
80 system and in case you lose connectivity to your authentication backend)
81 This password cannot be changed using the API or via the web interface. If you need to change it,
82 modify it here.
83 Create one by using for example: echo -n yourpassword | shasum -a 256
84 and use the resulting hash value as string for the option
85 '';
86 };
88 elasticsearchHosts = lib.mkOption {
89 type = lib.types.listOf lib.types.str;
90 example = lib.literalExpression ''[ "http://node1:9200" "http://user:password@node2:19200" ]'';
91 description = "List of valid URIs of the http ports of your elastic nodes. If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that requires authentication";
92 };
94 dataDir = lib.mkOption {
95 type = lib.types.str;
96 default = "/var/lib/graylog/data";
97 description = "Directory used to store Graylog server state.";
98 };
100 messageJournalDir = lib.mkOption {
101 type = lib.types.str;
102 default = "/var/lib/graylog/data/journal";
103 description = "The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself";
104 };
106 mongodbUri = lib.mkOption {
107 type = lib.types.str;
108 default = "mongodb://localhost/graylog";
109 description = "MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details";
110 };
112 extraConfig = lib.mkOption {
113 type = lib.types.lines;
114 default = "";
115 description = "Any other configuration options you might want to add";
116 };
118 plugins = lib.mkOption {
119 description = "Extra graylog plugins";
120 default = [ ];
121 type = lib.types.listOf lib.types.package;
122 };
124 };
125 };
128 ###### implementation
130 config = lib.mkIf cfg.enable {
132 users.users = lib.mkIf (cfg.user == "graylog") {
133 graylog = {
134 isSystemUser = true;
135 group = "graylog";
136 description = "Graylog server daemon user";
137 };
138 };
139 users.groups = lib.mkIf (cfg.user == "graylog") { graylog = {}; };
141 systemd.tmpfiles.rules = [
142 "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
143 ];
145 systemd.services.graylog = {
146 description = "Graylog Server";
147 wantedBy = [ "multi-user.target" ];
148 environment = {
149 GRAYLOG_CONF = "${confFile}";
150 };
151 path = [ pkgs.which pkgs.procps ];
152 preStart = ''
153 rm -rf /var/lib/graylog/plugins || true
154 mkdir -p /var/lib/graylog/plugins -m 755
156 mkdir -p "$(dirname ${cfg.nodeIdFile})"
157 chown -R ${cfg.user} "$(dirname ${cfg.nodeIdFile})"
159 for declarativeplugin in `ls ${glPlugins}/bin/`; do
160 ln -sf ${glPlugins}/bin/$declarativeplugin /var/lib/graylog/plugins/$declarativeplugin
161 done
162 for includedplugin in `ls ${cfg.package}/plugin/`; do
163 ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true
164 done
165 '';
166 serviceConfig = {
167 User="${cfg.user}";
168 StateDirectory = "graylog";
169 ExecStart = "${cfg.package}/bin/graylogctl run";
170 };
171 };
172 };
173 }