From 28799357f34e1128e6f0d3ce144a81dc91f737cb Mon Sep 17 00:00:00 2001 From: stef Date: Wed, 18 Feb 2026 21:25:00 +0000 Subject: [PATCH] =?UTF-8?q?Almalinux=20valid=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 2 + README.md | 143 +++++++++++++++++++++++++++--- files/RPM-GPG-KEY-ZABBIX-B5333005 | 52 +++++++++++ handlers/main.yml | 3 +- tasks/Debian/install-front.yml | 2 +- tasks/RedHat/install-db.yml | 20 +++-- tasks/RedHat/install-front.yml | 31 +++++-- tasks/RedHat/install-proxy.yml | 98 ++++++++++++++++++++ tasks/RedHat/install-srv.yml | 1 + tasks/main.yml | 36 +++++--- vars/RedHat.yml | 1 + 11 files changed, 352 insertions(+), 37 deletions(-) create mode 100644 .gitignore create mode 100644 files/RPM-GPG-KEY-ZABBIX-B5333005 create mode 100644 tasks/RedHat/install-proxy.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..09d401b --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +files/*.crt +files/*.key \ No newline at end of file diff --git a/README.md b/README.md index 225dd44..51fc174 100644 --- a/README.md +++ b/README.md 
@@ -1,31 +1,154 @@ -Role Name +Zabbix ========= -A brief description of the role goes here. +Deploiement d'une infrascutrure ZAbbix complete +Deux serveur zabbix +- HA +- Keealived pour nginx +- Certiticats TLS + +Distribution prise en charges: +- Debian13 +- Almalinux + +Pour Ajouter une distribution RHEL like +Ajouter un block dans tasks/main.yml + +Similaire à ceci ( voir https://www.zabbix.com/download pour le path associé a votre distribution): +``` +- name: Prepare + when: ansible_distribution == "AlmaLinux" <= Nom de votre distriution + block: + - name: add gpg + ansible.builtin.dnf: + name: gnupg2 + state: present + - name: Copie GPG key + ansible.builtin.copy: + src: RPM-GPG-KEY-ZABBIX-B5333005 + dest: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Import a key + ansible.builtin.rpm_key: + state: present + key: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Add Package + ansible.builtin.dnf: + name: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release//{{ ansible_distribution_major_version }}/noarch/zabbix-release-latest-{{ zabbix_version }}.el{{ ansible_distribution_major_version }}.noarch.rpm" + state: present +``` Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 
+Nécéssite les fichiers de certificats suivants: -Role Variables +- zabbix_ca.cert +- zabbix_server.cert +- zabbix_server.key +- zabbix_agent.cert +- zabbix_agent.key +- zabbix_proxy.cert +- zabbix_proxy.key + +Ces fichiers sont a déposer dans /files + +Note: vous pouvez changer le nom des fichiers en ce cas modifier les variables suivante dans default/main.yml +``` +zabbix_ca: zabbix_ca +zabbix_server: zabbix_server +zabbix_proxy: zabbix_proxy +zabbix_agent: zabbix_agent +``` + +# Variables -------------- +## Role Variables -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +Variable definies dans default/main.yml + +# defaults file for zabbix + + +| Variable | Role | Remarques| +|----------|------|----------| +|zabbix_version|Version de zabbix|Ne fonctionnent actuellement pour les Debian| +|roles_cibles| utlisés pour générer les Variable Server et ActiveServer | Exemple:['srv', 'proxy']| +|db_name|Nom de la base de postgres des serveurs|| +|db_user|Nom de l'utilisateur de la base postgres serveurs|| +|db_passwd|Mot de passe l'utilisateur de la base postgres serveurs|| +|proxy_db_name|Nom de la base des proxys|| +|proxy_db_user|Nom de l'utilisateur de la base des proxys|| +|proxy_db_passwd|Mot de passe de l'utilisateur de la base des proxys|| +|zabbix_ca|Nom du fichier de CA|| +|zabbix_server|Nom du fichier de certificat utilisés par les serveurs|| +|zabbix_proxy|Nom du fichier de certificat utilisés par les proxy|| +|zabbix_agent|Nom du fichier de certificat utilisés par les agents|| + + +## Group Variables + +| Variable | Role | Remarques| +|----------|------|----------| +|db_host| adatabase.bv.stef.lan| +|db_port| 5432|Non utilisé pour le moment| +|postgresql_version|| 
Exemple 17, uniquement implementé dans débian| +|zabbix_crypt| Type de chiffrement utilisé| tls ou psk pour le moment seul tls est totalement implementé| +|zabbix_cert_ca_name| zabbix_ca|| +|zabbix_cert_server_name| zabbix_server|| +|zabbix_cert_agent_name| zabbix_agent|| +|TLSServerCertSubject| DN des serveurs zabbix| exemple: "CN=zabbix_server,C=FR"| +|TLSServerCertIssuer| DN du CA zabbix| exemple: "CN=zabbix_ca,C=FR"| +|ZabbixHA| Activation du HA ou non | true ou false| +|vip_address| Vip keealived des nginx| exemple 192.168.200.75| +|vip_fqdn| FQDN de la Vip keealived des nginx|exemple: zabbix.mondomain.com| +|ActiveVault| Active ou non le vault| true ou false| +|Vault| Modele du vault| HashiCorp actuellement uniquement implémenté| +|VaultToken|Token d'acces au vault|| +|VaultURL| Url du vault | exemple: https://vault.mondomain.com| +|VaultPrefix| Path des secret zabbix| exemple: /v1/secret/data/zabbix/| +|VaultDBPath| nom du secret des credential d'acces DB| exemple: /database| + +## Hosts Variables +L'host master keepalived doit contenir: +``` +keepalived: + state: MASTER + priority: 244 +``` + +L'host backup keepalived doit contenir: +``` +keepalived: + state: BACKUP + priority: 243 +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +None + +Exemple Inventory + + zabbix_instance01: + hosts: + server01.mondomain.com: + role: srv + server02.mondomain.com: + role: srv + database.mondomain.com: + role: db + front.mondomain.com: + role: front + proxy01.mondomain.com: + role: proxy + proxy02.mondomain.com: + role: proxy Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - hosts: servers - roles: - - { role: username.rolename, x: 42 } License ------- 
diff --git a/files/RPM-GPG-KEY-ZABBIX-B5333005 b/files/RPM-GPG-KEY-ZABBIX-B5333005 new file mode 100644 index 0000000..ef43a30 --- /dev/null +++ b/files/RPM-GPG-KEY-ZABBIX-B5333005 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGYwjIcBEADHPOcYeW6xpiMh2ZO6a9OCncCs4IBQa7Ie+omyzJLNldnBMrxO +jbZXY2brQZWu5GEA6rTrexbfq9w/MaGiV5hAJ/x9oKHHKod79IfYLWsYS+rKTEr4 +OptCGYqmJhdB29m44feut/PjjbjTuD0nwkaaE4Cm90r2aHMj5CcuD0/V823MgOwY +v5uz1Az9OhMLHB+qO/QDGZOxfmETpfj0J1Sh1afTngXoPgyniBT0BuyAMRlb2js6 +QSpT9AnVxVDMVZwu5Ioy9Jf1Rz8ibP6LTN4Rh+TDFJizzoqJMqfDjN8PculcVZvG +j3bpweL0txhSykuLN75GPP1DO7rSVljIAChpY1hPtpYBD3F7uL0udpauVhVUY3Vs +13kxbsDgSr84s+tpRxV9BaQy2pjQY/jyesbFpFCjGHqUZVS1F3huWYBukQn3Em7C +X3WgzWe1iewPxENCLSGfSEVBcQ28guNvy2INcHHjx+AWOXFfkDKVZtBOH5MVr6hR +/xJH9S8Pd4wJZ4wvXwwDUBMD0Jju5ELE9/NQty8AeL6tjZomVhO2nFUe3N0lKE2K +wNLt0N4PqDrCHogQ7knROMR+9KqjFu+ko39TZmCUlVncX3s0v0t9gxIK9zQoX9p6 +ngAr7IM8rGe/BGD7crYsrveWtBA7AY2DX9Z9iQylsXrq8tfGyhMaH3SgLwARAQAB +tCtaYWJiaXggTExDIChBcHIgMjAyNCkgPHBhY2thZ2VyQHphYmJpeC5jb20+iQJU +BBMBCgA+FiEETD1vLMdfUUZ1T8N02RMhmrUzMAUFAmYwjIcCGwMFCRLMAwAFCwkI +BwMFFQoJCAsFFgIDAQACHgECF4AACgkQ2RMhmrUzMAWf/w/+NSQz9LfZo7eNuKpd +piWsQgI+73sdLXmABp9kNWYrYTghXUe0WkWyLuFRMOh4fxZCtdiwpeEKGEDUgPr7 +gTMH7ay7gD2kCJLCJl1tUCh4ryXJvVMyN9J+x7w742fOdPrVK9/ULad1KAH6zx+J +Ym/Qt5JfYMhjeCIBKpappGMVCFb3sEJUT4e7ggqt9uUgbjlpQtYhZg65vaX9C7qZ +EXxaWEfBkBNiHEeImuv6wjp1rM4cNMQW7lnfnvlo1MmkmDzQjCFA5g41DvK1YQcE +HWDW6Zp30SGQqthEHNOPHezNCxD1vMxfUCUawSZP5ajuK6o/CGM9L5rjvcCnpe+6 +JVCX93KkPB0VqgfzzHB7OQsWQ8csRkjsW0v+5PkXbRRkf98YzaYDqVa1AvGv5YOv +alEPlqvQ6Xnm/6xV9gIr49Kgkf+VFvigbvwKfiH0hseWZN5ykswFoZ4mvYCJO6m4 +ouU4sSW8AM/LxHHvlAZdO9h8O961nh5fs8AIl4EJb+4kClnYFGaguCKZyAu1V7bJ +vDZ0OlaRtnh2cEPBd9W0CoPZaEHYcUDFmMIlxab1oGgDqIN4SJoCTnJLJ4BloQFs +9rIpAMcXxA3lqNnBjbolXqUTJq9WIpe6q/r38ADh0M5najksbwZWU0WZ+j2DJmgV +otW7wuTabGL9k3lnyNRwlK4OkRe5Ag0EZjCMhwEQAL1RylY+ljV/Ma9rAcZxwT08 +/emKEE4VMeDlJbzEWeMNjx8IpeVI3JlADkolbggcBEELZiwRRAJrJaYcBDNq0ZmE +BG5ffJin12iIU6f0GFg4x4elcPi9diP/1foz6k93eWYMpAj17B1YTM9ZgKKIJmuf +8GDsMTb/AgHcGC+gkduZGakUcHv538o+ub8/021HPqmYcF/HVaENv0LJd3yxLB6/ +mhSCT9axuX6NDQxVxzXKz+PAnz1uYyz7yZB4YXROHNwnvOGPYbljIGQPTIgjrCNP 
+26ySH9t6JYxWY7bXJKGepSnk0QeGHiM0p6TC9n3BS6RkmKUt0c6cXbW+BCc8QHOj +jzPOxjbvpmbZtVo56ZQYm/DWuj0lg+/pYKSReX5YJ8gnvhRoNM/fLeWsIGMZJaM9 +DygVTU0/0r7rxYbXoDqHMhsdMvjmrSAD3pDcPDci6WyeaLcvphvfZR4uyKtz1FS0 +GU+B0ly1gwItDca2En01AbrYX3eLnSw6ZwegBy42gnzAooFmGrfQUuskr+j5hxzs +BBCTtU6zEBGIMAVs1pNCnUVEleD/2E2U4Uzqi/XQv95b3msqP3tNkWrp1Em12Wls +2bIe47+uOpfcxzsAADLTu5avJT0YcJ3u1lBB6rIBcFL6kmkqD1u2pgFZw5Otdo4h +/8gxK3CZ/g81yCsBOcNZABEBAAGJAjwEGAEKACYWIQRMPW8sx19RRnVPw3TZEyGa +tTMwBQUCZjCMhwIbDAUJEswDAAAKCRDZEyGatTMwBeZUEACOatbYmCCIdcqF05id +GsoPRqXEQHj8cY3NmzD4nlATJPHLN8+p6TH1mDInnBFfDp6Ll1u8PHnvGccVDUl+ +aJCDCOcscqaKNaIbAi39OFLyED/j1t2g0VH9M0F41ZOofQN/Tf4SaR3ziY4j4hn+ +pWpzqcdQ4zCSA+c95NijkeSgGFdT8OzCbWrmvKHdoeaescRMJg3Zmi3Aegqaaxe8 +MMmixmGYk7jz35G0oBABCEcWTeqFXpQIG91AN5F0qe+tgQgwEr2N8YvIdRUb0e1c +Yc7Ly7pNHgH7wd0L2SND2pamXrZ6+kbUVVg46aa6XKvx36Fa2R0n6Var+Dcb9Rsr +mLq69/n2C18QLKwMnVSJfetPzQhAOnJ85Q2alRIyrMa7wq7+5NLcNBTGRRm4WYut +mzRvmmMmt0r+LOaV1fUdtfUVyIDrAb7rdqGW4eGbWTSLOcSgX7czThne7/v3zuSP +N0nc8yosGQp2aT8XCuzWqGQQ10NxUKP374jdetWgFI/8fH5zVx67TrViJ0FnK2Ug +CTtaHKt7jwwkMs6Y0kCCi/xysw+6UlDmBvzM5TVcWSO/lDUotFccn7IC782ghT03 +pY9AfSJCu2NB44LODaLg9jyXbv2MPq8ZsWRqxxmmCUinmQMV6rI/nWPZpgEpKId7 +RF/42ix6CdCLj9WuDJRHAPA6nA== +=iQwh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/handlers/main.yml b/handlers/main.yml index 90b89ab..d227dcc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,4 +33,5 @@ - name: Restart Keepalived service: name: keepalived - state: restarted \ No newline at end of file + state: restarted + diff --git a/tasks/Debian/install-front.yml b/tasks/Debian/install-front.yml index 60aba64..796066a 100644 --- a/tasks/Debian/install-front.yml +++ b/tasks/Debian/install-front.yml @@ -1,7 +1,7 @@ - name: Front - Install packages ansible.builtin.apt: name: "{{ item }}" - state: latest + state: present loop: "{{ front.packages }}" tags: - install_front diff --git a/tasks/RedHat/install-db.yml b/tasks/RedHat/install-db.yml index 7cc4bab..3b71768 100644 
--- a/tasks/RedHat/install-db.yml +++ b/tasks/RedHat/install-db.yml @@ -8,22 +8,17 @@ tags: - install_db -- name: Database - Check if postgrsql configured +- name: Database - Check if postgresql is configured stat: - path: /var/lib/pgsql/data + path: /var/lib/pgsql/data/PG_VERSION register: postgresqldata -- name: Database - debug - debug: - var: postgresqldata - - name: Database - Init DB ansible.builtin.shell: cmd: postgresql-setup --initdb when: postgresqldata.stat.exists == false tags: - install_db - - name: Database - Enable and start service postgresl ansible.builtin.service: @@ -82,10 +77,19 @@ service: name: postgresql state: restarted + enabled: true tags: - install_db - name: Populate zabbix database ansible.builtin.shell: 'zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | psql -Uzabbix zabbix' tags: - - install_db \ No newline at end of file + - install_db + +- name: Proxy - Enable and start service zabbix component + ansible.builtin.service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - zabbix-agent2 \ No newline at end of file diff --git a/tasks/RedHat/install-front.yml b/tasks/RedHat/install-front.yml index e032ffd..593c035 100644 --- a/tasks/RedHat/install-front.yml +++ b/tasks/RedHat/install-front.yml @@ -27,10 +27,27 @@ - Restart php-fpm - name: Front - Configure keepalived - ansible.builtin.template: - src: keepalived.conf.j2 - dest: /etc/keepalived/keepalived.conf - owner: root - group: root - mode: 0644 - notify: Restart Keepalived + when: role == "srv" + block: + - name: Configure Keepalived + ansible.builtin.template: + src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + owner: root + group: root + mode: 0644 + - name: Enable Keepalived service + ansible.builtin.systemd_service: + name: keepalived + state: restarted + enabled: true + +- name: Enable and start + ansible.builtin.systemd_service: + name: "{{ item }}" + state: started + enabled: true + loop: + - nginx + - php-fpm + - zabbix-agent2 
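Review bot: The `Populate zabbix database` task at the end of install-db.yml pipes server.sql.gz into psql on every run with no guard and no `changed_when`, so a second run of the role re-imports the schema into an already populated database (and always reports changed). Guard it on a marker, e.g. `ansible.builtin.shell: 'zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | psql -Uzabbix zabbix && touch /var/lib/pgsql/.zabbix_schema_loaded'` with `args: {creates: /var/lib/pgsql/.zabbix_schema_loaded}`, or test for an existing table with `psql -tAc` first. The new `Proxy - Enable and start service zabbix component` task sits in the database file, restarts zabbix-agent2 unconditionally on every run where `state: started` would do, and is the only task here without the `install_db` tag, so it is skipped under `--tags install_db` — presumably a copy-paste from the proxy file. The `psql -Uzabbix zabbix` call also relies on whatever local auth pg_hba.conf grants the zabbix user, which is configured outside this hunk.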
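Review bot: The keepalived block in install-front.yml now restarts keepalived unconditionally (`state: restarted`) on every run, and the template task no longer notifies the existing `Restart Keepalived` handler, so each play forces a VRRP re-election and a VIP flap on every srv host even when keepalived.conf did not change. Restore the handler-driven restart: put `notify: Restart Keepalived` back on the template task and change the service task to `state: started` with `enabled: true`. Note also that tasks/main.yml in this patch now includes this file for `role == "front"` as well, yet the keepalived block is gated on `role == "srv"`; if the dedicated front hosts in the README inventory are meant to carry the VIP, the condition should probably be `role in ["srv", "front"]` — confirm the intended topology.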
diff --git a/tasks/RedHat/install-proxy.yml b/tasks/RedHat/install-proxy.yml new file mode 100644 index 0000000..fe56edd --- /dev/null +++ b/tasks/RedHat/install-proxy.yml 
@@ -0,0 +1,98 @@ +- name: Proxy - Install Debian Proxy packages + ansible.builtin.dnf: + name: "{{ item }}" + state: present + loop: "{{ proxy.packages }}" + tags: + - install_proxy + +- name: Proxy - Enable and start service mariadb + ansible.builtin.service: + name: mariadb + state: started + enabled: yes + tags: + - install_proxy + +- name: Proxy - Generate mariadb proxy creation script + ansible.builtin.template: + src: create_proxy_db.j2 + dest: /tmp/create_proxy_db.sql + tags: + - install_proxy + +- name: Proxy - Create mariadb proxy database + ansible.builtin.shell: mysql -uroot < /tmp/create_proxy_db.sql + tags: + - install_proxy + +- name: Proxy - Populate mariadb proxy database + ansible.builtin.shell: 'cat /usr/share/zabbix/sql-scripts/mysql/proxy.sql | mysql --default-character-set=utf8mb4 -u{{proxy_db_user}} --password={{proxy_db_passwd}} {{proxy_db_name}}' + tags: + - install_proxy + +- name: Proxy - Enable and restart mariadb + ansible.builtin.systemd_service: + name: "{{ item }}" + state: started + enabled: true + loop: + - mariadb + +- name: Find Group + set_fact: + my_group: "{{ group_names | first }}" + +- name: Proxy - Génération la liste des servers + set_fact: + hotes_filtres: >- + {{ groups[my_group] | + map('extract', hostvars) | + selectattr('role', 'in', 'srv') | + map(attribute='inventory_hostname') | + list }} + +- name: Proxy - Set fact Server + set_fact: + Server: "{{ hotes_filtres | join(';') }}" + +- name: Proxy - Generate config + ansible.builtin.template: + src: zabbix_proxy.conf.j2 + dest: /etc/zabbix/zabbix_proxy.conf + owner: root + group: zabbix + mode: 400 + + tags: + - install_proxy + +- name: Proxy - Create certificats directory + ansible.builtin.file: + path: "/etc/zabbix/certs" + state: directory + recurse: yes + owner: zabbix + group: zabbix + when: zabbix_crypt=="tls" + +- name: Proxy - Copy certificats + ansible.builtin.copy: + src: "{{ item }}" + dest: "/etc/zabbix/certs/{{ item }}" + owner: zabbix + group: zabbix + 
loop: + - "{{ zabbix_ca}}.crt" + - "{{ zabbix_proxy}}.crt" + - "{{ zabbix_proxy}}.key" + when: zabbix_crypt=="tls" + +- name: Proxy - Enable and start service zabbix proxy + ansible.builtin.service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - zabbix-proxy + - zabbix-agent2 \ No newline at end of file diff --git a/tasks/RedHat/install-srv.yml b/tasks/RedHat/install-srv.yml index ca010ec..2187b39 100644 --- a/tasks/RedHat/install-srv.yml +++ b/tasks/RedHat/install-srv.yml @@ -1,3 +1,4 @@ +# Server - name: Server - Install packages ansible.builtin.dnf: name: "{{ item }}" diff --git a/tasks/main.yml b/tasks/main.yml index a0c7274..c037e43 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -15,10 +15,14 @@ ansible.builtin.dnf: name: gnupg2 state: present - - name: Import a key from a url + - name: Copie GPG key + ansible.builtin.copy: + src: RPM-GPG-KEY-ZABBIX-B5333005 + dest: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Import a key ansible.builtin.rpm_key: state: present - key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-B5333005 + key: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 - name: Add Package ansible.builtin.dnf: name: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release/alma/{{ ansible_distribution_major_version }}/noarch/zabbix-release-latest-{{ zabbix_version }}.el{{ ansible_distribution_major_version }}.noarch.rpm" 
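Review bot: `mode: 400` on the `Proxy - Generate config` task leaves zabbix_proxy unable to read its own config: the file is owned by root with group zabbix and 0400 gives the group no bits, and the unquoted `400` is a decimal integer to YAML rather than octal, so the mode actually applied is 0620. Use `mode: "0640"`. The database credential handling in the same hunk also leaks the proxy password: `--password={{proxy_db_passwd}}` puts it on the mysql command line (readable by any local user via `ps`) and in Ansible's task output, and the rendered `/tmp/create_proxy_db.sql` — which presumably carries the CREATE USER/GRANT for `proxy_db_user`, the template is not in this patch — is written with the default mode and never removed. The rewrite below passes the password through `MYSQL_PWD`, adds `no_log: true` to the tasks that handle it, tightens and deletes the temp file, and gives the copied TLS private key `0600` instead of the copy module's default mode. The populate step remains non-idempotent (re-running imports proxy.sql into an existing schema); a `creates:` marker as in install-db would be needed to fix that.
```yaml
- name: Proxy - Generate mariadb proxy creation script
  ansible.builtin.template:
    src: create_proxy_db.j2
    dest: /tmp/create_proxy_db.sql
    owner: root
    group: root
    mode: "0600"
  no_log: true
  tags:
    - install_proxy

- name: Proxy - Create mariadb proxy database
  ansible.builtin.shell: mysql -uroot < /tmp/create_proxy_db.sql
  no_log: true
  tags:
    - install_proxy

- name: Proxy - Remove creation script (contains the DB password)
  ansible.builtin.file:
    path: /tmp/create_proxy_db.sql
    state: absent
  tags:
    - install_proxy

- name: Proxy - Populate mariadb proxy database
  ansible.builtin.shell: >-
    mysql --default-character-set=utf8mb4 -u{{ proxy_db_user }} {{ proxy_db_name }}
    < /usr/share/zabbix/sql-scripts/mysql/proxy.sql
  environment:
    MYSQL_PWD: "{{ proxy_db_passwd }}"
  no_log: true
  tags:
    - install_proxy

# … unchanged: restart mariadb, Find Group, server list facts …

- name: Proxy - Generate config
  ansible.builtin.template:
    src: zabbix_proxy.conf.j2
    dest: /etc/zabbix/zabbix_proxy.conf
    owner: root
    group: zabbix
    mode: "0640"
  tags:
    - install_proxy

# … unchanged: certs directory …

- name: Proxy - Copy certificats
  ansible.builtin.copy:
    src: "{{ item.name }}"
    dest: "/etc/zabbix/certs/{{ item.name }}"
    owner: zabbix
    group: zabbix
    mode: "{{ item.mode }}"
  loop:
    - { name: "{{ zabbix_ca }}.crt", mode: "0644" }
    - { name: "{{ zabbix_proxy }}.crt", mode: "0644" }
    - { name: "{{ zabbix_proxy }}.key", mode: "0600" }
  when: zabbix_crypt == "tls"
```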
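Review bot: `Import a key` in tasks/main.yml now trusts whatever was copied to `/tmp/RPM-GPG-KEY-ZABBIX-B5333005` without checking its identity; vendoring the key in `files/` is a step up from fetching it over HTTPS at run time, but nothing verifies that the repository copy is the genuine Zabbix packager key, and once imported it is a trusted signer for every later dnf install. Add the `fingerprint:` option to `ansible.builtin.rpm_key`, set to the full 40-hex fingerprint of the key whose ID ends in B5333005 as obtained from Zabbix out of band, so a tampered key file fails the import. `/tmp` is also a shared, world-writable staging location for something root imports; copying the key to `/etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-B5333005` with `mode: "0644"` and importing from there keeps it out of the tmpdir and out of tmp cleaners. The `Prepare` block this hunk belongs to starts above the hunk.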
@@ -36,12 +40,23 @@ ansible.builtin.shell: cmd: dnf clean all + - name: set selinux permivise + ansible.builtin.lineinfile: + path: /etc/selinux/config + regexp: '^SELINUX=.*' + line: "SELINUX=permissive" + register: selinux + + - name: Reboot if necessary + ansible.builtin.reboot: + when: selinux.changed + - name: Prepare Debian when: ansible_os_family == "Debian" block: - name: Debian Repo ansible.builtin.apt: - deb: "{{repo}}" + deb: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_{{ zabbix_version }}+debian13_all.deb" - name: Mise à jour le cache des paquets ansible.builtin.apt: update_cache: yes @@ -57,20 +72,21 @@ - name: Server - Install ansible.builtin.include_tasks: "{{ansible_os_family}}/install-srv.yml" - when: role == "srv" + when: + - role == "srv" tags: - install_srv -# - name: Proxy - Install -# ansible.builtin.include_tasks: "{{ansible_os_family}}/install-proxy.yml" -# tags: -# - install_proxy -# when: role == "proxy" +- name: Proxy - Install + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-proxy.yml" + tags: + - install_proxy + when: role == "proxy" - name: Front - Install ansible.builtin.include_tasks: "{{ansible_os_family}}/install-front.yml" - when: role == "srv" + when: role == "srv" or role == "front" tags: - install_front diff --git a/vars/RedHat.yml b/vars/RedHat.yml index f409361..c495932 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -26,6 +26,7 @@ front: - php-fpm proxy: packages: + - mariadb-server - mariadb - zabbix-proxy-mysql - zabbix-sql-scripts
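Review bot: The new `set selinux permivise` task switches the whole AlmaLinux host to SELinux permissive and reboots it, which removes mandatory access control for every service on the box (PostgreSQL, nginx, php-fpm, mariadb) to work around Zabbix denials, and it carries no tag, so it cannot be skipped. The Zabbix repository ships a `zabbix-selinux-policy` package and the usual denials are covered by booleans (`zabbix_can_network`, `httpd_can_connect_zabbix`, `httpd_can_network_connect_db`), so the targeted fix is to add that package to `vars/RedHat.yml` and set the booleans with `ansible.posix.seboolean` (`persistent: true`) instead of editing `/etc/selinux/config`. If permissive is genuinely required for now, gate it behind a variable such as `zabbix_selinux_permissive: false` and use `ansible.posix.selinux` with `state: permissive`, which applies without the unconditional reboot. Separately, the Debian repo URL in the same hunk hardcodes `debian13`; `debian{{ ansible_distribution_major_version }}` would follow the same pattern the AlmaLinux block already uses.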