commit 618c5ef1a0b14314cc705ced17e5cacd9d12861b Author: stef Date: Mon Feb 16 18:16:07 2026 +0000 first commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..40b657b --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,70 @@
+---
+# defaults file for zabbix
+rhel_db_packages:
+ - postgresql-server
+ - postgresql
+ - postgresql-plpython3
+ - zabbix-agent2
+
+rhel_srv_packages:
+ - zabbix-server-pgsql
+ - zabbix-sql-scripts
+ - zabbix-selinux-policy
+ - zabbix-agent2
+
+rhel_agent_packages:
+ - zabbix-agent2
+
+rhel_front_packages:
+ - zabbix-web-pgsql
+ - zabbix-nginx-conf
+ - zabbix-agent2
+
+
+rhel_proxy_packages:
+ - mariadb
+ - zabbix-proxy-mysql
+ - zabbix-sql-scripts
+ - zabbix-agent2
+
+debian_db_packages:
+ - postgresql-contrib
+ - postgresql
+ - python3-psycopg2
+ - zabbix-sql-scripts
+ - zabbix-agent2
+
+debian_srv_packages:
+ - zabbix-server-pgsql
+ - zabbix-agent2
+
+debian_proxy_packages:
+ - mariadb-server
+ - zabbix-proxy-mysql
+ - zabbix-sql-scripts
+ - zabbix-agent2
+
+debian_agent_packages:
+ - zabbix-agent2
+
+debian_front_packages:
+ - zabbix-frontend-php
+ - php8.4-pgsql
+ - zabbix-nginx-conf
+ - nginx
+ - zabbix-agent2
+
+roles_cibles: ['srv', 'proxy']
+
+db_name: zabbix
+db_user: zabbix
+db_passwd: zabbix
+
+proxy_db_name: zabbix_proxy
+proxy_db_user: zabbix_proxy
+proxy_db_passwd: zabbix_proxy
+
+zabbix_ca: zabbix_ca
+zabbix_server: zabbix_server
+zabbix_proxy: zabbix_proxy
+zabbix_agent: zabbix_agent
\ No newline at end of file
diff --git a/files/zabbix_agent.crt b/files/zabbix_agent.crt
new file mode 100644
index 0000000..0ac9510
--- /dev/null
+++ b/files/zabbix_agent.crt
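Review bot: `db_passwd: zabbix` and `proxy_db_passwd: zabbix_proxy` ship well-known credentials as role defaults, so any play that does not override them creates database accounts whose password equals the user name. I would drop both defaults and fail early when they are unset, e.g. an `ansible.builtin.assert` on `db_passwd is defined and db_passwd | length > 0` at the top of tasks/main.yml, with the real values coming from Ansible Vault. The tasks and templates in this commit also read `zabbix_crypt` and `postgresql_version`, neither of which is defined here; give them defaults or document them as required variables.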
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICKTCCAYqgAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5YwCgYIKoZIzj0EAwMw +ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNzAw +NTZaFw0yNzAyMTQxNzAwNTZaMCQxCzAJBgNVBAYTAkZSMRUwEwYDVQQDDAx6YWJi +aXhfYWdlbnQwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAF1NBVjvH9JE+SbFBVI +aZZiJn9gXzUHUjhPwCzcHt55jOmbrrszPpOUeYe+5ahqr96sdNS5d+Gc3JNym0UU +mXS6rgHj/3weApB6SmRUOk7im/PmegSECOgA4GSEgP97eoBjYNJNbGw7ybpGoTX0 +Bu+amWlETXDlpi5huUkXx86wiy93vaNaMFgwHwYDVR0jBBgwFoAUIO5hY4gGmlcl +Mw78YGdwHqHJLVswCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPRT +QcdvRdtphLmDBwtx+7MXd9NiMAoGCCqGSM49BAMDA4GMADCBiAJCAXCtWzhuuXX7 +r9duhPWWPJcoL94r71QOgTuMIFp2hGEQQTkpDn8npQe33SEzKleiYlgk1TsNcOGC +V7bzrryRAZbFAkIAzgZP2zW2Vhr6AF0EDW3S7A35v/oi0bGOuuCE7Kb2V9rcaAwM +k9tVv3bRZIAF6bowHcdxNCdUlptk0q1NNE6h43I= +-----END CERTIFICATE----- diff --git a/files/zabbix_agent.key b/files/zabbix_agent.key new file mode 100644 index 0000000..7be598b --- /dev/null +++ b/files/zabbix_agent.key @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBIKtXJBBZMdk4xVf9qKzrJGJks/aruTaX226yh0XHDR2l+49jlwIh +z2LuWCBSnWkOearNi0CiD/0SqBypl6GAvtmgBwYFK4EEACOhgYkDgYYABAF1NBVj +vH9JE+SbFBVIaZZiJn9gXzUHUjhPwCzcHt55jOmbrrszPpOUeYe+5ahqr96sdNS5 +d+Gc3JNym0UUmXS6rgHj/3weApB6SmRUOk7im/PmegSECOgA4GSEgP97eoBjYNJN +bGw7ybpGoTX0Bu+amWlETXDlpi5huUkXx86wiy93vQ== +-----END EC PRIVATE KEY----- diff --git a/files/zabbix_ca.crt b/files/zabbix_ca.crt new file mode 100644 index 0000000..4cd125f --- /dev/null +++ b/files/zabbix_ca.crt 
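Review bot: files/zabbix_agent.key adds an unencrypted EC private key to the repository, and files/zabbix_ca.key, files/zabbix_proxy.key and files/zabbix_server.key in this commit do the same. Because the CA key is among them, anyone with read access to the repository can mint certificates that every component deployed by this role will accept, so the CA and all three leaf key pairs should be treated as compromised and regenerated. Keep private keys out of `files/`: supply them per environment through Ansible Vault or generate them on the target, and purge these blobs from history before the repository is shared. As written, every agent deployed from this role would also present the same certificate and key, so per-host identities are worth considering when the keys are reissued.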
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICLjCCAZCgAwIBAgIUf6NkS48Id1xnJfmxiYE95Rt5W/IwCgYIKoZIzj0EAwMw +ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNjU5 +MjlaFw0zNjAyMTIxNjU5MjlaMCExCzAJBgNVBAYTAkZSMRIwEAYDVQQDDAl6YWJi +aXhfY2EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACYb7pFnvHYBLPUiUNtaBqK +/zxQQ0JQ0xBBvKN1Lfpew0BlmPy8ZFdTrUz4BohVbmYmkdQ58BO/Gs1CUlxiHS7P +8AApdAfIUdQtOdcy6KQ7FErTyDwyf594GHqWw4ycLaOaYocrV3ItZyYE083piGds +Fbg9vlzj1deBlTRCkgSglCLoa6NjMGEwHQYDVR0OBBYEFCDuYWOIBppXJTMO/GBn +cB6hyS1bMB8GA1UdIwQYMBaAFCDuYWOIBppXJTMO/GBncB6hyS1bMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA4GLADCBhwJBRUwp +n7+2jjrsTkR9NjP5DJP2sav0JJf5u80Y86mslp6rEIU4VTcwVhNXyvzUPrTS308t +FlCnOcKDA/Pd68A8My4CQgHb5LHzI+Np3FT+kb4gvOw9YgHFUS5iDy4yB9ffT6z1 +5QrcIaD0atAPVyM4u7wVoif9wcHcyRiGFR+qaV6UwwoFHA== +-----END CERTIFICATE----- diff --git a/files/zabbix_ca.key b/files/zabbix_ca.key new file mode 100644 index 0000000..e28f500 --- /dev/null +++ b/files/zabbix_ca.key @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIB+MT26kyyojwNQxOgLQ10uFxH2DHG+iT2h9xa82BwvUod9AhPytAB +mQJhx/GYHMnFH5ff4nya20Xsj1/NTEeVHH+gBwYFK4EEACOhgYkDgYYABACYb7pF +nvHYBLPUiUNtaBqK/zxQQ0JQ0xBBvKN1Lfpew0BlmPy8ZFdTrUz4BohVbmYmkdQ5 +8BO/Gs1CUlxiHS7P8AApdAfIUdQtOdcy6KQ7FErTyDwyf594GHqWw4ycLaOaYocr +V3ItZyYE083piGdsFbg9vlzj1deBlTRCkgSglCLoaw== +-----END EC PRIVATE KEY----- diff --git a/files/zabbix_proxy.crt b/files/zabbix_proxy.crt new file mode 100644 index 0000000..f389bd3 --- /dev/null +++ b/files/zabbix_proxy.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICKTCCAYqgAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5cwCgYIKoZIzj0EAwMw +ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxODE5 +MjlaFw0yNzAyMTQxODE5MjlaMCQxCzAJBgNVBAYTAkZSMRUwEwYDVQQDDAx6YWJi +aXhfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACasAU16MClAB06k8lQ +G2hn6CUJCBKhjOcIRZqL1L5PdWprqnKfYdioOgzHfIlgikBrGryI66wj3SMWwtOB +pZXg3wDcPRLSDDkwZa0hjCQfUHqO1wPQKN8sfnY1X41LXz4RrV79OLEbw1zvbAvG ++Z0yIlNnEFtP/vAapciWFaUUChSarqNaMFgwHwYDVR0jBBgwFoAUIO5hY4gGmlcl +Mw78YGdwHqHJLVswCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPPI +gzk03dz6sWYKdd2MW2n4Y5LrMAoGCCqGSM49BAMDA4GMADCBiAJCASKlHzi830st +8RM0DtPRF4v4YiPNSK4bFXiAS+/OjveR1Y6oFQfuZZinTFUU3P9A5UfinxqLrDJW +iMtjmym4JYmZAkIAmwn9mVrpoKtUmxwBbPDhJLrgCTXPP0sttIuRRDbrGsSTCDhB +HXaRfoA5969eZJ6zcGxI84TZzYSRvvE5AjMxH+k= +-----END CERTIFICATE----- diff --git a/files/zabbix_proxy.key b/files/zabbix_proxy.key new file mode 100644 index 0000000..7e20868 --- /dev/null +++ b/files/zabbix_proxy.key @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBlgrJJI/T9N2pOj5pFrMfuDaYboRfqckR2U0NnOVpqgUBLyVzQK+l +s7iNnopgtqPEUI6zRVQCMAEII0Relhoc7+egBwYFK4EEACOhgYkDgYYABACasAU1 +6MClAB06k8lQG2hn6CUJCBKhjOcIRZqL1L5PdWprqnKfYdioOgzHfIlgikBrGryI +66wj3SMWwtOBpZXg3wDcPRLSDDkwZa0hjCQfUHqO1wPQKN8sfnY1X41LXz4RrV79 +OLEbw1zvbAvG+Z0yIlNnEFtP/vAapciWFaUUChSarg== +-----END EC PRIVATE KEY----- diff --git a/files/zabbix_server.crt b/files/zabbix_server.crt new file mode 100644 index 0000000..1d76111 --- /dev/null +++ b/files/zabbix_server.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICKTCCAYugAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5UwCgYIKoZIzj0EAwMw +ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNzAw +MzRaFw0yNzAyMTQxNzAwMzRaMCUxCzAJBgNVBAYTAkZSMRYwFAYDVQQDDA16YWJi +aXhfc2VydmVyMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAQNnum/k11nyoW7yc +6LICHe+rHmv18AguNfVg/tQ1lk9DPkOYp3xC+kcZQDkazeKqxEKY9l3jzG84gxvW +qtlc4o0BvoYEEKLPiLXfKSzhkXcmyiAwXKT71t6peDIGYCnZHC8n6Hsio1UH9voA +R6+bc3/rX+xxsDn1KiJ9ibHwyYeoSgGjWjBYMB8GA1UdIwQYMBaAFCDuYWOIBppX +JTMO/GBncB6hyS1bMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMB0GA1UdDgQWBBQ+ +1/AYNQleyhffJLBauHtkqwYu0TAKBggqhkjOPQQDAwOBiwAwgYcCQQf2/5hVMbPP +L18i8VzeSZvNu+hqho0zGqTMY7oCekbEH6J4w+QQqslr9ps+9d+ce3nuQtuJEIBl +1PCgaTHq5Ht7AkIBs+uzxTYQCRRvZ3CtjxYYYKLbSimqGWlnV9qMHASBxV/dskHU +nP/JzeMgJuG44HwdaeqAb1dS1PYsYkPMkdwtLcQ= +-----END CERTIFICATE----- diff --git a/files/zabbix_server.key b/files/zabbix_server.key new file mode 100644 index 0000000..a5c9771 --- /dev/null +++ b/files/zabbix_server.key @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBWA0qpIubCVTvFj0jmQvNl5ucVI5wngXTLwiH6R9naCscSw7fxdRN +W52RikdZnQpExdY7m7cP7oWc/rTsTOAc2wqgBwYFK4EEACOhgYkDgYYABABA2e6b ++TXWfKhbvJzosgId76sea/XwCC419WD+1DWWT0M+Q5infEL6RxlAORrN4qrEQpj2 +XePMbziDG9aq2VzijQG+hgQQos+Itd8pLOGRdybKIDBcpPvW3ql4MgZgKdkcLyfo +eyKjVQf2+gBHr5tzf+tf7HGwOfUqIn2JsfDJh6hKAQ== +-----END EC PRIVATE KEY----- diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..a5a5b8e --- /dev/null +++ b/handlers/main.yml 
@@ -0,0 +1,26 @@
+---
+# handlers file for zabbix
+- name: Restart postgresql
+ service:
+ name: postgresql
+ state: restarted
+
+- name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: Restart Zabbix Server
+ service:
+ name: zabbix-server
+ state: restarted
+
+- name: Restart Zabbix Proxy
+ service:
+ name: zabbix-proxy
+ state: restarted
+
+- name: Restart Zabbix Agent2
+ service:
+ name: zabbix-agent2
+ state: restarted
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/tasks/install-agent2.yml b/tasks/install-agent2.yml new file mode 100644 index 0000000..0fa542c --- /dev/null +++ b/tasks/install-agent2.yml 
@@ -0,0 +1,76 @@
+
+- name: Install Agent2 Debian packages
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ debian_agent_packages }}"
+ tags:
+ - install_srv
+ when: ansible_os_family == "Debian"
+
+- name: Install packages
+ ansible.builtin.dnf:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ rhel_agent_packages }}"
+ tags:
+ - install_srv
+ when: ansible_os_family == "RedHat"
+
+- name: Find Group
+ set_fact:
+ my_group: "{{ group_names | first }}"
+
+- name: Créer la liste des hôtes correspondant aux rôles cibles
+ set_fact:
+ hotes_filtres: >-
+ {{ groups[my_group] |
+ map('extract', hostvars) |
+ selectattr('role', 'in', roles_cibles) |
+ map(attribute='inventory_hostname') |
+ list }}
+
+- name: Generate Server List
+ set_fact:
+ Server: "{{ hotes_filtres | join(',') }}"
+
+- name: Generate ActiveServer List
+ set_fact:
+ ServerActive: "{{ hotes_filtres | join(';') }}"
+
+- name: Generate agent2 config
+ ansible.builtin.template:
+ src: zabbix_agent2.conf.j2
+ dest: /etc/zabbix/zabbix_agent2.conf
+ owner: zabbix
+ group: zabbix
+ mode: 0640
+
+- name: Create cert directory if zabbix_crypt=="tls"
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Copy Certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca }}.crt"
+ - "{{ zabbix_agent }}.crt"
+ - "{{ zabbix_agent }}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Enable and start service zabbix agent2
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-agent2
diff --git a/tasks/install-db.yml b/tasks/install-db.yml
new file mode 100644
index 0000000..e725861
--- /dev/null
+++ b/tasks/install-db.yml
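Review bot: The `Copy Certificats` task sets `owner` and `group` but no `mode`, so `{{ zabbix_agent }}.key` is written with whatever the default umask yields, which is usually world-readable; the directory task above it has no `mode` either. Give the private key `mode: "0600"` (copy it in its own task, or loop over items that carry a mode) and create `/etc/zabbix/certs` with `mode: "0750"`. The same gap is in the certificate copy tasks of tasks/install-proxy.yml and tasks/install-srv.yml. Separately, the final task uses `state: restarted` on every run instead of notifying the `Restart Zabbix Agent2` handler from the template and copy tasks, so the agent restarts even when nothing changed.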
@@ -0,0 +1,84 @@ + + +- name: Install RHEL packages + ansible.builtin.dnf: + name: "{{ item }}" + state: latest + loop: "{{ rhel_db_packages }}" + tags: + - install_db + when: ansible_os_family == "RedHat" + +- name: Install Debian packages + ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ debian_db_packages }}" + tags: + - install_db + when: ansible_os_family == "Debian" + +- name: Enable and start service postgresl + ansible.builtin.service: + name: postgresql + state: started + enabled: yes + tags: + - install_db + +- name: Generate create db script + ansible.builtin.template: + src: create_db.j2 + dest: /tmp/create_db.sql + owner: postgres + tags: + - install_db + +- name: Run create db script + ansible.builtin.shell: su - postgres -c 'psql -f /tmp/create_db.sql' + tags: + - install_db + +- name: Add zabbix user to pg_hba + ansible.builtin.lineinfile: + path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf + insertafter: '# Database administrative login by Unix domain socket' + line: "local {{ db_name }} {{ db_user }} trust" + firstmatch: yes + state: present + +- name: Find Group + set_fact: + my_group: "{{ group_names | first }}" + +- name: Créer les entrées pg_hba pour tous les hosts avec rôle 'srv' + lineinfile: + path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf + line: "host {{ db_name }} {{ db_user }} {{ hostvars[item]['ansible_default_ipv4']['address'] }}/32 md5" + state: present + loop: "{{ groups[my_group] }}" + when: + - hostvars[item].role is defined + - hostvars[item].role == 'srv' or hostvars[item].role == 'front' + - hostvars[item]['ansible_default_ipv4'] is defined + +- name: Configure postgres Listen address + ansible.builtin.lineinfile: + path: /etc/postgresql/17/main/postgresql.conf + regexp: '^#listen_addresses = .*' + line: "listen_addresses = '*'" + tags: + - install_db + + +- name: Restart postgresql + service: + name: postgresql + state: restarted + tags: + - install_db + +- name: Populate 
zabbix database + ansible.builtin.shell: 'zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | psql -Uzabbix zabbix' + tags: + - install_db \ No newline at end of file diff --git a/tasks/install-front.yml b/tasks/install-front.yml new file mode 100644 index 0000000..15f2787 --- /dev/null +++ b/tasks/install-front.yml @@ -0,0 +1,47 @@ +- name: Install RHEL Front + when: ansible_os_family == "RedHat" + block: + - name: Install packages + ansible.builtin.dnf: + name: "{{ item }}" + state: latest + loop: "{{ rhel_front_packages }}" + tags: + - install_front + - name: Generate front php config + ansible.builtin.template: + src: zabbix.conf.php.j2 + dest: /usr/share/zabbix/conf/zabbix.conf.php + owner: root + group: root + mode: 644 + tags: + - install_front + +- name: Install Debian Front + when: ansible_os_family == "Debian" + block: + - name: Install Debian packages + ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ debian_front_packages }}" + tags: + - install_front + + - name: Configure nginx port + ansible.builtin.lineinfile: + path: /etc/zabbix/nginx.conf + regexp: 'listen 8080;' + line: " listen 80;" + tags: + - install_srv + + - name: Configure nginx url + ansible.builtin.lineinfile: + path: /etc/zabbix/nginx.conf + regexp: 'server_name example.com;' + line: " server_name {{ inventory_hostname }};" + tags: + - install_srv + notify: Restart nginx \ No newline at end of file diff --git a/tasks/install-proxy.yml b/tasks/install-proxy.yml new file mode 100644 index 0000000..1af4c5b --- /dev/null +++ b/tasks/install-proxy.yml 
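Review bot: In tasks/install-db.yml the `Add zabbix user to pg_hba` task writes `local {{ db_name }} {{ db_user }} trust`, which lets any local OS account on the database host connect as the owner of the Zabbix database without a password; `scram-sha-256` with the password supplied to the later `psql -Uzabbix` step through the task's `environment:` (and `no_log: true`) keeps that step working without the open entry. `/tmp/create_db.sql` is rendered with the database password in it, has no `mode`, and is never removed; set `mode: "0600"` and delete it once the script has run. `listen_addresses = '*'` is applied through a hard-coded `/etc/postgresql/17/main/postgresql.conf` while the pg_hba tasks use `postgresql_version`, and binding to the specific interface the server and frontend reach would be narrower than every address. Since create_db.j2 begins with `DROP DATABASE IF EXISTS`, re-running this file also wipes an existing database, so the create step needs a guard.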
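Review bot: `mode: 644` in `Generate front php config` (tasks/install-front.yml) is an unquoted decimal integer, which Ansible does not interpret as octal 0644, so `zabbix.conf.php` ends up with unintended permission bits. Write it as a quoted string, and because this file presumably carries the database password (the template body is not fully visible on this page), prefer something tighter such as `mode: "0640"` with the group set to the account the PHP worker runs as. The two nginx `lineinfile` tasks are tagged `install_srv` rather than `install_front`, and only the second one has `notify: Restart nginx`, so a port change on its own is not applied until something else restarts nginx.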
@@ -0,0 +1,100 @@
+- name: Proxy - Install Debian Proxy packages
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ debian_proxy_packages }}"
+ tags:
+ - install_proxy
+ when: ansible_os_family == "Debian"
+
+
+- name: Proxy - Install RedHat packages
+ ansible.builtin.dnf:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ rhel_proxy_packages }}"
+ tags:
+ - install_proxy
+ when: ansible_os_family == "RedHat"
+
+- name: Proxy - Enable and start service mariadb
+ ansible.builtin.service:
+ name: mariadb
+ state: started
+ enabled: yes
+ tags:
+ - install_proxy
+
+- name: Proxy - Generate mariadb proxy creation script
+ ansible.builtin.template:
+ src: create_proxy_db.j2
+ dest: /tmp/create_proxy_db.sql
+ tags:
+ - install_proxy
+
+- name: Proxy - Create mariadb proxy database
+ ansible.builtin.shell: mysql -uroot < /tmp/create_proxy_db.sql
+ tags:
+ - install_proxy
+
+- name: Proxy - Populate mariadb proxy database
+ ansible.builtin.shell: 'cat /usr/share/zabbix/sql-scripts/mysql/proxy.sql | mysql --default-character-set=utf8mb4 -u{{proxy_db_user}} --password={{proxy_db_passwd}} {{proxy_db_name}}'
+ tags:
+ - install_proxy
+
+- name: Find Group
+ set_fact:
+ my_group: "{{ group_names | first }}"
+
+- name: Proxy - Génération la liste des servers
+ set_fact:
+ hotes_filtres: >-
+ {{ groups[my_group] |
+ map('extract', hostvars) |
+ selectattr('role', 'in', 'srv') |
+ map(attribute='inventory_hostname') |
+ list }}
+
+- name: Proxy - Set fact Server
+ set_fact:
+ Server: "{{ hotes_filtres | join(';') }}"
+
+- name: Proxy - Generate config
+ ansible.builtin.template:
+ src: zabbix_proxy.conf.j2
+ dest: /etc/zabbix/zabbix_proxy.conf
+ owner: root
+ group: zabbix
+ mode: 400
+
+ tags:
+ - install_proxy
+
+- name: Proxy - Create certificats directory
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Proxy - Copy certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca}}.crt"
+ - "{{ zabbix_proxy}}.crt"
+ - "{{ zabbix_proxy}}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Proxy - Enable and start service zabbix proxy
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-proxy
\ No newline at end of file
diff --git a/tasks/install-srv.yml b/tasks/install-srv.yml
new file mode 100644
index 0000000..fba3951
--- /dev/null
+++ b/tasks/install-srv.yml
@@ -0,0 +1,57 @@
+- name: Install Debian packages
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ debian_srv_packages }}"
+ tags:
+ - install_srv
+ when: ansible_os_family == "Debian"
+
+
+- name: Install packages
+ ansible.builtin.dnf:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ rhel_srv_packages }}"
+ tags:
+ - install_srv
+ when: ansible_os_family == "RedHat"
+
+- name: Generate srv config
+ ansible.builtin.template:
+ src: zabbix_server.conf.j2
+ dest: /etc/zabbix/zabbix_server.conf
+ owner: zabbix
+ group: zabbix
+ mode: 0640
+ tags:
+ - install_srv
+
+- name: Create cert directory if zabbix_crypt=="tls"
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Copy Certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca}}.crt"
+ - "{{ zabbix_server}}.crt"
+ - "{{ zabbix_server}}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Enable and start service zabbix server
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-server
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..914d983
--- /dev/null
+++ b/tasks/main.yml
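Review bot: In tasks/install-proxy.yml, `Proxy - Populate mariadb proxy database` puts `--password={{proxy_db_passwd}}` on a shell command line, where it shows up in the host's process list and in Ansible's task output and logs. Pass the secret through the task's `environment:` (for example `MYSQL_PWD`) or a root-only option file, and add `no_log: true`; `/tmp/create_proxy_db.sql` also holds the password, has no `mode` and is never removed. `mode: 400` on `zabbix_proxy.conf` is an unquoted decimal rather than octal, and with `owner: root` / `group: zabbix` an intended 0400 would presumably be unreadable to the proxy's service account, so `mode: "0640"` as used for the server and agent configs looks like what is meant. `selectattr('role', 'in', 'srv')` tests whether `role` is a substring of the string `'srv'`, not equality; `selectattr('role', 'equalto', 'srv')` states the intent.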
@@ -0,0 +1,74 @@
+---
+# tasks file for zabbix
+- name: check OS version
+ debug: var=ansible_os_family
+- name: Prepare RHEL
+ block:
+ - name: Alma Repo
+ ansible.builtin.shell:
+ cmd: rpm -Uvh https://repo.zabbix.com/zabbix/7.0/alma/9/x86_64/zabbix-release-latest.el9.noarch.rpm
+ - name: disable firewall
+ ansible.builtin.service:
+ name: firewalld
+ state: stopped
+ enabled: false
+ - name: clean repo
+ ansible.builtin.shell:
+ cmd: dnf clean all
+ when: ansible_os_family == "RedHat"
+- name: Prepare Debian
+ block:
+ - name: Debian Repo
+ ansible.builtin.apt:
+ deb: https://repo.zabbix.com/zabbix/7.4/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_7.4+debian13_all.deb
+ - name: Mise à jour le cache des paquets
+ ansible.builtin.apt:
+ update_cache: yes
+ when: ansible_os_family == "Debian"
+
+
+- name: Install Database
+ when: role == "db"
+ block:
+ - name: Install Zabbix DB
+ ansible.builtin.include_tasks: install-db.yml
+ when: role == "db"
+ tags:
+ - database
+ tags:
+ - install_db
+
+- name: Install server
+ when: role == "srv"
+ block:
+ - name: Install Zabbix Server
+ ansible.builtin.include_tasks: install-srv.yml
+ when: role == "srv"
+ tags:
+ - install_srv
+
+- name: Install zabbix_proxy
+ when: role == "proxy"
+ block:
+ - name: Install Zabbix Proxy
+ ansible.builtin.include_tasks: install-proxy.yml
+ when: role == "proxy"
+ tags:
+ - install_proxy
+
+- name: Install Front
+ when: role == "front"
+ block:
+ - name: Install Zabbix Front
+ ansible.builtin.include_tasks: install-front.yml
+ when: role == "front"
+ tags:
+ - install_front
+
+- name: Install Agent
+ block:
+ - name: Install Zabbix Agent
+ ansible.builtin.include_tasks: install-agent2.yml
+ tags:
+ - install_agent
+ - never
\ No newline at end of file
diff --git a/templates/create_db.j2 b/templates/create_db.j2
new file mode 100644
index 0000000..e2434f9
--- /dev/null
+++ b/templates/create_db.j2
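Review bot: The `disable firewall` task stops and disables firewalld on every RedHat-family host the role touches, including a database host where install-db.yml sets `listen_addresses = '*'`. Leave the firewall running and open only the ports each role needs (the agent template documents 10050 as the default ListenPort), for example with `ansible.posix.firewalld` using `permanent: true` and `immediate: true`. `Alma Repo` installs a remote RPM through `ansible.builtin.shell` with `rpm -Uvh`, which is not idempotent and imports no signing key first; `ansible.builtin.rpm_key` followed by `ansible.builtin.dnf` with the URL in `name:` is the module-based form. The RHEL branch points at the 7.0 repository and the Debian branch at 7.4, so a mixed-OS deployment would run different major versions of server, proxy and agent. `Install Agent` carries the `never` tag and therefore only runs when `install_agent` is requested explicitly, which deserves a comment if intended.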
@@ -0,0 +1,6 @@ +DROP DATABASE IF EXISTS {{ db_name }}; +DROP USER IF EXISTS {{ db_user }}; +CREATE DATABASE {{ db_name }}; +CREATE USER {{ db_user }} WITH ENCRYPTED PASSWORD '{{ db_passwd }}'; +GRANT ALL PRIVILEGES ON {{ db_name }} TO {{ db_user }}; +ALTER DATABASE {{ db_name }} OWNER TO {{ db_user }}; \ No newline at end of file diff --git a/templates/create_proxy_db.j2 b/templates/create_proxy_db.j2 new file mode 100644 index 0000000..094b880 --- /dev/null +++ b/templates/create_proxy_db.j2 @@ -0,0 +1,6 @@ +DROP DATABASE IF EXISTS {{proxy_db_name}}; +DROP USER IF EXISTS '{{proxy_db_user}}'@'localhost'; +create database {{proxy_db_name}} character set utf8mb4 collate utf8mb4_bin; +create user {{proxy_db_user}}@localhost identified by '{{proxy_db_passwd}}'; +grant all privileges on {{proxy_db_user}}.* to {{proxy_db_name}}@localhost; +set global log_bin_trust_function_creators = 1; diff --git a/templates/zabbix.conf.php.j2 b/templates/zabbix.conf.php.j2 new file mode 100644 index 0000000..91c1f5f --- /dev/null +++ b/templates/zabbix.conf.php.j2 @@ -0,0 +1,58 @@ + 'http://localhost:9200', +// 'text' => 'http://localhost:9200' +//]; +// Value types stored in Elasticsearch. +//$HISTORY['types'] = ['uint', 'text']; + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +//$SSO['SP_KEY'] = 'conf/certs/sp.key'; +//$SSO['SP_CERT'] = 'conf/certs/sp.crt'; +//$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; +//$SSO['SETTINGS'] = []; + +// If set to false, support for HTTP authentication will be disabled. +// $ALLOW_HTTP_AUTH = true; \ No newline at end of file diff --git a/templates/zabbix_agent2.conf.j2 b/templates/zabbix_agent2.conf.j2 new file mode 100644 index 0000000..5372bf4 --- /dev/null +++ b/templates/zabbix_agent2.conf.j2 
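Review bot: In templates/create_db.j2, `GRANT ALL PRIVILEGES ON {{ db_name }} TO {{ db_user }};` lacks the `DATABASE` keyword, so PostgreSQL resolves the name as a table and the statement fails; it should read `GRANT ALL PRIVILEGES ON DATABASE {{ db_name }} TO {{ db_user }};`, although the `ALTER DATABASE ... OWNER TO` that follows already makes it redundant. The script opens with `DROP DATABASE IF EXISTS` and `DROP USER IF EXISTS`, so every run of install-db.yml destroys existing monitoring data. Names and the password are interpolated raw, and a password containing a single quote breaks the `CREATE USER` statement. Since `python3-psycopg2` is already in `debian_db_packages`, `community.postgresql.postgresql_db` and `community.postgresql.postgresql_user` would give idempotent creation with proper quoting and no password file in `/tmp`.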
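Review bot: The grant in templates/create_proxy_db.j2 has its two variables swapped: `grant all privileges on {{proxy_db_user}}.* to {{proxy_db_name}}@localhost;` grants on a schema named after the user to an account named after the database, and only works because both defaults are `zabbix_proxy`. It should be `grant all privileges on {{proxy_db_name}}.* to '{{proxy_db_user}}'@'localhost';`, quoted the same way as the `DROP USER` line. `set global log_bin_trust_function_creators = 1;` is never set back to 0 after the schema import in install-proxy.yml, so the relaxation stays in place; add a closing task that resets it. As with the PostgreSQL script, the leading `DROP DATABASE IF EXISTS` makes a re-run destructive.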
@@ -0,0 +1,590 @@ +# This is a configuration file for Zabbix agent 2 (Unix) +# To get more information about Zabbix, visit https://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agent2.pid + +PidFile=/run/zabbix/zabbix_agent2.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile=/tmp/zabbix_agent2.log + +LogFile=/var/log/zabbix/zabbix_agent2.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +LogFileSize=0 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. 
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# If left empty or not set will disable passive checks, and Zabbix agent 2 will not listen on the ListenPort. +# +# Mandatory: no +# Default: +# Server= + +Server={{Server}} +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. +# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: StatusPort +# Agent will listen on this port for HTTP status requests. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# StatusPort= + +##### Active checks related + +### Option: ServerActive +# Zabbix server/proxy address or cluster configuration to get active checks from. +# Server/proxy address is IP address or DNS name and optional port separated by colon. +# Cluster configuration is one or more server or proxy group member addresses separated by semicolon. +# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. +# Unless using proxy groups, more than one Zabbix proxy should not be specified from each Zabbix server/cluster. +# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. +# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. 
+# Example for Zabbix proxy: +# ServerActive=127.0.0.1:10051 +# Example for Zabbix proxy group: +# ServerActive=proxy1.example.com;proxy2.example.com;proxy3.example.com;proxy4.example.com;proxy5.example.com +# Example for multiple servers: +# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for high availability: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 +# Example for high availability with two clusters and one server: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain +# +# Mandatory: no +# Default: +ServerActive={{ServerActive}} + +### Option: Hostname +# List of comma delimited unique, case sensitive hostnames. +# Required for active checks and must match hostnames as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +Hostname={{ansible_fqdn}} + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 2034 bytes. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-2034 bytes +# Default: +# HostMetadata= + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 65535 characters. +# This option is only used when HostMetadata is not defined. 
+# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 1-86400 +# Default: +# RefreshActiveChecks=5 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# Option is not valid if EnablePersistentBuffer=1 +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=1000 + +### Option: EnablePersistentBuffer +# Enable usage of local persistent storage for active items. +# 0 - disabled, in-memory buffer is used (default); 1 - use persistent buffer +# Mandatory: no +# Range: 0-1 +# Default: +# EnablePersistentBuffer=0 + +### Option: PersistentBufferPeriod +# Zabbix Agent2 will keep data for this time period in case of no +# connectivity with Zabbix server or proxy. Older data will be lost. Log data will be preserved. 
+# Option is valid if EnablePersistentBuffer=1
+#
+# Mandatory: no
+# Range: 1m-365d
+# Default:
+# PersistentBufferPeriod=1h
+
+### Option: PersistentBufferFile
+# Full filename. Zabbix Agent2 will keep SQLite database in this file.
+# Option is valid if EnablePersistentBuffer=1
+#
+# Mandatory: no
+# Default:
+# PersistentBufferFile=
+
+### Option: HeartbeatFrequency
+# Frequency of heartbeat messages in seconds.
+# Used for monitoring availability of active checks.
+# 0 - heartbeat messages disabled.
+#
+# Mandatory: no
+# Range: 0-3600
+# Default: 60
+# HeartbeatFrequency=
+
+############ ADVANCED PARAMETERS #################
+
+### Option: Alias
+# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+# Different Alias keys may reference the same item key.
+# For example, to retrieve the ID of user 'zabbix':
+# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+# Now shorthand key zabbix.userid may be used to retrieve data.
+# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Timeout
+# Specifies how long to wait (in seconds) for establishing connection and exchanging data with Zabbix proxy or server.
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+### Option:PluginTimeout
+# Timeout for connections with external plugins.
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# PluginTimeout=
+
+### Option:PluginSocket
+# Path to unix socket for external plugin communications.
+#
+# Mandatory: no
+# Default:/tmp/agent.plugin.sock
+# PluginSocket=
+
+PluginSocket=/run/zabbix/agent.plugin.sock
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+
+### Option: UserParameter
+# User-defined parameter to monitor. There can be several user-defined parameters.
+# Format: UserParameter=,
+# See 'zabbix_agentd' directory for examples.
+#
+# Mandatory: no
+# Default:
+# UserParameter=
+
+### Option: UserParameterDir
+# Directory to execute UserParameter commands from. Only one entry is allowed.
+# When executing UserParameter commands the agent will change the working directory to the one
+# specified in the UserParameterDir option.
+# This way UserParameter commands can be specified using the relative ./ prefix.
+#
+# Mandatory: no
+# Default:
+# UserParameterDir=
+
+### Option: ControlSocket
+# The control socket, used to send runtime commands with '-R' option.
+#
+# Mandatory: no
+# Default:
+# ControlSocket=
+
+ControlSocket=/run/zabbix/agent.sock
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSConnect=cert
+{% else %}
+TLSConnect=unencrypted
+{% endif %}
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSAccept=cert
+{% else %}
+TLSAccept=unencrypted
+{% endif %}
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSCAFile=/etc/zabbix/certs/{{zabbix_ca}}.crt
+{% else %}
+# TLSCAFile=
+{% endif %}
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+{% if zabbix_crypt=="tls" %}
+TLSServerCertIssuer={{TLSServerCertIssuer}}
+{% else %}
+# TLSServerCertIssuer=
+{% endif %}
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+{% if zabbix_crypt=="tls" %}
+TLSServerCertSubject={{TLSServerCertSubject}}
+{% else %}
+# TLSServerCertSubject=
+{% endif %}
+### Option: TLSCertFile
+# Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSCertFile=/etc/zabbix/certs/{{zabbix_agent}}.crt
+{% else %}
+# TLSCertFile=
+{% endif %}
+### Option: TLSKeyFile
+# Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSKeyFile=/etc/zabbix/certs/{{zabbix_agent}}.key
+{% else %}
+# TLSKeyFile=
+{% endif %}
+
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
+
+####### PLUGIN-SPECIFIC PARAMETERS #######
+
+### Option: Plugins
+# A plugin can have one or more plugin specific configuration parameters in format:
+# Plugins..=
+# Plugins..=
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Plugins.Log.MaxLinesPerSecond
+# Maximum number of new lines the agent will send per second to Zabbix Server
+# or Proxy processing 'log' and 'logrt' active checks.
+# The provided value will be overridden by the parameter 'maxlines',
+# provided in 'log' or 'logrt' item keys.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# Plugins.Log.MaxLinesPerSecond=20
+
+### Option: AllowKey
+# Allow execution of item keys matching pattern.
+# Multiple keys matching rules may be defined in combination with DenyKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+# Deny execution of items keys matching pattern.
+# Multiple keys matching rules may be defined in combination with AllowKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
+#
+# Mandatory: no
+# Default:
+# DenyKey=system.run[*]
+
+### Option: Plugins.SystemRun.LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# Plugins.SystemRun.LogRemoteCommands=0
+
+### Option: ForceActiveChecksOnStart
+# Perform active checks immediately after restart for first received configuration.
+# Also available as per plugin configuration, example: Plugins.Uptime.System.ForceActiveChecksOnStart=1
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# ForceActiveChecksOnStart=0
+
+# Include configuration files for plugins
+Include=/etc/zabbix/zabbix_agent2.d/plugins.d/*.conf
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+####### Additional configuration files #######
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+Include=/etc/zabbix/zabbix_agent2.d/*.conf
+
+# Include=/usr/local/etc/zabbix_agent2.userparams.conf
+# Include=/usr/local/etc/zabbix_agent2.conf.d/
+# Include=/usr/local/etc/zabbix_agent2.conf.d/*.conf
diff --git a/templates/zabbix_proxy.conf.j2 b/templates/zabbix_proxy.conf.j2
new file mode 100644
index 0000000..5a33db4
--- /dev/null
+++ b/templates/zabbix_proxy.conf.j2
@@ -0,0 +1,1097 @@
+# This is a configuration file for Zabbix proxy daemon
+# To get more information about Zabbix, visit https://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: ProxyMode
+# Proxy operating mode.
+# 0 - proxy in the active mode
+# 1 - proxy in the passive mode
+#
+# Mandatory: no
+# Default:
+ProxyMode=0
+
+### Option: Server
+# If ProxyMode is set to active mode:
+# IP address or DNS name (address:port) or cluster (address:port;address2:port) of Zabbix server to get configuration data from and send data to.
+# If port is not specified, default port is used.
+# Cluster nodes need to be separated by semicolon.
+# If ProxyMode is set to passive mode:
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix server.
+# Incoming connections will be accepted only from the addresses listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: yes
+# Default:
+# Server=
+
+Server={{ Server }}
+### Option: Hostname
+# Unique, case sensitive Proxy name. Make sure the Proxy name is known to the server!
+# Value is acquired from HostnameItem if undefined.
+#
+# Mandatory: no
+# Default:
+# Hostname=
+
+Hostname={{ ansible_fqdn }}
+
+### Option: HostnameItem
+# Item used for generating Hostname if it is undefined.
+# Ignored if Hostname is defined.
+#
+# Mandatory: no
+# Default:
+# HostnameItem=system.hostname
+
+### Option: ListenPort
+# Listen port for trapper.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10051
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix/zabbix_proxy.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+# DebugLevel=3
+
+### Option: EnableRemoteCommands
+# Whether remote commands from Zabbix server are allowed.
+# 0 - not allowed
+# 1 - allowed
+#
+# Mandatory: no
+# Default:
+# EnableRemoteCommands=0
+
+### Option: LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# LogRemoteCommands=0
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_proxy.pid
+
+PidFile=/run/zabbix/zabbix_proxy.pid
+
+### Option: SocketDir
+# IPC socket directory.
+# Directory to store IPC sockets used by internal Zabbix services.
+#
+# Mandatory: no
+# Default:
+# SocketDir=/tmp
+
+SocketDir=/run/zabbix
+
+### Option: DBHost
+# Database host name.
+# If set to localhost, socket is used for MySQL.
+# If set to empty string, socket is used for PostgreSQL.
+#
+# Mandatory: no
+# Default:
+# DBHost=localhost
+
+### Option: DBName
+# Database name.
+# For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored.
+# Warning: do not attempt to use the same database Zabbix server is using.
+#
+# Mandatory: yes
+# Default:
+# DBName=
+
+DBName={{ proxy_db_name }}
+
+### Option: DBSchema
+# Schema name. Used for PostgreSQL.
+#
+# Mandatory: no
+# Default:
+# DBSchema=
+
+### Option: DBUser
+# Database user. Ignored for SQLite.
+#
+# Default:
+# DBUser=
+
+DBUser={{ proxy_db_user }}
+
+### Option: DBPassword
+# Database password. Ignored for SQLite.
+# Comment this line if no password is used.
+#
+# Mandatory: no
+# Default:
+DBPassword={{ proxy_db_passwd }}
+
+### Option: DBSocket
+# Path to MySQL socket.
+#
+# Mandatory: no
+# Default:
+# DBSocket=
+
+# Option: DBPort
+# Database port when not using local socket. Ignored for SQLite.
+#
+# Mandatory: no
+# Default for MySQL: 3306
+# Default for PostgreSQL: 5432
+# DBPort=
+
+### Option: AllowUnsupportedDBVersions
+# Allow proxy to work with unsupported database versions.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowUnsupportedDBVersions=0
+
+######### PROXY SPECIFIC PARAMETERS #############
+
+### Option: ProxyLocalBuffer
+# Proxy will keep data locally for N hours, even if the data have already been synced with the server.
+# This parameter may be used if local data will be used by third party applications.
+#
+# Mandatory: no
+# Range: 0-720
+# Default:
+# ProxyLocalBuffer=0
+
+### Option: ProxyOfflineBuffer
+# Proxy will keep data for N hours in case if no connectivity with Zabbix Server.
+# Older data will be lost.
+#
+# Mandatory: no
+# Range: 1-720
+# Default:
+# ProxyOfflineBuffer=1
+
+### Option: ProxyBufferMode
+# Specifies history, discovery and auto registration data storage mechanism:
+# disk - data are stored in database and uploaded from database
+# memory - data are stored in memory and uploaded from memory.
+# If buffer runs out of memory the old data will be discarded.
+# On shutdown the buffer is discarded.
+# hybrid - the proxy buffer normally works like in memory mode until it runs out of memory or
+# the oldest record exceeds the configured age. If that happens the buffer is flushed
+# to database and it works like in disk mode until all data have been uploaded and
+# it starts working with memory again. On shutdown the memory buffer is flushed
+# to database.
+#
+# Mandatory: no
+# Values: disk, memory, hybrid
+# Default:
+# ProxyBufferMode=disk
+
+ProxyBufferMode=hybrid
+
+### Option: ProxyMemoryBufferSize
+# Size of shared memory cache for collected history, discovery and auto registration data, in bytes.
+# If enabled (not zero) proxy will keep history discovery and auto registration data in memory unless
+# cache is full or stored records are older than defined ProxyMemoryBufferAge.
+# This parameter cannot be used together with ProxyLocalBuffer parameter.
+#
+# Mandatory: no
+# Range: 0,128K-2G
+# Default:
+# ProxyMemoryBufferSize=0
+
+ProxyMemoryBufferSize=16M
+
+### Option: ProxyMemoryBufferAge
+# Maximum age of data in proxy memory buffer, in seconds.
+# When enabled (not zero) and records in proxy memory buffer are older, then it forces proxy buffer
+# to switch to database mode until all records are uploaded to server.
+# This parameter must be less or equal to ProxyOfflineBuffer parameter (note different units).
+#
+# Mandatory: no
+# Range: 0,600-864000
+# Default:
+# ProxyMemoryBufferAge=0
+
+### Option: ConfigFrequency - Deprecated, use ProxyConfigFrequency
+# How often proxy retrieves configuration data from Zabbix Server in seconds.
+# For a proxy in the passive mode this parameter will be ignored.
+# Mandatory: no
+
+### Option: ProxyConfigFrequency
+# How often proxy retrieves configuration data from Zabbix Server in seconds.
+# For a proxy in the passive mode this parameter will be ignored.
+#
+# Mandatory: no
+# Range: 1-3600*24*7
+# Default:
+# ProxyConfigFrequency=10
+
+### Option: DataSenderFrequency
+# Proxy will send collected data to the Server every N seconds.
+# For a proxy in the passive mode this parameter will be ignored.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# DataSenderFrequency=1
+
+############ ADVANCED PARAMETERS ################
+
+### Option: StartPollers
+# Number of pre-forked instances of pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollers=5
+
+### Option: StartAgentPollers
+# Number of pre-forked instances of asynchronous Zabbix agent pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartAgentPollers=1
+
+### Option: StartHTTPAgentPollers
+# Number of pre-forked instances of asynchronous HTTP agent pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHTTPAgentPollers=1
+
+### Option: StartSNMPPollers
+# Number of pre-forked instances of asynchronous SNMP pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartSNMPPollers=1
+
+### Option: MaxConcurrentChecksPerPoller
+# Maximum number of asynchronous checks that can be executed at once by each HTTP agent poller or agent poller.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxConcurrentChecksPerPoller=1000
+
+### Option: StartIPMIPollers
+# Number of pre-forked instances of IPMI pollers.
+# The IPMI manager process is automatically started when at least one IPMI poller is started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartIPMIPollers=0
+
+### Option: StartPreprocessors
+# Number of pre-started instances of preprocessing worker threads should be set to no less than
+# the available CPU core count. More workers should be set if preprocessing is not CPU-bound and has
+# lots of network requests.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# StartPreprocessors=16
+
+### Option: StartPollersUnreachable
+# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).
+# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers
+# are started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollersUnreachable=1
+
+### Option: StartTrappers
+# Number of pre-forked instances of trappers.
+# Trappers accept incoming connections from Zabbix sender and active agents.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartTrappers=5
+
+### Option: StartPingers
+# Number of pre-forked instances of ICMP pingers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPingers=1
+
+### Option: StartDiscoverers
+# Number of pre-started instances of discovery workers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartDiscoverers=5
+
+### Option: StartHTTPPollers
+# Number of pre-forked instances of HTTP pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHTTPPollers=1
+
+### Option: JavaGateway
+# IP address (or hostname) of Zabbix Java gateway.
+# Only required if Java pollers are started.
+#
+# Mandatory: no
+# Default:
+# JavaGateway=
+
+### Option: JavaGatewayPort
+# Port that Zabbix Java gateway listens on.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# JavaGatewayPort=10052
+
+### Option: StartJavaPollers
+# Number of pre-forked instances of Java pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartJavaPollers=0
+
+### Option: StartVMwareCollectors
+# Number of pre-forked vmware collector instances.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartVMwareCollectors=0
+
+### Option: VMwareFrequency
+# How often Zabbix will connect to VMware service to obtain a new data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwareFrequency=60
+
+### Option: VMwarePerfFrequency
+# How often Zabbix will connect to VMware service to obtain performance data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwarePerfFrequency=60
+
+### Option: VMwareCacheSize
+# Size of VMware cache, in bytes.
+# Shared memory size for storing VMware data.
+# Only used if VMware collectors are started.
+#
+# Mandatory: no
+# Range: 256K-2G
+# Default:
+# VMwareCacheSize=8M
+
+### Option: VMwareTimeout
+# Specifies how many seconds vmware collector waits for response from VMware service.
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# VMwareTimeout=10
+
+### Option: SNMPTrapperFile
+# Temporary file used for passing data from SNMP trap daemon to the proxy.
+# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file.
+#
+# Mandatory: no
+# Default:
+# SNMPTrapperFile=/tmp/zabbix_traps.tmp
+
+SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
+
+### Option: StartSNMPTrapper
+# If 1, SNMP trapper process is started.
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# StartSNMPTrapper=0
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the trapper should listen on.
+# Trapper will listen on all network interfaces if this parameter is missing.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: HousekeepingFrequency
+# How often Zabbix will perform housekeeping procedure (in hours).
+# Housekeeping is removing outdated information from the database.
+# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency
+# hours of outdated information are deleted in one housekeeping cycle.
+# To lower load on proxy startup housekeeping is postponed for 30 minutes after proxy start.
+# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option.
+# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the
+# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days.
+#
+# Mandatory: no
+# Range: 0-24
+# Default:
+# HousekeepingFrequency=1
+
+### Option: CacheSize
+# Size of configuration cache, in bytes.
+# Shared memory size, for storing hosts and items data.
+#
+# Mandatory: no
+# Range: 128K-64G
+# Default:
+# CacheSize=8M
+
+### Option: StartDBSyncers
+# Number of pre-forked instances of DB Syncers.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartDBSyncers=4
+
+### Option: HistoryCacheSize
+# Size of history cache, in bytes.
+# Shared memory size for storing history data.
+#
+# Mandatory: no
+# Range: 128K-16G
+# Default:
+# HistoryCacheSize=16M
+
+### Option: HistoryIndexCacheSize
+# Size of history index cache, in bytes.
+# Shared memory size for indexing history cache.
+#
+# Mandatory: no
+# Range: 128K-16G
+# Default:
+# HistoryIndexCacheSize=4M
+
+### Option: Timeout
+# Specifies how long to wait (in seconds) for establishing connection and exchanging data with Zabbix server, agent, web service, and for SNMP checks (except SNMP `walk[OID]` and `get[OID]` items) and `icmpping[*]` item.
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+Timeout=4
+
+### Option: TrapperTimeout
+# Specifies timeout in seconds for:
+# Retrieval of configuration data from Zabbix server
+# Global script / remote command execution
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# TrapperTimeout=300
+
+### Option: UnreachablePeriod
+# After how many seconds of unreachability treat a host as unavailable.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachablePeriod=45
+
+### Option: UnavailableDelay
+# How often host is checked for availability during the unavailability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnavailableDelay=60
+
+### Option: UnreachableDelay
+# How often host is checked for availability during the unreachability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachableDelay=15
+
+## Option: StartODBCPollers
+# Number of pre-forked ODBC poller instances.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartODBCPollers=1
+
+### Option: ExternalScripts
+# Full path to location of external scripts.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_proxy --help".
+#
+# Mandatory: no
+# Default:
+# ExternalScripts=/usr/lib/zabbix/externalscripts
+
+### Option: FpingLocation
+# Location of fping.
+# Make sure that fping binary has root ownership and SUID flag set.
+#
+# Mandatory: no
+# Default:
+# FpingLocation=/usr/sbin/fping
+
+FpingLocation=/usr/bin/fping
+
+### Option: Fping6Location
+# Location of fping6.
+# Make sure that fping6 binary has root ownership and SUID flag set.
+# Make empty if your fping utility is capable to process IPv6 addresses.
+#
+# Mandatory: no
+# Default:
+# Fping6Location=/usr/sbin/fping6
+
+Fping6Location=/usr/bin/fping6
+
+### Option: SSHKeyLocation
+# Location of public and private keys for SSH checks and actions.
+#
+# Mandatory: no
+# Default:
+# SSHKeyLocation=
+
+### Option: LogSlowQueries
+# How long a database query may take before being logged (in milliseconds).
+# Only works if DebugLevel set to 3 or 4.
+# 0 - don't log slow queries.
+#
+# Mandatory: no
+# Range: 1-3600000
+# Default:
+# LogSlowQueries=0
+
+LogSlowQueries=3000
+
+### Option: TmpDir
+# Temporary directory.
+#
+# Mandatory: no
+# Default:
+# TmpDir=/tmp
+
+### Option: AllowRoot
+# Allow the proxy to run as 'root'. If disabled and the proxy is started by 'root', the proxy
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: SSLCertLocation
+# Location of SSL client certificates.
+# This parameter is used in web monitoring and for communication with Vault.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_proxy --help".
+#
+# Mandatory: no
+# Default:
+# SSLCertLocation=${datadir}/zabbix/ssl/certs
+
+### Option: SSLKeyLocation
+# Location of private keys for SSL client certificates.
+# This parameter is used in web monitoring and for communication with Vault.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_proxy --help".
+#
+# Mandatory: no
+# Default:
+# SSLKeyLocation=${datadir}/zabbix/ssl/keys
+
+### Option: SSLCALocation
+# Location of certificate authority (CA) files for SSL server certificate verification.
+# If not set, system-wide directory will be used.
+# This parameter is used in web monitoring, HTTP agent items and for communication with Vault.
+#
+# Mandatory: no
+# Default:
+# SSLCALocation=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of proxy modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_proxy --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at proxy startup. Modules are used to extend functionality of the proxy.
+# Formats:
+# LoadModule=
+# LoadModule=
+# LoadModule=
+# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
+# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+### Option: StatsAllowedIP
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances.
+# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests
+# will be accepted.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: no
+# Default:
+# StatsAllowedIP=
+StatsAllowedIP=127.0.0.1,zserve01.bv.stef.lan,zserve02.bv.stef.lan
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the proxy should connect to Zabbix server. Used for an active proxy, ignored on a passive proxy.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSConnect=cert
+{% else %}
+TLSConnect=unencrypted
+{% endif %}
+### Option: TLSAccept
+# What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSAccept=cert
+{% else %}
+TLSAccept=unencrypted
+{% endif %}
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSCAFile=/etc/zabbix/certs/{{zabbix_ca}}.crt
+{% else %}
+# TLSCAFile=
+{% endif %}
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSServerCertIssuer={{TLSServerCertIssuer}}
+{% else %}
+# TLSServerCertIssuer=
+{% endif %}
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSServerCertSubject={{TLSServerCertSubject}}
+{% else %}
+# TLSServerCertSubject=
+{% endif %}
+
+
+### Option: TLSCertFile
+# Full pathname of a file containing the proxy certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSCertFile=/etc/zabbix/certs/{{zabbix_proxy}}.crt
+{% else %}
+# TLSCertFile=
+{% endif %}
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the proxy private key.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSKeyFile=/etc/zabbix/certs/{{zabbix_proxy}}.key
+{% else %}
+# TLSKeyFile=
+{% endif %}
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="psk" %}
+TLSPSKIdentity=PROXY
+{% else %}
+# TLSPSKIdentity=
+{% endif %}
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="psk" %}
+TLSPSKFile=/etc/zabbix/zabbix_proxy.psk
+{% else %}
+# TLSPSKFile=
+{% endif %}
+### Option: TLSListen
+# Setting this option enforces that only encrypted connections are accepted by trappers.
+# Supported values:
+# required - accept only TLS connections
+# Mandatory: no
+# Default:
+# TLSListen=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+### Option: DBTLSConnect
+# Setting this option enforces to use TLS connection to database.
+# required - connect using TLS
+# verify_ca - connect using TLS and verify certificate
+# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost
+# matches its certificate
+# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and
+# "verify_full".
+# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported.
+# Default is not to set any option and behavior depends on database configuration
+#
+# Mandatory: no
+# Default:
+# DBTLSConnect=
+
+### Option: DBTLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# (yes, if DBTLSConnect set to one of: verify_ca, verify_full)
+# Default:
+# DBTLSCAFile=
+
+### Option: DBTLSCertFile
+# Full pathname of file containing Zabbix proxy certificate for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSCertFile=
+
+### Option: DBTLSKeyFile
+# Full pathname of file containing the private key for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSKeyFile=
+
+### Option: DBTLSCipher
+# The list of encryption ciphers that Zabbix proxy permits for TLS protocols up through TLSv1.2
+# Supported only for MySQL
+#
+# Mandatory no
+# Default:
+# DBTLSCipher=
+
+### Option: DBTLSCipher13
+# The list of encryption ciphersuites that Zabbix proxy permits for TLSv1.3 protocol
+# Supported only for MySQL, starting from version 8.0.16
+#
+# Mandatory no
+# Default:
+# DBTLSCipher13=
+
+### Option: Vault
+# Specifies vault:
+# HashiCorp - HashiCorp KV Secrets Engine - Version 2
+# CyberArk - CyberArk Central Credential Provider
+#
+# Mandatory: no
+# Default:
+# Vault=HashiCorp
+
+### Option: VaultToken
+# Vault authentication token that should have been generated exclusively for Zabbix proxy with read only permission to path
+# specified in optional VaultDBPath configuration parameter.
+# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time.
+#
+# Mandatory: no
+# (yes, if Vault is explicitly set to HashiCorp)
+# Default:
+# VaultToken=
+
+### Option: VaultURL
+# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified.
+#
+# Mandatory: no
+# Default:
+# VaultURL=https://127.0.0.1:8200
+
+### Option: VaultPrefix
+# Custom prefix for Vault path or query depending on the Vault.
+# Most suitable defaults will be used if not specified.
+# Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
+# Example prefix for HashiCorp:
+# /v1/secret/data/zabbix/
+# Example prefix for CyberArk:
+# /AIMWebService/api/Accounts?
+# Mandatory: no
+# Default:
+# VaultPrefix=
+
+### Option: VaultDBPath
+# Vault path or query depending on the Vault from where credentials for database will be retrieved by keys.
+# Keys used for HashiCorp are 'password' and 'username'.
+# Example path with VaultPrefix=/v1/secret/data/zabbix/:
+# database
+# Example path without VaultPrefix:
+# secret/zabbix/database
+# Keys used for CyberArk are 'Content' and 'UserName'.
+# Example query:
+# AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_proxy_database
+# This option can only be used if DBUser and DBPassword are not specified.
+#
+# Mandatory: no
+# Default:
+# VaultDBPath=
+
+### Option: VaultTLSCertFile
+# Name of the SSL certificate file used for client authentication. The certificate file must be in PEM1 format.
+# If the certificate file contains also the private key, leave the SSL key file field empty. The directory
+# containing this file is specified by configuration parameter SSLCertLocation.
+#
+# Mandatory: no
+# Default:
+# VaultTLSCertFile=
+
+### Option: VaultTLSKeyFile
+# Name of the SSL private key file used for client authentication. The private key file must be in PEM1 format.
+# The directory containing this file is specified by configuration parameter SSLKeyLocation.
+#
+# Mandatory: no
+# Default:
+# VaultTLSKeyFile=
+
+####### For advanced users - TCP-related fine-tuning parameters #######
+
+## Option: ListenBacklog
+# The maximum number of pending connections in the queue. This parameter is passed to
+# listen() function as argument 'backlog' (see "man listen").
+#
+# Mandatory: no
+# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
+# Default: SOMAXCONN (hard-coded constant, depends on system)
+# ListenBacklog=
+
+####### Browser monitoring #######
+
+### Option: WebDriverURL
+# WebDriver interface HTTP[S] URL. For example http://localhost:4444 used with Selenium WebDriver standalone server.
+#
+# Mandatory: no
+# Default:
+# WebDriverURL=
+
+### Option: StartBrowserPollers
+# Number of pre-forked instances of browser item pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartBrowserPollers=1
+
+####### Additional configuration files #######
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+Include=/etc/zabbix/zabbix_proxy.d/*.conf
+
+# Include=/usr/local/etc/zabbix_proxy.general.conf
+# Include=/usr/local/etc/zabbix_proxy.conf.d/
+# Include=/usr/local/etc/zabbix_proxy.conf.d/*.conf
diff --git a/templates/zabbix_server.conf.j2 b/templates/zabbix_server.conf.j2
new file mode 100644
index 0000000..0f3f681
--- /dev/null
+++ b/templates/zabbix_server.conf.j2
@@ -0,0 +1,1173 @@
+# This is a configuration file for Zabbix server daemon
+# To get more information about Zabbix, visit https://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: ListenPort
+# Listen port for trapper.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10051
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix/zabbix_server.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+# DebugLevel=3
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_server.pid
+
+PidFile=/run/zabbix/zabbix_server.pid
+
+### Option: SocketDir
+# IPC socket directory.
+# Directory to store IPC sockets used by internal Zabbix services.
+#
+# Mandatory: no
+# Default:
+# SocketDir=/tmp
+
+### NOTE: Support for Oracle DB is deprecated since Zabbix 7.0 and will be removed in future versions.
+
+SocketDir=/run/zabbix
+
+### Option: DBHost
+# Database host name.
+# If set to localhost, socket is used for MySQL.
+# If set to empty string, socket is used for PostgreSQL.
+# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see
+# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located.
+#
+# Mandatory: no
+# Default:
+DBHost={{ db_host }}
+
+### Option: DBName
+# Database name.
+# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from
+# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to
+# empty string.
+#
+# Mandatory: yes
+# Default:
+# DBName=
+
+DBName={{ db_name }}
+
+### Option: DBSchema
+# Schema name. Used for PostgreSQL.
+#
+# Mandatory: no
+# Default:
+# DBSchema=
+
+### Option: DBUser
+# Database user.
+#
+# Mandatory: no
+# Default:
+# DBUser=
+{% if not ActiveVault %}
+DBUser={{ db_user }}
+{% endif %}
+### Option: DBPassword
+# Database password.
+# Comment this line if no password is used.
+#
+# Mandatory: no
+# Default:
+{% if not ActiveVault %}
+DBPassword={{ db_passwd }}
+{% endif %}
+### Option: DBSocket
+# Path to MySQL socket.
+#
+# Mandatory: no
+# Default:
+# DBSocket=
+
+### Option: DBPort
+# Database port when not using local socket.
+# If the Net Service Name connection method is used to connect to Oracle database, the port number from the
+# tnsnames.ora file will be used. The port number set here will be ignored.
+#
+# Mandatory: no
+# Range: 1024-65535
+# Default for MySQL: 3306
+# Default for PostgreSQL: 5432
+DBPort= {{ db_port }}
+
+### Option: AllowUnsupportedDBVersions
+# Allow server to work with unsupported database versions.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowUnsupportedDBVersions=0
+
+### Option: HistoryStorageURL
+# History storage HTTP[S] URL.
+#
+# Mandatory: no
+# Default:
+# HistoryStorageURL=
+
+### Option: HistoryStorageTypes
+# Comma separated list of value types to be sent to the history storage.
+#
+# Mandatory: no
+# Default:
+# HistoryStorageTypes=uint,dbl,str,log,text
+
+### Option: HistoryStorageDateIndex
+# Enable preprocessing of history values in history storage to store values in different indices based on date.
+# 0 - disable
+# 1 - enable
+#
+# Mandatory: no
+# Default:
+# HistoryStorageDateIndex=0
+
+### Option: ExportDir
+# Directory for real time export of events, history and trends in newline delimited JSON format.
+# If set, enables real time export.
+#
+# Mandatory: no
+# Default:
+# ExportDir=
+
+### Option: ExportFileSize
+# Maximum size per export file in bytes.
+# Only used for rotation if ExportDir is set.
+#
+# Mandatory: no
+# Range: 1M-1G
+# Default:
+# ExportFileSize=1G
+
+### Option: ExportType
+# List of comma delimited types of real time export - allows to control export entities by their
+# type (events, history, trends) individually.
+# Valid only if ExportDir is set.
+#
+# Mandatory: no
+# Default:
+# ExportType=events,history,trends
+
+############ ADVANCED PARAMETERS ################
+
+### Option: StartPollers
+# Number of pre-forked instances of pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollers=5
+
+### Option: StartAgentPollers
+# Number of pre-forked instances of asynchronous Zabbix agent pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartAgentPollers=1
+
+### Option: StartHTTPAgentPollers
+# Number of pre-forked instances of asynchronous HTTP agent pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHTTPAgentPollers=1
+
+### Option: StartSNMPPollers
+# Number of pre-forked instances of asynchronous SNMP pollers. Also see MaxConcurrentChecksPerPoller.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartSNMPPollers=1
+
+### Option: MaxConcurrentChecksPerPoller
+# Maximum number of asynchronous checks that can be executed at once by each HTTP agent poller or agent poller.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxConcurrentChecksPerPoller=1000
+
+### Option: StartIPMIPollers
+# Number of pre-forked instances of IPMI pollers.
+# The IPMI manager process is automatically started when at least one IPMI poller is started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartIPMIPollers=0
+
+
+### Option: StartPreprocessors
+# Number of pre-started instances of preprocessing worker threads should be set to no less than
+# the available CPU core count. More workers should be set if preprocessing is not CPU-bound and has
+# lots of network requests.
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# StartPreprocessors=16
+
+### Option: StartConnectors
+# Number of pre-forked instances of connector workers.
+# The connector manager process is automatically started when connector worker is started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartConnectors=0
+
+### Option: StartPollersUnreachable
+# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).
+# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers
+# are started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollersUnreachable=1
+
+### Option: StartHistoryPollers
+# Number of pre-forked instances of history pollers.
+# Only required for calculated checks.
+# A database connection is required for each history poller instance.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHistoryPollers=5
+
+### Option: StartTrappers
+# Number of pre-forked instances of trappers.
+# Trappers accept incoming connections from Zabbix sender, active agents and active proxies.
+# At least one trapper process must be running to display server availability and view queue
+# in the frontend.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartTrappers=5
+
+### Option: StartPingers
+# Number of pre-forked instances of ICMP pingers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPingers=1
+
+### Option: StartDiscoverers
+# Number of pre-started instances of discovery workers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartDiscoverers=5
+
+### Option: StartHTTPPollers
+# Number of pre-forked instances of HTTP pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHTTPPollers=1
+
+### Option: StartTimers
+# Number of pre-forked instances of timers.
+# Timers process maintenance periods.
+# Only the first timer process handles host maintenance updates. Problem suppression updates are shared
+# between all timers.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# StartTimers=1
+
+### Option: StartEscalators
+# Number of pre-forked instances of escalators.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartEscalators=1
+
+### Option: StartAlerters
+# Number of pre-forked instances of alerters.
+# Alerters send the notifications created by action operations.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartAlerters=3
+
+### Option: JavaGateway
+# IP address (or hostname) of Zabbix Java gateway.
+# Only required if Java pollers are started.
+#
+# Mandatory: no
+# Default:
+# JavaGateway=
+
+### Option: JavaGatewayPort
+# Port that Zabbix Java gateway listens on.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# JavaGatewayPort=10052
+
+### Option: StartJavaPollers
+# Number of pre-forked instances of Java pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartJavaPollers=0
+
+### Option: StartVMwareCollectors
+# Number of pre-forked vmware collector instances.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartVMwareCollectors=0
+
+### Option: VMwareFrequency
+# How often Zabbix will connect to VMware service to obtain a new data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwareFrequency=60
+
+### Option: VMwarePerfFrequency
+# How often Zabbix will connect to VMware service to obtain performance data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwarePerfFrequency=60
+
+### Option: VMwareCacheSize
+# Size of VMware cache, in bytes.
+# Shared memory size for storing VMware data.
+# Only used if VMware collectors are started.
+#
+# Mandatory: no
+# Range: 256K-2G
+# Default:
+# VMwareCacheSize=8M
+
+### Option: VMwareTimeout
+# Specifies how many seconds vmware collector waits for response from VMware service.
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# VMwareTimeout=10
+
+### Option: SNMPTrapperFile
+# Temporary file used for passing data from SNMP trap daemon to the server.
+# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file.
+#
+# Mandatory: no
+# Default:
+# SNMPTrapperFile=/tmp/zabbix_traps.tmp
+
+SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
+
+### Option: StartSNMPTrapper
+# If 1, SNMP trapper process is started.
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# StartSNMPTrapper=0
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the trapper should listen on.
+# Trapper will listen on all network interfaces if this parameter is missing.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: HousekeepingFrequency
+# How often Zabbix will perform housekeeping procedure (in hours).
+# Housekeeping is removing outdated information from the database.
+# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency
+# hours of outdated information are deleted in one housekeeping cycle, for each item.
+# To lower load on server startup housekeeping is postponed for 30 minutes after server start.
+# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option.
+# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the
+# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days.
+#
+# Mandatory: no
+# Range: 0-24
+# Default:
+# HousekeepingFrequency=1
+
+### Option: MaxHousekeeperDelete
+# The table "housekeeper" contains "tasks" for housekeeping procedure in the format:
+# [housekeeperid], [tablename], [field], [value].
+# No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value])
+# will be deleted per one task in one housekeeping cycle.
+# If set to 0 then no limit is used at all. In this case you must know what you are doing!
+#
+# Mandatory: no
+# Range: 0-1000000
+# Default:
+# MaxHousekeeperDelete=5000
+
+### Option: CacheSize
+# Size of configuration cache, in bytes.
+# Shared memory size for storing host, item and trigger data.
+#
+# Mandatory: no
+# Range: 128K-64G
+# Default:
+# CacheSize=32M
+
+### Option: CacheUpdateFrequency
+# How often Zabbix will perform update of configuration cache, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# CacheUpdateFrequency=10
+
+### Option: StartDBSyncers
+# Number of pre-forked instances of DB Syncers.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartDBSyncers=4
+
+### Option: HistoryCacheSize
+# Size of history cache, in bytes.
+# Shared memory size for storing history data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryCacheSize=16M
+
+### Option: HistoryIndexCacheSize
+# Size of history index cache, in bytes.
+# Shared memory size for indexing history cache.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryIndexCacheSize=4M
+
+### Option: TrendCacheSize
+# Size of trend write cache, in bytes.
+# Shared memory size for storing trends data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# TrendCacheSize=4M
+
+### Option: TrendFunctionCacheSize
+# Size of trend function cache, in bytes.
+# Shared memory size for caching calculated trend function data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# TrendFunctionCacheSize=4M
+
+### Option: ValueCacheSize
+# Size of history value cache, in bytes.
+# Shared memory size for caching item history data requests.
+# Setting to 0 disables value cache.
+#
+# Mandatory: no
+# Range: 0,128K-64G
+# Default:
+# ValueCacheSize=8M
+
+### Option: Timeout
+# Specifies how long to wait (in seconds) for establishing connection and exchanging data with Zabbix proxy, agent, web service, and for SNMP checks (except SNMP `walk[OID]` and `get[OID]` items) and `icmpping[*]` item.
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+Timeout=4
+
+### Option: TrapperTimeout
+# Specifies timeout in seconds for:
+# retrieval of historical data from Zabbix proxy
+# sending configuration data to Zabbix proxy
+# Global script / remote command execution on Zabbix proxy / server
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# TrapperTimeout=300
+
+### Option: UnreachablePeriod
+# After how many seconds of unreachability treat a host as unavailable.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachablePeriod=45
+
+### Option: UnavailableDelay
+# How often host is checked for availability during the unavailability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnavailableDelay=60
+
+### Option: UnreachableDelay
+# How often host is checked for availability during the unreachability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachableDelay=15
+
+### Option: AlertScriptsPath
+# Full path to location of custom alert scripts.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# AlertScriptsPath=/usr/lib/zabbix/alertscripts
+
+### Option: ExternalScripts
+# Full path to location of external scripts.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# ExternalScripts=/usr/lib/zabbix/externalscripts
+
+### Option: FpingLocation
+# Location of fping.
+# Make sure that fping binary has root ownership and SUID flag set.
+#
+# Mandatory: no
+# Default:
+# FpingLocation=/usr/sbin/fping
+
+### Option: Fping6Location
+# Location of fping6.
+# Make sure that fping6 binary has root ownership and SUID flag set.
+# Make empty if your fping utility is capable to process IPv6 addresses.
+#
+# Mandatory: no
+# Default:
+# Fping6Location=/usr/sbin/fping6
+
+### Option: SSHKeyLocation
+# Location of public and private keys for SSH checks and actions.
+#
+# Mandatory: no
+# Default:
+# SSHKeyLocation=
+
+### Option: LogSlowQueries
+# How long a database query may take before being logged (in milliseconds).
+# Only works if DebugLevel set to 3, 4 or 5.
+# 0 - don't log slow queries.
+#
+# Mandatory: no
+# Range: 1-3600000
+# Default:
+# LogSlowQueries=0
+
+LogSlowQueries=3000
+
+### Option: TmpDir
+# Temporary directory.
+#
+# Mandatory: no
+# Default:
+# TmpDir=/tmp
+
+### Option: StartProxyPollers
+# Number of pre-forked instances of pollers for passive proxies.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartProxyPollers=1
+
+### Option: ProxyConfigFrequency
+# How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600*24*7
+# Default:
+# ProxyConfigFrequency=10
+
+### Option: ProxyDataFrequency
+# How often Zabbix Server requests history data from a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ProxyDataFrequency=1
+
+### Option: StartLLDProcessors
+# Number of pre-forked instances of low level discovery processors.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartLLDProcessors=2
+
+### Option: AllowRoot
+# Allow the server to run as 'root'. If disabled and the server is started by 'root', the server
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: SSLCertLocation
+# Location of SSL client certificates.
+# This parameter is used in web monitoring and for communication with Vault.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# SSLCertLocation=${datadir}/zabbix/ssl/certs
+
+### Option: SSLKeyLocation
+# Location of private keys for SSL client certificates.
+# This parameter is used in web monitoring and for communication with Vault.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# SSLKeyLocation=${datadir}/zabbix/ssl/keys
+
+### Option: SSLCALocation
+# Override the location of certificate authority (CA) files for SSL server certificate verification.
+# If not set, system-wide directory will be used.
+# This parameter is used in web monitoring, SMTP authentication, HTTP agent items and for communication with Vault.
+#
+# Mandatory: no
+# Default:
+# SSLCALocation=
+
+### Option: StatsAllowedIP
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances.
+# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests
+# will be accepted.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: no
+# Default:
+# StatsAllowedIP=
+StatsAllowedIP=127.0.0.1
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of server modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at server startup. Modules are used to extend functionality of the server.
+# Formats:
+# LoadModule=
+# LoadModule=
+# LoadModule=
+# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
+# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSCAFile=/etc/zabbix/certs/{{zabbix_ca}}.crt
+{% else %}
+# TLSCAFile=
+{% endif %}
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the server certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+
+{% if zabbix_crypt=="tls" %}
+TLSCertFile=/etc/zabbix/certs/{{zabbix_server}}.crt
+{% else %}
+# TLSCertFile=
+{% endif %}
+### Option: TLSKeyFile
+# Full pathname of a file containing the server private key.
+#
+# Mandatory: no
+# Default:
+{% if zabbix_crypt=="tls" %}
+TLSKeyFile=/etc/zabbix/certs/{{zabbix_server}}.key
+{% else %}
+# TLSKeyFile=
+{% endif %}
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+### Option: DBTLSConnect
+# Setting this option enforces to use TLS connection to database.
+# required - connect using TLS
+# verify_ca - connect using TLS and verify certificate
+# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost
+# matches its certificate
+# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and
+# "verify_full".
+# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported.
+# Default is not to set any option and behavior depends on database configuration
+#
+# Mandatory: no
+# Default:
+# DBTLSConnect=
+
+### Option: DBTLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# (yes, if DBTLSConnect set to one of: verify_ca, verify_full)
+# Default:
+# DBTLSCAFile=
+
+### Option: DBTLSCertFile
+# Full pathname of file containing Zabbix server certificate for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSCertFile=
+
+### Option: DBTLSKeyFile
+# Full pathname of file containing the private key for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSKeyFile=
+
+### Option: DBTLSCipher
+# The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2
+# Supported only for MySQL
+#
+# Mandatory no
+# Default:
+# DBTLSCipher=
+
+### Option: DBTLSCipher13
+# The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol
+# Supported only for MySQL, starting from version 8.0.16
+#
+# Mandatory no
+# Default:
+# DBTLSCipher13=
+{% if Vault is defined %}
+### Option: Vault
+# Specifies vault:
+# HashiCorp - HashiCorp KV Secrets Engine - Version 2
+# CyberArk - CyberArk Central Credential Provider
+#
+# Mandatory: no
+# Default:
+Vault={{ Vault }}
+{% else %}
+# Vault=
+{% endif %}
+### Option: VaultToken
+# Vault authentication token that should have been generated exclusively for Zabbix server with read only permission
+# to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath
+# configuration parameter.
+# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time.
+#
+# Mandatory: no
+# (yes, if Vault is explicitly set to HashiCorp)
+# Default:
+{% if VaultToken is defined %}
+VaultToken={{ VaultToken }}
+{% else %}
+# VaultToken=
+{% endif %}
+
+### Option: VaultURL
+# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified.
+#
+# Mandatory: no
+# Default:
+{% if VaultURL is defined %}
+VaultURL={{ VaultURL }}
+{% else %}
+# VaultURL=
+{% endif %}
+
+
+
+### Option: VaultPrefix
+# Custom prefix for Vault path or query depending on the Vault.
+# Most suitable defaults will be used if not specified.
+# Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
+# Example prefix for HashiCorp:
+# /v1/secret/data/zabbix/
+# Example prefix for CyberArk:
+# /AIMWebService/api/Accounts?
+# Mandatory: no
+# Default:
+{% if VaultPrefix is defined %}
+VaultPrefix={{ VaultPrefix }}
+{% else %}
+# VaultPrefix=
+{% endif %}
+### Option: VaultDBPath
+# Vault path or query depending on the Vault from where credentials for database will be retrieved by keys.
+# Keys used for HashiCorp are 'password' and 'username'.
+# Example path with VaultPrefix=/v1/secret/data/zabbix/:
+# database
+# Example path without VaultPrefix:
+# secret/zabbix/database
+# Keys used for CyberArk are 'Content' and 'UserName'.
+# Example query:
+# AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database
+# This option can only be used if DBUser and DBPassword are not specified.
+#
+# Mandatory: no
+# Default:
+{% if VaultDBPath is defined %}
+VaultDBPath={{ VaultDBPath }}
+{% else %}
+# VaultDBPath@=
+{% endif %}
+### Option: VaultTLSCertFile
+# Name of the SSL certificate file used for client authentication. The certificate file must be in PEM1 format.
+# If the certificate file contains also the private key, leave the SSL key file field empty. The directory
+# containing this file is specified by configuration parameter SSLCertLocation.
+#
+# Mandatory: no
+# Default:
+# VaultTLSCertFile=
+
+### Option: VaultTLSKeyFile
+# Name of the SSL private key file used for client authentication. The private key file must be in PEM1 format.
+# The directory containing this file is specified by configuration parameter SSLKeyLocation.
+#
+# Mandatory: no
+# Default:
+# VaultTLSKeyFile=
+
+### Option: StartReportWriters
+# Number of pre-forked report writer instances.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartReportWriters=0
+
+### Option: WebServiceURL
+# URL to Zabbix web service, used to perform web related tasks.
+# Example: http://localhost:10053/report
+#
+# Mandatory: no
+# Default:
+# WebServiceURL=
+
+### Option: ServiceManagerSyncFrequency
+# How often Zabbix will synchronize configuration of a service manager (in seconds).
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ServiceManagerSyncFrequency=60
+
+### Option: ProblemHousekeepingFrequency
+# How often Zabbix will delete problems for deleted triggers (in seconds).
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ProblemHousekeepingFrequency=60
+
+## Option: StartODBCPollers
+# Number of pre-forked ODBC poller instances.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartODBCPollers=1
+
+### Option: EnableGlobalScripts
+# Enable global scripts on Zabbix server.
+# 0 - disable
+# 1 - enable
+#
+# Mandatory: no
+# Default:
+# EnableGlobalScripts=1
+EnableGlobalScripts=0
+
+# Option: AllowSoftwareUpdateCheck
+# Allow Zabbix UI to receive information about software updates from zabbix.com
+# 0 - disable software update checks
+# 1 - enable software update checks
+#
+# Mandatory: no
+# Default:
+# AllowSoftwareUpdateCheck=1
+
+### Option: SMSDevices
+# List of comma delimited modem files allowed to use Zabbix server
+# SMS sending not possible if this parameter is not set
+# Example: SMSDevices=/dev/ttyUSB0,/dev/ttyUSB1
+#
+# Mandatory: no
+# Default:
+# SMSDevices=
+
+####### For advanced users - TCP-related fine-tuning parameters #######
+
+## Option: ListenBacklog
+# The maximum number of pending connections in the queue. This parameter is passed to
+# listen() function as argument 'backlog' (see "man listen").
+#
+# Mandatory: no
+# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
+# Default: SOMAXCONN (hard-coded constant, depends on system)
+# ListenBacklog=
+
+
+####### High availability cluster parameters #######
+
+## Option: HANodeName
+# The high availability cluster node name.
+# When empty, server is working in standalone mode; a node with empty name is registered with address for the frontend to connect to.
+#
+# Mandatory: no
+# Default:
+{% if ZabbixHA %}
+HANodeName={{ inventory_hostname }}
+{% else %}
+# HANodeName=
+{% endif %}
+## Option: NodeAddress
+# IP or hostname with optional port to specify how frontend should connect to the server.
+# Format:
[:]
+#
+# If IP or hostname is not set, then ListenIP value will be used. In case ListenIP is not set, localhost will be used.
+# If port is not set, then ListenPort value will be used. In case ListenPort is not set, 10051 will be used.
+# This option can be overridden by address specified in frontend configuration.
+#
+# Mandatory: no
+# Default:
+{% if ZabbixHA %}
+NodeAddress={{ ansible_default_ipv4.address }}:10051
+{% else %}
+# NodeAddress=
+{% endif %}
+####### Browser monitoring #######
+
+### Option: WebDriverURL
+# WebDriver interface HTTP[S] URL. For example http://localhost:4444 used with Selenium WebDriver standalone server.
+#
+# Mandatory: no
+# Default:
+# WebDriverURL=
+
+### Option: StartBrowserPollers
+# Number of pre-forked instances of browser item pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartBrowserPollers=1
+
+####### Additional configuration files #######
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+Include=/etc/zabbix/zabbix_server.d/*.conf
+
+# Include=/usr/local/etc/zabbix_server.general.conf
+# Include=/usr/local/etc/zabbix_server.conf.d/
+# Include=/usr/local/etc/zabbix_server.conf.d/*.conf
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..c160bf7
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - zabbix
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..1edae81
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1 @@
+# vars file for zabbix
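Review bot: `remote_user: root` in the tests/test.yml play makes the run log in as root directly, so any host this file is pointed at has to accept root logins and every task runs privileged whether it needs to or not. Connecting as the inventory's ordinary account and escalating per play is the usual arrangement and keeps the record of who escalated: drop the `remote_user` line and add `become: true` under `- hosts: localhost`. The target here is only localhost, so the exposure is limited to the test run, but this file is likely to be copied as the example of how to apply the role.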