diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..09d401b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+files/*.crt
+files/*.key
\ No newline at end of file
diff --git a/README.md b/README.md
index 225dd44..51fc174 100644
--- a/README.md
+++ b/README.md
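Review bot: Ignoring `files/*.crt` and `files/*.key` only prevents future commits; the private keys this same commit deletes (`files/zabbix_ca.key`, `files/zabbix_server.key`, `files/zabbix_proxy.key`, `files/zabbix_agent.key`) remain retrievable from the repository history. That CA and every certificate it signed should be treated as exposed: generate a new CA, reissue the leaf certificates, and rewrite history if the repository is shared. The README added in this commit lists the expected files as `zabbix_ca.cert`, `zabbix_server.cert` and so on, which these patterns do not match, while the tasks copy `{{ zabbix_ca }}.crt`. Either the README extension should read `.crt`, or the ignore list also needs `files/*.cert`.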
@@ -1,31 +1,154 @@ -Role Name +Zabbix ========= -A brief description of the role goes here. +Deploiement d'une infrascutrure ZAbbix complete +Deux serveur zabbix +- HA +- Keealived pour nginx +- Certiticats TLS + +Distribution prise en charges: +- Debian13 +- Almalinux + +Pour Ajouter une distribution RHEL like +Ajouter un block dans tasks/main.yml + +Similaire à ceci ( voir https://www.zabbix.com/download pour le path associé a votre distribution): +``` +- name: Prepare + when: ansible_distribution == "AlmaLinux" <= Nom de votre distriution + block: + - name: add gpg + ansible.builtin.dnf: + name: gnupg2 + state: present + - name: Copie GPG key + ansible.builtin.copy: + src: RPM-GPG-KEY-ZABBIX-B5333005 + dest: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Import a key + ansible.builtin.rpm_key: + state: present + key: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Add Package + ansible.builtin.dnf: + name: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release//{{ ansible_distribution_major_version }}/noarch/zabbix-release-latest-{{ zabbix_version }}.el{{ ansible_distribution_major_version }}.noarch.rpm" + state: present +``` Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 
+Nécéssite les fichiers de certificats suivants: -Role Variables +- zabbix_ca.cert +- zabbix_server.cert +- zabbix_server.key +- zabbix_agent.cert +- zabbix_agent.key +- zabbix_proxy.cert +- zabbix_proxy.key + +Ces fichiers sont a déposer dans /files + +Note: vous pouvez changer le nom des fichiers en ce cas modifier les variables suivante dans default/main.yml +``` +zabbix_ca: zabbix_ca +zabbix_server: zabbix_server +zabbix_proxy: zabbix_proxy +zabbix_agent: zabbix_agent +``` + +# Variables -------------- +## Role Variables -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +Variable definies dans default/main.yml + +# defaults file for zabbix + + +| Variable | Role | Remarques| +|----------|------|----------| +|zabbix_version|Version de zabbix|Ne fonctionnent actuellement pour les Debian| +|roles_cibles| utlisés pour générer les Variable Server et ActiveServer | Exemple:['srv', 'proxy']| +|db_name|Nom de la base de postgres des serveurs|| +|db_user|Nom de l'utilisateur de la base postgres serveurs|| +|db_passwd|Mot de passe l'utilisateur de la base postgres serveurs|| +|proxy_db_name|Nom de la base des proxys|| +|proxy_db_user|Nom de l'utilisateur de la base des proxys|| +|proxy_db_passwd|Mot de passe de l'utilisateur de la base des proxys|| +|zabbix_ca|Nom du fichier de CA|| +|zabbix_server|Nom du fichier de certificat utilisés par les serveurs|| +|zabbix_proxy|Nom du fichier de certificat utilisés par les proxy|| +|zabbix_agent|Nom du fichier de certificat utilisés par les agents|| + + +## Group Variables + +| Variable | Role | Remarques| +|----------|------|----------| +|db_host| adatabase.bv.stef.lan| +|db_port| 5432|Non utilisé pour le moment| +|postgresql_version|| 
Exemple 17, uniquement implementé dans débian| +|zabbix_crypt| Type de chiffrement utilisé| tls ou psk pour le moment seul tls est totalement implementé| +|zabbix_cert_ca_name| zabbix_ca|| +|zabbix_cert_server_name| zabbix_server|| +|zabbix_cert_agent_name| zabbix_agent|| +|TLSServerCertSubject| DN des serveurs zabbix| exemple: "CN=zabbix_server,C=FR"| +|TLSServerCertIssuer| DN du CA zabbix| exemple: "CN=zabbix_ca,C=FR"| +|ZabbixHA| Activation du HA ou non | true ou false| +|vip_address| Vip keealived des nginx| exemple 192.168.200.75| +|vip_fqdn| FQDN de la Vip keealived des nginx|exemple: zabbix.mondomain.com| +|ActiveVault| Active ou non le vault| true ou false| +|Vault| Modele du vault| HashiCorp actuellement uniquement implémenté| +|VaultToken|Token d'acces au vault|| +|VaultURL| Url du vault | exemple: https://vault.mondomain.com| +|VaultPrefix| Path des secret zabbix| exemple: /v1/secret/data/zabbix/| +|VaultDBPath| nom du secret des credential d'acces DB| exemple: /database| + +## Hosts Variables +L'host master keepalived doit contenir: +``` +keepalived: + state: MASTER + priority: 244 +``` + +L'host backup keepalived doit contenir: +``` +keepalived: + state: BACKUP + priority: 243 +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +None + +Exemple Inventory + + zabbix_instance01: + hosts: + server01.mondomain.com: + role: srv + server02.mondomain.com: + role: srv + database.mondomain.com: + role: db + front.mondomain.com: + role: front + proxy01.mondomain.com: + role: proxy + proxy02.mondomain.com: + role: proxy Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - hosts: servers - roles: - - { role: username.rolename, x: 42 } License ------- 
diff --git a/defaults/main.yml b/defaults/main.yml index 40b657b..6079d9a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,59 +1,7 @@ --- # defaults file for zabbix -rhel_db_packages: - - postgresql-server - - postgresql - - postgresql-plpython3 - - zabbix-agent2 - -rhel_srv_packages: - - zabbix-server-pgsql - - zabbix-sql-scripts - - zabbix-selinux-policy - - zabbix-agent2 - -rhel_agent_packages: - - zabbix-agent2 - -rhel_front_packages: - - zabbix-web-pgsql - - zabbix-nginx-conf - - zabbix-agent2 - - -rhel_proxy_packages: - - mariadb - - zabbix-proxy-mysql - - zabbix-sql-scripts - - zabbix-agent2 - -debian_db_packages: - - postgresql-contrib - - postgresql - - python3-psycopg2 - - zabbix-sql-scripts - - zabbix-agent2 - -debian_srv_packages: - - zabbix-server-pgsql - - zabbix-agent2 - -debian_proxy_packages: - - mariadb-server - - zabbix-proxy-mysql - - zabbix-sql-scripts - - zabbix-agent2 - -debian_agent_packages: - - zabbix-agent2 - -debian_front_packages: - - zabbix-frontend-php - - php8.4-pgsql - - zabbix-nginx-conf - - nginx - - zabbix-agent2 +zabbix_version: 7.4 roles_cibles: ['srv', 'proxy'] db_name: zabbix diff --git a/files/RPM-GPG-KEY-ZABBIX-B5333005 b/files/RPM-GPG-KEY-ZABBIX-B5333005 new file mode 100644 index 0000000..ef43a30 --- /dev/null +++ b/files/RPM-GPG-KEY-ZABBIX-B5333005 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGYwjIcBEADHPOcYeW6xpiMh2ZO6a9OCncCs4IBQa7Ie+omyzJLNldnBMrxO +jbZXY2brQZWu5GEA6rTrexbfq9w/MaGiV5hAJ/x9oKHHKod79IfYLWsYS+rKTEr4 +OptCGYqmJhdB29m44feut/PjjbjTuD0nwkaaE4Cm90r2aHMj5CcuD0/V823MgOwY +v5uz1Az9OhMLHB+qO/QDGZOxfmETpfj0J1Sh1afTngXoPgyniBT0BuyAMRlb2js6 +QSpT9AnVxVDMVZwu5Ioy9Jf1Rz8ibP6LTN4Rh+TDFJizzoqJMqfDjN8PculcVZvG +j3bpweL0txhSykuLN75GPP1DO7rSVljIAChpY1hPtpYBD3F7uL0udpauVhVUY3Vs +13kxbsDgSr84s+tpRxV9BaQy2pjQY/jyesbFpFCjGHqUZVS1F3huWYBukQn3Em7C +X3WgzWe1iewPxENCLSGfSEVBcQ28guNvy2INcHHjx+AWOXFfkDKVZtBOH5MVr6hR +/xJH9S8Pd4wJZ4wvXwwDUBMD0Jju5ELE9/NQty8AeL6tjZomVhO2nFUe3N0lKE2K +wNLt0N4PqDrCHogQ7knROMR+9KqjFu+ko39TZmCUlVncX3s0v0t9gxIK9zQoX9p6 +ngAr7IM8rGe/BGD7crYsrveWtBA7AY2DX9Z9iQylsXrq8tfGyhMaH3SgLwARAQAB +tCtaYWJiaXggTExDIChBcHIgMjAyNCkgPHBhY2thZ2VyQHphYmJpeC5jb20+iQJU +BBMBCgA+FiEETD1vLMdfUUZ1T8N02RMhmrUzMAUFAmYwjIcCGwMFCRLMAwAFCwkI +BwMFFQoJCAsFFgIDAQACHgECF4AACgkQ2RMhmrUzMAWf/w/+NSQz9LfZo7eNuKpd +piWsQgI+73sdLXmABp9kNWYrYTghXUe0WkWyLuFRMOh4fxZCtdiwpeEKGEDUgPr7 +gTMH7ay7gD2kCJLCJl1tUCh4ryXJvVMyN9J+x7w742fOdPrVK9/ULad1KAH6zx+J +Ym/Qt5JfYMhjeCIBKpappGMVCFb3sEJUT4e7ggqt9uUgbjlpQtYhZg65vaX9C7qZ +EXxaWEfBkBNiHEeImuv6wjp1rM4cNMQW7lnfnvlo1MmkmDzQjCFA5g41DvK1YQcE +HWDW6Zp30SGQqthEHNOPHezNCxD1vMxfUCUawSZP5ajuK6o/CGM9L5rjvcCnpe+6 +JVCX93KkPB0VqgfzzHB7OQsWQ8csRkjsW0v+5PkXbRRkf98YzaYDqVa1AvGv5YOv +alEPlqvQ6Xnm/6xV9gIr49Kgkf+VFvigbvwKfiH0hseWZN5ykswFoZ4mvYCJO6m4 +ouU4sSW8AM/LxHHvlAZdO9h8O961nh5fs8AIl4EJb+4kClnYFGaguCKZyAu1V7bJ +vDZ0OlaRtnh2cEPBd9W0CoPZaEHYcUDFmMIlxab1oGgDqIN4SJoCTnJLJ4BloQFs +9rIpAMcXxA3lqNnBjbolXqUTJq9WIpe6q/r38ADh0M5najksbwZWU0WZ+j2DJmgV +otW7wuTabGL9k3lnyNRwlK4OkRe5Ag0EZjCMhwEQAL1RylY+ljV/Ma9rAcZxwT08 +/emKEE4VMeDlJbzEWeMNjx8IpeVI3JlADkolbggcBEELZiwRRAJrJaYcBDNq0ZmE +BG5ffJin12iIU6f0GFg4x4elcPi9diP/1foz6k93eWYMpAj17B1YTM9ZgKKIJmuf +8GDsMTb/AgHcGC+gkduZGakUcHv538o+ub8/021HPqmYcF/HVaENv0LJd3yxLB6/ +mhSCT9axuX6NDQxVxzXKz+PAnz1uYyz7yZB4YXROHNwnvOGPYbljIGQPTIgjrCNP 
+26ySH9t6JYxWY7bXJKGepSnk0QeGHiM0p6TC9n3BS6RkmKUt0c6cXbW+BCc8QHOj +jzPOxjbvpmbZtVo56ZQYm/DWuj0lg+/pYKSReX5YJ8gnvhRoNM/fLeWsIGMZJaM9 +DygVTU0/0r7rxYbXoDqHMhsdMvjmrSAD3pDcPDci6WyeaLcvphvfZR4uyKtz1FS0 +GU+B0ly1gwItDca2En01AbrYX3eLnSw6ZwegBy42gnzAooFmGrfQUuskr+j5hxzs +BBCTtU6zEBGIMAVs1pNCnUVEleD/2E2U4Uzqi/XQv95b3msqP3tNkWrp1Em12Wls +2bIe47+uOpfcxzsAADLTu5avJT0YcJ3u1lBB6rIBcFL6kmkqD1u2pgFZw5Otdo4h +/8gxK3CZ/g81yCsBOcNZABEBAAGJAjwEGAEKACYWIQRMPW8sx19RRnVPw3TZEyGa +tTMwBQUCZjCMhwIbDAUJEswDAAAKCRDZEyGatTMwBeZUEACOatbYmCCIdcqF05id +GsoPRqXEQHj8cY3NmzD4nlATJPHLN8+p6TH1mDInnBFfDp6Ll1u8PHnvGccVDUl+ +aJCDCOcscqaKNaIbAi39OFLyED/j1t2g0VH9M0F41ZOofQN/Tf4SaR3ziY4j4hn+ +pWpzqcdQ4zCSA+c95NijkeSgGFdT8OzCbWrmvKHdoeaescRMJg3Zmi3Aegqaaxe8 +MMmixmGYk7jz35G0oBABCEcWTeqFXpQIG91AN5F0qe+tgQgwEr2N8YvIdRUb0e1c +Yc7Ly7pNHgH7wd0L2SND2pamXrZ6+kbUVVg46aa6XKvx36Fa2R0n6Var+Dcb9Rsr +mLq69/n2C18QLKwMnVSJfetPzQhAOnJ85Q2alRIyrMa7wq7+5NLcNBTGRRm4WYut +mzRvmmMmt0r+LOaV1fUdtfUVyIDrAb7rdqGW4eGbWTSLOcSgX7czThne7/v3zuSP +N0nc8yosGQp2aT8XCuzWqGQQ10NxUKP374jdetWgFI/8fH5zVx67TrViJ0FnK2Ug +CTtaHKt7jwwkMs6Y0kCCi/xysw+6UlDmBvzM5TVcWSO/lDUotFccn7IC782ghT03 +pY9AfSJCu2NB44LODaLg9jyXbv2MPq8ZsWRqxxmmCUinmQMV6rI/nWPZpgEpKId7 +RF/42ix6CdCLj9WuDJRHAPA6nA== +=iQwh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/files/zabbix_agent.crt b/files/zabbix_agent.crt deleted file mode 100644 index 0ac9510..0000000 --- a/files/zabbix_agent.crt +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICKTCCAYqgAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5YwCgYIKoZIzj0EAwMw -ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNzAw -NTZaFw0yNzAyMTQxNzAwNTZaMCQxCzAJBgNVBAYTAkZSMRUwEwYDVQQDDAx6YWJi -aXhfYWdlbnQwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAF1NBVjvH9JE+SbFBVI -aZZiJn9gXzUHUjhPwCzcHt55jOmbrrszPpOUeYe+5ahqr96sdNS5d+Gc3JNym0UU -mXS6rgHj/3weApB6SmRUOk7im/PmegSECOgA4GSEgP97eoBjYNJNbGw7ybpGoTX0 -Bu+amWlETXDlpi5huUkXx86wiy93vaNaMFgwHwYDVR0jBBgwFoAUIO5hY4gGmlcl -Mw78YGdwHqHJLVswCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPRT -QcdvRdtphLmDBwtx+7MXd9NiMAoGCCqGSM49BAMDA4GMADCBiAJCAXCtWzhuuXX7 -r9duhPWWPJcoL94r71QOgTuMIFp2hGEQQTkpDn8npQe33SEzKleiYlgk1TsNcOGC -V7bzrryRAZbFAkIAzgZP2zW2Vhr6AF0EDW3S7A35v/oi0bGOuuCE7Kb2V9rcaAwM -k9tVv3bRZIAF6bowHcdxNCdUlptk0q1NNE6h43I= ------END CERTIFICATE----- diff --git a/files/zabbix_agent.key b/files/zabbix_agent.key deleted file mode 100644 index 7be598b..0000000 --- a/files/zabbix_agent.key +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN EC PARAMETERS----- -BgUrgQQAIw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIBIKtXJBBZMdk4xVf9qKzrJGJks/aruTaX226yh0XHDR2l+49jlwIh -z2LuWCBSnWkOearNi0CiD/0SqBypl6GAvtmgBwYFK4EEACOhgYkDgYYABAF1NBVj -vH9JE+SbFBVIaZZiJn9gXzUHUjhPwCzcHt55jOmbrrszPpOUeYe+5ahqr96sdNS5 -d+Gc3JNym0UUmXS6rgHj/3weApB6SmRUOk7im/PmegSECOgA4GSEgP97eoBjYNJN -bGw7ybpGoTX0Bu+amWlETXDlpi5huUkXx86wiy93vQ== ------END EC PRIVATE KEY----- diff --git a/files/zabbix_ca.crt b/files/zabbix_ca.crt deleted file mode 100644 index 4cd125f..0000000 --- a/files/zabbix_ca.crt +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICLjCCAZCgAwIBAgIUf6NkS48Id1xnJfmxiYE95Rt5W/IwCgYIKoZIzj0EAwMw -ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNjU5 -MjlaFw0zNjAyMTIxNjU5MjlaMCExCzAJBgNVBAYTAkZSMRIwEAYDVQQDDAl6YWJi -aXhfY2EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACYb7pFnvHYBLPUiUNtaBqK -/zxQQ0JQ0xBBvKN1Lfpew0BlmPy8ZFdTrUz4BohVbmYmkdQ58BO/Gs1CUlxiHS7P -8AApdAfIUdQtOdcy6KQ7FErTyDwyf594GHqWw4ycLaOaYocrV3ItZyYE083piGds -Fbg9vlzj1deBlTRCkgSglCLoa6NjMGEwHQYDVR0OBBYEFCDuYWOIBppXJTMO/GBn -cB6hyS1bMB8GA1UdIwQYMBaAFCDuYWOIBppXJTMO/GBncB6hyS1bMA8GA1UdEwEB -/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA4GLADCBhwJBRUwp -n7+2jjrsTkR9NjP5DJP2sav0JJf5u80Y86mslp6rEIU4VTcwVhNXyvzUPrTS308t -FlCnOcKDA/Pd68A8My4CQgHb5LHzI+Np3FT+kb4gvOw9YgHFUS5iDy4yB9ffT6z1 -5QrcIaD0atAPVyM4u7wVoif9wcHcyRiGFR+qaV6UwwoFHA== ------END CERTIFICATE----- diff --git a/files/zabbix_ca.key b/files/zabbix_ca.key deleted file mode 100644 index e28f500..0000000 --- a/files/zabbix_ca.key +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIB+MT26kyyojwNQxOgLQ10uFxH2DHG+iT2h9xa82BwvUod9AhPytAB -mQJhx/GYHMnFH5ff4nya20Xsj1/NTEeVHH+gBwYFK4EEACOhgYkDgYYABACYb7pF -nvHYBLPUiUNtaBqK/zxQQ0JQ0xBBvKN1Lfpew0BlmPy8ZFdTrUz4BohVbmYmkdQ5 -8BO/Gs1CUlxiHS7P8AApdAfIUdQtOdcy6KQ7FErTyDwyf594GHqWw4ycLaOaYocr -V3ItZyYE083piGdsFbg9vlzj1deBlTRCkgSglCLoaw== ------END EC PRIVATE KEY----- diff --git a/files/zabbix_proxy.crt b/files/zabbix_proxy.crt deleted file mode 100644 index f389bd3..0000000 --- a/files/zabbix_proxy.crt +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICKTCCAYqgAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5cwCgYIKoZIzj0EAwMw -ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxODE5 -MjlaFw0yNzAyMTQxODE5MjlaMCQxCzAJBgNVBAYTAkZSMRUwEwYDVQQDDAx6YWJi -aXhfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACasAU16MClAB06k8lQ -G2hn6CUJCBKhjOcIRZqL1L5PdWprqnKfYdioOgzHfIlgikBrGryI66wj3SMWwtOB -pZXg3wDcPRLSDDkwZa0hjCQfUHqO1wPQKN8sfnY1X41LXz4RrV79OLEbw1zvbAvG -+Z0yIlNnEFtP/vAapciWFaUUChSarqNaMFgwHwYDVR0jBBgwFoAUIO5hY4gGmlcl -Mw78YGdwHqHJLVswCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPPI -gzk03dz6sWYKdd2MW2n4Y5LrMAoGCCqGSM49BAMDA4GMADCBiAJCASKlHzi830st -8RM0DtPRF4v4YiPNSK4bFXiAS+/OjveR1Y6oFQfuZZinTFUU3P9A5UfinxqLrDJW -iMtjmym4JYmZAkIAmwn9mVrpoKtUmxwBbPDhJLrgCTXPP0sttIuRRDbrGsSTCDhB -HXaRfoA5969eZJ6zcGxI84TZzYSRvvE5AjMxH+k= ------END CERTIFICATE----- diff --git a/files/zabbix_proxy.key b/files/zabbix_proxy.key deleted file mode 100644 index 7e20868..0000000 --- a/files/zabbix_proxy.key +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN EC PARAMETERS----- -BgUrgQQAIw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIBlgrJJI/T9N2pOj5pFrMfuDaYboRfqckR2U0NnOVpqgUBLyVzQK+l -s7iNnopgtqPEUI6zRVQCMAEII0Relhoc7+egBwYFK4EEACOhgYkDgYYABACasAU1 -6MClAB06k8lQG2hn6CUJCBKhjOcIRZqL1L5PdWprqnKfYdioOgzHfIlgikBrGryI -66wj3SMWwtOBpZXg3wDcPRLSDDkwZa0hjCQfUHqO1wPQKN8sfnY1X41LXz4RrV79 -OLEbw1zvbAvG+Z0yIlNnEFtP/vAapciWFaUUChSarg== ------END EC PRIVATE KEY----- diff --git a/files/zabbix_server.crt b/files/zabbix_server.crt deleted file mode 100644 index 1d76111..0000000 --- a/files/zabbix_server.crt +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICKTCCAYugAwIBAgIUZxhmpvLrqv/1ePzPg28YX/V3q5UwCgYIKoZIzj0EAwMw -ITELMAkGA1UEBhMCRlIxEjAQBgNVBAMMCXphYmJpeF9jYTAeFw0yNjAyMTQxNzAw -MzRaFw0yNzAyMTQxNzAwMzRaMCUxCzAJBgNVBAYTAkZSMRYwFAYDVQQDDA16YWJi -aXhfc2VydmVyMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAQNnum/k11nyoW7yc -6LICHe+rHmv18AguNfVg/tQ1lk9DPkOYp3xC+kcZQDkazeKqxEKY9l3jzG84gxvW -qtlc4o0BvoYEEKLPiLXfKSzhkXcmyiAwXKT71t6peDIGYCnZHC8n6Hsio1UH9voA -R6+bc3/rX+xxsDn1KiJ9ibHwyYeoSgGjWjBYMB8GA1UdIwQYMBaAFCDuYWOIBppX -JTMO/GBncB6hyS1bMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMB0GA1UdDgQWBBQ+ -1/AYNQleyhffJLBauHtkqwYu0TAKBggqhkjOPQQDAwOBiwAwgYcCQQf2/5hVMbPP -L18i8VzeSZvNu+hqho0zGqTMY7oCekbEH6J4w+QQqslr9ps+9d+ce3nuQtuJEIBl -1PCgaTHq5Ht7AkIBs+uzxTYQCRRvZ3CtjxYYYKLbSimqGWlnV9qMHASBxV/dskHU -nP/JzeMgJuG44HwdaeqAb1dS1PYsYkPMkdwtLcQ= ------END CERTIFICATE----- diff --git a/files/zabbix_server.key b/files/zabbix_server.key deleted file mode 100644 index a5c9771..0000000 --- a/files/zabbix_server.key +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN EC PARAMETERS----- -BgUrgQQAIw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIBWA0qpIubCVTvFj0jmQvNl5ucVI5wngXTLwiH6R9naCscSw7fxdRN -W52RikdZnQpExdY7m7cP7oWc/rTsTOAc2wqgBwYFK4EEACOhgYkDgYYABABA2e6b -+TXWfKhbvJzosgId76sea/XwCC419WD+1DWWT0M+Q5infEL6RxlAORrN4qrEQpj2 -XePMbziDG9aq2VzijQG+hgQQos+Itd8pLOGRdybKIDBcpPvW3ql4MgZgKdkcLyfo -eyKjVQf2+gBHr5tzf+tf7HGwOfUqIn2JsfDJh6hKAQ== ------END EC PRIVATE KEY----- diff --git a/handlers/main.yml b/handlers/main.yml index a5a5b8e..d227dcc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,6 +10,11 @@ name: nginx state: restarted +- name: Restart php-fpm + service: + name: php-fpm + state: restarted + - name: Restart Zabbix Server service: name: zabbix-server @@ -23,4 +28,10 @@ - name: Restart Zabbix Agent2 service: name: zabbix-agent2 - state: restarted \ No newline at end of file + state: restarted + +- name: Restart Keepalived + service: + name: keepalived + state: restarted + 
diff --git a/tasks/Debian/install-agent2.yml b/tasks/Debian/install-agent2.yml
new file mode 100644
index 0000000..4b6dbd4
--- /dev/null
+++ b/tasks/Debian/install-agent2.yml
@@ -0,0 +1,66 @@
+
+- name: Agent2 - Install packages
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ agent.packages }}"
+ tags:
+ - install_agent
+
+- name: Agent2 - Find Group
+ set_fact:
+ my_group: "{{ group_names | first }}"
+
+- name: Agent2 - Créer la liste des hôtes correspondant aux rôles cibles
+ set_fact:
+ hotes_filtres: >-
+ {{ groups[my_group] |
+ map('extract', hostvars) |
+ selectattr('role', 'in', roles_cibles) |
+ map(attribute='inventory_hostname') |
+ list }}
+
+- name: Agent2 - Generate Server List
+ set_fact:
+ Server: "{{ hotes_filtres | join(',') }}"
+
+- name: Agent2 - Generate ActiveServer List
+ set_fact:
+ ServerActive: "{{ hotes_filtres | join(';') }}"
+
+- name: Agent2 - Generate agent2 config
+ ansible.builtin.template:
+ src: zabbix_agent2.conf.j2
+ dest: /etc/zabbix/zabbix_agent2.conf
+ owner: zabbix
+ group: zabbix
+ mode: 0640
+
+- name: Agent2 - Create cert directory if zabbix_crypt=="tls"
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Agent2 - Copy Certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca }}.crt"
+ - "{{ zabbix_agent }}.crt"
+ - "{{ zabbix_agent }}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Enable and start service zabbix agent2
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-agent2
diff --git a/tasks/Debian/install-db.yml b/tasks/Debian/install-db.yml
new file mode 100644
index 0000000..5768078
--- /dev/null
+++ b/tasks/Debian/install-db.yml
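Review bot: `Agent2 - Copy Certificats` copies `{{ zabbix_agent }}.key` with no `mode`, so the private key gets whatever the default umask yields (commonly world-readable), and `/etc/zabbix/certs` is created without a `mode` as well. Give each file an explicit mode, `0600` for the key and `0644` for the certificates, as sketched below, and set `mode: "0750"` on the directory task. The same omission is in the certificate-copy tasks of `tasks/Debian/install-proxy.yml`, `tasks/Debian/install-srv.yml` and the three `tasks/RedHat/` counterparts. Separately, `state: latest` combined with an unconditional `state: restarted` upgrades and restarts the agent on every run; `state: present` plus `notify: Restart Zabbix Agent2` on the template task would keep the play idempotent.

```yaml
# … unchanged: package install, Server/ServerActive facts, config template, cert directory …
- name: Agent2 - Copy Certificats
  ansible.builtin.copy:
    src: "{{ item.file }}"
    dest: "/etc/zabbix/certs/{{ item.file }}"
    owner: zabbix
    group: zabbix
    mode: "{{ item.mode }}"
  loop:
    - { file: "{{ zabbix_ca }}.crt", mode: "0644" }
    - { file: "{{ zabbix_agent }}.crt", mode: "0644" }
    - { file: "{{ zabbix_agent }}.key", mode: "0600" }
  when: zabbix_crypt=="tls"
# … unchanged: service enable/start …
```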
@@ -0,0 +1,73 @@ +- name: Database - Install packages + ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ db.packages }}" + tags: + - install_db + when: ansible_os_family == "Debian" + +- name: Database - Enable and start service postgresl + ansible.builtin.service: + name: postgresql + state: started + enabled: yes + tags: + - install_db + +- name: Database - Generate create db script + ansible.builtin.template: + src: create_db.j2 + dest: /tmp/create_db.sql + owner: postgres + tags: + - install_db + +- name: Database - Create DB + ansible.builtin.shell: su - postgres -c 'psql -f /tmp/create_db.sql' + tags: + - install_db + +- name: Database - Add zabbix user to pg_hba + ansible.builtin.lineinfile: + path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf + insertafter: '# Database administrative login by Unix domain socket' + line: "local {{ db_name }} {{ db_user }} trust" + firstmatch: yes + state: present + +- name: Database - Find Group + set_fact: + my_group: "{{ group_names | first }}" + +- name: Database - Créer les entrées pg_hba pour tous les hosts avec rôle 'srv' + lineinfile: + path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf + line: "host {{ db_name }} {{ db_user }} {{ hostvars[item]['ansible_default_ipv4']['address'] }}/32 md5" + state: present + loop: "{{ groups[my_group] }}" + when: + - hostvars[item].role is defined + - hostvars[item].role == 'srv' or hostvars[item].role == 'front' + - hostvars[item]['ansible_default_ipv4'] is defined + +- name: Database - Configure postgres Listen address + ansible.builtin.lineinfile: + path: /etc/postgresql/17/main/postgresql.conf + regexp: '^#listen_addresses = .*' + line: "listen_addresses = '*'" + tags: + - install_db + + +- name: Database - Restart postgresql + service: + name: postgresql + state: restarted + tags: + - install_db + +- name: Database - Populate zabbix database + ansible.builtin.shell: 'zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | psql 
-Uzabbix zabbix' + tags: + - install_db \ No newline at end of file diff --git a/tasks/Debian/install-front.yml b/tasks/Debian/install-front.yml new file mode 100644 index 0000000..796066a --- /dev/null +++ b/tasks/Debian/install-front.yml @@ -0,0 +1,41 @@ +- name: Front - Install packages + ansible.builtin.apt: + name: "{{ item }}" + state: present + loop: "{{ front.packages }}" + tags: + - install_front + +- name: Front - Configure nginx port + ansible.builtin.lineinfile: + path: /etc/zabbix/nginx.conf + regexp: 'listen 8080;' + line: " listen 80;" + tags: + - install_front + +# - name: Front - Setup +# ansible.builtin.template: +# src: zabbix_front.conf.j2 +# dest: /etc/zabbix/web/zabbix.conf.php +# owner: www-data +# group: www-data +# mode: 0600 + +- name: Front - Configure nginx url + ansible.builtin.lineinfile: + path: /etc/zabbix/nginx.conf + regexp: 'server_name example.com;' + line: " server_name {{ inventory_hostname }};" + tags: + - install_front + notify: Restart nginx + +- name: Front - Configure keepalived + ansible.builtin.template: + src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + owner: root + group: root + mode: 0644 + notify: Restart Keepalived diff --git a/tasks/Debian/install-proxy.yml b/tasks/Debian/install-proxy.yml new file mode 100644 index 0000000..2417b0e --- /dev/null +++ b/tasks/Debian/install-proxy.yml 
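Review bot: In `tasks/Debian/install-db.yml`, the `pg_hba.conf` line `local {{ db_name }} {{ db_user }} trust` lets any local OS account on the database host connect as the Zabbix DB user without a password; it appears to exist only so the later `psql -Uzabbix zabbix` import can run. Use `scram-sha-256` there and on the `host` entries (currently `md5`), and run the import with the password supplied from a protected source rather than relying on `trust`. `listen_addresses = '*'` opens PostgreSQL on every interface although only the `srv` and `front` hosts are granted access, and that task hard-codes `/etc/postgresql/17/main/postgresql.conf` while the neighbouring tasks use `{{ postgresql_version }}`. `/tmp/create_db.sql` is written without a `mode` and never removed; if the template embeds `db_passwd` (not visible here), it should be `mode: "0600"` and deleted after use. `tasks/RedHat/install-db.yml` repeats the `trust`, `md5`, `listen_addresses` and `/tmp` points.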
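Review bot: In `tasks/Debian/install-front.yml`, `Front - Configure nginx port` rewrites the listener to `listen 80;`, so the Zabbix frontend, login form included, is served over plain HTTP on the host and on the keepalived VIP; nothing in this file adds a TLS listener or a redirect. If TLS is terminated elsewhere, a comment saying so would help; otherwise add a `listen 443 ssl;` server with certificate paths. This task also lacks the `notify: Restart nginx` that its RedHat counterpart has, so the port change may not take effect until something else restarts nginx. `keepalived.conf` is installed with `mode: 0644`; if the template carries an `auth_pass` (not visible here), `"0600"` is the safer mode.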
@@ -0,0 +1,91 @@ +- name: Proxy - Install Debian Proxy packages + ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ proxy.packages }}" + tags: + - install_proxy + when: ansible_os_family == "Debian" + + +- name: Proxy - Enable and start service mariadb + ansible.builtin.service: + name: mariadb + state: started + enabled: yes + tags: + - install_proxy + +- name: Proxy - Generate mariadb proxy creation script + ansible.builtin.template: + src: create_proxy_db.j2 + dest: /tmp/create_proxy_db.sql + tags: + - install_proxy + +- name: Proxy - Create mariadb proxy database + ansible.builtin.shell: mysql -uroot < /tmp/create_proxy_db.sql + tags: + - install_proxy + +- name: Proxy - Populate mariadb proxy database + ansible.builtin.shell: 'cat /usr/share/zabbix/sql-scripts/mysql/proxy.sql | mysql --default-character-set=utf8mb4 -u{{proxy_db_user}} --password={{proxy_db_passwd}} {{proxy_db_name}}' + tags: + - install_proxy + +- name: Find Group + set_fact: + my_group: "{{ group_names | first }}" + +- name: Proxy - Génération la liste des servers + set_fact: + hotes_filtres: >- + {{ groups[my_group] | + map('extract', hostvars) | + selectattr('role', 'in', 'srv') | + map(attribute='inventory_hostname') | + list }} + +- name: Proxy - Set fact Server + set_fact: + Server: "{{ hotes_filtres | join(';') }}" + +- name: Proxy - Generate config + ansible.builtin.template: + src: zabbix_proxy.conf.j2 + dest: /etc/zabbix/zabbix_proxy.conf + owner: root + group: zabbix + mode: 400 + + tags: + - install_proxy + +- name: Proxy - Create certificats directory + ansible.builtin.file: + path: "/etc/zabbix/certs" + state: directory + recurse: yes + owner: zabbix + group: zabbix + when: zabbix_crypt=="tls" + +- name: Proxy - Copy certificats + ansible.builtin.copy: + src: "{{ item }}" + dest: "/etc/zabbix/certs/{{ item }}" + owner: zabbix + group: zabbix + loop: + - "{{ zabbix_ca}}.crt" + - "{{ zabbix_proxy}}.crt" + - "{{ zabbix_proxy}}.key" + when: zabbix_crypt=="tls" + 
+- name: Proxy - Enable and start service zabbix proxy + ansible.builtin.service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - zabbix-proxy \ No newline at end of file diff --git a/tasks/Debian/install-srv.yml b/tasks/Debian/install-srv.yml new file mode 100644 index 0000000..5c55607 --- /dev/null +++ b/tasks/Debian/install-srv.yml @@ -0,0 +1,53 @@ +- name: Server - Install packages + ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ srv.packages }}" + tags: + - install_srv + when: ansible_os_family == "Debian" + +- name: Server - Generate srv config + ansible.builtin.template: + src: zabbix_server.conf.j2 + dest: /etc/zabbix/zabbix_server.conf + owner: zabbix + group: zabbix + mode: 0640 + tags: + - install_srv + +- name: Server - Create cert directory if zabbix_crypt=="tls" + ansible.builtin.file: + path: "/etc/zabbix/certs" + state: directory + recurse: yes + owner: zabbix + group: zabbix + when: zabbix_crypt=="tls" + tags: + - install_srv + +- name: Server - Copy Certificats + ansible.builtin.copy: + src: "{{ item }}" + dest: "/etc/zabbix/certs/{{ item }}" + owner: zabbix + group: zabbix + loop: + - "{{ zabbix_ca}}.crt" + - "{{ zabbix_server}}.crt" + - "{{ zabbix_server}}.key" + when: zabbix_crypt=="tls" + tags: + - install_srv + +- name: Server -Enable and start service zabbix server + ansible.builtin.service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - zabbix-server + tags: + - install_srv \ No newline at end of file diff --git a/tasks/RedHat/install-agent2.yml b/tasks/RedHat/install-agent2.yml new file mode 100644 index 0000000..4b6dbd4 --- /dev/null +++ b/tasks/RedHat/install-agent2.yml 
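Review bot: In `tasks/Debian/install-proxy.yml`, `Proxy - Populate mariadb proxy database` puts `--password={{proxy_db_passwd}}` on a shell command line, where it is visible in the host's process list and in Ansible's task output and logs. Pass the credentials through a `0600` option file given with `--defaults-extra-file=` and set `no_log: true` on the task. `mode: 400` on `zabbix_proxy.conf` is read as decimal 400 (octal 0620), not `0400`; quote it, and since the file is owned by root with group zabbix, `mode: "0640"` is presumably what the proxy needs in order to read it. `selectattr('role', 'in', 'srv')` is a substring test against the string `'srv'`; `selectattr('role', 'equalto', 'srv')` states the intent. `tasks/RedHat/install-proxy.yml` carries the same three issues.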
@@ -0,0 +1,66 @@
+
+- name: Agent2 - Install packages
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ agent.packages }}"
+ tags:
+ - install_agent
+
+- name: Agent2 - Find Group
+ set_fact:
+ my_group: "{{ group_names | first }}"
+
+- name: Agent2 - Créer la liste des hôtes correspondant aux rôles cibles
+ set_fact:
+ hotes_filtres: >-
+ {{ groups[my_group] |
+ map('extract', hostvars) |
+ selectattr('role', 'in', roles_cibles) |
+ map(attribute='inventory_hostname') |
+ list }}
+
+- name: Agent2 - Generate Server List
+ set_fact:
+ Server: "{{ hotes_filtres | join(',') }}"
+
+- name: Agent2 - Generate ActiveServer List
+ set_fact:
+ ServerActive: "{{ hotes_filtres | join(';') }}"
+
+- name: Agent2 - Generate agent2 config
+ ansible.builtin.template:
+ src: zabbix_agent2.conf.j2
+ dest: /etc/zabbix/zabbix_agent2.conf
+ owner: zabbix
+ group: zabbix
+ mode: 0640
+
+- name: Agent2 - Create cert directory if zabbix_crypt=="tls"
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Agent2 - Copy Certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca }}.crt"
+ - "{{ zabbix_agent }}.crt"
+ - "{{ zabbix_agent }}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Enable and start service zabbix agent2
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-agent2
diff --git a/tasks/RedHat/install-db.yml b/tasks/RedHat/install-db.yml
new file mode 100644
index 0000000..3b71768
--- /dev/null
+++ b/tasks/RedHat/install-db.yml
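Review bot: `Agent2 - Install packages` in `tasks/RedHat/install-agent2.yml` calls `ansible.builtin.apt`, which will fail on AlmaLinux and other RHEL-like hosts; the file has the same blob id (`4b6dbd4`) as `tasks/Debian/install-agent2.yml`, so it looks like an unmodified copy. Switch the task to `ansible.builtin.dnf` with `state: present`, as the other `tasks/RedHat/` files do, or use `ansible.builtin.package` and share one agent file between both families. `Agent2 - Copy Certificats` also copies `{{ zabbix_agent }}.key` without a `mode`; the private key needs an explicit `mode: "0600"`.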
@@ -0,0 +1,95 @@ + + +- name: Database - Install RHEL packages + ansible.builtin.dnf: + name: "{{ item }}" + state: present + loop: "{{ db.packages }}" + tags: + - install_db + +- name: Database - Check if postgresql is configured + stat: + path: /var/lib/pgsql/data/PG_VERSION + register: postgresqldata + +- name: Database - Init DB + ansible.builtin.shell: + cmd: postgresql-setup --initdb + when: postgresqldata.stat.exists == false + tags: + - install_db + +- name: Database - Enable and start service postgresl + ansible.builtin.service: + name: postgresql + state: started + enabled: yes + tags: + - install_db + +- name: Database - Generate create db script + ansible.builtin.template: + src: create_db.j2 + dest: /tmp/create_db.sql + owner: postgres + tags: + - install_db + +- name: Database - Run create db script + ansible.builtin.shell: su - postgres -c 'psql -f /tmp/create_db.sql' + tags: + - install_db + +- name: Database - Add zabbix user to pg_hba + ansible.builtin.lineinfile: + path: /var/lib/pgsql/data/pg_hba.conf + insertafter: '# "local" is for Unix domain socket connections only' + line: "local {{ db_name }} {{ db_user }} trust" + firstmatch: yes + state: present + +- name: Database -Find Group + set_fact: + my_group: "{{ group_names | first }}" + +- name: Database - Créer les entrées pg_hba pour tous les hosts avec rôle 'srv' + lineinfile: + path: /var/lib/pgsql/data/pg_hba.conf + line: "host {{ db_name }} {{ db_user }} {{ hostvars[item]['ansible_default_ipv4']['address'] }}/32 md5" + state: present + loop: "{{ groups[my_group] }}" + when: + - hostvars[item].role is defined + - hostvars[item].role == 'srv' or hostvars[item].role == 'front' + - hostvars[item]['ansible_default_ipv4'] is defined + +- name: Database - Configure postgres Listen address + ansible.builtin.lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^#listen_addresses = .*' + line: "listen_addresses = '*'" + tags: + - install_db + + +- name: Database - Restart postgresql + 
service: + name: postgresql + state: restarted + enabled: true + tags: + - install_db + +- name: Populate zabbix database + ansible.builtin.shell: 'zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | psql -Uzabbix zabbix' + tags: + - install_db + +- name: Proxy - Enable and start service zabbix component + ansible.builtin.service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - zabbix-agent2 \ No newline at end of file diff --git a/tasks/RedHat/install-front.yml b/tasks/RedHat/install-front.yml new file mode 100644 index 0000000..593c035 --- /dev/null +++ b/tasks/RedHat/install-front.yml @@ -0,0 +1,53 @@ +- name: Front - Install packages + ansible.builtin.dnf: + name: "{{ item }}" + state: present + loop: "{{ front.packages }}" + tags: + - install_front + +- name: Front - Configure nginx port + ansible.builtin.lineinfile: + path: /etc/nginx/conf.d/zabbix.conf + regexp: 'listen 8080;' + line: " listen 80;" + tags: + - install_front + notify: Restart nginx + +- name: Front - Configure nginx url + ansible.builtin.lineinfile: + path: /etc/nginx/conf.d/zabbix.conf + regexp: 'server_name example.com;' + line: " server_name {{ inventory_hostname }};" + tags: + - install_front + notify: + - Restart nginx + - Restart php-fpm + +- name: Front - Configure keepalived + when: role == "srv" + block: + - name: Configure Keepalived + ansible.builtin.template: + src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + owner: root + group: root + mode: 0644 + - name: Enable Keepalived service + ansible.builtin.systemd_service: + name: keepalived + state: restarted + enabled: true + +- name: Enable and start + ansible.builtin.systemd_service: + name: "{{ item }}" + state: started + enabled: true + loop: + - nginx + - php-fpm + - zabbix-agent2 diff --git a/tasks/RedHat/install-proxy.yml b/tasks/RedHat/install-proxy.yml new file mode 100644 index 0000000..fe56edd --- /dev/null +++ b/tasks/RedHat/install-proxy.yml 
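Review bot: In `tasks/RedHat/install-front.yml` the keepalived block is gated on `when: role == "srv"`, whereas the Debian front file configures keepalived unconditionally and the README describes keepalived as serving the nginx VIP. If this file is only included for hosts with `role: front` (the dispatch in `tasks/main.yml` is not visible here), the block never runs and the VIP is never configured on RHEL-like hosts; confirm the intended role, probably `role == "front"`. `listen 80;` also leaves the frontend on plain HTTP here, with no TLS listener or redirect added in this file.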
@@ -0,0 +1,98 @@
+- name: Proxy - Install Debian Proxy packages
+ ansible.builtin.dnf:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ proxy.packages }}"
+ tags:
+ - install_proxy
+
+- name: Proxy - Enable and start service mariadb
+ ansible.builtin.service:
+ name: mariadb
+ state: started
+ enabled: yes
+ tags:
+ - install_proxy
+
+- name: Proxy - Generate mariadb proxy creation script
+ ansible.builtin.template:
+ src: create_proxy_db.j2
+ dest: /tmp/create_proxy_db.sql
+ tags:
+ - install_proxy
+
+- name: Proxy - Create mariadb proxy database
+ ansible.builtin.shell: mysql -uroot < /tmp/create_proxy_db.sql
+ tags:
+ - install_proxy
+
+- name: Proxy - Populate mariadb proxy database
+ ansible.builtin.shell: 'cat /usr/share/zabbix/sql-scripts/mysql/proxy.sql | mysql --default-character-set=utf8mb4 -u{{proxy_db_user}} --password={{proxy_db_passwd}} {{proxy_db_name}}'
+ tags:
+ - install_proxy
+
+- name: Proxy - Enable and restart mariadb
+ ansible.builtin.systemd_service:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ loop:
+ - mariadb
+
+- name: Find Group
+ set_fact:
+ my_group: "{{ group_names | first }}"
+
+- name: Proxy - Génération la liste des servers
+ set_fact:
+ hotes_filtres: >-
+ {{ groups[my_group] |
+ map('extract', hostvars) |
+ selectattr('role', 'in', 'srv') |
+ map(attribute='inventory_hostname') |
+ list }}
+
+- name: Proxy - Set fact Server
+ set_fact:
+ Server: "{{ hotes_filtres | join(';') }}"
+
+- name: Proxy - Generate config
+ ansible.builtin.template:
+ src: zabbix_proxy.conf.j2
+ dest: /etc/zabbix/zabbix_proxy.conf
+ owner: root
+ group: zabbix
+ mode: 400
+
+ tags:
+ - install_proxy
+
+- name: Proxy - Create certificats directory
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+
+- name: Proxy - Copy certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca}}.crt"
+ - "{{ zabbix_proxy}}.crt"
+ - "{{ zabbix_proxy}}.key"
+ when: zabbix_crypt=="tls"
+
+- name: Proxy - Enable and start service zabbix proxy
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-proxy
+ - zabbix-agent2
\ No newline at end of file
diff --git a/tasks/RedHat/install-srv.yml b/tasks/RedHat/install-srv.yml
new file mode 100644
index 0000000..2187b39
--- /dev/null
+++ b/tasks/RedHat/install-srv.yml
@@ -0,0 +1,53 @@
+# Server
+- name: Server - Install packages
+ ansible.builtin.dnf:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ srv.packages }}"
+ tags:
+ - install_srv
+- name: Server - Generate srv config
+ ansible.builtin.template:
+ src: zabbix_server.conf.j2
+ dest: /etc/zabbix/zabbix_server.conf
+ owner: zabbix
+ group: zabbix
+ mode: 0640
+ tags:
+ - install_srv
+
+- name: Server - Create cert directory if zabbix_crypt=="tls"
+ ansible.builtin.file:
+ path: "/etc/zabbix/certs"
+ state: directory
+ recurse: yes
+ owner: zabbix
+ group: zabbix
+ when: zabbix_crypt=="tls"
+ tags:
+ - install_srv
+
+- name: Server - Copy Certificats
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/zabbix/certs/{{ item }}"
+ owner: zabbix
+ group: zabbix
+ loop:
+ - "{{ zabbix_ca}}.crt"
+ - "{{ zabbix_server}}.crt"
+ - "{{ zabbix_server}}.key"
+ when: zabbix_crypt=="tls"
+ tags:
+ - install_srv
+
+- name: Server -Enable and start service zabbix server
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - zabbix-server
+ - zabbix-agent2
+ tags:
+ - install_srv
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 914d983..c037e43 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
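Review bot: `mode: 400` in "Proxy - Generate config" is parsed as the decimal integer 400, which Ansible applies as octal 0620, so `zabbix_proxy.conf` ends up group-writable but not group-readable for `zabbix` and the proxy will likely be unable to read its own configuration. Quote the mode and give the group read access only: `mode: "0640"`. In the same file, "Proxy - Populate mariadb proxy database" passes `--password={{proxy_db_passwd}}` on the `mysql` command line, which exposes the password in the process list and in Ansible output; adding `no_log: true` and supplying the password through the task's `environment:` (`MYSQL_PWD`) would keep it out of both.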
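Review bot: "Server - Copy Certificats" copies `{{ zabbix_server}}.key` without a `mode:`, so the private key is created with whatever the umask yields, commonly a world-readable 0644. Add `mode: "0600"` to the task (the owner is already `zabbix`), or move the key into its own copy task if the certificates should stay more widely readable. "Proxy - Copy certificats" in the proxy task file has the same gap for `{{ zabbix_proxy}}.key`.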
@@ -2,73 +2,96 @@ # tasks file for zabbix - name: check OS version debug: var=ansible_os_family -- name: Prepare RHEL + +- name: include os variables + include_vars: "{{ ansible_os_family }}.yml" + tags: always + + +- name: Prepare Alma + when: ansible_distribution == "AlmaLinux" + block: + - name: add gpg + ansible.builtin.dnf: + name: gnupg2 + state: present + - name: Copie GPG key + ansible.builtin.copy: + src: RPM-GPG-KEY-ZABBIX-B5333005 + dest: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Import a key + ansible.builtin.rpm_key: + state: present + key: /tmp/RPM-GPG-KEY-ZABBIX-B5333005 + - name: Add Package + ansible.builtin.dnf: + name: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release/alma/{{ ansible_distribution_major_version }}/noarch/zabbix-release-latest-{{ zabbix_version }}.el{{ ansible_distribution_major_version }}.noarch.rpm" + state: present + +- name: Prepare RH like + when: ansible_os_family == "RedHat" block: - - name: Alma Repo - ansible.builtin.shell: - cmd: rpm -Uvh https://repo.zabbix.com/zabbix/7.0/alma/9/x86_64/zabbix-release-latest.el9.noarch.rpm - name: disable firewall ansible.builtin.service: - name: firewalld - state: stopped - enabled: false + name: firewalld + state: stopped + enabled: false - name: clean repo ansible.builtin.shell: cmd: dnf clean all - when: ansible_os_family == "RedHat" + + - name: set selinux permivise + ansible.builtin.lineinfile: + path: /etc/selinux/config + regexp: '^SELINUX=.*' + line: "SELINUX=permissive" + register: selinux + + - name: Reboot if necessary + ansible.builtin.reboot: + when: selinux.changed + - name: Prepare Debian - block: - - name: Debian Repo - ansible.builtin.apt: - deb: https://repo.zabbix.com/zabbix/7.4/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_7.4+debian13_all.deb - - name: Mise à jour le cache des paquets - ansible.builtin.apt: - update_cache: yes when: ansible_os_family == "Debian" + block: + - name: Debian Repo + ansible.builtin.apt: + deb: 
"https://repo.zabbix.com/zabbix/{{ zabbix_version }}/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_{{ zabbix_version }}+debian13_all.deb" + - name: Mise à jour le cache des paquets + ansible.builtin.apt: + update_cache: yes - -- name: Install Database +- name: Database - Install when: role == "db" block: - name: Install Zabbix DB - ansible.builtin.include_tasks: install-db.yml + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-db.yml" when: role == "db" - tags: - - database tags: - install_db -- name: Install server - when: role == "srv" - block: - - name: Install Zabbix Server - ansible.builtin.include_tasks: install-srv.yml - when: role == "srv" +- name: Server - Install + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-srv.yml" + when: + - role == "srv" tags: - install_srv -- name: Install zabbix_proxy - when: role == "proxy" - block: - - name: Install Zabbix Proxy - ansible.builtin.include_tasks: install-proxy.yml - when: role == "proxy" +- name: Proxy - Install + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-proxy.yml" tags: - - install_proxy + - install_proxy + when: role == "proxy" -- name: Install Front - when: role == "front" - block: - - name: Install Zabbix Front - ansible.builtin.include_tasks: install-front.yml - when: role == "front" + +- name: Front - Install + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-front.yml" + when: role == "srv" or role == "front" tags: - install_front - name: Install Agent - block: - - name: Install Zabbix Agent - ansible.builtin.include_tasks: install-agent2.yml + ansible.builtin.include_tasks: "{{ansible_os_family}}/install-agent2.yml" tags: - install_agent - never \ No newline at end of file diff --git a/templates/keepalived.conf.j2 b/templates/keepalived.conf.j2 new file mode 100644 index 0000000..76d1de3 --- /dev/null +++ b/templates/keepalived.conf.j2 
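Review bot: The "Prepare RH like" block stops and disables firewalld, and the new "set selinux permivise" task switches SELinux to permissive and reboots, which removes both host-level controls on every RedHat-family node, including the database host that this commit sets to `listen_addresses = '*'`. vars/RedHat.yml already installs `zabbix-selinux-policy`, so enforcing mode is presumably workable. I would drop the SELinux and reboot tasks and keep firewalld running, opening only the required ports with `ansible.posix.firewalld` (for example `port: 10051/tcp`, `permanent: true`, `immediate: true`, `state: enabled`). If a specific denial really needs handling, a targeted SELinux boolean or policy module is a narrower fix than editing `/etc/selinux/config`.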
@@ -0,0 +1,22 @@
+vrrp_track_process track_nginx {
+ process nginx
+ weight 10
+}
+
+vrrp_instance VI_1 {
+ state {{ keepalived.state }}
+ interface {{ansible_default_ipv4.interface}}
+ virtual_router_id 51
+ priority {{ keepalived.priority }}
+ advert_int 1
+ authentication {
+ auth_type PASS
+ auth_pass 12345
+ }
+ virtual_ipaddress {
+ {{ vip_address }}
+ }
+ track_process {
+ track_nginx
+ }
+}
\ No newline at end of file
diff --git a/templates/zabbix_front.conf.j2 b/templates/zabbix_front.conf.j2
new file mode 100644
index 0000000..8c405c6
--- /dev/null
+++ b/templates/zabbix_front.conf.j2
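Review bot: `auth_pass 12345` hard-codes the VRRP password in the template, so every deployment of this role shares the same committed value. Take it from a variable supplied through Ansible Vault, e.g. `auth_pass {{ keepalived.auth_pass }}` (a new key next to the existing `keepalived.state` and `keepalived.priority`), and fail the play when it is unset. `auth_type PASS` sends the value unencrypted in VRRP advertisements, so it mainly guards against misconfiguration; restricting VRRP (IP protocol 112) to the peer nodes at the firewall is what limits who can take part in the election. The front task file installs this template with `mode: 0644`; `mode: "0600"` fits a file that holds the value.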
@@ -0,0 +1,67 @@
+?php
+// Zabbix GUI configuration file.
+
+$DB['TYPE'] = 'POSTGRESQL';
+$DB['SERVER'] = '{{db_host}}';
+$DB['PORT'] = '0';
+$DB['DATABASE'] = 'zabbix';
+$DB['USER'] = '';
+$DB['PASSWORD'] = '';
+
+// Schema name. Used for PostgreSQL.
+$DB['SCHEMA'] = '';
+
+// Used for TLS connection.
+$DB['ENCRYPTION'] = false;
+$DB['KEY_FILE'] = '';
+$DB['CERT_FILE'] = '';
+$DB['CA_FILE'] = '';
+$DB['VERIFY_HOST'] = false;
+$DB['CIPHER_LIST'] = '';
+
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+{% if Vault is defined %}
+$DB['VAULT'] = '{{Vault}}';
+$DB['VAULT_URL'] = '{{VaultURL}}';
+$DB['VAULT_PREFIX'] = '{{VaultPrefix}}';
+$DB['VAULT_DB_PATH'] = '{{VaultDBPath}}';
+$DB['VAULT_TOKEN'] = '{{VaultToken}}';
+$DB['VAULT_CERT_FILE'] = '';
+$DB['VAULT_KEY_FILE'] = '';
+// Uncomment to bypass local caching of credentials.
+// $DB['VAULT_CACHE'] = true;
+{% endif %}
+// Uncomment and set to desired values to override Zabbix hostname/IP and port.
+// $ZBX_SERVER = '';
+// $ZBX_SERVER_PORT = '';
+
+$ZBX_SERVER_NAME = 'zserver02.bv.stef.lan';
+
+$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
+
+// Uncomment this block only if you are using Elasticsearch.
+// Elasticsearch url (can be string if same url is used for all types).
+//$HISTORY['url'] = [
+// 'uint' => 'http://localhost:9200',
+// 'text' => 'http://localhost:9200'
+//];
+// Value types stored in Elasticsearch.
+//$HISTORY['types'] = ['uint', 'text'];
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+//$SSO['SP_KEY'] = 'conf/certs/sp.key';
+//$SSO['SP_CERT'] = 'conf/certs/sp.crt';
+//$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
+//$SSO['SETTINGS'] = [];
+
+// If set to false, support for HTTP authentication will be disabled.
+// $ALLOW_HTTP_AUTH = true;
+
+$ZBX_SERVER_TLS['ACTIVE'] = '0';
+$ZBX_SERVER_TLS['CA_FILE'] = '';
+$ZBX_SERVER_TLS['KEY_FILE'] = '';
+$ZBX_SERVER_TLS['CERT_FILE'] = '';
+$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = '';
+$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = '';
+
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..2aeca8d
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,47 @@
+---
+# defaults file for zabbix
+repo: https://repo.zabbix.com/zabbix/7.4/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_7.4+debian13_all.deb
+db:
+ packages:
+ - postgresql-contrib
+ - postgresql
+ - python3-psycopg2
+ - zabbix-sql-scripts
+ - zabbix-agent2
+srv:
+ packages:
+ - zabbix-server-pgsql
+ - zabbix-agent2
+front:
+ packages:
+ - zabbix-frontend-php
+ - php8.4-pgsql
+ - zabbix-nginx-conf
+ - nginx
+ - zabbix-agent2
+ - keepalived
+proxy:
+ packages:
+ - mariadb-server
+ - zabbix-proxy-mysql
+ - zabbix-sql-scripts
+ - zabbix-agent2
+agent:
+ packages:
+ - zabbix-agent2
+
+
+roles_cibles: ['srv', 'proxy']
+
+db_name: zabbix
+db_user: zabbix
+db_passwd: zabbix
+
+proxy_db_name: zabbix_proxy
+proxy_db_user: zabbix_proxy
+proxy_db_passwd: zabbix_proxy
+
+zabbix_ca: zabbix_ca
+zabbix_server: zabbix_server
+zabbix_proxy: zabbix_proxy
+zabbix_agent: zabbix_agent
\ No newline at end of file
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..c495932
--- /dev/null
+++ b/vars/RedHat.yml
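Review bot: `$DB['ENCRYPTION'] = false;` together with `$DB['VERIFY_HOST'] = false;` leaves the frontend's connection to the remote `{{db_host}}` unencrypted, so queries and results, including Zabbix user and session data, cross the network in clear text. The template could set `$DB['ENCRYPTION'] = true;`, `$DB['VERIFY_HOST'] = true;` and `$DB['CA_FILE'] = '/etc/zabbix/certs/{{ zabbix_ca }}.crt';`, assuming the CA is deployed to the frontend host. That also needs `ssl = on` and `hostssl` entries on the PostgreSQL side, which the database task file in this commit does not configure. Separately, `$DB['DATABASE']`, `$DB['USER']`, `$DB['PASSWORD']` and `$ZBX_SERVER_NAME` are literals rather than `{{ db_name }}`, `{{ db_user }}` and `{{ db_passwd }}`, so outside the Vault branch the rendered file carries empty credentials.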
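Review bot: `db_passwd: zabbix` and `proxy_db_passwd: zabbix_proxy` commit passwords equal to the account names, and because this file is loaded with `include_vars` in tasks/main.yml its values take precedence over inventory and group variables, so an operator cannot override them from `group_vars`. Move the credentials and the other non-package settings to `defaults/main.yml`, where the README says they live, and leave the passwords undefined there. Fail early with `ansible.builtin.assert` when they are missing so that they have to come from Ansible Vault. vars/RedHat.yml in this commit defines only package lists, so the two OS families currently take these settings from different places.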
@@ -0,0 +1,33 @@
+db:
+ packages:
+ - postgresql-server
+ - postgresql-contrib
+ - postgresql
+ - postgresql-plpython3
+ - zabbix-sql-scripts
+ - zabbix-agent2
+ - zabbix-agent2-plugin-postgresql
+
+srv:
+ packages:
+ - zabbix-server-pgsql
+ - zabbix-selinux-policy
+ - zabbix-agent2
+ - keepalived
+agent:
+ packages:
+ - zabbix-agent2
+front:
+ packages:
+ - zabbix-web-pgsql
+ - zabbix-nginx-conf
+ - zabbix-agent2
+ - zabbix-selinux-policy
+ - php-fpm
+proxy:
+ packages:
+ - mariadb-server
+ - mariadb
+ - zabbix-proxy-mysql
+ - zabbix-sql-scripts
+ - zabbix-agent2