diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
| commit | 975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch) | |
| tree | 89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/community/zabbix/roles/zabbix_web | |
| parent | Initial commit. (diff) | |
| download | ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.tar.xz ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.zip | |
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/zabbix/roles/zabbix_web')
31 files changed, 2165 insertions, 0 deletions
diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/README.md b/ansible_collections/community/zabbix/roles/zabbix_web/README.md new file mode 100644 index 000000000..cef5d62e7 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/README.md @@ -0,0 +1,349 @@ +# community.zabbix.zabbix_web role + + + +**Table of Contents** + +- [Overview](#overview) +- [Requirements](#requirements) + - [Operating Systems](#operating-systems) + - [Zabbix Versions](#zabbix-versions) +- [Installation](#installation) +- [Role Variables](#role-variables) + - [Main variables](#main-variables) + - [Overall Zabbix](#overall-zabbix) + - [Zabbix Web specific](#zabbix-web-specific) + - [Apache configuration](#apache-configuration) + - [Nginx configuration](#nginx-configuration) + - [PHP-FPM](#php-fpm) + - [Zabbix Server](#zabbix-server) + * [proxy](#proxy) +- [Example Playbook](#example-playbook) + - [Single instance](#single-instance) + - [Multi host setup](#multi-host-setup) + - [Adding Environment Variables for zabbix_web](#adding-environment-variables-for-zabbixweb) + - [Using Elasticsearch for history storage](#using-elasticsearch-for-history-storage) +- [Molecule](#molecule) +- [License](#license) +- [Author Information](#author-information) + +# Overview + +# Requirements +## Operating Systems + +This role will work on the following operating systems: + + * RedHat + * Debian + * Ubuntu + +So, you'll need one of those operating systems.. :-) +Please send Pull Requests or suggestions when you want to use this role for other Operating systems. + +## Ansible 2.10 and higher + +With the release of Ansible 2.10, modules have been moved into collections. With the exception of ansible.builtin modules, this means additonal collections must be installed in order to use modules such as seboolean (now ansible.posix.seboolean). The following collections are now required: `ansible.posix`. The `community.general` collection is required when defining the `zabbix_web_htpasswd` variable (see variable section below). Installing the collections: + +```sh +ansible-galaxy collection install ansible.posix +ansible-galaxy collection install community.general +``` + +## Zabbix Versions + +See the following list of supported Operating Systems with the Zabbix releases. + +| Zabbix | 6.4 | 6.2 | 6.0 (LTS) | 5.4 | 5.2 | 5.0 (LTS) | 4.4 | 4.0 (LTS) | 3.0 (LTS) | +|---------------------|-----|-----|-----------|-----|-----|------------|-----|-----------|-----------| +| Red Hat Fam 9 | V | V | V | | | | | | | +| Red Hat Fam 8 | V | V | V | V | V | V | V | | | +| Red Hat Fam 7 | | V | V | V | V | V | V | V | V | +| Red Hat Fam 6 | | | | | V | V | | | V | +| Red Hat Fam 5 | | | | | V | V | | | V | +| Fedora | | | | | | | V | V | | +| Ubuntu 22.04 jammy | V | V | V | | | | | | | +| Ubuntu 20.04 focal | V | V | V | V | V | V | V | | | +| Ubuntu 18.04 bionic | | | V | V | V | V | V | V | | +| Ubuntu 16.04 xenial | | | | | V | V | V | V | | +| Ubuntu 14.04 trusty | | | | | V | V | V | V | V | +| Debian 10 buster | V | V | V | V | V | V | V | | | +| Debian 9 stretch | | | V | V | V | V | V | V | | +| Debian 8 jessie | | | | | V | V | V | V | V | +| Debian 7 wheezy | | | | | | | | V | V | +| macOS 10.15 | | | | | | | V | V | | +| macOS 10.14 | | | | | | | V | V | | + +# Installation + +Installing this role is very simple: `ansible-galaxy install community.zabbix.zabbix_web` + +When the Zabbix Web needs to be running on the same host as the Zabbix Server, please also install the Zabbix Server by executing the following command: `ansible-galaxy install community.zabbix.zabbix_server` + +Default username/password for the Zabbix Web interface is the default. + +Username: Admin +Password: zabbix + +# Role Variables + +## Main variables + +The following is an overview of all available configuration defaults for this role. + +### Overall Zabbix + +* `zabbix_web_version`: This is the version of zabbix. Default: The highest supported version for the operating system. Can be overridden to 6.2, 6.0, 5.4, 5.2, 5.0, 4.4, 4.0, 3.4, 3.2, 3.0, 2.4, or 2.2. Previously the variable `zabbix_version` was used directly but it could cause [some inconvenience](https://github.com/dj-wasabi/ansible-zabbix-agent/pull/303). That variable is maintained by retrocompativility. +* `zabbix_web_version_minor`: When you want to specify a minor version to be installed. RedHat only. Default set to: `*` (latest available) +* `zabbix_repo`: Default: `zabbix` + * `epel`: install agent from EPEL repo + * `zabbix`: (default) install agent from Zabbix repo + * `other`: install agent from pre-existing or other repo +* `zabbix_repo_yum`: A list with Yum repository configuration. +* `zabbix_repo_yum_schema`: Default: `https`. Option to change the web schema for the yum repository(http/https) +* `zabbix_repo_yum_disabled`: A string with repository names that should be disabled when installing Zabbix component specific packages. Is only used when `zabbix_repo_yum_enabled` contains 1 or more repositories. Default `*`. +* `zabbix_repo_yum_enabled`: A list with repository names that should be enabled when installing Zabbix component specific packages. + +* `zabbix_web_package_state`: Default: `present`. Can be overridden to `latest` to update packages when needed. +* `zabbix_web_centos_release`: Default: True. When the `centos-release-scl` repository needs to be enabled. This is required when using Zabbix 5.0 due to installation of a recent version of `PHP`. +* `zabbix_web_rhel_release`: Default: True. When the `scl-utils` repository needs to be enabled. This is required when using Zabbix 5.0 due to installation of a recent version of `PHP`. +* `zabbix_web_doubleprecision`: Default: `False`. For upgraded installations, please read database [upgrade notes](https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500) (Paragraph "Enabling extended range of numeric (float) values") before enabling this option. +* `zabbix_web_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file. + +### Zabbix Web specific + +* `zabbix_api_server_url`: This is the url on which the zabbix web interface is available. Default is zabbix.example.com, you should override it. For example, see "Example Playbook" +* `zabbix_url_aliases`: A list with Aliases for the Apache Virtual Host configuration. +* `zabbix_timezone`: Default: `Europe/Amsterdam`. This is the timezone. The Apache Virtual Host needs this parameter. +* `zabbix_vhost`: Default: `true`. When you don't want to create an Apache Virtual Host configuration, you can set it to False. +* `zabbix_web_env`: (Optional) A Dictionary of PHP Environments settings. +* `zabbix_web_conf_web_user`: When provided, the user (which should already exist on the host) will be used for ownership for web/php related processes. (Default set to either `apache` (`www-data` for Debian) or `nginx`). +* `zabbix_web_conf_web_group`: When provided, the group (which should already exist on the host) will be used for ownership for web/php related processes. (Default set to either `apache` (`www-data` for Debian) or `nginx`). +* `zabbix_web_htpasswd`: (Optional) Allow HTTP authentication at the webserver level via a htpasswd file. +* `zabbix_web_htpasswd_file`: Default: `/etc/zabbix/web/htpasswd`. Allows the change the default path to the htpasswd file. +* `zabbix_web_htpasswd_users`: (Optional) Dictionary for creating users via `htpasswd_user` and passphrases via `htpasswd_pass` in htpasswd file. +* `zabbix_web_allowlist_ips`: (Optional) Allow web access at webserver level to a list of defined IPs or CIDR. +* `zabbix_web_connect_ha_backend`: (Optional) Default: `false`. When set to `true` values for Zabbix server will not be written and frontend gets values from database to connect to active cluster node. Set `true` when operating Zabbix servers in a cluste (only >=6.0). +* `zabbix_saml_idp_crt`: (Optional) The path to the certificate of the Identity Provider used for SAML authentication +* `zabbix_saml_sp_crt`: (Optional) The path to the public certificate of Zabbix as Service Provider +* `zabbix_saml_sp_key`: (Optional) The path to the private certificate of Zabbix as Service Provider + +#### Apache configuration + +* `zabbix_apache_vhost_port`: The port on which Zabbix HTTP vhost is running. +* `zabbix_apache_vhost_tls_port`: The port on which Zabbix HTTPS vhost is running. +* `zabbix_apache_vhost_listen_ip`: On which interface the Apache Virtual Host is available. +* `zabbix_apache_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP. +* `zabbix_php_install`: Default: `true`. True / False. Switch for extra install of packages for PHP, currently on for Debian/Ubuntu. +* `zabbix_web_max_execution_time`: +* `zabbix_web_memory_limit`: +* `zabbix_web_post_max_size`: +* `zabbix_web_upload_max_filesize`: +* `zabbix_web_max_input_time`: +* `zabbix_apache_include_custom_fragment`: Default: `true`. Includes php_value vars max_execution_time, memory_limit, post_max_size, upload_max_filesize, max_input_time and date.timezone in vhost file.. place those in php-fpm configuration. +* `zabbix_apache_tls`: If the Apache vhost should be configured with TLS encryption or not. +* `zabbix_apache_redirect`: If a redirect should take place from HTTP to HTTPS +* `zabbix_apache_tls_crt`: The path to the TLS certificate file. +* `zabbix_apache_tls_key`: The path to the TLS key file. +* `zabbix_apache_tls_chain`: The path to the TLS certificate chain file. +* `zabbix_apache_SSLPassPhraseDialog`: Type of pass phrase dialog for encrypted private keys. +* `zabbix_apache_SSLSessionCache`: Type of the global/inter-process SSL Session Cache +* `zabbix_apache_SSLSessionCacheTimeout`: Number of seconds before an SSL session expires in the Session Cache +* `zabbix_apache_SSLCryptoDevice`: Enable use of a cryptographic hardware accelerator +* `zabbix_apache_custom_includes`: Configure custom includes. Default: `[]` + +When `zabbix_apache_tls_crt`, `zabbix_apache_tls_key` and/or `zabbix_apache_tls_chain` are used, make sure that these files exists before executing this role. The Zabbix-Web role will not install the mentioned files. + +See https://httpd.apache.org/docs/current/mod/mod_ssl.html for SSL* configuration options for Apache HTTPD. + +#### Nginx configuration + +* `zabbix_nginx_vhost_port`: The port on which Zabbix HTTP vhost is running. +* `zabbix_nginx_vhost_tls_port`: The port on which Zabbix HTTPS vhost is running. +* `zabbix_nginx_tls`: If the Nginx vhost should be configured with TLS encryption or not. +* `zabbix_nginx_tls_crt`: The path to the TLS certificate file. +* `zabbix_nginx_tls_key`: The path to the TLS key file. +* `zabbix_nginx_tls_dhparam`: The path to the TLS DHParam file. +* `zabbix_nginx_tls_session_cache`: Type of the global/inter-process SSL Session Cache +* `zabbix_nginx_tls_session_timeout`: +* `zabbix_nginx_tls_session_tickets`: +* `zabbix_nginx_tls_protocols`: The TLS Protocols to accept. +* `zabbix_nginx_tls_ciphers`: The TLS Ciphers to be allowed. + +When `zabbix_nginx_tls_crt` and `zabbix_nginx_tls_key` are used, make sure that these files exists before executing this role. The Zabbix-Web role will not install the mentioned files. + +#### PHP-FPM + +The following properties are specific to Zabbix 5.0 and for the PHP(-FPM) configuration: + +* `zabbix_php_version`: Either `7.3` or `7.4` (Based on the OS Family). When you want to override the PHP Version. +* `zabbix_php_fpm_session`: The directory where sessions will be stored. If none are provided, defaults are used. +* `zabbix_php_fpm_listen`: The path to a socket file or ipaddress:port combination on which PHP-FPM needs to listen. If none are provided, defaults are used. +* `zabbix_php_fpm_conf_listen`: Default: `true`. If we want to configure the `zabbix_php_fpm_listen` in the PHP-FPM configuration file. +* `zabbix_php_fpm_conf_user`: The owner of the socket file (When `zabbix_php_fpm_listen` contains a patch to a socket file). +* `zabbix_php_fpm_conf_enable_user`: Default: `true`. If we want to configure the owner of the `zabbix_php_fpm_listen` in the PHP-FPM configuration file. +* `zabbix_php_fpm_conf_group`: The group of the owner of the socket file (When `zabbix_php_fpm_listen` contains a patch to a socket file). +* `zabbix_php_fpm_conf_enable_group`: Default: `true`. If we want to configure the group of the `zabbix_php_fpm_listen` in the PHP-FPM configuration file. +* `zabbix_php_fpm_conf_mode`: The mode for the socket file (When `zabbix_php_fpm_listen` contains a patch to a socket file). +* `zabbix_php_fpm_conf_enable_mode`: Default: `true`. If we want to configure the mode of the `zabbix_php_fpm_listen` in the PHP-FPM configuration file. +* `zabbix_php_fpm_dir_etc`: etc HOME root directory of PHP-FPM setup. +* `zabbix_php_fpm_dir_var`: Var HOME root directory of PHP-FPM setup. + +### Zabbix Server + +* `zabbix_server_name`: The name of the Zabbix Server. +* `zabbix_server_database`: The type of database used. Can be: mysql or pgsql +* `zabbix_server_database_long`: The type of database used, but long name. Can be: mysql or postgresql +* `zabbix_server_hostname`: The hostname on which the zabbix-server is running. Default set to: {{ inventory_hostname }} +* `zabbix_server_listenport`: On which port the Zabbix Server is available. Default: 10051 +* `zabbix_server_dbhost`: The hostname on which the database is running. +* `zabbix_server_dbname`: The database name which is used by the Zabbix Server. +* `zabbix_server_dbuser`: The database username which is used by the Zabbix Server. +* `zabbix_server_dbpassword`: The database user password which is used by the Zabbix Server. +* `zabbix_server_dbport`: The database port which is used by the Zabbix Server. + +The following properties are related when using Elasticsearch for history storage: + +* `zabbix_server_history_url`: String with url to the Elasticsearch server or a list if the types are stored on different Elasticsearch URLs. +* `zabbix_server_history_types`: List of history types to store in Elasticsearch. + +See the following links for more information regarding Zabbix and Elasticsearch +https://www.zabbix.com/documentation/3.4/manual/appendix/install/elastic_search_setup +https://www.zabbix.com/documentation/4.0/manual/appendix/install/elastic_search_setup + +## proxy + +When the target host does not have access to the internet, but you do have a proxy available then the following properties needs to be set to download the packages via the proxy: + +* `zabbix_http_proxy` +* `zabbix_https_proxy` + +# Example Playbook + +There are two ways of using the zabbix-web: + +* Single instance +* Multi host setup + +## Single instance + +When there is one host running both Zabbix Server and the Zabbix Web (Running MySQL as database): + +```yaml +- hosts: zabbix-server + become: yes + roles: + - role: geerlingguy.apache + - role: geerlingguy.php + - role: community.zabbix.zabbix_server + zabbix_server_database: mysql + zabbix_server_database_long: mysql + zabbix_server_dbport: 3306 + - role: community.zabbix.zabbix_web + zabbix_api_server_url: zabbix.mydomain.com + zabbix_server_database: mysql + zabbix_server_database_long: mysql + zabbix_server_dbport: 3306 +``` + +## Multi host setup + +This is a two host setup. On one host (Named: "zabbix-server") the Zabbix Server is running, and the other host (Named: zabbix-web) runs Zabbix Web (with MySQL as database): + +```yaml +- hosts: zabbix-server + become: yes + roles: + - role: community.zabbix.zabbix_server + zabbix_server_database: mysql + zabbix_server_database_long: mysql + zabbix_server_dbport: 3306 + +- hosts: zabbix-web + become: yes + roles: + - role: geerlingguy.apache + - role: geerlingguy.php + - role: community.zabbix.zabbix_web + zabbix_api_server_url: zabbix.mydomain.com + zabbix_server_hostname: zabbix-server + zabbix_server_database: mysql + zabbix_server_database_long: mysql + zabbix_server_dbport: 3306 +``` + +## Adding Environment Variables for zabbix_web + +Sometimes you need to add environment variables to your +zabbix.conf.php, for example to add LDAP CA certificates. To do this add a `zabbix_web_env` dictionary: + +```yaml +- hosts: zabbix-web + become: yes + roles: + - role: geerlingguy.apache + - role: geerlingguy.php + php_memory_limit: "128M" + php_max_execution_time: "300" + php_upload_max_filesize: "256M" + php_packages: + - php + - php-fpm + - php-acpu + - role: geerlingguy.apache-php-fpm + - role: community.zabbix.zabbix_web + zabbix_api_server_url: zabbix.mydomain.com + zabbix_server_hostname: zabbix-server + zabbix_server_database: mysql + zabbix_server_database_long: mysql + zabbix_server_dbport: 3306 + zabbix_web_env: + LDAPTLS_CACERT: /etc/ssl/certs/ourcert.pem +``` + +## Using Elasticsearch for history storage + +To use Elasticsearch for history storage you need to configure the `zabbix_server_history_url` and `zabbix_server_history_types`. You will also need to configure Elasticsearch +in the zabbix_server role. + +Zabbix can store the following history types +in Elasticsearch: +* Numeric (unsigned) - `uint` +* Numeric (float) - `dbl` +* Character - `str` +* Log - `log` +* Text - `text` + +To store all history types in the same history URL the following variables should be set (make sure history url points to your Elasticsearch cluster): + +``` +zabbix_server_history_url: "http://localhost:9200" +zabbix_server_history_types: + - 'str' + - 'text' + - 'log' + - 'uint' + - 'dbl' +``` + +# Molecule + +This role is configured to be tested with Molecule. You can find on this page some more information regarding Molecule: + +* http://werner-dijkerman.nl/2016/07/10/testing-ansible-roles-with-molecule-testinfra-and-docker/ +* http://werner-dijkerman.nl/2016/07/27/extending-ansible-role-testing-with-molecule-by-adding-group_vars-dependencies-and-using-travis-ci/ +* http://werner-dijkerman.nl/2016/07/31/testing-ansible-roles-in-a-cluster-setup-with-docker-and-molecule/ + +With each Pull Request, Molecule will be executed via travis.ci. Pull Requests will only be merged once these tests run successfully. + +# License + +GNU General Public License v3.0 or later + +See LICENCE to see the full text. + +# Author Information + +Please send suggestion or pull requests to make this role better. Also let us know if you encounter any issues installing or using this role. + +Github: https://github.com/ansible-collections/community.zabbix diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml new file mode 100644 index 000000000..6e326461e --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml @@ -0,0 +1,144 @@ +--- +# defaults file for zabbix-web + +# zabbix_web_version: 6.0 +zabbix_web_version_minor: "*" +zabbix_version: "{{ zabbix_web_version }}" +zabbix_repo: zabbix +zabbix_web_package_state: present +zabbix_web_centos_release: true +zabbix_web_rhel_release: true +zabbix_selinux: false +zabbix_web_doubleprecision: false +zabbix_web_conf_mode: "0640" +zabbix_web_connect_ha_backend: false + +zabbix_url: zabbix.example.com # Will be deprecated in 2.0.0 +zabbix_api_server_url: "{{ zabbix_url }}" +zabbix_websrv: apache +zabbix_websrv_servername: "{{ zabbix_api_server_url | regex_findall('(?:https?\\://)?([\\w\\-\\.]+)') | first }}" +zabbix_url_aliases: [] +zabbix_web_htpasswd: false +zabbix_web_htpasswd_file: /etc/zabbix/web/htpasswd +zabbix_timezone: Europe/Amsterdam +zabbix_vhost: true + +zabbix_php_install: true +zabbix_php_frontend_deprecated: false +zabbix_php_fpm: false +zabbix_php_fpm_dir_etc: /etc/opt/rh/rh-php72/ +zabbix_php_fpm_dir_var: /var/opt/rh/rh-php72/ +zabbix_php_fpm_conf_listen: true +zabbix_php_fpm_conf_enable_user: true +zabbix_php_fpm_conf_enable_group: true +zabbix_php_fpm_conf_mode: "0664" +zabbix_php_fpm_conf_enable_mode: true +zabbix_php_install_state: present + +zabbix_apache_vhost_port: 80 +zabbix_apache_vhost_tls_port: 443 +zabbix_apache_vhost_listen_ip: "*" +zabbix_apache_tls: false +zabbix_apache_redirect: false +zabbix_apache_tls_crt: /etc/pki/server.crt +zabbix_apache_tls_key: /etc/pki/server.key +zabbix_apache_tls_chain: +zabbix_apache_can_connect_ldap: false +zabbix_apache_include_custom_fragment: true +zabbix_apache_SSLPassPhraseDialog: exec:/usr/libexec/httpd-ssl-pass-dialog +zabbix_apache_SSLSessionCache: shmcb:/run/httpd/sslcache(512000) +zabbix_apache_SSLSessionCacheTimeout: 300 +zabbix_apache_SSLCryptoDevice: builtin +zabbix_apache_custom_includes: [] + +zabbix_nginx_vhost_port: 80 +zabbix_nginx_vhost_tls_port: 443 +zabbix_nginx_tls: false +zabbix_nginx_redirect: false +zabbix_nginx_tls_session_timeout: 1d +zabbix_nginx_tls_session_cache: shared:MySSL:10m +zabbix_nginx_tls_session_tickets: !!str off +zabbix_nginx_tls_protocols: TLSv1.2 +zabbix_nginx_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + +zabbix_letsencrypt: false +zabbix_letsencrypt_webroot_path: /var/www/letsencrypt +zabbix_letsencrypt_webroot_mode: 0755 + +zabbix_repo_yum_gpgcheck: 0 +zabbix_repo_yum_schema: https +zabbix_repo_yum_disabled: "*" +zabbix_repo_yum_enabled: [] +zabbix_repo_yum: + - name: zabbix + description: Zabbix Official Repository - $basearch + baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/zabbix/{{ zabbix_version | regex_search('^[0-9]+.[0-9]+') }}/rhel/{{ ansible_distribution_major_version }}/$basearch/" + gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}" + mode: "0644" + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX + state: present + - name: zabbix-non-supported + description: Zabbix Official Repository non-supported - $basearch + baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/non-supported/rhel/{{ ansible_distribution_major_version }}/$basearch/" + mode: "0644" + gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}" + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX + state: present + +zabbix_5_repo_yum: + - name: zabbix-frontend + description: Zabbix Official Repository - $basearch + baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/zabbix/{{ zabbix_version | regex_search('^[0-9]+.[0-9]+') }}/rhel/{{ ansible_distribution_major_version }}/$basearch/frontend/" + mode: "0644" + gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}" + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX + state: present + +zabbix_web_max_execution_time: 300 +zabbix_web_memory_limit: 128M +zabbix_web_post_max_size: 16M +zabbix_web_upload_max_filesize: 2M +zabbix_web_max_input_time: 300 +zabbix_web_max_input_vars: 10000 + +# Database +zabbix_server_database: pgsql +zabbix_server_database_long: postgresql +zabbix_server_name: "{{ inventory_hostname }}" +zabbix_server_hostname: "{{ inventory_hostname }}" +zabbix_server_listenport: 10051 +zabbix_server_dbhost: localhost +zabbix_server_dbname: zabbix-server +zabbix_server_dbuser: zabbix-server +zabbix_server_dbpassword: zabbix-server +zabbix_server_dbport: 5432 +zabbix_server_dbencryption: false +zabbix_server_dbverifyhost: false +zabbix_server_dbschema: + +# Elasticsearch +# zabbix_server_history_url: +# - "'uint' => 'http://localhost:9200'" +# - "'text' => 'http://localhost:9200'" +# - "'log' => 'http://localhost:9200'" +# - "'dbl' => 'http://localhost:9200'" +# - "'str' => 'http://localhost:9200'" +zabbix_server_history_types: + - "str" + - "text" + - "log" + - "uint" + - "dbl" + +selinux_allow_zabbix_can_network: false +_zabbix_web_apache_php_addition: false + +# SAML certificates +# zabbix_saml_idp_crt: +# zabbix_saml_sp_crt: +# zabbix_saml_sp_key: + +# When the `geerlingguys apache role` is not provided, we have some defaults. +apache_ssl_cipher_suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +apache_ssl_protocol: all -SSLv3 -TLSv1 -TLSv1.1 +apache_vhosts_version: "2.4" diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/handlers/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/handlers/main.yml new file mode 100644 index 000000000..0d0974632 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/handlers/main.yml @@ -0,0 +1,54 @@ +--- + +- name: restart apache + service: + name: "{{ _apache_service }}" + state: restarted + enabled: true + become: true + when: + - zabbix_websrv == 'apache' + +- name: test nginx config + listen: restart nginx + command: nginx -t + register: zabbix_nginx_cfg_check + notify: restart nginx tested + become: true + when: + - zabbix_websrv == 'nginx' + +- name: restart nginx tested + service: + name: nginx + state: restarted + enabled: true + become: true + when: + - zabbix_websrv == 'nginx' + - zabbix_nginx_cfg_check.rc == 0 + +- name: restart redhat-php-fpm + service: + name: "{{ 'rh-php72-php-fpm' if zabbix_php_fpm else 'php-fpm' }}" + state: restarted + enabled: true + become: true + when: + - zabbix_version is version('5.0', '>=') + +- name: restart php-fpm-version + service: + name: php{{ zabbix_php_version }}-fpm + state: restarted + enabled: true + become: true + when: + - zabbix_version is version('5.0', '>=') + +- name: "clean repo files from proxy creds" + shell: ls /etc/yum.repos.d/zabbix* && sed -i 's/^proxy =.*//' /etc/yum.repos.d/zabbix* || true + become: true + when: + - ansible_os_family == 'RedHat' + - zabbix_http_proxy is defined or zabbix_https_proxy is defined diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/meta/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/meta/main.yml new file mode 100644 index 000000000..907a3c86a --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/meta/main.yml @@ -0,0 +1,28 @@ +--- +galaxy_info: + author: Werner Dijkerman + description: Installing and maintaining zabbix-web for RedHat/Debian/Ubuntu. + company: myCompany.Dotcom + license: license (GPLv3) + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Ubuntu + versions: + - lucid + - precise + - trusty + - name: Debian + versions: + - squeeze + - wheezy + - jessie + - stretch + galaxy_tags: + - monitoring + - zabbix + +dependencies: [] diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml new file mode 100644 index 000000000..8a27b841c --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml @@ -0,0 +1,108 @@ +--- + +- name: "Include Zabbix gpg ids" + include_vars: zabbix.yml + +- name: "Set short version name" + set_fact: + zabbix_short_version: "{{ zabbix_version | regex_replace('\\.', '') }}" + +- name: "Debian | Install gpg key" + apt_key: + id: "{{ sign_keys[zabbix_short_version][ansible_distribution_release]['sign_key'] }}" + url: http://repo.zabbix.com/zabbix-official-repo.key + when: + - zabbix_repo == "zabbix" + become: true + tags: + - zabbix-web + - init + - config + +- name: "Debian | Installing repository {{ ansible_distribution }}" + apt_repository: + repo: "{{ item }} http://repo.zabbix.com/zabbix/{{ zabbix_version }}/{{ ansible_distribution.lower() }}/ {{ ansible_distribution_release }} main" + state: present + become: true + when: + - zabbix_repo == "zabbix" + - ansible_machine != "aarch64" + with_items: + - deb-src + - deb + tags: + - zabbix-web + - init + - config + +- name: "Debian | Installing repository {{ ansible_distribution }}" + apt_repository: + repo: "{{ item }} http://repo.zabbix.com/zabbix/{{ zabbix_version }}/{{ ansible_distribution.lower() }}-arm64/ {{ ansible_distribution_release }} main" + state: present + become: true + when: + - zabbix_repo == "zabbix" + - ansible_machine == "aarch64" + with_items: + - deb-src + - deb + tags: + - zabbix-web + - init + - config + +- name: "Debian | Install PHP apart from zabbix-frontend-php deps" + include_tasks: "php_Debian.yml" + when: zabbix_php_install + +- name: "Debian | Install zabbix-web" + apt: + pkg: "zabbix-frontend-php{{ '-deprecated' if zabbix_php_frontend_deprecated else '' }}" + state: "{{ zabbix_web_package_state }}" + update_cache: true + cache_valid_time: 0 + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_package_install + until: zabbix_web_package_install is succeeded + become: true + tags: + - zabbix-web + - init + - config + +- name: "Debian | Link graphfont.ttf (workaround ZBX-10467)" + file: + src: '/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf' + path: '/usr/share/zabbix/fonts/graphfont.ttf' + state: link + tags: + - zabbix-web + - init + - config + +- name: "Debian | Install PHP" + template: + src: php-fpm.conf.j2 + dest: "{{ zabbix_php_fpm_dir }}/zabbix.conf" + owner: "{{ _apache_user }}" + group: "{{ _apache_group }}" + mode: 0644 + become: true + when: + - zabbix_vhost + notify: + - restart php-fpm-version + +- name: "Including Apache Configuration" + include_tasks: apache_Debian.yml + vars: + zabbix_apache_servername: "{{ zabbix_websrv_servername }}" + when: + - zabbix_websrv == 'apache' + +- name: "Configure SELinux when enabled" + include_tasks: selinux.yml + when: + - zabbix_selinux | bool diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml new file mode 100644 index 000000000..bcd4dd666 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml @@ -0,0 +1,183 @@ +--- +# Tasks specific for RedHat systems + +- name: "RedHat | Install basic repo file" + yum_repository: + name: "{{ item.name }}" + description: "{{ item.description }}" + baseurl: "{{ item.baseurl }}" + gpgcheck: "{{ item.gpgcheck }}" + gpgkey: "{{ item.gpgkey }}" + mode: "{{ item.mode | default('0644') }}" + priority: "{{ item.priority | default('98') }}" + state: "{{ item.state | default('present') }}" + proxy: "{{ zabbix_http_proxy | default(omit) }}" + with_items: "{{ zabbix_repo_yum }}" + register: yum_repo_installed + become: true + when: + zabbix_repo == "zabbix" + notify: + - "clean repo files from proxy creds" + tags: + - zabbix-web + +- name: "RedHat | Install basic repo file (Zabbix 5.x)" + yum_repository: + name: "{{ item.name }}" + description: "{{ item.description }}" + baseurl: "{{ item.baseurl }}" + gpgcheck: "{{ item.gpgcheck }}" + gpgkey: "{{ item.gpgkey }}" + mode: "{{ item.mode | default('0644') }}" + priority: "{{ item.priority | default('98') }}" + state: "{{ item.state | default('present') }}" + proxy: "{{ zabbix_http_proxy | default(omit) }}" + with_items: "{{ zabbix_5_repo_yum }}" + become: true + when: + - zabbix_repo == "zabbix" + - zabbix_version is version('5.0', '>=') + - ansible_distribution_major_version != '8' + - ansible_distribution_major_version != '9' + notify: + - "clean repo files from proxy creds" + tags: + - zabbix-web + +- name: "RedHat | Install zabbix-web dependency (Zabbix 5.x) (CentOS)" + yum: + pkg: + - centos-release-scl + state: "{{ zabbix_web_package_state }}" + update_cache: true + disablerepo: "{{ '*' if (zabbix_repo_yum_enabled | length>0) else omit }}" + enablerepo: "{{ zabbix_repo_yum_enabled if zabbix_repo_yum_enabled is iterable and (zabbix_repo_yum_enabled | length>0) else omit }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_dependency_package_install + until: zabbix_web_dependency_package_install is succeeded + become: true + when: + - zabbix_version is version('5.0', '>=') + - zabbix_web_centos_release + - ansible_distribution_major_version != '9' + - ansible_distribution_major_version != '8' + - ansible_distribution == "CentOS" + tags: + - zabbix-web + +- name: "RedHat | Install zabbix-web dependency (Zabbix 5.x) (RHEL)" + yum: + pkg: + - scl-utils + - scl-utils-build + state: "{{ zabbix_web_package_state }}" + update_cache: true + disablerepo: "{{ '*' if (zabbix_repo_yum_enabled | length>0) else omit }}" + enablerepo: "{{ zabbix_repo_yum_enabled if zabbix_repo_yum_enabled is iterable and (zabbix_repo_yum_enabled | length>0) else omit }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_dependency_package_install + until: zabbix_web_dependency_package_install is succeeded + become: true + when: + - zabbix_version is version('5.0', '>=') + - zabbix_web_centos_release + - ansible_distribution_major_version != '9' + - ansible_distribution_major_version != '8' + - ansible_distribution == "RedHat" + tags: + - zabbix-web + +- name: "RedHat | Install zabbix-web (Zabbix 5.x)" + yum: + pkg: + - zabbix-apache-conf-scl-{{ zabbix_web_version }}.{{ zabbix_web_version_minor }} + state: "{{ zabbix_web_package_state }}" + update_cache: true + disablerepo: "{{ '*' if (zabbix_repo_yum_enabled | length>0) else omit }}" + enablerepo: "{{ zabbix_repo_yum_enabled if zabbix_repo_yum_enabled is iterable and (zabbix_repo_yum_enabled | length>0) else omit }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_package_install + until: zabbix_web_package_install is succeeded + become: true + when: + - zabbix_version is version('5.0', '>=') + - ansible_distribution_major_version != '9' + - ansible_distribution_major_version != '8' + - zabbix_websrv == 'apache' + tags: + - zabbix-web + +- name: "RedHat | Install zabbix-web-{{ zabbix_server_database }}" + yum: + pkg: zabbix-web-{{ zabbix_server_database }}{{ '-scl' if zabbix_version is version('5.0', '>=') and ansible_distribution_major_version|int < 8 else '' }}-{{ zabbix_web_version }}.{{ zabbix_web_version_minor }} + state: "{{ zabbix_web_package_state }}" + update_cache: true + disablerepo: "{{ '*' if (zabbix_repo_yum_enabled | length>0) else omit }}" + enablerepo: "{{ zabbix_repo_yum_enabled if zabbix_repo_yum_enabled is iterable and (zabbix_repo_yum_enabled | length>0) else omit }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_package_install + until: zabbix_web_package_install is succeeded + become: true + tags: + - zabbix-web + +- name: RedHat 9 | Install PHP" + package: + name: php + state: "{{ zabbix_php_install_state }}" + when: + - zabbix_version is version('6.0', '>=') + - ansible_distribution_major_version == '9' + - zabbix_vhost + +- name: "RedHat | Install PHP" + template: + src: php-fpm.conf.j2 + dest: "{{ zabbix_php_fpm_dir }}/zabbix.conf" + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + mode: 0644 + become: true + when: + - zabbix_vhost + notify: + - restart redhat-php-fpm + +- include_tasks: apache_RedHat.yml + vars: + zabbix_apache_servername: "{{ zabbix_websrv_servername }}" + when: + - zabbix_websrv == 'apache' + +- name: "RedHat | Install Nginx vhost" + template: + src: nginx_vhost.conf.j2 + dest: /etc/nginx/conf.d/zabbix.conf + owner: root + group: root + mode: 0644 + when: + - zabbix_vhost + - zabbix_websrv == 'nginx' + become: true + notify: + - restart nginx + tags: + - zabbix-web + - init + - config + - nginx + +- name: "Configure SELinux when enabled" + include_tasks: selinux.yml + when: + - zabbix_selinux | bool diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/access.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/access.yml new file mode 100644 index 000000000..f02a6ebe4 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/access.yml @@ -0,0 +1,32 @@ +--- +- name: "htpasswd | check Python version to set prefix variable" + set_fact: + zabbix_python_prefix: "python{% if ansible_python_version is version_compare('3', '>=') %}3{% endif %}" + when: + - zabbix_web_htpasswd is defined + - zabbix_web_htpasswd + - zabbix_web_htpasswd_users is defined + +- name: "htpasswd | install passlib for Python interpreter" + package: + name: "{{ zabbix_python_prefix }}-passlib" + state: present + when: + - zabbix_web_htpasswd is defined + - zabbix_web_htpasswd + - zabbix_web_htpasswd_users is defined + +- name: "htpasswd | manage HTTP authentication controls" + community.general.htpasswd: + path: "{{ zabbix_web_htpasswd_file }}" + name: "{{ item.value.htpasswd_user }}" + password: "{{ item.value.htpasswd_pass }}" + group: www-data + state: present + loop_control: + label: "{{ item.value.htpasswd_user }}" + with_dict: "{{ zabbix_web_htpasswd_users }}" + when: + - zabbix_web_htpasswd is defined + - zabbix_web_htpasswd + - zabbix_web_htpasswd_users is defined diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache.yml new file mode 100644 index 000000000..f33b9b765 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache.yml @@ -0,0 +1,35 @@ +--- +- name: "Apache | Get Apache version" + shell: | + PATH=/usr/sbin:$PATH + set -o pipefail + apachectl -v | grep 'version' | awk -F '/' '{ print $2 }'| awk '{ print $1 }' | cut -c 1-3 + changed_when: false + register: apachectl_version + check_mode: false + args: + executable: /bin/bash + tags: + - zabbix-web + +- name: "Apache | Set correct apache_version" + set_fact: + apache_version: "{{ apachectl_version.stdout }}" + tags: + - zabbix-web + +- name: "Set some" + set_fact: + _zabbix_web_apache_php_addition: true + when: + - zabbix_version is version('4.4', '<=') + tags: + - zabbix-web + +- name: "Set some" + set_fact: + _zabbix_web_apache_php_addition: true + when: + - ansible_os_family == "Debian" + tags: + - zabbix-web diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_Debian.yml new file mode 100644 index 000000000..732feaea9 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_Debian.yml @@ -0,0 +1,54 @@ +--- + +- name: "Debian | Install legacy PHP integration for Apache" + apt: + state: present + update_cache: true + cache_valid_time: 3600 + name: + - libapache2-mod-php + become: true + +- name: "Debian | install apache vhost" + template: + src: apache_vhost.conf.j2 + dest: /etc/apache2/sites-available/zabbix.conf + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + mode: 0644 + when: zabbix_vhost + become: true + notify: + - restart apache + tags: + - zabbix-web + - init + - config + - apache + +- name: "Debian | Remove provided zabbix.conf files" + file: + path: "{{ item }}" + state: absent + when: zabbix_vhost + become: true + with_items: + - /etc/apache2/conf-available/zabbix.conf + - /etc/apache2/conf-enabled/zabbix.conf + +- name: "Debian | enable apache vhost" + file: + src: /etc/apache2/sites-available/zabbix.conf + dest: /etc/apache2/sites-enabled/zabbix.conf + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + state: link + when: zabbix_vhost + become: true + notify: + - restart apache + tags: + - zabbix-server + - init + - config + - apache diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_RedHat.yml new file mode 100644 index 000000000..3a271331d --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/apache_RedHat.yml @@ -0,0 +1,17 @@ +--- + +- include_tasks: apache.yml + +- name: "RedHat | Install apache vhost" + template: + src: apache_vhost.conf.j2 + dest: /etc/httpd/conf.d/zabbix.conf + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + mode: 0644 + when: zabbix_vhost + become: true + notify: + - restart apache + tags: + - zabbix-server diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml new file mode 100644 index 000000000..fad607b1d --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml @@ -0,0 +1,103 @@ +--- +# tasks file for wdijkerman.zabbix-web + +- name: "Include OS-specific variables" + include_vars: "{{ ansible_os_family }}.yml" + tags: + - always + +- name: Determine Latest Supported Zabbix Version + set_fact: + zabbix_web_version: "{{ zabbix_valid_web_versions[ansible_distribution_major_version][0] | default(6.0) }}" + when: zabbix_web_version is not defined + +- name: "Include distribution and version-specific vars" + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + tags: + - always + +- name: "Set some versions" + set_fact: + zabbix_short_version: "{{ zabbix_version | regex_replace('\\.', '') }}" + zabbix_php_version: "{{ zabbix_php_version if zabbix_php_version is defined else _zabbix_php_version }}" + _zabbix_php_package_prefix: "" + tags: + - always + +- name: "Set default PHP-FPM variables" + set_fact: + zabbix_php_fpm_dir: "{{ zabbix_php_fpm_dir if zabbix_php_fpm_dir is defined else _php_fpm_dir }}" + zabbix_php_fpm_session: "{{ zabbix_php_fpm_session if zabbix_php_fpm_session is defined else _php_fpm_session }}" + zabbix_php_fpm_listen: "{{ zabbix_php_fpm_listen if zabbix_php_fpm_listen is defined else _php_fpm_listen }}" + when: + - not zabbix_php_fpm + +- name: "Set default PHP-FPM variables specific RH provided" + set_fact: + zabbix_php_fpm_dir: "{{ zabbix_php_fpm_dir if zabbix_php_fpm_dir is defined else _php_fpm_dir }}" + zabbix_php_fpm_session: "{{ zabbix_php_fpm_session if zabbix_php_fpm_session is defined else _zabbix_php_fpm_session }}" + zabbix_php_fpm_listen: "{{ zabbix_php_fpm_listen if zabbix_php_fpm_listen is defined else _zabbix_php_fpm_listen }}" + when: + - zabbix_php_fpm + - ansible_os_family == "RedHat" + +- name: "Set websrv specific variables (Apache)" + set_fact: + zabbix_web_conf_web_user: "{{ zabbix_web_conf_web_user if zabbix_web_conf_web_user is defined else _apache_user }}" + zabbix_web_conf_web_group: "{{ zabbix_web_conf_web_group if zabbix_web_conf_web_group is defined else _apache_group }}" + when: + - zabbix_websrv == 'apache' + +- include_tasks: nginx.yml + when: + - zabbix_websrv == 'nginx' + +- name: "Install the correct repository" + include_tasks: "RedHat.yml" + when: ansible_os_family == "RedHat" + tags: + - zabbix-web + +- name: "Install the correct repository" + include_tasks: "Debian.yml" + when: ansible_os_family == "Debian" + tags: + - zabbix-web + +- name: "Create zabbix-web directory" + file: + path: /etc/zabbix/web + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + state: directory + mode: 0755 + tags: + - zabbix-web + - init + - config + +- name: "Configure zabbix-web" + template: + src: zabbix.conf.php.j2 + dest: /etc/zabbix/web/zabbix.conf.php + owner: "{{ zabbix_web_conf_web_user }}" + group: "{{ zabbix_web_conf_web_group }}" + mode: "{{ zabbix_web_conf_mode }}" + notify: + - restart apache + tags: + - zabbix-web + - init + - config + +- include_tasks: access.yml + when: + - zabbix_web_htpasswd + tags: + - zabbix-web + - init + - config diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/nginx.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/nginx.yml new file mode 100644 index 000000000..9e4ec41f1 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/nginx.yml @@ -0,0 +1,153 @@ +--- +- name: "Nginx | Set websrv specific variables" + set_fact: + zabbix_web_conf_web_user: "{{ zabbix_web_conf_web_user if zabbix_web_conf_web_user is defined else _nginx_user }}" + zabbix_web_conf_web_group: "{{ zabbix_web_conf_web_group if zabbix_web_conf_web_group is defined else _nginx_group }}" + zabbix_nginx_config_path: "{{ zabbix_nginx_config_path if zabbix_nginx_config_path is defined else _nginx_config_path }}" + zabbix_nginx_log_path: "{{ zabbix_nginx_log_path if zabbix_nginx_log_path is defined else _nginx_log_path }}" + zabbix_nginx_service: "{{ zabbix_nginx_service if zabbix_nginx_service is defined else _nginx_service }}" + zabbix_nginx_tls_crt: "{{ zabbix_nginx_tls_crt if zabbix_nginx_tls_crt is defined else _nginx_tls_crt }}" + zabbix_nginx_tls_key: "{{ zabbix_nginx_tls_key if zabbix_nginx_tls_key is defined else _nginx_tls_key }}" + zabbix_nginx_tls_dhparam: "{{ zabbix_nginx_tls_dhparam if zabbix_nginx_tls_dhparam is defined else _nginx_tls_dhparam }}" + zabbix_apache_service: "{{ zabbix_apache_service if zabbix_apache_service is defined else _apache_service }}" + +- name: "Nginx | Check Apache service if same ports" + command: systemctl status "{{ zabbix_apache_service }}" + failed_when: false + register: zabbix_apache_service_check + changed_when: zabbix_apache_service_check.rc == 0 + check_mode: false + when: + - zabbix_apache_vhost_port == zabbix_nginx_vhost_port + - zabbix_apache_vhost_tls_port == zabbix_nginx_vhost_tls_port + +- name: "Nginx | Stop Apache running on same ports" + service: + name: "{{ zabbix_apache_service }}" + state: stopped + enabled: false + tags: + - zabbix-web + when: + - zabbix_apache_vhost_port == zabbix_nginx_vhost_port + - zabbix_apache_vhost_tls_port == zabbix_nginx_vhost_tls_port + - zabbix_apache_service_check.rc == 0 + +- name: "Nginx | Debian | Install Nginx and ssl-cert packages" + # README don't go for HTTP2 with nginx-full yet due to: + # https://support.zabbix.com/browse/ZBXNEXT-4670 + apt: + state: present + name: + - nginx-light + - ssl-cert + when: ansible_os_family == "Debian" + +- name: "Nginx | RedHat | Install Nginx packages" + yum: + state: present + name: + - nginx + when: ansible_os_family == "RedHat" + +- name: "Nginx | Start and enable service" + service: + name: "{{ zabbix_nginx_service }}" + state: started + enabled: true + +- name: "Nginx | Install OpenSSL package for DH parameters" + package: + name: openssl + state: present + +- name: "Nginx | Generate SSL DH parameters" + command: "openssl dhparam -out {{ zabbix_nginx_tls_dhparam }} {{ zabbix_nginx_tls_dhparam_bits | default('2048') }}" + args: + creates: "{{ zabbix_nginx_tls_dhparam }}" + +- name: "Let's Encrypt | check for certificate created by certbot" + stat: + path: "/etc/letsencrypt/live/{{ zabbix_websrv_servername }}/fullchain.pem" + register: zabbix_letsencrypt_cert + failed_when: false + when: zabbix_letsencrypt + +- name: "Let's Encrypt | Create directory for certbot webroot if not exist" + file: + path: "{{ zabbix_letsencrypt_webroot_path }}" + mode: "{{ zabbix_letsencrypt_webroot_mode }}" + state: directory + when: + - zabbix_letsencrypt + become: true + +- name: "Nginx | Install vhost in conf.d" + template: + src: nginx_vhost.conf.j2 + dest: "{{ zabbix_nginx_config_path }}/zabbix.conf" + owner: root + group: root + mode: 0644 + when: + - zabbix_vhost + become: true + notify: + - restart nginx + +- name: "Let's Encrypt | Check if zabbix_websrv_servername is resolvable" + set_fact: + zabbix_websrv_servername_ip: "{{ lookup('dig', 'qtype=A', zabbix_websrv_servername) }}" + changed_when: zabbix_websrv_servername_ip != ansible_default_ipv4.address + register: zabbix_letsencrypt_resolve + when: zabbix_letsencrypt + +- name: "Let's Encrypt | check if certbot CLI is present" + shell: "certbot --version" + register: zabbix_cerbot_check + changed_when: zabbix_cerbot_check.rc != 0 + check_mode: false + when: zabbix_letsencrypt + +- name: "Let's Encrypt | flash all handlers before certbot" + meta: flush_handlers + when: + - zabbix_letsencrypt + - zabbix_letsencrypt_resolve is not changed + - zabbix_cerbot_check.rc == 0 + +- name: "Let's Encrypt | generate certs with certbot CLI" + command: > + certbot --non-interactive certonly --expand + -a webroot --webroot-path={{ zabbix_letsencrypt_webroot_path }} + --email {{ zabbix_letsencrypt_account_email }} --agree-tos + --cert-name {{ zabbix_websrv_servername }} + -d {{ zabbix_websrv_servername }} + args: + creates: "/etc/letsencrypt/live/{{ zabbix_websrv_servername }}/fullchain.pem" + when: + - zabbix_letsencrypt + - zabbix_letsencrypt_resolve is not changed + - zabbix_cerbot_check.rc == 0 + +- name: "Let's Encrypt | Check for certificate created by certbot" + stat: + path: "/etc/letsencrypt/live/{{ zabbix_websrv_servername }}/fullchain.pem" + register: zabbix_letsencrypt_cert + failed_when: false + when: zabbix_letsencrypt + +- name: "Let's Encrypt | Reinstall Nginx vhost" + template: + src: nginx_vhost.conf.j2 + dest: /etc/nginx/conf.d/zabbix.conf + owner: root + group: root + mode: 0644 + when: + - zabbix_letsencrypt + - zabbix_letsencrypt_resolve is not changed + - zabbix_cerbot_check.rc == 0 + become: true + notify: + - restart nginx diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/php_Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/php_Debian.yml new file mode 100644 index 000000000..6a2f329b6 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/php_Debian.yml @@ -0,0 +1,43 @@ +--- + +- include_tasks: apache.yml + when: + - zabbix_websrv == 'apache' + +# This obviously needs to have some improvements.. :) + +- name: "Debian | Determine php prefix for packages installations (legacy php5)" + set_fact: + _zabbix_php_package_prefix: 5 + when: + - ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '<') + or ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('9', '<') + +- name: "Debian | Determine php prefix for packages installations (Current distros)" + set_fact: + _zabbix_php_package_prefix: "{{ zabbix_php_version }}" + when: + - ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '>=') or + ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('9', '>=') + - zabbix_version is version_compare('5.0', '>=') + - not _zabbix_web_apache_php_addition + +- name: "Debian | Install php packages" + apt: + state: present + update_cache: true + cache_valid_time: 3600 + name: + - php{{ _zabbix_php_package_prefix }}-{{ zabbix_server_database }} + - php{{ _zabbix_php_package_prefix }}-bcmath + - php{{ _zabbix_php_package_prefix }}-mbstring + - php{{ _zabbix_php_package_prefix }}-ldap + - php{{ _zabbix_php_package_prefix }}-xml + - php{{ _zabbix_php_package_prefix }}-gd + - php{{ _zabbix_php_package_prefix }}-fpm + register: zabbix_web_php_dependency_install + until: zabbix_web_php_dependency_install is succeeded + become: true + tags: + - zabbix-web + - init diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml new file mode 100644 index 000000000..df8936eb1 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml @@ -0,0 +1,82 @@ +--- + +- name: "SELinux | RedHat | Install related SELinux package" + yum: + name: + - libsemanage-python + state: present + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_dependencies_installed + until: zabbix_web_dependencies_installed is succeeded + become: true + when: + - ansible_os_family == "RedHat" + - selinux_allow_zabbix_can_network + - ansible_distribution_major_version == "7" or ansible_distribution_major_version == "6" + tags: + - zabbix-web + +- name: "SELinux | RedHat | Install related SELinux package on RHEL9 and RHEL8" + yum: + name: + - python3-libsemanage + state: present + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: zabbix_web_dependencies_installed + until: zabbix_web_dependencies_installed is succeeded + become: true + when: + - ansible_os_family == "RedHat" + - selinux_allow_zabbix_can_network + - ansible_distribution_major_version|int >= 8 + tags: + - zabbix-web + +- name: "SELinux | RedHat | Enable zabbix_can_network SELinux boolean" + ansible.posix.seboolean: + name: zabbix_can_network + state: true + persistent: true + become: true + when: + - ansible_os_family == "RedHat" + - selinux_allow_zabbix_can_network + tags: + - zabbix-web + +- name: "SELinux | Allow httpd to connect to db (SELinux)" + ansible.posix.seboolean: + name: httpd_can_network_connect_db + persistent: true + state: true + become: true + when: + - ansible_selinux.status == "enabled" + - selinux_allow_zabbix_can_network + tags: selinux + +- name: "SELinux | Allow httpd to connect to zabbix (SELinux)" + ansible.posix.seboolean: + name: httpd_can_connect_zabbix + persistent: true + state: true + become: true + when: + - ansible_selinux.status == "enabled" + - selinux_allow_zabbix_can_network + tags: selinux + +- name: "SELinux | Allow httpd to connect to ldap (SELinux)" + ansible.posix.seboolean: + name: httpd_can_connect_ldap + persistent: true + state: true + become: true + when: + - ansible_selinux.status == "enabled" + - zabbix_apache_can_connect_ldap | bool + tags: selinux diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/templates/apache_vhost.conf.j2 b/ansible_collections/community/zabbix/roles/zabbix_web/templates/apache_vhost.conf.j2 new file mode 100644 index 000000000..4149c43fa --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/templates/apache_vhost.conf.j2 @@ -0,0 +1,199 @@ +<VirtualHost {{ zabbix_apache_vhost_listen_ip }}:{{ zabbix_apache_vhost_port }}> + ServerName {{ zabbix_apache_servername }} + {% for alias in zabbix_url_aliases %} + ServerAlias {{ alias }} + {% endfor %} + + ## Vhost docroot + DocumentRoot "/usr/share/zabbix" + +{% if zabbix_apache_custom_includes is iterable and (zabbix_apache_custom_includes | length>0) %} + {% for include in zabbix_apache_custom_includes %} + {{ include }} + {% endfor %} +{% endif %} + +{% if zabbix_apache_redirect and zabbix_apache_tls %} + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] +{% endif %} + +{% set directory_paths = ['/usr/share/zabbix/conf', '/usr/share/zabbix/app', '/usr/share/zabbix/include', '/usr/share/zabbix/include/classes'] %} + + <Directory "/usr/share/zabbix"> + {% if apache_version|string() == '2.4' %} + Options FollowSymLinks + AllowOverride None + Require all granted + {% else %} + AllowOverride None + Order Allow,Deny + Allow from all + {% endif %} + + <IfModule dir_module> + DirectoryIndex index.php + </IfModule> + +{% if ansible_os_family == "RedHat" %} + <FilesMatch \.(php|phar)$> + SetHandler "proxy:unix:{{ zabbix_php_fpm_listen }}|fcgi://localhost" + </FilesMatch> +{% endif %} + + </Directory> + +{% for my_path in directory_paths %} + <Directory "{{ my_path }}"> + {% if apache_version|string() == '2.4' %} + Require all denied + {% else %} + AllowOverride None + Order Deny,Allow + Deny from all + {% endif %} + </Directory> + +{% endfor %} + ## Logging + ErrorLog "/var/log/{{ _apache_log }}/{{ zabbix_apache_servername }}_error.log" + ServerSignature Off + CustomLog "/var/log/{{ _apache_log }}/{{ zabbix_apache_servername }}_access.log" combined + + ## Rewrite rules + RewriteEngine On + RewriteRule ^$ /index.php [L] + +{% if _zabbix_web_apache_php_addition | default(false) %} +{% if zabbix_apache_include_custom_fragment | default(true) %} + ## Custom fragment + {% if zabbix_php_fpm %} + ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/share/zabbix/$1 + ProxyTimeout 1800 + {% else %} + php_value max_execution_time {{ zabbix_web_max_execution_time | default('300') }} + php_value memory_limit {{ zabbix_web_memory_limit | default('128M') }} + php_value post_max_size {{ zabbix_web_post_max_size | default('16M') }} + php_value upload_max_filesize {{ zabbix_web_upload_max_filesize | default('2M') }} + php_value max_input_time {{ zabbix_web_max_input_time | default('300') }} + + {% if zabbix_version is version('5.0', '>=') %} + php_value max_input_vars {{ zabbix_web_max_input_vars | default('10000') }} + {% endif %} + + # Set correct timezone. + php_value date.timezone {{ zabbix_timezone }} + {% endif %} +{% endif %} +{% endif %} +</VirtualHost> + +{# Set up TLS vhosts #} +{% if zabbix_apache_tls and zabbix_apache_vhost_tls_port %} + +SSLPassPhraseDialog {{ zabbix_apache_SSLPassPhraseDialog }} +SSLSessionCache {{ zabbix_apache_SSLSessionCache }} +SSLSessionCacheTimeout {{ zabbix_apache_SSLSessionCacheTimeout }} +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +SSLCryptoDevice {{ zabbix_apache_SSLCryptoDevice }} + +<VirtualHost _default_:{{ zabbix_apache_vhost_tls_port }}> + ServerName {{ zabbix_apache_servername }} + {% for alias in zabbix_url_aliases %} + ServerAlias {{ alias }} + {% endfor %} + + ## Vhost docroot + DocumentRoot "/usr/share/zabbix" + +{% if zabbix_apache_custom_includes is iterable and (zabbix_apache_custom_includes | length>0) %} + {% for include in zabbix_apache_custom_includes %} + {{ include }} + {% endfor %} +{% endif %} + + SSLEngine on + SSLCipherSuite {{ apache_ssl_cipher_suite }} + SSLProtocol {{ apache_ssl_protocol }} + SSLHonorCipherOrder On +{% if apache_vhosts_version == "2.4" %} + SSLCompression off +{% endif %} + SSLCertificateFile {{ zabbix_apache_tls_crt }} + SSLCertificateKeyFile {{ zabbix_apache_tls_key }} +{% if zabbix_apache_tls_chain %} + SSLCertificateChainFile {{ zabbix_apache_tls_chain }} +{% endif %} + +{% set directory_paths = ['/usr/share/zabbix/conf', '/usr/share/zabbix/app', '/usr/share/zabbix/include', '/usr/share/zabbix/include/classes'] %} + + <Directory "/usr/share/zabbix"> + {% if apache_version|string() == '2.4' %} + Options FollowSymLinks + AllowOverride None + Require all granted + {% else %} + AllowOverride None + Order Allow,Deny + Allow from all + {% endif %} + + <IfModule dir_module> + DirectoryIndex index.php + </IfModule> + +{% if ansible_os_family == "RedHat" %} + <FilesMatch \.(php|phar)$> + SetHandler "proxy:unix:{{ zabbix_php_fpm_listen }}|fcgi://localhost" + </FilesMatch> +{% endif %} + + </Directory> + +{% for my_path in directory_paths %} + <Directory "{{ my_path }}"> + {% if apache_version|string() == '2.4' %} + Require all granted + {% else %} + AllowOverride None + Order Deny,Allow + Deny from all + {% endif %} + </Directory> + +{% endfor %} + ## Logging + ErrorLog "/var/log/{{ _apache_log }}/{{ zabbix_apache_servername }}_tls_error.log" + ServerSignature Off + CustomLog "/var/log/{{ _apache_log }}/{{ zabbix_apache_servername }}_tls_access.log" combined + + ## Rewrite rules + RewriteEngine On + RewriteRule ^$ /index.php [L] + +{% if _zabbix_web_apache_php_addition | default(false) %} +{% if zabbix_apache_include_custom_fragment | default(true) %} + ## Custom fragment + {% if zabbix_php_fpm %} + ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/share/zabbix/$1 + ProxyTimeout 1800 + {% else %} + php_value max_execution_time {{ zabbix_web_max_execution_time | default('300') }} + php_value memory_limit {{ zabbix_web_memory_limit | default('128M') }} + php_value post_max_size {{ zabbix_web_post_max_size | default('16M') }} + php_value upload_max_filesize {{ zabbix_web_upload_max_filesize | default('2M') }} + php_value max_input_time {{ zabbix_web_max_input_time | default('300') }} + + {% if zabbix_version is version('5.0', '>=') %} + php_value max_input_vars {{ zabbix_web_max_input_vars | default('10000') }} + {% endif %} + + # Set correct timezone. + php_value date.timezone {{ zabbix_timezone }} + {% endif %} +{% endif %} +{% endif %} +</VirtualHost> +{% endif %} diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 b/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 new file mode 100644 index 000000000..49671984c --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 @@ -0,0 +1,110 @@ +# Nginx configuration for Zabbix Web + +server { +{% if not zabbix_nginx_tls %} + listen {{ zabbix_nginx_vhost_port }}; +{% else %} +{% if zabbix_letsencrypt %} + listen 80; + server_tokens off; + server_name {{ zabbix_websrv_servername }} {% for alias in zabbix_url_aliases -%}{{ alias -}} {% endfor %}; + location ^~ /.well-known/acme-challenge { + root {{ zabbix_letsencrypt_webroot_path | default('/var/www/letsencrypt') }}; + # disables IP restrictions and HTTP auth + allow all; + default_type text/plain; + try_files $uri =404; + } + location / { return 301 https://$host:{{ zabbix_nginx_vhost_tls_port }}$request_uri; } +} + +server { +{% endif %} + listen {{ zabbix_nginx_vhost_tls_port }} ssl; +{% if zabbix_letsencrypt and zabbix_letsencrypt_cert.stat.exists %} + ssl_certificate /etc/letsencrypt/live/{{ zabbix_websrv_servername }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ zabbix_websrv_servername }}/privkey.pem; +{% else %} + ssl_certificate {{ zabbix_nginx_tls_crt }}; + ssl_certificate_key {{ zabbix_nginx_tls_key }}; +{% endif %} + ssl_session_timeout {{ zabbix_nginx_tls_session_timeout }}; + ssl_session_cache {{ zabbix_nginx_tls_session_cache }}; + ssl_session_tickets {{ zabbix_nginx_tls_session_tickets }}; + ssl_dhparam {{ zabbix_nginx_tls_dhparam }}; + + ssl_protocols {{ zabbix_nginx_tls_protocols }}; + ssl_ciphers {{ zabbix_nginx_tls_ciphers }}; + ssl_prefer_server_ciphers off; + +{% endif %} + server_tokens off; + server_name {{ zabbix_websrv_servername }} {% for alias in zabbix_url_aliases -%}{{ alias -}} {% endfor %}; + +{% if zabbix_web_allowlist_ips is defined and zabbix_web_allowlist_ips %} + # Allow list IPs via zabbix_web_allowlist_ips + satisfy any; +{% for ip in zabbix_web_allowlist_ips | ansible.netcommon.ipaddr %} + allow {{ ip }}; +{% endfor %} + deny all; + +{% endif %} +{% if zabbix_web_htpasswd is defined and zabbix_web_htpasswd %} + # HTTP authentication via zabbix_web_htpasswd + auth_basic "Restricted"; + auth_basic_user_file {{ zabbix_web_htpasswd_file }}; + +{% endif %} + root /usr/share/zabbix; + + index index.php; + + location = /favicon.ico { + log_not_found off; + } + + location / { + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /\.ht { + deny all; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:{{ zabbix_php_fpm_listen }}; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } +} diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/templates/php-fpm.conf.j2 b/ansible_collections/community/zabbix/roles/zabbix_web/templates/php-fpm.conf.j2 new file mode 100644 index 000000000..bf2faef7a --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/templates/php-fpm.conf.j2 @@ -0,0 +1,35 @@ +[zabbix] +user = {{ zabbix_php_fpm_conf_user if zabbix_php_fpm_conf_user is defined else zabbix_web_conf_web_user }} +group = {{ zabbix_php_fpm_conf_group if zabbix_php_fpm_conf_group is defined else zabbix_web_conf_web_group }} + +listen = {{ zabbix_php_fpm_listen }} +{% if zabbix_php_fpm_conf_listen and ansible_os_family != 'Debian' %} +listen.acl_users = {{ zabbix_php_fpm_conf_user if zabbix_php_fpm_conf_user is defined else zabbix_web_conf_web_user }} +{% endif %} +{% if zabbix_php_fpm_conf_enable_user is defined %} +listen.owner = {{ zabbix_php_fpm_conf_user if zabbix_php_fpm_conf_user is defined else zabbix_web_conf_web_user }} +{% endif %} +{% if zabbix_php_fpm_conf_enable_group %} +listen.group = {{ _nginx_group if zabbix_websrv=='nginx' else _apache_group }} +{% endif %} +{% if zabbix_php_fpm_conf_enable_mode %} +listen.mode = {{ zabbix_php_fpm_conf_mode }} +{% endif %} +listen.allowed_clients = 127.0.0.1 + +pm = dynamic +pm.max_children = 50 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 35 + +php_value[session.save_handler] = files +php_value[session.save_path] = {{ zabbix_php_fpm_session }} + +php_value[max_execution_time] = {{ zabbix_web_max_execution_time | default('300') }} +php_value[memory_limit] = {{ zabbix_web_memory_limit | default('128M') }} +php_value[post_max_size] = {{ zabbix_web_post_max_size | default('16M') }} +php_value[upload_max_filesize] = {{ zabbix_web_upload_max_filesize | default('2M') }} +php_value[max_input_time] = {{ zabbix_web_max_input_time | default('300') }} +php_value[max_input_vars] = {{ zabbix_web_max_input_vars | default('10000') }} +php_value[date.timezone] = {{ zabbix_timezone }} diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/templates/zabbix.conf.php.j2 b/ansible_collections/community/zabbix/roles/zabbix_web/templates/zabbix.conf.php.j2 new file mode 100644 index 000000000..880ed36f0 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/templates/zabbix.conf.php.j2 @@ -0,0 +1,55 @@ +<?php +// Zabbix GUI configuration file +{% if zabbix_server_history_url is defined %} +global $DB, $HISTORY; +{% else %} +global $DB; +{% endif %} + +$DB['TYPE'] = '{{ zabbix_server_database_long | upper() }}'; +$DB['SERVER'] = '{{ zabbix_server_dbhost }}'; +$DB['PORT'] = '{{ zabbix_server_dbport }}'; +$DB['DATABASE'] = '{{ zabbix_server_dbname }}'; +$DB['USER'] = '{{ zabbix_server_dbuser }}'; +$DB['PASSWORD'] = '{{ zabbix_server_dbpassword }}'; +$DB['ENCRYPTION'] = {{ 'true' if zabbix_server_dbencryption else 'false' }}; +$DB['VERIFY_HOST'] = {{ 'true' if zabbix_server_dbverifyhost else 'false' }}; + +// Schema name. Used for IBM DB2 and PostgreSQL. +$DB['SCHEMA'] = '{{ zabbix_server_dbschema }}'; +{% if not zabbix_web_connect_ha_backend %} +$ZBX_SERVER = '{{ zabbix_server_hostname }}'; +$ZBX_SERVER_PORT = '{{ zabbix_server_listenport }}'; +{% endif %} +$ZBX_SERVER_NAME = '{{ zabbix_server_name }}'; + +$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; + +{% if zabbix_server_history_url is defined %} +$HISTORY['url'] = {{ zabbix_server_history_url }}; +$HISTORY['types'] = {{ zabbix_server_history_types | to_json }}; +{% endif %} + +{% if zabbix_web_doubleprecision is defined and zabbix_web_doubleprecision %} +// Use IEEE754 compatible value range for 64-bit Numeric (float) history values. +// This option is enabled by default for new Zabbix installations. +// For upgraded installations, please read database upgrade notes before enabling this option. +$DB['DOUBLE_IEEE754'] = true; +{% endif %} + +{% if zabbix_web_env is defined %} +{% for env,val in zabbix_web_env.items() %} +putenv("{{env}}={{val}}"); +{% endfor %} +{% endif %} + +{% if zabbix_saml_idp_crt is defined %} +$SSO['IDP_CERT'] = '{{ zabbix_saml_idp_crt }}'; +{% endif %} +{% if zabbix_saml_sp_crt is defined %} +$SSO['SP_CERT'] = '{{ zabbix_saml_sp_crt }}'; +{% endif %} +{% if zabbix_saml_sp_key is defined %} +$SSO['SP_KEY'] = '{{ zabbix_saml_sp_key }}'; +{% endif %} +?> diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-10.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-10.yml new file mode 100644 index 000000000..8ed439680 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-10.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.2 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-11.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-11.yml new file mode 100644 index 000000000..9d28ef9e3 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-11.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.4 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-8.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-8.yml new file mode 100644 index 000000000..b4537abdf --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-8.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.3 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-9.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-9.yml new file mode 100644 index 000000000..9d28ef9e3 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian-9.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.4 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml new file mode 100644 index 000000000..9840e6505 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml @@ -0,0 +1,47 @@ +--- +_apache_user: www-data +_apache_group: www-data +_apache_log: apache2 +_apache_service: apache2 + +_php_fpm_dir: /etc/php/{{ _zabbix_php_version }}/fpm/pool.d +_php_fpm_session: /tmp +_php_fpm_listen: /run/php/zabbix.sock +_zabbix_php_fpm_mode: "0666" +_zabbix_php_fpm_allowed_clients: 127.0.0.1 + +_nginx_user: www-data +_nginx_group: www-data +_nginx_config_path: /etc/nginx/conf.d +_nginx_log_path: /var/log/nginx +_nginx_service: nginx +_nginx_tls_crt: /etc/ssl/certs/ssl-cert-snakeoil.pem +_nginx_tls_key: /etc/ssl/private/ssl-cert-snakeoil.key +_nginx_tls_dhparam: /etc/ssl/private/dhparams.pem + +zabbix_valid_web_versions: + # Debian + "11": + - 6.4 + - 6.0 + - 5.0 + - 4.0 + "10": + - 6.0 + - 5.0 + - 4.0 + "9": + - 4.0 + # Ubuntu + "22": + - 6.4 + - 6.0 + "20": + - 6.4 + - 6.0 + - 5.0 + - 4.0 + "18": + - 6.0 + - 5.0 + - 4.0 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-7.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-7.yml new file mode 100644 index 000000000..5109c4793 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-7.yml @@ -0,0 +1,8 @@ +--- +_php_fpm_dir: /etc/opt/rh/rh-php72/php-fpm.d/ +_php_fpm_session: /var/lib/php/session +_php_fpm_listen: "/run/php-fpm/zabbix.sock" + +_zabbix_php_version: 7.2 +_zabbix_php_fpm_session: /var/opt/rh/rh-php72/lib/php/session/ +_zabbix_php_fpm_listen: /var/opt/rh/rh-php72/run/php-fpm/zabbix.sock diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-8.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-8.yml new file mode 100644 index 000000000..72022a460 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-8.yml @@ -0,0 +1,8 @@ +--- +_php_fpm_dir: /etc/php-fpm.d +_php_fpm_session: /var/lib/php/session +_php_fpm_listen: "/run/php-fpm/zabbix.sock" + +_zabbix_php_version: 7.4 +_zabbix_php_fpm_session: /var/opt/rh/rh-php72/lib/php/session/ +_zabbix_php_fpm_listen: /var/opt/rh/rh-php72/run/php-fpm/zabbix.sock diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-9.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-9.yml new file mode 100644 index 000000000..bfcca82d3 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat-9.yml @@ -0,0 +1,8 @@ +--- +_php_fpm_dir: /etc/php-fpm.d +_php_fpm_session: /var/lib/php/session +_php_fpm_listen: "/run/php-fpm/zabbix.sock" + +_zabbix_php_version: 8.0 +_zabbix_php_fpm_session: /var/lib/php/session +_zabbix_php_fpm_listen: /run/php-fpm/zabbix.sock diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat.yml new file mode 100644 index 000000000..89a950683 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/RedHat.yml @@ -0,0 +1,31 @@ +--- +_apache_user: apache +_apache_group: apache +_apache_log: httpd +_apache_service: httpd + +_php_fpm_dir: /etc/php-fpm.d +_php_fpm_session: /var/opt/rh/rh-php72/lib/php/session/ +_php_fpm_listen: /run/php-fpm/zabbix.sock + +_nginx_user: nginx +_nginx_group: nginx +_nginx_config_path: /etc/nginx/conf.d +_nginx_log_path: /var/log/nginx +_nginx_service: nginx +_nginx_tls_crt: /etc/pki/server.crt +_nginx_tls_key: /etc/pki/server.key +_nginx_tls_dhparam: /etc/pki/dhparam-server.pem + +zabbix_valid_web_versions: + "9": + - 6.4 + - 6.0 + "8": + - 6.4 + - 6.0 + - 5.0 + - 4.0 + "7": + - 5.0 + - 4.0 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-18.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-18.yml new file mode 100644 index 000000000..8ed439680 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-18.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.2 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-20.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-20.yml new file mode 100644 index 000000000..9d28ef9e3 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-20.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 7.4 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-22.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-22.yml new file mode 100644 index 000000000..39525f373 --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Ubuntu-22.yml @@ -0,0 +1,3 @@ +--- + +_zabbix_php_version: 8.1 diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/zabbix.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/zabbix.yml new file mode 100644 index 000000000..6de493b2e --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/zabbix.yml @@ -0,0 +1,258 @@ +--- +sign_keys: + "64": + bullseye: + sign_key: E709712C + buster: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + jammy: + sign_key: E709712C + "62": + bullseye: + sign_key: E709712C + buster: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + jammy: + sign_key: E709712C + "60": + bullseye: + sign_key: E709712C + buster: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + jammy: + sign_key: E709712C + "54": + bullseye: + sign_key: E709712C + buster: + sign_key: E709712C + jessie: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + tricia: + sign_key: E709712C + "52": + # bullseye: not available upstream + buster: + sign_key: E709712C + jessie: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + tricia: + sign_key: E709712C + "50": + bullseye: + sign_key: E709712C + buster: + sign_key: E709712C + jessie: + sign_key: E709712C + stretch: + sign_key: E709712C + focal: + sign_key: E709712C + bionic: + sign_key: E709712C + xenial: + sign_key: E709712C + trusty: + sign_key: E709712C + tricia: + sign_key: E709712C + "44": + buster: + sign_key: A14FE591 + jessie: + sign_key: 79EA5ED4 + stretch: + sign_key: A14FE591 + focal: + sign_key: A14FE591 + eoan: + sign_key: A14FE591 + cosmic: + sign_key: A14FE591 + bionic: + sign_key: A14FE591 + sonya: + sign_key: A14FE591 + serena: + sign_key: A14FE591 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "42": + buster: + sign_key: A14FE591 + jessie: + sign_key: 79EA5ED4 + stretch: + sign_key: A14FE591 + eoan: + sign_key: A14FE591 + cosmic: + sign_key: A14FE591 + bionic: + sign_key: A14FE591 + sonya: + sign_key: A14FE591 + serena: + sign_key: A14FE591 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "40": + bullseye: + sign_key: A14FE591 + buster: + sign_key: A14FE591 + jessie: + sign_key: 79EA5ED4 + stretch: + sign_key: A14FE591 + focal: + sign_key: A14FE591 + bionic: + sign_key: A14FE591 + sonya: + sign_key: A14FE591 + serena: + sign_key: A14FE591 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "34": + jessie: + sign_key: 79EA5ED4 + stretch: + sign_key: A14FE591 + wheezy: + sign_key: A14FE591 + bionic: + sign_key: A14FE591 + sonya: + sign_key: A14FE591 + serena: + sign_key: A14FE591 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "32": + stretch: + sign_key: A14FE591 + wheezy: + sign_key: 79EA5ED4 + bionic: + sign_key: A14FE591 + sonya: + sign_key: 79EA5ED4 + serena: + sign_key: 79EA5ED4 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "30": + buster: + sign_key: A14FE591 + jessie: + sign_key: 79EA5ED4 + stretch: + sign_key: A14FE591 + wheezy: + sign_key: 79EA5ED4 + bionic: + sign_key: A14FE591 + trusty: + sign_key: 79EA5ED4 + xenial: + sign_key: E709712C + "24": + jessie: + sign_key: 79EA5ED4 + wheezy: + sign_key: 79EA5ED4 + precise: + sign_key: 79EA5ED4 + trusty: + sign_key: 79EA5ED4 + "22": + squeeze: + sign_key: 79EA5ED4 + wheezy: + sign_key: 79EA5ED4 + precise: + sign_key: 79EA5ED4 + trusty: + sign_key: 79EA5ED4 + lucid: + sign_key: 79EA5ED4 + +suse: + "openSUSE Leap": + "42": + name: server:monitoring + url: http://download.opensuse.org/repositories/server:/monitoring/openSUSE_Leap_{{ ansible_distribution_version }}/ + "openSUSE": + "12": + name: server_monitoring + url: http://download.opensuse.org/repositories/server:/monitoring/openSUSE_{{ ansible_distribution_version }} + "SLES": + "11": + name: server_monitoring + url: http://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/ + "12": + name: server_monitoring + url: http://download.opensuse.org/repositories/server:/monitoring/SLE_12_SP3/ |