Diffstat (limited to '')
36 files changed, 385 insertions, 748 deletions
diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/README.md b/ansible_collections/community/zabbix/roles/zabbix_agent/README.md index aa73fab3a..fe4a601b3 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/README.md +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/README.md @@ -102,6 +102,7 @@ See the following list of supported Operating systems with the Zabbix releases: | Debian 11 bullseye | V | V | V | | Debian 10 buster | V | V | V | +You can bypass this matrix by setting `enable_version_check: false` # Getting started @@ -136,6 +137,8 @@ The following is an overview of all available configuration default for this rol * `zabbix_agent_disable_repo`: A list of repos to disable during install. Default `epel`. * `zabbix_repo_deb_url`: The URL to the Zabbix repository. Default `http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_distribution.lower() }}` * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`. +* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`. +* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`. ### SElinux 
@@ -337,7 +340,7 @@ Keep in mind that using the Zabbix Agent in a Container requires changes to the ## IPMI variables -* `zabbix_agent_ipmi_authtype`: IPMI authentication algorithm. Possible values are 1 (callback), 2 (user), 3 (operator), 4 (admin), 5 (OEM), with 2 being the API default. +* `zabbix_agent_ipmi_authtype`: IPMI authentication algorithm. Possible values are -1 (default), 0 (none), 1 (MD2), 2 (MD5), 4 (straight), 5 (OEM), 6 (RMCP+), with -1 being the API default. * `zabbix_agent_ipmi_password`: IPMI password. * `zabbix_agent_ipmi_privilege`: IPMI privilege level. Possible values are 1 (callback), 2 (user), 3 (operator), 4 (admin), 5 (OEM), with 2 being the API default. * `zabbix_agent_ipmi_username`: IPMI username. diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/defaults/main.yml index dbd5db5db..12424a6da 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/defaults/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/defaults/main.yml @@ -26,6 +26,9 @@ zabbix_agent2_deny_key: "{{ zabbix_agent_deny_key }}" # Selinux related vars selinux_allow_zabbix_run_sudo: false +zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key +zabbix_repo_deb_include_deb_src: true + zabbix_agent_install_agent_only: false zabbix_agent_packages: - "{{ zabbix_agent_package }}" @@ -66,6 +69,7 @@ zabbix_repo_yum: gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX state: present +zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}" zabbix_repo_deb_component: main # Zabbix API stuff 
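Review bot: The new default `zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key` in the `@@ -26,6 +26,9 @@` hunk fetches the repository signing key over plain HTTP. The `Debian | Download gpg key` task in tasks/Debian.yml passes that URL to `get_url` with `force: true` and, as far as the visible lines show, no `checksum:`, so whatever the network returns becomes the key APT trusts for this repository. That key is also the only thing protecting packages pulled from the `http://` default of `zabbix_repo_deb_url` added in the next hunk. I would default it to `https://repo.zabbix.com/zabbix-official-repo.key` and state in the README that an override should be served over TLS or pinned with `checksum:`. The same default is added in the zabbix_javagateway, zabbix_proxy and zabbix_server defaults/main.yml hunks.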
@@ -165,7 +169,7 @@ zabbix_agent_tls_config: cert: "4" # IPMI settings -zabbix_agent_ipmi_authtype: 2 +zabbix_agent_ipmi_authtype: -1 zabbix_agent_ipmi_password: zabbix_agent_ipmi_privilege: 2 zabbix_agent_ipmi_username: diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/prepare.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/prepare.yml index 582006d4e..e95cc9ad7 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/prepare.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/molecule/with-server/prepare.yml @@ -75,6 +75,7 @@ hosts: docker tasks: - name: "Download Docker CE repo file" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: url: https://download.docker.com/linux/centos/docker-ce.repo dest: /etc/yum.repos.d/docker-ce.repo diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/Debian.yml index 6ded0ba03..92d56b179 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/Debian.yml 
@@ -8,33 +8,6 @@ tags: - always -- name: "Debian | Installing lsb-release" - ansible.builtin.apt: - pkg: lsb-release - update_cache: true - cache_valid_time: 3600 - force: true - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - become: true - tags: - - install - -- name: "Debian | Update ansible_lsb fact" - ansible.builtin.setup: - gather_subset: - - lsb - -- name: "Debian | Repo URL" - ansible.builtin.set_fact: - zabbix_repo_deb_url: "{{ _zabbix_repo_deb_url }}/{{ ansible_lsb.id.lower() }}{{ '-arm64' if ansible_machine == 'aarch64' and ansible_lsb.id == 'debian' else ''}}" - when: - - zabbix_repo_deb_url is undefined - tags: - - always - - name: "Debian | Installing gnupg" ansible.builtin.apt: pkg: gnupg @@ -65,8 +38,9 @@ (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") - name: "Debian | Download gpg key" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: - url: http://repo.zabbix.com/zabbix-official-repo.key + url: "{{ zabbix_repo_deb_gpg_key_url }}" dest: "{{ zabbix_gpg_key }}" mode: "0644" force: true @@ -84,7 +58,7 @@ group: root mode: 0644 content: | - Types: deb deb-src + Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }} Enabled: yes URIs: {{ zabbix_repo_deb_url }} Suites: {{ ansible_distribution_release }} diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/main.yml index f5f87d18f..c5fd06480 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/main.yml 
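Review bot: In the `Types:` line of the `@@ -84,7 +58,7 @@` hunk, `{{ ' deb-src' if zabbix_repo_deb_include_deb_src }}` tests the raw value, so a string such as `false` passed with `-e zabbix_repo_deb_include_deb_src=false` is truthy and deb-src stays enabled. The expression also has no `else` branch, which leaves the empty case to Jinja's undefined handling instead of stating it. I would write `Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src | bool else '' }}`. The same line is added in the javagateway, proxy and server tasks/Debian.yml hunks, and the task holding this `content:` block starts outside the hunk.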
@@ -12,16 +12,12 @@ tags: - always -- name: Set More Variables - ansible.builtin.set_fact: - zabbix_valid_version: "{{ zabbix_agent_version|float in zabbix_valid_agent_versions[ansible_distribution_major_version] }}" - tags: - - always - -- name: Stopping Install of Invalid Version - ansible.builtin.fail: - msg: Zabbix version {{ zabbix_agent_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} - when: not zabbix_valid_version +- name: Check that version is supported + when: enable_version_check | default(true) | bool + ansible.builtin.assert: + that: + - "{{ zabbix_agent_version|float in zabbix_valid_agent_versions[ansible_distribution_major_version] }}" + fail_msg: Zabbix version {{ zabbix_agent_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} tags: - always diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/userparameter.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/userparameter.yml index a80be1736..d61e3899f 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/userparameter.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/tasks/userparameter.yml @@ -7,6 +7,7 @@ notify: - restart win zabbix agent with_items: "{{ zabbix_agent_userparameters }}" + when: item.scripts_dir is not defined - name: "Windows | Installing user-defined scripts" ansible.windows.win_copy: @@ -33,6 +34,7 @@ - restart mac zabbix agent become: true with_items: "{{ zabbix_agent_userparameters }}" + when: item.scripts_dir is not defined - name: "Installing user-defined scripts" ansible.builtin.copy: @@ -66,6 +68,7 @@ - restart mac zabbix agent become: true with_items: "{{ zabbix_agent_userparameters }}" + when: item.scripts_dir is not defined - name: "Installing user-defined scripts" ansible.builtin.copy: 
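Review bot: The `that:` entry of the new `Check that version is supported` task wraps its condition in `{{ }}`, but `assert` already evaluates each entry as a Jinja expression, so the value is templated first and the rendered result is evaluated a second time, which ansible-core warns about for conditionals. Write it bare: `- zabbix_agent_version | float in zabbix_valid_agent_versions[ansible_distribution_major_version]`. Separately, `enable_version_check` is the only role variable here without a `zabbix_` prefix, so one setting in a play's vars silently disables the support check for every role that reads it; a comment next to the `when:` saying that this is intended would help. The javagateway and proxy tasks/main.yml hunks add the same task.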
diff --git a/ansible_collections/community/zabbix/roles/zabbix_agent/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_agent/vars/Debian.yml index 4a65dfbeb..4a88411f1 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_agent/vars/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_agent/vars/Debian.yml @@ -44,5 +44,4 @@ zabbix_valid_agent_versions: - 6.0 debian_keyring_path: /etc/apt/keyrings/ -zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" -_zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}" +zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc" diff --git a/ansible_collections/community/zabbix/roles/zabbix_javagateway/README.md b/ansible_collections/community/zabbix/roles/zabbix_javagateway/README.md index 1761c7f8b..47092a6a0 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_javagateway/README.md +++ b/ansible_collections/community/zabbix/roles/zabbix_javagateway/README.md @@ -46,6 +46,8 @@ See the following list of supported Operating systems with the Zabbix releases. | Debian 11 bullseye | V | V | V | | Debian 10 buster | V | V | V | +You can bypass this matrix by setting `enable_version_check: false` + # Role Variables ## Main variables @@ -62,6 +64,8 @@ The `zabbix_javagateway_version` is optional. The latest available major.minor v * `zabbix_javagateway_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file. * `zabbix_repo_deb_url`: The URL to the Zabbix repository. Default `http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_distribution.lower() }}` * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`. +* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`. +* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`. ### Java Gatewaty 
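Review bot: Changing `zabbix_gpg_key` to `{{ debian_keyring_path }}zabbix-repo.asc` in vars/Debian.yml means hosts that already ran the role keep the previously downloaded `zabbix-official-repo.asc` under `/etc/apt/keyrings/`, and no visible hunk removes it. If the sources entry references the key through `Signed-By` (not shown here) the old file is inert, but a cleanup task using `ansible.builtin.file` with `state: absent` on the old path would keep the keyring directory limited to keys that are actually in use. The javagateway and proxy vars/Debian.yml hunks make the same rename.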
diff --git a/ansible_collections/community/zabbix/roles/zabbix_javagateway/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_javagateway/defaults/main.yml index 4356f61a4..d7f659648 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_javagateway/defaults/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_javagateway/defaults/main.yml @@ -25,9 +25,13 @@ zabbix_repo_yum: gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX state: present +zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_javagateway_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}" zabbix_repo_deb_component: main zabbix_javagateway_pidfile: /run/zabbix/zabbix_java_gateway.pid zabbix_javagateway_listenip: 0.0.0.0 zabbix_javagateway_listenport: 10052 zabbix_javagateway_startpollers: 5 + +zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key +zabbix_repo_deb_include_deb_src: true diff --git a/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/Debian.yml index 4c4cff06d..ad762aa3b 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/Debian.yml 
@@ -5,33 +5,6 @@ tags: - always -- name: "Debian | Installing lsb-release" - ansible.builtin.apt: - pkg: lsb-release - update_cache: true - cache_valid_time: 3600 - force: true - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - become: true - tags: - - install - -- name: "Debian | Update ansible_lsb fact" - ansible.builtin.setup: - gather_subset: - - lsb - -- name: "Debian | Repo URL" - ansible.builtin.set_fact: - zabbix_repo_deb_url: "{{ _zabbix_repo_deb_url }}/{{ ansible_lsb.id.lower() }}{{ '-arm64' if ansible_machine == 'aarch64' and ansible_lsb.id == 'debian' else ''}}" - when: - - zabbix_repo_deb_url is undefined - tags: - - always - # In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. # It SHOULD be created with permissions 0755 if it is needed and does not already exist. # See: https://wiki.debian.org/DebianRepository/UseThirdParty @@ -46,11 +19,15 @@ (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") - name: "Debian | Download gpg key" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: - url: http://repo.zabbix.com/zabbix-official-repo.key + url: "{{ zabbix_repo_deb_gpg_key_url }}" dest: "{{ zabbix_gpg_key }}" mode: "0644" force: true + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" become: true tags: - install @@ -62,7 +39,7 @@ group: root mode: 0644 content: | - Types: deb deb-src + Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }} Enabled: yes URIs: {{ zabbix_repo_deb_url }} Suites: {{ ansible_distribution_release }} 
diff --git a/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/main.yml index 6b56d43d3..aeeecbc8f 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_javagateway/tasks/main.yml @@ -13,16 +13,12 @@ tags: - always -- name: Set More Variables - ansible.builtin.set_fact: - zabbix_valid_version: "{{ zabbix_javagateway_version|float in zabbix_valid_javagateway_versions[ansible_distribution_major_version] }}" - tags: - - always - -- name: Stopping Install of Invalid Version - ansible.builtin.fail: - msg: Zabbix version {{ zabbix_javagateway_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} - when: not zabbix_valid_version +- name: Check that version is supported + when: enable_version_check | default(true) | bool + ansible.builtin.assert: + that: + - "{{ zabbix_javagateway_version|float in zabbix_valid_javagateway_versions[ansible_distribution_major_version] }}" + fail_msg: Zabbix version {{ zabbix_javagateway_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} tags: - always diff --git a/ansible_collections/community/zabbix/roles/zabbix_javagateway/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_javagateway/vars/Debian.yml index 2253f5b7b..7c36d2d3a 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_javagateway/vars/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_javagateway/vars/Debian.yml @@ -26,5 +26,4 @@ zabbix_valid_javagateway_versions: - 6.0 debian_keyring_path: /etc/apt/keyrings/ -zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" -_zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_javagateway_version }}" +zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc" 
diff --git a/ansible_collections/community/zabbix/roles/zabbix_proxy/README.md b/ansible_collections/community/zabbix/roles/zabbix_proxy/README.md index baec42155..ee558c8b7 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_proxy/README.md +++ b/ansible_collections/community/zabbix/roles/zabbix_proxy/README.md @@ -89,6 +89,8 @@ See the following list of supported Operating systems with the Zabbix releases. | Debian 11 bullseye | V | V | V | | Debian 10 buster | V | V | V | +You can bypass this matrix by setting `enable_version_check: false` + # Role Variables ## Main variables @@ -133,6 +135,9 @@ The following is an overview of all available configuration default for this rol * `*zabbix_proxy_package_state`: Default: `present`. Can be overridden to `latest` to update packages * `zabbix_repo_deb_url`: The URL to the Zabbix repository. Default `http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}/{{ ansible_distribution.lower() }}` * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`. +* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`. +* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`. + ### SElinux * `zabbix_proxy_selinux`: Default: `False`. Enables an SELinux policy so that the Proxy will run. diff --git a/ansible_collections/community/zabbix/roles/zabbix_proxy/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_proxy/defaults/main.yml index f46c9c64e..b2b74ebec 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_proxy/defaults/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_proxy/defaults/main.yml 
@@ -41,6 +41,7 @@ zabbix_proxy_version_minor: "*" # Yum/APT Variables zabbix_repo_yum_schema: https zabbix_repo_yum_gpgcheck: 0 +zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}" zabbix_repo_deb_component: main zabbix_proxy_disable_repo: - epel @@ -61,6 +62,8 @@ zabbix_repo_yum: state: present zabbix_proxy_apt_priority: zabbix_proxy_package_state: present +zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key +zabbix_repo_deb_include_deb_src: true # Proxy Configuration Variables (Only ones with role provided defaults) zabbix_proxy_allowroot: 0 diff --git a/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/Debian.yml index 8e27e7d27..bef68b27a 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/Debian.yml 
@@ -7,33 +7,6 @@ tags: - always -- name: "Debian | Installing lsb-release" - ansible.builtin.apt: - pkg: lsb-release - update_cache: true - cache_valid_time: 3600 - force: true - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - become: true - tags: - - install - -- name: "Debian | Update ansible_lsb fact" - ansible.builtin.setup: - gather_subset: - - lsb - -- name: "Debian | Repo URL" - ansible.builtin.set_fact: - zabbix_repo_deb_url: "{{ _zabbix_repo_deb_url }}/{{ ansible_lsb.id.lower() }}{{ '-arm64' if ansible_machine == 'aarch64' and ansible_lsb.id == 'debian' else ''}}" - when: - - zabbix_repo_deb_url is undefined - tags: - - always - - name: "Debian | Set some facts for Zabbix" ansible.builtin.set_fact: datafiles_path: /usr/share/doc/zabbix-sql-scripts/{{ zabbix_proxy_db_long }} @@ -71,11 +44,15 @@ (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") - name: "Debian | Download gpg key" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: - url: http://repo.zabbix.com/zabbix-official-repo.key + url: "{{ zabbix_repo_deb_gpg_key_url }}" dest: "{{ zabbix_gpg_key }}" mode: "0644" force: true + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" register: are_zabbix_proxy_dependency_packages_installed until: are_zabbix_proxy_dependency_packages_installed is succeeded become: true @@ -89,7 +66,7 @@ group: root mode: 0644 content: | - Types: deb deb-src + Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }} Enabled: yes URIs: {{ zabbix_repo_deb_url }} Suites: {{ ansible_distribution_release }} 
diff --git a/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/main.yml index f564635b1..1e8831c35 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_proxy/tasks/main.yml @@ -15,17 +15,18 @@ - name: Set More Variables ansible.builtin.set_fact: zabbix_proxy_db_long: "{{ 'postgresql' if zabbix_proxy_database == 'pgsql' else zabbix_proxy_database }}" - zabbix_valid_version: "{{ zabbix_proxy_version|float in zabbix_valid_proxy_versions[ansible_distribution_major_version] }}" zabbix_short_version: "{{ zabbix_proxy_version | regex_replace('\\.', '') }}" zabbix_proxy_fpinglocation: "{{ zabbix_proxy_fpinglocation if zabbix_proxy_fpinglocation is defined else _zabbix_proxy_fpinglocation}}" zabbix_proxy_fping6location: "{{ zabbix_proxy_fping6location if zabbix_proxy_fping6location is defined else _zabbix_proxy_fping6location}}" tags: - always -- name: Stopping Install of Invalid Version - ansible.builtin.fail: - msg: Zabbix version {{ zabbix_proxy_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} - when: not zabbix_valid_version +- name: Check that version is supported + when: enable_version_check | default(true) | bool + ansible.builtin.assert: + that: + - "{{ zabbix_proxy_version|float in zabbix_valid_proxy_versions[ ansible_facts['distribution_major_version'] ] }}" + fail_msg: Zabbix version {{ zabbix_proxy_version }} is not supported on {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_major_version'] }} tags: - always diff --git a/ansible_collections/community/zabbix/roles/zabbix_proxy/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_proxy/vars/Debian.yml index cd9527eb2..1362e557e 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_proxy/vars/Debian.yml 
+++ b/ansible_collections/community/zabbix/roles/zabbix_proxy/vars/Debian.yml @@ -51,7 +51,6 @@ mysql_plugin: "10": mysql_native_password debian_keyring_path: /etc/apt/keyrings/ -zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" -_zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}" +zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc" _zabbix_proxy_fping6location: /usr/bin/fping6 _zabbix_proxy_fpinglocation: /usr/bin/fping diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/README.md b/ansible_collections/community/zabbix/roles/zabbix_server/README.md index f154f4951..9557281c3 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/README.md +++ b/ansible_collections/community/zabbix/roles/zabbix_server/README.md @@ -86,6 +86,8 @@ See the following list of supported Operating systems with the Zabbix releases: | Debian 11 bullseye | V | V | V | | Debian 10 buster | | | V | +You can bypass this matrix by setting `enable_version_check: false` + # Installation Installing this role is very simple: `ansible-galaxy install community.zabbix.zabbix_server` @@ -109,6 +111,8 @@ The following is an overview of all available configuration default for this rol * `zabbix_service_enabled`: Default: `True` Can be overridden to `False` if needed * `zabbix_repo_deb_url`: The URL to the Zabbix repository. Default `http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}/{{ ansible_distribution.lower() }}` * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`. +* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`. +* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`. ### SElinux 
diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_server/defaults/main.yml index 6aec202dd..933e0339a 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/defaults/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/defaults/main.yml @@ -40,9 +40,8 @@ zabbix_server_version_minor: "*" zabbix_server_package_state: present zabbix_repo_yum_gpgcheck: 0 zabbix_repo_yum_schema: https +zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}" zabbix_repo_deb_component: main -zabbix_server_disable_repo: - - epel zabbix_repo_yum: - name: zabbix description: Zabbix Official Repository - $basearch @@ -59,8 +58,9 @@ zabbix_repo_yum: gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX state: present zabbix_server_apt_priority: -zabbix_server_install_recommends: true zabbix_server_conf_mode: 0640 +zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key +zabbix_repo_deb_include_deb_src: true # Server Configuration Variables (Only ones with role provided defaults) zabbix_server_alertscriptspath: /usr/lib/zabbix/alertscripts diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/Debian.yml index ccfe6f121..c7b106614 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/Debian.yml 
@@ -3,40 +3,6 @@ ansible.builtin.set_fact: zabbix_short_version: "{{ zabbix_server_version | regex_replace('\\.', '') }}" zabbix_underscore_version: "{{ zabbix_server_version | regex_replace('\\.', '_') }}" - zabbix_python_prefix: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}" - tags: - - always - -- name: "Debian | Installing lsb-release" - ansible.builtin.apt: - pkg: lsb-release - update_cache: true - cache_valid_time: 3600 - force: true - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - become: true - tags: - - install - -- name: "Debian | Update ansible_lsb fact" - ansible.builtin.setup: - gather_subset: - - lsb - -- name: "Debian | Repo URL" - ansible.builtin.set_fact: - zabbix_repo_deb_url: "{{ _zabbix_repo_deb_url }}/{{ ansible_lsb.id.lower() }}{{ '-arm64' if ansible_machine == 'aarch64' and ansible_lsb.id == 'debian' else ''}}" - when: - - zabbix_repo_deb_url is undefined - tags: - - always - -- name: "Debian | Set some facts for Zabbix" - ansible.builtin.set_fact: - datafiles_path: /usr/share/zabbix-sql-scripts/{{ 'postgresql' if zabbix_server_database == 'pgsql' else 'mysql' }} tags: - always @@ -70,11 +36,15 @@ (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") - name: "Debian | Download gpg key" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: - url: http://repo.zabbix.com/zabbix-official-repo.key + url: "{{ zabbix_repo_deb_gpg_key_url }}" dest: "{{ zabbix_gpg_key }}" mode: "0644" force: true + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" register: zabbix_server_repo_files_installed until: zabbix_server_repo_files_installed is succeeded become: true 
@@ -88,7 +58,7 @@ group: root mode: 0644 content: | - Types: deb deb-src + Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }} Enabled: yes URIs: {{ zabbix_repo_deb_url }} Suites: {{ ansible_distribution_release }} 
@@ -124,117 +94,3 @@ become: true tags: - install - -# On certain 18.04 images, such as docker or lxc, dpkg is configured not to -# install files into paths /usr/share/doc/* -# Since this is where Zabbix installs its database schemas, we need to allow -# files to be installed to /usr/share/doc/zabbix* -- name: "Debian | Check for the dpkg exclude line" - ansible.builtin.command: grep -F 'path-exclude=/usr/share/doc/*' /etc/dpkg/dpkg.cfg.d/excludes - register: dpkg_exclude_line - failed_when: false - changed_when: false - check_mode: false - become: true - tags: - - install - -- name: "Debian | Allow Zabbix dpkg installs to /usr/share/doc/zabbix*" - ansible.builtin.lineinfile: - path: /etc/dpkg/dpkg.cfg.d/excludes - line: "path-include=/usr/share/doc/zabbix*" - become: true - when: - - dpkg_exclude_line.rc == 0 - tags: - - install - -- name: "Debian | Installing zabbix-server-{{ zabbix_server_database }}" - ansible.builtin.apt: - pkg: zabbix-server-{{ zabbix_server_database }} - state: "{{ zabbix_server_package_state }}" - update_cache: true - cache_valid_time: 0 - install_recommends: "{{ zabbix_server_install_recommends }}" - default_release: "{{ ansible_distribution_release }}" - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_package_installed - until: zabbix_server_package_installed is succeeded - become: true - tags: - - install - -- name: "Debian | Installing zabbix-sql-scripts" - ansible.builtin.apt: - pkg: zabbix-sql-scripts - state: "{{ zabbix_server_package_state }}" - update_cache: true - cache_valid_time: 0 - install_recommends: "{{ zabbix_server_install_recommends }}" - default_release: "{{ ansible_distribution_release }}" - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: 
zabbix_server_package_sql_installed - until: zabbix_server_package_sql_installed is succeeded - when: - - zabbix_server_version is version('5.4', '>=') - become: true - tags: - - install - -- name: "Debian | Install Database Client Package" - block: - - name: "Debian | Install Mysql Client package" - ansible.builtin.apt: - name: - - default-mysql-client - - "{{ zabbix_python_prefix }}-mysqldb" - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database == 'mysql' - - ansible_distribution_release != "buster" - - - name: "Debian 10 | Install Mysql Client package" - ansible.builtin.apt: - name: - - mariadb-client - - "{{ zabbix_python_prefix }}-mysqldb" - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database == 'mysql' - - ansible_distribution_release == "buster" - - - name: "Debian | Install PostgreSQL Client package" - ansible.builtin.apt: - name: - - postgresql-client - - "{{ zabbix_python_prefix }}-psycopg2" - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database == 'pgsql' - when: zabbix_server_install_database_client - tags: - - install - - database - - dependencies 
diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/RedHat.yml index fefd7e86c..77fb7cd8a 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/RedHat.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/RedHat.yml @@ -7,18 +7,6 @@ tags: - always -- name: "RedHat | Use Zabbix package name" - ansible.builtin.set_fact: - zabbix_server_package: "zabbix-server-{{ zabbix_server_database }}" - tags: - - always - -- name: "RedHat | Set facts for Zabbix" - ansible.builtin.set_fact: - datafiles_path: "/usr/share/zabbix-sql-scripts/{{ 'postgresql' if zabbix_server_database == 'pgsql' else 'mysql' }}" - tags: - - always - - name: "RedHat | Make sure old file is absent" ansible.builtin.file: path: /etc/yum.repos.d/zabbix-supported.repo 
@@ -46,86 +34,6 @@ tags: - install -- name: "RedHat | Installing zabbix-server-{{ zabbix_server_database }}" - ansible.builtin.package: - pkg: "{{ zabbix_server_package }}-{{ zabbix_server_version }}.{{ zabbix_server_version_minor }}" - state: "{{ zabbix_server_package_state }}" - disablerepo: "{{ zabbix_server_disable_repo | default(omit) }}" - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_package_installed - until: zabbix_server_package_installed is succeeded - become: true - tags: - - install - -- name: "RedHat | Installing zabbix-sql-scripts" - ansible.builtin.package: - pkg: "zabbix-sql-scripts-{{ zabbix_server_version }}.{{ zabbix_server_version_minor }}" - state: "{{ zabbix_server_package_state }}" - disablerepo: "{{ zabbix_server_disable_repo | default(omit) }}" - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_sql_package_installed - until: zabbix_server_sql_package_installed is succeeded - when: - - zabbix_server_version is version('6.0', '>=') - become: true - tags: - - install - -- name: "RedHat | Install Ansible module dependencies" - ansible.builtin.yum: - name: "{{ pgsql_depenencies[ansible_distribution_major_version] }}" - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database_creation - - zabbix_server_database == 'pgsql' - tags: - - install - - dependencies - -- name: RedHat | Install Database Client Package - block: - - name: "RedHat | Install Mysql Client packages" - ansible.builtin.yum: - name: "{{ 
mysql_client_pkgs[ansible_distribution_major_version] }}" - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database == 'mysql' - - - name: "RedHat | Install PostgreSQL client package" - ansible.builtin.yum: - name: postgresql - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - register: zabbix_server_dependencies_installed - until: zabbix_server_dependencies_installed is succeeded - become: true - when: - - zabbix_server_database == 'pgsql' - when: zabbix_server_install_database_client - tags: - - install - - dependencies - - database - - name: "RedHat | Configure SELinux when enabled" ansible.builtin.include_tasks: selinux.yml when: diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/initialize-mysql.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/initialize-mysql.yml new file mode 100644 index 000000000..c3fd67c6d --- /dev/null +++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/initialize-mysql.yml 
@@ -0,0 +1,155 @@ +--- +# task file for mysql +- name: "Install MySQL dependencies" + ansible.builtin.package: + name: "{{ _zabbix_server_mysql_dependencies | select | list }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: _zabbix_server_dependencies_installed + until: _zabbix_server_dependencies_installed is succeeded + become: true + tags: + - install + - database + - dependencies + +# NOTE: Upgrading system-packages with pip is generally a bad idea, but +# ubuntu-18.04 comes with pymysql==0.8.0, which seems to have a problem with +# versions 8 and above of mysql. +- name: Upgrade pymysql + when: + - ansible_facts['distribution'] == 'Ubuntu' + - ansible_facts['distribution_release'] == 'bionic' + ansible.builtin.pip: + name: "pymysql>=0.10.0,<0.11.0" + state: latest + +- name: "MySQL Database prep" + when: zabbix_server_database_creation + delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}" + vars: + delegated_dbhost: "{{ (zabbix_server_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_server_dbhost) }}" + tags: + - database + block: + - name: "MySQL | Create database" + community.mysql.mysql_db: + login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + name: "{{ zabbix_server_dbname }}" + encoding: "{{ zabbix_server_dbencoding }}" + collation: "{{ zabbix_server_dbcollation }}" + state: present + register: zabbix_database_created + + - name: "MySQL | Create database user" + community.mysql.mysql_user: + login_user: "{{ 
zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + name: "{{ zabbix_server_dbuser }}" + password: "{{ zabbix_server_dbpassword }}" + host: "{{ zabbix_server_privileged_host }}" + plugin: "{{ 'mysql_native_password' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else omit }}" + priv: "{{ zabbix_server_dbname }}.*:ALL" + state: present + +- name: "MySQL verify or create schema" + when: zabbix_server_database_sqlload | bool + vars: + delegated_dbhost: "{{ (zabbix_server_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_server_dbhost) }}" + tags: + - database + block: + # If this check fails, then there's no dbversion table in the database, + # hence it has not been populated, and we'll create it, below. + # Otherwise, the module will succees and we could + # access the database version, for example 5000000 for Zabbix 5.0. 
+ - name: "MySQL | Get current database version" + community.mysql.mysql_query: + login_user: "{{ zabbix_server_dbuser }}" + login_password: "{{ zabbix_server_dbpassword }}" + login_host: "{{ zabbix_server_dbhost }}" + login_port: "{{ zabbix_server_dbport }}" + login_db: "{{ zabbix_server_dbname }}" + query: 'SELECT mandatory FROM dbversion' + rescue: + - name: "MySQL | Get and set schema import overrides" + delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}" + block: + - name: "MySQL | Get current value for variables" + community.mysql.mysql_variables: + variable: "{{ name }}" + login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + loop: + - innodb_default_row_format + - log_bin_trust_function_creators + loop_control: + loop_var: name + register: _mysql_variable_defaults + + - name: "MySQL | Set variable overrides for schema import" + community.mysql.mysql_variables: + variable: "{{ item.name }}" + value: "{{ _mysql_schema_import_overrides[item.name] }}" + login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + when: item.msg != _mysql_schema_import_overrides[item.name] + loop: "{{ _mysql_variable_defaults.results }}" + loop_control: + label: "{{ item.name }}: {{ _mysql_schema_import_overrides[item.name] }}" + vars: + _mysql_schema_import_overrides: + 
innodb_default_row_format: "dynamic" + log_bin_trust_function_creators: "ON" + + - name: "MySQL | Disable InnoDB Strict Mode" + when: ansible_facts['distribution_release'] == "buster" + community.mysql.mysql_variables: + variable: innodb_strict_mode + value: 0 + login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + + - name: "MySQL | Import schema" + community.mysql.mysql_db: + login_user: "{{ zabbix_server_dbuser }}" + login_password: "{{ zabbix_server_dbpassword }}" + login_host: "{{ zabbix_server_dbhost }}" + login_port: "{{ zabbix_server_dbport }}" + name: "{{ zabbix_server_dbname }}" + encoding: "{{ zabbix_server_dbencoding }}" + collation: "{{ zabbix_server_dbcollation }}" + state: import + target: /usr/share/zabbix-sql-scripts/mysql/server.sql.gz + + always: + - name: "MySQL | Revert variable overrides for schema import" + delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}" + community.mysql.mysql_variables: + variable: "{{ item.name }}" + value: "{{ item.msg }}" + login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" + login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" + login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" + loop: "{{ _mysql_variable_defaults.results | default([]) }}" + loop_control: + label: "{{ item.name }}: {{ item.msg }}" 
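Review bot: `MySQL | Disable InnoDB Strict Mode` sets the global `innodb_strict_mode` to 0 on buster, and nothing in the `always` section puts it back. The revert loop only walks `_mysql_variable_defaults`, which captures `innodb_default_row_format` and `log_bin_trust_function_creators`. After a schema import the database server is therefore left with strict mode off for every schema it hosts, presumably until it is restarted or reconfigured by hand. I would read the current value before overriding it and restore it next to the existing revert task, as sketched below. Indentation is lost in this rendering, so the nesting of the new tasks needs checking against the file.

```yaml
# … unchanged: "MySQL | Set variable overrides for schema import" …
    - name: "MySQL | Get current value for innodb_strict_mode"
      when: ansible_facts['distribution_release'] == "buster"
      community.mysql.mysql_variables:
        variable: innodb_strict_mode
        # … unchanged: the five login_* parameters used by the neighbouring tasks …
      register: _mysql_innodb_strict_mode
# … unchanged: "MySQL | Disable InnoDB Strict Mode", "MySQL | Import schema" …
  always:
    - name: "MySQL | Revert innodb_strict_mode"
      when: _mysql_innodb_strict_mode.msg is defined
      delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}"
      community.mysql.mysql_variables:
        variable: innodb_strict_mode
        value: "{{ _mysql_innodb_strict_mode.msg }}"
        # … unchanged: the five login_* parameters …
# … unchanged: "MySQL | Revert variable overrides for schema import" …
```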
diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/postgresql.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/initialize-pgsql.yml
index 5177a55be..65bd0beec 100644
--- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/postgresql.yml
+++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/initialize-pgsql.yml
@@ -1,126 +1,92 @@ --- # task file for postgresql - -- name: "PostgreSQL | Set the correct delegated_dbhost (to support postgres db deployment on a remote dbhost)" - ansible.builtin.set_fact: - delegated_dbhost: "{{ zabbix_server_dbhost if (zabbix_server_dbhost != 'localhost') else inventory_hostname }}" - when: - - zabbix_server_dbhost_run_install - tags: - - database - -- name: "PostgreSQL | Set the correct delegated_dbhost (to support postgres db deployment on a remote dbhost)" - ansible.builtin.set_fact: - delegated_dbhost: "{{ inventory_hostname }}" - when: - - not zabbix_server_dbhost_run_install +- name: "Install PostgreSQL dependencies" + ansible.builtin.package: + name: "{{ _zabbix_server_pgsql_dependencies | select | list }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" + register: _zabbix_server_dependencies_installed + until: _zabbix_server_dependencies_installed is succeeded + become: true tags: + - install - database + - dependencies -- name: "PostgreSQL | Delegated" - block: - - name: "PostgreSQL | Delegated | Create database" - community.postgresql.postgresql_db: - name: "{{ zabbix_server_dbname }}" - port: "{{ zabbix_server_dbport }}" - state: present - - - name: "PostgreSQL | Delegated | Create database user" - community.postgresql.postgresql_user: - db: "{{ zabbix_server_dbname }}" - name: "{{ zabbix_server_dbuser }}" - password: "{{ ('md5' + (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5')) if zabbix_server_dbpassword_hash_method == 'md5' else zabbix_server_dbpassword }}" - port: "{{ zabbix_server_dbport }}" - priv: ALL - state: present - encrypted: true - - - name: "PostgreSQL | Delegated | Create timescaledb extension" - community.postgresql.postgresql_ext: - db: "{{ zabbix_server_dbname }}" - name: timescaledb - when: zabbix_server_database_timescaledb - become: true +- name: "PostgreSQL Database prep" + when: 
zabbix_server_database_creation + become: "{{ zabbix_server_dbhost_run_install }}" become_user: postgres - delegate_to: "{{ delegated_dbhost }}" - when: - - zabbix_server_database_creation - - zabbix_server_pgsql_login_host is not defined + delegate_to: "{{ zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname) }}" + vars: + delegated_dbhost: "{{ (zabbix_server_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_server_dbhost) }}" tags: - database - -- name: "PostgreSQL | Remote" block: - - name: "PostgreSQL | Remote | Create database" + - name: "PostgreSQL | Create database" community.postgresql.postgresql_db: - login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" login_user: "{{ zabbix_server_pgsql_login_user | default(omit) }}" login_password: "{{ zabbix_server_pgsql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" + port: "{{ zabbix_server_dbport }}" login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" name: "{{ zabbix_server_dbname }}" - port: "{{ zabbix_server_dbport }}" state: present - - name: "PostgreSQL | Remote | Create database user" + - name: "PostgreSQL | Create database user" community.postgresql.postgresql_user: - login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" login_user: "{{ zabbix_server_pgsql_login_user | default(omit) }}" login_password: "{{ zabbix_server_pgsql_login_password | default(omit) }}" - db: "{{ zabbix_server_dbname }}" + login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" + port: "{{ zabbix_server_dbport }}" + login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" name: "{{ zabbix_server_dbuser }}" password: "{{ ('md5' + (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5')) if zabbix_server_dbpassword_hash_method == 'md5' else zabbix_server_dbpassword }}" - port: "{{ zabbix_server_dbport }}" + db: "{{ zabbix_server_dbname }}" priv: ALL 
state: present encrypted: true - - name: "PostgreSQL | Remote | Create timescaledb extension" + - name: "PostgreSQL | Create timescaledb extension" + when: zabbix_server_database_timescaledb community.postgresql.postgresql_ext: - login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" login_user: "{{ zabbix_server_pgsql_login_user | default(omit) }}" login_password: "{{ zabbix_server_pgsql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" + port: "{{ zabbix_server_dbport }}" login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" db: "{{ zabbix_server_dbname }}" name: timescaledb - when: zabbix_server_database_timescaledb - when: - - zabbix_server_database_creation - - zabbix_server_pgsql_login_host is defined - tags: - - database -- name: "PostgreSQL | Create schema" - ansible.builtin.shell: | - set -euxo pipefail - FILE={{ 'create.sql' if zabbix_server_version is version('6.0', '<') else 'server.sql' }} - cd {{ datafiles_path }} - if [ -f ${FILE}.gz ] - then zcat ${FILE}.gz > /tmp/create.sql - else - cp ${FILE} /tmp/create.sql - fi - cat /tmp/create.sql | psql -h '{{ zabbix_server_dbhost }}' \ - -U '{{ zabbix_server_dbuser }}' \ - -d '{{ zabbix_server_dbname }}' \ - -p '{{ zabbix_server_dbport }}' - touch /etc/zabbix/schema.done - rm -f /tmp/create.sql - args: - creates: /etc/zabbix/schema.done - executable: /bin/bash - warn: "{{ produce_warn | default(omit) }}" - environment: - PGPASSWORD: "{{ zabbix_server_dbpassword }}" - become: true - when: - - zabbix_server_database_sqlload +- name: "PostgreSQL verify or create schema" + when: zabbix_server_database_sqlload tags: - database + block: + - name: "PostgreSQL | Get current database version" + community.postgresql.postgresql_query: + login_user: "{{ zabbix_server_dbuser }}" + login_password: "{{ zabbix_server_dbpassword }}" + login_host: "{{ zabbix_server_dbhost }}" + port: "{{ zabbix_server_dbport }}" + db: "{{ 
zabbix_server_dbname }}" + query: 'SELECT mandatory FROM dbversion' + rescue: + - name: "PostgreSQL | Import schema" + community.postgresql.postgresql_db: + login_user: "{{ zabbix_server_dbuser }}" + login_password: "{{ zabbix_server_dbpassword }}" + login_host: "{{ zabbix_server_dbhost }}" + port: "{{ zabbix_server_dbport }}" + db: "{{ zabbix_server_dbname }}" + state: restore + target: /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz - name: "PostgreSQL | Create TimescaleDB hypertables" ansible.builtin.shell: | set -euxo pipefail - cd {{ datafiles_path }} && + cd /usr/share/zabbix-sql-scripts/postgresql && if [ -f timescaledb.sql.gz ]; then zcat timescaledb.sql.gz > /etc/timescaledb.sql ; else cp -p timescaledb.sql /etc/timescaledb.sql ; fi cat /etc/timescaledb.sql | psql -h '{{ zabbix_server_dbhost }}' \ -U '{{ zabbix_server_dbuser }}' \ diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/main.yml index 62674a7ff..356403e0b 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/main.yml 
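Review bot: The `rescue` under `PostgreSQL | Get current database version` runs `PostgreSQL | Import schema` on any failure of the query, not only when the `dbversion` table is missing. A refused connection, a wrong port or a rejected password takes the same path as an empty database, so the operator sees the error from the restore step instead of the real one, and a transient error in front of a populated database starts a restore of `server.sql.gz` into it. I would make the emptiness check an explicit query that succeeds either way and gate the import on its result, as sketched below. The `rescue` in the new `initialize-mysql.yml` has the same shape.

```yaml
    - name: "PostgreSQL | Check whether the dbversion table exists"
      community.postgresql.postgresql_query:
        # … unchanged: login_user, login_password, login_host, port, db …
        query: "SELECT 1 FROM information_schema.tables WHERE table_name = 'dbversion'"
      register: _zabbix_server_dbversion_table

    - name: "PostgreSQL | Import schema"
      when: _zabbix_server_dbversion_table.rowcount == 0
      community.postgresql.postgresql_db:
        # … unchanged: connection parameters, state: restore, target …
```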
@@ -13,25 +13,41 @@ - name: Set More Variables ansible.builtin.set_fact: - zabbix_db_type_long: "{{ 'postgresql' if zabbix_server_database == 'pgsql' else 'mysql' }}" - zabbix_valid_version: "{{ zabbix_server_version|float in zabbix_valid_server_versions[ansible_distribution_major_version] }}" zabbix_server_fpinglocation: "{{ zabbix_server_fpinglocation if zabbix_server_fpinglocation is defined else _zabbix_server_fpinglocation}}" zabbix_server_fping6location: "{{ zabbix_server_fping6location if zabbix_server_fping6location is defined else _zabbix_server_fping6location}}" tags: - always -- name: Stopping Install of Invalid Version - ansible.builtin.fail: - msg: Zabbix version {{ zabbix_server_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} - when: not zabbix_valid_version +- name: Check that version is supported + when: enable_version_check | default(true) | bool + ansible.builtin.assert: + that: + - "{{ zabbix_server_version|float in zabbix_valid_server_versions[ ansible_facts['distribution_major_version'] ] }}" + fail_msg: Zabbix version {{ zabbix_server_version }} is not supported on {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_major_version'] }} tags: - always - name: Install the correct repository ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" -- name: Installing the {{ zabbix_db_type_long }} database - ansible.builtin.include_tasks: "{{ zabbix_db_type_long }}.yml" +- name: Install zabbix-server packages + ansible.builtin.package: + name: "{{ _zabbix_server_packages }}" + state: "{{ zabbix_server_package_state }}" + update_cache: true + disablerepo: "{{ zabbix_server_disable_repo | default(_zabbix_server_disable_repo | default(omit)) }}" + install_recommends: "{{ zabbix_server_install_recommends | default(_zabbix_server_install_recommends | default(omit)) }}" + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ 
zabbix_https_proxy | default(None) | default(omit) }}" + register: _zabbix_server_package_installed + until: _zabbix_server_package_installed is succeeded + become: true + tags: + - install + +- name: "Initialize the database" + ansible.builtin.include_tasks: "initialize-{{ zabbix_server_database }}.yml" - name: "Configure zabbix-server" ansible.builtin.template: diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/mysql.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/mysql.yml deleted file mode 100644 index aad009816..000000000 --- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/mysql.yml +++ /dev/null 
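Review bot: The `that:` entry of `Check that version is supported` wraps its condition in `{{ }}`, so the expression is first templated to a string and that string is then evaluated again as a conditional. Ansible treats `that` entries as conditionals in the same way as `when`, where Jinja delimiters are discouraged, and this double evaluation is best avoided when a user-supplied value such as `zabbix_server_version` is part of the expression. The bare expression performs the same check: `- zabbix_server_version | float in zabbix_valid_server_versions[ansible_facts['distribution_major_version']]`.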
@@ -1,213 +0,0 @@ ---- -# task file for mysql - -- name: "MySQL | Set the correct delegated_dbhost (to support MySQL db deployment on a remote dbhost)" - ansible.builtin.set_fact: - delegated_dbhost: "{{ zabbix_server_dbhost if (zabbix_server_dbhost != 'localhost') else inventory_hostname }}" - when: - - zabbix_server_dbhost_run_install - tags: - - database - -- name: "MySQL | Set the correct delegated_dbhost (to support MySQL db deployment on a remote dbhost)" - ansible.builtin.set_fact: - delegated_dbhost: "{{ inventory_hostname }}" - when: - - not zabbix_server_dbhost_run_install - tags: - - database - -- name: "MySQL | Override delegated_dbhost with real dbhost when dbhost is behind loadbalancer" - ansible.builtin.set_fact: - delegated_dbhost: "{{ zabbix_server_real_dbhost }}" - when: zabbix_server_real_dbhost | default(false) - tags: - - database - -- name: "MySQL | Create database" - community.mysql.mysql_db: - name: "{{ zabbix_server_dbname }}" - encoding: "{{ zabbix_server_dbencoding }}" - collation: "{{ zabbix_server_dbcollation }}" - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - state: present - when: zabbix_server_database_creation - register: zabbix_database_created - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - - skip_ansible_lint - -- name: "MySQL | Create database user" - community.mysql.mysql_user: - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ 
zabbix_server_mysql_login_unix_socket | default(omit) }}" - name: "{{ zabbix_server_dbuser }}" - password: "{{ zabbix_server_dbpassword }}" - plugin: "{{ 'mysql_native_password' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else omit }}" - priv: "{{ zabbix_server_dbname }}.*:ALL" - host: "{{ zabbix_server_privileged_host }}" - state: present - when: zabbix_server_database_creation - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - -- name: "MySQL | Get the file for create.sql" - ansible.builtin.shell: ls -1 {{ datafiles_path }}/{{ 'create' if zabbix_server_version is version('6.0', '<') else 'server' }}.sq* - changed_when: false - become: true - when: - - zabbix_server_database_sqlload | bool - register: ls_output_create - tags: - - database - -- name: MySQL | Get current database version - ansible.builtin.shell: | - mysql -h {{ zabbix_server_dbhost }} -u{{ zabbix_server_dbuser }} \ - -p'{{ zabbix_server_dbpassword }}' -D '{{ zabbix_server_dbname }}' \ - -e 'SELECT mandatory FROM dbversion;' - register: mysql_db_version - become: true - changed_when: false - ignore_errors: true - tags: - - database - -# If the above check failed, then there was no dbversion table in the database. -# We'll create it, below. Otherwise, we can access the database version in -# `mysql_db_version["stdout_lines"][1]`, for example 5000000 for Zabbix 5.0. 
-- name: MySQL | Check if database needs to be populated - ansible.builtin.set_fact: - mysql_schema_empty: "{{ mysql_db_version is failed }}" - -- name: "MySQL | Get current value for innodb_default_row_format" - community.mysql.mysql_variables: - variable: innodb_default_row_format - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - delegate_to: "{{ delegated_dbhost }}" - register: mysql_innodb_default_row_format - tags: - - database - -- name: "MySQL | Set innodb_default_row_format to dynamic" - community.mysql.mysql_variables: - variable: innodb_default_row_format - value: dynamic - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - when: - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - - mysql_innodb_default_row_format.msg != 'dynamic' - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - -- name: "MySQL | Disable InnoDB Strict Mode" - community.mysql.mysql_variables: - variable: innodb_strict_mode - value: 0 - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - when: - - zabbix_server_database_sqlload | 
bool - - mysql_schema_empty - - ansible_distribution_release == "buster" - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - -- name: "MySQL | Fetch sql create file" - fetch: - src: "{{ ls_output_create.stdout }}" - dest: /tmp/{{ role_name }}/ - flat: true - become: true - when: - - delegated_dbhost != inventory_hostname - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - tags: - - database - -- name: "MySQL | Copy sql create file" - ansible.builtin.copy: - src: /tmp/{{ role_name }}/ - dest: "{{ ls_output_create.stdout | dirname }}" - mode: "0640" - delegate_to: "{{ delegated_dbhost }}" - become: true - when: - - delegated_dbhost != inventory_hostname - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - tags: - - database - -- name: "MySQL | Create database and import file" - community.mysql.mysql_db: - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_dbuser if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else zabbix_server_mysql_login_user }}" - login_password: "{{ zabbix_server_dbpassword if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else zabbix_server_mysql_login_password }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - name: "{{ zabbix_server_dbname }}" - encoding: "{{ zabbix_server_dbencoding }}" - collation: "{{ zabbix_server_dbcollation }}" - state: import - target: "{{ ls_output_create.stdout }}" - use_shell: "{{ true if zabbix_server_version is version('5.0', '==') else false }}" - when: - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - -- name: "MySQL | Revert innodb_default_row_format to previous value" - community.mysql.mysql_variables: - variable: innodb_default_row_format - value: "{{ 
mysql_innodb_default_row_format.msg }}" - login_host: "{{ zabbix_server_mysql_login_host | default(omit) }}" - login_user: "{{ zabbix_server_mysql_login_user | default(omit) }}" - login_password: "{{ zabbix_server_mysql_login_password | default(omit) }}" - login_port: "{{ zabbix_server_mysql_login_port | default(omit) }}" - login_unix_socket: "{{ zabbix_server_mysql_login_unix_socket | default(omit) }}" - when: - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - - mysql_innodb_default_row_format.msg != 'dynamic' - delegate_to: "{{ delegated_dbhost }}" - tags: - - database - -- name: "MySQL | Check if we have sql_done files" - ansible.builtin.file: - path: /etc/zabbix/create.done - state: touch - mode: "0644" - become: true - when: - - zabbix_server_database_sqlload | bool - - mysql_schema_empty - tags: - - database diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/selinux.yml b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/selinux.yml index fe203aed1..cd13dbbfd 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/tasks/selinux.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/tasks/selinux.yml @@ -126,6 +126,6 @@ cmd: files/install_semodule.bsx args: creates: /etc/selinux/targeted/active/modules/400/zabbix_server_add/cil - become: true + become: true tags: - config diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_server/vars/Debian.yml index 4074869e6..75f3751c2 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/vars/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/vars/Debian.yml 
@@ -29,7 +29,20 @@ zabbix_valid_server_versions: - 6.0 debian_keyring_path: /etc/apt/keyrings/ -zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" -_zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}" +zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc" + +_zabbix_server_pgsql_dependencies: + - "{{ zabbix_server_install_database_client | ternary('postgresql-client', '') }}" + - python3-psycopg2 + +_zabbix_server_mysql_dependencies: + - "{{ zabbix_server_install_database_client | ternary('default-mysql-client', '') }}" + - python3-pymysql + _zabbix_server_fping6location: /usr/bin/fping6 _zabbix_server_fpinglocation: /usr/bin/fping + +_zabbix_server_packages: + - "zabbix-server-{{ zabbix_server_database }}" + - "zabbix-sql-scripts" +_zabbix_server_install_recommends: true diff --git a/ansible_collections/community/zabbix/roles/zabbix_server/vars/RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_server/vars/RedHat.yml index c2e0f14f3..fb20631f8 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_server/vars/RedHat.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_server/vars/RedHat.yml 
@@ -18,19 +18,19 @@ zabbix_valid_server_versions: - 6.2 - 6.0 -pgsql_depenencies: - "9": - - python3-psycopg2 - "8": - - python3-psycopg2 +_zabbix_server_pgsql_dependencies: + - "{{ zabbix_server_install_database_client | ternary('postgresql', '') }}" + - python3-psycopg2 -mysql_client_pkgs: - "9": - - mysql - - python3-PyMySQL - "8": - - mysql - - python3-PyMySQL +_zabbix_server_mysql_dependencies: + - "{{ zabbix_server_install_database_client | ternary('mysql', '') }}" + - python3-PyMySQL _zabbix_server_fping6location: /usr/sbin/fping6 _zabbix_server_fpinglocation: /usr/sbin/fping + +_zabbix_server_packages: + - "zabbix-server-{{ zabbix_server_database }}-{{ zabbix_server_version }}.{{ zabbix_server_version_minor }}" + - "zabbix-sql-scripts-{{ zabbix_server_version }}.{{ zabbix_server_version_minor }}" +_zabbix_server_disable_repo: + - epel diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/README.md b/ansible_collections/community/zabbix/roles/zabbix_web/README.md index 5904f8288..aac6f9dc2 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/README.md +++ b/ansible_collections/community/zabbix/roles/zabbix_web/README.md @@ -16,6 +16,7 @@ - [Apache configuration](#apache-configuration) - [Nginx configuration](#nginx-configuration) - [PHP-FPM](#php-fpm) + - [SElinux](#selinux) - [Zabbix Server](#zabbix-server) * [proxy](#proxy) - [Example Playbook](#example-playbook) @@ -65,6 +66,8 @@ See the following list of supported Operating Systems with the Zabbix releases. | Debian 11 bullseye | V | V | V | | Debian 10 buster | | | V | +You can bypass this matrix by setting `enable_version_check: false` + # Installation Installing this role is very simple: `ansible-galaxy install community.zabbix.zabbix_web` 
@@ -94,6 +97,8 @@ The following is an overview of all available configuration defaults for this ro * `zabbix_web_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file. * `zabbix_repo_deb_url`: The URL to the Zabbix repository. Default `http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}/{{ ansible_distribution.lower() }}` * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`. +* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`. +* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`. ### Zabbix Web specific @@ -116,7 +121,6 @@ The following is an overview of all available configuration defaults for this ro * `zabbix_web_vhost_port`: The port on which Zabbix HTTP vhost is running. * `zabbix_web_vhost_tls_port`: The port on which Zabbix HTTPS vhost is running. * `zabbix_web_vhost_listen_ip`: On which interface the Apache Virtual Host is available. -* `zabbix_apache_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP. * `zabbix_web_max_execution_time`: PHP max execution time * `zabbix_web_memory_limit`: PHP memory limit * `zabbix_web_post_max_size`: PHP maximum post size 
@@ -151,6 +155,13 @@ The following properties are specific to Zabbix 5.0 and for the PHP(-FPM) config * `zabbix_php_fpm_conf_group`: The group of the owner of the socket file (When `zabbix_php_fpm_listen` contains a patch to a socket file). +### SElinux + +* `zabbix_web_selinux`: Default: `False`. Enables an SELinux policy so that the web will run. +* `selinux_allow_httpd_can_connect_zabbix`: Default: `false`. Set SELinux boolean to allow httpd to connect to zabbix. +* `selinux_allow_httpd_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP. +* `selinux_allow_httpd_can_network_connect_db`: Default: `false` Set SELinux boolean to allow httpd to connect databases over the network. + ### Zabbix Server * `zabbix_server_name`: The name of the Zabbix Server. diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml index f37bb07da..53744bab9 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/defaults/main.yml @@ -53,6 +53,7 @@ zabbix_web_apt_priority: zabbix_web_version_minor: "*" zabbix_repo_yum_gpgcheck: 0 zabbix_repo_yum_schema: https +zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}" zabbix_repo_deb_component: main zabbix_web_disable_repo: - epel 
@@ -86,9 +87,14 @@ zabbix_server_history_types: - "uint" - "dbl" -zabbix_selinux: false -# selinux_allow_zabbix_can_network: false -# zabbix_apache_can_connect_ldap: false +# SELinux specific +zabbix_web_selinux: false +selinux_allow_httpd_can_connect_ldap: false +selinux_allow_httpd_can_network_connect_db: false +selinux_allow_httpd_can_connect_zabbix: false + +zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key +zabbix_repo_deb_include_deb_src: true # SAML certificates # zabbix_saml_idp_crt: diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml index ae1c7de26..d3c12fdac 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/Debian.yml @@ -13,33 +13,6 @@ tags: - always -- name: "Debian | Update ansible_lsb fact" - ansible.builtin.setup: - gather_subset: - - lsb - -- name: "Debian | Installing lsb-release" - ansible.builtin.apt: - pkg: lsb-release - update_cache: true - cache_valid_time: 3600 - force: true - state: present - environment: - http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" - https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" - become: true - tags: - - install - -- name: "Debian | Repo URL" - ansible.builtin.set_fact: - zabbix_repo_deb_url: "{{ _zabbix_repo_deb_url }}/{{ ansible_lsb.id.lower() }}{{ '-arm64' if ansible_machine == 'aarch64' and ansible_lsb.id == 'debian' else ''}}" - when: - - zabbix_repo_deb_url is undefined - tags: - - always - - name: "Debian | Install PHP Dependencies" ansible.builtin.apt: pkg: "{{ zabbix_web_php_dependencies }}" 
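Review bot: The new default `zabbix_repo_deb_gpg_key_url` is a plain `http://` URL, and this key is what apt later trusts to verify the Zabbix repository, so anyone able to alter traffic between the host and the mirror can substitute their own signing key. The `get_url` task in `tasks/Debian.yml` that consumes it runs with `force: true` and no `checksum:`, so the key file is replaced on every run with whatever the URL returns. Default to `zabbix_repo_deb_gpg_key_url: https://repo.zabbix.com/zabbix-official-repo.key`, and consider an optional checksum variable passed through to `get_url` so a pinned key can be enforced. The same default is added to the zabbix_agent role, and the `http://` repository URL default added earlier in this file is only as trustworthy as this key.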
@@ -88,11 +61,15 @@ (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") - name: "Debian | Download gpg key" + when: not ansible_check_mode # Because get_url always has changed status in check_mode. ansible.builtin.get_url: - url: http://repo.zabbix.com/zabbix-official-repo.key + url: "{{ zabbix_repo_deb_gpg_key_url }}" dest: "{{ zabbix_gpg_key }}" mode: "0644" force: true + environment: + http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" + https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" become: true tags: - install @@ -104,7 +81,7 @@ group: root mode: 0644 content: | - Types: deb deb-src + Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src }} Enabled: yes URIs: {{ zabbix_repo_deb_url }} Suites: {{ ansible_distribution_release }} diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml index 30871017e..8dfb2e113 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/RedHat.yml @@ -57,3 +57,8 @@ - ansible_distribution_major_version == '9' tags: - install + +- name: "Configure SELinux when enabled" + ansible.builtin.include_tasks: selinux.yml + when: + - zabbix_web_selinux | bool diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml index b82d8486b..54a313a1c 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/main.yml 
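Review bot: `zabbix_repo_deb_include_deb_src` is tested without `| bool` in the `Types:` line, so a value supplied as a string (for instance through `-e zabbix_repo_deb_include_deb_src=false`) is truthy and still emits `deb-src`. The other switches touched by this commit are cast, e.g. `zabbix_web_selinux | bool`; use the same form here and give the expression an explicit else: `Types: deb{{ ' deb-src' if zabbix_repo_deb_include_deb_src | bool else '' }}`. The task this `content:` belongs to starts above the hunk.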
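Review bot: The new `include_tasks: selinux.yml` carries no `tags:`, while the tasks inside `selinux.yml` are tagged `install` and `config`; with a dynamic include, the include task itself has to match the selected tags before anything inside it is considered. A run limited to `--tags install` or `--tags config` therefore skips the SELinux setup entirely even when `zabbix_web_selinux` is true. Add `tags: [install, config]` to the include so the inner tags can take effect.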
@@ -13,15 +13,16 @@ - name: Set More Variables ansible.builtin.set_fact: - zabbix_valid_version: "{{ zabbix_web_version|float in zabbix_valid_web_versions[ansible_distribution_major_version] }}" zabbix_db_type_long: "{{ 'postgresql' if zabbix_server_database == 'pgsql' else 'mysql' }}" tags: - always -- name: Stopping Install of Invalid Version - ansible.builtin.fail: - msg: Zabbix version {{ zabbix_web_version }} is not supported on {{ ansible_distribution }} {{ ansible_distribution_major_version }} - when: not zabbix_valid_version +- name: Check that version is supported + when: enable_version_check | default(true) | bool + ansible.builtin.assert: + that: + - "{{ zabbix_web_version|float in zabbix_valid_web_versions[ ansible_facts['distribution_major_version'] ] }}" + fail_msg: Zabbix version {{ zabbix_web_version }} is not supported on {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_major_version'] }} tags: - always diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml index 56e2ae05e..df5d388db 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/tasks/selinux.yml @@ -12,7 +12,7 @@ become: true when: - ansible_os_family == "RedHat" - - selinux_allow_zabbix_can_network + - ansible_selinux.status == "enabled" - ansible_distribution_major_version == "7" or ansible_distribution_major_version == "6" tags: - install 
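Review bot: The `that:` entry of the new assert wraps the whole condition in `{{ }}`, so the expression is first rendered to text and that text is then evaluated again as a conditional. Ansible warns about templating delimiters in conditionals, and the double evaluation means variable content can end up being interpreted as an expression rather than compared as data. Write it as a bare expression: `- zabbix_web_version | float in zabbix_valid_web_versions[ansible_facts['distribution_major_version']]`.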
@@ -30,23 +30,11 @@ become: true when: - ansible_os_family == "RedHat" - - selinux_allow_zabbix_can_network + - ansible_selinux.status == "enabled" - ansible_distribution_major_version|int >= 8 tags: - install -- name: "SELinux | RedHat | Enable zabbix_can_network SELinux boolean" - ansible.posix.seboolean: - name: zabbix_can_network - state: true - persistent: true - become: true - when: - - ansible_os_family == "RedHat" - - selinux_allow_zabbix_can_network - tags: - - config - - name: "SELinux | Allow httpd to connect to db (SELinux)" ansible.posix.seboolean: name: httpd_can_network_connect_db @@ -55,7 +43,7 @@ become: true when: - ansible_selinux.status == "enabled" - - selinux_allow_zabbix_can_network + - selinux_allow_httpd_can_network_connect_db | bool tags: - config @@ -67,7 +55,7 @@ become: true when: - ansible_selinux.status == "enabled" - - selinux_allow_zabbix_can_network + - selinux_allow_httpd_can_connect_zabbix | bool tags: - config @@ -79,6 +67,6 @@ become: true when: - ansible_selinux.status == "enabled" - - zabbix_apache_can_connect_ldap | bool + - selinux_allow_httpd_can_connect_ldap | bool tags: - config diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 b/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 index 7854b83ce..c04a0712c 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 +++ b/ansible_collections/community/zabbix/roles/zabbix_web/templates/nginx_vhost.conf.j2 @@ -20,7 +20,7 @@ server { try_files $uri $uri/ =404; } - location /assets { + location /assets/ { access_log off; expires 10d; } 
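Review bot: The conditions now read `selinux_allow_httpd_can_network_connect_db`, `selinux_allow_httpd_can_connect_zabbix` and `selinux_allow_httpd_can_connect_ldap`, and nothing in the visible hunks still honours the old `selinux_allow_zabbix_can_network` or `zabbix_apache_can_connect_ldap` names (the defaults hunk likewise replaces `zabbix_selinux` with `zabbix_web_selinux`). An inventory that still sets the old names will silently stop getting these booleans after an upgrade. Splitting one switch into per-boolean switches is the tighter design; to make the transition visible, add a short assert at the top of `selinux.yml` that fails when one of the old variables is defined, or call out the rename in the changelog. The tasks start above these hunks, so an existing guard elsewhere in the file cannot be ruled out.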
@@ -70,9 +70,9 @@ server { ssl_certificate {{ zabbix_web_tls_crt }}; ssl_certificate_key {{ zabbix_web_tls_key }}; - {{ (zabbix_web_ssl_cipher_suite is defined and zabbix_web_ssl_cipher_suite is not none) | ternary('', '# ') }}ssl_ciphers {{ zabbix_web_ssl_cipher_suite | default('') }} - {{ (zabbix_web_SSLSessionCache is defined and zabbix_web_SSLSessionCache is not none) | ternary('', '# ') }}ssl_session_cache {{ zabbix_web_SSLSessionCache | default('') }} - {{ (zabbix_web_SSLSessionCacheTimeout is defined and zabbix_web_SSLSessionCacheTimeout is not none) | ternary('', '# ') }}ssl_session_timeout {{ zabbix_web_SSLSessionCacheTimeout | default('') }} + {{ (zabbix_web_ssl_cipher_suite is defined and zabbix_web_ssl_cipher_suite is not none) | ternary('', '# ') }}ssl_ciphers {{ zabbix_web_ssl_cipher_suite | default('') }}; + {{ (zabbix_web_SSLSessionCache is defined and zabbix_web_SSLSessionCache is not none) | ternary('', '# ') }}ssl_session_cache {{ zabbix_web_SSLSessionCache | default('') }}; + {{ (zabbix_web_SSLSessionCacheTimeout is defined and zabbix_web_SSLSessionCacheTimeout is not none) | ternary('', '# ') }}ssl_session_timeout {{ zabbix_web_SSLSessionCacheTimeout | default('') }}; root /usr/share/zabbix; index index.php; @@ -85,7 +85,7 @@ server { try_files $uri $uri/ =404; } - location /assets { + location /assets/ { access_log off; expires 10d; } diff --git a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml index 7b60c70bd..f49b27155 100644 --- a/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml +++ b/ansible_collections/community/zabbix/roles/zabbix_web/vars/Debian.yml 
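Review bot: The three TLS lines still use `ternary('', '# ')` to comment the directive out, which leaves lines such as `# ssl_ciphers ;` in the rendered vhost when the variable is unset and makes it hard to see at a glance which TLS settings are actually in force. A conditional block states the intent directly and emits nothing when the value is absent: `{% if zabbix_web_ssl_cipher_suite is defined and zabbix_web_ssl_cipher_suite is not none %}ssl_ciphers {{ zabbix_web_ssl_cipher_suite }};{% endif %}`, and likewise for `ssl_session_cache` and `ssl_session_timeout`. The `server` block starts and ends outside this hunk.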
@@ -47,5 +47,4 @@ zabbix_valid_web_versions: - 6.0 debian_keyring_path: /etc/apt/keyrings/ -zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" -_zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}" +zabbix_gpg_key: "{{ debian_keyring_path }}zabbix-repo.asc" |