commit ac94980413a8b698ae649c65a6560f0e74209b6d Author: pmj Date: Thu Dec 19 20:36:21 2019 +0100 +Public first commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5c199eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# ---> Ansible
+*.retry
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..00e73d9
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,5 @@
+"THE BEER-WARE LICENSE" (Revision 42):
+
+PMJ wrote this file. As long as you retain this notice you can
+do whatever you want with this stuff. If we meet some day, and you think this
+stuff is worth it, you can buy me a beer in return PMJ
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2f1044c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,58 @@
+Zabbix Agent ansible role
+=========
+
+This role can be used to deploy Zabbix agents via Ansible automation tool
+
+Requirements
+------------
+
+This role is only for Debian distributions. It will install 4.4 version of Zabbix agents from Zabbix official repo.\
+To use TLS encryption with Auto-Registration, your server needs to be on 4.4 version as well.
+
+Role Variables
+--------------
+
+Each variable is set with a default value in 'defaults/main.conf'. You could change the file or overide them when calling the role.
+
+- zabbix_server: "zabbix.example.net"\
+ FQDN or IP address of Zabbix server. This variable is used to set 'ServerActive' parameter, so use only one FQDN/IP.
+
+- zabbix_proxies: "127.0.0.1"\
+ Comma separated list of proxies or other hosts which should be able to poll passive Zabbix agent. It is used to set the 'Server' parameter along with the 'zabbix_server' variable.
+
+- zabbix_psk: False\
+ PSK for TLS encryption. If set to 'False', TLS parameters won't be set in Zabbix agent configuration file.
+
+- zabbix_psk_id: "PSKAR"\
+ PSK Identity for TLS encryption. See how to configure Auto-Registration with TLS here [#zabbix-auto-registration-with-tls]
+
+Zabbix Auto-Registration with TLS
+---------------------------------
+
+In Zabbix Web interface, go to 'Administration/General/Auto-Registration' ($ZABBIX_SERVER_URL/zabbix.php?action=autoreg.edit).\
+
+Check the PSK option and fill the two field with your PSK Identity and PSK and save.
+![Zabbix GUI Auto Registration configuration](pskar_gui.png)
+
+Example Playbook
+----------------
+
+Here is an example of how to use this role in a playbook:
+
+ - hosts: servers
+ gather_facts: yes
+ become: yes
+ become_user: root
+
+ roles:
+ - { role: zabbix-agent, tags: zabbix } # when not using TLS
+ - { role: zabbix-agent, tags: zabbix, zabbix_psk_id: PSKAR, zabbix_psk: jdkjnckdsjncdskncsdkcldsoijds } # when using TLS
+
+License
+-------
+
+"THE BEER-WARE LICENSE" (Revision 42):
+
+PMJ wrote this file. As long as you retain this notice you can
+do whatever you want with this stuff. If we meet some day, and you think this
+stuff is worth it, you can buy me a beer in return. PMJ
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100755
index 0000000..a3fd77a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# defaults file for zabbix-agent
+zabbix_server: "zabbix.example.net"
+zabbix_proxies: "127.0.0.1"
+zabbix_psk: False
+zabbix_psk_id: "PSKAR"
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100755
index 0000000..ec16c3b
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# handlers file for zabbix-agent
+- name: zabbix-agent restart
+ systemd:
+ name: zabbix-agent
+ state: restarted
+ enabled: yes
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100755
index 0000000..7223799
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,57 @@
+galaxy_info:
+ author: your name
+ description: your description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: license (GPLv2, CC-BY, etc)
+
+ min_ansible_version: 1.2
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ # Optionally specify the branch Galaxy will use when accessing the GitHub
+ # repo for this role. During role install, if no tags are available,
+ # Galaxy will use this branch. During import Galaxy will access files on
+ # this branch. If Travis integration is configured, only notifications for this
+ # branch will be accepted. Otherwise, in all cases, the repo's default branch
+ # (usually master) will be used.
+ #github_branch:
+
+ #
+ # platforms is a list of platforms, and each platform has a name and a list of versions.
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
\ No newline at end of file
diff --git a/pskar_gui.png b/pskar_gui.png
new file mode 100644
index 0000000..3539041
Binary files /dev/null and b/pskar_gui.png differ
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100755
index 0000000..3c6594a
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+# tasks file for zabbix-agent
+
+- name: Deploy zabbix repo
+ template:
+ src: templates/zabbix.list.j2
+ dest: /etc/apt/sources.list.d/zabbix.list
+ force: yes
+ owner: root
+ group: root
+ mode: '0644'
+ when: ansible_distribution == 'Debian'
+
+- name: Deploy zabbix repo GPG
+ copy:
+ src: templates/zabbix-official-repo.gpg
+ dest: /etc/apt/trusted.gpg.d/zabbix-official-repo.gpg
+ force: yes
+ owner: root
+ group: root
+ mode: '0644'
+ when: ansible_distribution == 'Debian'
+
+- name: Install zabbix_agent Debian
+ apt:
+ name:
+ - zabbix-agent
+ - zabbix-get
+ - zabbix-sender
+ state: latest
+ update_cache: yes
+ when: ansible_distribution == 'Debian'
+
+- name: Deploy custom config
+ template:
+ src: templates/custom.conf.j2
+ dest: /etc/zabbix/zabbix_agentd.d/custom.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: zabbix-agent restart
+
+- name: Deploy custom TLS config
+ template:
+ src: templates/tls.conf.j2
+ dest: /etc/zabbix/zabbix_agentd.d/tls.conf
+ owner: root
+ group: root
+ mode: '0644'
+ when: zabbix_psk != False
+ notify: zabbix-agent restart
+
+- name: Deploy zabbix PSK
+ template:
+ src: templates/zabbix_agentd.psk.j2
+ dest: /etc/zabbix/zabbix_agentd.psk
+ force: yes
+ owner: zabbix
+ group: zabbix
+ mode: '0600'
+ when: zabbix_psk != False
+ notify: zabbix-agent restart
+
+# Using system hostname
+- name: Change default config
+ lineinfile:
+ path: /etc/zabbix/zabbix_agentd.conf
+ regex: "^Hostname="
+ line: "#Hostname=Zabbix server"
+ notify: zabbix-agent restart
+
+# Using ansible hostname
+# - name: Change default config
+# lineinfile:
+# path: /etc/zabbix/zabbix_agentd.conf
+# regex: "^Hostname="
+# line: "Hostname={{inventory_hostname | lower}}"
+# notify: zabbix-agent restart
+
+
+
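Review bot: The `Deploy zabbix PSK` task renders the pre-shared key through `template` without `no_log: true`, so a run in diff mode, or any callback that records task results, can write the key into console output and CI logs; adding `no_log: true` to that task keeps it out. The role also never checks the value it is given: Zabbix expects the PSK as a hexadecimal string of at least 32 digits, and an `assert` task placed before the two `when: zabbix_psk != False` tasks would fail early instead of deploying an agent that cannot complete a TLS handshake. Those guards compare against the boolean only, so an empty string still counts as a key and produces an empty `zabbix_agentd.psk`. Nothing removes `tls.conf` or `zabbix_agentd.psk` when the variable is later set back to `False`, so a host keeps its previous TLS settings and key file; a pair of `file: state: absent` tasks under the inverse condition would cover that.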
diff --git a/templates/custom.conf.j2 b/templates/custom.conf.j2
new file mode 100644
index 0000000..36ebbb5
--- /dev/null
+++ b/templates/custom.conf.j2
@@ -0,0 +1,38 @@
+### Option: Server
+# List of comma delimited IP addresses (or hostnames) of Zabbix servers.
+# Incoming connections will be accepted only from the hosts listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally.
+#
+# Mandatory: no
+# Default:
+# Server=
+
+Server={{zabbix_server}},{{zabbix_proxies}}
+
+### Option: ServerActive
+# List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks.
+# If port is not specified, default port is used.
+# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+# If port is not specified, square brackets for IPv6 addresses are optional.
+# If this parameter is not specified, active checks are disabled.
+# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#
+# Mandatory: no
+# Default:
+# ServerActive=
+
+ServerActive={{zabbix_server}}
+
+### Option: HostMetadataItem
+# Optional parameter that defines an item used for getting host metadata.
+# Host metadata is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostMetadata is not defined.
+#
+# Mandatory: no
+# Default:
+# HostMetadataItem=
+
+HostMetadataItem=system.uname
+
diff --git a/templates/tls.conf.j2 b/templates/tls.conf.j2
new file mode 100644
index 0000000..a5ea720
--- /dev/null
+++ b/templates/tls.conf.j2
@@ -0,0 +1,45 @@
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+TLSConnect=psk
+
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+TLSAccept=psk
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+TLSPSKIdentity={{zabbix_psk_id}}
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
+
+TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
diff --git a/templates/zabbix-official-repo.gpg b/templates/zabbix-official-repo.gpg
new file mode 100644
index 0000000..6bb416d
Binary files /dev/null and b/templates/zabbix-official-repo.gpg differ
diff --git a/templates/zabbix.list.j2 b/templates/zabbix.list.j2
new file mode 100644
index 0000000..795534c
--- /dev/null
+++ b/templates/zabbix.list.j2
@@ -0,0 +1,2 @@
+deb http://repo.zabbix.com/zabbix/4.4/debian {{ansible_distribution_release}} main
+deb-src http://repo.zabbix.com/zabbix/4.4/debian {{ansible_distribution_release}} main
\ No newline at end of file
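Review bot: Both `deb` lines in zabbix.list.j2 fetch the repository over plain `http://`, and the companion task in tasks/main.yml installs the signing key into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured source rather than only this one. Signature checking still protects package integrity, but a key trusted for all sources means a compromise of that key could be used to sign packages that replace ones from the distribution itself. Consider keeping the key outside `trusted.gpg.d` and scoping it to this entry, e.g. `deb [signed-by=/usr/share/keyrings/zabbix-official-repo.gpg] https://repo.zabbix.com/zabbix/4.4/debian {{ansible_distribution_release}} main`; the keyring path is only a suggestion, the `copy` task's `dest` would have to match it, and older Debian releases may need `apt-transport-https` for the HTTPS scheme. The key is committed as a binary blob, so recording its expected fingerprint in the README would let users check it against the vendor's published value before trusting it.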
diff --git a/templates/zabbix_agentd.psk.j2 b/templates/zabbix_agentd.psk.j2
new file mode 100644
index 0000000..4d7b08f
--- /dev/null
+++ b/templates/zabbix_agentd.psk.j2
@@ -0,0 +1 @@
+{{zabbix_psk}}
\ No newline at end of file
diff --git a/tests/inventory b/tests/inventory
new file mode 100755
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100755
index 0000000..400dc94
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - zabbix-agent
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100755
index 0000000..fedc36c
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for zabbix-agent
\ No newline at end of file