diff --git a/roles/zabbix-server/defaults/main.yml b/roles/zabbix-server/defaults/main.yml
new file mode 100644
index 0000000..ff912d6
--- /dev/null
+++ b/roles/zabbix-server/defaults/main.yml
@@ -0,0 +1,9 @@
+zabbix_db_name: zabbix
+zabbix_db_user: "{{ zabbix_db_name }}"
+zabbix_db_host: ""
+zabbix_php_max_execution_time: 300
+zabbix_php_memory_limit: 128M
+zabbix_php_post_max_size: 16M
+zabbix_php_upload_max_filesize: 2M
+zabbix_php_max_input_time: 300
+zabbix_web_redir: true
diff --git a/roles/zabbix-server/handlers/main.yml b/roles/zabbix-server/handlers/main.yml
new file mode 100644
index 0000000..617487f
--- /dev/null
+++ b/roles/zabbix-server/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: restart zabbix server
+ service:
+ name=zabbix-server
+ state=restarted
+- name: save firewalld configuration
+ command: firewall-cmd --runtime-to-permanent
diff --git a/roles/zabbix-server/library/zabbix_db_schema b/roles/zabbix-server/library/zabbix_db_schema
new file mode 100644
index 0000000..ec5fc50
--- /dev/null
+++ b/roles/zabbix-server/library/zabbix_db_schema
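Review bot: The `restart zabbix server` handler restarts `name=zabbix-server`, while the tasks in this same commit enable and start `zabbix-server-pgsql`. Unless the package also ships a `zabbix-server` unit (not visible in this diff), a change to `/etc/zabbix_server.conf` would either fail in the handler or restart a different unit than the one the role manages, so the new configuration, including a rotated `DBPassword`, would not take effect. I would use the same unit name in both places: `name=zabbix-server-pgsql`. The tasks also notify `reload httpd`, which is not defined here and presumably comes from the `apache` dependency; worth confirming.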
@@ -0,0 +1,69 @@
+#!/usr/bin/python
+import os
+import psycopg2
+
+
+SCHEMA_DIRECTORY = '/usr/share/zabbix-postgresql'
+SCHEMA_FILES = [
+ 'schema.sql',
+]
+DATA_FILES = [
+ 'images.sql',
+ 'data.sql',
+]
+
+def main():
+ module = AnsibleModule(
+ argument_spec=dict(
+ database=dict(required=True),
+ username=dict(required=True),
+ password=dict(no_log=True),
+ host=dict(),
+ schema_only=dict(type='bool', default=False),
+ ),
+ supports_check_mode=True,
+ )
+
+ database = module.params['database']
+ username = module.params['username']
+ password = module.params['password']
+ host = module.params['host']
+ schema_only = module.params['schema_only']
+
+ dsn = {
+ 'dbname': database,
+ 'user': username,
+ }
+ if password:
+ dsn['password'] = password
+ if host:
+ dsn['host'] = host
+
+ conn = psycopg2.connect(**dsn)
+ with conn.cursor() as cur:
+ cur.execute('SELECT tablename FROM pg_tables '
+ "WHERE schemaname = 'public'")
+ changed = cur.rowcount == 0
+
+ if changed and not module.check_mode:
+ psql = module.get_bin_path('psql')
+ if password:
+ os.environ['PGPASSWORD'] = password
+ if schema_only:
+ scripts = SCHEMA_FILES
+ else:
+ scripts = SCHEMA_FILES + DATA_FILES
+ for filename in scripts:
+ path = os.path.join(SCHEMA_DIRECTORY, filename)
+ cmd = ['psql', '-U', username, '-f', path]
+ if host:
+ cmd.extend(('-h', host))
+ cmd.append(database)
+ module.run_command(cmd, check_rc=True)
+
+ module.exit_json(changed=changed)
+
+
+from ansible.module_utils.basic import *
+
+main()
diff --git a/roles/zabbix-server/meta/main.yml b/roles/zabbix-server/meta/main.yml
new file mode 100644
index 0000000..9838d9f
--- /dev/null
+++ b/roles/zabbix-server/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- apache
diff --git a/roles/zabbix-server/tasks/main.yml b/roles/zabbix-server/tasks/main.yml
new file mode 100644
index 0000000..22e65b3
--- /dev/null
+++ b/roles/zabbix-server/tasks/main.yml
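Review bot: In the loop that loads the SQL files, psql is run without `-v ON_ERROR_STOP=1`, so it exits 0 even when statements inside schema.sql or data.sql fail and `check_rc=True` never fires. Because the idempotence test is only "does `public` contain any table", a half-loaded database is then reported as unchanged on every later run. `os.environ['PGPASSWORD'] = password` also leaves the password in the module process's environment for anything it spawns afterwards; passing it through `environ_update` on `run_command` limits it to the psql child. Finally, `psql = module.get_bin_path('psql')` is computed but the command still uses the literal `'psql'`, and without `required=True` a missing binary is not reported cleanly.

```python
    if changed and not module.check_mode:
        psql = module.get_bin_path('psql', required=True)
        env = {'PGPASSWORD': password} if password else None
        # … unchanged: selection of scripts from SCHEMA_FILES / DATA_FILES …
        for filename in scripts:
            path = os.path.join(SCHEMA_DIRECTORY, filename)
            cmd = [psql, '-v', 'ON_ERROR_STOP=1', '-U', username, '-f', path]
            # … unchanged: optional -h host, database argument …
            module.run_command(cmd, check_rc=True, environ_update=env)
```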
@@ -0,0 +1,109 @@
+- name: load zabbix secrets
+ include_vars: '{{ item }}'
+ with_fileglob:
+ - vault/zabbix
+ tags: always
+
+- name: ensure zabbix packages are installed
+ package:
+ name={{ zbx_srv_required_packages|join(',') }}
+ state=present
+ tags:
+ - install
+
+- name: ensure users can connect to postgresql socket
+ seboolean:
+ name=selinuxuser_postgresql_connect_enabled
+ state=yes
+ persistent=yes
+
+- name: ensure zabbix database user exists
+ become: true
+ become_user: postgres
+ postgresql_user:
+ name: "{{ zabbix_db_user }}"
+ password: "{{ zabbix_db_password|d(omit) }}"
+ state: present
+- name: ensure zabbix database exists
+ become: true
+ become_user: postgres
+ postgresql_db:
+ name={{ zabbix_db_name }}
+ owner={{ zabbix_db_user }}
+ state=present
+- name: ensure zabbix database is populated
+ become: false
+ zabbix_db_schema:
+ username: '{{ zabbix_db_user }}'
+ database: '{{ zabbix_db_name }}'
+ password: '{{ zabbix_db_password|d(omit) }}'
+ host: '{{ zabbix_db_host|d(omit) }}'
+
+- name: ensure zabbix server temporary directory exists
+ file:
+ path=/var/tmp/zabbixsrv
+ mode=0750
+ owner=zabbixsrv
+ group=zabbixsrv
+ seuser=system_u
+ setype=zabbix_tmp_t
+ state=directory
+
+- name: ensure zabbix server is configured
+ template:
+ src=zabbix_server.conf.j2
+ dest=/etc/zabbix_server.conf
+ owner=root
+ group=zabbixsrv
+ mode=0640
+ notify: restart zabbix server
+
+- name: ensure zabbix is allowed in firewall
+ firewalld:
+ port=10051/tcp
+ permanent=no
+ immediate=yes
+ state=enabled
+ notify: save firewalld configuration
+ tags:
+ - firewalld
+- name: ensure zabbix server can connect to the network
+ seboolean:
+ name=zabbix_can_network
+ state=yes
+ persistent=yes
+
+- name: ensure zabbix server starts at boot
+ service:
+ name=zabbix-server-pgsql
+ enabled=yes
+- meta: flush_handlers
+- name: ensure zabbix server is running
+ service:
+ name=zabbix-server-pgsql
+ state=started
+
+- name: ensure php is configured for zabbix front end
+ template:
+ src=zabbix-php.httpd.conf.j2
+ dest=/etc/httpd/conf.d/zabbix-php.conf
+ mode=0644
+ notify: reload httpd
+- name: ensure zabbix web gui is configured
+ template:
+ src=zabbix.conf.php.j2
+ dest=/etc/zabbix/web/zabbix.conf.php
+ owner=root
+ group=apache
+ mode=0640
+- name: ensure zabbix web gui redirect is configured
+ template:
+ src=zabbix-redir.httpd.conf.j2
+ dest=/etc/httpd/conf.d/zabbix-redir.conf
+ mode=0644
+ notify: reload httpd
+- name: ensure apache can connect to zabbix
+ seboolean:
+ name=httpd_can_network_connect
+ persistent=yes
+ state=yes
diff --git a/roles/zabbix-server/templates/zabbix-php.httpd.conf.j2 b/roles/zabbix-server/templates/zabbix-php.httpd.conf.j2
new file mode 100644
index 0000000..a04445c
--- /dev/null
+++ b/roles/zabbix-server/templates/zabbix-php.httpd.conf.j2
@@ -0,0 +1,6 @@
+php_value max_execution_time {{ zabbix_php_max_execution_time }}
+php_value memory_limit {{ zabbix_php_memory_limit }}
+php_value post_max_size {{ zabbix_php_post_max_size }}
+php_value upload_max_filesize {{ zabbix_php_upload_max_filesize }}
+php_value max_input_time {{ zabbix_php_max_input_time }}
+php_value date.timezone {{ zabbix_php_timezone|d('UTC') }}
diff --git a/roles/zabbix-server/templates/zabbix-redir.httpd.conf.j2 b/roles/zabbix-server/templates/zabbix-redir.httpd.conf.j2
new file mode 100644
index 0000000..ad9dca2
--- /dev/null
+++ b/roles/zabbix-server/templates/zabbix-redir.httpd.conf.j2
@@ -0,0 +1,6 @@
+# vim: set ft=apache :
+
+# Automatically redirect requests for / to /zabbix/
+{% if zabbix_web_redir|bool %}
+RedirectMatch 301 ^/$ /zabbix/
+{% endif %}
diff --git a/roles/zabbix-server/templates/zabbix.conf.php.j2 b/roles/zabbix-server/templates/zabbix.conf.php.j2
new file mode 100644
index 0000000..7ce430e
--- /dev/null
+++ b/roles/zabbix-server/templates/zabbix.conf.php.j2
@@ -0,0 +1,20 @@
+
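Review bot: The last task of tasks/main.yml turns on `httpd_can_network_connect`, which lets every httpd process on the host open outbound connections to any port, not only to the Zabbix server. The targeted SELinux policy has a narrower boolean for this, so `name=httpd_can_connect_zabbix` should be enough for the frontend to reach the server port. If the frontend reaches PostgreSQL over TCP (a non-empty `zabbix_db_host`), add `httpd_can_network_connect_db` rather than the blanket boolean. Separately, the `firewalld` task opens `10051/tcp` with no `zone` or source restriction, so it applies to the default zone; worth confirming that this is the intended exposure for the trapper port.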
diff --git a/roles/zabbix-server/templates/zabbix_server.conf.j2 b/roles/zabbix-server/templates/zabbix_server.conf.j2
new file mode 100644
index 0000000..547cd85
--- /dev/null
+++ b/roles/zabbix-server/templates/zabbix_server.conf.j2
@@ -0,0 +1,643 @@
+# This is a configuration file for Zabbix server daemon
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: ListenPort
+# Listen port for trapper.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10051
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbixsrv/zabbix_server.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+# DebugLevel=3
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_server.pid
+PidFile=/run/zabbixsrv/zabbix_server.pid
+
+### Option: DBHost
+# Database host name.
+# If set to localhost, socket is used for MySQL.
+# If set to empty string, socket is used for PostgreSQL.
+#
+# Mandatory: no
+# Default:
+# DBHost=localhost
+DBHost={{ zabbix_db_host }}
+
+### Option: DBName
+# Database name.
+# For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored.
+#
+# Mandatory: yes
+# Default:
+# DBName=
+
+DBName={{ zabbix_db_name }}
+
+### Option: DBSchema
+# Schema name. Used for IBM DB2 and PostgreSQL.
+#
+# Mandatory: no
+# Default:
+# DBSchema=
+
+### Option: DBUser
+# Database user. Ignored for SQLite.
+#
+# Mandatory: no
+# Default:
+# DBUser=
+
+DBUser={{ zabbix_db_user }}
+
+### Option: DBPassword
+# Database password. Ignored for SQLite.
+# Comment this line if no password is used.
+#
+# Mandatory: no
+# Default:
+# DBPassword=
+{% if zabbix_db_password is defined %}
+
+DBPassword={{ zabbix_db_password }}
+{% endif %}
+
+### Option: DBSocket
+# Path to MySQL socket.
+#
+# Mandatory: no
+# Default:
+# DBSocket=/var/lib/mysql/mysql.sock
+
+### Option: DBPort
+# Database port when not using local socket. Ignored for SQLite.
+#
+# Mandatory: no
+# Range: 1024-65535
+# Default (for MySQL):
+# DBPort=3306
+
+############ ADVANCED PARAMETERS ################
+
+### Option: StartPollers
+# Number of pre-forked instances of pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollers=5
+
+### Option: StartIPMIPollers
+# Number of pre-forked instances of IPMI pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartIPMIPollers=0
+
+### Option: StartPollersUnreachable
+# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).
+# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers
+# are started.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPollersUnreachable=1
+
+### Option: StartTrappers
+# Number of pre-forked instances of trappers.
+# Trappers accept incoming connections from Zabbix sender, active agents and active proxies.
+# At least one trapper process must be running to display server availability and view queue
+# in the frontend.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartTrappers=5
+
+### Option: StartPingers
+# Number of pre-forked instances of ICMP pingers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartPingers=1
+
+### Option: StartDiscoverers
+# Number of pre-forked instances of discoverers.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartDiscoverers=1
+{% if zabbix_start_discoverers is defined %}
+StartDiscoverers={{ zabbix_start_discoverers }}
+{% endif %}
+
+### Option: StartHTTPPollers
+# Number of pre-forked instances of HTTP pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartHTTPPollers=1
+
+### Option: StartTimers
+# Number of pre-forked instances of timers.
+# Timers process time-based trigger functions and maintenance periods.
+# Only the first timer process handles the maintenance periods.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# StartTimers=1
+
+### Option: StartEscalators
+# Number of pre-forked instances of escalators.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartEscalators=1
+
+### Option: JavaGateway
+# IP address (or hostname) of Zabbix Java gateway.
+# Only required if Java pollers are started.
+#
+# Mandatory: no
+# Default:
+# JavaGateway=
+
+### Option: JavaGatewayPort
+# Port that Zabbix Java gateway listens on.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# JavaGatewayPort=10052
+
+### Option: StartJavaPollers
+# Number of pre-forked instances of Java pollers.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartJavaPollers=0
+
+### Option: StartVMwareCollectors
+# Number of pre-forked vmware collector instances.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartVMwareCollectors=0
+
+### Option: VMwareFrequency
+# How often Zabbix will connect to VMware service to obtain a new data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwareFrequency=60
+
+### Option: VMwarePerfFrequency
+# How often Zabbix will connect to VMware service to obtain performance data.
+#
+# Mandatory: no
+# Range: 10-86400
+# Default:
+# VMwarePerfFrequency=60
+
+### Option: VMwareCacheSize
+# Size of VMware cache, in bytes.
+# Shared memory size for storing VMware data.
+# Only used if VMware collectors are started.
+#
+# Mandatory: no
+# Range: 256K-2G
+# Default:
+# VMwareCacheSize=8M
+
+### Option: VMwareTimeout
+# Specifies how many seconds vmware collector waits for response from VMware service.
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# VMwareTimeout=10
+
+### Option: SNMPTrapperFile
+# Temporary file used for passing data from SNMP trap daemon to the server.
+# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file.
+#
+# Mandatory: no
+# Default:
+# SNMPTrapperFile=/tmp/zabbix_traps.tmp
+
+### Option: StartSNMPTrapper
+# If 1, SNMP trapper process is started.
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# StartSNMPTrapper=0
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the trapper should listen on.
+# Trapper will listen on all network interfaces if this parameter is missing.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+# ListenIP=127.0.0.1
+
+### Option: HousekeepingFrequency
+# How often Zabbix will perform housekeeping procedure (in hours).
+# Housekeeping is removing outdated information from the database.
+# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency
+# hours of outdated information are deleted in one housekeeping cycle, for each item.
+# To lower load on server startup housekeeping is postponed for 30 minutes after server start.
+# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option.
+# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the
+# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days.
+#
+# Mandatory: no
+# Range: 0-24
+# Default:
+# HousekeepingFrequency=1
+
+### Option: MaxHousekeeperDelete
+# The table "housekeeper" contains "tasks" for housekeeping procedure in the format:
+# [housekeeperid], [tablename], [field], [value].
+# No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value])
+# will be deleted per one task in one housekeeping cycle.
+# SQLite3 does not use this parameter, deletes all corresponding rows without a limit.
+# If set to 0 then no limit is used at all. In this case you must know what you are doing!
+#
+# Mandatory: no
+# Range: 0-1000000
+# Default:
+# MaxHousekeeperDelete=5000
+
+### Option: SenderFrequency
+# How often Zabbix will try to send unsent alerts (in seconds).
+#
+# Mandatory: no
+# Range: 5-3600
+# Default:
+# SenderFrequency=30
+
+### Option: CacheSize
+# Size of configuration cache, in bytes.
+# Shared memory size for storing host, item and trigger data.
+#
+# Mandatory: no
+# Range: 128K-8G
+# Default:
+# CacheSize=8M
+
+### Option: CacheUpdateFrequency
+# How often Zabbix will perform update of configuration cache, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# CacheUpdateFrequency=60
+
+### Option: StartDBSyncers
+# Number of pre-forked instances of DB Syncers.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartDBSyncers=4
+
+### Option: HistoryCacheSize
+# Size of history cache, in bytes.
+# Shared memory size for storing history data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryCacheSize=16M
+
+### Option: HistoryIndexCacheSize
+# Size of history index cache, in bytes.
+# Shared memory size for indexing history cache.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryIndexCacheSize=4M
+
+### Option: TrendCacheSize
+# Size of trend cache, in bytes.
+# Shared memory size for storing trends data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# TrendCacheSize=4M
+
+### Option: ValueCacheSize
+# Size of history value cache, in bytes.
+# Shared memory size for caching item history data requests.
+# Setting to 0 disables value cache.
+#
+# Mandatory: no
+# Range: 0,128K-64G
+# Default:
+# ValueCacheSize=8M
+
+### Option: Timeout
+# Specifies how long we wait for agent, SNMP device or external check (in seconds).
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+Timeout=4
+
+### Option: TrapperTimeout
+# Specifies how many seconds trapper may spend processing new data.
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# TrapperTimeout=300
+
+### Option: UnreachablePeriod
+# After how many seconds of unreachability treat a host as unavailable.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachablePeriod=45
+
+### Option: UnavailableDelay
+# How often host is checked for availability during the unavailability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnavailableDelay=60
+
+### Option: UnreachableDelay
+# How often host is checked for availability during the unreachability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachableDelay=15
+
+### Option: AlertScriptsPath
+# Full path to location of custom alert scripts.
+# Default depends on compilation options.
+#
+# Mandatory: no
+# Default:
+# AlertScriptsPath=/usr/share/zabbix/alertscripts
+
+### Option: ExternalScripts
+# Full path to location of external scripts.
+# Default depends on compilation options.
+#
+# Mandatory: no
+# Default:
+# ExternalScripts=/usr/share/zabbix/externalscripts
+ExternalScripts=/var/lib/zabbixsrv/externalscripts
+
+### Option: FpingLocation
+# Location of fping.
+# Make sure that fping binary has root ownership and SUID flag set.
+#
+# Mandatory: no
+# Default:
+# FpingLocation=/usr/sbin/fping
+
+### Option: Fping6Location
+# Location of fping6.
+# Make sure that fping6 binary has root ownership and SUID flag set.
+# Make empty if your fping utility is capable to process IPv6 addresses.
+#
+# Mandatory: no
+# Default:
+# Fping6Location=/usr/sbin/fping6
+
+### Option: SSHKeyLocation
+# Location of public and private keys for SSH checks and actions.
+#
+# Mandatory: no
+# Default:
+# SSHKeyLocation=
+
+### Option: LogSlowQueries
+# How long a database query may take before being logged (in milliseconds).
+# Only works if DebugLevel set to 3, 4 or 5.
+# 0 - don't log slow queries.
+#
+# Mandatory: no
+# Range: 1-3600000
+# Default:
+# LogSlowQueries=0
+
+LogSlowQueries=3000
+
+### Option: TmpDir
+# Temporary directory.
+#
+# Mandatory: no
+# Default:
+# TmpDir=/tmp
+TmpDir=/var/tmp/zabbixsrv
+
+### Option: StartProxyPollers
+# Number of pre-forked instances of pollers for passive proxies.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartProxyPollers=1
+
+### Option: ProxyConfigFrequency
+# How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600*24*7
+# Default:
+# ProxyConfigFrequency=3600
+
+### Option: ProxyDataFrequency
+# How often Zabbix Server requests history data from a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ProxyDataFrequency=1
+
+### Option: AllowRoot
+# Allow the server to run as 'root'. If disabled and the server is started by 'root', the server
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+# Include=/etc/zabbix_server.general.conf
+# Include=/etc/zabbix_server.conf.d/
+# Include=/etc/zabbix_server.conf.d/*.conf
+
+### Option: SSLCertLocation
+# Location of SSL client certificates.
+# This parameter is used only in web monitoring.
+#
+# Mandatory: no
+# Default:
+# SSLCertLocation=/usr/share/zabbix/ssl/certs
+
+### Option: SSLKeyLocation
+# Location of private keys for SSL client certificates.
+# This parameter is used only in web monitoring.
+#
+# Mandatory: no
+# Default:
+# SSLKeyLocation=/usr/share/zabbix/ssl/keys
+
+### Option: SSLCALocation
+# Override the location of certificate authority (CA) files for SSL server certificate verification.
+# If not set, system-wide directory will be used.
+# This parameter is used only in web monitoring and SMTP authentication.
+#
+# Mandatory: no
+# Default:
+# SSLCALocation=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of server modules.
+# Default depends on compilation options.
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at server startup. Modules are used to extend functionality of the server.
+# Format: LoadModule=
+# The modules must be located in directory specified by LoadModulePath.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the server certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the server private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
diff --git a/roles/zabbix-server/vars/main.yml b/roles/zabbix-server/vars/main.yml
new file mode 100644
index 0000000..f9678a6
--- /dev/null
+++ b/roles/zabbix-server/vars/main.yml
@@ -0,0 +1,4 @@
+zbx_srv_required_packages:
+- python3-psycopg2
+- zabbix-server-pgsql
+- zabbix-web-pgsql
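Review bot: In zabbix_server.conf.j2, `DBPassword={{ zabbix_db_password }}` writes the vault secret into the rendered file in clear text, so its confidentiality rests on the `template` task in tasks/main.yml (`owner=root group=zabbixsrv mode=0640`) and on that task never echoing the content. Running the play with `--diff` would print the rendered lines, password included. I would add `no_log: true` (or `diff: false`) to the "ensure zabbix server is configured" task and put a short comment above the `{% if zabbix_db_password is defined %}` block saying the value comes from the vault file. The frontend template zabbix.conf.php.j2 presumably carries the same secret, but its content is not visible in this diff.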