	Update to 2022-03-21 17:00
		| @@ -63,3 +63,26 @@ zabbix_server_backup_hooks: True | ||||
| # so its web monitoring can be direct | ||||
| # This will only have an effect if system_proxy is defined | ||||
| zabbix_server_uses_system_proxy: True | ||||
|  | ||||
| # If using SAML auth, you have to configure the certificate of the IDP | ||||
| # zabbix_server_saml_idp_cert: | | ||||
| #   -----BEGIN CERTIFICATE----- | ||||
| #   MIICsDCCAZigAwIBAgIEY42IsjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9z | ||||
| #   c28uZWh0cmFjZS5jb20wHhcNMjEwNDI5MTAyNDE1WhcNNDEwNDI0MTAyNDE1WjAa | ||||
| #   MRgwFgYDVQQDDA9zc28uZWh0cmFjZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB | ||||
| #   DwAwggEKAoIBAQCnkJTXog/iNhNGBWuwKFGurhwHJGQfAsOc0LfDcJC4MHCkaRdW | ||||
| #   f5nM2txxuDn2iCN6bhsPL9Q0XR9MOGfwc9cb0WNCpg91rFLG7FLxbevp81m2thRe | ||||
| #   gTwdBpJoUJkm/MoMa7+oU8/PYuG/XFTrlq9/TznE/7BcvNqUJQYT4k9LAnkusIBA | ||||
| #   yRj9mF3ZHNZKe9YcqD9e2kwOfA8uGFBAMw4UR2m158vyNmng2AMzHdgnKrIKwYjJ | ||||
| #   e1f8B+GQRc+C/o06jF+wRYpVTYitcJzaadNjDgUWsUwjaYeKB2Z2E0FUE5ybTkoh | ||||
| #   rfL0HQzCFC5beQkfq0vjHrMCInOvGGkaEDQBAgMBAAEwDQYJKoZIhvcNAQELBQAD | ||||
| #   ggEBACIWuRwpF6FYmlw224n9Pc14iOTazgWr41hJEw36cpQFEiN/ZYU2C8a2W7SV | ||||
| #   OBK2bzCMkELUlewuuzrodjflBdh55ZIDx3RKB8Db70hvw/fAe/US33oeSnngBQxm | ||||
| #   FazCQq5ijajSH76xuoUw9AkH2KPP+tm/Y8ReV2xj6JxMpPArJsQ9ITuaiC9Bt4bI | ||||
| #   LwXXqa+rnDtReBZBDjt8eyV0L5u5XvkfKlQoG/+UOdsfXavyJR6by2m6vv7/zGS+ | ||||
| #   fGpPuqtTWh0G4A3JEMJ5i0bajftWyYn7XGXOi2DIX5LGP1dhEml55m/NxLkPxTw8 | ||||
| #   vGPDSdbhHJZxQkilQsrPXNQqK38= | ||||
| #   -----END CERTIFICATE----- | ||||
|  | ||||
| # When using SAML, you should also set the public URL so SAML metadata are correctly generated | ||||
| # zabbix_server_public_url: https://monitoring.example.org | ||||
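Review bot: The commented example under `# If using SAML auth` is a complete, real-looking certificate whose subject appears to decode to a third-party SSO hostname; because `zabbix_server_saml_idp_cert` is the trust anchor Zabbix uses to verify every SAML assertion, an operator who uncomments the example verbatim would accept logins signed by that unrelated IdP. Replace the base64 body with an obvious placeholder such as `#   MIIC...base64 body of the IDP signing certificate...` and extend the comment to say that the certificate must be taken from the IdP's own metadata (or another trusted channel) and checked against the IdP's published fingerprint, never copied from an example. It would also help to state next to `zabbix_server_public_url` that it becomes the SP entityID and the base of the ACS/SLS URLs, so it has to match exactly the URL registered at the IdP.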
| @@ -1,5 +1,30 @@ | ||||
| --- | ||||
|  | ||||
| - name: Create a selfsigned cert for SAML auth | ||||
|   import_tasks: ../includes/create_selfsigned_cert.yml | ||||
|   vars: | ||||
|     - cert_path: /etc/zabbix/ssl/sp.crt | ||||
|     - cert_key_path: /etc/zabbix/ssl/sp.key | ||||
|     - cert_key_group: apache | ||||
|     - cert_key_mode: '640' | ||||
|   tags: zabbix | ||||
|  | ||||
| - name: Read SAML certificate | ||||
|   shell: cat /etc/zabbix/ssl/sp.crt | perl -e 'my $out; while (<STDIN>){ next if /^\-\-\-\-\-(END|BEGIN) CERTIFICATE/; chomp; $out .= $_; }; print $out' | ||||
|   changed_when: False | ||||
|   register: zabbix_server_saml_sp_cert | ||||
|   tags: zabbix | ||||
|  | ||||
| - name: Deploy SAML IDP certificate | ||||
|   copy: content={{ zabbix_server_saml_idp_cert }} dest=/etc/zabbix/ssl/idp.crt mode=644 | ||||
|   when: zabbix_server_saml_idp_cert is defined | ||||
|   tags: zabbix | ||||
|  | ||||
| - name: Deploy SAML metadata | ||||
|   template: src=saml_metadata.xml.j2 dest=/usr/share/zabbix/saml-metadata.xml | ||||
|   when: zabbix_server_public_url is defined | ||||
|   tags: zabbix | ||||
|  | ||||
| - name: Deploy patrix configuration file | ||||
|   template: src=patrixrc.j2 dest=/var/lib/zabbix/.patrixrc owner=zabbix group=zabbix mode=600 | ||||
|   when: (zabbix_server_matrix_user is defined and zabbix_server_matrix_pass is defined) or zabbix_server_matrix_access_token is defined | ||||
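Review bot: The `Read SAML certificate` task is a `shell` pipeline, so it is skipped in check mode and `zabbix_server_saml_sp_cert.stdout` is then undefined when `Deploy SAML metadata` renders the template; it also makes the role depend on perl being present on the target and on `cat` output that `changed_when: False` only partly tames. Reading the file with `slurp` and deriving the base64 body with filters keeps the same `.stdout` shape for the template, works in check mode and needs no shell. The replacement for that one task is below; the remaining tasks in the hunk are unchanged.
```yaml
- name: Read SAML certificate
  slurp:
    src: /etc/zabbix/ssl/sp.crt
  register: zabbix_server_saml_sp_cert_raw
  tags: zabbix

- name: Extract the base64 body of the SAML certificate
  set_fact:
    zabbix_server_saml_sp_cert:
      stdout: >-
        {{ zabbix_server_saml_sp_cert_raw.content | b64decode
           | regex_replace('-----(BEGIN|END) CERTIFICATE-----', '')
           | replace('\n', '') }}
  tags: zabbix

# … unchanged: Deploy SAML IDP certificate, Deploy SAML metadata, patrix configuration …
```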
| @@ -10,6 +10,10 @@ | ||||
|       owner: apache | ||||
|       group: apache | ||||
|       mode: 700 | ||||
|     - dir: /etc/zabbix/ssl | ||||
|       owner: root | ||||
|       group: apache | ||||
|       mode: 750 | ||||
|   tags: zabbix | ||||
|  | ||||
|   #- name: Ensure proper permission on the web config dir | ||||
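Review bot: The new `/etc/zabbix/ssl` entry carries `mode: 750` as an unquoted YAML integer, while the same commit writes `cert_key_mode: '640'` as a string; whether the integer reaches the file module as decimal 750 (0o1356) or as the intended 0o750 depends on how the enclosing task, which starts before this hunk, passes `item.mode`. Writing it as `mode: '0750'` removes that dependency and follows the Ansible convention of octal modes as strings (the pre-existing `mode: 700` entry has the same issue and could be fixed in the same pass). The directory being root:apache with no world access is the right choice given the SP key is group-readable by apache.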
							
								
								
									
										24
									
								
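--- /dev/null
+++ b/roles/zabbix_server/templates/saml_metadata.xml.j2
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<EntityDescriptor entityID="{{ zabbix_server_public_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?acs" index="0" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?sls" />
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>{{ zabbix_server_saml_sp_cert.stdout }}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">{{ ansible_domain }}</OrganizationName>
+    <OrganizationDisplayName xml:lang="en">Zabbix {{ ansible_domain }}</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">{{ zabbix_server_public_url }}</OrganizationURL>
+  </Organization>
+  <ContactPerson contactType="administrative">
+    <GivenName>System Administrator</GivenName>
+    <EmailAddress>{{ system_admin_email | default('admin@' ~ ansible_domain) }}</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>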
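Review bot: The `ds:` prefix on `ds:KeyInfo`, `ds:X509Data` and `ds:X509Certificate` is never bound: the attribute on `ds:KeyInfo` declares a default namespace (`xmlns=`), not the `ds` prefix, so a namespace-aware parser at the IdP rejects the whole metadata document as not well-formed. Change that line to `<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` (or drop the prefixes and keep the default declaration). Since this metadata is what the IdP enforces against the SP, consider also declaring `AuthnRequestsSigned` and `WantAssertionsSigned` on `SPSSODescriptor` to match whichever signing options are enabled in Zabbix's SAML settings, and passing the interpolated values through Jinja's `escape` filter so a `&` or `"` in `zabbix_server_public_url` or `system_admin_email` cannot break the XML.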
| @@ -12,4 +12,8 @@ $IMAGE_FORMAT_DEFAULT   = IMAGE_FORMAT_PNG; | ||||
| {% if zabbix_server_version.stdout is version('5.0', '>=') %} | ||||
| $DB['DOUBLE_IEEE754'] = 'true'; | ||||
| {% endif %} | ||||
| $SSO['SP_KEY']          = '/etc/zabbix/ssl/sp.key'; | ||||
| $SSO['SP_CERT']         = '/etc/zabbix/ssl/sp.crt'; | ||||
| $SSO['IDP_CERT']        = '/etc/zabbix/ssl/idp.crt'; | ||||
|  | ||||
| ?> | ||||
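Review bot: `$SSO['IDP_CERT']` is set unconditionally to `/etc/zabbix/ssl/idp.crt`, but the task that deploys that file only runs when `zabbix_server_saml_idp_cert` is defined, so on hosts without an IdP certificate the frontend is pointed at a path that does not exist; how Zabbix reacts to that is not visible here, but it is at best a confusing failure at SAML login time. Guard the line with the same condition the task uses: `{% if zabbix_server_saml_idp_cert is defined %}`, `$SSO['IDP_CERT'] = '/etc/zabbix/ssl/idp.crt';`, `{% endif %}`. A short comment above the block noting that `SP_KEY` must stay readable only by root and the web server group (the role deploys it as mode 0640, group apache) would document the permission the SAML signing key relies on.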
	 Daniel Berteaud