Update to 2021-12-01 19:13

roles/zabbix_agent/defaults/main.yml

@@ -0,0 +1,31 @@
+---
+zabbix_agent_port: 10050
+# List of servers allowed to connect to the agent (passive checks)
+zabbix_agent_servers:
+  - 51.91.175.34
+# List of IP allowed to access TCP port 10050
+zabbix_agent_src_ip: "{{ zabbix_agent_servers }}"
+# List of servers the agent will push active checks to
+zabbix_agent_server_active: []
+
+zabbix_agent_base_conf:
+  PidFile: /var/run/zabbix/zabbix_agentd.pid
+  LogType: system
+  Server: "{{ zabbix_agent_servers | join(',') }}"
+  ListenPort: "{{ zabbix_agent_port }}"
+  ServerActive: "{{ zabbix_agent_server_active | join(',') }}"
+  HostnameItem: 'system.hostname'
+  Timeout: 29 # just a bit less than the proxies' Timeout
+  Include: '/etc/zabbix/zabbix_agentd.conf.d/*.conf'
+  TLSPSKFile: '/etc/zabbix/zabbix_agentd.psk'
+  TLSPSKIdentity: "{{ inventory_hostname }}-agent"
+  TLSConnect: psk
+  TLSAccept: 'unencrypted,psk'
+  StartAgents: 5
+zabbix_agent_extra_conf: {}
+zabbix_agent_conf: "{{ zabbix_agent_base_conf | combine(zabbix_agent_extra_conf, recursive=True) }}"
+
+# If update is set to False, the role will only ensure packages are installed
+# If set to True, it will update components to their latest version
+zabbix_agent_update: False
+...

roles/zabbix_agent/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart zabbix-agent
+  service: name=zabbix-agent state=restarted enabled=yes

roles/zabbix_agent/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: repo_zabbix

roles/zabbix_agent/tasks/conf.yml

@@ -0,0 +1,17 @@
+---
+- name: Deploy Zabbix Agent configuration
+  template: src=zabbix_agentd.conf.j2 dest=/etc/zabbix/zabbix_agentd.conf
+  notify: restart zabbix-agent
+  tags: zabbix
+
+- name: Detect if vfs.dev.discovery is supported natively
+  shell: zabbix_agentd -t vfs.dev.discovery -c /dev/null | grep -q ZBX_NOTSUPPORTED
+  register: zabbix_dev_disco
+  failed_when: False
+  changed_when: False
+  tags: zabbix
+
+- name: Handle block dev discovery config
+  template: src=block_devices.conf.j2 dest=/etc/zabbix/zabbix_agentd.conf.d/block_devices.conf
+  notify: restart zabbix-agent
+  tags: zabbix

roles/zabbix_agent/tasks/facts.yml

@@ -0,0 +1,9 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: zabbix

roles/zabbix_agent/tasks/install_Debian.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Install agent and dependencies
+  apt:
+    name: "{{ zabbix_agent_packages }}"
+    state: "{{ zabbix_agent_update | ternary('latest','present') }}"
+    policy_rc_d: 101 # Prevent the daemon from starting automatically after install
+  tags: zabbix
+
+- name: Create needed directories
+  file: path={{ item }} state=directory
+  with_items:
+    - /etc/zabbix/zabbix_agentd.conf.d
+    - /var/lib/zabbix/bin
+    - /var/lib/zabbix/addons
+    - /usr/local/lib/site_perl/Zabbix/Agent/Addons
+  tags: zabbix
+
+- name: Checkout Addons script
+  git:
+    repo: https://git.fws.fr/fws/zabbix-agent-addons.git
+    dest: /var/lib/zabbix/addons
+  environment:
+    - https_proxy: "{{ system_proxy | default('') }}"
+  register: zabbix_agent_addons_git
+  notify: restart zabbix-agent
+  tags: zabbix
+
+- name: Install addons
+  shell: cp -af /var/lib/zabbix/addons/{{ item.src }}/* {{ item.dest }}/
+  with_items:
+    - src: zabbix_conf
+      dest: /etc/zabbix/zabbix_agentd.conf.d
+    - src: zabbix_scripts
+      dest: /var/lib/zabbix/bin
+    - src: lib
+      dest: /usr/local/lib/site_perl
+  when: zabbix_agent_addons_git.changed
+  tags: zabbix
+
+- name: Set permissions on Addons Scripts
+  shell: chmod +x /var/lib/zabbix/bin/*
+  args:
+    warn: False
+  when: zabbix_agent_addons_git.changed
+  tags: zabbix
+
+- name: Install sudo fragment
+  shell: cp -af /var/lib/zabbix/addons/conf/sudo.conf /etc/sudoers.d/zabbix_agent && chmod 600 /etc/sudoers.d/zabbix_agent
+  when: zabbix_agent_addons_git.changed
+  tags: zabbix
+
+- name: Don't log pam's sudo session for zabbix
+  lineinfile:
+    path: /etc/pam.d/sudo
+    regexp: '^session.*ruser\s?=\s?zabbix.*'
+    line: 'session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = zabbix'
+    insertbefore: '^@include\scommon-session-noninteractive'
+    state: present
+  tags: zabbix

roles/zabbix_agent/tasks/install_RedHat.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Install Zabbix Agent and additional scripts
+  yum:
+    name: "{{ zabbix_agent_packages }}"
+    state: "{{ zabbix_agent_update | ternary('latest','present') }}"
+  notify: restart zabbix-agent
+  tags: zabbix

roles/zabbix_agent/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+- name: Handle Zabbix Agent port
+  iptables_raw:
+    name: zabbix_agent_port
+    state: "{{ (zabbix_agent_src_ip | length > 0) | ternary('present', 'absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ zabbix_agent_port }} -s {{ zabbix_agent_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zabbix

roles/zabbix_agent/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- include: facts.yml
+- include: install_{{ ansible_os_family }}.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: conf.yml
+- include: psk.yml
+- include: sensors.yml
+- include: iptables.yml
+- include: service.yml

roles/zabbix_agent/tasks/psk.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Generate random PSK key for TLS encryption
+  shell: openssl rand -hex 32 > /etc/zabbix/zabbix_agentd.psk
+  args:
+    creates: /etc/zabbix/zabbix_agentd.psk
+  tags: zabbix
+
+- name: Restrict permission on PSK file
+  file: path=/etc/zabbix/zabbix_agentd.psk owner=root group=zabbix mode=0640
+  tags: zabbix
+

roles/zabbix_agent/tasks/selinux.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Relaxe SELinux restrictions for Zabbix Agent
+  selinux_permissive: name=zabbix_agent_t permissive=True
+  tags: zabbix
+
+- name: Allow Zabbix to use sudo
+  seboolean: name={{ item }} state=True persistent=True
+  loop:
+    - zabbix_run_sudo
+  when: ansible_distribution != 'CentOS' or ansible_distribution_version | default(0) is version('7.6', '>=') # This bool is only available for CentOS 7.6.1810 or newer
+  tags: zabbix

roles/zabbix_agent/tasks/sensors.yml

@@ -0,0 +1,26 @@
+---
+- include: sensors_{{ ansible_os_family }}.yml
+
+- name: Check if hardware sensors should be detected
+  stat: path=/etc/zabbix/sensors.ini
+  register: zbx_hw_sensors
+  tags: zabbix
+
+- set_fact: zbx_conf_sensors={{ (ansible_virtualization_role != "guest" and (not zbx_hw_sensors.stat.exists or zbx_hw_sensors.stat.checksum == "4112359dc054a50d8ee2fcf03fb97ad6c7401533")) | ternary(True, False) }}
+  tags: zabbix
+
+- name: Detect hardware sensors (please review /etc/zabbix/sensors.ini to set thresholds)
+  command: "/var/lib/zabbix/bin/util_generate_sensors_ini -o /etc/zabbix/sensors.ini"
+  when: zbx_conf_sensors
+  tags: zabbix
+
+- name: Retrieve hardware sensors configuration
+  fetch: src=/etc/zabbix/sensors.ini dest=config fail_on_missing=yes
+  when: zbx_conf_sensors
+  tags: zabbix
+
+- name: Update hardware sensors configuration
+  copy: src=config/{{ inventory_hostname }}/etc/zabbix/sensors.ini dest=/etc/zabbix/sensors.ini
+  when: ansible_virtualization_role != "guest" and zbx_hw_sensors.stat.exists
+  tags: zabbix
+

roles/zabbix_agent/tasks/sensors_Debian.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Install hardware sensors support
+  apt:
+    name:
+      - smartmontools
+      - lm-sensors
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Check if lm-sensors is configured
+  stat: path=/etc/sysconfig/lm_sensors
+  register: lm_sensors
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Check if there's an ipmi controler
+  stat: path=/dev/ipmi0
+  register: zabbix_ipmi
+  tags: zabbix
+
+- name: Install ipmi support
+  apt:
+    name:
+      - openipmi
+      - ipmitool
+  when:
+    - ansible_virtualization_role != "guest"
+    - zabbix_ipmi.stat.exists
+  tags: zabbix
+
+- name: Start and enable lm_sensors service
+  service: name=lm-sensors state=started enabled=yes
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Start and enable ipmi service
+  service: name=ipmievd state=started enabled=yes
+  when:
+    - ansible_virtualization_role != "guest"
+    - zabbix_ipmi.stat.exists
+  tags: zabbix

roles/zabbix_agent/tasks/sensors_RedHat.yml

@@ -0,0 +1,50 @@
+---
+
+- name: Install hardware sensors support
+  yum:
+    name:
+      - smartmontools
+      - lm_sensors
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Check if lm_sensors is configured
+  stat: path=/etc/sysconfig/lm_sensors
+  register: lm_sensors
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Configure lm_sensors
+  shell: "/sbin/sensors-detect < /dev/null"
+  # Configure only if /etc/sysconfig/lm_sensors doesn't exists or has been customized
+  when:
+    - ansible_virtualization_role != "guest"
+    - not lm_sensors.stat.exists or lm_sensors.stat.checksum == "c27ae43795d152a7fc7503c7109288e3fdc2207c"
+  tags: zabbix
+
+- name: Check if there's an ipmi controler
+  stat: path=/dev/ipmi0
+  register: zabbix_ipmi
+  tags: zabbix
+
+- name: Install ipmi support
+  yum:
+    name:
+      - OpenIPMI
+      - ipmitool
+  when:
+    - ansible_virtualization_role != "guest"
+    - zabbix_ipmi.stat.exists
+  tags: zabbix
+
+- name: Start and enable lm_sensors service
+  service: name=lm_sensors state=started enabled=yes
+  when: ansible_virtualization_role != "guest"
+  tags: zabbix
+
+- name: Start and enable ipmi service
+  service: name=ipmi state=started enabled=yes
+  when:
+    - ansible_virtualization_role != "guest"
+    - zabbix_ipmi.stat.exists
+  tags: zabbix

roles/zabbix_agent/tasks/service.yml

@@ -0,0 +1,4 @@
+---
+- name: Start Zabbix Agent
+  service: name=zabbix-agent state=started enabled=True
+  tags: zabbix

roles/zabbix_agent/templates/block_devices.conf.j2

@@ -0,0 +1,6 @@
+{% if zabbix_dev_disco.rc == 0 %}
+# Discover block devices
+UserParameter=vfs.dev.discovery,/var/lib/zabbix/bin/disco_block_devices
+{% else %}
+# vfs.dev.discovery is natively supported, not UserParameter needed
+{% endif %}

roles/zabbix_agent/templates/zabbix_agentd.conf.j2

@@ -0,0 +1,9 @@
+{% for key in zabbix_agent_conf.keys() | list %}
+{% if not zabbix_agent_conf[key] is string and zabbix_agent_conf[key] is iterable %}
+{% for x in zabbix_agent_conf[key] %}
+{{ key }}={{ x }}
+{% endfor %}
+{% else %}
+{{ key }}={{ zabbix_agent_conf[key] }}
+{% endif %}
+{% endfor %}

roles/zabbix_agent/vars/Debian-10.yml

@@ -0,0 +1,14 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - openssl
+  - git
+  - libconfig-simple-perl
+  - libjson-perl
+  - libfile-which-perl
+  - smartmontools
+  - lm-sensors
+  - patch
+  - fping
+  - libstatistics-descriptive-perl

roles/zabbix_agent/vars/Debian-11.yml

@@ -0,0 +1,14 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - openssl
+  - git
+  - libconfig-simple-perl
+  - libjson-perl
+  - libfile-which-perl
+  - smartmontools
+  - lm-sensors
+  - patch
+  - fping
+  - libstatistics-descriptive-perl

roles/zabbix_agent/vars/Debian-8.yml

@@ -0,0 +1,13 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - openssl
+  - git
+  - libconfig-simple-perl
+  - libjson-perl
+  - libfile-which-perl
+  - smartmontools
+  - lm-sensors
+  - patch
+  - fping

roles/zabbix_agent/vars/Debian-9.yml

@@ -0,0 +1,14 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - openssl
+  - git
+  - libconfig-simple-perl
+  - libjson-perl
+  - libfile-which-perl
+  - smartmontools
+  - lm-sensors
+  - patch
+  - fping
+  - libstatistics-descriptive-perl

roles/zabbix_agent/vars/RedHat-7.yml

@@ -0,0 +1,7 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - zabbix-agent-addons
+  - policycoreutils-python
+  - openssl

roles/zabbix_agent/vars/RedHat-8.yml

@@ -0,0 +1,8 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - zabbix-agent-addons
+  - policycoreutils-python-utils
+  - openssl
+

roles/zabbix_agent/vars/Ubuntu-20.yml

@@ -0,0 +1,14 @@
+---
+
+zabbix_agent_packages:
+  - zabbix-agent
+  - openssl
+  - git
+  - libconfig-simple-perl
+  - libjson-perl
+  - libfile-which-perl
+  - smartmontools
+  - lm-sensors
+  - patch
+  - fping
+  - libstatistics-descriptive-perl