Update to 2021-12-01 19:13

roles/zabbix_proxy/defaults/main.yml

@@ -0,0 +1,26 @@
+---
+# zabbix_proxy_encryption: none
+# zabbix_proxy_port: 10051
+zabbix_proxy_src_ip:
+  - 0.0.0.0/0
+zabbix_proxy_server: zabbix.firewall-services.com
+# zabbix_proxy_pollers: 5
+# zabbix_proxy_ipmi_pollers: 1
+# zabbix_proxy_unreachable_pollers: 2
+# zabbix_proxy_trappers: 5
+# zabbix_proxy_pingers: 4
+# zabbix_proxy_discoverers: 1
+# zabbix_proxy_http_pollers: 1
+# zabbix_proxy_timeout: 15
+zabbix_proxy_cache_size: 32M
+
+# If update is set to False, the role will only ensure packages are installed
+# If set to True, it will update components to their latest version
+zabbix_proxy_update: False
+
+# You might want to ignore system proxy for Zabbix proxy itself,
+# so its web monitoring can be direct
+# This will only have an effect if system_proxy is defined
+zabbix_proxy_uses_system_proxy: True
+
+...

roles/zabbix_proxy/files/zabbix_proxy.te

@@ -0,0 +1,20 @@
+module zabbix_proxy 1.1;
+
+require {
+        type zabbix_var_run_t;
+        type zabbix_var_lib_t;
+        type zabbix_t;
+        type ping_t;
+        class sock_file { create unlink };
+        class unix_stream_socket connectto;
+        class file { getattr read };
+        class capability dac_override;
+}
+
+#============= ping_t ==============
+allow ping_t zabbix_var_lib_t:file { getattr read };
+
+#============= zabbix_t ==============
+allow zabbix_t self:unix_stream_socket connectto;
+allow zabbix_t zabbix_var_run_t:sock_file { create unlink };
+allow zabbix_t self:capability dac_override;

roles/zabbix_proxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart zabbix-proxy
+  service: name=zabbix-proxy state=restarted
+  when: not zabbix_proxy_started.changed # Do not restart if the service has just started
+...

roles/zabbix_proxy/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: repo_zabbix
+  - role: snmp_mibs

roles/zabbix_proxy/tasks/conf.yml

@@ -0,0 +1,9 @@
+---
+- name: Deploy Zabbix Proxy configuration
+  template: src=zabbix_proxy.conf.j2 dest=/etc/zabbix/zabbix_proxy.conf
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Install server scripts
+  copy: src=../zabbix_server/files/scripts/ dest=/var/lib/zabbix/bin/
+  tags: zabbix

roles/zabbix_proxy/tasks/directories.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Create needed directories
+  file: path=/var/lib/zabbix/{{ item }} state=directory owner=root group=zabbix mode=770
+  with_items:
+    - db
+    - tmp
+  tags: zabbix

roles/zabbix_proxy/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+- name: Remove previous zabbix packages
+  yum:
+    name:
+      - zabbix
+    state: absent
+  tags: zabbix
+
+- name: Install Zabbix Proxy
+  yum:
+   name:
+      - zabbix-proxy-sqlite3
+      - zabbix-get
+      - perl-JSON
+      - perl-IO-Socket-SSL
+      - perl-libwww-perl
+      - perl-URI
+      - perl-DateTime-Format-ISO8601
+      - perl-Getopt-Long
+      - perl-Pod-Usage
+  notify: restart zabbix-proxy
+  register: zabbix_proxy_rpm
+  tags: zabbix

roles/zabbix_proxy/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+- name: Handle Zabbix Proxy port
+  iptables_raw:
+    name: zabbix_proxy_port
+    state: "{{ (zabbix_proxy_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ zabbix_proxy_port | default('10051') }} -s {{ zabbix_proxy_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zabbix

roles/zabbix_proxy/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+
+- include: install.yml
+- include: directories.yml
+- include: upgrade.yml
+- include: psk.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+

roles/zabbix_proxy/tasks/psk.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if a TLS PSK key exists
+  stat: path=/etc/zabbix/zabbix_proxy.psk
+  register: zbx_proxy_psk
+  tags: zabbix
+
+- name: Generate random PSK key for TLS encryption
+  shell: "openssl rand -hex 32 > /etc/zabbix/zabbix_proxy.psk"
+  when:
+    - not zbx_proxy_psk.stat.exists
+    - zabbix_proxy_encryption | default('none') == "psk"
+  tags: zabbix
+
+- name: Restrict permission on PSK file
+  file: path=/etc/zabbix/zabbix_proxy.psk owner=root group=zabbix mode=0640
+  when:
+    - not zbx_proxy_psk.stat.exists
+    - zabbix_proxy_encryption | default('none') == "psk"
+  tags: zabbix

roles/zabbix_proxy/tasks/selinux.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Copy SELinux policy
+  copy: src=zabbix_proxy.te dest=/etc/selinux/targeted/local/
+  register: zabbix_proxy_selinux_policy
+  tags: zabbix
+
+- name: Install needed packages
+  yum:
+    name: policycoreutils
+  tags: zabbix
+
+- name: Compile SELinux policy
+  shell: |
+    cd /etc/selinux/targeted/local/
+    checkmodule -M -m -o zabbix_proxy.mod zabbix_proxy.te
+    semodule_package -o zabbix_proxy.pp -m zabbix_proxy.mod
+  when: zabbix_proxy_selinux_policy.changed
+  tags: zabbix
+
+- name: Load policy for Zabbix Proxy
+  command: semodule -i /etc/selinux/targeted/local/zabbix_proxy.pp
+  when: zabbix_proxy_selinux_policy.changed
+  tags: zabbix
+
+- name: Allow Zabbix to use network (SELinux)
+  seboolean: name=zabbix_can_network state=True persistent=True
+  tags: zabbix

roles/zabbix_proxy/tasks/service.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Remove custom unit
+  file: path=/etc/systemd/system/zabbix-proxy.service state=absent
+  register: zabbix_proxy_custom_unit
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Create unit snippet dir
+  file: path=/etc/systemd/system/zabbix-proxy.service.d state=directory
+  tags: zabbix
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      ExecReload=/usr/sbin/zabbix_proxy -R config_cache_reload
+      PrivateTmp=yes
+      PrivateDevices=yes
+      ProtectSystem=full
+      ProtectHome=yes
+      {% if not zabbix_proxy_uses_system_proxy %}
+      # Disable system proxy
+      {% for proto in ['http_proxy','https_proxy','HTTP_PROXY','HTTPS_PROXY'] %}
+      Environment={{ proto }}=
+      {% endfor %}
+      {% endif %}
+    dest: /etc/systemd/system/zabbix-proxy.service.d/99-ansible.conf
+  register: zabbix_proxy_snippet_unit
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: zabbix_proxy_custom_unit.changed or zabbix_proxy_snippet_unit.changed
+  tags: zabbix
+
+- name: Start and enable the service
+  service: name=zabbix-proxy state=started enabled=True
+  register: zabbix_proxy_started
+  tags: zabbix

roles/zabbix_proxy/tasks/upgrade.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Stop the service
+  service: name=zabbix-proxy state=stopped
+  when: zabbix_proxy_rpm.changed
+  tags: zabbix
+
+- name: Drop the SQLite database (no schema upgrade for SQLite)
+  file: path=/var/lib/zabbix/db/proxy.sqlite state=absent
+  when: zabbix_proxy_rpm.changed
+  tags: zabbix

roles/zabbix_proxy/templates/zabbix_proxy.conf.j2

@@ -0,0 +1,29 @@
+Server={{ zabbix_proxy_server }}
+Hostname={{ inventory_hostname }}
+LogType=system
+PidFile=/var/run/zabbix/zabbix_proxy.pid
+DBName=/var/lib/zabbix/db/proxy.sqlite
+ProxyOfflineBuffer=72
+SocketDir=/var/run/zabbix
+ConfigFrequency=600
+DataSenderFrequency=30
+CacheSize={{ zabbix_proxy_cache_size | default('32M') }}
+StartPollers={{ zabbix_proxy_pollers | default(5) }}
+StartIPMIPollers={{ zabbix_proxy_ipmi_pollers | default(1) }}
+StartPollersUnreachable={{ zabbix_proxy_unreachable_pollers | default(2) }}
+StartTrappers={{ zabbix_proxy_trappers | default(5) }}
+StartPingers={{ zabbix_proxy_pingers | default(4) }}
+StartDiscoverers={{ zabbix_proxy_discoverers | default(1) }}
+StartHTTPPollers={{ zabbix_proxy_http_pollers | default(1) }}
+Timeout={{ zabbix_proxy_timeout | default(30) }}
+ExternalScripts=/var/lib/zabbix/bin/
+TmpDir=/var/lib/zabbix/tmp
+{% if zabbix_proxy_encryption | default('none') == 'psk' %}
+TLSPSKFile=/etc/zabbix/zabbix_proxy.psk
+TLSPSKIdentity={{ inventory_hostname }}-proxy
+TLSConnect=psk
+TLSAccept=psk
+{% endif %}
+{% if ansible_all_ipv6_addresses | length < 1 %}
+Fping6Location=
+{% endif %}