Update to 2021-12-01 19:13

roles/zabbix_proxy/tasks/conf.yml

@@ -0,0 +1,9 @@
+---
+- name: Deploy Zabbix Proxy configuration
+  template: src=zabbix_proxy.conf.j2 dest=/etc/zabbix/zabbix_proxy.conf
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Install server scripts
+  copy: src=../zabbix_server/files/scripts/ dest=/var/lib/zabbix/bin/
+  tags: zabbix

roles/zabbix_proxy/tasks/directories.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Create needed directories
+  file: path=/var/lib/zabbix/{{ item }} state=directory owner=root group=zabbix mode=770
+  with_items:
+    - db
+    - tmp
+  tags: zabbix

roles/zabbix_proxy/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+- name: Remove previous zabbix packages
+  yum:
+    name:
+      - zabbix
+    state: absent
+  tags: zabbix
+
+- name: Install Zabbix Proxy
+  yum:
+   name:
+      - zabbix-proxy-sqlite3
+      - zabbix-get
+      - perl-JSON
+      - perl-IO-Socket-SSL
+      - perl-libwww-perl
+      - perl-URI
+      - perl-DateTime-Format-ISO8601
+      - perl-Getopt-Long
+      - perl-Pod-Usage
+  notify: restart zabbix-proxy
+  register: zabbix_proxy_rpm
+  tags: zabbix

roles/zabbix_proxy/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+- name: Handle Zabbix Proxy port
+  iptables_raw:
+    name: zabbix_proxy_port
+    state: "{{ (zabbix_proxy_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ zabbix_proxy_port | default('10051') }} -s {{ zabbix_proxy_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zabbix

roles/zabbix_proxy/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+
+- include: install.yml
+- include: directories.yml
+- include: upgrade.yml
+- include: psk.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+

roles/zabbix_proxy/tasks/psk.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if a TLS PSK key exists
+  stat: path=/etc/zabbix/zabbix_proxy.psk
+  register: zbx_proxy_psk
+  tags: zabbix
+
+- name: Generate random PSK key for TLS encryption
+  shell: "openssl rand -hex 32 > /etc/zabbix/zabbix_proxy.psk"
+  when:
+    - not zbx_proxy_psk.stat.exists
+    - zabbix_proxy_encryption | default('none') == "psk"
+  tags: zabbix
+
+- name: Restrict permission on PSK file
+  file: path=/etc/zabbix/zabbix_proxy.psk owner=root group=zabbix mode=0640
+  when:
+    - not zbx_proxy_psk.stat.exists
+    - zabbix_proxy_encryption | default('none') == "psk"
+  tags: zabbix

roles/zabbix_proxy/tasks/selinux.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Copy SELinux policy
+  copy: src=zabbix_proxy.te dest=/etc/selinux/targeted/local/
+  register: zabbix_proxy_selinux_policy
+  tags: zabbix
+
+- name: Install needed packages
+  yum:
+    name: policycoreutils
+  tags: zabbix
+
+- name: Compile SELinux policy
+  shell: |
+    cd /etc/selinux/targeted/local/
+    checkmodule -M -m -o zabbix_proxy.mod zabbix_proxy.te
+    semodule_package -o zabbix_proxy.pp -m zabbix_proxy.mod
+  when: zabbix_proxy_selinux_policy.changed
+  tags: zabbix
+
+- name: Load policy for Zabbix Proxy
+  command: semodule -i /etc/selinux/targeted/local/zabbix_proxy.pp
+  when: zabbix_proxy_selinux_policy.changed
+  tags: zabbix
+
+- name: Allow Zabbix to use network (SELinux)
+  seboolean: name=zabbix_can_network state=True persistent=True
+  tags: zabbix

roles/zabbix_proxy/tasks/service.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Remove custom unit
+  file: path=/etc/systemd/system/zabbix-proxy.service state=absent
+  register: zabbix_proxy_custom_unit
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Create unit snippet dir
+  file: path=/etc/systemd/system/zabbix-proxy.service.d state=directory
+  tags: zabbix
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      ExecReload=/usr/sbin/zabbix_proxy -R config_cache_reload
+      PrivateTmp=yes
+      PrivateDevices=yes
+      ProtectSystem=full
+      ProtectHome=yes
+      {% if not zabbix_proxy_uses_system_proxy %}
+      # Disable system proxy
+      {% for proto in ['http_proxy','https_proxy','HTTP_PROXY','HTTPS_PROXY'] %}
+      Environment={{ proto }}=
+      {% endfor %}
+      {% endif %}
+    dest: /etc/systemd/system/zabbix-proxy.service.d/99-ansible.conf
+  register: zabbix_proxy_snippet_unit
+  notify: restart zabbix-proxy
+  tags: zabbix
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: zabbix_proxy_custom_unit.changed or zabbix_proxy_snippet_unit.changed
+  tags: zabbix
+
+- name: Start and enable the service
+  service: name=zabbix-proxy state=started enabled=True
+  register: zabbix_proxy_started
+  tags: zabbix

roles/zabbix_proxy/tasks/upgrade.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Stop the service
+  service: name=zabbix-proxy state=stopped
+  when: zabbix_proxy_rpm.changed
+  tags: zabbix
+
+- name: Drop the SQLite database (no schema upgrade for SQLite)
+  file: path=/var/lib/zabbix/db/proxy.sqlite state=absent
+  when: zabbix_proxy_rpm.changed
+  tags: zabbix