From 57d48dafc7a2e24e27fec8c6a670f04017eb7300 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 6 Apr 2022 11:00:07 +0200
Subject: [PATCH] Update to 2022-04-06 11:00
---
roles/zabbix_proxy/defaults/main.yml | 50 ++++++++++++++-----
roles/zabbix_proxy/tasks/install.yml | 1 +
roles/zabbix_proxy/tasks/iptables.yml | 2 +-
roles/zabbix_proxy/tasks/main.yml | 7 +++
roles/zabbix_proxy/tasks/psk.yml | 12 +----
roles/zabbix_proxy/tasks/service.yml | 7 +++
roles/zabbix_proxy/tasks/upgrade.yml | 13 +++--
.../templates/zabbix_proxy.conf.j2 | 31 ++----------
8 files changed, 66 insertions(+), 57 deletions(-)
diff --git a/roles/zabbix_proxy/defaults/main.yml b/roles/zabbix_proxy/defaults/main.yml
index c19dba6..dfa01ac 100644
--- a/roles/zabbix_proxy/defaults/main.yml
+++ b/roles/zabbix_proxy/defaults/main.yml
@@ -1,18 +1,44 @@ --- -# zabbix_proxy_encryption: none -# zabbix_proxy_port: 10051 +zabbix_proxy_port: 10051 zabbix_proxy_src_ip: - 0.0.0.0/0 -zabbix_proxy_server: zabbix.firewall-services.com -# zabbix_proxy_pollers: 5 -# zabbix_proxy_ipmi_pollers: 1 -# zabbix_proxy_unreachable_pollers: 2 -# zabbix_proxy_trappers: 5 -# zabbix_proxy_pingers: 4 -# zabbix_proxy_discoverers: 1 -# zabbix_proxy_http_pollers: 1 -# zabbix_proxy_timeout: 15 -zabbix_proxy_cache_size: 32M +zabbix_proxy_server: zabbix.example.org +zabbix_proxy_java_gateway_port: 10052 + +zabbix_proxy_base_conf: + Server: "{{ zabbix_proxy_server }}" + Hostname: "{{ inventory_hostname }}" + LogType: system + ListenPort: "{{ zabbix_proxy_port }}" + PidFile: /run/zabbix/zabbix_proxy.pid + DBName: /var/lib/zabbix/db/proxy.sqlite + ProxyOfflineBuffer: 72 + SocketDir: /run/zabbix + ConfigFrequency: 600 + DataSenderFrequency: 30 + CacheSize: 32M + StartPollers: 5 + StartIPMIPollers: 1 + StartPollersUnreachable: 2 + StartTrappers: 5 + StartPingers: 4 + StartDiscoverers: 1 + StartHTTPPollers: 1 + Timeout: 30 + ExternalScripts: /var/lib/zabbix/bin/ + TmpDir: /var/lib/zabbix/tmp + LoadModulePath: /usr/lib64/zabbix/modules + JavaGateway: 127.0.0.1 + JavaGatewayPort: "{{ zabbix_proxy_java_gateway_port }}" + StartJavaPollers: 0 + TLSPSKFile: /etc/zabbix/zabbix_proxy.psk + TLSPSKIdentity: "{{ inventory_hostname }}-proxy" + TLSConnect: psk + TLSAccept: psk + +zabbix_proxy_extra_conf: {} +zabbix_proxy_conf: "{{ zabbix_proxy_base_conf | combine(zabbix_proxy_extra_conf, recursive=True) }}" + # If update is set to False, the role will only ensure packages are installed # If set to True, it will update components to their latest version diff --git a/roles/zabbix_proxy/tasks/install.yml b/roles/zabbix_proxy/tasks/install.yml index cae0ab8..ae3f75f 100644 --- a/roles/zabbix_proxy/tasks/install.yml +++ b/roles/zabbix_proxy/tasks/install.yml 
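Review bot: In roles/zabbix_proxy/defaults/main.yml the former per-setting variables (`zabbix_proxy_encryption`, `zabbix_proxy_cache_size`, the `zabbix_proxy_pollers` family read by the old template) disappear with no comment explaining the replacement, so an inventory that still sets them will be silently ignored. PSK also moves from opt-in to always present in `zabbix_proxy_base_conf`, which is the safer default, but a proxy that previously ran unencrypted will presumably stop talking to its server until the key is registered there. I would document both above `zabbix_proxy_extra_conf`, for example `# Add or override zabbix_proxy.conf directives here; replaces the former zabbix_proxy_* tunables (TLS PSK is on by default)`.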
@@ -11,6 +11,7 @@ name: - zabbix-proxy-sqlite3 - zabbix-get + - zabbix-java-gateway - perl-JSON - perl-IO-Socket-SSL - perl-libwww-perl diff --git a/roles/zabbix_proxy/tasks/iptables.yml b/roles/zabbix_proxy/tasks/iptables.yml index 920577b..156dd78 100644 --- a/roles/zabbix_proxy/tasks/iptables.yml +++ b/roles/zabbix_proxy/tasks/iptables.yml @@ -3,5 +3,5 @@ iptables_raw: name: zabbix_proxy_port state: "{{ (zabbix_proxy_src_ip | length > 0) | ternary('present','absent') }}" - rules: "-A INPUT -m state --state NEW -p tcp --dport {{ zabbix_proxy_port | default('10051') }} -s {{ zabbix_proxy_src_ip | join(',') }} -j ACCEPT" + rules: "-A INPUT -m state --state NEW -p tcp --dport {{ zabbix_proxy_port }} -s {{ zabbix_proxy_src_ip | join(',') }} -j ACCEPT" tags: zabbix diff --git a/roles/zabbix_proxy/tasks/main.yml b/roles/zabbix_proxy/tasks/main.yml index d688918..11214ca 100644 --- a/roles/zabbix_proxy/tasks/main.yml +++ b/roles/zabbix_proxy/tasks/main.yml @@ -2,19 +2,26 @@ - include_tasks: install.yml tags: always + - include_tasks: directories.yml tags: always + - include_tasks: upgrade.yml tags: always + - include_tasks: psk.yml tags: always + - include_tasks: selinux.yml when: ansible_selinux.status == 'enabled' tags: always + - include_tasks: conf.yml tags: always + - include_tasks: iptables.yml when: iptables_manage | default(True) + - include_tasks: service.yml tags: always diff --git a/roles/zabbix_proxy/tasks/psk.yml b/roles/zabbix_proxy/tasks/psk.yml index 2280729..ec94b50 100644 --- a/roles/zabbix_proxy/tasks/psk.yml +++ b/roles/zabbix_proxy/tasks/psk.yml 
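Review bot: In roles/zabbix_proxy/tasks/install.yml, `zabbix-java-gateway` is now installed on every proxy, yet no file in this patch manages the gateway's own configuration. The proxy side is pinned to `JavaGateway: 127.0.0.1` and `zabbix_proxy_java_gateway_port`, so the daemon should be bound to match, for instance `LISTEN_IP="127.0.0.1"` and `LISTEN_PORT` set from the same variable in the gateway's configuration file. Otherwise changing the port variable only moves the proxy side, and the gateway presumably keeps its packaged listen address. The package list starts before this hunk, so whether the install is conditional cannot be seen from here.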
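Review bot: In roles/zabbix_proxy/tasks/iptables.yml the rule opens `zabbix_proxy_port`, while the daemon listens on `zabbix_proxy_conf['ListenPort']`, which `zabbix_proxy_extra_conf` can override. If `ListenPort` is set there, the firewall opens a port nothing listens on and the real port stays closed. Using the merged value keeps the two in step: `--dport {{ zabbix_proxy_conf['ListenPort'] }}`. Separately, the default source list in defaults/main.yml is still `0.0.0.0/0`, so this rule accepts the trapper port from any address unless the inventory narrows it. The task header sits above the hunk.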
@@ -1,19 +1,11 @@ --- -- name: Check if a TLS PSK key exists - stat: path=/etc/zabbix/zabbix_proxy.psk - register: zbx_proxy_psk - tags: zabbix - name: Generate random PSK key for TLS encryption shell: "openssl rand -hex 32 > /etc/zabbix/zabbix_proxy.psk" - when: - - not zbx_proxy_psk.stat.exists - - zabbix_proxy_encryption | default('none') == "psk" + args: + creates: /etc/zabbix/zabbix_proxy.psk tags: zabbix - name: Restrict permission on PSK file file: path=/etc/zabbix/zabbix_proxy.psk owner=root group=zabbix mode=0640 - when: - - not zbx_proxy_psk.stat.exists - - zabbix_proxy_encryption | default('none') == "psk" tags: zabbix diff --git a/roles/zabbix_proxy/tasks/service.yml b/roles/zabbix_proxy/tasks/service.yml index a0951b6..5df11ee 100644 --- a/roles/zabbix_proxy/tasks/service.yml +++ b/roles/zabbix_proxy/tasks/service.yml @@ -39,3 +39,10 @@ service: name=zabbix-proxy state=started enabled=True register: zabbix_proxy_started tags: zabbix + +- name: Handle Zabbix Java Gateway daemon + service: + name: zabbix-java-gateway + state: "{{ (zabbix_proxy_conf['StartJavaPollers'] is defined and zabbix_proxy_conf['StartJavaPollers'] > 0) | ternary('started','stopped') }}" + enabled: "{{ (zabbix_proxy_conf['StartJavaPollers'] is defined and zabbix_proxy_conf['StartJavaPollers'] > 0) | ternary(True,False) }}" + tags: zabbix diff --git a/roles/zabbix_proxy/tasks/upgrade.yml b/roles/zabbix_proxy/tasks/upgrade.yml index ce42521..8418dc9 100644 --- a/roles/zabbix_proxy/tasks/upgrade.yml +++ b/roles/zabbix_proxy/tasks/upgrade.yml 
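Review bot: In roles/zabbix_proxy/tasks/psk.yml the key is written through a shell redirect, so the file is created under the process umask and keeps those permissions until the following `file` task sets 0640. Now that PSK is always enabled this runs on every new host. Setting the umask in the same command closes that window: `shell: "umask 077 && openssl rand -hex 32 > /etc/zabbix/zabbix_proxy.psk"`. The redirect also creates the file even when `openssl` fails, after which `creates:` skips the task on later runs and leaves an empty key file in place, so a check that the file is non-empty would be worth adding.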
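Review bot: In roles/zabbix_proxy/tasks/service.yml the test `zabbix_proxy_conf['StartJavaPollers'] > 0` compares the raw value, so an override that arrives as a string (a templated value or a command-line extra var, for example) would fail the comparison instead of starting the gateway. Casting first avoids that and shortens the expression: `state: "{{ (zabbix_proxy_conf['StartJavaPollers'] | default(0) | int > 0) | ternary('started','stopped') }}"`. The same condition can be used directly for `enabled`, without the `ternary(True,False)`.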
@@ -1,11 +1,10 @@ --- -- name: Stop the service - service: name=zabbix-proxy state=stopped - when: zabbix_proxy_rpm.changed - tags: zabbix +- when: zabbix_proxy_rpm.changed + block: + - name: Stop the service + service: name=zabbix-proxy state=stopped -- name: Drop the SQLite database (no schema upgrade for SQLite) - file: path=/var/lib/zabbix/db/proxy.sqlite state=absent - when: zabbix_proxy_rpm.changed + - name: Drop the SQLite database (no schema upgrade for SQLite) + file: path=/var/lib/zabbix/db/proxy.sqlite state=absent tags: zabbix diff --git a/roles/zabbix_proxy/templates/zabbix_proxy.conf.j2 b/roles/zabbix_proxy/templates/zabbix_proxy.conf.j2 index cc29778..07fc73b 100644 --- a/roles/zabbix_proxy/templates/zabbix_proxy.conf.j2 +++ b/roles/zabbix_proxy/templates/zabbix_proxy.conf.j2 
@@ -1,29 +1,6 @@ -Server={{ zabbix_proxy_server }} -Hostname={{ inventory_hostname }} -LogType=system -PidFile=/var/run/zabbix/zabbix_proxy.pid -DBName=/var/lib/zabbix/db/proxy.sqlite -ProxyOfflineBuffer=72 -SocketDir=/var/run/zabbix -ConfigFrequency=600 -DataSenderFrequency=30 -CacheSize={{ zabbix_proxy_cache_size | default('32M') }} -StartPollers={{ zabbix_proxy_pollers | default(5) }} -StartIPMIPollers={{ zabbix_proxy_ipmi_pollers | default(1) }} -StartPollersUnreachable={{ zabbix_proxy_unreachable_pollers | default(2) }} -StartTrappers={{ zabbix_proxy_trappers | default(5) }} -StartPingers={{ zabbix_proxy_pingers | default(4) }} -StartDiscoverers={{ zabbix_proxy_discoverers | default(1) }} -StartHTTPPollers={{ zabbix_proxy_http_pollers | default(1) }} -Timeout={{ zabbix_proxy_timeout | default(30) }} -ExternalScripts=/var/lib/zabbix/bin/ -TmpDir=/var/lib/zabbix/tmp -{% if zabbix_proxy_encryption | default('none') == 'psk' %} -TLSPSKFile=/etc/zabbix/zabbix_proxy.psk -TLSPSKIdentity={{ inventory_hostname }}-proxy -TLSConnect=psk -TLSAccept=psk -{% endif %} -{% if ansible_all_ipv6_addresses | length < 1 %} +{% for key in zabbix_proxy_conf.keys() | list %} +{{ key }}={{zabbix_proxy_conf[key] }} +{% endfor %} +{% if ansible_all_ipv6_addresses | length < 1 and zabbix_proxy_conf['Fping6Location'] is not defined %} Fping6Location= {% endif %}
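Review bot: In roles/zabbix_proxy/templates/zabbix_proxy.conf.j2 the loop indexes the dict by key and has uneven spacing in `{{zabbix_proxy_conf[key] }}`. Iterating pairs reads more directly: `{% for key, value in zabbix_proxy_conf.items() %}` with `{{ key }}={{ value }}`. Since every directive now comes from variables, a first line such as `# {{ ansible_managed }}` would tell anyone editing the file on the host that their changes will be overwritten. Values are emitted verbatim, so a value containing a line break would become an extra directive line, which is worth stating where `zabbix_proxy_extra_conf` is documented.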