From ecfba7bb01923d2784ca2b44ebd8fdf052a19a91 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 4 Sep 2024 10:00:14 +0200 Subject: [PATCH] Update to 2024-09-04 10:00 --- roles/zabbix_server/defaults/main.yml | 2 +- roles/zabbix_server/files/zabbix_server.te | 7 +++++-- roles/zabbix_server/tasks/facts.yml | 18 +++++++++++++----- roles/zabbix_server/tasks/install.yml | 19 ++----------------- roles/zabbix_server/tasks/selinux.yml | 2 +- roles/zabbix_server/templates/php.conf.j2 | 2 +- roles/zabbix_server/vars/RedHat-8.yml | 17 +++++++++++++++++ roles/zabbix_server/vars/RedHat-9.yml | 18 ++++++++++++++++++ 8 files changed, 58 insertions(+), 27 deletions(-) create mode 100644 roles/zabbix_server/vars/RedHat-8.yml create mode 100644 roles/zabbix_server/vars/RedHat-9.yml diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml index a069e98..6064dfa 100644 --- a/roles/zabbix_server/defaults/main.yml +++ b/roles/zabbix_server/defaults/main.yml @@ -15,7 +15,7 @@ zabbix_server_db_name: zabbix # zabbix_server_db_pass: secret zabbix_server_php_user: zabbix -zabbix_server_php_version: 74 +zabbix_server_php_version: 82 # If you want to use a custom php pool # zabbix_server_php_fpm_pool: php70 diff --git a/roles/zabbix_server/files/zabbix_server.te b/roles/zabbix_server/files/zabbix_server.te index 6b25c02..b2f20a3 100644 --- a/roles/zabbix_server/files/zabbix_server.te +++ b/roles/zabbix_server/files/zabbix_server.te @@ -1,10 +1,12 @@ -module zabbix_server 1.2; +module zabbix_server 1.4; require { type zabbix_var_run_t; type zabbix_t; type zabbix_var_lib_t; type mysqld_db_t; + type httpd_t; + type unconfined_service_t; class sock_file { create unlink write }; class unix_stream_socket connectto; class file { execute execute_no_trans }; 
@@ -17,4 +19,5 @@ allow zabbix_t self:capability dac_override; allow zabbix_t zabbix_var_lib_t:file { execute execute_no_trans }; allow zabbix_t zabbix_var_run_t:sock_file { create unlink }; allow zabbix_t mysqld_db_t:sock_file write; - +allow zabbix_t unconfined_service_t:unix_stream_socket connectto; +allow httpd_t unconfined_service_t:unix_stream_socket connectto; diff --git a/roles/zabbix_server/tasks/facts.yml b/roles/zabbix_server/tasks/facts.yml index b11f696..10d8fe6 100644 --- a/roles/zabbix_server/tasks/facts.yml +++ b/roles/zabbix_server/tasks/facts.yml @@ -1,11 +1,19 @@ --- -- import_tasks: ../includes/get_rand_pass.yml - vars: - - pass_file: /etc/zabbix/ansible_db_pass - when: zabbix_server_db_pass is not defined +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" tags: zabbix -- set_fact: zabbix_server_db_pass={{ rand_pass }} + +# Create a random app secret if needed +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "/etc/zabbix/ansible_db_pass" + - set_fact: zabbix_server_db_pass={{ rand_pass }} when: zabbix_server_db_pass is not defined tags: zabbix diff --git a/roles/zabbix_server/tasks/install.yml b/roles/zabbix_server/tasks/install.yml index c799111..11eaa2f 100644 --- a/roles/zabbix_server/tasks/install.yml +++ b/roles/zabbix_server/tasks/install.yml 
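Review bot: The two added rules `allow zabbix_t unconfined_service_t:unix_stream_socket connectto;` and `allow httpd_t unconfined_service_t:unix_stream_socket connectto;` let both domains connect to a stream socket of any process running as `unconfined_service_t`, which covers every service without its own policy, not only the peer Zabbix needs. The `httpd_t` rule also applies to the whole web server domain on the host, not just the Zabbix frontend. If the peer is only unconfined because its binary or unit lacks the right file context (an inference, the commit does not name the service), labelling it so it transitions into its own domain would keep the grant narrow. At minimum, a comment above the rules should name the intended peer, e.g. `# <service> runs as unconfined_service_t; needed for <socket path>`. The matching `type httpd_t;` and `type unconfined_service_t;` declarations are in the previous hunk's require block.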
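Review bot: The new block that fills `zabbix_server_db_pass` handles the database password without `no_log: true`, so the value passed to `set_fact` can show up in verbose output or callback logs; setting `no_log: true` on the block next to `when:` would cover both tasks. The added comment says "random app secret", but the variable and `pass_file` are the database password, so `# Create a random database password if needed` would match the code. Separately, `with_first_found` fails the play when none of the four candidate files exists, and this commit only adds `RedHat-8.yml` and `RedHat-9.yml`, so hosts on other releases stop at this task unless a vars file exists outside the diff.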
@@ -1,22 +1,7 @@ --- -- name: Install packages - yum: - name: - - zabbix-server-mysql - - zabbix-web - - zabbix-java-gateway - - zabbix-get - - mariadb - - fping - - patrix - - perl-JSON - - perl-IO-Socket-SSL - - perl-libwww-perl - - perl-URI - - perl-DateTime-Format-ISO8601 - - perl-Getopt-Long - - perl-Pod-Usage +- name: Installed packages + package: name={{ zabbix_server_packages }} tags: zabbix - name: Install backup scripts diff --git a/roles/zabbix_server/tasks/selinux.yml b/roles/zabbix_server/tasks/selinux.yml index 06cf7b4..701f3f6 100644 --- a/roles/zabbix_server/tasks/selinux.yml +++ b/roles/zabbix_server/tasks/selinux.yml @@ -18,7 +18,7 @@ when: zabbix_server_selinux_policy.changed tags: zabbix -- name: Load policy for Zabbix Proxy +- name: Load policy for Zabbix Server command: semodule -i /etc/selinux/targeted/local/zabbix_server.pp when: zabbix_server_selinux_policy.changed tags: zabbix diff --git a/roles/zabbix_server/templates/php.conf.j2 b/roles/zabbix_server/templates/php.conf.j2 index f87e81f..d0a0860 100644 --- a/roles/zabbix_server/templates/php.conf.j2 +++ b/roles/zabbix_server/templates/php.conf.j2 @@ -27,7 +27,7 @@ php_admin_value[upload_tmp_dir] = /tmp php_admin_value[post_max_size] = 32M php_admin_value[upload_max_filesize] = 5M php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd -php_admin_value[open_basedir] = /usr/share/zabbix:/etc/zabbix:/tmp:/var/lib/zabbix/sessions:/etc/alternative/:/usr/share/fonts/dejavu/ +php_admin_value[open_basedir] = /usr/share/zabbix:/etc/zabbix:/tmp:/var/lib/zabbix/sessions:/etc/alternative/:/usr/share/fonts/dejavu/:/usr/share/zabbix/assets/fonts/graphfont.ttf php_admin_value[max_execution_time] = 600 php_admin_value[max_input_time] = 600 php_admin_flag[allow_url_include] = off diff --git a/roles/zabbix_server/vars/RedHat-8.yml b/roles/zabbix_server/vars/RedHat-8.yml new file mode 100644 index 0000000..179a129 
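Review bot: `package: name={{ zabbix_server_packages }}` passes a list through the inline key=value form; the YAML form avoids re-parsing the templated value as a string: `package:` followed by `name: "{{ zabbix_server_packages }}"`. As far as this diff shows, the variable is defined only in the new `vars/RedHat-8.yml` and `vars/RedHat-9.yml`, so a default in `defaults/main.yml` or an explicit `assert` would give a clearer failure than an undefined-variable error on other platforms. The task name became "Installed packages", which reads like a slip for "Install packages".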
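Review bot: The entry appended to `open_basedir`, `/usr/share/zabbix/assets/fonts/graphfont.ttf`, is already covered by the existing `/usr/share/zabbix` entry, so on its own it changes nothing. PHP resolves symlinks before checking `open_basedir`, so if `graphfont.ttf` is a symlink (likely, but not visible here), the path that has to be listed is its resolved target. The existing `/etc/alternative/` on the same line looks like a misspelling of `/etc/alternatives/`, and the font directory may differ between EL8 and EL9; worth checking both. Keeping the list limited to the real resolved paths, with a short comment saying why each font path is there, keeps the restriction meaningful.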
--- /dev/null +++ b/roles/zabbix_server/vars/RedHat-8.yml @@ -0,0 +1,17 @@ +--- + +zabbix_server_packages: + - zabbix-server-mysql + - zabbix-web + - zabbix-java-gateway + - zabbix-get + - mariadb + - fping + - patrix + - perl-JSON + - perl-IO-Socket-SSL + - perl-libwww-perl + - perl-URI + - perl-DateTime-Format-ISO8601 + - perl-Getopt-Long + - perl-Pod-Usage diff --git a/roles/zabbix_server/vars/RedHat-9.yml b/roles/zabbix_server/vars/RedHat-9.yml new file mode 100644 index 0000000..c46af07 --- /dev/null +++ b/roles/zabbix_server/vars/RedHat-9.yml @@ -0,0 +1,18 @@ +--- + +zabbix_server_packages: + - glibc-langpack-en + - zabbix-server-mysql + - zabbix-web + - zabbix-java-gateway + - zabbix-get + - mariadb + - fping + - patrix + - perl-JSON + - perl-IO-Socket-SSL + - perl-libwww-perl + - perl-URI + - perl-DateTime-Format-ISO8601 + - perl-Getopt-Long + - perl-Pod-Usage