From 29bec6f965a069635787035a103baa20b7c14194 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Fri, 6 Jun 2025 18:08:13 +0200
Subject: [PATCH] feat: initial commit
---
.ansible-lint | 23 +++++++++++++
.gitignore | 1 +
.gitlab-ci.yml | 18 ++++++++++
.gitlab/deployment.yaml | 32 ++++++++++++++++++
.gitlab/gitleaks.yaml | 18 ++++++++++
.gitlab/linting.yaml | 30 +++++++++++++++++
.yamllint | 30 +++++++++++++++++
README.md | 30 +++++++++++++++++
defaults/main.yaml | 7 ++++
handlers/main.yaml | 8 +++++
meta/main.yaml | 8 +++++
renovate.json | 7 ++++
tasks/config.yaml | 21 ++++++++++++
tasks/install.yaml | 34 +++++++++++++++++++
tasks/main.yaml | 28 ++++++++++++++++
templates/zabbix/zabbix_proxy.conf.j2 | 47 +++++++++++++++++++++++++++
templates/zabbix/zabbix_proxy.psk.j2 | 1 +
17 files changed, 343 insertions(+)
create mode 100644 .ansible-lint
create mode 100644 .gitignore
create mode 100644 .gitlab-ci.yml
create mode 100644 .gitlab/deployment.yaml
create mode 100644 .gitlab/gitleaks.yaml
create mode 100644 .gitlab/linting.yaml
create mode 100644 .yamllint
create mode 100644 README.md
create mode 100644 defaults/main.yaml
create mode 100644 handlers/main.yaml
create mode 100644 meta/main.yaml
create mode 100644 renovate.json
create mode 100644 tasks/config.yaml
create mode 100644 tasks/install.yaml
create mode 100644 tasks/main.yaml
create mode 100644 templates/zabbix/zabbix_proxy.conf.j2
create mode 100644 templates/zabbix/zabbix_proxy.psk.j2
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..9b9b52a
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
+---
+
+exclude_paths:
+ - ".gitlab/*"
+ - ".gitlab-ci.yml"
+ - "defaults/main.yaml"
+ - "meta/main.yaml"
+ - "vars/*"
+
+kinds:
+ - playbook: "**/*.{yml,yaml}"
+
+skip_list:
+ - "command-shell"
+ - "experimental"
+ - "git-latest"
+ - "no-changed-when"
+ - "no-handler"
+ - "name[casing]"
+ - "name[template]"
+ - "risky-file-permissions"
+ - "schema[playbook]"
+ - "var-naming[no-role-prefix]"
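Review bot: `kinds: - playbook: "**/*.{yml,yaml}"` classifies every YAML file in the role as a playbook, which is presumably why `schema[playbook]` then has to be skipped; together the two settings disable schema validation for tasks/, handlers/ and meta/ instead of letting ansible-lint detect each file's kind from its path. Dropping the `kinds` override and the `schema[playbook]` skip would restore the built-in detection and the matching schema checks. `risky-file-permissions` is also in `skip_list`, which hides the missing `mode` on the directory task in tasks/install.yaml; keeping that rule on and setting the mode there is the safer combination.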
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..904cae8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.ansible
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..fdb0b13
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,18 @@
+---
+
+# gitLab ci stages
+stages:
+
+ # deployment
+ - "gitleaks"
+ - "linting"
+ - "deployment"
+
+
+# include jobs
+include:
+
+ # deployment
+ - local: ".gitlab/gitleaks.yaml"
+ - local: ".gitlab/linting.yaml"
+ - local: ".gitlab/deployment.yaml"
diff --git a/.gitlab/deployment.yaml b/.gitlab/deployment.yaml
new file mode 100644
index 0000000..eab31d5
--- /dev/null
+++ b/.gitlab/deployment.yaml
@@ -0,0 +1,32 @@
+---
+# deploy ansible/roles/common code
+deployment:
+ stage: "deployment"
+ image:
+ name: "cr.simoncor.net/siempie/ssh-client:v25.06.03"
+ entrypoint: ["/bin/sh", "-c"]
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # prepare ssh
+ before_script:
+
+ # prepare ssh
+ - |
+ # prepare ssh
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+ echo "$SSH_CONFIG" > ~/.ssh/config
+ echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ # deployment commands
+ script:
+
+ - |
+ # install ansible roles dependancies
+ ssh $SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER \
+ "sudo /usr/local/bin/ansible-galaxy install -r /etc/ansible/roles/requirements.yaml --force"
diff --git a/.gitlab/gitleaks.yaml b/.gitlab/gitleaks.yaml
new file mode 100644
index 0000000..e2b3247
--- /dev/null
+++ b/.gitlab/gitleaks.yaml
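Review bot: In the `before_script` block of .gitlab/deployment.yaml the private key is written with `echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519` before the `chmod 600`, so the file is created with the container's default umask and only tightened afterwards; putting `umask 077` as the first line of that block makes the directory and both files restrictive from creation and makes the two chmod lines redundant. Nothing writes `~/.ssh/known_hosts`, so unless `$SSH_CONFIG` pins the host key the ssh call in `script` either fails non-interactively or, if that config disables strict checking, accepts whichever host answers as `$ANSIBLE_SERVER`; an explicit `echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts` from a CI variable (placeholder name) keeps host verification visible in the job. The comment `# install ansible roles dependancies` should read `dependencies`, and the three identical `# prepare ssh` comments could be reduced to one.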
@@ -0,0 +1,18 @@
+---
+
+# gitleaks
+gitleaks:
+ stage: "gitleaks"
+ image:
+ name: "ghcr.io/gitleaks/gitleaks:latest"
+ variables:
+ GIT_DEPTH: 1
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # start linting
+ script:
+ - "gitleaks detect --source . --verbose --redact --max-decode-depth 1"
diff --git a/.gitlab/linting.yaml b/.gitlab/linting.yaml
new file mode 100644
index 0000000..5361ac6
--- /dev/null
+++ b/.gitlab/linting.yaml
@@ -0,0 +1,30 @@
+---
+
+# linting
+ansible-lint:
+ stage: "linting"
+ image: "docker.io/pipelinecomponents/ansible-lint:0.79.0"
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # start linting
+ script:
+ - "ansible-lint -c .ansible-lint ."
+
+# yamllint
+yamllint:
+ stage: "linting"
+ image: "registry.gitlab.com/pipeline-components/yamllint:0.35.0"
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ script:
+
+ # run yamllint
+ - "yamllint ."
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..f11bd84
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,30 @@
+---
+extends: 'default'
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ forbid: true
+ comments:
+ min-spaces-from-content: 1
+ comments-indentation: false
+ empty-lines:
+ max: 2
+ indentation:
+ spaces: 2
+ check-multi-line-strings: true
+ line-length:
+ max: 120
+ allow-non-breakable-words: true
+ allow-non-breakable-inline-mappings: true
+ new-line-at-end-of-file: 'enable'
+ octal-values:
+ forbid-implicit-octal: true
+ forbid-explicit-octal: true
+ truthy:
+ allowed-values:
+ - 'true'
+ - 'false'
+ quoted-strings:
+ quote-type: 'any'
+ required: true
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8a01b37
--- /dev/null
+++ b/README.md
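Review bot: `name: "ghcr.io/gitleaks/gitleaks:latest"` is the only unpinned image in this commit — the ansible-lint and yamllint jobs in .gitlab/linting.yaml pin `0.79.0` and `0.35.0` — so the secret scanner's behaviour and supply chain can change without a commit to this repository; pin a version tag (or a digest) and let Renovate bump it. The `rules` block limits the job to pushes on the default branch, the same restriction used by both jobs in .gitlab/linting.yaml, so a committed secret is only reported after it has already landed there; adding `- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'` ahead of the push rule would surface it at review time. With `GIT_DEPTH: 1` the checkout holds a single commit, so `gitleaks detect` cannot see secrets that were added and removed in earlier commits of the same push; if history scanning is intended, raise the depth for this job.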
@@ -0,0 +1,30 @@
+# Overview
+
+This role the opinionated installation and configuration of a Zabbix Proxy.
+
+## Supported Operating Systems
+
+| Operating System | Version |
+| --- | ----- |
+| Debian | 12 |
+
+## Variables
+
+| Variable | Type | Default | Required |
+| --- | --- | --- | --- |
+| zabbix_proxy_psk_id | string | | Yes |
+| zabbix_proxy_psk | string(enc) | | Yes |
+| zabbix_server_host | string | `zabbix.siempie.internal` | No |
+
+## Example usage
+
+```yaml
+zabbix_server_host: "zabbix.siempie.internal"
+zabbix_proxy_psk_id: "proxy-siempie"
+zabbix_proxy_psk: !vault
+ $ANSIBLE_VAULT;1.1;AES256
+ 31633463613336373164373333633038393164383835646633303163316665303934646363383530
+ ...
+```
+
+```
diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..c008335
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,7 @@
+---
+
+# zabbix_version
+zabbix_major_version: "7.2"
+
+# zabbix proxy
+zabbix_server_host: "zabbix.siempie.internal"
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..b155844
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,8 @@
+---
+
+# zabbix proxy
+- name: "restart zabbix-proxy"
+ ansible.builtin.service:
+ name: "zabbix-proxy"
+ state: "restarted"
+ enabled: true
diff --git a/meta/main.yaml b/meta/main.yaml
new file mode 100644
index 0000000..b1b81fc
--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,8 @@
+---
+
+galaxy_info:
+ author: "siempie"
+ description: "install and configure a Zabbix Server"
+ license: "MIT"
+ role_name: "zabbix_server"
+dependencies: []
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..da8f5e1
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [ "local>cicd/renovate" ],
+ "ansible": {
+ "fileMatch": [ "(.*).ya?ml$" ]
+ }
+}
diff --git a/tasks/config.yaml b/tasks/config.yaml
new file mode 100644
index 0000000..1c3d51c
--- /dev/null
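Review bot: `role_name: "zabbix_server"` and `description: "install and configure a Zabbix Server"` in meta/main.yaml describe a different role from the one this commit adds — README.md, handlers/main.yaml and tasks/install.yaml all manage `zabbix-proxy`. Since .gitlab/deployment.yaml installs roles with `ansible-galaxy install -r ... --force`, a role advertising the server's name may be installed under, or collide with, a real zabbix_server role; `role_name: "zabbix_proxy"` and `description: "install and configure a Zabbix Proxy"` match the rest of the commit. `galaxy_info` also declares no `platforms` or `min_ansible_version`, although README.md states Debian 12; declaring `platforms: - name: Debian versions: - bookworm` here keeps the two in agreement.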
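Review bot: `"fileMatch": [ "(.*).ya?ml$" ]` under `ansible` in renovate.json has an unescaped `.` and an unused capture group, so it is looser than intended and also sweeps in the CI job files under .gitlab/; `"\\.ya?ml$"` expresses the same intent. The version-pinned images this commit introduces live in .gitlab/deployment.yaml and .gitlab/linting.yaml, which Renovate's gitlabci manager does not match by default (it looks at `.gitlab-ci.yml`), so unless the `local>cicd/renovate` preset extends it those pins will not be bumped; a `"gitlabci": { "fileMatch": [ "^\\.gitlab/.+\\.ya?ml$" ] }` entry would cover them.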
+++ b/tasks/config.yaml
@@ -0,0 +1,21 @@
+---
+
+# configure psk
+- name: "configure psk"
+ ansible.builtin.template:
+ src: "templates/zabbix/zabbix_proxy.psk.j2"
+ dest: "/etc/zabbix/zabbix_proxy.psk"
+ owner: "zabbix"
+ group: "zabbix"
+ mode: "0640"
+ notify: "restart zabbix-proxy"
+
+# config proxy
+- name: "configure zabbix-proxy"
+ ansible.builtin.template:
+ src: "templates/zabbix/zabbix_proxy.conf.j2"
+ dest: "/etc/zabbix/zabbix_proxy.conf"
+ owner: "root"
+ group: "root"
+ mode: "0664"
+ notify: "restart zabbix-proxy"
diff --git a/tasks/install.yaml b/tasks/install.yaml
new file mode 100644
index 0000000..e18d302
--- /dev/null
+++ b/tasks/install.yaml
@@ -0,0 +1,34 @@
+---
+
+# install zabbix-server
+- name: "install zabbix-server"
+ when: "zabbix_major_version not in zabbix_current_version.stdout"
+ block:
+
+ # install repository - debian
+ - name: "install repository"
+ when: 'ansible_os_family == "Debian"'
+ block:
+
+ # remove old proxy
+ - name: "remove old proxy"
+ ansible.builtin.apt:
+ name: "zabbix-proxy"
+ state: "absent"
+ loop:
+ - "zabbix-proxy"
+
+ # install zabbix proxy
+ - name: "install zabbix-proxy"
+ ansible.builtin.apt:
+ name: "zabbix-proxy-sqlite3"
+ state: "present"
+ update_cache: true
+
+ # create zabbix db directory
+ - name: "create zabbix db directory"
+ ansible.builtin.file:
+ path: "/usr/lib/zabbix/proxy/"
+ state: "directory"
+ owner: "zabbix"
+ group: "zabbix"
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..dfdddcc
--- /dev/null
+++ b/tasks/main.yaml
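Review bot: The `configure psk` task in tasks/config.yaml renders the pre-shared key with `ansible.builtin.template` but carries no `no_log: true`, so a run with `--diff`, or a failure inside the task, prints the PSK in the play output and in any CI log that captures it; add `no_log: true` to that task. The proxy config is installed with `mode: "0664"`, which leaves `/etc/zabbix/zabbix_proxy.conf` group-writable for `root` for no stated reason; `mode: "0644"` is the conventional value for a root-owned config. Both tasks use `src: "templates/zabbix/..."`; the `templates/` prefix appears redundant because the template module already searches the role's templates directory, though it looks like it resolves either way.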
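Review bot: The `remove old proxy` task in tasks/install.yaml hard-codes `name: "zabbix-proxy"` and never references `item`, so its `loop:` over that same single value adds nothing but a loop in the output; drop the `loop` block (or use `name: "{{ item }}"`). The block named `install repository` installs no repository — it only removes and installs packages — so either the Zabbix apt repository for `zabbix_major_version` is missing or the name and the `# install repository - debian` comment are stale; without such a repository the outer gate `zabbix_major_version not in zabbix_current_version.stdout` may stay true on every run if the distribution package reports a different major version, re-removing and re-installing the proxy each time. `create zabbix db directory` sets owner and group but no `mode`, so the directory's permissions follow the remote umask; `mode: "0750"` would make them explicit (this is the `risky-file-permissions` rule that .ansible-lint skips).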
@@ -0,0 +1,28 @@
+---
+
+# load variables and collect version information
+- name: "include vars and collect versions"
+ block:
+
+ # collect zabbix-proxy version information
+ - name: "collect version information"
+ ansible.builtin.shell:
+ cmd: "zabbix_proxy --version | head -n 1"
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+ register: "zabbix_current_version"
+
+
+# zabbix-proxy install
+- name: "zabbix-proxy install"
+ ansible.builtin.import_tasks: "install.yaml"
+ tags:
+ - "zabbix_proxy_install"
+
+
+# zabbix-proxy config
+- name: "zabbix-proxy config"
+ ansible.builtin.import_tasks: "config.yaml"
+ tags:
+ - "zabbix_proxy_config"
diff --git a/templates/zabbix/zabbix_proxy.conf.j2 b/templates/zabbix/zabbix_proxy.conf.j2
new file mode 100644
index 0000000..af3242b
--- /dev/null
+++ b/templates/zabbix/zabbix_proxy.conf.j2
@@ -0,0 +1,47 @@
+# general
+ProxyMode=0
+Server={{ zabbix_server_host }}
+Hostname={{ inventory_hostname }}
+ListenPort=10051
+EnableRemoteCommands=1
+DBName=/usr/lib/zabbix/proxy/zabbix.db
+PidFile=/run/zabbix/zabbix_proxy.pid
+SocketDir=/run/zabbix
+AllowRoot=0
+User=zabbix
+
+# logging
+LogType=system
+DebugLevel=1
+
+# tls
+TLSConnect=psk
+TLSPSKIdentity={{ zabbix_proxy_psk_id }}
+TLSPSKFile=/etc/zabbix/zabbix_proxy.psk
+
+# general proxy parameters
+ProxyLocalBuffer=1
+ProxyOfflineBuffer=1
+DataSenderFrequency=2
+
+# advanced proxy parameters
+StartPollers=25
+StartIPMIPollers=1
+StartPreprocessors=5
+StartPollersUnreachable=10
+StartTrappers=25
+StartPingers=10
+StartDiscoverers=10
+StartHTTPPollers=25
+
+# other
+HousekeepingFrequency=1
+CacheSize=32M
+Timeout=5
+UnreachablePeriod=10
+UnreachableDelay=5
+UnavailableDelay=60
+FpingLocation=/usr/bin/fping
+Fping6Location=/usr/bin/fping6
+LogSlowQueries=3000
+StatsAllowedIP=127.0.0.1
diff --git a/templates/zabbix/zabbix_proxy.psk.j2 b/templates/zabbix/zabbix_proxy.psk.j2
new file mode 100644
index 0000000..18b0bf0
--- /dev/null
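Review bot: `failed_when: false` and `ignore_errors: true` on the `collect version information` task in tasks/main.yaml do the same job; `failed_when: false` alone already records a non-failing result in `zabbix_current_version`, so `ignore_errors: true` can be dropped. The enclosing block is named `include vars and collect versions` but contains no include_vars task and only this one child, so the block and the `# load variables ...` comment add a nesting level with no effect; the task can sit at top level under an accurate comment. When `zabbix_proxy` is absent the shell step leaves `stdout` empty, and that empty value is what makes the `when` gate in install.yaml evaluate true, so the dependency deserves a comment on the register line, e.g. `# empty stdout when zabbix_proxy is absent; install.yaml keys off this`.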
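Review bot: `EnableRemoteCommands=1` in templates/zabbix/zabbix_proxy.conf.j2 is hard-coded, so every proxy built from this template accepts remote commands from the server with no way for a caller to turn that off; a role default such as `zabbix_proxy_enable_remote_commands: false` (constructed name) rendered as `EnableRemoteCommands={{ '1' if zabbix_proxy_enable_remote_commands else '0' }}` keeps the least-privilege default and lets a caller opt in. Which side governs remote commands has changed across Zabbix releases, so confirm the parameter is still honoured by the 7.2 proxy this role targets before relying on it. `DBName=/usr/lib/zabbix/proxy/zabbix.db` puts a writable SQLite database under /usr/lib, which the FHS reserves for static files; `/var/lib/zabbix/` is the conventional location, and tasks/install.yaml creates the matching directory, so both would move together. The `Start*` and `CacheSize` tuning values are likewise fixed in the template; exposing them as role defaults would let operators size a proxy without forking the role.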
+++ b/templates/zabbix/zabbix_proxy.psk.j2
@@ -0,0 +1 @@
+{{ zabbix_proxy_psk }}