commit 8cee41cfa80f7f93d6f489aed5da77caa90fa62e Author: Simon Cornet Date: Fri Jun 6 17:53:55 2025 +0200 feat: initial commit
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..9b9b52a
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
+---
+
+exclude_paths:
+ - ".gitlab/*"
+ - ".gitlab-ci.yml"
+ - "defaults/main.yaml"
+ - "meta/main.yaml"
+ - "vars/*"
+
+kinds:
+ - playbook: "**/*.{yml,yaml}"
+
+skip_list:
+ - "command-shell"
+ - "experimental"
+ - "git-latest"
+ - "no-changed-when"
+ - "no-handler"
+ - "name[casing]"
+ - "name[template]"
+ - "risky-file-permissions"
+ - "schema[playbook]"
+ - "var-naming[no-role-prefix]"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..904cae8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.ansible
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..fdb0b13
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,18 @@
+---
+
+# gitLab ci stages
+stages:
+
+ # deployment
+ - "gitleaks"
+ - "linting"
+ - "deployment"
+
+
+# include jobs
+include:
+
+ # deployment
+ - local: ".gitlab/gitleaks.yaml"
+ - local: ".gitlab/linting.yaml"
+ - local: ".gitlab/deployment.yaml"
diff --git a/.gitlab/deployment.yaml b/.gitlab/deployment.yaml
new file mode 100644
index 0000000..eab31d5
--- /dev/null
+++ b/.gitlab/deployment.yaml
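Review bot: The `skip_list` in .ansible-lint disables `risky-file-permissions` for the whole role, which is the rule that flags file-creating tasks that set no explicit mode; this role writes a config file that carries a database password, so that check is worth keeping. I would remove the `- "risky-file-permissions"` entry and, where a single task really needs an exception, put `# noqa: risky-file-permissions` on that task instead. `defaults/main.yaml` is also listed under `exclude_paths`, so the file that holds the password default is never linted.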
@@ -0,0 +1,32 @@
+---
+# deploy ansible/roles/common code
+deployment:
+ stage: "deployment"
+ image:
+ name: "cr.simoncor.net/siempie/ssh-client:v25.06.03"
+ entrypoint: ["/bin/sh", "-c"]
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # prepare ssh
+ before_script:
+
+ # prepare ssh
+ - |
+ # prepare ssh
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+ echo "$SSH_CONFIG" > ~/.ssh/config
+ echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ # deployment commands
+ script:
+
+ - |
+ # install ansible roles dependancies
+ ssh $SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER \
+ "sudo /usr/local/bin/ansible-galaxy install -r /etc/ansible/roles/requirements.yaml --force"
diff --git a/.gitlab/gitleaks.yaml b/.gitlab/gitleaks.yaml
new file mode 100644
index 0000000..e2b3247
--- /dev/null
+++ b/.gitlab/gitleaks.yaml
@@ -0,0 +1,18 @@
+---
+
+# gitleaks
+gitleaks:
+ stage: "gitleaks"
+ image:
+ name: "ghcr.io/gitleaks/gitleaks:latest"
+ variables:
+ GIT_DEPTH: 1
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # start linting
+ script:
+ - "gitleaks detect --source . --verbose --redact --max-decode-depth 1"
diff --git a/.gitlab/linting.yaml b/.gitlab/linting.yaml
new file mode 100644
index 0000000..5361ac6
--- /dev/null
+++ b/.gitlab/linting.yaml
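Review bot: The `before_script` in .gitlab/deployment.yaml never populates `~/.ssh/known_hosts`, so whether the Ansible server's host key is verified depends entirely on what `$SSH_CONFIG` contains, which this diff does not show. If that config relaxes `StrictHostKeyChecking`, the job would run a `sudo` command on whatever host answers; I would pin the key explicitly with a line such as `echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts` (variable name is a placeholder for a protected CI variable). The private key is also written before `chmod 600` is applied, so a `umask 077` at the top of the block would create it with tight permissions from the start. Quoting the target as `"$SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER"` avoids word splitting if either variable is empty or malformed.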
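Review bot: In .gitlab/gitleaks.yaml, `GIT_DEPTH: 1` gives `gitleaks detect` a single commit of history, so a secret added and then removed within the same multi-commit push would not be in the scanned history. Setting `GIT_DEPTH: "0"` fetches the full history for the scan. The image is pulled as `ghcr.io/gitleaks/gitleaks:latest`, unlike the version-tagged images in the other jobs; pinning it to a fixed tag or digest keeps the scanner itself reproducible. The `rules` block also limits the job to pushes on the default branch, which means the scan runs only after the commit has landed there; the same rule is used in linting.yaml.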
@@ -0,0 +1,30 @@
+---
+
+# linting
+ansible-lint:
+ stage: "linting"
+ image: "docker.io/pipelinecomponents/ansible-lint:0.79.0"
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ # start linting
+ script:
+ - "ansible-lint -c .ansible-lint ."
+
+# yamllint
+yamllint:
+ stage: "linting"
+ image: "registry.gitlab.com/pipeline-components/yamllint:0.35.0"
+ rules:
+
+ # run only on push to default branch
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+ - when: "never"
+
+ script:
+
+ # run yamllint
+ - "yamllint ."
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..f11bd84
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,30 @@
+---
+extends: 'default'
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ forbid: true
+ comments:
+ min-spaces-from-content: 1
+ comments-indentation: false
+ empty-lines:
+ max: 2
+ indentation:
+ spaces: 2
+ check-multi-line-strings: true
+ line-length:
+ max: 120
+ allow-non-breakable-words: true
+ allow-non-breakable-inline-mappings: true
+ new-line-at-end-of-file: 'enable'
+ octal-values:
+ forbid-implicit-octal: true
+ forbid-explicit-octal: true
+ truthy:
+ allowed-values:
+ - 'true'
+ - 'false'
+ quoted-strings:
+ quote-type: 'any'
+ required: true
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..655c726
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+# Overview
+
+This role the opinionated installation and configuration of a Zabbix Server.
+
+## Supported Operating Systems
+
+| Operating System | Version |
+| --- | ----- |
+| Debian | 12 |
+
+## Variables
+
+| Variable | Type | Default | Required |
+| --- | --- | --- | --- |
+| zabbix_server_db_name | string | `zabbix` | No |
+| zabbix_server_db_user | string | `zabbix` | No |
+| zabbix_server_db_pass | string(enc) | `zabbixpass` | No |
+
+## Example usage
+
+```yaml
+zabbix_server_db_name: "zabbix"
+zabbix_server_db_user: "zabbix"
+zabbix_server_db_pass: !vault
+ $ANSIBLE_VAULT;1.1;AES256
+ 31633463613336373164373333633038393164383835646633303163316665303934646363383530
+ ...
+```
+
+```
diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..bb067c7
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,9 @@
+---
+
+# zabbix_version
+zabbix_major_version: "7.2"
+
+# zabbix server
+zabbix_server_db_name: "zabbix"
+zabbix_server_db_user: "zabbix"
+zabbix_server_db_pass: "zabbixpass"
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..adb44a9
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,8 @@
+---
+
+# zabbix server
+- name: "restart zabbix-server"
+ ansible.builtin.service:
+ name: "zabbix-server"
+ state: "restarted"
+ enabled: true
diff --git a/meta/main.yaml b/meta/main.yaml
new file mode 100644
index 0000000..b1b81fc
--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,8 @@
+---
+
+galaxy_info:
+ author: "siempie"
+ description: "install and configure a Zabbix Server"
+ license: "MIT"
+ role_name: "zabbix_server"
+dependencies: []
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..da8f5e1
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [ "local>cicd/renovate" ],
+ "ansible": {
+ "fileMatch": [ "(.*).ya?ml$" ]
+ }
+}
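Review bot: defaults/main.yaml ships a working database password, `zabbix_server_db_pass: "zabbixpass"`, and the README marks the variable as not required, so any inventory that forgets to override it deploys a server with a publicly known credential. I would remove the usable default and make the role fail when the value is missing, for example `zabbix_server_db_pass: "{{ undef(hint='set zabbix_server_db_pass from vault') }}"`, and change the README's "Required" column to Yes. Because .ansible-lint excludes this file, no lint job will look at it either.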
diff --git a/tasks/config.yaml b/tasks/config.yaml
new file mode 100644
index 0000000..49e83d9
--- /dev/null
+++ b/tasks/config.yaml
@@ -0,0 +1,11 @@
+---
+
+# config server
+- name: "config server"
+ ansible.builtin.template:
+ src: "templates/zabbix/server/zabbix_server.conf.j2"
+ dest: "/etc/zabbix/zabbix_server.conf"
+ owner: "root"
+ group: "root"
+ mode: "0664"
+ notify: "restart zabbix-server"
diff --git a/tasks/install.yaml b/tasks/install.yaml
new file mode 100644
index 0000000..6fdcb4f
--- /dev/null
+++ b/tasks/install.yaml
@@ -0,0 +1,31 @@
+---
+
+# install zabbix-server
+- name: "install zabbix-server"
+ when: "zabbix_major_version not in zabbix_current_version.stdout"
+ block:
+
+ # install repository - debian
+ - name: "install repository"
+ when: 'ansible_os_family == "Debian"'
+ block:
+
+ # remove old server
+ - name: "remove old server"
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: "absent"
+ loop:
+ - "zabbix-server-mysql"
+ - "zabbix-sql-scripts"
+
+ # install agent
+ - name: "install agent"
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: "present"
+ update_cache: true
+ when: 'ansible_os_family == "Debian"'
+ loop:
+ - "zabbix-server-mysql"
+ - "zabbix-sql-scripts"
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..f59b431
--- /dev/null
+++ b/tasks/main.yaml
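Review bot: The template task in tasks/config.yaml deploys `/etc/zabbix/zabbix_server.conf` as `root:root` with `mode: "0664"`, and the template renders `DBPassword=` into that file, so every local account can read the database password. Something like `group: "zabbix"` with `mode: "0640"` would keep it readable by the daemon only (the group name is assumed from the package and should be confirmed), and `no_log: true` on the task would keep the rendered password out of `--diff` output. Separately, `src` points at `templates/zabbix/server/zabbix_server.conf.j2`, while this commit adds the template at `templates/zabbix/zabbix_server.conf.j2`, so the task will likely fail to find its source as committed.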
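Review bot: Nothing in the "install repository" block of tasks/install.yaml configures a Zabbix apt source or its signing key, so the `state: "present"` task installs `zabbix-server-mysql` from whichever repositories the host already trusts, and `zabbix_major_version` only decides whether the block runs, not which version arrives. Unless another role sets that up, I would add the repository and key here (or pin the package version) so the installed build matches the declared major version. The task names "install repository" and "install agent" do not match what the tasks do; `# remove and reinstall server packages` and `name: "install server"` would describe them accurately. The inner `when: 'ansible_os_family == "Debian"'` on the install task repeats the condition already set on the enclosing block.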
@@ -0,0 +1,31 @@
+---
+
+# load variables and collect version information
+- name: "include vars and collect versions"
+ tags:
+ - "zabbix_agent_install"
+ - "zabbix_agent_config"
+ block:
+
+ # collect zabbix-agent2 version information
+ - name: "collect version information"
+ ansible.builtin.shell:
+ cmd: "zabbix_agent2 --version | head -n 1"
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+ register: "zabbix_current_version"
+
+
+# zabbix-agent install
+- name: "zabbix-agent install"
+ ansible.builtin.import_tasks: "install.yaml"
+ tags:
+ - "zabbix_agent_install"
+
+
+# zabbix-agent config
+- name: "zabbix-agent config"
+ ansible.builtin.import_tasks: "config.yaml"
+ tags:
+ - "zabbix_agent_config"
diff --git a/templates/zabbix/zabbix_server.conf.j2 b/templates/zabbix/zabbix_server.conf.j2
new file mode 100644
index 0000000..1b8741c
--- /dev/null
+++ b/templates/zabbix/zabbix_server.conf.j2
@@ -0,0 +1,41 @@
+# general
+ListenPort=10051
+LogType=system
+DebugLevel=1
+PidFile=/var/run/zabbix/zabbix_server.pid
+
+# database
+DBHost=127.0.0.1
+DBPort=3306
+DBName={{ zabbix_server_db_name }}
+DBUser={{ zabbix_server_db_user }}
+DBPassword={{ zabbix_server_db_pass }}
+DBSocket=/var/run/mysqld/mysqld.sock
+
+# poller parameters
+StartPollers=10
+StartPollersUnreachable=10
+StartTrappers=10
+StartPingers=5
+StartDiscoverers=5
+StartHTTPPollers=5
+StartTimers=5
+
+# other parameters
+HousekeepingFrequency=1
+MaxHousekeeperDelete=10000
+CacheSize=64M
+CacheUpdateFrequency=90
+StartDBSyncers=30
+HistoryCacheSize=64M
+TrendCacheSize=32M
+ValueCacheSize=32M
+Timeout=15
+UnreachablePeriod=30
+UnavailableDelay=30
+UnreachableDelay=10
+LogSlowQueries=1000
+
+# locations
+FpingLocation=/usr/bin/fping
+Fping6Location=/usr/bin/fping6
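Review bot: The version probe in tasks/main.yaml runs `zabbix_agent2 --version`, but install.yaml uses its output to decide whether to remove and reinstall `zabbix-server-mysql`. On a host with no agent2 binary the failure is suppressed by `failed_when: false`, stdout is empty, and the `not in` test is true on every run, so each run would uninstall and reinstall the server packages; the same happens when the agent's version differs from `zabbix_major_version`. I would probe the server instead, e.g. `cmd: "zabbix_server --version | head -n 1"` (binary name and PATH to be confirmed on Debian 12), and rename the `zabbix_agent_*` tags and task names to `zabbix_server_*`. `ignore_errors: true` is redundant next to `failed_when: false` and can be dropped.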