feat: initial commit

.ansible-lint

@@ -0,0 +1,23 @@
+---
+
+exclude_paths:
+  - ".gitlab/*"
+  - ".gitlab-ci.yml"
+  - "defaults/main.yaml"
+  - "meta/main.yaml"
+  - "vars/*"
+
+kinds:
+  - playbook: "**/*.{yml,yaml}"
+
+skip_list:
+  - "command-shell"
+  - "experimental"
+  - "git-latest"
+  - "no-changed-when"
+  - "no-handler"
+  - "name[casing]"
+  - "name[template]"
+  - "risky-file-permissions"
+  - "schema[playbook]"
+  - "var-naming[no-role-prefix]"

.gitignore

@@ -0,0 +1 @@
+.ansible

.gitlab-ci.yml

@@ -0,0 +1,18 @@
+---
+
+# gitLab ci stages
+stages:
+
+  # deployment
+  - "gitleaks"
+  - "linting"
+  - "deployment"
+
+
+# include jobs
+include:
+
+  # deployment
+  - local: ".gitlab/gitleaks.yaml"
+  - local: ".gitlab/linting.yaml"
+  - local: ".gitlab/deployment.yaml"

.gitlab/deployment.yaml

@@ -0,0 +1,32 @@
+---
+# deploy ansible/roles/common code
+deployment:
+  stage: "deployment"
+  image:
+    name: "cr.simoncor.net/siempie/ssh-client:v25.06.03"
+    entrypoint: ["/bin/sh", "-c"]
+  rules:
+
+    # run only on push to default branch
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  # prepare ssh
+  before_script:
+
+    # prepare ssh
+    - |
+        # prepare ssh
+        mkdir -p ~/.ssh
+        chmod 700 ~/.ssh
+        echo "$SSH_CONFIG" > ~/.ssh/config
+        echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+
+  # deployment commands
+  script:
+
+    - |
+        # install ansible roles dependancies
+        ssh $SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER \
+        "sudo /usr/local/bin/ansible-galaxy install -r /etc/ansible/roles/requirements.yaml --force"

.gitlab/gitleaks.yaml

@@ -0,0 +1,18 @@
+---
+
+# gitleaks
+gitleaks:
+  stage: "gitleaks"
+  image:
+    name: "ghcr.io/gitleaks/gitleaks:latest"
+  variables:
+    GIT_DEPTH: 1
+  rules:
+
+    # run only on push to default branch
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  # start linting
+  script:
+    - "gitleaks detect --source . --verbose --redact --max-decode-depth 1"

.gitlab/linting.yaml

@@ -0,0 +1,30 @@
+---
+
+# linting
+ansible-lint:
+  stage: "linting"
+  image: "docker.io/pipelinecomponents/ansible-lint:0.79.0"
+  rules:
+
+    # run only on push to default branch
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  # start linting
+  script:
+    - "ansible-lint -c .ansible-lint ."
+
+# yamllint
+yamllint:
+  stage: "linting"
+  image: "registry.gitlab.com/pipeline-components/yamllint:0.35.0"
+  rules:
+
+    # run only on push to default branch
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  script:
+
+    # run yamllint
+    - "yamllint ."

.yamllint

@@ -0,0 +1,30 @@
+---
+extends: 'default'
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    forbid: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  empty-lines:
+    max: 2
+  indentation:
+    spaces: 2
+    check-multi-line-strings: true
+  line-length:
+    max: 120
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  new-line-at-end-of-file: 'enable'
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  truthy:
+    allowed-values:
+      - 'true'
+      - 'false'
+  quoted-strings:
+    quote-type: 'any'
+    required: true

README.md

@@ -0,0 +1,32 @@
+# Overview
+
+This role the opinionated installation and configuration of a Zabbix Web Server.
+
+## Supported Operating Systems
+
+| Operating System | Version |
+| --- | ----- |
+| Debian | 12 |
+
+## Variables
+
+| Variable | Type | Default | Required |
+| --- | --- | --- | --- |
+| zabbix_web_name | string | `Siempie's Monitoring` | No |
+| zabbix_server_db_name | string | `zabbix` | No |
+| zabbix_server_db_user | string | `zabbix` | No |
+| zabbix_server_db_pass | string(enc) | `zabbixpass` | No |
+
+## Example usage
+
+```yaml
+zabbix_web_name: "Zabbix Monitoring"
+zabbix_server_db_name: "zabbix"
+zabbix_server_db_user: "zabbix"
+zabbix_server_db_pass: !vault
+  $ANSIBLE_VAULT;1.1;AES256
+  31633463613336373164373333633038393164383835646633303163316665303934646363383530
+  ...
+```
+
+```

defaults/main.yaml

@@ -0,0 +1,10 @@
+---
+
+# zabbix_version
+zabbix_major_version: "7.2"
+
+# zabbix web
+zabbix_web_name: "Siempie's Monitoring"
+zabbix_server_db_name: "zabbix"
+zabbix_server_db_user: "zabbix"
+zabbix_server_db_pass: "zabbixpass"

meta/main.yaml

@@ -0,0 +1,8 @@
+---
+
+galaxy_info:
+  author: "siempie"
+  description: "install and configure a Zabbix Web server"
+  license: "MIT"
+  role_name: "zabbix_web"
+dependencies: []

renovate.json

@@ -0,0 +1,7 @@
+{ 
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [ "local>cicd/renovate" ],
+  "ansible": {
+    "fileMatch": [ "(.*).ya?ml$" ]
+  }
+}

tasks/config.yaml

@@ -0,0 +1,19 @@
+---
+
+# config zabbix-web-server
+- name: "config zabbix-web-server"
+  ansible.builtin.template:
+    src: "templates/zabbix/zabbix.conf.php.j2"
+    dest: "/etc/zabbix/web/zabbix.conf.php"
+    owner: "www-data"
+    group: "www-data"
+    mode: "0600"
+
+# configure branding
+- name: "configure branding"
+  ansible.builtin.template:
+    src: "templates/zabbix/brand.conf.php.j2"
+    dest: "/usr/share/zabbix/local/conf/brand.conf.php"
+    owner: "root"
+    group: "root"
+    mode: "0664"

tasks/install.yaml

@@ -0,0 +1,11 @@
+---
+
+# install zabbix-web-server
+- name: "install zabbix-web-server"
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: "present"
+    update_cache: true
+  with_items:
+    - "zabbix-frontend-php"
+    - "zabbix-apache-conf"

tasks/main.yaml

@@ -0,0 +1,9 @@
+---
+
+# zabbix-web-server install
+- name: "zabbix-web-server install"
+  ansible.builtin.import_tasks: "install.yaml"
+
+# zabbix-web-server config
+- name: "zabbix-web-server config"
+  ansible.builtin.import_tasks: "config.yaml"

templates/zabbix/brand.conf.php.j2

@@ -0,0 +1 @@
+<?php return [];

templates/zabbix/zabbix.conf.php.j2

@@ -0,0 +1,24 @@
+<?php
+
+// zabbix settings
+$ZBX_SERVER_NAME  		= '{{ zabbix_web_name }}';
+$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
+
+// database - general
+$DB['TYPE']			= 'MYSQL';
+$DB['SERVER']	  = 'localhost';
+$DB['PORT']			= '0';
+$DB['DATABASE']	= '{{ zabbix_server_db_name }}';
+$DB['USER']			= '{{ zabbix_server_db_user }}';
+$DB['PASSWORD']	= '{{ zabbix_server_db_pass }}';
+
+// database - tls
+$DB['ENCRYPTION']	 = false;
+$DB['KEY_FILE']		 = '';
+$DB['CERT_FILE']	 = '';
+$DB['CA_FILE']		 = '';
+$DB['VERIFY_HOST'] = false;
+$DB['CIPHER_LIST'] = '';
+
+// database - other
+$DB['DOUBLE_IEEE754']	= true;