diff --git a/defaults/main.yml b/defaults/main.yml index 4e88e25..61df425 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,3 +5,36 @@ zabbix_repo_version: '4.0' zabbix_agent_ubuntu_repo: 'https://repo.zabbix.com/zabbix/{{ zabbix_repo_version }}/{{ ansible_distribution | lower }}/pool/main/z/zabbix-release/zabbix-release_{{ zabbix_repo_version }}-2+{{ ansible_distribution_release }}_all.deb' zabbix_agent_centos_repo: 'https://repo.zabbix.com/zabbix/{{ zabbix_repo_version }}/rhel/{{ ansible_distribution_major_version }}/x86_64/zabbix-release-{{ zabbix_repo_version }}-1.el7.noarch.rpm' +zabbix_agent_conf_dir: /etc/zabbix +zabbix_agent_include_conf_dir: '{{ zabbix_agent_conf_dir }}/zabbix_agent.d' +zabbix_agent_log_dir: '/var/log/zabbix' +zabbix_agent_tcp_port: 10050 +zabbix_agent_debuglevel: 3 +# IP used for the outgoing connections +zabbix_agent_source_ip: '{{ ansible_lo.ipv4.address }}' +zabbix_agent_enable_remotecommands: '0' +zabbix_agent_log_remotecommands: '{{ zabbix_agent_enable_remotecommands }}' +zabbix_agent_listen_ip: '{{ ansible_lo.ipv4.address }}' +# No need to set it to 0 to disable the passive checks, there is a variable to enable/disable the passive checks +zabbix_agent_start_agents: 3 +# enable/disable the passive checks. Also used by the firewall roles. +zabbix_agent_passive_checks_status: 'disabled' +zabbix_agent_hostname: '{{ ansible_fqdn }}' +zabbix_agent_processing_timeout: 3 + +zabbix_agent_firewalld_services: + - { service: 'zabbix-agent', state: '{{ zabbix_agent_passive_checks_status }}', zone: '{{ firewalld_default_zone }}' } + +# CIDR, separate by comma +# This is the list of servers that can submit passive checks +zabbix_server_allowed_hosts: '127.0.0.1' +# This is the list of servers to which the agent sends the active checks +zabbix_server_active_hosts: '{{ zabbix_server_allowed_hosts }}' + +# Only PSK is supported for the time being +zabbix_authentication_method: 'psk' +# Define it in a vault file +# zabbix_psk_identity: '' +# zabbix_psk_string: '' +zabbix_agent_psk_file: '{{ zabbix_agent_conf_dir }}/zabbix_agentd.psk' + diff --git a/handlers/main.yml b/handlers/main.yml index 7a4b4dd..aa142dd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,3 @@ --- -# handlers file for zabbix-agent \ No newline at end of file +- name: restart zabbix-agent + service: name=zabbix-agent state=started enabled=yes diff --git a/tasks/main.yml b/tasks/main.yml index d8be42a..7109623 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -7,3 +7,29 @@ when: - ansible_distribution_file_variety == "RedHat" - zabbix_agent_install | bool +- import_tasks: zabbix-agent_firewalld_rules.yml + when: + - ansible_distribution_file_variety == "RedHat" + - zabbix_agent_install | bool + +- name: Manage the Zabbix agent configuration + block: + - name: Install the zabbix agent configuration file + template: src=zabbix_agentd.conf.j2 dest={{ zabbix_agent_conf_dir }}/zabbix_agentd.conf owner=root group=zabbix mode=0440 + notify: restart zabbix-agent + + - name: Install the zabbix PSK file + template: src=zabbix_agentd.psk.j2 dest={{ zabbix_agent_psk_file }} owner=root group=zabbix mode=0440 + notify: restart zabbix-agent + when: zabbix_authentication_method == "psk" + + when: zabbix_agent_install | bool + tags: [ 'zabbix', 'zabbix_agent', 'zabbix_agent_conf' ] + +- name: Manage the Zabbix agent service + block: + - name: Ensure that the zabbix agent service is running and enabled + service: name=zabbix-agent state=started enabled=yes + + when: zabbix_agent_install | bool + tags: [ 'zabbix', 'zabbix_agent', 'zabbix_agent_conf' ] diff --git a/tasks/zabbix-agent_firewalld_rules.yml b/tasks/zabbix-agent_firewalld_rules.yml new file mode 100644 index 0000000..094e955 --- /dev/null +++ b/tasks/zabbix-agent_firewalld_rules.yml @@ -0,0 +1,8 @@ +--- +- name: Manage the zabbix agent firewalld rules + block: + - name: Manage the zabbix agent firewall services + firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True + with_items: '{{ zabbix_agent_firewalld_services }}' + + tags: [ zabbix', 'zabbix_agent', 'firewall', 'firewalld', 'iptables', 'iptables_rules' ] diff --git a/templates/zabbix_agentd.conf.j2 b/templates/zabbix_agentd.conf.j2 new file mode 100644 index 0000000..3c9a012 --- /dev/null +++ b/templates/zabbix_agentd.conf.j2 @@ -0,0 +1,495 @@ +# This is a configuration file for Zabbix agent daemon (Unix) +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agentd.pid + +PidFile=/var/run/zabbix/zabbix_agentd.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile={{ zabbix_agent_log_dir }}/zabbix_agentd.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 +# +# The packages install a logrotate directive, so stick to 0 + +LogFileSize=0 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 +DebugLevel={{ zabbix_agent_debuglevel }} + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= +SourceIP={{ zabbix_agent_source_ip }} +### Option: EnableRemoteCommands +# Whether remote commands from Zabbix server are allowed. +# 0 - not allowed +# 1 - allowed +# +# Mandatory: no +# Default: +# EnableRemoteCommands=0 +EnableRemoteCommands={{ zabbix_agent_enable_remotecommands }} + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 +LogRemoteCommands={{ zabbix_agent_log_remotecommands }} + +##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: yes, if StartAgents is not explicitly set to 0 +# Default: +# Server= + +{% if zabbix_agent_passive_checks_status == "enabled" %} +Server=127.0.0.1,{{ zabbix_server_allowed_hosts }} +{% else %} +Server=127.0.0.1 +{% endif %} + +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 +ListenPort={{ zabbix_agent_tcp_port }} + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. +# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 +ListenIP={{ zabbix_agent_listen_ip }} + +### Option: StartAgents +# Number of pre-forked instances of zabbix_agentd that process passive checks. +# If set to 0, disables passive checks and the agent will not listen on any TCP port. +# +# Mandatory: no +# Range: 0-100 +# Default: +# StartAgents=3 +{% if zabbix_agent_passive_checks_status == "enabled" %} +StartAgents={{ zabbix_agent_start_agents}} +{% else %} +StartAgents=0 +{% endif %} + +##### Active checks related + +### Option: ServerActive +# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. +# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# +# Mandatory: no +# Default: +# ServerActive= + +ServerActive={{ zabbix_server_active_hosts }} + +### Option: Hostname +# Unique, case sensitive hostname. +# Required for active checks and must match hostname as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +Hostname={{ zabbix_agent_hostname }} + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostMetadata= +{% if zabbix_authentication_method == "psk" %} +HostMetadata={{ ansible_system }} {{ zabbix_psk_string }} +{% else %} +HostMetadata={{ ansible_system }} +{% endif %} + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostMetadata is not defined. +# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 60-3600 +# Default: +# RefreshActiveChecks=120 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=100 + +### Option: MaxLinesPerSecond +# Maximum number of new lines the agent will send per second to Zabbix Server +# or Proxy processing 'log' and 'logrt' active checks. +# The provided value will be overridden by the parameter 'maxlines', +# provided in 'log' or 'logrt' item keys. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# MaxLinesPerSecond=20 + +############ ADVANCED PARAMETERS ################# + +### Option: Alias +# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. +# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. +# Different Alias keys may reference the same item key. +# For example, to retrieve the ID of user 'zabbix': +# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] +# Now shorthand key zabbix.userid may be used to retrieve data. +# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. +# +# Mandatory: no +# Range: +# Default: + +### Option: Timeout +# Spend no more than Timeout seconds on processing +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 +Timeout={{ zabbix_agent_processing_timeout }} + +### Option: AllowRoot +# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent +# will try to switch to the user specified by the User configuration option instead. +# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. +# +# Mandatory: no +# Default: +User=zabbix + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +Include={{ zabbix_agent_include_conf_dir }}/*.conf + +# Include=/usr/local/etc/zabbix_agentd.userparams.conf +# Include=/usr/local/etc/zabbix_agentd.conf.d/ +# Include=/usr/local/etc/zabbix_agentd.conf.d/*.conf + +####### USER-DEFINED MONITORED PARAMETERS ####### + +### Option: UnsafeUserParameters +# Allow all characters to be passed in arguments to user-defined parameters. +# The following characters are not allowed: +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ +# Additionally, newline characters are not allowed. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Range: 0-1 +# Default: +UnsafeUserParameters=0 + +### Option: UserParameter +# User-defined parameter to monitor. There can be several user-defined parameters. +# Format: UserParameter=, +# See 'zabbix_agentd' directory for examples. +# +# Mandatory: no +# Default: +# UserParameter= + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of agent modules. +# Default depends on compilation options. +# To see the default path run command "zabbix_agentd --help". +# +# Mandatory: no +# Default: +# LoadModulePath=${libdir}/modules + +### Option: LoadModule +# Module to load at agent startup. Modules are used to extend functionality of the agent. +# Formats: +# LoadModule= +# LoadModule= +# LoadModule= +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. +# It is allowed to include multiple LoadModule parameters. +# +# Mandatory: no +# Default: +# LoadModule= + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the agent should connect to server or proxy. Used for active checks. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted +TLSConnect={{ zabbix_authentication_method }} + +### Option: TLSAccept +# What incoming connections to accept. +# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted +TLSAccept={{ zabbix_authentication_method }} + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. +# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the agent certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the agent private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= +{% if zabbix_authentication_method == "psk" %} +TLSPSKIdentity={{ zabbix_psk_identity }} + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKFile= +TLSPSKFile={{ zabbix_agent_psk_file }} +{% endif %} +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= diff --git a/templates/zabbix_agentd.psk.j2 b/templates/zabbix_agentd.psk.j2 new file mode 100644 index 0000000..2993e32 --- /dev/null +++ b/templates/zabbix_agentd.psk.j2 @@ -0,0 +1 @@ +{{ zabbix_psk_string }}