From 1df77aa74d97d83a24c5087f47e0348559676f59 Mon Sep 17 00:00:00 2001
From: Peter
Date: Mon, 14 Jul 2025 18:32:39 +0200
Subject: [PATCH] install zabbix agent in the baseline

---
 group_vars/all/zabbix.yml | 2 +
 roles/baseline/files/zabbix-sudoers | 1 +
 roles/baseline/handlers/main.yml | 5 +++
 roles/baseline/tasks/main.yml | 3 ++
 roles/baseline/tasks/zabbix.yml | 41 +++++++++++++++++++++
 roles/baseline/templates/zabbix-agent.j2 | 10 +++++
 roles/baseline/templates/zabbix-firewall.j2 | 5 +++
 7 files changed, 67 insertions(+)
 create mode 100644 group_vars/all/zabbix.yml
 create mode 100644 roles/baseline/files/zabbix-sudoers
 create mode 100644 roles/baseline/tasks/zabbix.yml
 create mode 100644 roles/baseline/templates/zabbix-agent.j2
 create mode 100644 roles/baseline/templates/zabbix-firewall.j2

diff --git a/group_vars/all/zabbix.yml b/group_vars/all/zabbix.yml
new file mode 100644
index 0000000..b61ffa4
--- /dev/null
+++ b/group_vars/all/zabbix.yml
@@ -0,0 +1,2 @@
+zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
+zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"
diff --git a/roles/baseline/files/zabbix-sudoers b/roles/baseline/files/zabbix-sudoers
new file mode 100644
index 0000000..266d2d5
--- /dev/null
+++ b/roles/baseline/files/zabbix-sudoers
@@ -0,0 +1 @@
+zabbix ALL=(ALL) NOPASSWD: /usr/sbin/smartctl
diff --git a/roles/baseline/handlers/main.yml b/roles/baseline/handlers/main.yml
index 5ceb761..7fb1494 100644
--- a/roles/baseline/handlers/main.yml
+++ b/roles/baseline/handlers/main.yml
@@ -6,3 +6,8 @@
 ansible.builtin.systemd:
 name: ssh
 state: restarted
+
+- name: Restart zabbix-agent2
+ ansible.builtin.service:
+ name: zabbix-agent2
+ state: restarted
diff --git a/roles/baseline/tasks/main.yml b/roles/baseline/tasks/main.yml
index 3b3a112..b016df3 100644
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
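Review bot: In group_vars/all/zabbix.yml, `zabbix_psk` is defined once for every host, so the whole fleet shares one pre-shared key while only `TLSPSKIdentity` differs per host; disclosure of the key on any single machine then means rotating it everywhere. If the Zabbix server setup allows it, a per-host key (for example a file lookup keyed on `inventory_hostname`) would contain that. The diff also does not show how `passwords/` is protected on the controller, so I would add a comment above the two lines stating where that directory lives and that it is not committed, or move the value into ansible-vault.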
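Review bot: In roles/baseline/files/zabbix-sudoers the rule is wider than the check needs: `(ALL)` allows running smartctl as any user, and with no argument list sudo accepts any smartctl options, while the only caller visible in this commit (the UserParameter in zabbix-agent.j2) runs `smartctl -H /dev/<disk>` as root. I would narrow it to something like `zabbix ALL=(root) NOPASSWD: /usr/sbin/smartctl -H /dev/sd[a-z]`, with the device pattern adjusted to the disks actually in use, or point the rule at a single root-owned wrapper script instead.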
@@ -7,5 +7,8 @@
 - name: Manage root user
 ansible.builtin.import_tasks: rootuser.yml
+- name: Get zabbix agent installed
+ ansible.builtin.import_tasks: zabbix.yml
+
 - name: Ensure handlers have ran
 ansible.builtin.meta: flush_handlers
diff --git a/roles/baseline/tasks/zabbix.yml b/roles/baseline/tasks/zabbix.yml
new file mode 100644
index 0000000..ec2d5e7
--- /dev/null
+++ b/roles/baseline/tasks/zabbix.yml
@@ -0,0 +1,41 @@
+- name: Install zabbix related packages
+ ansible.builtin.apt:
+ pkg:
+ - zabbix-agent2
+ # To monitor our physical disks health, not needed for vm's.
+ - smartmontools
+
+- name: Zabbix firewall
+ ansible.builtin.template:
+ dest: /etc/firewall.d/zabbix
+ group: root
+ owner: root
+ mode: "0755"
+ src: zabbix-firewall.j2
+ notify: Restart firewall
+
+- name: Write psk file
+ ansible.builtin.copy:
+ content: "{{ zabbix_psk }}\n"
+ dest: /etc/zabbix/zabbix.psk
+ group: root
+ owner: root
+ mode: "0644"
+ notify: Restart zabbix-agent2
+
+- name: Zabbix agent config file
+ ansible.builtin.template:
+ dest: /etc/zabbix/zabbix_agent2.d/ansible.conf
+ group: root
+ owner: root
+ mode: "0644"
+ src: zabbix-agent.j2
+ notify: Restart zabbix-agent2
+
+- name: Zabbix sudoers file
+ ansible.builtin.copy:
+ dest: /etc/sudoers.d/zabbix
+ group: root
+ owner: root
+ mode: "0644"
+ src: zabbix-sudoers
diff --git a/roles/baseline/templates/zabbix-agent.j2 b/roles/baseline/templates/zabbix-agent.j2
new file mode 100644
index 0000000..6bc423b
--- /dev/null
+++ b/roles/baseline/templates/zabbix-agent.j2
@@ -0,0 +1,10 @@
+Server={{ zabbix_server }}
+ServerActive=
+
+TLSConnect=psk
+TLSAccept=psk
+TLSPSKFile=/etc/zabbix/zabbix.psk
+TLSPSKIdentity={{ inventory_hostname }}
+
+
+UserParameter=smartctl.health[*],sudo /usr/sbin/smartctl -H /dev/$1 | grep 'overall-health' | awk '{print $NF}'
diff --git a/roles/baseline/templates/zabbix-firewall.j2 b/roles/baseline/templates/zabbix-firewall.j2
new file mode 100644
index 0000000..7681135
--- /dev/null
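Review bot: In roles/baseline/tasks/zabbix.yml the "Write psk file" task leaves /etc/zabbix/zabbix.psk world-readable (`mode: "0644"`, `group: root`), so every local account on the host can read the agent's TLS key. Assuming the package creates a `zabbix` group for the agent, use `group: zabbix` and `mode: "0640"`, and add `no_log: true` so the key does not show up in task output or diffs. Separately, the "Zabbix sudoers file" task copies into /etc/sudoers.d without `validate: /usr/sbin/visudo -cf %s`, so a malformed file would be installed as-is; `mode: "0440"` is also the usual mode there.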
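Review bot: In roles/baseline/templates/zabbix-agent.j2 the `smartctl.health[*]` line substitutes `$1` from the item key straight into a shell pipeline that runs smartctl under sudo, and nothing checks that it is a device name. The only filter is the agent's default rejection of shell metacharacters in flexible user parameters (`UnsafeUserParameters=0`, which this template does not set explicitly), and that is a character blocklist rather than an allowlist of disks. I would move the pipeline into a root-owned script that accepts only names matching a fixed pattern such as `^sd[a-z]+$` and exits otherwise, and reference that script from both the UserParameter and the sudoers rule.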
+++ b/roles/baseline/templates/zabbix-firewall.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Zabbix agent firewall
+
+iptables -A INPUT -p tcp -s {{ zabbix_server }} --dport 10050 -j ACCEPT
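Review bot: `{{ zabbix_server }}` is placed unquoted after `-s`, and the same variable also feeds `Server=` in zabbix-agent.j2, which accepts formats that iptables treats differently: a hostname is resolved by iptables once, when the rule is loaded, so the allowed source would not follow later DNS changes. The value is not visible in this commit, so it may already be a plain address; if so, a comment such as `# zabbix_server must be an IP address or CIDR, not a hostname` next to the variable would record that. The rule is also IPv4-only, so an agent reachable over IPv6 depends on whatever ip6tables policy is set elsewhere.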