ansible – zabbix server playbook

---
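- name: httpd installation & preparation
  hosts: zabbix
  become: true

  tasks:
  # httpd plus mod_ssl so the vhost configured in the zabbix play can serve TLS.
  - name: httpd and mod_ssl installation
    ansible.builtin.dnf:
      name:
      - httpd
      - mod_ssl
      state: latest
  # Open http and https in both the runtime and the permanent firewalld
  # configuration; booleans are written as true/false, not yes/no, so they
  # parse the same under YAML 1.1 and 1.2.
  - name: firewalld - http and https services enable
    ansible.builtin.firewalld:
      service: "{{ item }}"
      permanent: true
      immediate: true
      state: enabled
    loop:
    - http
    - https
  # Debian-style vhost layout; sites-enabled is included from httpd.conf below.
  - name: sites-available and sites-enabled directories create
    ansible.builtin.file:
      path: "/etc/httpd/{{ item }}"
      state: directory
      owner: root
      group: root
      mode: "0755"
    loop:
    - sites-available
    - sites-enabled
  - name: sites-enabled add to the httpd configuration
    ansible.builtin.lineinfile:
      path: /etc/httpd/conf/httpd.conf
      insertafter: EOF
      line: 'Include /etc/httpd/sites-enabled'
      state: present
  # Enable at boot and start now in a single systemd call.
  - name: httpd service enable and start
    ansible.builtin.systemd:
      name: httpd
      enabled: true
      state: started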

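- name: fail2ban installation & configuration
  hosts: zabbix
  become: true

  tasks:
  - name: fail2ban installation
    ansible.builtin.dnf:
      name: fail2ban
      state: latest
  # Both jail drop-ins come from the same template directory. They are
  # root-owned and not writable by anyone else, and a restart is only
  # triggered when a jail file actually changed (handler below) instead of
  # on every run.
  - name: fail2ban sshd and httpd jails configuration
    ansible.builtin.copy:
      src: "/etc/ansible/templates/fail2ban/{{ item }}"
      dest: "/etc/fail2ban/jail.d/{{ item }}"
      owner: root
      group: root
      mode: "0644"
      backup: true
    loop:
    - sshd.local
    - httpd.local
    notify: fail2ban service restart
  # Ensures the service is running on the first run as well, where the
  # original unconditional restart used to do that job.
  - name: fail2ban service enable and start
    ansible.builtin.systemd:
      name: fail2ban
      enabled: true
      state: started

  handlers:
  - name: fail2ban service restart
    ansible.builtin.systemd:
      name: fail2ban
      state: restarted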

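# Play name made distinct from the php configuration play that follows, so
# the two can be told apart in play output and with --list-tasks.
- name: php 8 installation
  hosts: zabbix
  become: true

  tasks:
  # php-fpm itself is installed and tuned in the next play.
  - name: php 8 installation
    ansible.builtin.dnf:
      name: php
      state: present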

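- name: php 8 configuration
  hosts: zabbix
  become: true

  tasks:
  - name: php-fpm module installation
    ansible.builtin.dnf:
      name: php-fpm
      state: latest
  # php.ini tuning for the Zabbix frontend, driven by one loop. The regexp
  # matches the option whether it is currently commented out (";") or not,
  # so re-runs update the existing line in place instead of relying on an
  # exact-line match. memory_limit carries an explicit M suffix: PHP reads a
  # bare "1024" as 1024 bytes, which would break the frontend.
  - name: php.ini settings for the zabbix frontend set
    ansible.builtin.lineinfile:
      path: /etc/php.ini
      regexp: '^;?\s*{{ item.option }}\s*='
      line: "{{ item.option }} = {{ item.value }}"
      state: present
    loop:
    - { option: post_max_size, value: "512M" }
    - { option: upload_max_filesize, value: "512M" }
    - { option: max_input_vars, value: "5000" }
    - { option: memory_limit, value: "1024M" }
    notify: php services restart
  # php-fpm is the process that actually loads php.ini on this host (it is
  # restarted alongside httpd in the zabbix play), so make sure it is
  # enabled and running.
  - name: php-fpm service enable and start
    ansible.builtin.systemd:
      name: php-fpm
      enabled: true
      state: started

  handlers:
  # Restarting httpd alone does not re-read php.ini; php-fpm must go too.
  - name: php services restart
    ansible.builtin.systemd:
      name: "{{ item }}"
      state: restarted
    loop:
    - php-fpm
    - httpd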

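- name: mariadb installation & configuration
  hosts: zabbix
  become: true

  tasks:
  # Repository definition is shipped as a static file from the control node.
  - name: mariadb 10.11 repository add
    ansible.builtin.copy:
      src: /etc/ansible/templates/yum.repos.d/mariadb.repo
      dest: /etc/yum.repos.d/mariadb.repo
      owner: root
      group: root
      mode: "0644"
  - name: autoremove unneeded packages installed as dependencies
    ansible.builtin.dnf:
      autoremove: true
  # Full system update before the server is installed from the new repo.
  - name: update packages
    ansible.builtin.dnf:
      name: "*"
      state: latest
  - name: mariadb installation
    ansible.builtin.dnf:
      name: mariadb-server
      state: latest
  # Required by the community.mysql modules used in the following plays.
  - name: python3-PyMySQL installation
    ansible.builtin.dnf:
      name: python3-PyMySQL
      state: present
  # Enable and start in one step. No unconditional restart here: the
  # configuration drop-in in the next play restarts the service when it
  # changes.
  - name: mariadb service enable and start
    ansible.builtin.systemd:
      name: mariadb
      enabled: true
      state: started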

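- name: mariadb secure installation & configuration
  hosts: zabbix
  become: true

  tasks:
  # Equivalent of the anonymous-user and test-database steps of
  # mysql_secure_installation. check_implicit_admin lets the module log in
  # as root over the unix socket before any root password exists.
  # host_all covers the localhost entry as well, so a separate task for
  # ''@localhost is not needed.
  # NOTE(review): remote root accounts and the root password are not handled
  # in this play — confirm they are covered elsewhere.
  - name: all anonymous user accounts delete
    community.mysql.mysql_user:
      check_implicit_admin: true
      name: ''
      host_all: true
      state: absent
  - name: test database delete
    community.mysql.mysql_db:
      check_implicit_admin: true
      name: test
      state: absent
  # Tuning drop-in; the service is restarted only when this file changed.
  - name: mariadb optimalisation
    ansible.builtin.copy:
      src: /etc/ansible/templates/mariadb/10_my_tweaks.cnf
      dest: /etc/my.cnf.d/10_my_tweaks.cnf
      owner: root
      group: root
      mode: "0644"
      backup: true
    notify: mariadb service restart

  handlers:
  - name: mariadb service restart
    ansible.builtin.systemd:
      name: mariadb
      state: restarted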

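- name: zabbix installation & configuration
  hosts: zabbix
  become: true

  # Play variables as a mapping (the list-of-one-key-dicts form is accepted
  # but not idiomatic).
  vars:
    dns_hostname: zabbix
    dns_domain: krolaki.eu
    # NOTE(review): a database password does not belong in a plaintext
    # playbook under version control. Keep the real value in an
    # ansible-vault encrypted vars file and reference it from here; the
    # tasks that use it are marked no_log so it does not reach the logs.
    mariadb_database_password: superStrongPassword

  tasks:
  - name: ssl certificate to the target server copy
    ansible.builtin.copy:
      src: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
      dest: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
      owner: root
      group: root
      mode: "0644"
    notify: web services restart
  # The private key must not be world-readable. httpd opens it as root at
  # start-up, so root:root 0600 is sufficient.
  - name: ssl key to the target server copy
    ansible.builtin.copy:
      src: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
      dest: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
      owner: root
      group: root
      mode: "0600"
    notify: web services restart
  - name: vhost configuration
    ansible.builtin.template:
      src: /etc/ansible/templates/httpd/sites-available/zabbix.conf.j2
      dest: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
      owner: root
      group: root
      mode: "0644"
    notify: web services restart
  - name: vhost enable
    ansible.builtin.file:
      src: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
      dest: "/etc/httpd/sites-enabled/{{ dns_hostname }}.conf"
      owner: root
      group: root
      state: link
    notify: web services restart
  # NOTE(review): rpm_key also takes a fingerprint parameter; pinning the
  # expected fingerprint of the Zabbix signing key (from the vendor's
  # documentation) would make a tampered download fail here rather than be
  # trusted. The value is not on file in this playbook, so it is left
  # unpinned.
  - name: zabbix repository gpg installation
    ansible.builtin.rpm_key:
      state: present
      key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
  # A package given by URL is installed with state=present; "latest" has no
  # meaning for a URL and only re-fetches the RPM on every run.
  - name: zabbix repository installation
    ansible.builtin.dnf:
      name: https://repo.zabbix.com/zabbix/6.0/rhel/9/x86_64/zabbix-release-6.0-4.el9.noarch.rpm
      state: present
  # Keep the vendor packages from being replaced by EPEL's builds.
  - name: exclude zabbix packages from epel
    ansible.builtin.lineinfile:
      path: /etc/yum.repos.d/epel.repo
      line: 'excludepkgs=zabbix*'
      insertbefore: '^(\[epel-debuginfo\])'
  - name: packages update
    ansible.builtin.dnf:
      name: "*"
      state: latest
  - name: unneeded packages remove
    ansible.builtin.dnf:
      autoremove: true
  # zabbix-apache-conf drops an httpd configuration, hence the web restart.
  - name: zabbix installation
    ansible.builtin.dnf:
      name:
      - zabbix-server-mysql
      - zabbix-web-mysql
      - zabbix-apache-conf
      - zabbix-sql-scripts
      - zabbix-selinux-policy
      - zabbix-agent2
      state: latest
    notify: web services restart
  # The regexp matches the commented default ("# DBPassword=") as well as an
  # already-set value, so re-runs update the line in place. no_log keeps the
  # password out of task output and logs.
  - name: zabbix server database password configuration
    ansible.builtin.lineinfile:
      path: /etc/zabbix/zabbix_server.conf
      regexp: '^#?\s*DBPassword='
      line: "DBPassword={{ mariadb_database_password }}"
      state: present
    no_log: true
    notify: zabbix services restart
  # utf8mb4/utf8mb4_bin is what the Zabbix schema expects.
  - name: database create
    community.mysql.mysql_db:
      check_implicit_admin: true
      name: "{{ dns_hostname }}"
      encoding: utf8mb4
      collation: utf8mb4_bin
      state: present
    register: zabbix_database
  # Grants are limited to the zabbix database; the default host is localhost.
  - name: database user create
    community.mysql.mysql_user:
      check_implicit_admin: true
      name: "{{ dns_hostname }}"
      password: "{{ mariadb_database_password }}"
      priv: "{{ dns_hostname }}.*:ALL"
      state: present
    no_log: true
  # Importing the schema into an already-populated database fails, so the
  # import runs only in the play run that created the database. Uses the
  # community.mysql collection like the other database tasks instead of the
  # deprecated ansible.builtin redirect.
  - name: mariadb database schema import
    community.mysql.mysql_db:
      name: "{{ dns_hostname }}"
      login_user: "{{ dns_hostname }}"
      login_password: "{{ mariadb_database_password }}"
      state: import
      target: /usr/share/zabbix-sql-scripts/mysql/server.sql.gz
      encoding: utf8mb4
    no_log: true
    when: zabbix_database.changed
  - name: zabbix server worker and cache tuning
    ansible.builtin.blockinfile:
      path: /etc/zabbix/zabbix_server.conf
      insertafter: "EOF"
      block: |
        StartPollers=100
        StartPollersUnreachable=50
        StartPingers=50
        StartTrappers=10
        StartDiscoverers=15
        StartPreprocessors=15
        StartHTTPPollers=5
        StartAlerters=5
        StartTimers=2
        StartEscalators=2
        CacheSize=128M
        HistoryCacheSize=64M
        HistoryIndexCacheSize=32M
        TrendCacheSize=32M
        ValueCacheSize=256M
    notify: zabbix services restart
  # Only the server trapper port (10051/tcp) is exposed. The local agent is
  # configured below with Server=127.0.0.1, so it accepts passive checks
  # from localhost only and 10050/tcp does not need to be opened in the
  # public zone; re-add it here if the agent's Server= list is widened.
  - name: firewalld - port 10051/tcp configuration
    ansible.builtin.firewalld:
      zone: public
      port: 10051/tcp
      permanent: true
      immediate: true
      state: enabled
  # SELinux booleans needed by the frontend and server; one task per boolean
  # had three identical task names in the original.
  - name: zabbix selinux booleans set
    ansible.posix.seboolean:
      name: "{{ item }}"
      state: true
      persistent: true
    loop:
    - httpd_can_connect_zabbix
    - zabbix_can_network
    - daemons_enable_cluster_mode
  # Agent settings driven by one loop; the regexp matches the option whether
  # it is currently commented ("# Option=") or active. The original wrote
  # "HostMetadata==rhel9" (doubled "="), which would have set the metadata
  # value to "=rhel9"; the intended value is taken to be "rhel9".
  - name: zabbix agent 2 configuration
    ansible.builtin.lineinfile:
      path: /etc/zabbix/zabbix_agent2.conf
      regexp: '^#?\s*{{ item.option }}='
      line: "{{ item.option }}={{ item.value }}"
      state: present
    loop:
    - { option: Server, value: "127.0.0.1" }
    - { option: ServerActive, value: "127.0.0.1" }
    - { option: HostMetadata, value: "rhel9" }
    - { option: HostnameItem, value: "system.hostname" }
    notify: zabbix services restart
  - name: zabbix server and agent enable and start
    ansible.builtin.systemd:
      name: "{{ item }}"
      enabled: true
      state: started
    loop:
    - zabbix-server
    - zabbix-agent2
  # Run the notified restarts now, so that any AVC denials raised by the
  # freshly configured services are in the audit log before the local
  # policy modules below are generated from it.
  - name: restart notified services before selinux policy generation
    ansible.builtin.meta: flush_handlers
  # NOTE(review): audit2allow turns every denial recorded for the process
  # into an allow rule, so the generated .te should be reviewed before the
  # module is installed; zabbix-selinux-policy (installed above) already
  # covers the common cases. The pipeline is inherently non-idempotent, and
  # chdir pins where the .pp is written and read from.
  - name: selinux local policy modules for zabbix_server and php-fpm build and load
    ansible.builtin.shell:
      cmd: >-
        ausearch -c '{{ item.process }}' --raw | audit2allow -M {{ item.module }}
        && semodule -X 300 -i {{ item.module }}.pp
      chdir: /root
    loop:
    - { process: zabbix_server, module: my-zabbixserver }
    - { process: php-fpm, module: my-phpfpm }
  # Sums the Start*= worker counts from zabbix_server.conf and adds 150.
  # The original ran this and discarded the output; it is now captured and
  # displayed. NOTE(review): presumably meant as a sizing hint for the
  # database's max_connections — confirm, and feed it into the mariadb
  # tuning if so.
  - name: zabbix server process count compute
    ansible.builtin.shell:
      cmd: grep -E "^Start.+=[0-9]" /etc/zabbix/zabbix_server.conf | awk -F "=" '{s+=$2} END {print s+150}'
    register: zabbix_process_count
    changed_when: false
  - name: zabbix server process count show
    ansible.builtin.debug:
      msg: "zabbix server worker processes + 150: {{ zabbix_process_count.stdout }}"

  handlers:
  - name: web services restart
    ansible.builtin.systemd:
      name: "{{ item }}"
      state: restarted
    loop:
    - httpd
    - php-fpm
  - name: zabbix services restart
    ansible.builtin.systemd:
      name: "{{ item }}"
      state: restarted
    loop:
    - zabbix-server
    - zabbix-agent2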
...
