---
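# Play: install Apache httpd with mod_ssl, open HTTP/HTTPS in firewalld and
# prepare a sites-available / sites-enabled virtual-host layout.
- name: httpd installation & preparation
  hosts: zabbix
  become: true
  tasks:
    # Both packages go through a single dnf transaction instead of a
    # per-item loop.
    - name: httpd installation
      ansible.builtin.dnf:
        name:
          - httpd
          - mod_ssl
        state: latest

    # firewalld is provided by the ansible.posix collection (already used in
    # this playbook for seboolean); there is no ansible.builtin.firewalld.
    # NOTE(review): plain HTTP is opened alongside HTTPS - confirm the vhost
    # template redirects port 80 to TLS.
    - name: firewalld - http service enable
      ansible.posix.firewalld:
        service: http
        permanent: true
        immediate: true
        state: enabled

    - name: firewalld - https service enable
      ansible.posix.firewalld:
        service: https
        permanent: true
        immediate: true
        state: enabled

    - name: sites-available directory create
      ansible.builtin.file:
        path: /etc/httpd/sites-available
        state: directory
        mode: '0755'

    - name: sites-enabled directory create
      ansible.builtin.file:
        path: /etc/httpd/sites-enabled
        state: directory
        mode: '0755'

    # Appends the Include directive once; lineinfile leaves the file alone
    # when the exact line is already present.
    - name: sites-enabled add to the httpd configuration
      ansible.builtin.lineinfile:
        path: /etc/httpd/conf/httpd.conf
        insertafter: EOF
        line: 'Include /etc/httpd/sites-enabled'
        state: present

    - name: httpd service enable
      ansible.builtin.systemd:
        name: httpd
        enabled: true

    - name: httpd service start
      ansible.builtin.systemd:
        name: httpd
        state: started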
# Play: install fail2ban and deploy the sshd and httpd jail definitions.
# The jail files are copied verbatim from the control node; their contents
# are not part of this playbook.
- name: fail2ban installation & configuration
  hosts: zabbix
  become: true
  tasks:
    - name: fail2ban installation
      ansible.builtin.dnf:
        state: latest
        name: fail2ban

    # backup: true keeps a timestamped copy of any jail file it overwrites.
    - name: fail2ban configuration
      ansible.builtin.copy:
        src: /etc/ansible/templates/fail2ban/sshd.local
        dest: /etc/fail2ban/jail.d/sshd.local
        backup: true
        owner: root
        group: root
        mode: "0644"

    - name: fail2ban httpd configuration
      ansible.builtin.copy:
        src: /etc/ansible/templates/fail2ban/httpd.local
        dest: /etc/fail2ban/jail.d/httpd.local
        backup: true
        owner: root
        group: root
        mode: "0644"

    - name: fail2ban service enable
      ansible.builtin.systemd:
        enabled: true
        name: fail2ban

    # Unconditional restart so the jails copied above are loaded.
    - name: fail2ban service restart
      ansible.builtin.systemd:
        state: restarted
        name: fail2ban
# Play: install the distribution's php package.
# NOTE(review): nothing here pins a PHP version; the "8" in the name relies
# on whatever the enabled repositories provide - confirm.
- name: php 8 installation & configuration
  hosts: zabbix
  become: true
  tasks:
    - name: php 8 installation
      ansible.builtin.dnf:
        state: present
        name: php
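# Play: install php-fpm, raise the php.ini limits used by the web frontend
# and restart httpd.
# NOTE(review): 512M request/upload limits and a 1 GiB memory limit widen the
# resource-exhaustion surface of the web tier - confirm these sizes are
# actually required.
- name: php 8 installation & configuration
  hosts: zabbix
  become: true
  tasks:
    - name: php-fpm module installation
      ansible.builtin.dnf:
        name: php-fpm
        state: latest

    - name: php post_max_size 512M set
      ansible.builtin.lineinfile:
        path: /etc/php.ini
        regexp: "^post_max_size ="
        line: "post_max_size = 512M"
        state: present

    - name: php upload_max_filesize 512M set
      ansible.builtin.lineinfile:
        path: /etc/php.ini
        regexp: "^upload_max_filesize ="
        line: "upload_max_filesize = 512M"
        state: present

    # Match the directive whether it is still commented out or already set
    # to some other value, so a re-run edits it in place instead of
    # appending a second max_input_vars line.
    - name: php max_input_vars 5000 set
      ansible.builtin.lineinfile:
        path: /etc/php.ini
        regexp: '^;?\s*max_input_vars\s*='
        line: "max_input_vars = 5000"
        state: present

    # PHP reads a bare integer memory_limit as bytes, so "1024" would cap
    # every script at 1 KiB; the M suffix gives the 1024 MiB the task name
    # evidently intends.
    - name: php memory_limit 1024 set
      ansible.builtin.lineinfile:
        path: /etc/php.ini
        regexp: "^memory_limit"
        line: "memory_limit = 1024M"
        state: present

    - name: httpd service restart
      ansible.builtin.systemd:
        name: httpd
        state: restarted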
# Play: add the MariaDB repository definition, bring the host's packages up
# to date and install the MariaDB server plus the PyMySQL driver.
- name: mariadb installation & configuration
  hosts: zabbix
  become: true
  tasks:
    # NOTE(review): package signature checking depends on the contents of
    # this repo file, which is not visible here - confirm it sets gpgcheck=1
    # and a gpgkey.
    - name: mariadb 10.11 repository add
      ansible.builtin.copy:
        src: /etc/ansible/templates/yum.repos.d/mariadb.repo
        dest: /etc/yum.repos.d/mariadb.repo
        mode: "0644"
        owner: root
        group: root

    - name: autoremove unneeded packages installed as dependencies
      ansible.builtin.dnf:
        autoremove: true

    # Upgrades every installed package, not only the database.
    - name: update packages
      ansible.builtin.dnf:
        state: latest
        name: "*"

    - name: mariadb installation
      ansible.builtin.dnf:
        state: latest
        name: mariadb-server

    - name: python3-PyMySQL installation
      ansible.builtin.dnf:
        state: present
        name: python3-PyMySQL

    - name: mariadb service enable
      ansible.builtin.systemd:
        enabled: true
        name: mariadb

    - name: mariadb service restart
      ansible.builtin.systemd:
        state: restarted
        name: mariadb
# Play: remove the anonymous accounts and the test database, install the
# tuning file and restart MariaDB.
# NOTE(review): this covers only part of a typical database hardening pass -
# no task here sets a root password or removes remote root accounts. Confirm
# root access is restricted elsewhere (for example by unix_socket auth).
- name: mariadb secure installation & configuration
  hosts: zabbix
  become: true
  become_user: root
  tasks:
    # No login credentials are passed; these tasks rely on
    # check_implicit_admin, i.e. on root being able to connect without a
    # password - TODO confirm how root authenticates on the target.
    - name: anonymous user account for localhost delete
      community.mysql.mysql_user:
        name: ''
        host: localhost
        state: absent
        check_implicit_admin: true

    - name: all anonymous user accounts delete
      community.mysql.mysql_user:
        name: ''
        host_all: true
        state: absent
        check_implicit_admin: true

    - name: test database delete
      community.mysql.mysql_db:
        name: test
        state: absent
        check_implicit_admin: true

    # backup: true keeps a timestamped copy of any file it overwrites.
    - name: mariadb optimalisation
      ansible.builtin.copy:
        src: /etc/ansible/templates/mariadb/10_my_tweaks.cnf
        dest: /etc/my.cnf.d/10_my_tweaks.cnf
        backup: true
        owner: root
        group: root
        mode: "0644"

    - name: mariadb service restart
      ansible.builtin.systemd:
        state: restarted
        name: mariadb
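# Play: deploy the TLS material and vhost, install Zabbix 6.0 from the vendor
# repository, create and populate its database, tune the server, open the
# Zabbix ports, adjust SELinux and configure the local agent.
- name: zabbix installation & configuration
  hosts: zabbix
  become: true
  become_user: root
  # vars is a mapping; the list-of-dicts form is a legacy syntax.
  vars:
    dns_hostname: zabbix
    dns_domain: krolaki.eu
    # NOTE(security): the database credential is committed here in clear
    # text. Load it from Ansible Vault (or another secret store) instead and
    # rotate any value that has ever been checked in.
    mariadb_database_password: superStrongPassword
  tasks:
    - name: ssl certificate to the target server copy
      ansible.builtin.copy:
        src: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
        dest: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
        owner: root
        group: root
        mode: "0644"

    # The private key must not be world-readable: 0600 root:root. httpd
    # reads it as root before dropping privileges.
    - name: ssl key to the target server copy
      ansible.builtin.copy:
        src: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
        dest: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
        owner: root
        group: root
        mode: "0600"

    # Explicit ownership and mode so the result does not depend on the umask.
    - name: vhost configuration
      ansible.builtin.template:
        src: /etc/ansible/templates/httpd/sites-available/zabbix.conf.j2
        dest: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
        owner: root
        group: root
        mode: "0644"

    - name: vhost enable
      ansible.builtin.file:
        src: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
        dest: "/etc/httpd/sites-enabled/{{ dns_hostname }}.conf"
        owner: root
        group: root
        state: link

    # The key is fetched over HTTPS and trusted as downloaded.
    # NOTE(review): consider pinning it with the module's fingerprint option
    # once the expected fingerprint has been verified out of band.
    - name: zabbix repository gpg installation
      ansible.builtin.rpm_key:
        state: present
        key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD

    - name: zabbix repository installation
      ansible.builtin.dnf:
        name: https://repo.zabbix.com/zabbix/6.0/rhel/9/x86_64/zabbix-release-6.0-4.el9.noarch.rpm
        state: latest

    # Keeps EPEL from shadowing the vendor's zabbix packages.
    - name: exclude zabbix packages from epel
      ansible.builtin.lineinfile:
        path: /etc/yum.repos.d/epel.repo
        line: 'excludepkgs=zabbix*'
        insertbefore: '^(\[epel-debuginfo\])'

    - name: packages update
      ansible.builtin.dnf:
        name: "*"
        state: latest

    - name: unneeded packages remove
      ansible.builtin.dnf:
        autoremove: true

    # One dnf transaction for the whole package set.
    - name: zabbix installation
      ansible.builtin.dnf:
        name:
          - zabbix-server-mysql
          - zabbix-web-mysql
          - zabbix-apache-conf
          - zabbix-sql-scripts
          - zabbix-selinux-policy
          - zabbix-agent2
        state: latest

    # The regexp matches both the commented default and an already-set
    # value, so a password change edits the line in place instead of
    # appending a duplicate. no_log keeps the secret out of task output and
    # --diff.
    # NOTE(review): DBName and DBUser are left untouched; the database and
    # user created below are both named after dns_hostname - confirm that
    # this matches what zabbix_server.conf expects.
    - name: zabbix server configuration
      ansible.builtin.lineinfile:
        path: /etc/zabbix/zabbix_server.conf
        regexp: '^#?\s*DBPassword='
        line: "DBPassword={{ mariadb_database_password }}"
        state: present
      no_log: true

    - name: database create
      community.mysql.mysql_db:
        check_implicit_admin: true
        name: "{{ dns_hostname }}"
        encoding: utf8mb4
        collation: utf8mb4_bin
        state: present

    - name: database user create
      community.mysql.mysql_user:
        check_implicit_admin: true
        name: "{{ dns_hostname }}"
        password: "{{ mariadb_database_password }}"
        priv: "{{ dns_hostname }}.*:ALL"
        state: present
      no_log: true

    # mysql_db lives in community.mysql, as used by the other database
    # tasks; there is no ansible.builtin.mysql_db.
    # NOTE(review): state: import runs on every play run - confirm that
    # re-importing into an already populated schema is handled.
    - name: mariadb database schema import
      community.mysql.mysql_db:
        name: "{{ dns_hostname }}"
        login_user: "{{ dns_hostname }}"
        login_password: "{{ mariadb_database_password }}"
        state: import
        target: /usr/share/zabbix-sql-scripts/mysql/server.sql.gz
        encoding: utf8mb4
      no_log: true

    # blockinfile wraps these lines in marker comments, so re-runs update
    # the same block instead of appending another one.
    - name: zabbix server configuration
      ansible.builtin.blockinfile:
        path: /etc/zabbix/zabbix_server.conf
        insertafter: "EOF"
        block: |
          StartPollers=100
          StartPollersUnreachable=50
          StartPingers=50
          StartTrappers=10
          StartDiscoverers=15
          StartPreprocessors=15
          StartHTTPPollers=5
          StartAlerters=5
          StartTimers=2
          StartEscalators=2
          CacheSize=128M
          HistoryCacheSize=64M
          HistoryIndexCacheSize=32M
          TrendCacheSize=32M
          ValueCacheSize=256M

    # firewalld is provided by ansible.posix, not ansible.builtin.
    # NOTE(review): the local agent is configured below with
    # Server=127.0.0.1, so exposing 10050/tcp in the public zone may be
    # unnecessary - confirm before keeping it open.
    - name: firewalld - port 10050/tcp configuration
      ansible.posix.firewalld:
        zone: public
        port: 10050/tcp
        permanent: true
        immediate: true
        state: enabled

    - name: firewalld - port 10051/tcp configuration
      ansible.posix.firewalld:
        zone: public
        port: 10051/tcp
        permanent: true
        immediate: true
        state: enabled

    # Each task is named after the boolean it actually sets.
    - name: httpd_can_connect_zabbix set
      ansible.posix.seboolean:
        name: httpd_can_connect_zabbix
        state: true
        persistent: true

    - name: zabbix_can_network set
      ansible.posix.seboolean:
        name: zabbix_can_network
        state: true
        persistent: true

    # NOTE(review): this boolean is not Zabbix-specific - confirm it is
    # required before enabling it persistently.
    - name: daemons_enable_cluster_mode set
      ansible.posix.seboolean:
        name: daemons_enable_cluster_mode
        state: true
        persistent: true

    - name: zabbix agent 2 configuration
      ansible.builtin.lineinfile:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: "^Server="
        line: "Server=127.0.0.1"
        state: present

    - name: zabbix agent server configuration
      ansible.builtin.lineinfile:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: "^ServerActive="
        line: "ServerActive=127.0.0.1"
        state: present

    # The doubled "=" made the metadata value "=rhel9". The regexp also
    # matches an already-set line so the earlier value is replaced in place.
    - name: zabbix agent hostmetadata set
      ansible.builtin.lineinfile:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: '^#?\s*HostMetadata='
        line: "HostMetadata=rhel9"
        state: present

    # NOTE(review): if the file also carries an uncommented Hostname= line,
    # the agent may use that instead of HostnameItem - confirm.
    - name: zabbix agent hostname set
      ansible.builtin.lineinfile:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: '^#?\s*HostnameItem='
        line: "HostnameItem=system.hostname"
        state: present

    - name: zabbix server && agent enable
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: true
      loop:
        - zabbix-server
        - zabbix-agent2

    - name: httpd service restart
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: restarted
      loop:
        - httpd
        - php-fpm
        - zabbix-server
        - zabbix-agent2

    # NOTE(security): audit2allow turns every logged denial for the process
    # into an allow rule without review, so the loaded module permits
    # whatever was denied so far, intended or not. Prefer shipping a
    # reviewed policy source file. The .pp file is written to the task's
    # working directory and the task reports "changed" on every run.
    - name: selinux load module
      ansible.builtin.shell: "{{ item }}"
      loop:
        - "ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver"
        - "semodule -X 300 -i my-zabbixserver.pp"

    - name: httpd service restart
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: restarted
      loop:
        - httpd
        - php-fpm
        - zabbix-server
        - zabbix-agent2

    # Same caveat as the zabbix_server module above: the generated rules
    # are not reviewed before being installed.
    - name: selinux load module
      ansible.builtin.shell: "{{ item }}"
      loop:
        - "ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm"
        - "semodule -X 300 -i my-phpfpm.pp"

    # Sums the Start* process counts from the server config and adds 150.
    # The command only prints the number; the result is registered and the
    # task is marked read-only.
    # NOTE(review): despite the task name nothing is set here - confirm
    # where the value is meant to be applied.
    - name: zabbix proxy processes set
      ansible.builtin.shell: >-
        grep -E "^Start.+=[0-9]" /etc/zabbix/zabbix_server.conf
        | awk -F "=" '{s+=$2} END {print s+150}'
      register: zabbix_start_process_total
      changed_when: false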
...