diff --git a/requirements.yml b/requirements.yml
index 5559238a..746075ba 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -7,7 +7,7 @@ collections:
 - name: "community.crypto"
 version: ">=1.7,<2.0"
 - name: "community.zabbix"
- version: "<2.0"
+ version: ">=2.3,<3.0"
 - name: "community.docker"
 version: ">=3.8"
 - name: "ansible.posix"
diff --git a/roles/zabbix-server/library/zabbix_role.py b/roles/zabbix-server/library/zabbix_role.py
deleted file mode 100644
index 0cc7308c..00000000
--- a/roles/zabbix-server/library/zabbix_role.py
+++ /dev/null
@@ -1,210 +0,0 @@ -#!/usr/bin/python - -# Copyright: (c) 2018, Terry Jones -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - - -DOCUMENTATION = r''' ---- -module: zabbix_role -https://www.zabbix.com/documentation/current/en/manual/api/reference/role -https://www.zabbix.com/documentation/current/en/manual/api/reference/role/create - -short_description: Adds or removes zabbix roles - -description: This module adds or removes zabbix roles - -options: - server_url: http://localhost/zabbix - login_user: username - login_password: password - state: exact - name: Operators - The name of the role - type: 1 - https://www.zabbix.com/documentation/current/en/manual/api/reference/role/object#role - rules: - https://www.zabbix.com/documentation/current/en/manual/api/reference/role/object#role-rules - -author: - - Martin van Es -''' - -EXAMPLES = r''' -# Creat role Operators with ui elements monitoring.hosts -# disabled and monitoring.maps enabled - -- name: Create Zabbix role - local_action: - module: zabbix_role - server_url: http://zabbix.scz-vm.net/ - login_user: username - login_password: login_password - state: present - name: Operators - type: 1 - rules: - ui: - - name: "monitoring.hosts" - status: 0 - - name: "monitoring.maps" - status: 1 -''' - -RETURN = r''' -# Return values -msg: - description: The result of the action - type: str - returned: always - sample: 'No action' -changed: - description: The consequence of the action - type: bool - returned: always - sample: False -''' - -import traceback - -from ansible.module_utils.basic import AnsibleModule, missing_required_lib - -try: - from zabbix_api import ZabbixAPI - - HAS_ZABBIX_API = True - ZBX_IMP_ERR = Exception() -except ImportError: - ZBX_IMP_ERR = traceback.format_exc() - HAS_ZABBIX_API = False - - -def find_val(outval, inval): - if outval == str(inval): - return True - return 
False - - -def find_list(outval, inval): - if set(outval) == set(inval): - return True - return False - - -def find_dict(outval, inval): - for out in outval: - m = True - for k, v in inval.items(): - if out[k] == str(v): - continue - else: - m = False - if m: - break - return m - - -def equal(inp, out): - verdict = True - for rule, value in inp.items(): - if not isinstance(value, list): - verdict = verdict and find_val(out.get(rule, ''), value) - else: - if len(value): - if not isinstance(value[0], dict): - verdict = verdict and find_list(out.get(rule, []), value) - else: - for v in value: - verdict = verdict and find_dict(out.get(rule, {}), v) - else: - verdict = verdict and find_list(rule, value) - return verdict - - -def run_module(): - # seed the result dict in the object - changed = False - msg = "No action" - - # define available arguments/parameters a user can pass to the module - module_args = dict( - server_url=dict(type='str', required=True), - login_user=dict(type='str', required=True), - login_password=dict(type='str', required=True, no_log=True), - validate_certs=dict(type='bool', required=False, default=True), - state=dict(type='str', required=False, default='present'), - name=dict(type='str', required=True), - type=dict(type='int', required=False, default=1), - rules=dict(type='dict', required=True), - ) - - # the AnsibleModule object - module = AnsibleModule( - argument_spec=module_args, - supports_check_mode=True - ) - - if not HAS_ZABBIX_API: - module.fail_json(msg=missing_required_lib( - 'zabbix-api', url='https://pypi.org/project/zabbix-api/'), exception=ZBX_IMP_ERR) - - server_url = module.params['server_url'] - login_user = module.params['login_user'] - login_password = module.params['login_password'] - validate_certs = module.params['validate_certs'] - state = module.params['state'] - name = module.params['name'] - type = module.params['type'] - rules = module.params['rules'] - - # This may help with debugging as print() will not work - # 
raise Exception(rules) - - # the Zabbix api object - zapi = ZabbixAPI(server_url, validate_certs=validate_certs) - zapi.login(user=login_user, password=login_password) - - msg = zapi.role.get({ - "output": "extend", - "selectRules": "extend", - "filter": {"name": name} - }) - - if msg: - if len(msg) == 1: - r = msg[0] - if r['readonly'] != 1: - roleid = r['roleid'] - if state == 'absent': - msg = zapi.role.delete([f"{roleid}"]) - changed = True - msg = "Role deleted" - else: - if not equal(rules, r['rules']): - msg = zapi.role.update({"roleid": roleid, "rules": rules}) - changed = True - msg = "Role updated" - else: - module.fail_json(msg='Too many role matches', exception=ZBX_IMP_ERR) - else: - msg = zapi.role.create({ - "name": name, - "type": type, - "rules": rules - }) - changed = True - msg = "Role created" - - zapi.logout() - - module.exit_json(msg=msg, changed=changed) - - -def main(): - run_module() - - -if __name__ == '__main__': - main() diff --git a/roles/zabbix-server/tasks/main.yml b/roles/zabbix-server/tasks/main.yml index f34fd85a..59e8fd7c 100644 --- a/roles/zabbix-server/tasks/main.yml +++ b/roles/zabbix-server/tasks/main.yml @@ -48,7 +48,7 @@ - name: "install zabbix TLS key" copy: content: "{{zabbix_cert.priv}}" - dest: "{{zabbix_nginx_tls_key}}" + dest: "{{zabbix_web_tls_key}}" owner: "root" group: "ssl-cert" mode: "0640" @@ -56,7 +56,7 @@ - name: "install zabbix TLS certificate" copy: content: "{{zabbix_cert.pub}}" - dest: "{{zabbix_nginx_tls_crt}}" + dest: "{{zabbix_web_tls_crt}}" owner: "root" group: "ssl-cert" mode: "0644" 
@@ -76,92 +76,90 @@ create: true line: "CacheSize=64M" -# workaround for https://github.com/ansible-collections/community.zabbix/issues/425 +# workaround for https://github.com/ansible-collections/community.zabbix/pull/1227 - name: "fix nginx access to fpm socket" - user: - name: "www-data" - groups: "{{zabbix_php_fpm_conf_group}}" - append: true - notify: "restart nginx" + lineinfile: + path: "/etc/php/7.4/fpm/pool.d/zabbix.conf" + regexp: "^listen.mode ?=" + line: "listen.mode = 0660" + notify: "restart php-fpm-version" - meta: "flush_handlers" -# check if we can login with the default password -# if so, then we need to update the Admin user below -- name: "check if zabbix admin user has been configured" - community.zabbix.zabbix_user_info: - server_url: "{{zabbix_api_url}}" - login_user: "Admin" - login_password: "zabbix" - alias: "Admin" - validate_certs: "{{zabbix_validate_certs}}" - failed_when: false - register: "can_login" - -- name: "set zabbix admin password" - community.zabbix.zabbix_user: - server_url: "{{zabbix_api_url}}" - login_user: "Admin" - login_password: "zabbix" - alias: "Admin" - name: "Admin" - surname: "Administein" - passwd: "{{zabbix_admin_password}}" - override_passwd: true - usrgrps: - - "Zabbix administrators" - state: "present" - validate_certs: "{{zabbix_validate_certs}}" - when: "'zabbix_user' in can_login" - -# create user for client registration -- name: "Create user group for API access" - community.zabbix.zabbix_usergroup: - server_url: "{{zabbix_api_url}}" - login_user: "Admin" - login_password: "{{zabbix_admin_password}}" - name: "Host registration" - gui_access: "disable" - validate_certs: "{{zabbix_validate_certs}}" - -- name: Create Zabbix role - zabbix_role: - server_url: "{{zabbix_api_url}}" - validate_certs: "{{ not is_docker }}" - login_user: "Admin" - login_password: "{{zabbix_admin_password}}" - state: "present" - name: "Host registration" - type: 3 - rules: - ui.default_access: 0 - ui: - - { name: 
"inventory.overview", status: 1 } - api.access: 1 - api.mode: 1 - api: - - "host.get" - - "host.update" - - "host.create" - - "host.delete" - - "hostgroup.get" - - "hostgroup.update" - - "hostgroup.create" - - "hostinterface.get" - - "hostinterface.update" - - "template.get" - -- name: "Create user for API access" - community.zabbix.zabbix_user: - server_url: "{{zabbix_api_url}}" - login_user: "Admin" - login_password: "{{zabbix_admin_password}}" - alias: "{{zabbix_api_user}}" - passwd: "{{zabbix_api_password}}" - role_name: "Host registration" - usrgrps: ["Host registration"] - state: "present" - validate_certs: "{{zabbix_validate_certs}}" + +- name: zabbix + vars: + ansible_network_os: "community.zabbix.zabbix" + ansible_connection: "httpapi" + ansible_httpapi_port: 443 + ansible_httpapi_use_ssl: true + ansible_httpapi_validate_certs: "{{zabbix_validate_certs}}" + ansible_host: "{{zabbix_url}}" + ansible_zabbix_url_path: '/' + ansible_user: "Admin" + ansible_httpapi_pass: "{{zabbix_admin_password}}" + become: false + block: + # check if we can login with the default password + # if so, then we need to update the Admin user below + - name: "check if zabbix admin user has been configured" + community.zabbix.zabbix_user_info: + username: "Admin" + register: "can_login" + become: false + + - name: "set zabbix admin groups" + community.zabbix.zabbix_user: + username: "Admin" + name: "Admin" + surname: "Administein" + passwd: "{{zabbix_admin_password}}" + current_passwd: "{{zabbix_admin_password}}" + usrgrps: + - "Zabbix administrators" + state: "present" + when: "'zabbix_user' in can_login" + + # create user for client registration + - name: "Create user group for API access" + community.zabbix.zabbix_usergroup: + name: "Host registration" + gui_access: "disable" + become: false + + - name: Create Zabbix role + community.zabbix.zabbix_user_role: + name: "Host registration" + state: "present" + type: "Super Admin" + rules: + ui.default_access: 0 + ui: + - { name: 
"inventory.overview", status: 1 } + api.access: 1 + api.mode: 1 + api: + - "host.get" + - "host.update" + - "host.create" + - "host.delete" + - "hostgroup.get" + - "hostgroup.update" + - "hostgroup.create" + - "hostinterface.get" + - "hostinterface.update" + - "template.get" + + - name: "Create user for API access" + community.zabbix.zabbix_user: + username: "{{zabbix_api_user}}" + passwd: "{{zabbix_api_password}}" + role_name: "Host registration" + usrgrps: ["Host registration"] + state: "present" + + # end of block + - name: Install zabbix backup script template: diff --git a/surf-deploy b/surf-deploy index 08af9013..459f3182 100755 --- a/surf-deploy +++ b/surf-deploy @@ -140,7 +140,7 @@ do break fi done -if [ -n "$MITOGEN_PATH" ] +if [ -n "$MITOGEN_PATH" -a "$NO_MITOGEN" != "1" ] then echo "Found Mitogen at $MITOGEN_PATH" export ANSIBLE_STRATEGY_PLUGINS=$MITOGEN_PATH/$MITOGEN_SUBPATH/
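Review bot: The probe task "check if zabbix admin user has been configured" no longer tests the default password: the block logs in with `ansible_httpapi_pass: "{{zabbix_admin_password}}"`, and "set zabbix admin groups" passes that same value as both `passwd` and `current_passwd`, so nothing visible in this hunk replaces the stock `Admin`/`zabbix` credential any more. With `failed_when: false` also removed, a freshly installed server that still has the default password would presumably fail at the first task instead of being fixed, and `when: "'zabbix_user' in can_login"` now holds whenever the probe succeeds. If the initial password change has moved elsewhere (not visible here), the retained comment should say so, e.g. `# Admin password is set before this block; here we only verify the login and fix group membership`; otherwise keep a bootstrap step that overrides `ansible_httpapi_pass` with the default for the probe and the password change.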
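Review bot: The new test `[ -n "$MITOGEN_PATH" -a "$NO_MITOGEN" != "1" ]` relies on the `-a` operator, which POSIX marks obsolescent and which can parse ambiguously when an operand looks like an operator; two tests joined by the shell are more robust: `if [ -n "$MITOGEN_PATH" ] && [ "$NO_MITOGEN" != "1" ]`. A short comment above the `if`, such as `# set NO_MITOGEN=1 to skip the Mitogen strategy even when it is installed`, would document the new switch. The `if` block continues past the end of the hunk.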