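---
# Install and configure zabbix-agent2 (Zabbix 6.4) on RHEL-like, Debian and Ubuntu
# hosts: package install, agent config, TLS material and PSK, source-restricted
# firewall openings for the agent port, and service enablement.
#
# Security notes for maintainers:
#   * RPM installs are verified against the Zabbix repo GPG key imported below.
#     Never add `disable_gpg_check` to the install tasks (an earlier revision did so
#     for RHEL-9, which switched off signature verification for the whole repo).
#   * The Debian/Ubuntu tasks install a pinned .deb through `apt: deb:`; that path
#     goes through dpkg and performs NO signature check, so only the TLS connection
#     to repo.zabbix.com protects those downloads. Prefer the apt-signed
#     zabbix-release repo package when the fleet allows it.
#   * Firewall openings are restricted to the monitoring sources in MONSRC /
#     MONSRCRANGE. 10051 is the server/proxy trapper port; agent-only hosts need
#     10050 only and the ranges below can be narrowed accordingly.
#   * Every package URL is x86_64/amd64; the play refuses other architectures.
- name: "Install Zabbix agent using yum/dnf/apt"
  hosts: all
  gather_facts: true
  become: true

  vars:
    # Put the IPs/hostnames of Zabbix servers and proxies here.
    # firewalld rich rules and ufw accept IP addresses / CIDR networks only; a
    # hostname here works for the iptables backend but not for the other two.
    MONSRC:
      - "***CONTENTS REDACTED***"
    # Start-end address ranges (iptables --src-range syntax). Only the iptables
    # backend supports them; firewalld and ufw hosts get the MONSRC entries only.
    MONSRCRANGE:
      - "***CONTENTS REDACTED***"
    # MONSRC[2] is only allowed on hosts whose IPv4 addresses match this pattern
    # (previously duplicated inline in the firewalld and iptables tasks).
    MONSRC2_HOST_PATTERN: "***CONTENTS REDACTED***"
    # Default until a firewall manager is detected; set_fact overrides play vars,
    # so the debug task below no longer fails on hosts without a firewall.
    FW_METHOD: "none"
    # The Zabbix 6.4 repo has paths for RHEL 7/8/9 only; Fedora releases are mapped
    # onto the nearest RHEL release, as the original per-version task lists did.
    RHEL7_LIKE: ['7', '19', '20', '21', '22', '23', '24', '25', '26', '27']
    RHEL8_LIKE: ['8', '28', '29', '30', '31', '32', '33']
    RHEL9_LIKE: ['9', '34', '35', '36', '37', '38', '39', '40']
    # Pinned agent packages, keyed by distribution and major version.
    ZBX_DEB:
      Debian:
        '12': https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian12_amd64.deb
        '11': https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian11_amd64.deb
        '10': https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian10_amd64.deb
        '9': https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian9_amd64.deb
      Ubuntu:
        '22': https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu22.04_amd64.deb
        '20': https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu20.04_amd64.deb
        '18': https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu18.04_amd64.deb

  handlers:
    # Restart only when config, TLS material or PSK actually changed, instead of
    # unconditionally on every run as before.
    - name: restart zabbix-agent2
      systemd:
        name: zabbix-agent2
        state: restarted
      when: ansible_facts.service_mgr == "systemd"

  tasks:
    - name: Show the facts the install logic keys on
      debug:
        msg:
          - "distribution: {{ ansible_facts.distribution }}"
          - "distribution_major_version: {{ ansible_facts.distribution_major_version }}"
          - "distribution_file_variety: {{ ansible_facts.distribution_file_variety }}"
          - "architecture: {{ ansible_facts.architecture }}"
          - "all_ipv4_addresses: {{ ansible_facts.all_ipv4_addresses }}"
          - "MONSRC[0]: {{ MONSRC[0] }}"

    - name: Refuse non-x86_64 hosts (every package URL in this play is x86_64/amd64)
      assert:
        that: ansible_facts.architecture == 'x86_64'
        fail_msg: "this play only ships x86_64 packages, host is {{ ansible_facts.architecture }}"

    - name: Populate service facts
      service_facts:

    - name: Populate package facts
      package_facts:
        manager: auto

    # The original printed iptables.service under the ufw condition; a loop fixes that.
    - name: Show state of known firewall services
      debug:
        msg: "{{ item }}: {{ ansible_facts.services[item] }}"
      loop:
        - firewalld.service
        - iptables.service
        - ufw.service
      when: item in ansible_facts.services

    # ---------------------------------------------------------------- RHEL-like -----
    - name: Install current Zabbix repo GPG key (all RHEL-like)
      rpm_key:
        state: present
        key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
      when: ansible_facts.distribution_file_variety == 'RedHat'

    # 06-05-2024: this legacy key is SHA1-signed and rpm rejects it on hosts whose
    # crypto policy forbids SHA1 ("Hash algorithm SHA1 not available"). Only that
    # failure is tolerated (instead of a blanket ignore_errors); any other import
    # error still fails the host.
    - name: Install legacy Zabbix repo GPG key (all RHEL-like)
      rpm_key:
        state: present
        key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
      register: legacy_key
      failed_when:
        - legacy_key is failed
        - "'SHA1' not in (legacy_key | to_json)"
      when: ansible_facts.distribution_file_variety == 'RedHat'

    # RHEL-6: 6.4 has no usable repo path for el6, so a pinned rpm is installed by URL.
    # NOTE(review): yum's localpkg_gpgcheck defaults to off, so this URL install is
    # probably NOT signature-checked even though the key above is imported — confirm
    # on an el6 host, or pre-download and `rpm -K` the file before installing.
    - name: Install zabbix-agent2 from pinned rpm (RHEL-6 like)
      yum:
        name: https://repo.zabbix.com/zabbix/6.4/rhel/6/x86_64/zabbix-agent2-6.4.8-release2.el6.x86_64.rpm
        state: present
      when:
        - ansible_facts.distribution_file_variety == 'RedHat'
        - ansible_facts.distribution_major_version == '6'

    - name: Map the distro major version onto the Zabbix repo's RHEL release
      set_fact:
        ZBX_EL_MAJOR: >-
          {{ '7' if ansible_facts.distribution_major_version in RHEL7_LIKE
             else ('8' if ansible_facts.distribution_major_version in RHEL8_LIKE else '9') }}
      when:
        - ansible_facts.distribution_file_variety == 'RedHat'
        - ansible_facts.distribution_major_version in (RHEL7_LIKE + RHEL8_LIKE + RHEL9_LIKE)

    # One repo task for RHEL 7/8/9. Fixes two defects of the per-version copies it
    # replaces: the RHEL-7 baseurl used $releasever (wrong for the Fedora releases
    # mapped onto it) and the RHEL-9 baseurl pointed at rhel/8. gpgcheck is set
    # explicitly so package verification does not depend on the host-wide default.
    - name: Install official Zabbix 6.4 repo (RHEL-7/8/9 like, incl. Fedora)
      yum_repository:
        name: zabbix
        description: Zabbix Official Repository
        baseurl: "https://repo.zabbix.com/zabbix/6.4/rhel/{{ ZBX_EL_MAJOR }}/x86_64/"
        gpgcheck: true
        gpgkey: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
        enabled: true
      when: ZBX_EL_MAJOR is defined

    - name: Clean yum metadata so the new repo is read
      ansible.builtin.command: /usr/bin/yum clean metadata
      changed_when: false
      when: ZBX_EL_MAJOR is defined

    # EPEL also carries zabbix packages; keep it out so the official build is used.
    # Do NOT add disable_gpg_check here — the repo above is gpgcheck=1 on purpose.
    # This also restores the agent install for RHEL-8-like hosts, for which the
    # previous revision configured the repo but never installed the package.
    - name: Install zabbix-agent2 from the Zabbix repo (RHEL-7/8/9 like)
      yum:
        name: zabbix-agent2
        disablerepo: epel
        state: present
      when: ZBX_EL_MAJOR is defined

    # ---------------------------------------------------------- Debian / Ubuntu -----
    # `apt: deb:` hands the file to dpkg, which performs no signature verification;
    # the download is protected by TLS to repo.zabbix.com only. Prefer the apt-signed
    # zabbix-release repo where possible.
    - name: Install zabbix-agent2 from pinned .deb (Debian 9-12, Ubuntu 18.04-22.04)
      apt:
        deb: "{{ ZBX_DEB[ansible_facts.distribution][ansible_facts.distribution_major_version] }}"
        state: present
      when:
        - ansible_facts.distribution in ZBX_DEB
        - ansible_facts.distribution_major_version in ZBX_DEB[ansible_facts.distribution]

    # ------------------------------------------------------- agent configuration ----
    - name: Create /etc/zabbix with appropriate permissions
      file:
        path: /etc/zabbix
        owner: zabbix
        group: root
        mode: '0755'
        state: directory

    # force: false means "copy only if the destination does not exist" (replaces the
    # stat + when pair). NOTE(review): the zabbix-agent2 package ships a default
    # /etc/zabbix/zabbix_agent2.conf, so on a fresh install this most likely leaves
    # the packaged default in place and the managed config (with the TLS/PSK
    # settings) is never deployed — confirm, and drop `force: false` if the managed
    # config must win.
    - name: Deploy zabbix_agent2.conf if it does not exist yet
      copy:
        src: include/zabbix_agent2.conf
        dest: /etc/zabbix/zabbix_agent2.conf
        owner: zabbix
        group: root
        mode: '0640'
        force: false
      register: agent_conf
      notify: restart zabbix-agent2

    - name: Report whether the managed config was deployed
      debug:
        msg: "/etc/zabbix/zabbix_agent2.conf {{ 'deployed' if agent_conf.changed else 'already existed, left untouched' }}"

    - name: Create /etc/zabbix/certs with appropriate permissions
      file:
        path: /etc/zabbix/certs
        owner: zabbix
        group: root
        mode: '0750'
        state: directory

    # diff: false keeps key material out of --diff / --check output. The private key
    # is readable by its owner only; the other files keep the original 0640.
    - name: Deploy TLS material (CA cert, client cert, client private key)
      copy:
        src: "include/certs/{{ item.name }}"
        dest: "/etc/zabbix/certs/{{ item.name }}"
        owner: zabbix
        group: root
        mode: "{{ item.mode }}"
      loop:
        - { name: ca.cert, mode: '0640' }
        - { name: client.cert, mode: '0640' }
        - { name: client_private.key, mode: '0400' }
      loop_control:
        label: "{{ item.name }}"
      diff: false
      notify: restart zabbix-agent2

    - name: Deploy the agent PSK
      copy:
        src: include/psk.key
        dest: /etc/zabbix/psk.key
        owner: zabbix
        group: root
        mode: '0440'
      diff: false
      notify: restart zabbix-agent2

    - name: Create /var/log/zabbix if needed
      file:
        path: /var/log/zabbix
        state: directory
        owner: zabbix
        group: zabbix
        mode: '0775'

    # Kept from the original, which deleted the log twice per run. NOTE(review): this
    # wipes the agent log on every run, discarding evidence an incident responder may
    # need; if the intent is only to repair ownership after a root-owned first start,
    # a `file:` task setting owner/group zabbix does that without data loss.
    - name: Remove /var/log/zabbix/zabbix_agent2.log if present
      file:
        path: /var/log/zabbix/zabbix_agent2.log
        state: absent

    # Added 05-13-2024: lets the zabbix user collect hardware data via dmidecode.
    # Least privilege: absolute path, a single read-only command, no shell.
    - name: Allow the zabbix user to run sudo dmidecode without a password
      sudoers:
        name: zabbix_dmidecode
        state: present
        user: zabbix
        commands:
          - /usr/sbin/dmidecode
        nopassword: true

    # ------------------------------------------------------------------ firewall -----
    # Detection: later tasks win, so precedence is firewalld > ufw > raw iptables.
    # Previously iptables overrode ufw; since ufw depends on the iptables package,
    # every ufw host was treated as raw iptables and got INPUT rules behind ufw's
    # back while the ufw rule never ran.
    - name: Detect firewall manager - raw iptables
      set_fact:
        FW_METHOD: iptables
      when: "'iptables' in ansible_facts.packages"

    - name: Detect firewall manager - ufw
      set_fact:
        FW_METHOD: ufw
      when: "'ufw' in ansible_facts.packages"

    # Guarded with `in ansible_facts.services` so hosts without firewalld do not
    # fail on the missing key.
    - name: Detect firewall manager - firewalld
      set_fact:
        FW_METHOD: firewalld
      when:
        - ansible_facts.distribution_file_variety != "Debian"
        - "'firewalld.service' in ansible_facts.services"
        - ansible_facts.services['firewalld.service'].status == 'enabled'
          or ansible_facts.services['firewalld.service'].state | default('') == 'running'

    - name: Show value of FW_METHOD
      debug:
        msg: "FW_METHOD is {{ FW_METHOD }}"

    # MONSRC[0] and MONSRC[1] are allowed everywhere; MONSRC[2] only on hosts whose
    # IPv4 addresses match MONSRC2_HOST_PATTERN (same gating the per-source tasks had).
    - name: Build the list of monitoring sources allowed to reach this host
      set_fact:
        ZBX_SOURCES: >-
          {{ MONSRC[0:2]
             + ([MONSRC[2]] if (MONSRC | length > 2
                                and ansible_facts.all_ipv4_addresses is search(MONSRC2_HOST_PATTERN))
                else []) }}

    # ---- firewalld ----
    # Source-restricted rich rules. The previous `port:` form opened 10050-10051 to
    # every address, although the task names claimed a per-server restriction.
    # `FW_METHOD is "firewalld"` was also invalid Jinja (a test, not equality).
    - name: Allow 10050-10051/tcp from the monitoring sources (firewalld)
      firewalld:
        rich_rule: 'rule family="ipv4" source address="{{ item }}" port port="10050-10051" protocol="tcp" accept'
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ ZBX_SOURCES }}"
      when: FW_METHOD == "firewalld"

    # ---- iptables ----
    - name: Allow 10050-10051/tcp from the monitoring sources (iptables)
      iptables:
        action: insert
        chain: INPUT
        source: "{{ item }}"
        protocol: tcp
        destination_port: '10050:10051'
        jump: ACCEPT
        state: present
      loop: "{{ ZBX_SOURCES }}"
      when: FW_METHOD == "iptables"

    - name: Allow 10050-10051/tcp from the monitoring address ranges (iptables)
      iptables:
        action: insert
        chain: INPUT
        src_range: "{{ item }}"
        protocol: tcp
        destination_port: '10050:10051'
        jump: ACCEPT
        state: present
      loop: "{{ MONSRCRANGE }}"
      when: FW_METHOD == "iptables"

    # /etc/sysconfig/iptables exists on RHEL-like hosts only; on Debian-like hosts
    # iptables-persistent reads /etc/iptables/rules.v4 (the directory must exist).
    - name: Persist the iptables rule set
      iptables_state:
        state: saved
        path: "{{ '/etc/sysconfig/iptables' if ansible_facts.distribution_file_variety == 'RedHat' else '/etc/iptables/rules.v4' }}"
      when: FW_METHOD == "iptables"

    # ---- ufw ----
    # Restricted to the monitoring sources (the previous rule allowed 10050 from any
    # address). ufw has no start-end range syntax, so MONSRCRANGE is not applied here.
    - name: Allow 10050/tcp from the monitoring sources (ufw)
      ufw:
        rule: allow
        from_ip: "{{ item }}"
        port: '10050'
        proto: tcp
        comment: Zabbix agent on 10050
      loop: "{{ ZBX_SOURCES }}"
      when: FW_METHOD == "ufw"

    # ------------------------------------------------------------------- service -----
    # Restarts on config/cert/PSK changes are handled by the handler above.
    - name: Enable and start zabbix-agent2 (systemd)
      systemd:
        name: zabbix-agent2
        enabled: true
        masked: false
        state: started
      when: ansible_facts.service_mgr == "systemd"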