Ansible_repo-pub/playbooks/packagemanagement/zabbix/install_zabbix-agent.playbook-condensed.yaml

---
  - name: "Install Zabbix agent using yum/dnf/apt"
    hosts: all
    gather_facts: True
    become: true
# Put the IPs/hostnames of Zabbix servers and proxies here:
    vars:
      MONSRC:
      - ***CONTENTS REDACTED***
      MONSRCRANGE:
      - ***CONTENTS REDACTED***

    tasks:
      - name: "msg print to stdout: Debug ansible_facts"
        debug:
          msg:
#            - "{{ ansible_facts.service_mgr }}"
            - ansible_facts.distribution "{{ ansible_facts.distribution }}"
            - ansible_facts.distribution_major_version "{{ ansible_facts.distribution_major_version }}"
            - ansible_facts.distribution_file_variety "{{ ansible_facts.distribution_file_variety }}"
            #- "{{  ansible_facts.services_iptables'].state  }}"
            #- ansible_facts.services "{{ ansible_facts.services }}"


      - name: Populate systemd service_facts
        service_facts:

      - debug:
          msg:
            - ansible_facts.services['firewalld.service'] "{{ ansible_facts.services['firewalld.service'] }}"
        when: "'firewalld.service' in services"

      - debug:
          msg:
            - ansible_facts.services['iptables.service'] "{{ ansible_facts.services['iptables.service'] }}"
        when: "'iptables.service' in services"

      - debug:
          msg:
            - ansible_facts.services['iptables.service'] "{{ ansible_facts.services['iptables.service'] }}"
        when: "'ufw.service' in services"

      - name: Show MONSRC variables
        debug:
          msg: "MONSRCs: {{ MONSRC[0] }}"

      - name: Gather package facts
        package_facts:
          manager: auto

      - debug:
          msg:
            -  ansible_all_ipv4_addresses "{{ ansible_all_ipv4_addresses}}"

#      - name: "Is firewalld.service or ufw.service enabled?"
#        debug:
#          msg:
#            - "{{ ansible_facts.services['firewalld.service'].status }}"
#            - "{{ ansible_facts.services['ufw.service'].status }}"

      - name: Install Zabbix repo GPG key for ALL RHEL like
        rpm_key:
          state: present
          key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
        when: ansible_facts['distribution_file_variety'] == 'RedHat'

#06-05-2024: added ignore_errors. Getting "Hash algorithm SHA1 not available." Not distro/version specific error.
      - name: Install OLD Zabbix repo GPG key for ALL RHEL like
        rpm_key:
          state: present
          key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
        when: ansible_facts['distribution_file_variety'] == 'RedHat'
        ignore_errors: true

#RHEL-6 Like:
      - name: Install Zabbix rpm key if distro RHEL-6 like
        rpm_key:
          key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
          state: present
        when: ansible_facts['distribution_file_variety'] == 'RedHat'

      - name: Install zabbix-agent2 from specified rpm if distro is RH6-like
        yum:
          name: https://repo.zabbix.com/zabbix/6.4/rhel/6/x86_64/zabbix-agent2-6.4.8-release2.el6.x86_64.rpm
          state: installed
        when: (ansible_facts['distribution_file_variety'] == 'RedHat') and (ansible_facts['distribution_major_version'] == '6')

#RHEL-7 like:
      - name: Install Official Zabbix repo for RHEL-7 like, incl. Fedora 19 - 27
        yum_repository:
          name: zabbix
          description: Install Zabbix official repo for RHEL-7 like
          baseurl: https://repo.zabbix.com/zabbix/6.4/rhel/$releasever/x86_64/
          enabled: yes
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '7' or ansible_facts['distribution_major_version'] == '19' or ansible_facts['distribution_major_version'] == '20' or ansible_facts['distribution_major_version'] == '21' or ansible_facts['distribution_major_version'] == '22' or ansible_facts['distribution_major_version'] == '23' or ansible_facts['distribution_major_version'] == '24' or ansible_facts['distribution_major_version'] == '25' or ansible_facts['distribution_major_version'] == '26' or ansible_facts['distribution_major_version'] == '27'

      - name: yum-clean-metadata for RHEL-7 like, incl. Fedora 19 - 27
        ansible.builtin.command: /usr/bin/yum clean metadata
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '7' or ansible_facts['distribution_major_version'] == '19' or ansible_facts['distribution_major_version'] == '20' or ansible_facts['distribution_major_version'] == '21' or ansible_facts['distribution_major_version'] == '22' or ansible_facts['distribution_major_version'] == '23' or ansible_facts['distribution_major_version'] == '24' or ansible_facts['distribution_major_version'] == '25' or ansible_facts['distribution_major_version'] == '26' or ansible_facts['distribution_major_version'] == '27'

      - name: Install zabbix-agent2 for RHEL-7 like
        yum:
          name:
            - zabbix-agent2
          disablerepo: "epel"
          state: present
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '7' or ansible_facts['distribution_major_version'] == '19' or ansible_facts['distribution_major_version'] == '20' or ansible_facts['distribution_major_version'] == '21' or ansible_facts['distribution_major_version'] == '22' or ansible_facts['distribution_major_version'] == '23' or ansible_facts['distribution_major_version'] == '24' or ansible_facts['distribution_major_version'] == '25' or ansible_facts['distribution_major_version'] == '26' or ansible_facts['distribution_major_version'] == '27'

#RHEL-8 like:
      - name: Install Official Zabbix repo for RHEL-8 like incl. Fedora 28 - 33
        yum_repository:
          name: zabbix
          description: Install Zabbix official repo for RHEL-8 like incl. Fedora 28 - 33
          baseurl: https://repo.zabbix.com/zabbix/6.4/rhel/8/x86_64/
          enabled: yes
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '8' or ansible_facts['distribution_major_version'] == '28' or ansible_facts['distribution_major_version'] == '29' or ansible_facts['distribution_major_version'] == '30' or ansible_facts['distribution_major_version'] == '31' or ansible_facts['distribution_major_version'] == '32' or ansible_facts['distribution_major_version'] == '33'


      - name: yum-clean-metadata for RHEL-8 like incl. Fedora 28 - 33
        ansible.builtin.command: /usr/bin/yum clean metadata
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '8' or ansible_facts['distribution_major_version'] == '28' or ansible_facts['distribution_major_version'] == '29' or ansible_facts['distribution_major_version'] == '30' or ansible_facts['distribution_major_version'] == '31' or ansible_facts['distribution_major_version'] == '32' or ansible_facts['distribution_major_version'] == '33'

#RHEL-9 like:
      - name: Install Official Zabbix repo for RHEL-9 like incl. Fedora 34 - 40
        yum_repository:
          name: zabbix
          description: Install Zabbix official repo for RHEL-9 like incl. Fedora 34 - 40
          baseurl: https://repo.zabbix.com/zabbix/6.4/rhel/8/x86_64/
          enabled: yes
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '9' or ansible_facts['distribution_major_version'] == '34' or ansible_facts['distribution_major_version'] == '35' or ansible_facts['distribution_major_version'] == '36' or ansible_facts['distribution_major_version'] == '37' or ansible_facts['distribution_major_version'] == '38' or ansible_facts['distribution_major_version'] == '39' or ansible_facts['distribution_major_version'] == '40'



      - name: Install Zabbix repo GPG key for ALL RHEL like
        rpm_key:
          state: present
          key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD
        when: ansible_facts['distribution_file_variety'] == 'RedHat'

      - name: yum-clean-metadata for RHEL-9 like, incl. Fedora 34-40
        ansible.builtin.command: /usr/bin/yum clean metadata
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '9' or ansible_facts['distribution_major_version'] == '34' or ansible_facts['distribution_major_version'] == '35' or ansible_facts['distribution_major_version'] == '36' or ansible_facts['distribution_major_version'] == '37' or ansible_facts['distribution_major_version'] == '38' or ansible_facts['distribution_major_version'] == '39' or ansible_facts['distribution_major_version'] == '40'

      - name: Install zabbix-agent2 for RHEL-9 like, incl. Fedora 34-40
        yum:
          name:
            - zabbix-agent2
          disablerepo: "epel"
          state: present
          disable_gpg_check: true
        when:
          - ansible_facts['distribution_file_variety'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '9' or ansible_facts['distribution_major_version'] == '34' or ansible_facts['distribution_major_version'] == '35' or ansible_facts['distribution_major_version'] == '36' or ansible_facts['distribution_major_version'] == '37' or ansible_facts['distribution_major_version'] == '38' or ansible_facts['distribution_major_version'] == '39' or ansible_facts['distribution_major_version'] == '40'


###############################################  Debian section  #################################################################################################
      - name: Install zabbix-agent2 from specified deb file if distro is Deb12, "Bookworm"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian12_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Debian') and (ansible_facts['distribution_major_version'] == '12')
      - name: Install zabbix-agent2 from specified deb file if distro is Deb11, "Bullseye"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian11_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Debian') and (ansible_facts['distribution_major_version'] == '11')
      - name: Install zabbix-agent2 from specified deb file if distro is Deb10, "Buster"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian10_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Debian') and (ansible_facts['distribution_major_version'] == '10')
      - name: Install zabbix-agent2 from specified deb file if distro is Deb9, "Stretch"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bdebian9_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Debian') and (ansible_facts['distribution_major_version'] == '9')
##############################################   Begin Ubuntu section   ###################################################
      - name: Install zabbix-agent2 from specified deb file if distro is Ubuntu 22.xx, "Jammy Jellyfish"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu22.04_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Ubuntu') and (ansible_facts['distribution_major_version'] == '22')
      - name: Install zabbix-agent2 from specified deb file if distro is Ubuntu 20.xx, "Focal Fossa"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu20.04_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Ubuntu') and (ansible_facts['distribution_major_version'] == '20')
      - name: Install zabbix-agent2 from specified deb file if distro is Ubuntu 18.xx, "Bionic Bever"
        apt:
          deb: https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix/zabbix-agent2_6.4.8-2%2Bubuntu18.04_amd64.deb
          state: present
        when: (ansible_facts['distribution'] == 'Ubuntu') and (ansible_facts['distribution_major_version'] == '18')

      - name: Create /etc/zabbix w/ appropriate permissinos
        file:
          path: /etc/zabbix
          owner: zabbix
          group: root
          mode: '0755'
          state: directory

# Copy Zabbix agent config file to host
      - name: use stat module to determine if /etc/zabbix/zabbix_agent2.conf already exists on the hosts
        stat:
          path: "/etc/zabbix/zabbix_agent2.conf"
        register: result

      - name: perform copy of zabbix agent config if it doesn't already exist
        copy:
          src: include/zabbix_agent2.conf
          dest: /etc/zabbix/zabbix_agent2.conf
          owner: zabbix
          group: root
          mode: '0640'
        when: not result.stat.exists

      - name: Show result of stat
        debug:
          msg: "/etc/zabbix/zabbix_agent2.conf DOES NOT exist!"
        when: not result.stat.exists

      - name: Show result
        debug:
          msg: "/etc/zabbix/zabbix_agent2.conf exists!"
        when: result.stat.exists
# Create /etc/zabbix w/ appropriate permissinos
      - name: Create /etc/zabbix/certs w/ appropriate permissions
        file:
          path: /etc/zabbix/certs
          owner: zabbix
          group: root
          mode: '0750'
          state: directory

# Copy Zabbix ca.cert to host
      - name: perform copy ca.cert
        copy:
          src: include/certs/ca.cert
          dest: /etc/zabbix/certs/ca.cert
          owner: zabbix
          group: root
          mode: '0640'

# Copy Zabbix client.cert to host
      - name: perform copy client.cert
        copy:
          src: include/certs/client.cert
          dest: /etc/zabbix/certs/client.cert
          owner: zabbix
          group: root
          mode: '0640'

# Copy Zabbix client_private.key to host
      - name: perform copy ca.cert
        copy:
          src: include/certs/client_private.key
          dest: /etc/zabbix/certs/client_private.key
          owner: zabbix
          group: root
          mode: '0640'

      - name : remove /var/log/zabbix/zabbix_agent2.log file if present
        file:
          path: /var/log/zabbix/zabbix_agent2.log
          state: absent

# Copy Zabbix agent PSK
      - name: perform copy of Zabbix agent PSK
        copy:
          src: include/psk.key
          dest: /etc/zabbix/psk.key
          owner: zabbix
          group: root
          mode: '0440'

# Ensure /var/log/zabbix/ exists w/ correct permissions
      - name: Create /var/log/zabbix if needed
        file:
          path: /var/log/zabbix
          state: directory
          owner: zabbix
          group: zabbix
          mode: '0775'


# Remove /var/log/zabbix/zabbix_agent2.log doesn't exist
      - name: rm /var/log/zabbix/zabbix_agent2.log
        file:
          path: /var/log/zabbix/zabbix_agent2.log
          state: absent

##############  Add special permissions for the zabbix user to collect certain data from soures like the dmidecode program  #########  (Addded 05-13-2024)
      - name: Allow the zabbix user to run sudo dmidecode w/o a nopassword
        sudoers:
          name: zabbix_dmidecode
          state: present
          user: zabbix
          commands:
            - /usr/sbin/dmidecode
          nopassword: true


############################################################################################################################################
############################################################################################################################################
######### Firewall stuff ###################################################################################################################

########## firewalld section ################################################################################################################
#################################
# Determine and set the firewall method
      - name: Set variable to indicate which firewall method is being used by a systemd
        set_fact:
          FW_METHOD: "ufw"
        when: "'ufw' in ansible_facts.packages"

      - name: Set variable to indicate which firewall method is being used by a systemd
        set_fact:
          FW_METHOD: "iptables"
        when: "'iptables' in ansible_facts.packages"

      - name: Set variable to indicate which firewall method is being used by a systemd
        set_fact:
          FW_METHOD: "firewalld"
        when:
          - ansible_facts.distribution_file_variety != "Debian"
          - ansible_facts.services['firewalld.service']['status'] == 'enabled' or ansible_facts.services['firewalld.service']['status'] == 'running'

      - name: Show value of FW_METHOD
        debug:
          msg: FW_METHOD is "{{ FW_METHOD }}"

# Allow connections to :10050 on systems using firewalld:
      - name: allow :10050-10051/tcp incoming from $MONSRC0 ("{{ MONSRC[0] }}") using firewalld
        firewalld:
          port: 10050-10051/tcp
          permanent: True
          state: enabled
          immediate: True
        when: FW_METHOD is "firewalld"

      - name: allow :10050-10051/tcp incoming from $MONSRC1 ("{{ MONSRC[1] }}") using firewalld
        firewalld:
          port: 10050-10051/tcp
          permanent: True
          state: enabled
          immediate: True
        when: FW_METHOD is "firewalld"

      - name: allow :10050-10051/tcp incoming from $MONSRC2 ("{{ MONSRC[2] }}") using firewalld
        firewalld:
          port: 10050-10051/tcp
          permanent: True
          state: enabled
          immediate: True
        when:
          - FW_METHOD is "firewalld"
          - ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")

########## iptables section #################################################################################################################

      - name: Open 10050/tcp from $MONSRC0 ("{{ MONSRC[0] }}") if iptables.service is enabled
        iptables:
          action: insert
          chain: INPUT
          source: "{{ MONSRC[0] }}"
          protocol: tcp
          destination_port: 10050:10051
          state: present
          jump: ACCEPT
        when: FW_METHOD is "iptables"

      - name: Open 10050/tcp from $MONSRC1 ("{{ MONSRC[1] }}") if iptables.service is enabled
        iptables:
          action: insert
          chain: INPUT
          source:  "{{ MONSRC[1] }}"
          protocol: tcp
          destination_port: 10050:10051
          state: present
          jump: ACCEPT
        when: FW_METHOD is "iptables"

      - name: Open 10050/tcp from $MONSRC2 ("{{ MONSRC[2] }}") if iptables.service is enabled AND IP contains ***CONTENTS REDACTED***
        iptables:
          action: insert
          chain: INPUT
          source:  "{{ MONSRC[2] }}"
          protocol: tcp
          destination_port: 10050:10051
          state: present
          jump: ACCEPT
        when:
          - FW_METHOD is "iptables"
          - ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")

      - name: Open 10050/tcp from $MONSRCRANGE0 ("{{ MONSRCRANGE[0] }}") if iptables.service is enabled
        iptables:
          action: insert
          chain: INPUT
          src_range:  "{{ MONSRCRANGE[0] }}"
          protocol: tcp
          destination_port: 10050:10051
          state: present
          jump: ACCEPT
        when: FW_METHOD is "iptables"

      - name: Open 10050/tcp from $MONSRCRANGE1 ("{{ MONSRCRANGE[1] }}") if iptables.service is enabled
        iptables:
          action: insert
          chain: INPUT
          src_range:  "{{ MONSRCRANGE[1] }}"
          protocol: tcp
          destination_port: 10050:10051
          state: present
          jump: ACCEPT
        when: FW_METHOD is "iptables"

      - name: Save current state of the firewall in system file if iptables is enabled
        iptables_state:
          state: saved
          path: /etc/sysconfig/iptables
        when: FW_METHOD is "iptables"

########## ufw section ######################################################################################################################

# Allow connections to :10050 on systems using UFW:
      - name: allow :10050/tcp incoming, ufw
        ufw:
          rule: allow
          port: '10050'
          proto: tcp
          comment: Zabbix agent on 10050
        when:
          - FW_METHOD is "ufw"

######### End of firewall stuff ############################################################################################################
############################################################################################################################################
############################################################################################################################################

# Enable zabbix-agent on systemd-enabled systems:
      - name: enable zabbix-agent2 service
        systemd:
          name: zabbix-agent2
          enabled: True
          masked: no
          state: started
        ignore_errors: False
        when: ansible_facts.service_mgr == "systemd"

# Restart systemd service
      - name: restart zabbix-agent2.service, systemd
        systemd:
          name: zabbix-agent2
          enabled: True
          masked: no
          state: restarted
        ignore_errors: False
        when: ansible_facts.service_mgr == "systemd"