diff --git a/roles/zabbix_agent/defaults/main.yml b/roles/zabbix_agent/defaults/main.yml
index 9eb9e58..85c22f7 100644
--- a/roles/zabbix_agent/defaults/main.yml
+++ b/roles/zabbix_agent/defaults/main.yml
@@ -1,8 +1,30 @@
 ---
-zabbix_agent_servers: [ '212.129.1.224' ]
-zabbix_agent_encryption: psk
-zabbix_agent_port: '10050'
+zabbix_agent_port: 10050
+# List of servers allowed to connect to the agent (passive checks)
+zabbix_agent_servers:
+  - 51.91.175.34
+# List of IP allowed to access TCP port 10050
 zabbix_agent_src_ip: "{{ zabbix_agent_servers }}"
+# List of servers the agent will push active checks to
+zabbix_agent_server_active: []
+
+zabbix_agent_base_conf:
+  PidFile: /var/run/zabbix/zabbix_agentd.pid
+  LogType: system
+  Server: "{{ zabbix_agent_servers | join(',') }}"
+  ListenPort: "{{ zabbix_agent_port }}"
+  ServerActive: "{{ zabbix_agent_server_active | join(',') }}"
+  HostnameItem: 'system.hostname'
+  Timeout: 30
+  Include: '/etc/zabbix/zabbix_agentd.conf.d/*.conf'
+  TLSPSKFile: '/etc/zabbix/zabbix_agentd.psk'
+  TLSPSKIdentity: "{{ inventory_hostname }}-agent"
+  TLSConnect: psk
+  TLSAccept: 'unencrypted,psk'
+  StartAgents: 5
+zabbix_agent_extra_conf: {}
+zabbix_agent_conf: "{{ zabbix_agent_base_conf | combine(zabbix_agent_extra_conf, recursive=True) }}"
+
 # If update is set to False, the role will only ensure packages are installed
 # If set to True, it will update components to their latest version
 zabbix_agent_update: False
diff --git a/roles/zabbix_agent/tasks/psk.yml b/roles/zabbix_agent/tasks/psk.yml
index b34c989..d2ab42d 100644
--- a/roles/zabbix_agent/tasks/psk.yml
+++ b/roles/zabbix_agent/tasks/psk.yml
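Review bot: `TLSAccept: 'unencrypted,psk'` in the new `zabbix_agent_base_conf` keeps accepting unencrypted passive-check connections even though this commit removes the `zabbix_agent_encryption` switch and always provisions a PSK; if the intent is PSK everywhere, `TLSAccept: psk` enforces it, and the dual value is only justified while a server is still being migrated. Either way the line deserves a comment, e.g. `# 'unencrypted,psk' accepts both during migration; set to 'psk' once every server uses the PSK`. The new `zabbix_agent_servers` default also hard-codes a single public address; a role default that points at one specific server is easy to ship by accident, so `zabbix_agent_servers: []` under the existing comment is the safer default and forces the inventory to supply the real list. Inventories that still set `zabbix_agent_encryption` are now silently ignored, which is worth a line in the role's README or changelog.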
@@ -1,21 +1,12 @@
 ---
-- name: Check if a TLS PSK key exists
-  stat: path=/etc/zabbix/zabbix_agentd.psk
-  register: zbx_psk
-  tags: zabbix
-
 - name: Generate random PSK key for TLS encryption
   shell: openssl rand -hex 32 > /etc/zabbix/zabbix_agentd.psk
-  when:
-    - not zbx_psk.stat.exists
-    - zabbix_agent_encryption == "psk"
+  args:
+    creates: /etc/zabbix/zabbix_agentd.psk
   tags: zabbix
 
 - name: Restrict permission on PSK file
   file: path=/etc/zabbix/zabbix_agentd.psk owner=root group=zabbix mode=0640
-  when:
-    - not zbx_psk.stat.exists
-    - zabbix_agent_encryption == "psk"
   tags: zabbix
diff --git a/roles/zabbix_agent/tasks/selinux.yml b/roles/zabbix_agent/tasks/selinux.yml
index 04f520e..e2c72ed 100644
--- a/roles/zabbix_agent/tasks/selinux.yml
+++ b/roles/zabbix_agent/tasks/selinux.yml
@@ -6,7 +6,7 @@
 - name: Allow Zabbix to use sudo
   seboolean: name={{ item }} state=True persistent=True
-  with_items:
+  loop:
   - zabbix_run_sudo
   when: ansible_distribution != 'CentOS' or ansible_distribution_version | default(0) is version('7.6', '>=') # This bool is only available for CentOS 7.6.1810 or newer
   tags: zabbix
diff --git a/roles/zabbix_agent/templates/zabbix_agentd.conf.j2 b/roles/zabbix_agent/templates/zabbix_agentd.conf.j2
index ea820c2..d4e5938 100644
--- a/roles/zabbix_agent/templates/zabbix_agentd.conf.j2
+++ b/roles/zabbix_agent/templates/zabbix_agentd.conf.j2
@@ -1,13 +1,3 @@
-PidFile=/var/run/zabbix/zabbix_agentd.pid
-Server={{ zabbix_agent_servers | join(',') }}
-ServerActive=
-HostnameItem=system.hostname
-Timeout=30
-LogType=system
-Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf
-{% if zabbix_agent_encryption == "psk" %}
-TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
-TLSPSKIdentity={{ inventory_hostname }}-agent
-TLSConnect=psk
-TLSAccept=unencrypted,psk
-{% endif %}
+{% for key in zabbix_agent_conf.keys() | list %}
+{{ key }}={{ zabbix_agent_conf[key] }}
+{% endfor %}
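Review bot: The `shell` task writes the PSK with the shell's default umask, so `/etc/zabbix/zabbix_agentd.psk` is typically created world-readable and stays that way until the following `file` task sets `mode=0640`; with `creates:` replacing the old `when`, nothing in the new version narrows that window. Setting the umask inside the command closes it: `shell: umask 077 && openssl rand -hex 32 > /etc/zabbix/zabbix_agentd.psk`, after which the `file` task relaxes the mode to the intended `0640` for the `zabbix` group. A second consequence of `creates:` is that a failed `openssl` run still leaves the empty redirect target behind, and every later run then skips the task because the path exists, so the agent would start with an empty key; writing to a temporary path and renaming it into place, or a `failed_when` on an empty result, avoids that. Both tasks are complete within the hunk.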
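Review bot: `zabbix_agent_conf.keys() | list` on the first line of the new template converts the keys needlessly and then looks each one up again; iterating pairs is clearer, and `dictsort` makes the rendered key order independent of the dict's insertion order so an otherwise unchanged template does not report a change between runs: `{% for key, value in zabbix_agent_conf | dictsort %}` followed by `{{ key }}={{ value }}`. Values are rendered verbatim, so an empty `zabbix_agent_server_active` still yields `ServerActive=` as before, while a key set to null in `zabbix_agent_extra_conf` would appear to render as the literal `None`; a short comment at the top of the template, e.g. `{# every key in zabbix_agent_conf is written as key=value; override or add keys via zabbix_agent_extra_conf #}`, would make that contract explicit.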