Ansible Role to deploy Zabbix Server/Proxy/Agent components on a linux server.
The roles target is it to configure the Zabbix components foundational.
You will need to manage the zabbix-agent integration(s) into your systems on your own! (per example: adding MySQL users and client-config to monitor its status)
NOTE: Check out the Zabbix Server dockerized Role if you prefer Docker setups.
Tested:
- Debian 11
# latest
ansible-galaxy role install git+https://github.com/ansibleguy/sw_zabbix
# from galaxy
ansible-galaxy install ansibleguy.sw_zabbix
# or to custom role-path
ansible-galaxy install ansibleguy.sw_zabbix --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml
-
Need professional support using Ansible or Zabbix? Contact us:
E-Mail: [email protected]
Tel: +43 3115 40 900 0
Language: German or English
-
You want a simple Ansible GUI?
Check-out this Ansible WebUI
Define the zabbix dictionary as needed.
Example for a zabbix server:
zabbix:
manage:
agent2: true # activated by default
server: true
server:
nginx: # configure the webserver settings => see: https://github.com/ansibleguy/infra_nginx
domain: 'zabbix.template.ansibleguy.net'
aliases: ['zbx.template.ansibleguy.net']
ssl:
mode: 'letsencrypt' # or snakeoil/selfsigned/ca
# if you use 'selfsigned', 'snakeoil' or 'ca':
# cert:
# cn: 'Zabbix Server'
# org: 'AnsibleGuy'
# email: '[email protected]'
letsencrypt:
email: '[email protected]'
tls_cert_copy: 'server.crt' # will be copied from the roles 'files/certs' directory to the target system
tls_key_copy: 'server.key' # must be configured for server-authentication
tls_ca_copy: 'ca.crt'
settings:
ListenIP: '172.16.0.54'
ProxyDataFrequency: 10
ProxyConfigFrequency: 600
SSHKeyLocation: '/etc/zabbix/private/id_rsa'
agent2:
tls_psk: !vault ...
settings:
Server: '172.16.0.54'
TLSPSKIdentity: 'RandomIdentity_O(73odfs23'
Example for a zabbix proxy:
zabbix:
manage:
agent2: true
proxy: true
proxy:
tls_cert_copy: 'proxy01.crt' # will be copied from the roles 'files/certs' directory to the target system
tls_key_copy: 'proxy01.key' # must be configured for client-authentication
tls_ca_copy: 'ca.crt'
settings:
Server: '172.16.0.54'
TLSConnect: 'cert'
TLSAccept: 'cert'
ConfigFrequency: 600
ListenIP: '172.18.15.7'
agent2:
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
settings:
Server: '172.18.15.7'
ListenIP: '172.18.15.7'
Example for zabbix agent V2:
zabbix:
# agent version 2 is enabled by default
# manage:
# agent2: true
agent2:
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
settings:
Server: '172.16.0.54'
TLSPSKIdentity: 'RandomIdentity_lUF(o3s4kjh3o'
ListenIP: '172.16.0.80'
Example for the older zabbix agent:
zabbix:
manage:
agent1: true
agent1:
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
settings:
Server: '172.16.0.54'
TLSPSKIdentity: 'RandomIdentity_lUF(o3s4kjh3o'
ListenIP: '172.16.0.80'
Example - if you don't want to use the ansible-managed nginx web-proxy:
zabbix:
manage:
server: true
webserver: false # <=
server:
...
settings:
...
You might want to use 'ansible-vault' to encrypt your passwords:
ansible-vault encrypt_string
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass
There are also some useful tags available:
- config
- install
- uninstall
- agent
- proxy
- server
-
Package installation
-
Configuration
-
Features:
-
Copying your..
- scripts (agent scripts, externalscripts, alertscripts)
- userparameters
- certificates
-
.. to the target system; just put them in the prepared 'files' directory of this role!
-
-
Default config:
- Using ansible-hostnames as Zabbix hostnames
- Traffic encryption using PSK
- Using a Self-Signed certificate for the Zabbix server
- not running as root
- Webserver best-practices => see: THIS Role
- Agent/Proxy/Server listening on all interfaces
-
Default opt-ins:
- Logging to syslog
- Zabbix agent installation
- MariaDB setup for Zabbix proxy and server
- Nginx setup for Zabbix server
-
Default opt-outs:
- Zabbix proxy and server installation
- Settings: UnsafeUserParameters, EnableRemoteCommands
-
Security:
- Traffic encryption per PSK or Certificate is ENFORCED
-
-
Note: The lowest version supported is 6.0!
-
Warning: The target server/os for the Zabbix server-component should host only this service! Else you might possibly run into configuration/compatibility issues!
-
Note: this role currently only supports debian-based systems
-
Info: We chose to use Nginx and Apache2 so that the configuration managed by Zabbix (Apache2) and the one we manage using this role (Nginx) can co-exist safely. This may be important in the future. Else incompatibilities would break future setups if Zabbix changes their config-handling.
-
Info: Zabbix-Server apache2 config is stored at: /etc/zabbix/apache.conf (default)
-
Info: The default login for the Zabbix server is: User = Admin | Password = zabbix
-
Info: If the server installation fails for some reason you might want to uninstall the 'zabbix-server-mysql' package before re-running this role!
-
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
-
Info: If you use PSKs to encrypt your traffic - it must be at least 32 hex-digits long!