Changed file structure. Added zabbix proxy playbook

2025-08-24 14:30:55 +02:00
parent 7bd28950ca
commit 1197e92bd8
4 changed files with 96 additions and 28 deletions
--- a/Ansible/playbooks/apt_upgrade.yml
+++ b/Ansible/playbooks/apt_upgrade.yml
@@ -0,0 +1,14 @@
+- name: Upgrade packages
+  hosts: ubuntu
+  become: true
+
+  tasks:
+   - name: Update cache 
+     ansible.builtin.apt:
+      update_cache: true
+     register: cache_updated
+
+   - name: Upgrade packages if something is changed
+     ansible.builtin.apt:
+      upgrade: "yes"
+     when: cache_updated.changed
--- a/Ansible/playbooks/lxc_setup_ubuntu.yml
+++ b/Ansible/playbooks/lxc_setup_ubuntu.yml
@@ -0,0 +1,63 @@
+---
+- name: Secure and Configure a New LXC Container
+  hosts: '{{ hosts_to_work_on }}' # Hosts or group defined in your inventory
+  become: yes # Run all tasks as root (sudo)
+  tasks:
+    - name: 1. Create user '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        shell: /bin/bash
+        groups: sudo # Add to sudo (for Debian/Ubuntu)
+        state: present
+
+    - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+
+    - name: 2. Set up authorized_keys for '{{ target_user }}'
+      ansible.posix.authorized_key:
+        user: '{{ target_user }}'
+        key: "{{ item }}"
+        state: present
+        path: /home/{{ target_user }}/.ssh/authorized_keys
+      loop: "{{ my_public_keys }}"
+      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+    - name: 3. Lock password for '{{ target_user }}'
+      ansible.builtin.user:
+        name: '{{ target_user }}'
+        password_lock: yes
+
+    - name: 4.0. Install software-properties-common
+      ansible.builtin.apt:
+        name: software-properties-common
+        state: present
+        update_cache: yes
+
+    - name: 4.1. Disallow root login over SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: 4.2. Disallow password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+  handlers:
+    # This block will only run if at least one task sends a notification.
+    # This prevents unnecessary service restarts.
+    - name: 5. Restart sshd server
+      listen: "restart sshd"
+      ansible.builtin.service:
+        name: sshd
+        state: restarted
--- a/Ansible/playbooks/zabbix_agent_upgrade.yml
+++ b/Ansible/playbooks/zabbix_agent_upgrade.yml
@@ -0,0 +1,16 @@
+- name: Upgrade zabbix agent
+  hosts: zagents
+  become: true
+
+  tasks:
+   - name: Ensure that Zabbix agent is at the latest version 
+     ansible.builtin.apt:
+      name: zabbix-agent2
+      state: latest
+     register: zabbix_agent2_status
+
+   - name: Upgrade Zabbix agent if not latest
+     ansible.builtin.apt:
+      name: zabbix-agent2
+      upgrade: yes
+     when: zabbix_agent2_status.changed
--- a/Ansible/playbooks/zabbix_proxy_install.yml
+++ b/Ansible/playbooks/zabbix_proxy_install.yml
@@ -0,0 +1,68 @@
+---
+- name: Install and Configure Zabbix Proxy
+  hosts: zabbix-proxy # Assuming you have a group for zabbix proxy in your inventory
+  become: yes
+  vars_files:
+    - ../secrets.yml
+  tasks:
+    - name: Add Zabbix repository
+      ansible.builtin.apt_repository:
+        repo: "deb https://repo.zabbix.com/zabbix/7.4/ubuntu {{ ansible_distribution_release }} main"
+        state: present
+        filename: zabbix
+
+    - name: Install Zabbix proxy
+      ansible.builtin.apt:
+        name: zabbix-proxy-sqlite3
+        state: present
+        update_cache: yes
+
+    - name: Create Zabbix proxy configuration file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/zabbix_proxy.conf.d/mbuz.conf
+        content: |
+          Server={{ zabbix_server_address }}:10051
+          Hostname={{ zabbix_proxy_hostname }}
+          DBName=/tmp/zabbix_proxy
+          StartPollers=2
+          StartPreprocessors=1
+          StartTrappers=1
+          StartDiscoverers=1
+          StartDBSyncers=1
+          StartAgentPollers=2
+          EnableRemoteCommands=1
+          TLSConnect=psk
+          TLSAccept=psk
+          TLSPSKFile=/etc/zabbix/lxc-proxy.psk
+          TLSPSKIdentity={{ zabbix_psk_identity }}
+      notify: restart zabbix-proxy
+
+    - name: Create Zabbix proxy PSK file
+      ansible.builtin.copy:
+        dest: /etc/zabbix/proxy.psk
+        content: "{{ zabbix_proxy_psk }}"
+        owner: zabbix
+        group: zabbix
+        mode: '0600'
+      notify: restart zabbix-proxy
+
+  handlers:
+    - name: restart zabbix-proxy
+      ansible.builtin.service:
+        name: zabbix-proxy
+        state: restarted
+        enabled: yes
+
+- name: Verify Zabbix Proxy Service
+  hosts: zabbix_proxy
+  become: yes
+  tasks:
+    - name: Check if Zabbix proxy service is running
+      ansible.builtin.service_facts:
+
+    - name: Assert that Zabbix proxy is running
+      ansible.builtin.assert:
+        that:
+          - "ansible_facts.services['zabbix-proxy.service'].state == 'running'"
+        fail_msg: "Zabbix proxy is not running"
+        success_msg: "Zabbix proxy is running"