Manage zabbix host configuration via ansible

This currently deploys the same configuration we used to have apart from
some '127.0.0.1' IPs for the agent IP, but those were incorrect anyways.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

group_vars/all/vault_zabbix_server.yml

 $ANSIBLE_VAULT;1.1;AES256
-36636132396234633434643932613839373739633135656364333063393332336461383535333131
-3832326361306632396666346139396465333238323464340a386161393437326633633433626236
-38663666313562646232303364656664333533653230613731353264656163343733333236626230
-3836316233343664300a666633653561633862646562366466303133643938663265396666383932
-31303764373563626630346434396337613266323639653935336261316565613033636137353838
-62326530366536396464306538363733326461663166316561343161313732323164633036323662
-656161613861626338376130333230643363
+61653339306335306538306231313962623561373262383030306539383936633663316637623935
+6665353831643337386464393830646462613436336538660a663536303335313336386531346364
+66376536323135393934383666323962323337353462643662623462623639613835393133333464
+6361346465306533640a396431643435356264623865393662633632313039656431653639663335
+36303666643730636430346465353436366435353436666331366138333639613334353232646439
+31313532353237383964363965396238303739623731366236623035366238376134363564383838
+31313131393234623562633432306533336630363231666664623032656366623433633562373831
+33303333643532623231303661643764623264353737316539616137326133356464333065653538
+63333638613632373232356462356164303730643966346261626361333235633132623661663739
+61626130376430373566663065326335626464316631386161306663353365346462386263313039
+66616435343431643734653933353430343834633264643132613735363130663036636165613165
+33646230313839356637

group_vars/mirrors.yml

@@ -6,3 +6,8 @@ archweb_db_host: 'apollo.archlinux.org'
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
 tcp_wmem: "10240 87380 33554432"
+
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Syncrepo
+  - Template App Syncrepo Arch32

host_vars/apollo.archlinux.org

@@ -20,6 +20,19 @@ mysql_backup_defaults: "/root/.backup-my.cnf"
 
 kanboard_version: "v1.2.5"
 
+# TODO use a list of enabled roles or groups to enable each template and also use the same to enable each role for a machine? duplicating and manually tracking this stuff sucks, but maybe we want to deploy roles without monitoring? maybe not?
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Borg Backup
+  - Template App HTTP Service
+  - Template App HTTPS Service
+  - Template App MySQL
+  - Template App Nginx
+  - Template App Security Tracker
+  - Template App SMTP Service
+  - Template App SSH Service
+  - Template App Zabbix Server
+
 configure_firewall: true
 
 # this is needed to make ansible find the firewalld python

host_vars/luna.archlinux.org/misc

@@ -10,6 +10,12 @@ mysql_backup_defaults: "/root/.backup-my.cnf"
 vault_mariadb_users:
   root: "{{encrypted_mariadb_users_root_password}}"
 
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Mailman
+  - Template App MySQL
+  - Template App Nginx
+
 configure_firewall: true
 
 # this is needed to make ansible find the firewalld python

host_vars/nymeria.archlinux.org

@@ -15,5 +15,8 @@ archweb_server_email: 'archweb-dev@archlinux.org'
 archweb_domain: 'archweb-dev.archlinux.org'
 archweb_version: release_2018-11-23
 
+zabbix_agent_templates:
+  - Template OS Linux
+
 configure_firewall: true
 ansible_python_interpreter: /usr/bin/python3.7

host_vars/orion.archlinux.org/misc

@@ -17,6 +17,10 @@ tcp_wmem: "10240 87380 33554432"
 dns_servers: ["127.0.0.1"]
 mail_domain: "mail.archlinux.org"
 
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Borg Backup
+  - Template App Nginx
 configure_firewall: true
 
 # this is needed to make ansible find the firewalld python

host_vars/soyuz.archlinux.org

@@ -11,6 +11,11 @@ tcp_congestion_control: "bbr"
 filesystem: btrfs
 postgres_backup_dir: "/var/lib/postgres/backup"
 
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Borg Backup
+  - Template App Syncrepo
+
 configure_firewall: true
 
 # this is needed to make ansible find the firewalld python

host_vars/vostok.archlinux.org

@@ -9,6 +9,9 @@ ipv4_gateway: "5.9.158.161"
 ipv6_gateway: "fe80::1"
 filesystem: ext4
 
+zabbix_agent_templates:
+  - Template OS Linux
+
 configure_firewall: true
 
 # this is needed to make ansible find the firewalld python

roles/zabbix-agent/defaults/main.yml

 ---
 zabbix_agent_server: zabbix.archlinux.org
+zabbix_agent_ip: ""
+zabbix_agent_dns: "{{inventory_hostname}}"
+zabbix_agent_useip: 0
+# TODO set this as a default here once the value has been set correctly for each host. Otherwise we might remove templates from a host by accident
+#zabbix_agent_template: ['Template OS Linux']

roles/zabbix-agent/tasks/main.yml

@@ -23,6 +23,35 @@
 - name: fix permissions of PSK file
   file: path=/etc/zabbix/zabbix_agentd.psk owner=zabbix-agent group=zabbix-agent mode=600
 
+- name: fetch PSK
+  command: cat /etc/zabbix/zabbix_agentd.psk
+  check_mode: no
+  register: zabbix_agent_psk
+
+- name: Set host config in zabbix
+  local_action:
+    module: zabbix_host
+    server_url: "https://{{zabbix_agent_server}}"
+    login_user: "{{vault_zabbix_admin_user}}"
+    login_password: "{{vault_zabbix_admin_password}}"
+    host_name: "{{inventory_hostname}}"
+    visible_name: "{{inventory_hostname}}"
+    link_templates: "{{zabbix_agent_templates}}"
+    status: enabled
+    state: present
+    inventory_mode: disabled
+    interfaces:
+      - type: 1
+        main: 1
+        useip: "{{zabbix_agent_useip}}"
+        ip: "{{zabbix_agent_ip}}"
+        dns: "{{inventory_hostname}}"
+        port: 10050
+    tls_psk_identity: "PSK{{inventory_hostname}}"
+    tls_accept: 2
+    tls_connect: 2
+    tls_psk: "{{zabbix_agent_psk.stdout}}"
+
 - name: install agent config
   template: src=zabbix_agentd.conf dest=/etc/zabbix/zabbix_agentd.conf owner=zabbix-agent group=zabbix-agent mode=600
   notify: