zabbix: Zabbix production configuration

inventory/group_vars/nagios

@@ -16,6 +16,7 @@ dns_external:
 exclude_iad2_hostgroups:
   - centos_ipa_client_stg
   - zabbix_stg
+  - zabbix
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
   - can_send:

inventory/group_vars/zabbix

@@ -0,0 +1,27 @@
+---
+# Define resources for this group of hosts here.
+csi_primary_contact: []
+csi_purpose: []
+csi_relationship: |
+  Test instance for zabbix server
+# For the MOTD
+csi_security_category: []
+deployment_type: stg
+ipa_client_shell_groups:
+  - fi-apprentice
+  - sysadmin-noc
+  - sysadmin-veteran
+  - sysadmin-web
+ipa_client_sudo_groups:
+  - sysadmin-noc
+ipa_host_group: zabbix
+ipa_host_group_desc: Zabbix Network Monitoring
+lvm_size: 100000
+mem_size: 24576
+nagios_Can_Connect: false
+nagios_Check_Services:
+  ping: false
+num_cpus: 4
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+tcp_ports: [80, 443]

inventory/group_vars/zabbix_stg

@@ -13,7 +13,7 @@ ipa_client_shell_groups:
   - sysadmin-veteran
   - sysadmin-web
 ipa_client_sudo_groups:
-  - sysadmin-web
+  - sysadmin-noc
 ipa_host_group: zabbix
 ipa_host_group_desc: Zabbix Network Monitoring
 lvm_size: 100000

inventory/host_vars/zabbix01.iad2.fedoraproject.org

@@ -0,0 +1,9 @@
+---
+datacenter: iad2
+eth0_ipv4_gw: 10.3.163.254
+eth0_ipv4_ip: 10.3.163.198
+eth0_nm: 255.255.255.0
+ks_repo: http://10.3.163.35/repo/rhel/RHEL9-x86_64/
+ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel
+vmhost: vmhost-x86-09.iad2.fedoraproject.org
+volgroup: /dev/vg_guests

inventory/inventory

@@ -623,6 +623,9 @@ smtp-mm-cc-rdu01.fedoraproject.org
 [smtp_auth]
 smtp-auth-cc-rdu01.fedoraproject.org
 
+[zabbix]
+zabbix01.iad2.fedoraproject.org
+
 [zabbix_stg]
 zabbix01.stg.iad2.fedoraproject.org
 

playbooks/groups/zabbix.yml

@@ -1,9 +1,9 @@
 - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml"
   vars:
-    myhosts: "zabbix_stg"
+    myhosts: "zabbix_stg:zabbix"
 
 - name: make the box be real
-  hosts: zabbix_stg
+  hosts: zabbix_stg #:zabbix
   user: root
   gather_facts: True
 

playbooks/include/proxies-reverseproxy.yml

@@ -50,6 +50,15 @@
     remotepath: /
     proxyurl: http://noc01.{{ datacenter }}.fedoraproject.org
 
+  - role: httpd/reverseproxy
+    website: zabbix.fedoraproject.org
+    destname: zabbix
+    remotepath: /
+    proxyurl: http://localhost:10068
+    keephost: true
+    header_scheme: true
+    tags: zabbix
+
   - role: httpd/reverseproxy
     website: zabbix.stg.fedoraproject.org
     destname: zabbix

playbooks/include/proxies-websites.yml

@@ -913,6 +913,13 @@
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
+  - role: httpd/website
+    site_name: zabbix.fedoraproject.org
+    sslonly: true
+    #server_aliases: [zabbix.fedoraproject.org]
+    cert_name: "{{wildcard_cert_name}}"
+    tags: zabbix
+
   - role: httpd/website
     site_name: zabbix.stg.fedoraproject.org
     sslonly: true

roles/ipsilon/templates/saml2_data

@@ -73,3 +73,8 @@ gitlab type = SP
 gitlab name = gitlab.com
 gitlab Allowed Attributes = ["email"]
 gitlab metadata = <?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_1b989820-b3a1-4fda-bed3-39c77422a44e' entityID='https://gitlab.com/groups/fedora' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.com/groups/fedora/-/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
+
+zabbix id = https://zabbix.fedoraproject.org
+zabbix type = SP
+zabbix name = Zabbix Production
+zabbix metadata = <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://zabbix.fedoraproject.org"><md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://zabbix.fedoraproject.org/index_sso.php?sls" /><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://zabbix.fedoraproject.org/index_sso.php?acs" index="0" /><md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Zabbix Dashboard</md:ServiceName><md:ServiceDescription xml:lang="en">Zabbix Monitoring Service</md:ServiceDescription><md:RequestedAttribute Name="uid" isRequired="true" /></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>

roles/rkhunter/templates/rkhunter.conf.j2

@@ -311,7 +311,7 @@ ALLOWHIDDENDIR=/etc/.java
 #
 # Allow the specified hidden files.
 # One file per line (use multiple ALLOWHIDDENFILE lines).
-# 
+#
 ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
 ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
 ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
@@ -398,7 +398,7 @@ ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
 {% if inventory_hostname in groups['retrace'] or inventory_hostname in groups['releng_compose'] or inventory_hostname in groups['releng_compose_stg'] %}
 ALLOWDEVFILE=/dev/shm/libpod_*
 {% endif %}
-{% if inventory_hostname in groups['dbserver'] or inventory_hostname in groups['dbserver_stg'] or inventory_hostname in groups['pkgs'] or inventory_hostname in groups['pagure'] or inventory_hostname in groups['pagure_stg'] or inventory_hostname in groups['zabbix_stg'] or inventory_hostname in groups['retrace'] %}
+{% if inventory_hostname in groups['dbserver'] or inventory_hostname in groups['dbserver_stg'] or inventory_hostname in groups['pkgs'] or inventory_hostname in groups['pagure'] or inventory_hostname in groups['pagure_stg'] or inventory_hostname in groups['zabbix'] or  inventory_hostname in groups['zabbix_stg'] or inventory_hostname in groups['retrace'] %}
 ALLOWDEVFILE=/dev/shm/PostgreSQL*
 {% endif %}
 
@@ -531,16 +531,16 @@ ALLOW_SYSLOG_REMOTE_LOGGING=1
 #
 APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
 
-# 
+#
 # Scan for suspicious files in directories containing temporary files and
 # directories posing a relatively higher risk due to user write access.
 # Please do not enable by default as suspscan is CPU and I/O intensive and prone to
 # producing false positives. Do review all settings before usage.
 # Also be aware that running suspscan in combination with verbose logging on,
 # RKH's default, will show all ignored files.
-# Please consider adding all directories the user the (web)server runs as has 
+# Please consider adding all directories the user the (web)server runs as has
 # write access to including the document root (example: "/var/www") and log
-# directories (example: "/var/log/httpd"). 
+# directories (example: "/var/log/httpd").
 #
 # A space-separated list of directories to scan.
 #
@@ -562,7 +562,7 @@ SUSPSCAN_MAXSIZE=10240000
 #
 # Score threshold. Below this value no hits will be reported.
 # A value of "200" seems "good" after testing on malware. Please adjust
-# locally if necessary. 
+# locally if necessary.
 #
 SUSPSCAN_THRESH=200