diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios
index 326a9130b2..ab1bd14fe9 100644
--- a/inventory/group_vars/nagios
+++ b/inventory/group_vars/nagios
@@ -16,6 +16,7 @@ dns_external:
exclude_iad2_hostgroups:
- centos_ipa_client_stg
- zabbix_stg
+ - zabbix
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- can_send:
diff --git a/inventory/group_vars/zabbix b/inventory/group_vars/zabbix
new file mode 100644
index 0000000000..355b583ef5
--- /dev/null
+++ b/inventory/group_vars/zabbix
@@ -0,0 +1,27 @@
+---
+# Define resources for this group of hosts here.
+csi_primary_contact: []
+csi_purpose: []
+csi_relationship: |
+ Test instance for zabbix server
+# For the MOTD
+csi_security_category: []
+deployment_type: stg
+ipa_client_shell_groups:
+ - fi-apprentice
+ - sysadmin-noc
+ - sysadmin-veteran
+ - sysadmin-web
+ipa_client_sudo_groups:
+ - sysadmin-noc
+ipa_host_group: zabbix
+ipa_host_group_desc: Zabbix Network Monitoring
+lvm_size: 100000
+mem_size: 24576
+nagios_Can_Connect: false
+nagios_Check_Services:
+ ping: false
+num_cpus: 4
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+tcp_ports: [80, 443]
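Review bot: `deployment_type: stg` (and the `csi_relationship` text "Test instance for zabbix server") contradict the rest of the commit, which treats the new `zabbix` group as production (it is fronted by zabbix.fedoraproject.org and registered in ipsilon as "Zabbix Production"); any role that branches on `deployment_type` will configure zabbix01.iad2 as a staging box. If the group really is production, change it to the value the other production groups use, e.g. `deployment_type: prod`, and reword the CSI line to `Production instance for zabbix server`. If it is intentionally staging for now, say so in a comment above the key, since otherwise the next reader will assume a copy-paste leftover from `zabbix_stg`.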
diff --git a/inventory/group_vars/zabbix_stg b/inventory/group_vars/zabbix_stg
index 91540eeefa..510c07f0bd 100644
--- a/inventory/group_vars/zabbix_stg
+++ b/inventory/group_vars/zabbix_stg
@@ -13,7 +13,7 @@ ipa_client_shell_groups:
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- - sysadmin-web
+ - sysadmin-noc
ipa_host_group: zabbix
ipa_host_group_desc: Zabbix Network Monitoring
lvm_size: 100000
diff --git a/inventory/host_vars/zabbix01.iad2.fedoraproject.org b/inventory/host_vars/zabbix01.iad2.fedoraproject.org
new file mode 100644
index 0000000000..348b30ef5d
--- /dev/null
+++ b/inventory/host_vars/zabbix01.iad2.fedoraproject.org
@@ -0,0 +1,9 @@
+---
+datacenter: iad2
+eth0_ipv4_gw: 10.3.163.254
+eth0_ipv4_ip: 10.3.163.198
+eth0_nm: 255.255.255.0
+ks_repo: http://10.3.163.35/repo/rhel/RHEL9-x86_64/
+ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel
+vmhost: vmhost-x86-09.iad2.fedoraproject.org
+volgroup: /dev/vg_guests
diff --git a/inventory/inventory b/inventory/inventory
index 0363386c67..367bfeb8ec 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -623,6 +623,9 @@ smtp-mm-cc-rdu01.fedoraproject.org
[smtp_auth]
smtp-auth-cc-rdu01.fedoraproject.org
+[zabbix]
+zabbix01.iad2.fedoraproject.org
+
[zabbix_stg]
zabbix01.stg.iad2.fedoraproject.org
diff --git a/playbooks/groups/zabbix.yml b/playbooks/groups/zabbix.yml
index af580a6067..c101698de0 100644
--- a/playbooks/groups/zabbix.yml
+++ b/playbooks/groups/zabbix.yml
@@ -1,9 +1,9 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml"
vars:
- myhosts: "zabbix_stg"
+ myhosts: "zabbix_stg:zabbix"
- name: make the box be real
- hosts: zabbix_stg
+ hosts: zabbix_stg #:zabbix
user: root
gather_facts: True
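Review bot: With `hosts: zabbix_stg #:zabbix` the production host is created by the virt-create include (`myhosts: "zabbix_stg:zabbix"`) but the configuration play never runs against it, so zabbix01.iad2.fedoraproject.org will exist as a fresh VM with none of the base/hardening roles applied while the proxy hunks in proxies-reverseproxy.yml and proxies-websites.yml already publish a hostname for it. Either include it now (`hosts: zabbix_stg:zabbix`) or explain the staged rollout in a comment on that line, e.g. `# zabbix (prod) deliberately excluded until the server role is ready for it`, so the gap is visible rather than looking like a forgotten edit. The play continues past the end of this hunk.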
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 570b04af83..e6539d8626 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -50,6 +50,15 @@
remotepath: /
proxyurl: http://noc01.{{ datacenter }}.fedoraproject.org
+ - role: httpd/reverseproxy
+ website: zabbix.fedoraproject.org
+ destname: zabbix
+ remotepath: /
+ proxyurl: http://localhost:10068
+ keephost: true
+ header_scheme: true
+ tags: zabbix
+
- role: httpd/reverseproxy
website: zabbix.stg.fedoraproject.org
destname: zabbix
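Review bot: `proxyurl: http://localhost:10068` is the only entry in view that points at a local port instead of a backend hostname like the noc01 entry just above, and nothing documents what listens on 10068 on the proxy or which host it forwards to; that makes the production mapping hard to audit and easy to break when ports are reassigned. Add a comment above the role entry, e.g. `# 10068: local forward to the zabbix (prod) backend — see the proxy's port-forward config`, naming the actual mechanism (I am inferring a tunnel or haproxy frontend; confirm). If the staging entry below uses the same pattern, give it the same comment.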
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 79b294b727..c98031742d 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -913,6 +913,13 @@
sslonly: true
cert_name: "{{wildcard_cert_name}}"
+ - role: httpd/website
+ site_name: zabbix.fedoraproject.org
+ sslonly: true
+ #server_aliases: [zabbix.fedoraproject.org]
+ cert_name: "{{wildcard_cert_name}}"
+ tags: zabbix
+
- role: httpd/website
site_name: zabbix.stg.fedoraproject.org
sslonly: true
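Review bot: The commented-out `#server_aliases: [zabbix.fedoraproject.org]` only repeats the `site_name` on the line above it, so it can never add anything even if uncommented; dead config in a production vhost list invites cargo-culting. Drop the line, or if an alias is actually planned, put the intended extra name there instead.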
diff --git a/roles/ipsilon/templates/saml2_data b/roles/ipsilon/templates/saml2_data
index a5c92c5b30..be2408543f 100644
--- a/roles/ipsilon/templates/saml2_data
+++ b/roles/ipsilon/templates/saml2_data
@@ -73,3 +73,8 @@ gitlab type = SP
gitlab name = gitlab.com
gitlab Allowed Attributes = ["email"]
gitlab metadata = urn:oasis:names:tc:SAML:2.0:nameid-format:persistentRequired attributes
+
+zabbix id = https://zabbix.fedoraproject.org
+zabbix type = SP
+zabbix name = Zabbix Production
+zabbix metadata = urn:oasis:names:tc:SAML:2.0:nameid-format:transientZabbix DashboardZabbix Monitoring Service
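Review bot: The new zabbix SP entry has no `zabbix Allowed Attributes = [...]` line, whereas the gitlab entry directly above restricts its release to `["email"]`; unless Ipsilon's default for an SP without that key is to release nothing, the production IdP will hand Zabbix every attribute it has for the user. Confirm the default and, if the intent is least-privilege release, add an explicit list with only what the Zabbix SAML login needs. The added `zabbix metadata = ...transientZabbix DashboardZabbix Monitoring Service` line also looks as though several configuration lines were joined in this rendering (the gitlab line shows the same artefact), so check that the committed file really has one key per line.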
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index 35977de966..fcd93f2b37 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -311,7 +311,7 @@ ALLOWHIDDENDIR=/etc/.java
#
# Allow the specified hidden files.
# One file per line (use multiple ALLOWHIDDENFILE lines).
-#
+#
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
@@ -398,7 +398,7 @@ ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
{% if inventory_hostname in groups['retrace'] or inventory_hostname in groups['releng_compose'] or inventory_hostname in groups['releng_compose_stg'] %}
ALLOWDEVFILE=/dev/shm/libpod_*
{% endif %}
-{% if inventory_hostname in groups['dbserver'] or inventory_hostname in groups['dbserver_stg'] or inventory_hostname in groups['pkgs'] or inventory_hostname in groups['pagure'] or inventory_hostname in groups['pagure_stg'] or inventory_hostname in groups['zabbix_stg'] or inventory_hostname in groups['retrace'] %}
+{% if inventory_hostname in groups['dbserver'] or inventory_hostname in groups['dbserver_stg'] or inventory_hostname in groups['pkgs'] or inventory_hostname in groups['pagure'] or inventory_hostname in groups['pagure_stg'] or inventory_hostname in groups['zabbix'] or inventory_hostname in groups['zabbix_stg'] or inventory_hostname in groups['retrace'] %}
ALLOWDEVFILE=/dev/shm/PostgreSQL*
{% endif %}
@@ -531,16 +531,16 @@ ALLOW_SYSLOG_REMOTE_LOGGING=1
#
APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
-#
+#
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
-# Please consider adding all directories the user the (web)server runs as has
+# Please consider adding all directories the user the (web)server runs as has
# write access to including the document root (example: "/var/www") and log
-# directories (example: "/var/log/httpd").
+# directories (example: "/var/log/httpd").
#
# A space-separated list of directories to scan.
#
@@ -562,7 +562,7 @@ SUSPSCAN_MAXSIZE=10240000
#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
-# locally if necessary.
+# locally if necessary.
#
SUSPSCAN_THRESH=200