diff --git a/playbooks/groups/zabbix.yml b/playbooks/groups/zabbix.yml index e209667873..2b7bb2012c 100644 --- a/playbooks/groups/zabbix.yml +++ b/playbooks/groups/zabbix.yml @@ -2,42 +2,20 @@ vars: myhosts: "zabbix_stg" + - name: make the box be real hosts: zabbix_stg user: root - gather_facts: True + gather_facts: false vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - base - - rkhunter - - hosts - - ipa/client - - role: keytab/service - owner_user: apache - owner_group: apache - service: HTTP - host: "zabbix{{env_suffix}}.fedoraproject.org" - when: datacenter == 'iad2' - - role: keytab/service - owner_user: apache - owner_group: apache - service: HTTP - host: "zabbix-external{{env_suffix}}.fedoraproject.org" - when: datacenter != 'iad2' - - collectd/base - - apache - - sudo - - pre_tasks: - - import_tasks: "{{ tasks_path }}/yumrepos.yml" + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - - import_tasks: "{{ tasks_path }}/motd.yml" + - name: Run the zabbix_server Role + include_role: + name: zabbix/zabbix_server + tasks_from: main - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" diff --git a/roles/zabbix/zabbix_server/defaults/main.yml b/roles/zabbix/zabbix_server/defaults/main.yml new file mode 100644 index 0000000000..53f3efe020 --- /dev/null +++ b/roles/zabbix/zabbix_server/defaults/main.yml 
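Review bot: `gather_facts: false` is set on the play in playbooks/groups/zabbix.yml while `vars_files` still loads `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`. `ansible_distribution` is a gathered fact, so unless facts are cached from an earlier play this entry will likely fail as undefined; either keep fact gathering on or drop the distribution-specific vars file. The same hunk removes the `base`, `rkhunter`, `hosts`, `ipa/client` and `sudo` roles and both `keytab/service` entries, so the staging host no longer gets whatever baseline and identity configuration those roles carried. If that is deliberate while the new role is developed, say so in the play, e.g. `# base/ipa/sudo roles intentionally omitted until zabbix/zabbix_server is complete`.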
@@ -0,0 +1,19 @@
+---
+# defaults file for zabbix-server
+# DB settings
+zabbix_db_type: POSTGRESQL # OVERRIDE
+zabbix_db_host: localhost # OVERRIDE
+zabbix_db_port: 0 # OVERRIDE
+zabbix_db_name: zabbix # OVERRIDE
+zabbix_db_user: zabbix # OVERRIDE
+zabbix_db_pass: zabbix # OVERRIDE
+
+zabbix_server_pkgs:
+ - zabbix-server-pgsql
+ - zabbix-web-pgsql
+ - zabbix-nginx-conf
+ - zabbix-sql-scripts
+ - zabbix-selinux-policy
+ - zabbix-agent
+ - postgresql-server
+
diff --git a/roles/zabbix/zabbix_server/files/alertscripts/.empty b/roles/zabbix/zabbix_server/files/alertscripts/.empty
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_ipv6_icmp.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_ipv6_icmp.sh
new file mode 100755
index 0000000000..a5547535c2
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_ipv6_icmp.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+#------------------------------------------------------------
+# zext_mirrorlist_check.sh
+# Script checks for mirrorlist.centos.org (needs to return a list for unknown countries
+#
+# Macro : {$MIRRORLIST_VHOST_IP} : if apache/httpd not running on the default ip, specify it at the host level in zabbix
+#------------------------------------------------------------
+
+host=$1
+is_ipv6=$(dig +short -t AAAA ${host}|wc -l)
+
+
+
+if [ "$is_ipv6" -eq "0" ] ;then
+ echo 0
+else
+ ping6 -n -W 2 -q -c 1 $1 >/dev/null 2>&1 ; echo $?
+fi
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check.sh
new file mode 100755
index 0000000000..dcae0f70c4
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check.sh
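Review bot: `zabbix_db_pass: zabbix` in roles/zabbix/zabbix_server/defaults/main.yml gives the role a working, guessable database password whenever the override is forgotten, and the `# OVERRIDE` comment is the only guard. Removing the default, so that the value has to come from the private vars file the playbook already loads, makes the play fail loudly instead of deploying the shared default. A comment such as `# zabbix_db_pass has no default on purpose; set it in /srv/private/ansible/vars.yml` would record that intent.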
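Review bot: In zext_ipv6_icmp.sh the argument is expanded unquoted in `dig +short -t AAAA ${host}` and `ping6 ... $1`, so a host value containing whitespace or starting with `-` is split into extra arguments or read as an option. The value comes from the Zabbix item definition, so quote it and end option parsing where the tool allows, e.g. `ping6 -n -W 2 -q -c 1 -- "$host" >/dev/null 2>&1 ; echo $?`. The same `host=$1` pattern is used in the four `zext_mirrorlist_check*.sh` scripts, where it sits inside a quoted URL but is still unvalidated. The header comment here, and in the `_country`, `_number` and `_time` variants, still names `zext_mirrorlist_check.sh`; for this file it should read along the lines of `# zext_ipv6_icmp.sh - prints 0 if the host has no AAAA record, otherwise the ping6 exit status`.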
@@ -0,0 +1,14 @@
+#!/bin/bash
+#------------------------------------------------------------
+# zext_mirrorlist_check.sh
+# Script checks for mirrorlist.centos.org (needs to return a list for unknown countries
+#
+# Macro : {$MIRRORLIST_VHOST_IP} : if apache/httpd not running on the default ip, specify it at the host level in zabbix
+#------------------------------------------------------------
+
+host=$1
+
+ export host_to_check=${host}
+
+
+ curl --silent -4 -H 'Host: mirrorlist.centos.org' "http://${host_to_check}/?repo=os&release=7&arch=x86_64&cc=unknown"|grep -q "os/x86_64" && echo $? || echo $?
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_country.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_country.sh
new file mode 100755
index 0000000000..17f5519def
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_country.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+#------------------------------------------------------------
+# zext_mirrorlist_check.sh
+# Script checks for mirrorlist.centos.org (needs to return a list for unknown countries
+#
+# Macro : {$MIRRORLIST_VHOST_IP} : if apache/httpd not running on the default ip, specify it at the host level in zabbix
+#------------------------------------------------------------
+
+host=$1
+
+export host_to_check=${host}
+
+curl --silent -H 'Host: mirrorlist.centos.org' "http://${host_to_check}/?release=7&arch=x86_64&repo=os&cc=nl"|grep -q '.nl/' && echo $? || echo $?
+
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_number.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_number.sh
new file mode 100755
index 0000000000..9aa956bf05
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_number.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+#------------------------------------------------------------
+# zext_mirrorlist_check.sh
+# Script checks for mirrorlist.centos.org (needs to return a list of mirrors)
+#
+# Macro : {$MIRRORLIST_VHOST_IP} : if apache/httpd not running on the default ip, specify it at the host level in zabbix
+#------------------------------------------------------------
+
+host=$1
+
+ export host_to_check=${host}
+
+curl --silent -H 'Host: mirrorlist.centos.org' "http://${host_to_check}/?repo=os&release=7&arch=x86_64"|wc -l
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_time.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_time.sh
new file mode 100755
index 0000000000..8dfd605936
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_mirrorlist_check_time.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+#------------------------------------------------------------
+# zext_mirrorlist_check.sh
+# Script checks for mirrorlist.centos.org : response time
+# Macro : {$MIRRORLIST_VHOST_IP} : if apache/httpd not running on the default ip, specify it at the host level in zabbix
+#------------------------------------------------------------
+
+host=$1
+
+export host_to_check=${host}
+
+curl --silent -w "%{time_total}" -H 'Host: mirrorlist.centos.org' "http://${host_to_check}/?repo=os&release=7&arch=x86_64" -o /dev/null
+
diff --git a/roles/zabbix/zabbix_server/files/externalscripts/zext_ssl_cert.sh b/roles/zabbix/zabbix_server/files/externalscripts/zext_ssl_cert.sh
new file mode 100755
index 0000000000..c68b004c0e
--- /dev/null
+++ b/roles/zabbix/zabbix_server/files/externalscripts/zext_ssl_cert.sh
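Review bot: In zext_mirrorlist_check_number.sh, `curl --silent ... |wc -l` counts the lines of whatever body comes back, so an HTTP error page is reported as a non-zero number of mirrors. Adding `--fail` makes curl print nothing on an HTTP error status and `--max-time` bounds the call, e.g. `curl --silent --fail --max-time 3 -H 'Host: mirrorlist.centos.org' ...`. zext_mirrorlist_check_time.sh has the same gap: with `-w "%{time_total}"` and no status check, a fast error response would presumably still be recorded as a healthy response time.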
@@ -0,0 +1,51 @@
+#!/bin/sh
+#------------------------------------------------------------
+# zext_ssl_cert.sh
+# Script checks for number of days until certificate expires or the issuing authority
+# depending on switch passed on command line.
+#------------------------------------------------------------
+
+DEBUG=0
+if [ $DEBUG -gt 0 ]
+then
+ exec 2>>/tmp/my.log
+ set -x
+fi
+
+f=$1
+host=$2
+port=$3
+
+case $f in
+-d)
+end_date=`openssl s_client -host $host -port $port -showcerts /dev/null |
+ sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
+ openssl x509 -text 2>/dev/null |
+ sed -n 's/ *Not After : *//p'`
+
+if [ -n "$end_date" ]
+then
+ end_date_seconds=`date '+%s' --date "$end_date"`
+ now_seconds=`date '+%s'`
+ echo "($end_date_seconds-$now_seconds)/24/3600" | bc
+fi
+;;
+
+-i)
+issue_dn=`openssl s_client -host $host -port $port -showcerts /dev/null |
+ sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
+ openssl x509 -text 2>/dev/null |
+ sed -n 's/ *Issuer: *//p'`
+
+if [ -n "$issue_dn" ]
+then
+ issuer=`echo $issue_dn | sed -n 's/.*CN=*//p'`
+ echo $issuer
+fi
+;;
+*)
+echo "usage: $0 [-i|-d] hostname port"
+echo " -i Show Issuer"
+echo " -d Show valid days remaining"
+;;
+esac
diff --git a/roles/zabbix/zabbix_server/tasks/db.yml b/roles/zabbix/zabbix_server/tasks/db.yml
new file mode 100644
index 0000000000..83f5df1306
--- /dev/null
+++ b/roles/zabbix/zabbix_server/tasks/db.yml
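Review bot: In zext_ssl_cert.sh, `$host` and `$port` go unquoted into `openssl s_client -host $host -port $port`, so a value with whitespace or a leading `-` becomes extra s_client arguments. Quote both, and consider adding `-servername "$host"` so that name-based virtual hosts return the certificate actually being monitored. The debug branch appends stderr to the fixed path `/tmp/my.log`; if `DEBUG` is ever switched on, a file or symlink pre-created at that path in a world-writable directory decides where the trace is written, so a path under the Zabbix log directory is safer. When the TLS connection fails, the `-d` and `-i` branches print nothing at all; a header comment stating that an empty result means "could not fetch certificate" would help whoever writes the trigger.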
@@ -0,0 +1,45 @@
+---
+
+- name: Run the postgresql-setup initdb command
+ ansible.builtin.shell: postgresql-setup initdb
+ args:
+ executable: /bin/bash
+ tags:
+ - db-configure
+
+# db needs to be running at this step
+- name: Ensuring postgresql server is started
+ ansible.builtin.service:
+ name: postgresql
+ state: reloaded
+ enabled: True
+ tags:
+ - zabbix-services
+
+- name: Configure the zabbix db user
+ ansible.builtin.shell: |
+ sudo -u postgres createuser --pwprompt {{ zabbix_db_user }}
+
+ expect "Enter password for new role: "
+ send "{{ zabbix_db_pass }}\n"
+
+ exit 0
+ args:
+ executable: /usr/bin/expect
+ tags:
+ - db-configure
+
+- name: Configure the zabbix db
+ ansible.builtin.shell: "sudo -u postgres createdb -O {{ zabbix_db_user }} {{ zabbix_db_name }}"
+ args:
+ executable: /bin/bash
+ tags:
+ - db-configure
+
+- name: Import the zabbix db schemas
+ ansible.builtin.shell: "zcat /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql zabbix"
+ args:
+ executable: /bin/bash
+ tags:
+ - db-configure
+
diff --git a/roles/zabbix/zabbix_server/tasks/install.yml b/roles/zabbix/zabbix_server/tasks/install.yml
new file mode 100644
index 0000000000..72369d1851
--- /dev/null
+++ b/roles/zabbix/zabbix_server/tasks/install.yml
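Review bot: The "Configure the zabbix db user" task in tasks/db.yml interpolates `{{ zabbix_db_pass }}` into the script body without `no_log: true`, so the password can appear in Ansible output and logs when the task fails or runs verbosely. The inline expect script also calls `sudo ... createuser` without `spawn`, which a non-interactive expect run would likely reject as an unknown command, so this step looks untested. None of the shell tasks is idempotent: a second run repeats `postgresql-setup initdb`, `createuser`, `createdb` and the schema import. Adding `creates: /var/lib/pgsql/data/PG_VERSION` under `args:` on the initdb task and guarding the others (or using the PostgreSQL user and database modules, if that collection is available here) would make reruns safe. The import task hard-codes `sudo -u zabbix psql zabbix` instead of `{{ zabbix_db_user }}` and `{{ zabbix_db_name }}`, so overriding the defaults breaks it.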
@@ -0,0 +1,77 @@
+---
+# tasks file for zabbix-server
+# Install guide: Zabbix 6 LTS, postgres and nginx:
+# https://www.zabbix.com/download?zabbix=6.0&os_distribution=red_hat_enterprise_linux&os_version=9&components=server_frontend_agent&db=pgsql&ws=nginx
+
+- name: Configure the EPEL repository
+ ansible.builtin.yum_repository:
+ name: epel
+ description: "Extras Packages for Enterprise Linux $releasever - $basearch"
+ enabled: true
+ gpgcheck: true
+ baseurl: "http://infrastructure.fedoraproject.org/pub/epel/9/Everything/$basearch/"
+ gpgkey: "http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9"
+ exclude: "zabbix*"
+ tags:
+ - configure-dnf
+
+- name: Install the zabbix rpm
+ ansible.builtin.dnf:
+ name: 'https://repo.zabbix.com/zabbix/6.0/rhel/9/x86_64/zabbix-release-6.0-4.el9.noarch.rpm'
+ state: present
+ tags:
+ - packages
+
+- name: Installing required pkgs for Zabbix
+ ansible.builtin.dnf:
+ name: "{{ zabbix_server_pkgs }}"
+ state: latest
+ tags:
+ - packages
+
+- name: Configuring postgres server
+ ansible.builtin.template:
+ src: pg_hba.conf.j2
+ dest: /var/lib/pgsql/data/pg_hba.conf
+ mode: 0600
+ tags:
+ - zabbix-configuration
+
+- name: Configuring zabbix server
+ ansible.builtin.template:
+ src: zabbix_server.conf.j2
+ dest: /etc/zabbix/zabbix_server.conf
+ mode: 0600
+ tags:
+ - zabbix-configuration
+
+- name: Configure Zabbix web UI
+ ansible.builtin.template:
+ src: zabbix.conf.php.j2
+ dest: /etc/zabbix/web/zabbix.conf.php
+ mode: 0600
+ owner: nginx
+ group: nginx
+ tags:
+ - zabbix-configuration
+
+- name: Configure nginx nginx.conf
+ ansible.builtin.template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ mode: 0644
+ owner: nginx
+ group: nginx
+ tags:
+ - zabbix-configuration
+
+- name: Configure nginx conf.d/zabbix.conf
+ ansible.builtin.template:
+ src: nginx_zabbix.conf.j2
+ dest: /etc/nginx/conf.d/zabbix.conf
+ mode: 0644
+ owner: nginx
+ group: nginx
+ tags:
+ - zabbix-configuration
+
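Review bot: In tasks/install.yml the EPEL `baseurl` and `gpgkey` are both `http://`, and a signing key fetched over plain HTTP can be replaced in transit together with the packages it is meant to verify, which undermines `gpgcheck: true`. Point `gpgkey` at an `https://` URL or at a key file already on the host. The two nginx tasks use `src: nginx.conf.j2` and `src: nginx_zabbix.conf.j2`, but this commit adds the files as `templates/nginx.conf` and `templates/nginx_zabbix.conf`, so those tasks will not find their source as written. `zabbix_server.conf` and `pg_hba.conf` are written with `mode: 0600` and no `owner`/`group`, so they end up owned by the connecting user (root in this play) and the service accounts may be unable to read them. Quoting the modes, `mode: "0600"`, also avoids relying on YAML octal parsing.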
diff --git a/roles/zabbix/zabbix_server/tasks/main.yml b/roles/zabbix/zabbix_server/tasks/main.yml
new file mode 100644
index 0000000000..a53cfce7b5
--- /dev/null
+++ b/roles/zabbix/zabbix_server/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include_tasks: install.yml
+- include_tasks: db.yml
+# - include_tasks: plugins.yml
+- include_tasks: start_services.yml
+
diff --git a/roles/zabbix/zabbix_server/tasks/plugins.yml b/roles/zabbix/zabbix_server/tasks/plugins.yml
new file mode 100644
index 0000000000..8bc807947a
--- /dev/null
+++ b/roles/zabbix/zabbix_server/tasks/plugins.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for zabbix-server
+# Contains the task for external scripts or alertscripts
+# Can be included on proxies automatically too
+
+# Custom zabbix scripts
+- name: Importing zabbix scripts
+ copy:
+ src: "{{ item }}"
+ dest: /usr/lib/zabbix/
+ mode: 0755
+ with_items:
+ - alertscripts
+ - externalscripts
+ tags:
+ - plugin-scripts
+
diff --git a/roles/zabbix/zabbix_server/tasks/start_services.yml b/roles/zabbix/zabbix_server/tasks/start_services.yml
new file mode 100644
index 0000000000..f42163850e
--- /dev/null
+++ b/roles/zabbix/zabbix_server/tasks/start_services.yml
@@ -0,0 +1,33 @@
+---
+- name: Ensuring Zabbix server is started
+ ansible.builtin.service:
+ name: zabbix-server
+ state: reloaded
+ enabled: True
+ tags:
+ zabbix-services
+
+- name: Ensuring Zabbix agent is started
+ ansible.builtin.service:
+ name: zabbix-agent
+ state: reloaded
+ enabled: True
+ tags:
+ zabbix-services
+
+- name: Ensuring nginx server is started
+ ansible.builtin.service:
+ name: nginx
+ state: reloaded
+ enabled: True
+ tags:
+ zabbix-services
+
+- name: Ensuring php-fpm service is started
+ ansible.builtin.service:
+ name: php-fpm
+ state: reloaded
+ enabled: True
+ tags:
+ zabbix-services
+
diff --git a/roles/zabbix/zabbix_server/templates/nginx.conf b/roles/zabbix/zabbix_server/templates/nginx.conf
new file mode 100644
index 0000000000..763fdee31e
--- /dev/null
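Review bot: tasks/main.yml includes install.yml before db.yml, and install.yml templates `/var/lib/pgsql/data/pg_hba.conf` before `postgresql-setup initdb` has created the cluster. initdb normally refuses a non-empty data directory, so the template task probably belongs after the initdb step in db.yml, followed by a reload of postgresql. With `# - include_tasks: plugins.yml` commented out, none of the external scripts added in this commit are deployed. A short comment on that line, e.g. `# plugins.yml disabled until the external scripts are reviewed`, would stop it being re-enabled by accident.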
+++ b/roles/zabbix/zabbix_server/templates/nginx.conf 
@@ -0,0 +1,84 @@ +# For more information on configuration, see: +# * Official English Documentation: http://nginx.org/en/docs/ +# * Official Russian Documentation: http://nginx.org/ru/docs/ + +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 4096; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + +# server { +# listen 80; +# listen [::]:80; +# server_name _; +# root /usr/share/nginx/html; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# error_page 404 /404.html; +# location = /404.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } + +# Settings for a TLS enabled server. +# +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name _; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/pki/nginx/server.crt"; +# ssl_certificate_key "/etc/pki/nginx/private/server.key"; +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 10m; +# ssl_ciphers PROFILE=SYSTEM; +# ssl_prefer_server_ciphers on; +# +# # Load configuration files for the default server block. 
+# include /etc/nginx/default.d/*.conf; +# +# error_page 404 /404.html; +# location = /40x.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } + +} + diff --git a/roles/zabbix/zabbix_server/templates/nginx_zabbix.conf b/roles/zabbix/zabbix_server/templates/nginx_zabbix.conf new file mode 100644 index 0000000000..7145dfe2fa --- /dev/null +++ b/roles/zabbix/zabbix_server/templates/nginx_zabbix.conf @@ -0,0 +1,61 @@ +server { + listen 80; + server_name _; + + root /usr/share/zabbix; + + index index.php; + + location = /favicon.ico { + log_not_found off; + } + + location / { + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /\.ht { + deny all; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + + location /vendor { + deny all; + return 404; + } + + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/run/php-fpm/zabbix.sock; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } +} diff --git a/roles/zabbix/zabbix_server/templates/pg_hba.conf.j2 b/roles/zabbix/zabbix_server/templates/pg_hba.conf.j2 new file mode 100644 index 0000000000..d0d07489a0 --- /dev/null +++ b/roles/zabbix/zabbix_server/templates/pg_hba.conf.j2 
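Review bot: The server block in templates/nginx_zabbix.conf only has `listen 80;`, so frontend logins and session cookies travel in cleartext unless a TLS-terminating proxy sits in front of this host, which the diff does not show. If nginx is the edge, add a `listen 443 ssl;` server with the certificate paths and redirect port 80 to it. If a proxy terminates TLS, a comment such as `# TLS is terminated at the proxy layer; this vhost must only be reachable from the proxies`, together with an address restriction, would document and enforce that. `server_name _;` also makes this block answer for any Host header.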
@@ -0,0 +1,94 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a +# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a +# non-GSSAPI socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. 
A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. 
+ + + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer +# IPv4 local connections: +host all all 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 md5 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all peer +host replication all 127.0.0.1/32 ident +host replication all ::1/128 ident + diff --git a/roles/zabbix/zabbix_server/templates/zabbix.conf.php.j2 b/roles/zabbix/zabbix_server/templates/zabbix.conf.php.j2 new file mode 100644 index 0000000000..5ee5d0b5a7 --- /dev/null +++ b/roles/zabbix/zabbix_server/templates/zabbix.conf.php.j2 @@ -0,0 +1,56 @@ + 'http://localhost:9200', +// 'text' => 'http://localhost:9200' +//]; +// Value types stored in Elasticsearch. +//$HISTORY['types'] = ['uint', 'text']; + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +//$SSO['SP_KEY'] = 'conf/certs/sp.key'; +//$SSO['SP_CERT'] = 'conf/certs/sp.crt'; +//$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; +//$SSO['SETTINGS'] = []; + + diff --git a/roles/zabbix/zabbix_server/templates/zabbix_server.conf.j2 b/roles/zabbix/zabbix_server/templates/zabbix_server.conf.j2 new file mode 100644 index 0000000000..b641fa5ed6 --- /dev/null +++ b/roles/zabbix/zabbix_server/templates/zabbix_server.conf.j2 
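Review bot: The two `host all all ... md5` records in templates/pg_hba.conf.j2 let any database role authenticate to any database over loopback with MD5 password hashing, while only the Zabbix role needs TCP access. Narrowing them to the role's own database and user, `host {{ zabbix_db_name }} {{ zabbix_db_user }} 127.0.0.1/32 scram-sha-256` and the `::1/128` twin, tightens this. Switching to `scram-sha-256` requires `password_encryption` to be set accordingly before the role's password is created, otherwise logins fail. The file is shipped as a `.j2` template but currently contains no variables, which the change above would also resolve.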
@@ -0,0 +1,992 @@ +# This is a configuration file for Zabbix server daemon +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: ListenPort +# Listen port for trapper. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10051 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile=/var/log/zabbix/zabbix_server.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +LogFileSize=0 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_server.pid + +PidFile=/run/zabbix/zabbix_server.pid + +### Option: SocketDir +# IPC socket directory. +# Directory to store IPC sockets used by internal Zabbix services. +# +# Mandatory: no +# Default: +# SocketDir=/tmp + +SocketDir=/run/zabbix + +### Option: DBHost +# Database host name. +# If set to localhost, socket is used for MySQL. +# If set to empty string, socket is used for PostgreSQL. 
+# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see +# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located. +# +# Mandatory: no +# Default: +DBHost={{ zabbix_db_host }} + +### Option: DBName +# Database name. +# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from +# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to +# empty string. +# +# Mandatory: yes +# Default: +# DBName= + +DBName={{ zabbix_db_name }} + +### Option: DBSchema +# Schema name. Used for PostgreSQL. +# +# Mandatory: no +# Default: +# DBSchema= + +### Option: DBUser +# Database user. +# +# Mandatory: no +# Default: +# DBUser= + +DBUser={{ zabbix_db_user }} + +### Option: DBPassword +# Database password. +# Comment this line if no password is used. +# +# Mandatory: no +# Default: +DBPassword={{ zabbix_db_pass }} + +### Option: DBSocket +# Path to MySQL socket. +# +# Mandatory: no +# Default: +# DBSocket= + +### Option: DBPort +# Database port when not using local socket. +# If the Net Service Name connection method is used to connect to Oracle database, the port number from the +# tnsnames.ora file will be used. The port number set here will be ignored. +# +# Mandatory: no +# Range: 1024-65535 +# Default: +# DBPort= + +### Option: AllowUnsupportedDBVersions +# Allow server to work with unsupported database versions. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowUnsupportedDBVersions=0 + +### Option: HistoryStorageURL +# History storage HTTP[S] URL. +# +# Mandatory: no +# Default: +# HistoryStorageURL= + +### Option: HistoryStorageTypes +# Comma separated list of value types to be sent to the history storage. 
+# +# Mandatory: no +# Default: +# HistoryStorageTypes=uint,dbl,str,log,text + +### Option: HistoryStorageDateIndex +# Enable preprocessing of history values in history storage to store values in different indices based on date. +# 0 - disable +# 1 - enable +# +# Mandatory: no +# Default: +# HistoryStorageDateIndex=0 + +### Option: ExportDir +# Directory for real time export of events, history and trends in newline delimited JSON format. +# If set, enables real time export. +# +# Mandatory: no +# Default: +# ExportDir= + +### Option: ExportFileSize +# Maximum size per export file in bytes. +# Only used for rotation if ExportDir is set. +# +# Mandatory: no +# Range: 1M-1G +# Default: +# ExportFileSize=1G + +### Option: ExportType +# List of comma delimited types of real time export - allows to control export entities by their +# type (events, history, trends) individually. +# Valid only if ExportDir is set. +# +# Mandatory: no +# Default: +# ExportType=events,history,trends + +############ ADVANCED PARAMETERS ################ + +### Option: StartPollers +# Number of pre-forked instances of pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollers=5 + +### Option: StartIPMIPollers +# Number of pre-forked instances of IPMI pollers. +# The IPMI manager process is automatically started when at least one IPMI poller is started. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartIPMIPollers=0 + +### Option: StartPreprocessors +# Number of pre-forked instances of preprocessing workers. +# The preprocessing manager process is automatically started when preprocessor worker is started. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartPreprocessors=3 + +### Option: StartPollersUnreachable +# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). +# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers +# are started. 
+# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollersUnreachable=1 + +### Option: StartHistoryPollers +# Number of pre-forked instances of history pollers. +# Only required for calculated and internal checks. +# A database connection is required for each history poller instance. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHistoryPollers=5 + +### Option: StartTrappers +# Number of pre-forked instances of trappers. +# Trappers accept incoming connections from Zabbix sender, active agents and active proxies. +# At least one trapper process must be running to display server availability and view queue +# in the frontend. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartTrappers=5 + +### Option: StartPingers +# Number of pre-forked instances of ICMP pingers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPingers=1 + +### Option: StartDiscoverers +# Number of pre-forked instances of discoverers. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartDiscoverers=1 + +### Option: StartHTTPPollers +# Number of pre-forked instances of HTTP pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHTTPPollers=1 + +### Option: StartTimers +# Number of pre-forked instances of timers. +# Timers process maintenance periods. +# Only the first timer process handles host maintenance updates. Problem suppression updates are shared +# between all timers. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartTimers=1 + +### Option: StartEscalators +# Number of pre-forked instances of escalators. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartEscalators=1 + +### Option: StartAlerters +# Number of pre-forked instances of alerters. +# Alerters send the notifications created by action operations. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartAlerters=3 + +### Option: JavaGateway +# IP address (or hostname) of Zabbix Java gateway. +# Only required if Java pollers are started. 
+# +# Mandatory: no +# Default: +# JavaGateway= + +### Option: JavaGatewayPort +# Port that Zabbix Java gateway listens on. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# JavaGatewayPort=10052 + +### Option: StartJavaPollers +# Number of pre-forked instances of Java pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartJavaPollers=0 + +### Option: StartVMwareCollectors +# Number of pre-forked vmware collector instances. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartVMwareCollectors=0 + +### Option: VMwareFrequency +# How often Zabbix will connect to VMware service to obtain a new data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwareFrequency=60 + +### Option: VMwarePerfFrequency +# How often Zabbix will connect to VMware service to obtain performance data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwarePerfFrequency=60 + +### Option: VMwareCacheSize +# Size of VMware cache, in bytes. +# Shared memory size for storing VMware data. +# Only used if VMware collectors are started. +# +# Mandatory: no +# Range: 256K-2G +# Default: +# VMwareCacheSize=8M + +### Option: VMwareTimeout +# Specifies how many seconds vmware collector waits for response from VMware service. +# +# Mandatory: no +# Range: 1-300 +# Default: +# VMwareTimeout=10 + +### Option: SNMPTrapperFile +# Temporary file used for passing data from SNMP trap daemon to the server. +# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. +# +# Mandatory: no +# Default: +# SNMPTrapperFile=/tmp/zabbix_traps.tmp + +SNMPTrapperFile=/var/log/snmptrap/snmptrap.log + +### Option: StartSNMPTrapper +# If 1, SNMP trapper process is started. +# +# Mandatory: no +# Range: 0-1 +# Default: +# StartSNMPTrapper=0 + +### Option: ListenIP +# List of comma delimited IP addresses that the trapper should listen on. +# Trapper will listen on all network interfaces if this parameter is missing. 
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: HousekeepingFrequency
+# How often Zabbix will perform housekeeping procedure (in hours).
+# Housekeeping is removing outdated information from the database.
+# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency
+# hours of outdated information are deleted in one housekeeping cycle, for each item.
+# To lower load on server startup housekeeping is postponed for 30 minutes after server start.
+# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option.
+# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the
+# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days.
+#
+# Mandatory: no
+# Range: 0-24
+# Default:
+# HousekeepingFrequency=1
+
+### Option: MaxHousekeeperDelete
+# The table "housekeeper" contains "tasks" for housekeeping procedure in the format:
+# [housekeeperid], [tablename], [field], [value].
+# No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value])
+# will be deleted per one task in one housekeeping cycle.
+# If set to 0 then no limit is used at all. In this case you must know what you are doing!
+#
+# Mandatory: no
+# Range: 0-1000000
+# Default:
+# MaxHousekeeperDelete=5000
+
+### Option: CacheSize
+# Size of configuration cache, in bytes.
+# Shared memory size for storing host, item and trigger data.
+#
+# Mandatory: no
+# Range: 128K-64G
+# Default:
+# CacheSize=32M
+
+### Option: CacheUpdateFrequency
+# How often Zabbix will perform update of configuration cache, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# CacheUpdateFrequency=60
+
+### Option: StartDBSyncers
+# Number of pre-forked instances of DB Syncers.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartDBSyncers=4
+
+### Option: HistoryCacheSize
+# Size of history cache, in bytes.
+# Shared memory size for storing history data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryCacheSize=16M
+
+### Option: HistoryIndexCacheSize
+# Size of history index cache, in bytes.
+# Shared memory size for indexing history cache.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# HistoryIndexCacheSize=4M
+
+### Option: TrendCacheSize
+# Size of trend write cache, in bytes.
+# Shared memory size for storing trends data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# TrendCacheSize=4M
+
+### Option: TrendFunctionCacheSize
+# Size of trend function cache, in bytes.
+# Shared memory size for caching calculated trend function data.
+#
+# Mandatory: no
+# Range: 128K-2G
+# Default:
+# TrendFunctionCacheSize=4M
+
+### Option: ValueCacheSize
+# Size of history value cache, in bytes.
+# Shared memory size for caching item history data requests.
+# Setting to 0 disables value cache.
+#
+# Mandatory: no
+# Range: 0,128K-64G
+# Default:
+# ValueCacheSize=8M
+
+### Option: Timeout
+# Specifies how long we wait for agent, SNMP device or external check (in seconds).
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+Timeout=4
+
+### Option: TrapperTimeout
+# Specifies how many seconds trapper may spend processing new data.
+#
+# Mandatory: no
+# Range: 1-300
+# Default:
+# TrapperTimeout=300
+
+### Option: UnreachablePeriod
+# After how many seconds of unreachability treat a host as unavailable.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachablePeriod=45
+
+### Option: UnavailableDelay
+# How often host is checked for availability during the unavailability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnavailableDelay=60
+
+### Option: UnreachableDelay
+# How often host is checked for availability during the unreachability period, in seconds.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# UnreachableDelay=15
+
+### Option: AlertScriptsPath
+# Full path to location of custom alert scripts.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# AlertScriptsPath=/usr/lib/zabbix/alertscripts
+
+### Option: ExternalScripts
+# Full path to location of external scripts.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# ExternalScripts=/usr/lib/zabbix/externalscripts
+
+### Option: FpingLocation
+# Location of fping.
+# Make sure that fping binary has root ownership and SUID flag set.
+#
+# Mandatory: no
+# Default:
+# FpingLocation=/usr/sbin/fping
+
+### Option: Fping6Location
+# Location of fping6.
+# Make sure that fping6 binary has root ownership and SUID flag set.
+# Make empty if your fping utility is capable to process IPv6 addresses.
+#
+# Mandatory: no
+# Default:
+# Fping6Location=/usr/sbin/fping6
+
+### Option: SSHKeyLocation
+# Location of public and private keys for SSH checks and actions.
+#
+# Mandatory: no
+# Default:
+# SSHKeyLocation=
+
+### Option: LogSlowQueries
+# How long a database query may take before being logged (in milliseconds).
+# Only works if DebugLevel set to 3, 4 or 5.
+# 0 - don't log slow queries.
+#
+# Mandatory: no
+# Range: 1-3600000
+# Default:
+# LogSlowQueries=0
+
+LogSlowQueries=3000
+
+### Option: TmpDir
+# Temporary directory.
+#
+# Mandatory: no
+# Default:
+# TmpDir=/tmp
+
+### Option: StartProxyPollers
+# Number of pre-forked instances of pollers for passive proxies.
+#
+# Mandatory: no
+# Range: 0-250
+# Default:
+# StartProxyPollers=1
+
+### Option: ProxyConfigFrequency
+# How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600*24*7
+# Default:
+# ProxyConfigFrequency=3600
+
+### Option: ProxyDataFrequency
+# How often Zabbix Server requests history data from a Zabbix Proxy in seconds.
+# This parameter is used only for proxies in the passive mode.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ProxyDataFrequency=1
+
+### Option: StartLLDProcessors
+# Number of pre-forked instances of low level discovery processors.
+#
+# Mandatory: no
+# Range: 1-100
+# Default:
+# StartLLDProcessors=2
+
+### Option: AllowRoot
+# Allow the server to run as 'root'. If disabled and the server is started by 'root', the server
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+# Include=/usr/local/etc/zabbix_server.general.conf
+# Include=/usr/local/etc/zabbix_server.conf.d/
+# Include=/usr/local/etc/zabbix_server.conf.d/*.conf
+
+### Option: SSLCertLocation
+# Location of SSL client certificates.
+# This parameter is used only in web monitoring.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# SSLCertLocation=${datadir}/zabbix/ssl/certs
+
+### Option: SSLKeyLocation
+# Location of private keys for SSL client certificates.
+# This parameter is used only in web monitoring.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# SSLKeyLocation=${datadir}/zabbix/ssl/keys
+
+### Option: SSLCALocation
+# Override the location of certificate authority (CA) files for SSL server certificate verification.
+# If not set, system-wide directory will be used.
+# This parameter is used in web monitoring, SMTP authentication, HTTP agent items and for communication with Vault.
+#
+# Mandatory: no
+# Default:
+# SSLCALocation=
+
+### Option: StatsAllowedIP
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances.
+# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests
+# will be accepted.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: no
+# Default:
+# StatsAllowedIP=
+StatsAllowedIP=127.0.0.1
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of server modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_server --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at server startup. Modules are used to extend functionality of the server.
+# Formats:
+# LoadModule=
+# LoadModule=
+# LoadModule=
+# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
+# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the server certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the server private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+### Option: DBTLSConnect
+# Setting this option enforces to use TLS connection to database.
+# required - connect using TLS
+# verify_ca - connect using TLS and verify certificate
+# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost
+# matches its certificate
+# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and
+# "verify_full".
+# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported.
+# Default is not to set any option and behavior depends on database configuration
+#
+# Mandatory: no
+# Default:
+# DBTLSConnect=
+
+### Option: DBTLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# (yes, if DBTLSConnect set to one of: verify_ca, verify_full)
+# Default:
+# DBTLSCAFile=
+
+### Option: DBTLSCertFile
+# Full pathname of file containing Zabbix server certificate for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSCertFile=
+
+### Option: DBTLSKeyFile
+# Full pathname of file containing the private key for authenticating to database.
+# Supported only for MySQL and PostgreSQL
+#
+# Mandatory: no
+# Default:
+# DBTLSKeyFile=
+
+### Option: DBTLSCipher
+# The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2
+# Supported only for MySQL
+#
+# Mandatory no
+# Default:
+# DBTLSCipher=
+
+### Option: DBTLSCipher13
+# The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol
+# Supported only for MySQL, starting from version 8.0.16
+#
+# Mandatory no
+# Default:
+# DBTLSCipher13=
+
+### Option: VaultToken
+# Vault authentication token that should have been generated exclusively for Zabbix server with read only permission
+# to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath
+# configuration parameter.
+# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time.
+#
+# Mandatory: no
+# Default:
+# VaultToken=
+
+### Option: VaultURL
+# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified.
+#
+# Mandatory: no
+# Default:
+# VaultURL=https://127.0.0.1:8200
+
+### Option: VaultDBPath
+# Vault path from where credentials for database will be retrieved by keys 'password' and 'username'.
+# Example: secret/zabbix/database
+# This option can only be used if DBUser and DBPassword are not specified.
+#
+# Mandatory: no
+# Default:
+# VaultDBPath=
+
+### Option: StartReportWriters
+# Number of pre-forked report writer instances.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartReportWriters=0
+
+### Option: WebServiceURL
+# URL to Zabbix web service, used to perform web related tasks.
+# Example: http://localhost:10053/report
+#
+# Mandatory: no
+# Default:
+# WebServiceURL=
+
+### Option: ServiceManagerSyncFrequency
+# How often Zabbix will synchronize configuration of a service manager (in seconds).
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ServiceManagerSyncFrequency=60
+
+### Option: ProblemHousekeepingFrequency
+# How often Zabbix will delete problems for deleted triggers (in seconds).
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# ProblemHousekeepingFrequency=60
+
+## Option: StartODBCPollers
+# Number of pre-forked ODBC poller instances.
+#
+# Mandatory: no
+# Range: 0-1000
+# Default:
+# StartODBCPollers=1
+
+####### For advanced users - TCP-related fine-tuning parameters #######
+
+## Option: ListenBacklog
+# The maximum number of pending connections in the queue. This parameter is passed to
+# listen() function as argument 'backlog' (see "man listen").
+#
+# Mandatory: no
+# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
+# Default: SOMAXCONN (hard-coded constant, depends on system)
+# ListenBacklog=
+
+
+####### High availability cluster parameters #######
+
+## Option: HANodeName
+# The high availability cluster node name.
+# When empty, server is working in standalone mode; a node with empty name is registered with address for the frontend to connect to.
+#
+# Mandatory: no
+# Default:
+# HANodeName=
+
+## Option: NodeAddress
+# IP or hostname with optional port to specify how frontend should connect to the server.
+# Format:
[:port]
+#
+# This option can be overridden by address specified in frontend configuration.
+#
+# Mandatory: no
+# Default:
+# NodeAddress=localhost:10051