diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 45bae97..76b8ce9 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -11,6 +11,8 @@ smtp_internal_host: 192.168.122.101 smtp_service_user: noreply smtp_service_pass: HISTORY_PURGED_SECRET +pki_domain: pki.atlantishq.de + # overwritten in monitoring master group var monitoring_master: false @@ -77,3 +79,15 @@ keycloak_clients: groups: "soundlib" master_address: "https://sounds.atlantishq.de" skips: + + pki: + party_secret : "HISTORY_PURGED_SECRET" + client_id: z_hashicorp_vault + client_secret: "HISTORY_PURGED_SECRET" + redirect_uris: + - "https://pki.atlantishq.de/*" + description: "PKI Vault" + keycloak_id: "00000000-0000-0000-0000-000000000004" + groups: "pki" + master_address: "https://pki.atlantishq.de" + skips: diff --git a/roles/vault-pki/files/hashicorp-archive-keyring.gpg b/roles/vault-pki/files/hashicorp-archive-keyring.gpg new file mode 100644 index 0000000..674dd40 Binary files /dev/null and b/roles/vault-pki/files/hashicorp-archive-keyring.gpg differ diff --git a/roles/vault-pki/files/hashicorp.list b/roles/vault-pki/files/hashicorp.list new file mode 100644 index 0000000..db4192e --- /dev/null +++ b/roles/vault-pki/files/hashicorp.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com bullseye main diff --git a/roles/vault-pki/tasks/main.yaml b/roles/vault-pki/tasks/main.yaml new file mode 100644 index 0000000..6c76215 --- /dev/null +++ b/roles/vault-pki/tasks/main.yaml 
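Review bot: `party_secret :` in the new `pki` client block has a space before the colon, unlike every other key in the file; YAML trims it so the key still reads `party_secret`, but write it as `party_secret: "HISTORY_PURGED_SECRET"` for consistency. The block also keeps `party_secret` and `client_secret` as plain group_vars values (the placeholder shows they have already had to be purged from history once); an `!vault` inline-encrypted value produced by `ansible-vault encrypt_string` would let the secret live in the repo as ciphertext only. The trailing bare `skips:` evaluates to null rather than an empty list, which matches the existing clients but is worth writing as `skips: []` if anything iterates over it.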
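Review bot: The apt source hard-codes the `bullseye` suite even though the file is delivered by a plain `copy` task, so a host on any other Debian release silently pulls bullseye packages; either make it a template with `{{ ansible_distribution_release }}` or document the constraint. The `signed-by` keyring is committed as an opaque binary with nothing recording which key it is expected to contain; a one-line comment above the deb line such as `# hashicorp-archive-keyring.gpg fingerprint: <FINGERPRINT-PLACEHOLDER>` lets a reviewer check the blob against the vendor's published value.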
@@ -0,0 +1,30 @@
+- name: Copy Hashicorp APT-key
+ copy:
+ src: hashicorp-archive-keyring.gpg
+ dest: /usr/share/keyrings/
+ mode: 0644
+ notify:
+ - apt update
+
+- name: Add hashicorp apt repo
+ copy:
+ src: hashicorp.list
+ dest: /etc/apt/sources.list.d/
+ mode: 0644
+ notify:
+ - apt update
+
+- meta: flush_handlers
+
+- name: Install vault
+ apt:
+ name: vault
+ state: present
+
+- name: Template config
+ template:
+ src: "{{ item }}"
+ dest: "/etc/vault.d/"
+ with_items:
+ - vault.hcl
+ - vault.env
diff --git a/roles/vault-pki/templates/vault.env b/roles/vault-pki/templates/vault.env
new file mode 100644
index 0000000..e69de29
diff --git a/roles/vault-pki/templates/vault.hcl b/roles/vault-pki/templates/vault.hcl
new file mode 100644
index 0000000..4fc06f7
--- /dev/null
+++ b/roles/vault-pki/templates/vault.hcl
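Review bot: The `Template config` task writes vault.hcl and vault.env with the default owner and mode, and nothing restarts or enables the vault service afterwards, so a changed config is never applied and both files are readable by every local user (the packaged unit sources vault.env as its environment file, which is where operators usually put credentials). Give the templated files `owner: vault`, `group: vault`, `mode: "0640"`, notify a `restart vault` handler and enable/start the unit; that handler would need to be defined in the role's handlers, which this diff does not add (the `apt update` handler is presumably defined elsewhere in the repo). The two `mode: 0644` values in the copy tasks should be quoted (`mode: "0644"`) — a YAML 1.1 loader reads the bare literal as an integer and Ansible warns about it.
```yaml
# … unchanged: apt key / repo / flush_handlers / install tasks …

- name: Template config
  template:
    src: "{{ item }}"
    dest: "/etc/vault.d/"
    owner: vault
    group: vault
    mode: "0640"
  with_items:
    - vault.hcl
    - vault.env
  notify:
    - restart vault

- name: Enable and start vault
  systemd:
    name: vault
    enabled: true
    state: started
```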
@@ -0,0 +1,106 @@
+ui = true
+
+storage "file" {
+ path = "/opt/vault/data"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = 1
+}
+
+api_addr = "http://127.0.0.1:8200"
+
+# Terraform OIDC config for reference
+#path "/secret/*" {
+# capabilities = ["read", "list"]
+#}
+#
+#resource "vault_identity_oidc_key" "keycloak_provider_key" {
+# name = "keycloak"
+# algorithm = "RS256"
+#}
+#
+#resource "vault_jwt_auth_backend" "keycloak" {
+# path = "oidc"
+# type = "oidc"
+# default_role = "{{ keycloak_clients['pki']['groups'] }}"
+#
+# oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
+# oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
+# oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
+#
+# tune {
+# audit_non_hmac_request_keys = []
+# audit_non_hmac_response_keys = []
+# default_lease_ttl = "1h"
+# listing_visibility = "unauth"
+# max_lease_ttl = "1h"
+# passthrough_request_headers = []
+# token_type = "default-service"
+# }
+#}
+#
+#resource "vault_jwt_auth_backend_role" "pki" {
+# backend = vault_jwt_auth_backend.keycloak.path
+# role_name = "pki"
+# role_type = "oidc"
+# token_ttl = 3600
+# token_max_ttl = 3600
+#
+# bound_audiences="{{ pki_domain }}"
+# user_claim = "sub"
+# claim_mappings = {
+# preferred_username = "username"
+# email = "email"
+# }
+#
+# allowed_redirect_uris = [
+# "https://{{ pki_domain }}/oidc/oidc/callback",
+# "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
+# ]
+# groups_claim = format("/resource_access/%s/roles",
+# keycloak_openid_client.openid_client.client_id)
+#}
+#
+#data "vault_policy_document" "reader_policy" {
+# rule {
+# path = "/secret/*"
+# capabilities = ["list", "read"]
+# }
+#}
+#
+#resource "vault_policy" "reader_policy" {
+# name = "reader"
+# policy = data.vault_policy_document.reader_policy.hcl
+#}
+#data "vault_policy_document" "manager_policy" {
+# rule {
+# path = "/secret/*"
+# capabilities = ["create", "update", "delete"]
+# }
+#}
+#
+#resource "vault_policy" "manager_policy" {
+# name = "management"
+# policy = data.vault_policy_document.manager_policy.hcl
+#}
+#
+#resource "vault_identity_oidc_role" "management_role" {
+# name = "management"
+# key = vault_identity_oidc_key.keycloak_provider_key.name
+#}
+#
+#resource "vault_identity_group" "management_group" {
+# name = vault_identity_oidc_role.management_role.name
+# type = "external"
+# policies = [
+# vault_policy.manager_policy.name
+# ]
+#}
+#
+#resource "vault_identity_group_alias" "management_group_alias" {
+# name = "pki"
+# mount_accessor = vault_jwt_auth_backend.keycloak.accessor
+# canonical_id = vault_identity_group.management_group.id
+#}
diff --git a/roles/zabbix-agent/handlers/main.yml b/roles/zabbix-agent/handlers/main.yml
new file mode 100644
index 0000000..c43d2f8
--- /dev/null
+++ b/roles/zabbix-agent/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart zabbix-agent
+ systemd:
+ name: zabbix-agent
+ state: restarted
diff --git a/roles/zabbix-agent/tasks/main.yaml b/roles/zabbix-agent/tasks/main.yaml
new file mode 100644
index 0000000..4f5da80
--- /dev/null
+++ b/roles/zabbix-agent/tasks/main.yaml
@@ -0,0 +1,25 @@
+- name: Install zabbix Agent
+ apt:
+ pkg:
+ - zabbix-agent
+ notify:
+ - restart zabbix-agent
+
+- name: Copy agent conf file
+ template:
+ src: zabbix_agentd.conf
+ dest: /etc/zabbix/zabbix_agentd.conf
+ owner: zabbix
+ notify:
+ - restart zabbix-agent
+
+- name: Create legacy directories for backwards compability
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: zabbix
+ with_items:
+ - /var/log/zabbix-agent/
+ - /etc/zabbix/zabbix_agentd.conf.d
+ notify:
+ - restart zabbix-agent
diff --git a/roles/zabbix-agent/templates/zabbix_agentd.conf b/roles/zabbix-agent/templates/zabbix_agentd.conf
new file mode 100644
index 0000000..5b53319
--- /dev/null
+++ b/roles/zabbix-agent/templates/zabbix_agentd.conf
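Review bot: The commented-out Terraform block is still a Jinja template, so `oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"` renders the Keycloak client secret in clear text into /etc/vault.d/vault.hcl on the host, inside an HCL comment that Vault ignores but any reader of the file sees; move the reference config to a `.tf` file in the repo, or wrap that section in `{% raw %}` … `{% endraw %}` so it is never expanded. The listener also binds `address = "0.0.0.0:8200"` with `tls_disable = 1` and `api_addr` is `http://`, so every token and every PKI request crosses the network unencrypted; bind to `127.0.0.1:8200` behind the reverse proxy that serves `pki_domain`, or keep the public bind and set `tls_cert_file`/`tls_key_file` instead of `tls_disable`.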
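Review bot: The task name `Create legacy directories for backwards compability` has a typo (`compatibility`); task names appear in every run log, so fix it before it spreads into log searches. The `Copy agent conf file` template sets `owner: zabbix` but no `group` or `mode`, so the rendered file keeps whatever mode the copy happens to get; `group: zabbix` and `mode: "0640"` pin it. The `apt` task installs without `update_cache: true`, which can fail on a fresh host whose package index has never been refreshed.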
@@ -0,0 +1,507 @@
+# This is a configuration file for Zabbix agent daemon (Unix)
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_agentd.pid
+
+PidFile=/run/zabbix/zabbix_agentd.pid
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix-agent/zabbix_agentd.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+DebugLevel=3
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: AllowKey
+# Allow execution of item keys matching pattern.
+# Multiple keys matching rules may be defined in combination with DenyKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+# Deny execution of items keys matching pattern.
+# Multiple keys matching rules may be defined in combination with AllowKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
+#
+# Mandatory: no
+# Default:
+# DenyKey=system.run[*]
+
+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
+# Internal alias for AllowKey/DenyKey parameters depending on value:
+# 0 - DenyKey=system.run[*]
+# 1 - AllowKey=system.run[*]
+#
+# Mandatory: no
+
+### Option: LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# LogRemoteCommands=0
+
+##### Passive checks related
+
+### Option: Server
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
+# Incoming connections will be accepted only from the hosts listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: yes, if StartAgents is not explicitly set to 0
+# Default:
+# Server=
+
+Server=192.168.122.92
+
+### Option: ListenPort
+# Agent will listen on this port for connections from the server.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10050
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the agent should listen on.
+# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: StartAgents
+# Number of pre-forked instances of zabbix_agentd that process passive checks.
+# If set to 0, disables passive checks and the agent will not listen on any TCP port.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartAgents=3
+
+##### Active checks related
+
+### Option: ServerActive
+# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
+# If port is not specified, default port is used.
+# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+# If port is not specified, square brackets for IPv6 addresses are optional.
+# If this parameter is not specified, active checks are disabled.
+# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#
+# Mandatory: no
+# Default:
+# ServerActive=
+
+ServerActive=192.168.122.92
+
+### Option: Hostname
+# Unique, case sensitive hostname.
+# Required for active checks and must match hostname as configured on the server.
+# Value is acquired from HostnameItem if undefined.
+#
+# Mandatory: no
+# Default:
+# Hostname=
+
+
+### Option: HostnameItem
+# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+# Does not support UserParameters or aliases.
+#
+# Mandatory: no
+# Default:
+# HostnameItem=system.hostname
+
+### Option: HostMetadata
+# Optional parameter that defines host metadata.
+# Host metadata is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostMetadataItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostMetadata=
+HostMetadata=Linux
+
+### Option: HostMetadataItem
+# Optional parameter that defines an item used for getting host metadata.
+# Host metadata is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostMetadata is not defined.
+#
+# Mandatory: no
+# Default:
+# HostMetadataItem=
+
+### Option: HostInterface
+# Optional parameter that defines host interface.
+# Host interface is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostInterfaceItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostInterface=
+
+### Option: HostInterfaceItem
+# Optional parameter that defines an item used for getting host interface.
+# Host interface is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostInterface is not defined.
+#
+# Mandatory: no
+# Default:
+# HostInterfaceItem=
+
+### Option: RefreshActiveChecks
+# How often list of active checks is refreshed, in seconds.
+#
+# Mandatory: no
+# Range: 60-3600
+# Default:
+# RefreshActiveChecks=120
+
+### Option: BufferSend
+# Do not keep data longer than N seconds in buffer.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# BufferSend=5
+
+### Option: BufferSize
+# Maximum number of values in a memory buffer. The agent will send
+# all collected data to Zabbix Server or Proxy if the buffer is full.
+#
+# Mandatory: no
+# Range: 2-65535
+# Default:
+# BufferSize=100
+
+### Option: MaxLinesPerSecond
+# Maximum number of new lines the agent will send per second to Zabbix Server
+# or Proxy processing 'log' and 'logrt' active checks.
+# The provided value will be overridden by the parameter 'maxlines',
+# provided in 'log' or 'logrt' item keys.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxLinesPerSecond=20
+
+############ ADVANCED PARAMETERS #################
+
+### Option: Alias
+# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+# Different Alias keys may reference the same item key.
+# For example, to retrieve the ID of user 'zabbix':
+# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+# Now shorthand key zabbix.userid may be used to retrieve data.
+# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Timeout
+# Spend no more than Timeout seconds on processing
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+### Option: AllowRoot
+# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /etc/zabbix, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+# Include=/etc/zabbix/zabbix_agentd.userparams.conf
+# Include=/etc/zabbix/zabbix_agentd.conf.d/
+Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+
+### Option: UserParameter
+# User-defined parameter to monitor. There can be several user-defined parameters.
+# Format: UserParameter=,
+# See 'zabbix_agentd' directory for examples.
+#
+# Mandatory: no
+# Default:
+# UserParameter=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of agent modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_agentd --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at agent startup. Modules are used to extend functionality of the agent.
+# Formats:
+# LoadModule=
+# LoadModule=
+# LoadModule=
+# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
+# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
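Review bot: The agent is left on the `TLSConnect`/`TLSAccept` defaults of `unencrypted` while `Server` and `ServerActive` point at `192.168.122.92`, so every active-check value and every passive-check reply crosses the network in clear text; setting `TLSConnect=psk`, `TLSAccept=psk`, `TLSPSKIdentity` and `TLSPSKFile` (with the PSK material delivered from an ansible-vault variable rather than committed here) encrypts both directions. `LogFileSize=0` disables the agent's own rotation, so /var/log/zabbix-agent/zabbix_agentd.log grows unbounded unless a logrotate rule exists outside this diff. The server address is hard-coded twice in what is a Jinja template; a group var alongside the new `pki_domain` would keep it in one place and let the template render `Server={{ ... }}` for each environment.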