From 447a1e0ddec38889a391231e777ed653bc4192e3 Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 10:56:59 +0200 Subject: [PATCH 01/29] [nextcloud] Manual upgrade notes. --- devops/roles/icos.nextcloud/README.md | 6 ++++++ .../icos.zabbix_agent2/defaults/main.yml | 17 +++++++++++++++ .../icos.zabbix_agent2/handlers/main.yml | 9 ++++++++ .../roles/icos.zabbix_agent2/tasks/main.yml | 21 +++++++++++++++++++ 4 files changed, 53 insertions(+) create mode 100644 devops/roles/icos.zabbix_agent2/defaults/main.yml create mode 100644 devops/roles/icos.zabbix_agent2/handlers/main.yml create mode 100644 devops/roles/icos.zabbix_agent2/tasks/main.yml diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index 74f8fdf49..1cd19b7cd 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md @@ -40,3 +40,9 @@ container. [6]: https://www.postgresql.org/support/versioning/ [7]: https://hub.docker.com/_/postgres/?tab=tags [8]: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/security_setup_warnings.html + +## Upgrading Nextcloud ver 29 to 31 (manual steps) + +On fsicos2 + +cd /docker/nextcloud \ No newline at end of file diff --git a/devops/roles/icos.zabbix_agent2/defaults/main.yml b/devops/roles/icos.zabbix_agent2/defaults/main.yml new file mode 100644 index 000000000..9bd9b4dbb --- /dev/null +++ b/devops/roles/icos.zabbix_agent2/defaults/main.yml @@ -0,0 +1,17 @@ +--- +# Zabbix version +zabbix_version: "7.4" + +# Zabbix server configuration +zabbix_server: "127.0.0.1" +zabbix_server_active: "127.0.0.1" + +# Agent configuration +zabbix_agent2_listen_port: 10050 +zabbix_agent2_timeout: 30 + +# Optional: Add more defaults +zabbix_agent2_loglevel: 3 +zabbix_agent2_logfile_size: 0 +zabbix_agent2_enable_remote_commands: false +zabbix_agent2_log_type: "system" \ No newline at end of file 
diff --git a/devops/roles/icos.zabbix_agent2/handlers/main.yml b/devops/roles/icos.zabbix_agent2/handlers/main.yml new file mode 100644 index 000000000..090da9819 --- /dev/null +++ b/devops/roles/icos.zabbix_agent2/handlers/main.yml @@ -0,0 +1,9 @@ +- name: restart cron + service: + name: cron + state: restarted + register: _r + # cron might not be installed + failed_when: + - _r.failed + - _r.msg.find('Could not find the requested service cron') < 0 diff --git a/devops/roles/icos.zabbix_agent2/tasks/main.yml b/devops/roles/icos.zabbix_agent2/tasks/main.yml new file mode 100644 index 000000000..b4509f6dc --- /dev/null +++ b/devops/roles/icos.zabbix_agent2/tasks/main.yml @@ -0,0 +1,21 @@ +- name: Install public keys + authorized_key: + user: root + state: present + key: "{{ root_keys }}" + # Make sure to remove stale root keys + exclusive: True + when: root_keys is truthy + +- name: Set timezone to Europe/Stockholm + timezone: + name: Europe/Stockholm + notify: restart cron + +- name: Generate locale + locale_gen: + name: "{{ item }}" + state: present + loop: + - en_US.UTF-8 + - sv_SE.UTF-8 From 712173abc1a93da2209f4a178da2b03d445517ee Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 11:40:27 +0200 Subject: [PATCH 02/29] [nextcloud] Manual upgrade notes. --- devops/roles/icos.nextcloud/README.md | 52 +++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index 1cd19b7cd..13eccbaef 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md 
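Review bot: The first task in icos.zabbix_agent2/tasks/main.yml manages root's authorized_keys with `exclusive: True`, which is unrelated to a Zabbix agent and would remove every root key not listed in `root_keys` on any host this role is applied to. The three tasks and the `restart cron` handler look copied from a base-server role, and none of the variables added in defaults/main.yml is referenced by them, so the role as committed installs no agent. Until real agent tasks exist I would leave tasks/main.yml empty, or at least drop the key task. The commit subject only says "[nextcloud] Manual upgrade notes", so the new role is easy to miss in history.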
@@ -43,6 +43,54 @@ container. ## Upgrading Nextcloud ver 29 to 31 (manual steps) -On fsicos2 +### On fsicos2 -cd /docker/nextcloud \ No newline at end of file +```cd /docker/nextcloud + +# Check docker-compose version +docker compose version + +# Install Compose v2 plugin (from Docker’s repo) +apt-get update +apt-get install -y docker-compose-plugin + +# Set nextcloud in maintenance mode on +docker compose exec -u www-data app php occ maintenance:mode --on || true + +# Make a backup +docker-compose exec -u 33 db pg_dump -U nextcloud nextcloud > backup_29.0.11_$(date +%Y%m%d).sql + +# Continue with +docker compose stop app + +# Update docker-compose.yml to the next version +vi docker-compose.yml +grep "image: nextcloud:" docker-compose.yml + +# In another session window check logs +docker-compose logs -f app + +# Upgrade +# Pull the new image and recreate the app +docker compose pull app +docker compose up -d app + +docker compose exec -u 33 app php occ upgrade + +# Check nextcloud version +docker compose exec -u www-data app php occ config:system:get version + +# Check status +docker compose exec -u www-data app php occ status + +# Create backup +mkdir -p /docker/nextcloud/backups +sudo chown $(id -u):$(id -g) /docker/nextcloud/backups + +docker compose exec -T db pg_dump -U nextcloud -d nextcloud \ + > /docker/nextcloud/backups/pg_nextcloud_$(date +%F_%H%M%S).sql + + +# Config tarball +docker compose exec app bash -lc 'tar -C /var/www/html -czf - config' \ + > /docker/nextcloud/backups/nc_config_$(date +%F_%H%M%S).tar.gz \ No newline at end of file From e81e2b369c2853608fb98f0beedae8e6e2285932 Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 11:47:22 +0200 Subject: [PATCH 03/29] [nextcloud] Manual upgrade notes. --- devops/roles/icos.nextcloud/README.md | 50 +++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) 
diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index 13eccbaef..428c90cda 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md @@ -43,9 +43,13 @@ container. ## Upgrading Nextcloud ver 29 to 31 (manual steps) -### On fsicos2 +The will be a an ansible script for upgrading version 31.0.9.1 to version 32. -```cd /docker/nextcloud +### ver 29.0.11 to 29.0.16 + +``` +# fsicos2 +cd /docker/nextcloud # Check docker-compose version docker compose version @@ -93,4 +97,44 @@ docker compose exec -T db pg_dump -U nextcloud -d nextcloud \ # Config tarball docker compose exec app bash -lc 'tar -C /var/www/html -czf - config' \ - > /docker/nextcloud/backups/nc_config_$(date +%F_%H%M%S).tar.gz \ No newline at end of file + > /docker/nextcloud/backups/nc_config_$(date +%F_%H%M%S).tar.gz +``` + +### ver 29.0.16 to 30 +``` +docker compose exec -u www-data app php occ maintenance:mode --on + +# Bump image to NC30 + +docker compose stop app +docker compose rm -f app +docker compose pull app +docker compose up -d app + +# Run the upgrade +docker compose exec -u www-data app php occ upgrade +docker compose exec -u www-data app php occ app:update --all + +# Repairs / schema checks (safe to run) +docker compose exec -u www-data app php occ maintenance:repair +docker compose exec -u www-data app php occ db:add-missing-indices +docker compose exec -u www-data app php occ db:add-missing-columns +docker compose exec -u www-data app php occ db:add-missing-primary-keys + +docker compose exec -u www-data app php occ db:convert-filecache-bigint --no-interaction + + +# Re-enable any apps you disabled (one by one is safest): +docker compose exec -u www-data app php occ maintenance:mode --off +docker compose exec -u www-data app php occ status + +docker compose exec -u www-data app php occ config:system:get version +........... +30.0.16.1 +........... + + +``` + + + 
From 39c1daacd0fa4c3efade6ffb54ab33868252cf4a Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 13:15:13 +0200 Subject: [PATCH 04/29] [nextcloud] Upgrade notes. --- devops/roles/icos.nextcloud/README.md | 89 ++++++++++++++++++++++++++- 1 file changed, 88 insertions(+), 1 deletion(-) diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index 428c90cda..c93a130d6 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md @@ -1,3 +1,7 @@ +## Nextcloud upgrade procedure + +- [ ] test + ## Overview Note! All nextcloud links in this file goes to the latest ("stable") versions @@ -41,7 +45,8 @@ container. [7]: https://hub.docker.com/_/postgres/?tab=tags [8]: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/security_setup_warnings.html -## Upgrading Nextcloud ver 29 to 31 (manual steps) + +## Manual steps - Upgrading Nextcloud ver 29 to 31 The will be a an ansible script for upgrading version 31.0.9.1 to version 32. 
@@ -133,8 +138,90 @@ docker compose exec -u www-data app php occ config:system:get version 30.0.16.1 ........... +``` + + +### Upgrade from 30.0.16 to Nextcloud 31.0.9 ``` +# list enabled apps (spot non-shipped ones) +docker compose exec -u www-data app php occ app:list --enabled +docker compose exec -u www-data app php occ app:list --enabled --shipped +# Backup DB + config (recommended) +sudo mkdir -p /docker/nextcloud/backups +sudo chown $(id -u):$(id -g) /docker/nextcloud/backups + +# Postgres dump +docker compose exec -T db pg_dump -U nextcloud -d nextcloud \ + > /docker/nextcloud/backups/pg_nextcloud_$(date +%F_%H%M%S).sql + + +# Config directory +docker compose exec app bash -lc 'tar -C /var/www/html -czf - config' \ + > /docker/nextcloud/backups/nc_config_$(date +%F_%H%M%S).tar.gz + + +# Set maintenance ON +docker compose exec -u www-data app php occ maintenance:mode --on + +# Update docker-compose.yml the image to NC31 +vi docker-compose.yml + + +# Recreate only the app container +docker compose stop app +docker compose rm -f app +docker compose pull app +docker compose up -d app + +# Run the upgrade +docker compose exec -u www-data app php occ upgrade + + +# Post-upgrade +docker compose exec -u www-data app php occ app:update --all +.......... +Nextcloud or one of the apps require upgrade - only a limited number of commands are available +You may use your browser or the occ upgrade command to do the upgrade +passman new version available: 2.4.12 +passman couldn't be updated +.......... 
+ + +# Repairs and schema checks +docker compose exec -u www-data app php occ maintenance:repair +docker compose exec -u www-data app php occ db:add-missing-indices +docker compose exec -u www-data app php occ db:add-missing-columns +docker compose exec -u www-data app php occ db:add-missing-primary-keys +docker compose exec -u www-data app php occ db:convert-filecache-bigint --no-interaction 2>/dev/null || true + +# if you use Redis - Clear caches +docker compose exec -u www-data app php occ memcache:flush 2>/dev/null || true + + +# Exit maintenance and verify +docker compose exec -u www-data app php occ maintenance:mode --off + + +# Check status +docker compose exec -u www-data app php occ status +Nextcloud or one of the apps require upgrade - only a limited number of commands are available +You may use your browser or the occ upgrade command to do the upgrade + - installed: true + - version: 31.0.9.1 + - versionstring: 31.0.9 + - edition: + - maintenance: false + - needsDbUpgrade: true + - productname: Nextcloud + - extendedSupport: false + +# Check NC version +docker compose exec -u www-data app php occ config:system:get version +Nextcloud or one of the apps require upgrade - only a limited number of commands are available +You may use your browser or the occ upgrade command to do the upgrade +30.0.16.1 +``` From 9ecded02a9d6126e808d3be1fbaaad6daf4e927d Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 13:29:54 +0200 Subject: [PATCH 05/29] [nextcloud] Upgrade notes ver1.0 --- devops/roles/icos.nextcloud/README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index c93a130d6..d9e9e6122 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md 
@@ -1,6 +1,10 @@ ## Nextcloud upgrade procedure -- [ ] test +- [ ] Anouce and set a date for upgrading Nextcloud +- [ ] Communicate and mail out date to users +- [ ] Test upgrade procedure in lab first + + ## Overview @@ -48,7 +52,7 @@ container. ## Manual steps - Upgrading Nextcloud ver 29 to 31 -The will be a an ansible script for upgrading version 31.0.9.1 to version 32. +The will be an ansible script for upgrading version 31.0.9.1 to version 32. ### ver 29.0.11 to 29.0.16 From 192f0b8fa53fbacba4ebd839b441b0a8d718d818 Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 15:20:34 +0200 Subject: [PATCH 06/29] [nextcloud] Upgrade notes ver2.0 --- devops/roles/icos.nextcloud/README.md | 97 +++++++++++++++++++++------ 1 file changed, 77 insertions(+), 20 deletions(-) diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index d9e9e6122..e10029977 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md 
@@ -1,8 +1,62 @@ ## Nextcloud upgrade procedure -- [ ] Anouce and set a date for upgrading Nextcloud +# Nextcloud Container Upgrade Checklist + +## Step 1 - Preparation + +- [ ] Test upgrade nextcloud in lab first +- [ ] Review nextcloud release notes for breaking changes +- [ ] Verify system requirements (PHP version, docker-compose, database) +- [ ] Document current state: + - [ ] Make a list of all enabled apps + - [ ] Verify group/team fileshare + - [ ] Verify calendar functionality + - [ ] Verify all general mount settings and configuration + - [ ] Screenshot/document current settings +- [ ] Create comprehensive backup: + - [ ] Database backup + - [ ] Config files backup (docker-compose.yml, config.php) + +## Step 2 - Announce Update + +- [ ] Announce and set a date for upgrading nextcloud - [ ] Communicate and mail out date to users -- [ ] Test upgrade procedure in lab first +- [ ] Schedule maintenance window +- [ ] Prepare rollback plan and communicate it to team + +## Step 3 - Update Execution + +- [ ] Enable maintenance mode +- [ ] Stop containers gracefully +- [ ] Update docker-compose.yml with new version +- [ ] Pull new nextcloud image +- [ ] Start containers +- [ ] Run upgrade command(s) +- [ ] Check logs for errors (separate window) +- [ ] Disable maintenance mode + +## Step 4 - Post-Update Verification + +- [ ] Verify nextcloud version and status +- [ ] Compare enabled apps list with pre-update list +- [ ] Re-enable any disabled apps (if compatible) +- [ ] Verify critical functionality: + - [ ] User login + - [ ] File upload/download + - [ ] Group/team fileshare + - [ ] Calendar functionality + - [ ] General mounting points + - [ ] External storage +- [ ] Check system warnings in admin panel +- [ ] Review error logs + +## Step 5 - Post-Update Communication + +- [ ] Notify users that upgrade is complete +- [ ] Report any known issues or changes +- [ ] Update internal documentation +- [ ] Document update ansible script for next upgrade + 
@@ -54,7 +108,7 @@ container. The will be an ansible script for upgrading version 31.0.9.1 to version 32. -### ver 29.0.11 to 29.0.16 +### From ver 29.0.11 to 29.0.16 ``` # fsicos2 @@ -109,11 +163,13 @@ docker compose exec app bash -lc 'tar -C /var/www/html -czf - config' \ > /docker/nextcloud/backups/nc_config_$(date +%F_%H%M%S).tar.gz ``` -### ver 29.0.16 to 30 + +### From ver 29.0.16 to 30.0.16.1 ``` +# Set maintenace mode docker compose exec -u www-data app php occ maintenance:mode --on -# Bump image to NC30 +# Download image to Nextcloud 30 docker compose stop app docker compose rm -f app @@ -124,7 +180,7 @@ docker compose up -d app docker compose exec -u www-data app php occ upgrade docker compose exec -u www-data app php occ app:update --all -# Repairs / schema checks (safe to run) +# Repairs and checks schema docker compose exec -u www-data app php occ maintenance:repair docker compose exec -u www-data app php occ db:add-missing-indices docker compose exec -u www-data app php occ db:add-missing-columns @@ -138,14 +194,14 @@ docker compose exec -u www-data app php occ maintenance:mode --off docker compose exec -u www-data app php occ status docker compose exec -u www-data app php occ config:system:get version -........... +................................................... 30.0.16.1 -........... +................................................... ``` -### Upgrade from 30.0.16 to Nextcloud 31.0.9 +### Upgrade steps from version 30.0.16 to Nextcloud 31.0.9 ``` # list enabled apps (spot non-shipped ones) 
@@ -187,12 +243,12 @@ docker compose exec -u www-data app php occ upgrade # Post-upgrade docker compose exec -u www-data app php occ app:update --all -.......... +................................................... Nextcloud or one of the apps require upgrade - only a limited number of commands are available You may use your browser or the occ upgrade command to do the upgrade passman new version available: 2.4.12 passman couldn't be updated -.......... +................................................... # Repairs and schema checks @@ -202,18 +258,15 @@ docker compose exec -u www-data app php occ db:add-missing-columns docker compose exec -u www-data app php occ db:add-missing-primary-keys docker compose exec -u www-data app php occ db:convert-filecache-bigint --no-interaction 2>/dev/null || true -# if you use Redis - Clear caches +# If we use Redis when clear caches docker compose exec -u www-data app php occ memcache:flush 2>/dev/null || true - # Exit maintenance and verify docker compose exec -u www-data app php occ maintenance:mode --off - # Check status docker compose exec -u www-data app php occ status -Nextcloud or one of the apps require upgrade - only a limited number of commands are available -You may use your browser or the occ upgrade command to do the upgrade +................................................... - installed: true - version: 31.0.9.1 - versionstring: 31.0.9 
@@ -222,10 +275,14 @@ You may use your browser or the occ upgrade command to do the upgrade - needsDbUpgrade: true - productname: Nextcloud - extendedSupport: false - +................................................... + + # Check NC version docker compose exec -u www-data app php occ config:system:get version -Nextcloud or one of the apps require upgrade - only a limited number of commands are available -You may use your browser or the occ upgrade command to do the upgrade -30.0.16.1 +................................................... +31.0.9.1 +................................................... ``` + + From b3cacef9a073b75f20551885eded018c2644f24f Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 13 Oct 2025 15:29:43 +0200 Subject: [PATCH 07/29] [nextcloud] Upgrade notes ver2.1 --- .../icos.zabbix_agent2/defaults/main.yml | 17 --------------- .../icos.zabbix_agent2/handlers/main.yml | 9 -------- .../roles/icos.zabbix_agent2/tasks/main.yml | 21 ------------------- 3 files changed, 47 deletions(-) delete mode 100644 devops/roles/icos.zabbix_agent2/defaults/main.yml delete mode 100644 devops/roles/icos.zabbix_agent2/handlers/main.yml delete mode 100644 devops/roles/icos.zabbix_agent2/tasks/main.yml diff --git a/devops/roles/icos.zabbix_agent2/defaults/main.yml b/devops/roles/icos.zabbix_agent2/defaults/main.yml deleted file mode 100644 index 9bd9b4dbb..000000000 --- a/devops/roles/icos.zabbix_agent2/defaults/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Zabbix version -zabbix_version: "7.4" - -# Zabbix server configuration -zabbix_server: "127.0.0.1" -zabbix_server_active: "127.0.0.1" - -# Agent configuration -zabbix_agent2_listen_port: 10050 -zabbix_agent2_timeout: 30 - -# Optional: Add more defaults -zabbix_agent2_loglevel: 3 -zabbix_agent2_logfile_size: 0 -zabbix_agent2_enable_remote_commands: false -zabbix_agent2_log_type: "system" \ No newline at end of file 
diff --git a/devops/roles/icos.zabbix_agent2/handlers/main.yml b/devops/roles/icos.zabbix_agent2/handlers/main.yml deleted file mode 100644 index 090da9819..000000000 --- a/devops/roles/icos.zabbix_agent2/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: restart cron - service: - name: cron - state: restarted - register: _r - # cron might not be installed - failed_when: - - _r.failed - - _r.msg.find('Could not find the requested service cron') < 0 diff --git a/devops/roles/icos.zabbix_agent2/tasks/main.yml b/devops/roles/icos.zabbix_agent2/tasks/main.yml deleted file mode 100644 index b4509f6dc..000000000 --- a/devops/roles/icos.zabbix_agent2/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Install public keys - authorized_key: - user: root - state: present - key: "{{ root_keys }}" - # Make sure to remove stale root keys - exclusive: True - when: root_keys is truthy - -- name: Set timezone to Europe/Stockholm - timezone: - name: Europe/Stockholm - notify: restart cron - -- name: Generate locale - locale_gen: - name: "{{ item }}" - state: present - loop: - - en_US.UTF-8 - - sv_SE.UTF-8 From 4319454551c903deeeedce0cfb9304ee8abece2c Mon Sep 17 00:00:00 2001 From: robban-github Date: Fri, 24 Oct 2025 13:56:39 +0200 Subject: [PATCH 08/29] [nextcloud] Upgraded notes ver2.1 --- devops/roles/icos.nextcloud/README.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index e10029977..7b374f23d 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md 
@@ -6,14 +6,10 @@ - [ ] Test upgrade nextcloud in lab first - [ ] Review nextcloud release notes for breaking changes -- [ ] Verify system requirements (PHP version, docker-compose, database) +- [ ] Verify package requirements (PHP version, docker-compose, database) - [ ] Document current state: - [ ] Make a list of all enabled apps - - [ ] Verify group/team fileshare - - [ ] Verify calendar functionality - - [ ] Verify all general mount settings and configuration - - [ ] Screenshot/document current settings -- [ ] Create comprehensive backup: +- [ ] Create backup: - [ ] Database backup - [ ] Config files backup (docker-compose.yml, config.php) @@ -27,12 +23,12 @@ ## Step 3 - Update Execution - [ ] Enable maintenance mode +- [ ] Pull new nextcloud image - [ ] Stop containers gracefully - [ ] Update docker-compose.yml with new version -- [ ] Pull new nextcloud image - [ ] Start containers - [ ] Run upgrade command(s) -- [ ] Check logs for errors (separate window) +- [ ] Check logs for errors (in separate window) - [ ] Disable maintenance mode ## Step 4 - Post-Update Verification @@ -55,9 +51,10 @@ - [ ] Notify users that upgrade is complete - [ ] Report any known issues or changes - [ ] Update internal documentation -- [ ] Document update ansible script for next upgrade +- [ ] Document and update ansible script for next upgrade +--- ## Overview @@ -107,6 +104,8 @@ container. ## Manual steps - Upgrading Nextcloud ver 29 to 31 The will be an ansible script for upgrading version 31.0.9.1 to version 32. +These notes were for upgrading from (old) minor versions, and will not be relevant for upgrading from the current version to version 32.X. + ### From ver 29.0.11 to 29.0.16 From d87b8ffaea4a0fddcb7180348d6c041828880e36 Mon Sep 17 00:00:00 2001 From: robban-github Date: Fri, 24 Oct 2025 13:58:04 +0200 Subject: [PATCH 09/29] [nextcloud] Upgraded notes ver2.1 --- devops/roles/icos.nextcloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/devops/roles/icos.nextcloud/README.md b/devops/roles/icos.nextcloud/README.md index 7b374f23d..6cd92e23b 100644 --- a/devops/roles/icos.nextcloud/README.md +++ b/devops/roles/icos.nextcloud/README.md @@ -6,7 +6,7 @@ - [ ] Test upgrade nextcloud in lab first - [ ] Review nextcloud release notes for breaking changes -- [ ] Verify package requirements (PHP version, docker-compose, database) +- [ ] Verify package requirements versions (PHP version, docker-compose, database) - [ ] Document current state: - [ ] Make a list of all enabled apps - [ ] Create backup: From 638a8f66522ddebc5d9d264a74fbbc01f2a74eec Mon Sep 17 00:00:00 2001 From: robban-github Date: Tue, 4 Nov 2025 11:23:05 +0100 Subject: [PATCH 10/29] [onlyoffice] Update fonts. --- devops/get_onlyoffice_container_id.yml | 62 ++++++++++++++++++++++++++ devops/server-icos-srv1.yml | 19 ++++++++ 2 files changed, 81 insertions(+) create mode 100644 devops/get_onlyoffice_container_id.yml create mode 100644 devops/server-icos-srv1.yml diff --git a/devops/get_onlyoffice_container_id.yml b/devops/get_onlyoffice_container_id.yml new file mode 100644 index 000000000..14aad66c4 --- /dev/null +++ b/devops/get_onlyoffice_container_id.yml 
@@ -0,0 +1,62 @@
+---
+#
+# Overview: Get onlyoffice container id
+# Ver: 251103
+# Updated:
+#
+# get_onlyoffice_container_id_and_load_fonts.yml
+
+- hosts: fsicos2
+ become: true
+ gather_facts: false
+
+ vars:
+ container_name: "onlyoffice"
+ host_fonts_dir: "/docker/nextcloud/onlyoffice-fonts/aptos_fonts"
+ container_fonts_dir: "/usr/share/fonts/truetype/custom"
+
+ tasks:
+ - name: Detect ONLYOFFICE container ID (short)
+ check_mode: no
+ shell: >
+ docker ps -q --filter "name={{ container_name }}" | head -n1
+ args:
+ executable: /bin/bash
+ register: container_id
+ changed_when: false
+
+ - name: Fail if container not found
+ assert:
+ that: container_id.stdout | trim | length > 0
+ fail_msg: "ONLYOFFICE container not found (name={{ container_name }})."
+
+ - name: Ensure fonts directory exists inside the container
+ check_mode: no
+ shell: >
+ docker exec -u 0 {{ container_id.stdout | trim }}
+ bash -lc 'mkdir -p {{ container_fonts_dir }}'
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Copy fonts into the container
+ check_mode: no
+ shell: >
+ docker cp {{ host_fonts_dir }}/.
+ {{ container_id.stdout | trim }}:{{ container_fonts_dir }}/
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Refresh font caches and ONLYOFFICE metadata
+ check_mode: no
+ shell: >
+ docker exec -u 0 {{ container_id.stdout | trim }}
+ bash -lc 'fc-cache -f -v && /usr/bin/documentserver-generate-allfonts.sh'
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Print container ID
+ debug:
+ msg: "{{ container_id.stdout | trim }}"
diff --git a/devops/server-icos-srv1.yml b/devops/server-icos-srv1.yml
new file mode 100644
index 000000000..530106d05
--- /dev/null
+++ b/devops/server-icos-srv1.yml
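Review bot: The mkdir, `docker cp` and font-cache tasks in get_onlyoffice_container_id.yml all set `check_mode: no` together with `changed_when: false`, so a `--check` run still writes into the container as root and a normal run never reports a change; only the read-only `docker ps` lookup should be exempt from check mode. The lookup itself is loose: `--filter "name={{ container_name }}"` is a substring match and `head -n1` silently picks one hit, so another container whose name merely contains `onlyoffice` could receive the `docker exec -u 0` commands. I would anchor the filter, e.g. `docker ps -q --filter "name=^/{{ container_name }}$"`, and remove `check_mode: no` from the three modifying tasks. The header comment names the file get_onlyoffice_container_id_and_load_fonts.yml, which does not match the committed file name.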
@@ -0,0 +1,19 @@
+# Upgrade certbot
+# icos play fsicos2 nginx_certbot -ecertbot_state=latest
+
+- hosts: fsicos2
+ roles:
+ - role: icos.server
+ tags: server
+
+ - role: icos.docker
+ tags: docker
+
+ - role: icos.nginx
+ tags: nginx
+
+ - role: icos.bbserver
+ tags: bbserver
+
+ - role: icos.nfs4
+ tags: nfs
From 44145f1e949d520d44701813a5c00008265565ba Mon Sep 17 00:00:00 2001
From: robban-github
Date: Sun, 16 Nov 2025 22:17:33 +0100
Subject: [PATCH 11/29] Add Zabbix LXC monitoring role for fsicos3
---
.../roles/icos.zabbix_lxc_monitor/.DS_Store | Bin 0 -> 6148 bytes
.../icos.zabbix_lxc_monitor/defaults/main.yml | 0
.../files/check_docker_status.sh | 27 ++++++++++++++++++
.../files/check_lxc_config_hash.sh | 19 ++++++++++++
.../files/userparam_check_docker_status.conf | 1 +
.../userparam_check_lxc_config_hash.conf | 1 +
.../icos.zabbix_lxc_monitor/files/zabbix | 4 +++
.../icos.zabbix_lxc_monitor/handlers/main.yml | 0
.../icos.zabbix_lxc_monitor/meta/main.yml | 0
.../icos.zabbix_lxc_monitor/tasks/main.yml | 0
10 files changed, 52 insertions(+)
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/.DS_Store
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml
create mode 100755 devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh
create mode 100755 devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/zabbix
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/meta/main.yml
create mode 100644 devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml
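Review bot: The play in server-icos-srv1.yml targets `hosts: fsicos2`, and its usage comment also says `icos play fsicos2 ...`, so the file name and the host it changes disagree. A playbook named for one server that applies `icos.server`, `icos.docker`, `icos.nginx`, `icos.bbserver` and `icos.nfs4` to another makes it easy to reconfigure the wrong machine; either rename the file or set `hosts:` to the intended host. The commit subject ("[onlyoffice] Update fonts.") does not mention this playbook, so it may have been added unintentionally.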
diff --git a/devops/roles/icos.zabbix_lxc_monitor/.DS_Store b/devops/roles/icos.zabbix_lxc_monitor/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..67e4b851173cc63e067b7b49c918c848ddaaadb1 GIT binary patch literal 6148 zcmeHKOG*SW5UtV?8r;m%Wv(#b%2m(Mg8R9Ej5B_qn;sDNIe_=_HlD%vQl;1!5M0P8 zRgk<&sw$t?bdnMgT|I3VB6AUGP>4#UBJ8f3j@)?$)H23nf45lQjKjV%%wcwM?I&_8 z57Ns{YU}@G9mcNP^y3CG&Fj_q^TqCEIgKC2?Kd9#`#;9eVScw*RWJ|?1Ovgq&l$j- zO=(UIqYegwfneZ+0iF*Dh1fb~!*X<>Dk%Vv&*&o1nM*JxIkt}35Eh79D9}RHQw+6m z^e6Xg9kZc@i+b{*KJ$C>qGfiBpNhL^YZ!Gf5DZKiIJV}T_x~k+nQD?h4T)AT5Dfe? z26Wb~yA?L&ck7q!@vcoM*C-VFWhxNplScp=JV(xo(d>yj{94Cs$Who|!h!J+D1<~6 I4EzEEZ*j;evH$=8 literal 0 HcmV?d00001 diff --git a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml new file mode 100644 index 000000000..e69de29bb diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh b/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh new file mode 100755 index 000000000..53b36809c --- /dev/null +++ b/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +#################################################### +# Docker status checker in LXC container +# OUTPUT: 1 = running, 0 = not running +#################################################### + +LXC_BIN="/snap/bin/lxc" +LXC_CONTAINER=$1 +DOCKER_CONTAINER=$2 + + +if [ -z "$DOCKER_CONTAINER" ]; then + echo "*** Missing parameter" + exit 1 +fi + +STATE=$(sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect -f '{{.State.Status}}' '$DOCKER_CONTAINER'" 2>/dev/null) + + +if [ "$STATE" = "running" ]; then + echo 1 +else + echo 0 +fi + +exit 0 diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh b/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh new file mode 100755 index 000000000..156015826 --- /dev/null 
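Review bot: In check_docker_status.sh, `$1` and `$2` come from the Zabbix item key (`docker.status[*]`) and are pasted unquoted into `sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect ... '$DOCKER_CONTAINER'"`, so the script depends entirely on the agent's `UnsafeUserParameters=0` default to keep shell metacharacters out of a root command line. Pass the values as arguments rather than through a shell string: `sudo "$LXC_BIN" exec "$LXC_CONTAINER" -- docker inspect -f '{{.State.Status}}' "$DOCKER_CONTAINER"`. Before that, reject anything that is not a plain name, e.g. `[[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ && "$2" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] || exit 1`, which also prevents a value starting with `-` from being read as an option. The same commit adds a macOS `.DS_Store` binary under the role directory, which should not be tracked.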
+++ b/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+####################################################
+# Docker status checker in LXC container
+# OUTPUT: 1 = changed, 0 = unchanged.
+####################################################
+
+CURRENT_HASH=$(sudo lxc config show exploredata | md5sum | awk '{print $1}')
+BASELINE_HASH=$(cat /etc/zabbix/scripts/hash-keys/exploredata-hash)
+
+
+if [ "$CURRENT_HASH" = "$BASELINE_HASH" ]; then
+ # Configuration unchanged
+ echo 0
+else
+ # Configuration has changed
+ echo 1
+fi
+
diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf
new file mode 100644
index 000000000..70aaf6293
--- /dev/null
+++ b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf
@@ -0,0 +1 @@
+UserParameter=docker.status[*],/etc/zabbix/scripts/check_docker_status.sh $1 $2
diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf
new file mode 100644
index 000000000..dc2265b38
--- /dev/null
+++ b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf
@@ -0,0 +1 @@
+UserParameter=hash.status,sudo /etc/zabbix/scripts/check_lxc_config_hash.sh
diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/zabbix b/devops/roles/icos.zabbix_lxc_monitor/files/zabbix
new file mode 100644
index 000000000..7e2a84ea4
--- /dev/null
+++ b/devops/roles/icos.zabbix_lxc_monitor/files/zabbix
@@ -0,0 +1,4 @@
+zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec *
+zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc config show *
+zabbix ALL=(ALL) NOPASSWD: /usr/bin/md5sum
+zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh
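Review bot: check_lxc_config_hash.sh cannot tell "unchanged" from "could not check": if `lxc config show` fails, `CURRENT_HASH` is the MD5 of empty input, and if the baseline file is missing, `BASELINE_HASH` is empty, yet the script still prints 0 or 1 as if two real configurations had been compared. It also hard-codes `exploredata` and calls bare `lxc` under `sudo`, while check_docker_status.sh uses `/snap/bin/lxc`; whether `/snap/bin` is on sudo's `secure_path` is not visible here. I would take the container name as `$1`, use the full path, add `set -o pipefail`, and print a distinct value (for example 2) when either side is unavailable. For a tamper-detection baseline `sha256sum` is a better choice than `md5sum`, and the banner comment still reads "Docker status checker".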
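Review bot: In files/zabbix, the rule `zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec *` lets the monitoring account run any command as root inside any container, far more than the two checks need, and `/usr/bin/md5sum` listed without arguments permits hashing any file as root. Since hash.status already runs the whole script through sudo, the script's inner `lxc` and `md5sum` calls need no rules of their own; the file can shrink to the fixed script paths, e.g. `zabbix ALL=(root) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh`, plus an equivalent line for check_docker_status.sh if that script is invoked via sudo and its inner `sudo` is dropped. Keep the scripts and their directory root-owned and not writable by zabbix, otherwise the rule amounts to full root.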
diff --git a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml new file mode 100644 index 000000000..e69de29bb diff --git a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml new file mode 100644 index 000000000..e69de29bb diff --git a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml new file mode 100644 index 000000000..e69de29bb From b2694cd7cb00cb7a6bc93be40c9ac1091708dd3e Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 17 Nov 2025 09:47:25 +0100 Subject: [PATCH 12/29] Add Zabbix LXC monitoring role for fsicos3. --- devops/.gitignore | 3 ++- devops/host_vars/fsicos3.yml | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/devops/.gitignore b/devops/.gitignore index 975f2e135..57cf61bcf 100644 --- a/devops/.gitignore +++ b/devops/.gitignore @@ -3,4 +3,5 @@ local_vars.yml .metals/ -.vscode/ \ No newline at end of file +.vscode/**/.DS_Store +.DS_Store diff --git a/devops/host_vars/fsicos3.yml b/devops/host_vars/fsicos3.yml index c5546a0d4..141ecdf6c 100644 --- a/devops/host_vars/fsicos3.yml +++ b/devops/host_vars/fsicos3.yml @@ -110,3 +110,9 @@ icosdata_nfs_mounts: - path: /data/cupcake src: cupcake.nebula:/data/flexpart/output opts: "rw,soft,x-systemd.after=nebula.service" + + +# LXC containers to monitor on fsicos3 +lxc_containers_to_monitor: + - exploredata + From 71bce80c1c154efc6f4246b24df8dced3bee93fb Mon Sep 17 00:00:00 2001 From: robban-github Date: Mon, 17 Nov 2025 09:50:20 +0100 Subject: [PATCH 13/29] Add Zabbix LXC configuration monitoring for fsicos3 --- .../icos.zabbix_lxc_monitor/defaults/main.yml | 10 ++++ .../icos.zabbix_lxc_monitor/handlers/main.yml | 5 ++ .../icos.zabbix_lxc_monitor/meta/main.yml | 15 +++++ .../icos.zabbix_lxc_monitor/tasks/main.yml | 58 +++++++++++++++++++ 4 files changed, 88 insertions(+) 
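Review bot: The devops/.gitignore hunk removes the `.vscode/` rule and replaces it with `.vscode/**/.DS_Store`, so editor settings under `.vscode/` are no longer ignored; this looks like two lines fused while `.DS_Store` was being added. The intended result is probably to keep `.vscode/` and add `.DS_Store` on its own line. The `.DS_Store` already committed under devops/roles/icos.zabbix_lxc_monitor/ also needs `git rm --cached`, because an ignore rule does not untrack a file that is already in the index.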
diff --git a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml
index e69de29bb..4c83579ee 100644
--- a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml
+++ b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# Zabbix LXC monitoring defaults
+zabbix_scripts_dir: /etc/zabbix/scripts
+zabbix_hash_keys_dir: /etc/zabbix/scripts/hash-keys
+zabbix_agent_conf_dir: /etc/zabbix/zabbix_agent2.d
+zabbix_agent_service: zabbix-agent2
+
+# LXC containers to monitor (can be overridden in host_vars)
+lxc_containers_to_monitor:
+ - exploredata
diff --git a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml
index e69de29bb..ffd504fdf 100644
--- a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml
+++ b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart zabbix-agent2
+ ansible.builtin.service:
+ name: "{{ zabbix_agent_service }}"
+ state: restarted
\ No newline at end of file
diff --git a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml
index e69de29bb..fa37af0bd 100644
--- a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml
+++ b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml
@@ -0,0 +1,15 @@
+---
+dependencies: []
+
+galaxy_info:
+ author: ICOS Infrastructure Team
+ description: Zabbix monitoring for LXC container configuration changes
+ company: ICOS
+
+ min_ansible_version: "2.9"
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+ - jammy
\ No newline at end of file
diff --git a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml
index e69de29bb..66bc9f543 100644
--- a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml
+++ b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: Ensure Zabbix scripts directory exists
+ ansible.builtin.file:
+ path: "{{ zabbix_scripts_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+- name: Ensure hash-keys directory exists
+ ansible.builtin.file:
+ path: "{{ zabbix_hash_keys_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Ensure Zabbix agent conf.d directory exists
+ ansible.builtin.file:
+ path: "{{ zabbix_agent_conf_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+- name: Copy LXC config hash check script
+ ansible.builtin.copy:
+ src: check_lxc_config_hash.sh
+ dest: "{{ zabbix_scripts_dir }}/check_lxc_config_hash.sh"
+ owner: root
+ group: root
+ mode: '0750'
+
+- name: Copy sudoers file for Zabbix
+ ansible.builtin.copy:
+ src: zabbix
+ dest: /etc/sudoers.d/zabbix
+ owner: root
+ group: root
+ mode: '0440'
+ validate: 'visudo -cf %s'
+
+- name: Copy Zabbix userparameter config
+ ansible.builtin.copy:
+ src: userparam_check_lxc_config_hash.conf
+ dest: "{{ zabbix_agent_conf_dir }}/userparam_check_lxc_config_hash.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart zabbix-agent2
+
+- name: Generate baseline hash for LXC containers
+ ansible.builtin.shell: |
+ /snap/bin/lxc config show {{ item }} | md5sum | awk '{print $1}' > {{ zabbix_hash_keys_dir }}/{{ item }}-hash
+ args:
+ creates: "{{ zabbix_hash_keys_dir }}/{{ item }}-hash"
+ loop: "{{ lxc_containers_to_monitor }}"
+ when: lxc_containers_to_monitor is defined
\ No newline at end of file
From cc1ea714b689c7f9937aab8799cc9de6da8147e6 Mon Sep 17 00:00:00 2001
From: robban-github
Date: Mon, 17 Nov 2025 09:51:50 +0100
Subject: [PATCH 14/29] Add Zabbix LXC monitoring role for fsicos3.
---
devops/server-fsicos3.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/devops/server-fsicos3.yml b/devops/server-fsicos3.yml
index 48e20eb03..1ef506c84 100644
--- a/devops/server-fsicos3.yml
+++ b/devops/server-fsicos3.yml
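Review bot: The `Generate baseline hash for LXC containers` task pipes `lxc config show` into `md5sum` with no `pipefail`, so a failed lxc call records the digest of empty input as the baseline, and because the redirect has already created the file, `creates:` keeps that bad baseline on every later run. The rewrite below fails the task on any pipeline error and only moves the hash into place on success; it also quotes `{{ item }}`, which is otherwise interpolated into the shell as-is. It keeps `md5sum` because `check_lxc_config_hash.sh` is not shown in this hunk and presumably compares MD5 values; if the baseline is meant to resist tampering and not only detect drift, both sides should move to `sha256sum` together. Separately, the agent conf.d directory is created `root:root` with mode `0750`, which is worth checking against the user the agent runs as, since it has to read its `Include` files from there.

```yaml
- name: Generate baseline hash for LXC containers
  ansible.builtin.shell: |
    set -euo pipefail
    out={{ (zabbix_hash_keys_dir ~ '/' ~ item ~ '-hash') | quote }}
    /snap/bin/lxc config show {{ item | quote }} | md5sum | awk '{print $1}' > "$out.tmp"
    mv "$out.tmp" "$out"
  args:
    executable: /bin/bash
    creates: "{{ zabbix_hash_keys_dir }}/{{ item }}-hash"
  # … unchanged: loop / when …
```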
@@ -17,3 +17,8 @@ - role: ops.zfs tags: zfs + + - role: icos.zabbix_lxc_monitor + tags: + - zabbix + - lxc-monitor \ No newline at end of file From b0b0a74c5364f8a4fed2472ae11edef0543a9f4d Mon Sep 17 00:00:00 2001 From: robban-github Date: Tue, 18 Nov 2025 14:48:16 +0100 Subject: [PATCH 15/29] [zabbix-agent] Update server-fsicos3.yml configuration --- devops/server-fsicos3.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/devops/server-fsicos3.yml b/devops/server-fsicos3.yml index 1ef506c84..f88459af3 100644 --- a/devops/server-fsicos3.yml +++ b/devops/server-fsicos3.yml @@ -18,7 +18,7 @@ - role: ops.zfs tags: zfs - - role: icos.zabbix_lxc_monitor - tags: - - zabbix - - lxc-monitor \ No newline at end of file + - role: icos.zabbix_agent + tags: zabbix-agent + + From 4178d69f23f2ace045f508104d186d1163adbf7d Mon Sep 17 00:00:00 2001 From: robban-github Date: Tue, 18 Nov 2025 14:50:50 +0100 Subject: [PATCH 16/29] [zabbix-agent] Add role for installing zabbix agent and update configurations --- .../roles/icos.zabbix_agent/defaults/main.yml | 7 + .../zabbix-release_7.0-2+ubuntu22.04_all.deb | Bin 0 -> 8288 bytes .../files/zabbix_agent2.conf | 576 ++++++++++++++++++ .../roles/icos.zabbix_agent/handlers/main.yml | 6 + devops/roles/icos.zabbix_agent/tasks/main.yml | 74 +++ 5 files changed, 663 insertions(+) create mode 100644 devops/roles/icos.zabbix_agent/defaults/main.yml create mode 100644 devops/roles/icos.zabbix_agent/files/zabbix-release_7.0-2+ubuntu22.04_all.deb create mode 100644 devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf create mode 100644 devops/roles/icos.zabbix_agent/handlers/main.yml create mode 100644 devops/roles/icos.zabbix_agent/tasks/main.yml diff --git a/devops/roles/icos.zabbix_agent/defaults/main.yml b/devops/roles/icos.zabbix_agent/defaults/main.yml new file mode 100644 index 000000000..d7ba572fc --- /dev/null +++ b/devops/roles/icos.zabbix_agent/defaults/main.yml 
@@ -0,0 +1,7 @@
+---
+# Zabbix variables
+zabbix_scripts_dir: /etc/zabbix/scripts
+zabbix_agent_conf_file: /etc/zabbix/zabbix_agent2.conf
+zabbix_agent_service: zabbix-agent2
+zabbix_server_host: icos-zbx1,127.0.0.1
+
diff --git a/devops/roles/icos.zabbix_agent/files/zabbix-release_7.0-2+ubuntu22.04_all.deb b/devops/roles/icos.zabbix_agent/files/zabbix-release_7.0-2+ubuntu22.04_all.deb new file mode 100644 index 0000000000000000000000000000000000000000..ad93d8b03ad95f0ecd312370d85c1ed974d7150d GIT binary patch literal 8288 zcmbuEQ*b4WvhQQtwr$(C%}FMl*jjNi$;8gYnb@}Ntk||S!Aj1z_dfU3t^0BwZdX@V zb$4|?{raKnPcCHcYH2HiU}bIb-Q0=U;=7Z%s}C6&89NUjHzyZAKQ|W{8QVYk|B38u zY&=~5)c*1RHZuec7B&P+XD4@8X9pH{b5|B`-~WC7-%I|z!3+V!>#Jt~1_pJ!+$00l z*AEq}Mh=bx_8+4-8|2xg{es{(2E#?{A_@Rc?ITtY@xdOLqA4=LW<~I}@hPH~tXGs9 z{J@c*4lw1YNhHVl{eDKVF)?eA)UTS=l%}YdUYkAyYmSl0X(Cg0k7!zhBif5NA}nbz z;_XekOUi%DjsrA+(XsM)1TXRpZn1NulEVjB6~YI)%`Ea>3f zmqZ|8y(%9YlbxbOPJq+>eFmpW_BvVPHS!u2pt*#rGv#J!N$_Y7w;CZq2xIprAeOJ7hjX25M0j%?kw9V z^S=A-jW~AjZs6lyHQXv+6DhY`rrN9p+&=C|PiytlIxP?_qk)<0o&>HG{2Vsj**=(+krDU|0ul+$~Q?mO<)RJn-&aS4YTwNjNh?`3rLU_n3JiSfAHKlAY>pD}>xXRKA^z2c(l@X& zcQ^kZc>m$@f8(E*i<{#=2k`&$yT%`U3;sU<11~oncfG!d=KnwVHS>y0;si-u-A`sp zoYa(R5GbWcxU&!cM82m=l0^1r%iEt05`fc4M=FEyCLsEt4rML!7nKuM)EqLllrmF7 zG!!WNb`#;&X0(;aB(VptAbXMO9(v!q^2d0P+KI6%!y?XL#L0)amJy4>crYMStg{@N z*xkVBypY?jaF~XmUD^HH5L!f?@D)FrA1lJ--I2&cBNxLkHN6Kj`|qV6(ze0VLw3O5 zujR0VD!LywyWNUZ5r*{|lo(6gfWTb)X+O@9n z%kjmO4G3~H&$qu^iCOS>$#s0H=a3)n$FaO0QbXq7l%b2t1Xn~FdJ**?C&XNA_EKRR zu?dD|l>KPT;!*(Vc_ z%7zI;tjP8jHL{t`Q3c}+(8#eeK4J#cfibP%??62i+gcBKdp@nr6&9La`w`?0_NLru zL1W(F&%aZVR5ltmw!C$a-*9eW|TMQ$1BHLm%W`Qo(itp1jGQ( zXOuggqVqJe+eG$CYBFlE^}7Ux)RX7g(+36>N53!>y%UyrRsKRY z>H{pl<-|3BK5GSr!p+8Wb+y4taxn~2#$If)%Cy>JQPwMRehEGrt|C_&@z-CXFSi*C zoiUSb;cD}nnGbCzAihO%y82cJB);xs zN_~PojHF>zoMbJL=fQqQU{>y~cuey+9U78Cis##^uJZ&3XFddH32~OTk`=OD-~Ktk zAazhT#pT4B>px*jyGxK24L7pq{4-TXq!S^R;!yojSN$nsKhJa~a1_BVvP)giKHu$^ z|1{I2{E$l<&)VuoF(mTHS^)NW>K26h0((-w-7HUhCyNA&rLWIJC2?-%FRv%C6mi^w zxD=K%l;ltuh&WvTX&0`+RTj*I4Z&NhEWZ%mBLHSH)M2v^ znGAd8eL%HO+(Sp7RO>=#Aoa)|XD-iur|S?r&!*MiVF8qpBi6xmv~an5Xs5O?sD62U zJLiCScY>8e?-%1!;Qr|YY(c31QQq>+X{D1yB9KQ+n2rnXqVDJsqt}RD?edU&J(M1e 
zP5RZ>pq4n3l_Kv8F(Mz=zo%*EOCsRixHYZURRElB6PElLT!dn08<1x!O-~m~5jxwq zDWqa!u4zn2PjdHCaUHXQyjS41)chAh?{(4F!q?!3iT+hH{el*e@LZ}mHP@=_!|V1v z&fU2udvxH$0oCO}t~^Hj4IgYBA#oouG&rNxz%i)bI79s-Gz(el7^t%LZ4Gn&8Bv+U zNvq1}%!*|pZCE}Z_hNA@eR)!nP=D^bH2Wl_U?`hwm&!#KmG;H2hTdw-797W%ETxe^ zV;W(Izks$0Ga4?+t|Z5ljSVd5t(JyC8QKNFC67+yw!1D#6+zER+%}*#dUd0eRi$-Tot8X4l>Z8Fjm=NWX)Fs8 z+VD4L2x6X&21Io2PFvx$K#je#hPXd5G+02HYx@?9JGbCm{z4@R%%o~t& zagjlwE@Ixj+7Nu_%k{|aXFS9$$B&N*cq6SmTwkm12wila7OkO)`O6b#YAsrj2%si) zVwnSj41H{+sd4>Ax?B4;rPdlMmA!N8VoY9%{unZ5IE~)1q)xXw#Lv5a!I^-(y6wuC z+)fT}9wsD*5n4k1ll|9Vd)rykyzA}vV}0&fpfg7J#kE(DC%;nZM9*QbMx~R;Ko8_F z?LvOE)K5@z?0YMU%&$nK`oah`+8y<#Nj{UUg(xh&6)vP`KCf6BGIRz%qFKY=eRF;9 z3^45=pS(XNp7Q3&&sDT(2IE04EYn}C6wd8rgp;q7ItLRGLf1P|{I+`=Zo<^`!p=kK zZe4ialRi&Rh-pK1r1vovg#*lC;1;%-)(%#=5KRYuMrYSST&2e*!$g^2jiF|{m0e!2h146bb zLBnrHm2`D;ch6?6;!(vCI+*Y`Rb!_sIikYYo*<<8AkOz1S-9BkTIjL=mlEJL<$0rLycx*PUjT-k|a)QLi%GhqOOkoFzByEP-{~QyTu96 z@ieKu)5#)G%>)?eI_abX=l9#GPh%T;csj?~85y>vMgdWB?T%_8Cf6bH(sVinsfX}3 zo7Po9xEsmhtyG#`ASxuKwzsItpd0i$gab6wPr#Nl|E(-cgN4VT(UQU^rwvXxq^glA zOtim>tbwkKsU{;?sULVJiXZq$KR?aJAJEOWeASm#CZn`?!@>U-H_E4XFJpIKLH+r? 
zbZm}2?ONj^`fW?pu_Yaa^=1xLsOh&N0as+4GLkKX zFa}wQ{Q%0GOPvXPgOkj7g{@^eH9G#AA>XyTN_$R|)0PJwHsPlIcel{$!>9h^A%F35 zu&`sacp&0*T8D(Hv;+tK70w8DxC#vKS8R-wZ*m`MXNoUp2o^uoDGr z`qBD%IX`f?5scl8dnFrlfkC|D(wR;BVt*-I2tUKSh(;Q%4<|ddVTpvAWeO?Hi+88l z{<)uBd~8i&h3I|VqFj*F>@Q1+|*ts z&A;RsWrsy|$-UwMVC+J5zwNlW5FLWD)r!mY0hO8qXx}j$N;ncG)AGU_N1(-{>93Yap&t7e~zZv04TbBlna{oQbG>PYK6N%Pu#O;OrT#C9o{R zg3WJ&$fu~!7Q9#Q2RT7OKG-f2T5>Or{b%&VX9EU8*}W1T4d|gU>nV!;{1?3;#kz#D zUS~Lb5Lt{_yl{gd&Fk%Rm;Di>nFeohRXiXV2Hw6avtD?&fyfvQtivj2zK6D*00*f* z=7p!1BN`P4r>O?h&Q;=^?;~}K%qi;KU*C2TP}AwJOt{=bMVpK$o8H%%fOtPmX66m& z16CF>6FJr<@-(>&tR}*kSnF1y^KBJ8tOu9=QxQcq#V_99rz!9((TP5 zpArQhfZYC&AXNHtrwZ5;-L>tbQ@CyFU^Ofb#N!e_1_l4ke5nAay}YpG?US~-Hdgr{ zAydGqb&qE4)h1yv<;re+`=G_QxZUAP5c#dv{C+{9MfG)jkUceN90vUL`kz>o91|9Q zmDI5XCdn_-in9cg5ds$H%O6ygIuvKI%JoDYck}E1?7#m$kdMqkK;>t2>O%jN$9}k- zWYT6RFbF3>Lmh?0#1ztCBU^Bp)S5N6qBTxZ!MJ9jzvX}oErLj9f@=L{27}j%&}G;- z_vr)r=54gz?uJ#WwrNjfqEB+^ziKsFFQ~c|L~aW;El;UFhD-l3{WojH8(|NLR4Q>X zq+X?mhCZKSGrBs?wEo&|JI(s&L&k3+$_4u62D%@o-b23q%cFK>!i9==`~D-tUMw<> zCWQ}ibq-jx8@sT_^VyuyxA@Xcp{P$=nHG#53yPZ5qw9zq0!iZ1rq?ZV`4#Z-yGRh) z-oDoTNr5!OFnrv4f9SNfuck4s0u>Fc6*&S!yg9gG+V|%>C)KA@+&N{_{B!W(6VR#^m+m#BEkm7MCSZ@a(d*(4}Dkj1U8GBn_KF|nj^PkL}oUgh(LKp zeSFmkUQ^db_LM>fgE>9|Aka>9%ZS+g1;+k{=STn~jyb`>SQ?W<TwmdyBOBuy<{#B}+%a>QR8t^s)DdEb6k^;kDI z`!5@7>Cd#oAlI6b929Vq>re#PPAyJ`wjHm&ofx@YU%D#~JbY?~E>UBT7b)>Orb$~j zW{U6+j_&I@56u1Rra(-=4ZHFBN`Y{!C^MS9C0E)D=Zd0{acesJEbb^U+T3#ZBj>x0 z`fBnYUkasTxKH#|YL@|uIR5BICKTXZ!Fb?r z2&Xp*FYbpWHa6C<)pTp&#q_wykUV+Ruh$T1&WYK>x0X-ZDuAFv6n^AiU8W$ zwzK#Zt^WIFolz)D){9s+H;xAoQ>!G`ssXWrTDpeb$l&HWc2geI2M!VwIBPi1CCZAf zPAG`cJx~ayfmTmy>Xp2Q?tN}56V1d{XNj48;YNW7A11l_!o}*^Ee}Zujy?^hmT!DW zUd$L&=6}*sIrdW<{el~ZF`pavtjJ##(&;x*;D_^o6bw?mHrX}j1yhRUYWxGeYRHm~ z%RUfJJBx{6lo2vxH5t(kcW#bAEJsJrQBhfuU^_fI)^;zc)Q&^Ar6NWb?@UqC@sdVS znQLP29nMh|K4PrCh`){l%!xt~rfzUL+&!b(`D-+ZtzXL>;1YpC`oa#Tjuef_ex!F% zJA)>+iYtykhH|y}5R;p$qoU?D0j+zl78xa<`17YtB(lREj{Ao-#iJ3Y-@J5~;3Gsc 
zT9lnnC_osEUNSmN_a?Czqa|@Ini~Js_{@1?5lN^=w|9|pJlE0H)Pt?fO$673P>lL` z)W6kwnfa{reI8S#h|*a*v#RXTr$rKzm(T}hKQ8srAcm*^7Z0rm9{sQ$FJ!9k$;R_( z$Mfw{ek~~(s#PV%kJ9EYNt*V>^rdjw3Y`va1mS#Q-57mr@B#rRgn^fW; zA{@bB-PoK+3xXl(xGHd(`&P^p&@oT>v`>c(({Itmov*eZW=o!*v}6s;&|tWh@-KtX z8F3@GK7?SM^vh?7TMQ*v%KFpHp-PfsO3rcqnYljvD;_Gh4m@GM4k1G|8#8REp0k}7 zHsQ{s#hs&a5bDO_epH~m>+)@Y4EIMux(rM)qF6SSsl0wPWwvIPdTPB zXS&+o_9X{G>iXS(0+l@?ODp*2o;Uv1qn&%<#e64LmmZNKIUGMy2X*z zT>Zv#nR<^dV%@2bOu-X~JOF;*=U4(k_6imbbk>-3$sLMx(>yV-?K!^-GB|Xf<164^ z|CiCcyz#r>&}YQ~g1EkR&b##^Gz6WT+l_VuR5i^h@}Z1W9D<>SOCheJBM1e0`i4y*=EkD2f4<}&}ITi&&Dy}3w4902`aFop$GM#nu*7^5}Q=- z0>GDq+LQqFfJxX4@OX2+wGj`MB+#4Q_@tn_Q@RVJ1^+=WjsAYNE5#Y~StWpu^8m2Y zcO21T4Pfv|!GKmX>&iq>DR06_rM{}sP}#AklAowY12OCeGBRe-+aZwkl=Jp*8UvF` z>!rSzESMu32~81*2|bF$D~i6hPE|X?ex(k2vCK|%Dz;3;KqoCvn>1GNpvq&w^Zm-S zd>PciI-)+=yYF4HPy$FXdT?{fYi}QcF$7zb;PORi_OWWwASW6}jp`IM7SAGGS~gd? zL~0gN;z@z%ZzcOIzn{5uQaBjKbTiChLo1(3O8n_-vZ(lBwEX}ww6=%m4R27+BD({> z`P)^;o~?MdQDD5>J@8;-iU)Ukho&L$X!AaCY$f>Zg0c0l4kLPQ4j3OcM?JSpIeugU zLil%zxT!xwivUd|2`H-V8J-C2IY`>aIGc{JZ;OIn4{;aas@R-X`02k>(&J(-u2=30 zyNbEBR!JJ)Wqiv*TxRa!t#bHD2e78EQmr=D?{R6;+W0 z*$Y?P<*I;!5>1gEDme*g&2`C-HWozU8>&Zd{t^QEcjpXoOrK4>cUKwO;XxIFa8(fgX)vZNQ$XqZ;%Lqf- z!I|b`<9)RhM1{4__a<ji2^}#WU&<_$ZsaJ{1y9-DvAD^!*v$2S-5;R6 z#R#s&DBLP=%mg^;%MhZng|w0`Dqv#q^WgwoU?eB^jtwFERKNw^d`Dh}Zz-8wO7UP+ z3)0Sfj#zOrLMTar8@~76RQMh(cSRidu`|{h0d1cFp(JeRLz7*ca4d6*6OB?1plMAbcGfQWWAVL&i}BmLe^<=iza>&o2sX7NuAR;TnJ{75sT=tKk1GLKo*BsU0rhb%DoyA!pf%Md4E$v zYk}&ttUwS?^hi=dAg_kIm$X45%?b-`885uVxw}2yjRz1Kc+A_M5gylv8_9?Ldf+qt zfp-+Z7o`GUl9@&rCQ;K)E{xCJ-8Ms~T@7Fd7Z<`CvBDXY$Oi|P25yoF;q-2@>+E9= zpjYXDcq`LaPlBEpRaIi640O6Rp2lkYeWR_s9ncj*pP`wm91Vy6_|OJ=qV7w4_+9I_ z6E>{hNnb7MNrZ(E!<65m2Yi$H-V;%yIv51PPM)(Ll(PIeq+Mqu7jM>j>;4A>jgudY zfPO&&Z+4{V!1sx=sK9 literal 0 HcmV?d00001 diff --git a/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf b/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf new file mode 100644 index 000000000..0ae68d0d2 --- /dev/null 
+++ b/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf 
@@ -0,0 +1,576 @@ +# This is a configuration file for Zabbix agent 2 (Unix) +# To get more information about Zabbix, visit https://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agent2.pid + +PidFile=/run/zabbix/zabbix_agent2.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile=/tmp/zabbix_agent2.log + +LogFile=/var/log/zabbix/zabbix_agent2.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +LogFileSize=0 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. 
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# If left empty or not set will disable passive checks, and Zabbix agent 2 will not listen on the ListenPort. +# +# Mandatory: no +# Default: +# Server= + +Server=icos-zbx1,127.0.0.1 + +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. +# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: StatusPort +# Agent will listen on this port for HTTP status requests. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# StatusPort= + +##### Active checks related + +### Option: ServerActive +# Zabbix server/proxy address or cluster configuration to get active checks from. +# Server/proxy address is IP address or DNS name and optional port separated by colon. +# Cluster configuration is one or more server addresses separated by semicolon. +# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. +# More than one Zabbix proxy should not be specified from each Zabbix server/cluster. +# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. +# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. 
+# Example for Zabbix proxy: +# ServerActive=127.0.0.1:10051 +# Example for multiple servers: +# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for high availability: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 +# Example for high availability with two clusters and one server: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain +# +# Mandatory: no +# Default: +# ServerActive= + +ServerActive=icos-zbx1 + +### Option: Hostname +# List of comma delimited unique, case sensitive hostnames. +# Required for active checks and must match hostnames as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +Hostname=fsicos3 + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 2034 bytes. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-2034 bytes +# Default: +# HostMetadata= + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 65535 characters. +# This option is only used when HostMetadata is not defined. +# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: HostInterface +# Optional parameter that defines host interface. 
+# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 1-86400 +# Default: +# RefreshActiveChecks=5 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# Option is not valid if EnablePersistentBuffer=1 +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=1000 + +### Option: EnablePersistentBuffer +# Enable usage of local persistent storage for active items. +# 0 - disabled, in-memory buffer is used (default); 1 - use persistent buffer +# Mandatory: no +# Range: 0-1 +# Default: +# EnablePersistentBuffer=0 + +### Option: PersistentBufferPeriod +# Zabbix Agent2 will keep data for this time period in case of no +# connectivity with Zabbix server or proxy. Older data will be lost. Log data will be preserved. +# Option is valid if EnablePersistentBuffer=1 +# +# Mandatory: no +# Range: 1m-365d +# Default: +# PersistentBufferPeriod=1h + +### Option: PersistentBufferFile +# Full filename. 
Zabbix Agent2 will keep SQLite database in this file. +# Option is valid if EnablePersistentBuffer=1 +# +# Mandatory: no +# Default: +# PersistentBufferFile= + +### Option: HeartbeatFrequency +# Frequency of heartbeat messages in seconds. +# Used for monitoring availability of active checks. +# 0 - heartbeat messages disabled. +# +# Mandatory: no +# Range: 0-3600 +# Default: 60 +# HeartbeatFrequency= + +############ ADVANCED PARAMETERS ################# + +### Option: Alias +# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. +# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. +# Different Alias keys may reference the same item key. +# For example, to retrieve the ID of user 'zabbix': +# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] +# Now shorthand key zabbix.userid may be used to retrieve data. +# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. +# +# Mandatory: no +# Range: +# Default: + +### Option: Timeout +# Specifies how long to wait (in seconds) for establishing connection and exchanging data with Zabbix proxy or server. +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +### Option:PluginTimeout +# Timeout for connections with external plugins. +# +# Mandatory: no +# Range: 1-30 +# Default: +# PluginTimeout= + +### Option:PluginSocket +# Path to unix socket for external plugin communications. +# +# Mandatory: no +# Default:/tmp/agent.plugin.sock +# PluginSocket= + +PluginSocket=/run/zabbix/agent.plugin.sock + +####### USER-DEFINED MONITORED PARAMETERS ####### + +### Option: UnsafeUserParameters +# Allow all characters to be passed in arguments to user-defined parameters. +# The following characters are not allowed: +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ +# Additionally, newline characters are not allowed. 
+# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Range: 0-1 +# Default: +# UnsafeUserParameters=0 + +### Option: UserParameter +# User-defined parameter to monitor. There can be several user-defined parameters. +# Format: UserParameter=, +# See 'zabbix_agentd' directory for examples. +# +# Mandatory: no +# Default: +# UserParameter= + +### Option: UserParameterDir +# Directory to execute UserParameter commands from. Only one entry is allowed. +# When executing UserParameter commands the agent will change the working directory to the one +# specified in the UserParameterDir option. +# This way UserParameter commands can be specified using the relative ./ prefix. +# +# Mandatory: no +# Default: +# UserParameterDir= + +### Option: ControlSocket +# The control socket, used to send runtime commands with '-R' option. +# +# Mandatory: no +# Default: +# ControlSocket= + +ControlSocket=/run/zabbix/agent.sock + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the agent should connect to server or proxy. Used for active checks. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted + +TLSConnect=psk + +### Option: TLSAccept +# What incoming connections to accept. 
+# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted + +TLSAccept=psk + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. +# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the agent certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the agent private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= + +TLSPSKIdentity=fsicos3 + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. 
+# +# Mandatory: no +# Default: +# TLSPSKFile= + +TLSPSKFile=/etc/zabbix/psk_secret.psk + +####### PLUGIN-SPECIFIC PARAMETERS ####### + +### Option: Plugins +# A plugin can have one or more plugin specific configuration parameters in format: +# Plugins..= +# Plugins..= +# +# Mandatory: no +# Range: +# Default: + +### Option: Plugins.Log.MaxLinesPerSecond +# Maximum number of new lines the agent will send per second to Zabbix Server +# or Proxy processing 'log' and 'logrt' active checks. +# The provided value will be overridden by the parameter 'maxlines', +# provided in 'log' or 'logrt' item keys. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# Plugins.Log.MaxLinesPerSecond=20 + +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. +# +# Mandatory: no +# Default: +# DenyKey=system.run[*] + + +AllowKey=system.run[*] +Timeout=10 + +### Option: Plugins.SystemRun.LogRemoteCommands +# Enable logging of executed shell commands as warnings. 
+# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# Plugins.SystemRun.LogRemoteCommands=0 + +### Option: ForceActiveChecksOnStart +# Perform active checks immediately after restart for first received configuration. +# Also available as per plugin configuration, example: Plugins.Uptime.System.ForceActiveChecksOnStart=1 +# +# Mandatory: no +# Range: 0-1 +# Default: +# ForceActiveChecksOnStart=0 + +# Include configuration files for plugins +Include=/etc/zabbix/zabbix_agent2.d/plugins.d/*.conf + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### Additional configuration files ####### + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +Include=/etc/zabbix/zabbix_agent2.d/*.conf + +# Include=/usr/local/etc/zabbix_agent2.userparams.conf +# Include=/usr/local/etc/zabbix_agent2.conf.d/ +# Include=/usr/local/etc/zabbix_agent2.conf.d/*.conf diff --git a/devops/roles/icos.zabbix_agent/handlers/main.yml b/devops/roles/icos.zabbix_agent/handlers/main.yml new file mode 100644 index 000000000..a7120ec77 --- /dev/null +++ b/devops/roles/icos.zabbix_agent/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart zabbix-agent2 + systemd: + name: "{{ zabbix_agent_service }}" + state: restarted + daemon_reload: yes \ No newline at end of file diff --git a/devops/roles/icos.zabbix_agent/tasks/main.yml b/devops/roles/icos.zabbix_agent/tasks/main.yml new file mode 100644 index 000000000..5b8cdb08f --- /dev/null +++ b/devops/roles/icos.zabbix_agent/tasks/main.yml 
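Review bot: `AllowKey=system.run[*]` overrides the default `DenyKey=system.run[*]` documented just above it, so any peer accepted by `Server=icos-zbx1,127.0.0.1` can have the agent run arbitrary shell commands, and `Plugins.SystemRun.LogRemoteCommands` is left at its default of 0, so those commands leave no log entry. `TLSConnect=psk` and `TLSAccept=psk` limit who can connect, but the monitoring server then becomes a single point from which this host can be driven. Fixed checks are better expressed as `UserParameter` entries under the included `zabbix_agent2.d/*.conf` with the `AllowKey` line removed; if remote commands are really needed, allow the exact command strings and set `Plugins.SystemRun.LogRemoteCommands=1`. `Hostname=fsicos3` and `TLSPSKIdentity=fsicos3` are also hard-coded in a role whose tasks name both fsicos2 and fsicos3.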
@@ -0,0 +1,74 @@
+---
+- name: Install Zabbix repository package on fsicos2 and fsicos3
+ when: ansible_hostname in ['fsicos2', 'fsicos3']
+ block:
+ - name: Copy Zabbix release package to /root/
+ copy:
+ src: files/zabbix-release_7.0-2+ubuntu22.04_all.deb
+ dest: /root/zabbix-release_7.0-2+ubuntu22.04_all.deb
+ owner: root
+ group: root
+ mode: '0644'
+ check_mode: no
+
+ - name: Install Zabbix repository package
+ apt:
+ deb: /root/zabbix-release_7.0-2+ubuntu22.04_all.deb
+ state: present
+
+ - name: Update apt cache after adding Zabbix repository
+ apt:
+ update_cache: yes
+
+
+- name: Install Zabbix agent2
+ apt:
+ name: zabbix-agent2
+ state: present
+ update_cache: yes
+
+- name: Configure Zabbix agent2 - Set Server parameter
+ lineinfile:
+ path: "{{ zabbix_agent_conf_file }}"
+ regexp: '^Server=.*$'
+ line: 'Server={{ zabbix_server_host }}'
+ register: server_changed
+
+
+
+
+- name: Configure Zabbix agent2 - Set ServerActive parameter
+ lineinfile:
+ path: "{{ zabbix_agent_conf_file }}"
+ regexp: '^ServerActive=.*$'
+ line: 'ServerActive={{ zabbix_server_host }}'
+ register: serveractive_changed
+
+- name: Configure Zabbix agent2 - Set Hostname parameter
+ lineinfile:
+ path: "{{ zabbix_agent_conf_file }}"
+ regexp: '^Hostname=Zabbix server$'
+ line: "Hostname={{ ansible_hostname }}"
+ register: hostname_changed
+
+- name: Create Zabbix scripts directory
+ file:
+ path: "{{ zabbix_scripts_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Trigger restart if configuration changed
+ debug:
+ msg: "Zabbix agent2 configuration has been modified"
+ when: server_changed.changed or serveractive_changed.changed or hostname_changed.changed
+ notify: restart zabbix-agent2
+ changed_when: true
+
+- name: Ensure Zabbix agent2 service is started and enabled
+ systemd:
+ name: "{{ zabbix_agent_service }}"
+ state: started
+ enabled: yes
+ daemon_reload: yes
\ No newline at end of file
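Review bot: The three `lineinfile` tasks set only `Server`, `ServerActive` and `Hostname`, so unless the PSK settings are applied elsewhere an agent installed by this role keeps the package default of unencrypted traffic, while the reference `zabbix_agent2.conf` added in the same commit uses `TLSConnect=psk`, `TLSAccept=psk` and `TLSPSKFile=/etc/zabbix/psk_secret.psk`. The tasks below install the key file and set the four TLS options; `zabbix_agent_psk` is a new variable that would have to be supplied from Ansible Vault. `ServerActive={{ zabbix_server_host }}` also turns `127.0.0.1` into an active-check target, unlike the reference file's `ServerActive=icos-zbx1`. The vendored `zabbix-release_7.0-2+ubuntu22.04_all.deb` is installed with no recorded source URL or digest; a comment carrying both next to the copy task would let a reviewer verify the binary.

```yaml
# … unchanged: Server / ServerActive / Hostname lineinfile tasks …

# zabbix_agent_psk: new variable, expected to come from Ansible Vault
- name: Install Zabbix agent2 pre-shared key
  copy:
    content: "{{ zabbix_agent_psk }}"
    dest: /etc/zabbix/psk_secret.psk
    owner: root
    group: zabbix
    mode: '0640'
  no_log: true
  notify: restart zabbix-agent2

- name: Configure Zabbix agent2 - Require TLS with PSK
  lineinfile:
    path: "{{ zabbix_agent_conf_file }}"
    regexp: '^#?\s*{{ item.key }}='
    line: '{{ item.key }}={{ item.value }}'
  loop:
    - { key: TLSConnect, value: psk }
    - { key: TLSAccept, value: psk }
    - { key: TLSPSKIdentity, value: "{{ ansible_hostname }}" }
    - { key: TLSPSKFile, value: /etc/zabbix/psk_secret.psk }
  notify: restart zabbix-agent2
```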
From 92cd0c769e996e3c1ba26527cc38ff1e7e41dbfb Mon Sep 17 00:00:00 2001 From: robban-github Date: Tue, 18 Nov 2025 14:52:48 +0100 Subject: [PATCH 17/29] [zabbix-agent] Update inventory and configurations --- devops/install_onlyoffice_fonts.yml | 62 +++++++++++++++++++++++++++ devops/production.inventory/stilt.yml | 11 ++--- devops/vm-fsicos3-dokku.yml | 1 + 3 files changed, 69 insertions(+), 5 deletions(-) create mode 100644 devops/install_onlyoffice_fonts.yml diff --git a/devops/install_onlyoffice_fonts.yml b/devops/install_onlyoffice_fonts.yml new file mode 100644 index 000000000..14aad66c4 --- /dev/null +++ b/devops/install_onlyoffice_fonts.yml 
@@ -0,0 +1,62 @@
+---
+#
+# Overview: Get onlyoffice container id
+# Ver: 251103
+# Updated:
+#
+# get_onlyoffice_container_id_and_load_fonts.yml
+
+- hosts: fsicos2
+ become: true
+ gather_facts: false
+
+ vars:
+ container_name: "onlyoffice"
+ host_fonts_dir: "/docker/nextcloud/onlyoffice-fonts/aptos_fonts"
+ container_fonts_dir: "/usr/share/fonts/truetype/custom"
+
+ tasks:
+ - name: Detect ONLYOFFICE container ID (short)
+ check_mode: no
+ shell: >
+ docker ps -q --filter "name={{ container_name }}" | head -n1
+ args:
+ executable: /bin/bash
+ register: container_id
+ changed_when: false
+
+ - name: Fail if container not found
+ assert:
+ that: container_id.stdout | trim | length > 0
+ fail_msg: "ONLYOFFICE container not found (name={{ container_name }})."
+
+ - name: Ensure fonts directory exists inside the container
+ check_mode: no
+ shell: >
+ docker exec -u 0 {{ container_id.stdout | trim }}
+ bash -lc 'mkdir -p {{ container_fonts_dir }}'
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Copy fonts into the container
+ check_mode: no
+ shell: >
+ docker cp {{ host_fonts_dir }}/.
+ {{ container_id.stdout | trim }}:{{ container_fonts_dir }}/
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Refresh font caches and ONLYOFFICE metadata
+ check_mode: no
+ shell: >
+ docker exec -u 0 {{ container_id.stdout | trim }}
+ bash -lc 'fc-cache -f -v && /usr/bin/documentserver-generate-allfonts.sh'
+ args:
+ executable: /bin/bash
+ changed_when: false
+
+ - name: Print container ID
+ debug:
+ msg: "{{ container_id.stdout | trim }}"
diff --git a/devops/production.inventory/stilt.yml b/devops/production.inventory/stilt.yml
index 662782bc0..a7308eefe 100644
--- a/devops/production.inventory/stilt.yml
+++ b/devops/production.inventory/stilt.yml
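Review bot: `check_mode: no` is set on the mkdir, `docker cp` and font-refresh tasks as well as on the read-only detection task, so a `--check` run still writes into the container, and `changed_when: false` on the same tasks reports those writes as unchanged. Keeping `check_mode: no` only on `Detect ONLYOFFICE container ID (short)` and dropping `changed_when: false` from the three modifying tasks restores a safe dry run and an honest change report. The `name={{ container_name }}` filter matches substrings, so when more than one container name contains `onlyoffice`, `head -n1` decides which one receives the `docker exec -u 0` calls. Asserting that exactly one ID came back would catch that case.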
@@ -20,8 +20,9 @@ stiltcluster_hosts: # The machine has 24 stiltcluster_maxcores: 20 - # fsicos3: - # stiltrun_user: stiltcluster - # stiltcluster_docker: false - # stiltcluster_maxcores: 40 - # stilt_input_dir: /data/stilt_legacy/Input + fsicos3: + stiltrun_user: stiltcluster + stiltcluster_docker: false + stilt_input_dir: /data/stilt_legacy/Input + #stilt_input_mount: /data/stilt_legacy/Input + stiltcluster_maxcores: 20 diff --git a/devops/vm-fsicos3-dokku.yml b/devops/vm-fsicos3-dokku.yml index 7fb6d91ac..6679b51d2 100644 --- a/devops/vm-fsicos3-dokku.yml +++ b/devops/vm-fsicos3-dokku.yml @@ -49,3 +49,4 @@ - role: icos.dokku tags: dokku + From eb71a6eff54d9be5b73cfd23ddf0024f76a265e4 Mon Sep 17 00:00:00 2001 From: Andrew Debevec Date: Tue, 18 Nov 2025 15:12:10 +0100 Subject: [PATCH 18/29] Revert "Add Zabbix LXC monitoring role for fsicos3." This reverts commit cc1ea714b689c7f9937aab8799cc9de6da8147e6. --- devops/server-fsicos3.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/devops/server-fsicos3.yml b/devops/server-fsicos3.yml index f88459af3..75791fc2e 100644 --- a/devops/server-fsicos3.yml +++ b/devops/server-fsicos3.yml @@ -20,5 +20,3 @@ - role: icos.zabbix_agent tags: zabbix-agent - - From 5bf1da3746d533be31232923bf87e0ff5beaf4d3 Mon Sep 17 00:00:00 2001 From: Andrew Debevec Date: Tue, 18 Nov 2025 15:12:26 +0100 Subject: [PATCH 19/29] Revert "Add Zabbix LXC configuration monitoring for fsicos3" This reverts commit 71bce80c1c154efc6f4246b24df8dced3bee93fb. --- .../icos.zabbix_lxc_monitor/defaults/main.yml | 10 ---- .../icos.zabbix_lxc_monitor/handlers/main.yml | 5 -- .../icos.zabbix_lxc_monitor/meta/main.yml | 15 ----- .../icos.zabbix_lxc_monitor/tasks/main.yml | 58 ------------------- 4 files changed, 88 deletions(-) diff --git a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml index 4c83579ee..e69de29bb 100644 --- a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml 
+++ b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml @@ -1,10 +0,0 @@ ---- -# Zabbix LXC monitoring defaults -zabbix_scripts_dir: /etc/zabbix/scripts -zabbix_hash_keys_dir: /etc/zabbix/scripts/hash-keys -zabbix_agent_conf_dir: /etc/zabbix/zabbix_agent2.d -zabbix_agent_service: zabbix-agent2 - -# LXC containers to monitor (can be overridden in host_vars) -lxc_containers_to_monitor: - - exploredata diff --git a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml index ffd504fdf..e69de29bb 100644 --- a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml +++ b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml @@ -1,5 +0,0 @@ ---- -- name: Restart zabbix-agent2 - ansible.builtin.service: - name: "{{ zabbix_agent_service }}" - state: restarted \ No newline at end of file diff --git a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml index fa37af0bd..e69de29bb 100644 --- a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml +++ b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml @@ -1,15 +0,0 @@ ---- -dependencies: [] - -galaxy_info: - author: ICOS Infrastructure Team - description: Zabbix monitoring for LXC container configuration changes - company: ICOS - - min_ansible_version: "2.9" - - platforms: - - name: Ubuntu - versions: - - focal - - jammy \ No newline at end of file diff --git a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml index 66bc9f543..e69de29bb 100644 --- a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml +++ b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml 
@@ -1,58 +0,0 @@ ---- -- name: Ensure Zabbix scripts directory exists - ansible.builtin.file: - path: "{{ zabbix_scripts_dir }}" - state: directory - owner: root - group: root - mode: '0750' - -- name: Ensure hash-keys directory exists - ansible.builtin.file: - path: "{{ zabbix_hash_keys_dir }}" - state: directory - owner: root - group: root - mode: '0755' - -- name: Ensure Zabbix agent conf.d directory exists - ansible.builtin.file: - path: "{{ zabbix_agent_conf_dir }}" - state: directory - owner: root - group: root - mode: '0750' - -- name: Copy LXC config hash check script - ansible.builtin.copy: - src: check_lxc_config_hash.sh - dest: "{{ zabbix_scripts_dir }}/check_lxc_config_hash.sh" - owner: root - group: root - mode: '0750' - -- name: Copy sudoers file for Zabbix - ansible.builtin.copy: - src: zabbix - dest: /etc/sudoers.d/zabbix - owner: root - group: root - mode: '0440' - validate: 'visudo -cf %s' - -- name: Copy Zabbix userparameter config - ansible.builtin.copy: - src: userparam_check_lxc_config_hash.conf - dest: "{{ zabbix_agent_conf_dir }}/userparam_check_lxc_config_hash.conf" - owner: root - group: root - mode: '0644' - notify: Restart zabbix-agent2 - -- name: Generate baseline hash for LXC containers - ansible.builtin.shell: | - /snap/bin/lxc config show {{ item }} | md5sum | awk '{print $1}' > {{ zabbix_hash_keys_dir }}/{{ item }}-hash - args: - creates: "{{ zabbix_hash_keys_dir }}/{{ item }}-hash" - loop: "{{ lxc_containers_to_monitor }}" - when: lxc_containers_to_monitor is defined \ No newline at end of file From e717f8f70b002ec3e91e79dad3a4082508976cb7 Mon Sep 17 00:00:00 2001 From: Andrew Debevec Date: Tue, 18 Nov 2025 15:12:33 +0100 Subject: [PATCH 20/29] Revert "Add Zabbix LXC monitoring role for fsicos3." This reverts commit b2694cd7cb00cb7a6bc93be40c9ac1091708dd3e. --- devops/.gitignore | 3 +-- devops/host_vars/fsicos3.yml | 6 ------ 2 files changed, 1 insertion(+), 8 deletions(-) 
diff --git a/devops/.gitignore b/devops/.gitignore index 57cf61bcf..975f2e135 100644 --- a/devops/.gitignore +++ b/devops/.gitignore @@ -3,5 +3,4 @@ local_vars.yml .metals/ -.vscode/**/.DS_Store -.DS_Store +.vscode/ \ No newline at end of file diff --git a/devops/host_vars/fsicos3.yml b/devops/host_vars/fsicos3.yml index 141ecdf6c..c5546a0d4 100644 --- a/devops/host_vars/fsicos3.yml +++ b/devops/host_vars/fsicos3.yml @@ -110,9 +110,3 @@ icosdata_nfs_mounts: - path: /data/cupcake src: cupcake.nebula:/data/flexpart/output opts: "rw,soft,x-systemd.after=nebula.service" - - -# LXC containers to monitor on fsicos3 -lxc_containers_to_monitor: - - exploredata - From 2d2efc4d7c7fc78222c9cc82a3d3af25900222a7 Mon Sep 17 00:00:00 2001 
From: Andrew Debevec Date: Tue, 18 Nov 2025 15:12:43 +0100 Subject: [PATCH 21/29] Revert "Add Zabbix LXC monitoring role for fsicos3" This reverts commit 44145f1e949d520d44701813a5c00008265565ba. --- .../roles/icos.zabbix_lxc_monitor/.DS_Store | Bin 6148 -> 0 bytes .../icos.zabbix_lxc_monitor/defaults/main.yml | 0 .../files/check_docker_status.sh | 27 ------------------ .../files/check_lxc_config_hash.sh | 19 ------------ .../files/userparam_check_docker_status.conf | 1 - .../userparam_check_lxc_config_hash.conf | 1 - .../icos.zabbix_lxc_monitor/files/zabbix | 4 --- .../icos.zabbix_lxc_monitor/handlers/main.yml | 0 .../icos.zabbix_lxc_monitor/meta/main.yml | 0 .../icos.zabbix_lxc_monitor/tasks/main.yml | 0 10 files changed, 52 deletions(-) delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/.DS_Store delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml delete mode 100755 devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh delete mode 100755 devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/files/zabbix delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/meta/main.yml delete mode 100644 devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml 
diff --git a/devops/roles/icos.zabbix_lxc_monitor/.DS_Store b/devops/roles/icos.zabbix_lxc_monitor/.DS_Store deleted file mode 100644 index 67e4b851173cc63e067b7b49c918c848ddaaadb1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKOG*SW5UtV?8r;m%Wv(#b%2m(Mg8R9Ej5B_qn;sDNIe_=_HlD%vQl;1!5M0P8 zRgk<&sw$t?bdnMgT|I3VB6AUGP>4#UBJ8f3j@)?$)H23nf45lQjKjV%%wcwM?I&_8 z57Ns{YU}@G9mcNP^y3CG&Fj_q^TqCEIgKC2?Kd9#`#;9eVScw*RWJ|?1Ovgq&l$j- zO=(UIqYegwfneZ+0iF*Dh1fb~!*X<>Dk%Vv&*&o1nM*JxIkt}35Eh79D9}RHQw+6m z^e6Xg9kZc@i+b{*KJ$C>qGfiBpNhL^YZ!Gf5DZKiIJV}T_x~k+nQD?h4T)AT5Dfe? z26Wb~yA?L&ck7q!@vcoM*C-VFWhxNplScp=JV(xo(d>yj{94Cs$Who|!h!J+D1<~6 I4EzEEZ*j;evH$=8 diff --git a/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml b/devops/roles/icos.zabbix_lxc_monitor/defaults/main.yml deleted file mode 100644 index e69de29bb..000000000 diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh b/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh deleted file mode 100755 index 53b36809c..000000000 --- a/devops/roles/icos.zabbix_lxc_monitor/files/check_docker_status.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -#################################################### -# Docker status checker in LXC container -# OUTPUT: 1 = running, 0 = not running -#################################################### - -LXC_BIN="/snap/bin/lxc" -LXC_CONTAINER=$1 -DOCKER_CONTAINER=$2 - - -if [ -z "$DOCKER_CONTAINER" ]; then - echo "*** Missing parameter" - exit 1 -fi - -STATE=$(sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect -f '{{.State.Status}}' '$DOCKER_CONTAINER'" 2>/dev/null) - - -if [ "$STATE" = "running" ]; then - echo 1 -else - echo 0 -fi - -exit 0 diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh b/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh deleted file mode 100755 index 156015826..000000000 
--- a/devops/roles/icos.zabbix_lxc_monitor/files/check_lxc_config_hash.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -#################################################### -# Docker status checker in LXC container -# OUTPUT: 1 = changed, 0 = unchanged. -#################################################### - -CURRENT_HASH=$(sudo lxc config show exploredata | md5sum | awk '{print $1}') -BASELINE_HASH=$(cat /etc/zabbix/scripts/hash-keys/exploredata-hash) - - -if [ "$CURRENT_HASH" = "$BASELINE_HASH" ]; then - # Configuration unchanged - echo 0 -else - # Configuration has changed - echo 1 -fi - diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf deleted file mode 100644 index 70aaf6293..000000000 --- a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_docker_status.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=docker.status[*],/etc/zabbix/scripts/check_docker_status.sh $1 $2 diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf b/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf deleted file mode 100644 index dc2265b38..000000000 --- a/devops/roles/icos.zabbix_lxc_monitor/files/userparam_check_lxc_config_hash.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=hash.status,sudo /etc/zabbix/scripts/check_lxc_config_hash.sh diff --git a/devops/roles/icos.zabbix_lxc_monitor/files/zabbix b/devops/roles/icos.zabbix_lxc_monitor/files/zabbix deleted file mode 100644 index 7e2a84ea4..000000000 --- a/devops/roles/icos.zabbix_lxc_monitor/files/zabbix +++ /dev/null @@ -1,4 +0,0 @@ -zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec * -zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc config show * -zabbix ALL=(ALL) NOPASSWD: /usr/bin/md5sum -zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh 
diff --git a/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml b/devops/roles/icos.zabbix_lxc_monitor/handlers/main.yml deleted file mode 100644 index e69de29bb..000000000 diff --git a/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml b/devops/roles/icos.zabbix_lxc_monitor/meta/main.yml deleted file mode 100644 index e69de29bb..000000000 diff --git a/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml b/devops/roles/icos.zabbix_lxc_monitor/tasks/main.yml deleted file mode 100644 index e69de29bb..000000000 From 4cacc7175a2f1c5918b4cc90f713564b52a7c542 Mon Sep 17 00:00:00 2001 From: Andrew Debevec Date: Tue, 18 Nov 2025 15:14:00 +0100 Subject: [PATCH 22/29] Remove install_onlyoffice_fonts --- devops/install_onlyoffice_fonts.yml | 62 ----------------------------- 1 file changed, 62 deletions(-) delete mode 100644 devops/install_onlyoffice_fonts.yml diff --git a/devops/install_onlyoffice_fonts.yml b/devops/install_onlyoffice_fonts.yml deleted file mode 100644 index 14aad66c4..000000000 --- a/devops/install_onlyoffice_fonts.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -# -# Overview: Get onlyoffice container id -# Ver: 251103 -# Updated: -# -# get_onlyoffice_container_id_and_load_fonts.yml - -- hosts: fsicos2 - become: true - gather_facts: false - - vars: - container_name: "onlyoffice" - host_fonts_dir: "/docker/nextcloud/onlyoffice-fonts/aptos_fonts" - container_fonts_dir: "/usr/share/fonts/truetype/custom" - - tasks: - - name: Detect ONLYOFFICE container ID (short) - check_mode: no - shell: > - docker ps -q --filter "name={{ container_name }}" | head -n1 - args: - executable: /bin/bash - register: container_id - changed_when: false - - - name: Fail if container not found - assert: - that: container_id.stdout | trim | length > 0 - fail_msg: "ONLYOFFICE container not found (name={{ container_name }})." - - - name: Ensure fonts directory exists inside the container - check_mode: no - shell: > - docker exec -u 0 {{ container_id.stdout | trim }} - bash -lc 'mkdir -p {{ container_fonts_dir }}' - args: - executable: /bin/bash - changed_when: false - - - name: Copy fonts into the container - check_mode: no - shell: > - docker cp {{ host_fonts_dir }}/. - {{ container_id.stdout | trim }}:{{ container_fonts_dir }}/ - args: - executable: /bin/bash - changed_when: false - - - name: Refresh font caches and ONLYOFFICE metadata - check_mode: no - shell: > - docker exec -u 0 {{ container_id.stdout | trim }} - bash -lc 'fc-cache -f -v && /usr/bin/documentserver-generate-allfonts.sh' - args: - executable: /bin/bash - changed_when: false - - - name: Print container ID - debug: - msg: "{{ container_id.stdout | trim }}" From 035d4c0e039260635852cae454f390964281ff0e Mon Sep 17 00:00:00 2001 From: Andrew Debevec Date: Tue, 18 Nov 2025 15:16:02 +0100 Subject: [PATCH 23/29] Remove changes to production_inventory/stilt.yml --- devops/production.inventory/stilt.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
diff --git a/devops/production.inventory/stilt.yml b/devops/production.inventory/stilt.yml index a7308eefe..662782bc0 100644 --- a/devops/production.inventory/stilt.yml +++ b/devops/production.inventory/stilt.yml @@ -20,9 +20,8 @@ stiltcluster_hosts: # The machine has 24 stiltcluster_maxcores: 20 - fsicos3: - stiltrun_user: stiltcluster - stiltcluster_docker: false - stilt_input_dir: /data/stilt_legacy/Input - #stilt_input_mount: /data/stilt_legacy/Input - stiltcluster_maxcores: 20 + # fsicos3: + # stiltrun_user: stiltcluster + # stiltcluster_docker: false + # stiltcluster_maxcores: 40 + # stilt_input_dir: /data/stilt_legacy/Input From 8cf50671ce99af226bfe5ea38a49ec9652b517f4 Mon Sep 17 00:00:00 2001 From: robban-github Date: Wed, 19 Nov 2025 10:54:30 +0100 Subject: [PATCH 24/29] [zabbix-agent] Adding role for installing zabbix agent on fsicos2. --- .../files/zabbix_agent2.conf | 576 ------------------ devops/server-fsicos2.yml | 3 + 2 files changed, 3 insertions(+), 576 deletions(-) delete mode 100644 devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf diff --git a/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf b/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf deleted file mode 100644 index 0ae68d0d2..000000000 --- a/devops/roles/icos.zabbix_agent/files/zabbix_agent2.conf +++ /dev/null 
@@ -1,576 +0,0 @@ -# This is a configuration file for Zabbix agent 2 (Unix) -# To get more information about Zabbix, visit https://www.zabbix.com - -############ GENERAL PARAMETERS ################# - -### Option: PidFile -# Name of PID file. -# -# Mandatory: no -# Default: -# PidFile=/tmp/zabbix_agent2.pid - -PidFile=/run/zabbix/zabbix_agent2.pid - -### Option: LogType -# Specifies where log messages are written to: -# system - syslog -# file - file specified with LogFile parameter -# console - standard output -# -# Mandatory: no -# Default: -# LogType=file - -### Option: LogFile -# Log file name for LogType 'file' parameter. -# -# Mandatory: yes, if LogType is set to file, otherwise no -# Default: -# LogFile=/tmp/zabbix_agent2.log - -LogFile=/var/log/zabbix/zabbix_agent2.log - -### Option: LogFileSize -# Maximum size of log file in MB. -# 0 - disable automatic log rotation. -# -# Mandatory: no -# Range: 0-1024 -# Default: -# LogFileSize=1 - -LogFileSize=0 - -### Option: DebugLevel -# Specifies debug level: -# 0 - basic information about starting and stopping of Zabbix processes -# 1 - critical information -# 2 - error information -# 3 - warnings -# 4 - for debugging (produces lots of information) -# 5 - extended debugging (produces even more information) -# -# Mandatory: no -# Range: 0-5 -# Default: -# DebugLevel=3 - -### Option: SourceIP -# Source IP address for outgoing connections. -# -# Mandatory: no -# Default: -# SourceIP= - -##### Passive checks related - -### Option: Server -# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. -# Incoming connections will be accepted only from the hosts listed here. -# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally -# and '::/0' will allow any IPv4 or IPv6 address. -# '0.0.0.0/0' can be used to allow any IPv4 address. 
-# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com -# -# If left empty or not set will disable passive checks, and Zabbix agent 2 will not listen on the ListenPort. -# -# Mandatory: no -# Default: -# Server= - -Server=icos-zbx1,127.0.0.1 - -### Option: ListenPort -# Agent will listen on this port for connections from the server. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# ListenPort=10050 - -### Option: ListenIP -# List of comma delimited IP addresses that the agent should listen on. -# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. -# -# Mandatory: no -# Default: -# ListenIP=0.0.0.0 - -### Option: StatusPort -# Agent will listen on this port for HTTP status requests. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# StatusPort= - -##### Active checks related - -### Option: ServerActive -# Zabbix server/proxy address or cluster configuration to get active checks from. -# Server/proxy address is IP address or DNS name and optional port separated by colon. -# Cluster configuration is one or more server addresses separated by semicolon. -# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. -# More than one Zabbix proxy should not be specified from each Zabbix server/cluster. -# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. -# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. -# If port is not specified, default port is used. -# IPv6 addresses must be enclosed in square brackets if port for that host is specified. -# If port is not specified, square brackets for IPv6 addresses are optional. -# If this parameter is not specified, active checks are disabled. 
-# Example for Zabbix proxy: -# ServerActive=127.0.0.1:10051 -# Example for multiple servers: -# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] -# Example for high availability: -# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 -# Example for high availability with two clusters and one server: -# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain -# -# Mandatory: no -# Default: -# ServerActive= - -ServerActive=icos-zbx1 - -### Option: Hostname -# List of comma delimited unique, case sensitive hostnames. -# Required for active checks and must match hostnames as configured on the server. -# Value is acquired from HostnameItem if undefined. -# -# Mandatory: no -# Default: -# Hostname= - -Hostname=fsicos3 - -### Option: HostnameItem -# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. -# Does not support UserParameters or aliases. -# -# Mandatory: no -# Default: -# HostnameItem=system.hostname - -### Option: HostMetadata -# Optional parameter that defines host metadata. -# Host metadata is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 2034 bytes. -# If not defined, value will be acquired from HostMetadataItem. -# -# Mandatory: no -# Range: 0-2034 bytes -# Default: -# HostMetadata= - -### Option: HostMetadataItem -# Optional parameter that defines an item used for getting host metadata. -# Host metadata is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 65535 characters. -# This option is only used when HostMetadata is not defined. -# -# Mandatory: no -# Default: -# HostMetadataItem= - -### Option: HostInterface -# Optional parameter that defines host interface. 
-# Host interface is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostInterfaceItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostInterface= - -### Option: HostInterfaceItem -# Optional parameter that defines an item used for getting host interface. -# Host interface is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostInterface is not defined. -# -# Mandatory: no -# Default: -# HostInterfaceItem= - -### Option: RefreshActiveChecks -# How often list of active checks is refreshed, in seconds. -# -# Mandatory: no -# Range: 1-86400 -# Default: -# RefreshActiveChecks=5 - -### Option: BufferSend -# Do not keep data longer than N seconds in buffer. -# -# Mandatory: no -# Range: 1-3600 -# Default: -# BufferSend=5 - -### Option: BufferSize -# Maximum number of values in a memory buffer. The agent will send -# all collected data to Zabbix Server or Proxy if the buffer is full. -# Option is not valid if EnablePersistentBuffer=1 -# -# Mandatory: no -# Range: 2-65535 -# Default: -# BufferSize=1000 - -### Option: EnablePersistentBuffer -# Enable usage of local persistent storage for active items. -# 0 - disabled, in-memory buffer is used (default); 1 - use persistent buffer -# Mandatory: no -# Range: 0-1 -# Default: -# EnablePersistentBuffer=0 - -### Option: PersistentBufferPeriod -# Zabbix Agent2 will keep data for this time period in case of no -# connectivity with Zabbix server or proxy. Older data will be lost. Log data will be preserved. -# Option is valid if EnablePersistentBuffer=1 -# -# Mandatory: no -# Range: 1m-365d -# Default: -# PersistentBufferPeriod=1h - -### Option: PersistentBufferFile -# Full filename. 
Zabbix Agent2 will keep SQLite database in this file. -# Option is valid if EnablePersistentBuffer=1 -# -# Mandatory: no -# Default: -# PersistentBufferFile= - -### Option: HeartbeatFrequency -# Frequency of heartbeat messages in seconds. -# Used for monitoring availability of active checks. -# 0 - heartbeat messages disabled. -# -# Mandatory: no -# Range: 0-3600 -# Default: 60 -# HeartbeatFrequency= - -############ ADVANCED PARAMETERS ################# - -### Option: Alias -# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. -# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. -# Different Alias keys may reference the same item key. -# For example, to retrieve the ID of user 'zabbix': -# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] -# Now shorthand key zabbix.userid may be used to retrieve data. -# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. -# -# Mandatory: no -# Range: -# Default: - -### Option: Timeout -# Specifies how long to wait (in seconds) for establishing connection and exchanging data with Zabbix proxy or server. -# -# Mandatory: no -# Range: 1-30 -# Default: -# Timeout=3 - -### Option:PluginTimeout -# Timeout for connections with external plugins. -# -# Mandatory: no -# Range: 1-30 -# Default: -# PluginTimeout= - -### Option:PluginSocket -# Path to unix socket for external plugin communications. -# -# Mandatory: no -# Default:/tmp/agent.plugin.sock -# PluginSocket= - -PluginSocket=/run/zabbix/agent.plugin.sock - -####### USER-DEFINED MONITORED PARAMETERS ####### - -### Option: UnsafeUserParameters -# Allow all characters to be passed in arguments to user-defined parameters. -# The following characters are not allowed: -# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ -# Additionally, newline characters are not allowed. 
-# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Range: 0-1 -# Default: -# UnsafeUserParameters=0 - -### Option: UserParameter -# User-defined parameter to monitor. There can be several user-defined parameters. -# Format: UserParameter=, -# See 'zabbix_agentd' directory for examples. -# -# Mandatory: no -# Default: -# UserParameter= - -### Option: UserParameterDir -# Directory to execute UserParameter commands from. Only one entry is allowed. -# When executing UserParameter commands the agent will change the working directory to the one -# specified in the UserParameterDir option. -# This way UserParameter commands can be specified using the relative ./ prefix. -# -# Mandatory: no -# Default: -# UserParameterDir= - -### Option: ControlSocket -# The control socket, used to send runtime commands with '-R' option. -# -# Mandatory: no -# Default: -# ControlSocket= - -ControlSocket=/run/zabbix/agent.sock - -####### TLS-RELATED PARAMETERS ####### - -### Option: TLSConnect -# How the agent should connect to server or proxy. Used for active checks. -# Only one value can be specified: -# unencrypted - connect without encryption -# psk - connect using TLS and a pre-shared key -# cert - connect using TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSConnect=unencrypted - -TLSConnect=psk - -### Option: TLSAccept -# What incoming connections to accept. 
-# Multiple values can be specified, separated by comma: -# unencrypted - accept connections without encryption -# psk - accept connections secured with TLS and a pre-shared key -# cert - accept connections secured with TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSAccept=unencrypted - -TLSAccept=psk - -### Option: TLSCAFile -# Full pathname of a file containing the top-level CA(s) certificates for -# peer certificate verification. -# -# Mandatory: no -# Default: -# TLSCAFile= - -### Option: TLSCRLFile -# Full pathname of a file containing revoked certificates. -# -# Mandatory: no -# Default: -# TLSCRLFile= - -### Option: TLSServerCertIssuer -# Allowed server certificate issuer. -# -# Mandatory: no -# Default: -# TLSServerCertIssuer= - -### Option: TLSServerCertSubject -# Allowed server certificate subject. -# -# Mandatory: no -# Default: -# TLSServerCertSubject= - -### Option: TLSCertFile -# Full pathname of a file containing the agent certificate or certificate chain. -# -# Mandatory: no -# Default: -# TLSCertFile= - -### Option: TLSKeyFile -# Full pathname of a file containing the agent private key. -# -# Mandatory: no -# Default: -# TLSKeyFile= - -### Option: TLSPSKIdentity -# Unique, case sensitive string used to identify the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKIdentity= - -TLSPSKIdentity=fsicos3 - -### Option: TLSPSKFile -# Full pathname of a file containing the pre-shared key. 
-# -# Mandatory: no -# Default: -# TLSPSKFile= - -TLSPSKFile=/etc/zabbix/psk_secret.psk - -####### PLUGIN-SPECIFIC PARAMETERS ####### - -### Option: Plugins -# A plugin can have one or more plugin specific configuration parameters in format: -# Plugins..= -# Plugins..= -# -# Mandatory: no -# Range: -# Default: - -### Option: Plugins.Log.MaxLinesPerSecond -# Maximum number of new lines the agent will send per second to Zabbix Server -# or Proxy processing 'log' and 'logrt' active checks. -# The provided value will be overridden by the parameter 'maxlines', -# provided in 'log' or 'logrt' item keys. -# -# Mandatory: no -# Range: 1-1000 -# Default: -# Plugins.Log.MaxLinesPerSecond=20 - -### Option: AllowKey -# Allow execution of item keys matching pattern. -# Multiple keys matching rules may be defined in combination with DenyKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# -# Mandatory: no - -### Option: DenyKey -# Deny execution of items keys matching pattern. -# Multiple keys matching rules may be defined in combination with AllowKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. -# -# Mandatory: no -# Default: -# DenyKey=system.run[*] - - -AllowKey=system.run[*] -Timeout=10 - -### Option: Plugins.SystemRun.LogRemoteCommands -# Enable logging of executed shell commands as warnings. 
-# 0 - disabled -# 1 - enabled -# -# Mandatory: no -# Default: -# Plugins.SystemRun.LogRemoteCommands=0 - -### Option: ForceActiveChecksOnStart -# Perform active checks immediately after restart for first received configuration. -# Also available as per plugin configuration, example: Plugins.Uptime.System.ForceActiveChecksOnStart=1 -# -# Mandatory: no -# Range: 0-1 -# Default: -# ForceActiveChecksOnStart=0 - -# Include configuration files for plugins -Include=/etc/zabbix/zabbix_agent2.d/plugins.d/*.conf - -####### For advanced users - TLS ciphersuite selection criteria ####### - -### Option: TLSCipherCert13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# -# Mandatory: no -# Default: -# TLSCipherCert13= - -### Option: TLSCipherCert -# OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# Example: -# EECDH+aRSA+AES128:RSA+aRSA+AES128 -# -# Mandatory: no -# Default: -# TLSCipherCert= - -### Option: TLSCipherPSK13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example: -# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherPSK13= - -### Option: TLSCipherPSK -# OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example: -# kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherPSK= - -### Option: TLSCipherAll13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example: -# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherAll13= - -### Option: TLSCipherAll -# OpenSSL (TLS 1.2) cipher string. 
-# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example: -# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherAll= - -####### Additional configuration files ####### - -### Option: Include -# You may include individual files or all files in a directory in the configuration file. -# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. -# -# Mandatory: no -# Default: -# Include= - -Include=/etc/zabbix/zabbix_agent2.d/*.conf - -# Include=/usr/local/etc/zabbix_agent2.userparams.conf -# Include=/usr/local/etc/zabbix_agent2.conf.d/ -# Include=/usr/local/etc/zabbix_agent2.conf.d/*.conf diff --git a/devops/server-fsicos2.yml b/devops/server-fsicos2.yml index 530106d05..30a84d8e2 100644 --- a/devops/server-fsicos2.yml +++ b/devops/server-fsicos2.yml @@ -17,3 +17,6 @@ - role: icos.nfs4 tags: nfs + + - role: icos.zabbix_agent + tags: zabbix-agent \ No newline at end of file From 7c45834b5e09a8b1ab6603cebbb6619396f9ce9b Mon Sep 17 00:00:00 2001 From: robban-github Date: Wed, 19 Nov 2025 11:12:21 +0100 Subject: [PATCH 25/29] Add .DS_Store to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c9524f066..4f6cf22ca 100644 --- a/.gitignore +++ b/.gitignore @@ -42,3 +42,4 @@ devops/roles/icos.postgresql/postgis_restore_log.txt devops/roles/icos.postgresql/rdflog_restore_log.txt devops/roles/icos.restheart/restheart_restore_log.txt +.DS_Store From 64697b6168bd54866e89ee640f249da4018d509b Mon Sep 17 00:00:00 2001 From: robban-github Date: Wed, 19 Nov 2025 11:13:33 +0100 Subject: [PATCH 26/29] Add .DS_Store to gitignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 4f6cf22ca..d13491d9d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -42,4 +42,4 @@
 devops/roles/icos.postgresql/postgis_restore_log.txt
 devops/roles/icos.postgresql/rdflog_restore_log.txt
 devops/roles/icos.restheart/restheart_restore_log.txt
-.DS_Store
+**/.DS_Store
From ff50e51badcde23b82830d82e21c2539de2e4739 Mon Sep 17 00:00:00 2001
From: robban-github Date: Wed, 19 Nov 2025 15:22:58 +0100 Subject: [PATCH 27/29] [zabbix-custom checks] Adding zabbix custom checks role for fsicos2 and fsicos3. --- .../roles/icos.zabbix_custom_checks/README.md | 73 ++++++++ .../defaults/main.yml | 5 + .../files/fsicos2/check_borg_backup.sh | 33 ++++ .../files/fsicos2/check_certbot_valid_days.py | 131 +++++++++++++++ .../files/fsicos2/check_docker_running.sh | 6 + .../files/fsicos2/check_lxc_running.sh | 13 ++ .../files/fsicos2/check_mounts.sh | 25 +++ .../files/fsicos2/check_ping.sh | 26 +++ .../files/fsicos2/custom_certbot_monitor.conf | 1 + .../fsicos2/custom_check_borg_backup.conf | 2 + .../fsicos2/custom_check_docker_running.conf | 1 + .../fsicos2/custom_check_lxc_running.conf | 1 + .../files/fsicos2/custom_check_mount.conf | 1 + .../files/fsicos2/custom_ping_check.conf | 1 + .../files/fsicos2/zabbix | 4 + .../files/fsicos3/check_certbot_valid_days.py | 131 +++++++++++++++ .../files/fsicos3/check_docker_status.sh | 27 +++ .../files/fsicos3/check_lxc_config_hash.sh | 19 +++ .../files/fsicos3/check_mounts.sh | 25 +++ .../fsicos3/userparam_certbot_monitor.conf | 1 + .../userparam_check_docker_status.conf | 1 + .../userparam_check_lxc_config_hash.conf | 1 + .../files/fsicos3/userparam_check_mount.conf | 1 + .../files/fsicos3/zabbix | 4 + .../handlers/main.yml | 6 + .../icos.zabbix_custom_checks/tasks/main.yml | 158 ++++++++++++++++++ devops/server-fsicos2.yml | 7 +- devops/server-fsicos3.yml | 3 + 28 files changed, 706 insertions(+), 1 deletion(-) create mode 100644 devops/roles/icos.zabbix_custom_checks/README.md create mode 100644 devops/roles/icos.zabbix_custom_checks/defaults/main.yml create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh create mode 100755 
devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh create mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf create mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix create mode 100644 devops/roles/icos.zabbix_custom_checks/handlers/main.yml create mode 100644 devops/roles/icos.zabbix_custom_checks/tasks/main.yml 
diff --git a/devops/roles/icos.zabbix_custom_checks/README.md b/devops/roles/icos.zabbix_custom_checks/README.md new file mode 100644 index 000000000..1f763192e --- /dev/null +++ b/devops/roles/icos.zabbix_custom_checks/README.md 
@@ -0,0 +1,73 @@ +# Ansible Role: icos.zabbix_custom_checks + +This Ansible role deploys custom Zabbix monitoring checks to specific hosts (fsicos2 and fsicos3). + +## Role Structure + +``` +icos.zabbix_custom_checks/ +├── defaults/ +│ └── main.yml # Default variables +├── handlers/ +│ └── main.yml # Service restart handlers +├── tasks/ +│ └── main.yml # Main tasks with blocks and tags +├── files/ +│ ├── fsicos2/ # Files specific to fsicos2 +│ │ ├── check_*.sh # Shell check scripts +│ │ ├── check_*.py # Python check scripts +│ │ ├── custom_*.conf # Custom configuration files +│ │ └── zabbix # Sudoers file (optional) +│ └── fsicos3/ # Files specific to fsicos3 +│ ├── check_*.sh # Shell check scripts +│ ├── check_*.py # Python check scripts +│ ├── custom_*.conf # Custom configuration files +│ └── zabbix # Sudoers file (optional) +└── README.md # This file +``` + +## Variables + +The following variables are defined in `defaults/main.yml`: + +- `zabbix_scripts_dir`: Directory for Zabbix scripts (default: `/etc/zabbix/scripts`) +- `zabbix_custom_dir`: Directory for custom configurations (default: `/etc/zabbix/zabbix_agent2.d`) +- `zabbix_sudoers_dir`: Directory for sudoers files (default: `/etc/sudoers.d`) +- `zabbix_agent_service`: Zabbix agent service name (default: `zabbix-agent2`) + +## Tags + +The role uses the following tags for selective deployment: + +- `fsicos2-custom`: Deploy only fsicos2 custom checks +- `fsicos3-custom`: Deploy only fsicos3 custom checks +- `zabbix-custom`: Deploy all custom checks + +## Usage + +### Deploy only to fsicos2 +``` +just play server-fsicos2 -t fsicos2-custom -D +``` + +### Deploy only to fsicos3 +``` +just play server-fsicos3 -t fsicos3-custom -D +``` + +## Features + +1. **Automatic directory creation**: Creates necessary Zabbix directories if they don't exist +2. **Proper file permissions**: Sets correct ownership and permissions for all files +3. 
**Conditional deployment**: Uses blocks with conditions to deploy files only to appropriate hosts +4. **Sudoers validation**: Validates sudoers files before deployment +5. **Service restart**: Automatically restarts Zabbix agent after file changes +6. **Tag-based deployment**: Allows selective deployment using tags + +## Notes + +- The role checks if the host is named 'fsicos2' or 'fsicos3' or belongs to corresponding groups +- All check scripts are made executable (mode 0755) +- Configuration files are deployed with read permissions (mode 0644) +- The Zabbix agent service is restarted only when files are changed + diff --git a/devops/roles/icos.zabbix_custom_checks/defaults/main.yml b/devops/roles/icos.zabbix_custom_checks/defaults/main.yml new file mode 100644 index 000000000..91d9c8698 --- /dev/null +++ b/devops/roles/icos.zabbix_custom_checks/defaults/main.yml @@ -0,0 +1,5 @@ +# Zabbix variables +zabbix_scripts_dir: /etc/zabbix/scripts +zabbix_custom_dir: /etc/zabbix/zabbix_agent2.d +zabbix_sudoers_dir: /etc/sudoers.d +zabbix_agent_service: zabbix-agent2 \ No newline at end of file diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh new file mode 100755 index 000000000..34e4c8aa6 --- /dev/null +++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh 
@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Ver: 2025-09-21 by Robert
+#
+export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
+export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
+
+REPO_BASE_DIR=$1
+REPO_DIR=$(eval echo "$REPO_BASE_DIR")
+repos=$(ls "$REPO_DIR" 2>/dev/null)
+current_time=$(date +%Y-%m-%d)
+
+# Check each repository
+for repo in $repos; do
+ [[ "$repo" == "." || "$repo" == ".." ]] && continue
+ [[ "$repo" == "prometheus.repo" ]] && continue
+
+ latest_archive=$(borg list --format '{time:%Y-%m-%d} {name}' --last=1 "$REPO_BASE_DIR/$repo" 2>/dev/null)
+ if [[ $? -eq 0 && "$latest_archive" != "" ]]; then
+ backup_date=$(echo "$latest_archive" | cut -c1-10)
+ if [[ "$backup_date" != "$current_time" ]]; then
+ echo "FAILURE1: Outdated backup in repo $repo"
+ exit 0 # Important: exit 0 so Zabbix gets the data
+ fi
+ else
+ echo "FAILURE2: Cannot check repo $repo"
+ exit 0 # Important: exit 0 so Zabbix gets the data
+ fi
+done
+
+echo "SUCCESS: All repositories have backups for today ($current_time)"
+exit 0
+
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py
new file mode 100755
index 000000000..ae8e04b7f
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py
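Review bot: `REPO_DIR=$(eval echo "$REPO_BASE_DIR")` in check_borg_backup.sh evaluates the script's first argument as shell code, and custom_check_borg_backup.conf in this commit hands the Zabbix item-key parameter to it as `$1` behind `sudo`. The agent's default filtering of shell metacharacters in UserParameter arguments is then the only barrier in front of a command that runs as root, and the script should not depend on that setting staying off. Use the argument as a literal path, `REPO_DIR=$REPO_BASE_DIR`, and reject anything that is not an absolute path, e.g. `case "$REPO_BASE_DIR" in /*) ;; *) echo "FAILURE2: bad repo path"; exit 0 ;; esac`. Iterating over `"$REPO_DIR"/*` instead of the unquoted `$(ls …)` output would also stop repository names containing spaces from being split.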
@@ -0,0 +1,131 @@ +#!/usr/bin/env python3 +""" +Certbot Certificate Monitor Script +Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date +""" + +import subprocess +import re +import sys +from datetime import datetime + + +# ---------------------------------------------------------------------- +def run_certbot_certificates(): + """ + Execute 'certbot certificates' command and return the output + """ + try: + result = subprocess.run( + ['certbot', 'certificates'], + capture_output=True, + text=True, + check=True + ) + return result.stdout + except subprocess.CalledProcessError as e: + print(f"Error running certbot command: {e}", file=sys.stderr) + print(f"Return code: {e.returncode}", file=sys.stderr) + print(f"Error output: {e.stderr}", file=sys.stderr) + return None + except FileNotFoundError: + print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) + return None + + +# ---------------------------------------------------------------------- +def parse_certificates(output): + """ + Parse certbot output and extract certificate names with valid days + Returns dictionary with Certificate Name as key and valid days as value + If certificate is invalid, sets value to -1 + """ + dic_certificates = {} + + # Split output into lines + lines = output.strip().split('\n') + current_cert_name = None + + for line in lines: + line = line.strip() + + # Look for Certificate Name + if line.startswith('Certificate Name:'): + current_cert_name = line.split(':', 1)[1].strip() + + # Look for Expiry Date and extract valid days + elif line.startswith('Expiry Date:') and current_cert_name: + expiry_info = line.split(':', 1)[1].strip() + + # Extract valid days using regex + # Look for patterns like "(VALID: 89 days)" or "(INVALID)" + valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) + invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) + + if valid_match: + # Extract the 
number of valid days + valid_days = int(valid_match.group(1)) + dic_certificates[current_cert_name] = valid_days + elif invalid_match: + # Certificate is invalid + dic_certificates[current_cert_name] = -1 + else: + # If we can't determine validity, assume invalid + dic_certificates[current_cert_name] = -1 + + # Reset current_cert_name for next certificate + current_cert_name = None + + return dic_certificates + +# ---------------------------------------------------------------------- +def format_output(dic_certificates): + """ + Format and print the certificate information sorted by valid days (least to most) + Input: dictionary with certificate names as keys and valid days as values + """ + if not dic_certificates: + print("No certificates found.") + sys.exit(2) + + # Sort dictionary by valid days (least to most, -1 values first) + sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) + + for cert_name, valid_days in sorted_certificates: + if valid_days == -1: + print(f"Certificate: {cert_name}, EXPIRED") + sys.exit(1) + elif valid_days < 14: + print(f"Warning: Less than 14 valid days for: {cert_name}") + sys.exit(3) + + print(f"All certificates are valid with more than 30 days.") + sys.exit(0) + +# ---------------------------------------------------------------------- +def main(): + """ + Main function to orchestrate the certificate checking process + """ + + # Run certbot command + output = run_certbot_certificates() + if output is None: + sys.exit(1) + + # Parse the output + certificates = parse_certificates(output) + + # Format and display results + format_output(certificates) + + # Optional: Return certificates for programmatic use + return certificates + +if __name__ == "__main__": + main() + + + + + diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh new file mode 100755 index 000000000..0448887ac --- /dev/null 
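Review bot: The success message in `format_output` claims "more than 30 days", but the only threshold the loop applies is `valid_days < 14`, so a certificate with 14–29 days left is reported with a statement that is false. Either align the text, `print("All certificates are valid for at least 14 days.")`, or add the 30-day tier the message implies. check_borg_backup.sh in this same commit deliberately exits 0 "so Zabbix gets the data", whereas this script exits 1, 2 or 3 on every problem state; confirm the agent still delivers the printed text in those cases. The `from datetime import datetime` import is unused, and the identical copy under files/fsicos3/ has the same issues.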
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+###############################################
+# check_docker_num.sh - Zabbix version
+# Returns number of running docker containers
+###############################################
+docker ps -q 2>/dev/null | wc -l
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh
new file mode 100755
index 000000000..4695378a3
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+###############################################
+#
+# check_lxc_running.sh
+# Returns number of running LXC containers
+#
+###############################################
+
+# Set HOME to avoid snap warning
+export HOME=/root
+
+/snap/bin/lxc list --format=csv -c ns 2>/dev/null | grep -c "RUNNING" || echo 0
+
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh
new file mode 100755
index 000000000..e1aaa99c2
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+###############################################
+# check_mounts.sh
+#
+# Paramter with correct value needed.
+# Returns:
+# 0 - Correct numbers of nfs mounts
+# 1 - NFS mount(s) is missing.
+#
+###############################################
+
+EXPECTED=$1
+ACTUAL=$(df -P 2>/dev/null | grep ':' | wc -l)
+
+if [ "$ACTUAL" -eq "$EXPECTED" ]; then
+ echo "OK: $ACTUAL mount points found (expected: $EXPECTED)"
+ exit 0
+else
+ echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)"
+ exit 1
+fi
+
+exit 0
+
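Review bot: In check_lxc_running.sh, `grep -c "RUNNING" || echo 0` prints two lines when no container is running, because `grep -c` already writes `0` and then exits with status 1, which triggers the `echo 0` as well. The item then receives `0` followed by a second `0` instead of a single number. Replace the fallback with `| grep -c "RUNNING" || true`, or capture the count in a variable and print it once. Because stderr of `lxc list` is discarded, a failing `lxc` call is also reported as zero running containers; if that distinction matters for alerting, test the exit status of `lxc list` separately.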
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh
new file mode 100755
index 000000000..9267a194e
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Script to check ping connectivity to specified host
+# Returns 0 if ping is successful, 1 if failed
+#
+# Usage: ./check_ping_connectivity.sh
+
+# Check if destination parameter is provided
+if [ -z "$1" ]; then
+ echo 1
+ exit 1
+fi
+
+DESTINATION="$1"
+PING_COUNT=3
+PING_TIMEOUT=2
+
+# Perform ping test
+ping -c $PING_COUNT -W $PING_TIMEOUT "$DESTINATION" > /dev/null 2>&1
+
+# Check exit status and return result
+if [ $? -eq 0 ]; then
+ echo 0 # Success
+else
+ echo 1 # Failed
+fi
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf
new file mode 100644
index 000000000..219831fe6
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf
@@ -0,0 +1 @@
+UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf
new file mode 100644
index 000000000..2ef0e2204
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf
@@ -0,0 +1,2 @@
+UserParameter=backup.borg.status[*],sudo /etc/zabbix/scripts/check_borg_backup.sh $1
+
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf
new file mode 100644
index 000000000..d5751e701
--- /dev/null
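Review bot: check_ping.sh passes the item-key parameter to `ping` as `"$DESTINATION"` without marking the end of options, so a value beginning with `-` is parsed by ping as an option rather than as a host. Add an explicit terminator and quote the counters, `ping -c "$PING_COUNT" -W "$PING_TIMEOUT" -- "$DESTINATION" > /dev/null 2>&1`, and consider rejecting values that do not look like a hostname or address before calling ping. The missing-parameter branch prints `1`, the same value as a failed ping, so a misconfigured item cannot be told apart from an unreachable host. The usage line in the header also names `check_ping_connectivity.sh` rather than this file.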
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf
@@ -0,0 +1 @@
+UserParameter=docker.running,/etc/zabbix/scripts/check_docker_running.sh
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf
new file mode 100644
index 000000000..b80ab5ca6
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf
@@ -0,0 +1 @@
+UserParameter=lxc.running,sudo /etc/zabbix/scripts/check_lxc_running.sh
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf
new file mode 100644
index 000000000..b8fbdc30b
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf
@@ -0,0 +1 @@
+UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf
new file mode 100644
index 000000000..6b25d336e
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf
@@ -0,0 +1 @@
+UserParameter=ping.check[*],/etc/zabbix/scripts/check_ping.sh $1
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix
new file mode 100644
index 000000000..80953268f
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix
@@ -0,0 +1,4 @@
+# Zabbix monitoring
+Defaults:zabbix !requiretty
+zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_docker_running.sh
+zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_running.sh
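Review bot: The rules in files/fsicos2/zabbix do not match the commands that the UserParameter files in this commit actually run. `cert.status` and `backup.borg.status[*]` call `sudo` on check_certbot_valid_days.py and check_borg_backup.sh, for which there is no rule here, so unless another sudoers file covers them those items will fail at the sudo step; `docker.running` has a rule but is invoked without `sudo`. Grant exactly the scripts that need root and nothing else, and narrow the run-as spec from `(ALL)` to `(root)`, e.g. `zabbix ALL=(root) NOPASSWD: /etc/zabbix/scripts/check_lxc_running.sh`.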
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py new file mode 100755 index 000000000..ae8e04b7f --- /dev/null +++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py 
@@ -0,0 +1,131 @@ +#!/usr/bin/env python3 +""" +Certbot Certificate Monitor Script +Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date +""" + +import subprocess +import re +import sys +from datetime import datetime + + +# ---------------------------------------------------------------------- +def run_certbot_certificates(): + """ + Execute 'certbot certificates' command and return the output + """ + try: + result = subprocess.run( + ['certbot', 'certificates'], + capture_output=True, + text=True, + check=True + ) + return result.stdout + except subprocess.CalledProcessError as e: + print(f"Error running certbot command: {e}", file=sys.stderr) + print(f"Return code: {e.returncode}", file=sys.stderr) + print(f"Error output: {e.stderr}", file=sys.stderr) + return None + except FileNotFoundError: + print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) + return None + + +# ---------------------------------------------------------------------- +def parse_certificates(output): + """ + Parse certbot output and extract certificate names with valid days + Returns dictionary with Certificate Name as key and valid days as value + If certificate is invalid, sets value to -1 + """ + dic_certificates = {} + + # Split output into lines + lines = output.strip().split('\n') + current_cert_name = None + + for line in lines: + line = line.strip() + + # Look for Certificate Name + if line.startswith('Certificate Name:'): + current_cert_name = line.split(':', 1)[1].strip() + + # Look for Expiry Date and extract valid days + elif line.startswith('Expiry Date:') and current_cert_name: + expiry_info = line.split(':', 1)[1].strip() + + # Extract valid days using regex + # Look for patterns like "(VALID: 89 days)" or "(INVALID)" + valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) + invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) + + if valid_match: + # Extract the 
number of valid days + valid_days = int(valid_match.group(1)) + dic_certificates[current_cert_name] = valid_days + elif invalid_match: + # Certificate is invalid + dic_certificates[current_cert_name] = -1 + else: + # If we can't determine validity, assume invalid + dic_certificates[current_cert_name] = -1 + + # Reset current_cert_name for next certificate + current_cert_name = None + + return dic_certificates + +# ---------------------------------------------------------------------- +def format_output(dic_certificates): + """ + Format and print the certificate information sorted by valid days (least to most) + Input: dictionary with certificate names as keys and valid days as values + """ + if not dic_certificates: + print("No certificates found.") + sys.exit(2) + + # Sort dictionary by valid days (least to most, -1 values first) + sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) + + for cert_name, valid_days in sorted_certificates: + if valid_days == -1: + print(f"Certificate: {cert_name}, EXPIRED") + sys.exit(1) + elif valid_days < 14: + print(f"Warning: Less than 14 valid days for: {cert_name}") + sys.exit(3) + + print(f"All certificates are valid with more than 30 days.") + sys.exit(0) + +# ---------------------------------------------------------------------- +def main(): + """ + Main function to orchestrate the certificate checking process + """ + + # Run certbot command + output = run_certbot_certificates() + if output is None: + sys.exit(1) + + # Parse the output + certificates = parse_certificates(output) + + # Format and display results + format_output(certificates) + + # Optional: Return certificates for programmatic use + return certificates + +if __name__ == "__main__": + main() + + + + + diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh new file mode 100755 index 000000000..53b36809c --- /dev/null 
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+####################################################
+# Docker status checker in LXC container
+# OUTPUT: 1 = running, 0 = not running
+####################################################
+
+LXC_BIN="/snap/bin/lxc"
+LXC_CONTAINER=$1
+DOCKER_CONTAINER=$2
+
+
+if [ -z "$DOCKER_CONTAINER" ]; then
+ echo "*** Missing parameter"
+ exit 1
+fi
+
+STATE=$(sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect -f '{{.State.Status}}' '$DOCKER_CONTAINER'" 2>/dev/null)
+
+
+if [ "$STATE" = "running" ]; then
+ echo 1
+else
+ echo 0
+fi
+
+exit 0
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh
new file mode 100755
index 000000000..156015826
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+####################################################
+# Docker status checker in LXC container
+# OUTPUT: 1 = changed, 0 = unchanged.
+####################################################
+
+CURRENT_HASH=$(sudo lxc config show exploredata | md5sum | awk '{print $1}')
+BASELINE_HASH=$(cat /etc/zabbix/scripts/hash-keys/exploredata-hash)
+
+
+if [ "$CURRENT_HASH" = "$BASELINE_HASH" ]; then
+ # Configuration unchanged
+ echo 0
+else
+ # Configuration has changed
+ echo 1
+fi
+
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh
new file mode 100755
index 000000000..cf9049528
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh
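Review bot: In check_docker_status.sh the container name is pasted into a command string, `bash -lc "docker inspect … '$DOCKER_CONTAINER'"`, which `sudo lxc exec` then runs inside the container, and `$LXC_CONTAINER` is expanded unquoted and never checked for being empty. A name containing a quote character would change the command that runs as root in the container, so the script relies entirely on the agent's parameter filtering. Pass both values as separate arguments instead of through a shell: `STATE=$(sudo "$LXC_BIN" exec "$LXC_CONTAINER" -- docker inspect -f '{{.State.Status}}' "$DOCKER_CONTAINER" 2>/dev/null)`, and extend the empty check to `$LXC_CONTAINER`. If the login shell was there only to get `docker` on PATH, an absolute path to the docker binary does the same job.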
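Review bot: check_lxc_config_hash.sh reads its baseline from `/etc/zabbix/scripts/hash-keys/exploredata-hash`, below a directory that tasks/main.yml in this commit creates owned by `zabbix`, so the account running the check can presumably also rewrite the reference value it is compared against. Keep the baseline root-owned and read-only outside the zabbix-writable tree, and prefer `sha256sum` over `md5sum` for an integrity comparison (the baseline then has to be regenerated). The header comment is copied from the Docker status script; it should read something like `# LXC config change detector for container "exploredata"`. A missing baseline file and a failing `lxc config show` both end up as `1` (changed) with nothing in the output to tell them apart from a real change.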
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+###############################################
+# check_mounts.sh
+#
+# Paramter with correct value needed.
+# Returns:
+# 0 - Correct numbers of nfs mounts
+# 1 - NFS mount(s) is missing.
+#
+###############################################
+
+EXPECTED=$1
+ACTUAL=$(sudo df -P 2>/dev/null | egrep ':' | wc -l)
+
+if [ "$ACTUAL" -eq "$EXPECTED" ]; then
+ echo "OK: $ACTUAL mount points found (expected: $EXPECTED)"
+ exit 0
+else
+ echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)"
+ exit 1
+fi
+
+exit 0
+
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf
new file mode 100644
index 000000000..219831fe6
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf
@@ -0,0 +1 @@
+UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf
new file mode 100644
index 000000000..70aaf6293
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf
@@ -0,0 +1 @@
+UserParameter=docker.status[*],/etc/zabbix/scripts/check_docker_status.sh $1 $2
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf
new file mode 100644
index 000000000..dc2265b38
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf
@@ -0,0 +1 @@
+UserParameter=hash.status,sudo /etc/zabbix/scripts/check_lxc_config_hash.sh
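Review bot: The fsicos3 check_mounts.sh runs `sudo df -P`, but `df` needs no root privileges and files/fsicos3/zabbix in this commit carries no rule for it. With stderr sent to /dev/null, a refused sudo call leaves the pipeline empty and the script reports `CRITICAL: 0 mount points found` regardless of the real mounts, unless some other sudoers entry happens to allow it. Drop the sudo and the deprecated `egrep`: `ACTUAL=$(df -P 2>/dev/null | grep -c ':')`. Both copies of the script also compare against `$1` without checking that it is a number, and their trailing `exit 0` is unreachable.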
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf
new file mode 100644
index 000000000..b8fbdc30b
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf
@@ -0,0 +1 @@
+UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix
new file mode 100644
index 000000000..7e2a84ea4
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix
@@ -0,0 +1,4 @@
+zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec *
+zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc config show *
+zabbix ALL=(ALL) NOPASSWD: /usr/bin/md5sum
+zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh
diff --git a/devops/roles/icos.zabbix_custom_checks/handlers/main.yml b/devops/roles/icos.zabbix_custom_checks/handlers/main.yml
new file mode 100644
index 000000000..a7120ec77
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart zabbix-agent2
+ systemd:
+ name: "{{ zabbix_agent_service }}"
+ state: restarted
+ daemon_reload: yes
\ No newline at end of file
diff --git a/devops/roles/icos.zabbix_custom_checks/tasks/main.yml b/devops/roles/icos.zabbix_custom_checks/tasks/main.yml
new file mode 100644
index 000000000..8311a57e5
--- /dev/null
+++ b/devops/roles/icos.zabbix_custom_checks/tasks/main.yml
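Review bot: `zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec *` in files/fsicos3/zabbix lets the zabbix account run any command in any container as root, far more than the single `docker inspect` the check needs; `lxc config show *` and a bare `/usr/bin/md5sum` (any file, as root) are similarly open-ended. Move the privileged step into one root-owned wrapper with fixed arguments and grant only that, e.g. `zabbix ALL=(root) NOPASSWD: /usr/local/sbin/zabbix-lxc-docker-state` (the path is a placeholder), with the wrapper validating the container names it accepts. check_lxc_config_hash.sh is already started through sudo by its UserParameter, so the separate `lxc config show` and `md5sum` rules appear unnecessary once that script runs as root. `cert.status` calls `sudo` on check_certbot_valid_days.py, for which this file has no rule.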
@@ -0,0 +1,158 @@ +--- +# Ensure directories exist on all hosts +- name: Ensure Zabbix directories exist + file: + path: "{{ item }}" + state: directory + owner: zabbix + group: zabbix + mode: '0755' + loop: + - "{{ zabbix_scripts_dir }}" + - "{{ zabbix_custom_dir }}" + become: yes + +# Block for fsicos2 custom checks deployment +- name: Deploy custom checks for fsicos2 + when: inventory_hostname == 'fsicos2' or 'fsicos2' in group_names + tags: + - fsicos2-custom + - zabbix-custom + block: + - name: Copy fsicos2 check scripts (.sh files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/fsicos2/check_*.sh" + register: sh_files + + - name: Copy fsicos2 check scripts (.py files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/fsicos2/check_*.py" + register: py_files + + - name: Copy fsicos2 custom configuration files + copy: + src: "{{ item }}" + dest: "{{ zabbix_custom_dir }}/" + owner: zabbix + group: zabbix + mode: '0644' + become: yes + with_fileglob: + - "files/fsicos2/custom_*.conf" + register: conf_files + + - name: Copy fsicos2 sudoers file if exists + copy: + src: "files/fsicos2/zabbix" + dest: "{{ zabbix_sudoers_dir }}/zabbix" + owner: root + group: root + mode: '0440' + validate: 'visudo -cf %s' + become: yes + when: lookup('ansible.builtin.fileglob', 'files/fsicos2/zabbix', errors='ignore') | length > 0 + register: sudo_file + + - name: Trigger zabbix restart if fsicos2 files changed + debug: + msg: "Files changed, triggering zabbix-agent2 restart" + changed_when: true + when: > + sh_files.changed or + py_files.changed or + conf_files.changed or + sudo_file.changed + notify: restart zabbix-agent2 + + +# Block for fsicos3 custom checks deployment +- name: Deploy custom checks for fsicos3 + when: inventory_hostname == 'fsicos3' or 'fsicos3' in 
group_names + tags: + - fsicos3-custom + - zabbix-custom + block: + - name: Copy fsicos3 check scripts (.sh files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/fsicos3/check_*.sh" + register: sh_files + + - name: Copy fsicos3 check scripts (.py files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/fsicos3/check_*.py" + register: py_files + + - name: Copy fsicos3 custom configuration files + copy: + src: "{{ item }}" + dest: "{{ zabbix_custom_dir }}/" + owner: zabbix + group: zabbix + mode: '0644' + become: yes + with_fileglob: + - "files/fsicos3/custom_*.conf" + register: conf_files + + - name: Copy fsicos3 userparam configuration files + copy: + src: "{{ item }}" + dest: "{{ zabbix_custom_dir }}/" + owner: zabbix + group: zabbix + mode: '0644' + become: yes + with_fileglob: + - "files/fsicos3/userparam_*.conf" + register: conf_files + + - name: Copy fsicos3 sudoers zabbix file + copy: + src: "files/fsicos3/zabbix" + dest: "{{ zabbix_sudoers_dir }}/zabbix" + owner: root + group: root + mode: '0440' + validate: 'visudo -cf %s' + become: yes + when: lookup('ansible.builtin.fileglob', 'files/fsicos3/zabbix', errors='ignore') | length > 0 + register: sudo_file + + - name: Trigger zabbix restart if fsicos3 files changed + ansible.builtin.debug: + msg: "*** Triggering zabbix-agent2 restart ****" + changed_when: true + when: > + sh_files.changed or + py_files.changed or + conf_files.changed or + sudo_file.changed + notify: restart zabbix-agent2 \ No newline at end of file diff --git a/devops/server-fsicos2.yml b/devops/server-fsicos2.yml index 30a84d8e2..10b33d67a 100644 --- a/devops/server-fsicos2.yml +++ b/devops/server-fsicos2.yml 
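Review bot: The copy tasks in tasks/main.yml install the check scripts with `owner: zabbix` / `group: zabbix` into a directory that is also created zabbix-owned, while the sudoers files in this commit let `zabbix` run some of those scripts as root without a password. The account can therefore replace a script and have sudo run the new content, so the scripts and `zabbix_scripts_dir` should be `owner: root`, `group: root`, `mode: '0755'`, leaving zabbix with read and execute only. In the fsicos3 block `register: conf_files` is used by two tasks, so the second result overwrites the first and a change in `custom_*.conf` alone never triggers the restart. Putting `notify: restart zabbix-agent2` on each copy task would remove the need for the `debug` relay task altogether.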
@@ -19,4 +19,9 @@ tags: nfs - role: icos.zabbix_agent - tags: zabbix-agent \ No newline at end of file + tags: zabbix-agent + + - role: icos.zabbix_custom_checks + tags: fsicos2-custom + + \ No newline at end of file diff --git a/devops/server-fsicos3.yml b/devops/server-fsicos3.yml index 75791fc2e..752b1aafe 100644 --- a/devops/server-fsicos3.yml +++ b/devops/server-fsicos3.yml @@ -20,3 +20,6 @@ - role: icos.zabbix_agent tags: zabbix-agent + + - role: icos.zabbix_custom_checks + tags: fsicos3-custom \ No newline at end of file From 2e3360d05ff710da21fc3d0fbe97a71c744bbbb5 Mon Sep 17 00:00:00 2001 
From: robban-github Date: Thu, 4 Dec 2025 16:09:31 +0100 Subject: [PATCH 28/29] [Zabbix] Custom checks for fsicos2 and fsicos3 --- .../icos.zabbix_checks_fsicos2/README.md | 62 +++++++++ .../defaults/main.yml | 5 + .../files/check_borg_backup.sh | 33 +++++ .../files/check_certbot_valid_days.py | 131 ++++++++++++++++++ .../files/check_docker_running.sh | 6 + .../files/check_lxc_running.sh | 13 ++ .../files/check_mounts.sh | 25 ++++ .../files/check_ping.sh | 26 ++++ .../files/custom_certbot_monitor.conf | 1 + .../files/custom_check_borg_backup.conf | 2 + .../files/custom_check_docker_running.conf | 1 + .../files/custom_check_lxc_running.conf | 1 + .../files/custom_check_mount.conf | 1 + .../files/custom_ping_check.conf | 1 + .../icos.zabbix_checks_fsicos2/files/zabbix | 4 + .../handlers/main.yml | 6 + .../icos.zabbix_checks_fsicos2/tasks/main.yml | 78 +++++++++++ .../icos.zabbix_checks_fsicos3/README.md | 73 ++++++++++ .../defaults/main.yml | 5 + .../files/check_certbot_valid_days.py | 131 ++++++++++++++++++ .../files/check_docker_status.sh | 27 ++++ .../files/check_lxc_config_hash.sh | 19 +++ .../files/check_mounts.sh | 25 ++++ .../files/userparam_certbot_monitor.conf | 1 + .../files/userparam_check_docker_status.conf | 1 + .../userparam_check_lxc_config_hash.conf | 1 + .../files/userparam_check_mount.conf | 1 + .../icos.zabbix_checks_fsicos3/files/zabbix | 4 + .../handlers/main.yml | 6 + .../icos.zabbix_checks_fsicos3/tasks/main.yml | 88 ++++++++++++ 30 files changed, 778 insertions(+) create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/README.md create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/defaults/main.yml create mode 100755 devops/roles/icos.zabbix_checks_fsicos2/files/check_borg_backup.sh create mode 100755 devops/roles/icos.zabbix_checks_fsicos2/files/check_certbot_valid_days.py create mode 100755 devops/roles/icos.zabbix_checks_fsicos2/files/check_docker_running.sh create mode 100755 
devops/roles/icos.zabbix_checks_fsicos2/files/check_lxc_running.sh create mode 100755 devops/roles/icos.zabbix_checks_fsicos2/files/check_mounts.sh create mode 100755 devops/roles/icos.zabbix_checks_fsicos2/files/check_ping.sh create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_certbot_monitor.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_borg_backup.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_docker_running.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_lxc_running.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_mount.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/custom_ping_check.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/files/zabbix create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/handlers/main.yml create mode 100644 devops/roles/icos.zabbix_checks_fsicos2/tasks/main.yml create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/README.md create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/defaults/main.yml create mode 100755 devops/roles/icos.zabbix_checks_fsicos3/files/check_certbot_valid_days.py create mode 100755 devops/roles/icos.zabbix_checks_fsicos3/files/check_docker_status.sh create mode 100755 devops/roles/icos.zabbix_checks_fsicos3/files/check_lxc_config_hash.sh create mode 100755 devops/roles/icos.zabbix_checks_fsicos3/files/check_mounts.sh create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/files/userparam_certbot_monitor.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_docker_status.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_lxc_config_hash.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_mount.conf create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/files/zabbix create mode 100644 
devops/roles/icos.zabbix_checks_fsicos3/handlers/main.yml create mode 100644 devops/roles/icos.zabbix_checks_fsicos3/tasks/main.yml diff --git a/devops/roles/icos.zabbix_checks_fsicos2/README.md b/devops/roles/icos.zabbix_checks_fsicos2/README.md new file mode 100644 index 000000000..4cd02e1b6 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/README.md 
@@ -0,0 +1,62 @@ +# Ansible Role: icos.zabbix_custom_checks + +This Ansible role deploys custom Zabbix monitoring checks on fsicos2. + +## Role Structure + +``` +icos.zabbix_checks_fsicos2/ +├── defaults/ +│ └── main.yml +├── handlers/ +│ └── main.yml +├── tasks/ +│ └── main.yml +├── files/ +│ ├── check_*.sh +│ ├── check_*.py +│ ├── custom_*.conf +│ └── zabbix # Sudoers file +└── README.md +``` + +## Variables + +The following variables are defined in `defaults/main.yml`: + +- `zabbix_scripts_dir`: Directory for Zabbix scripts (default: `/etc/zabbix/scripts`) +- `zabbix_custom_dir`: Directory for custom configurations (default: `/etc/zabbix/zabbix_agent2.d`) +- `zabbix_sudoers_dir`: Directory for sudoers files (default: `/etc/sudoers.d`) +- `zabbix_agent_service`: Zabbix agent service name (default: `zabbix-agent2`) + +## Tags + +The role uses the following tags for selective deployment: + +- `fsicos2-checks`: Deploy only fsicos2 custom checks +- `zabbix-checks`: Deploy all custom checks scripts + +## Usage + +### Deploy on fsicos2 +``` +just play server-fsicos2 -t fsicos2-checks -D +``` + +## Features + +1. **Automatic directory creation**: Creates necessary Zabbix directories if they don't exist +2. **Proper file permissions**: Sets correct ownership and permissions for all files +3. **Conditional deployment**: Uses blocks with conditions to deploy files only to appropriate hosts +4. **Sudoers validation**: Validates sudoers files before deployment +5. **Service restart**: Automatically restarts Zabbix agent after file changes +6. **Tag-based deployment**: Allows selective deployment using tags + + +## Notes + +- The role checks if the host is named 'fsicos2' or 'fsicos3' or belongs to corresponding groups +- All check scripts are made executable (mode 0755) +- Configuration files are deployed with read permissions (mode 0644) +- The Zabbix agent service is restarted only when files are changed + 
diff --git a/devops/roles/icos.zabbix_checks_fsicos2/defaults/main.yml b/devops/roles/icos.zabbix_checks_fsicos2/defaults/main.yml new file mode 100644 index 000000000..91d9c8698 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/defaults/main.yml @@ -0,0 +1,5 @@ +# Zabbix variables +zabbix_scripts_dir: /etc/zabbix/scripts +zabbix_custom_dir: /etc/zabbix/zabbix_agent2.d +zabbix_sudoers_dir: /etc/sudoers.d +zabbix_agent_service: zabbix-agent2 \ No newline at end of file diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_borg_backup.sh b/devops/roles/icos.zabbix_checks_fsicos2/files/check_borg_backup.sh new file mode 100755 index 000000000..34e4c8aa6 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_borg_backup.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# +# Ver: 2025-09-21 by Robert +# +export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes +export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes + +REPO_BASE_DIR=$1 +REPO_DIR=$(eval echo "$REPO_BASE_DIR") +repos=$(ls "$REPO_DIR" 2>/dev/null) +current_time=$(date +%Y-%m-%d) + +# Check each repository +for repo in $repos; do + [[ "$repo" == "." || "$repo" == ".." ]] && continue + [[ "$repo" == "prometheus.repo" ]] && continue + + latest_archive=$(borg list --format '{time:%Y-%m-%d} {name}' --last=1 "$REPO_BASE_DIR/$repo" 2>/dev/null) + if [[ $? -eq 0 && "$latest_archive" != "" ]]; then + backup_date=$(echo "$latest_archive" | cut -c1-10) + if [[ "$backup_date" != "$current_time" ]]; then + echo "FAILURE1: Outdated backup in repo $repo" + exit 0 # Important: exit 0 so Zabbix gets the data + fi + else + echo "FAILURE2: Cannot check repo $repo" + exit 0 # Important: exit 0 so Zabbix gets the data + fi +done + +echo "SUCCESS: All repositories have backups for today ($current_time)" +exit 0 + diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_certbot_valid_days.py b/devops/roles/icos.zabbix_checks_fsicos2/files/check_certbot_valid_days.py new file mode 100755 index 000000000..ae8e04b7f 
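Review bot: `REPO_DIR=$(eval echo "$REPO_BASE_DIR")` in check_borg_backup.sh runs `eval` on `$1`, which custom_check_borg_backup.conf fills from the `backup.borg.status[*]` item key and passes through `sudo`, so the item parameter is interpreted as shell input with root privileges. The agent's default filtering of special characters in UserParameter arguments (`UnsafeUserParameters`) limits this, but the script should not depend on it: `REPO_DIR=$REPO_BASE_DIR` followed by `[ -d "$REPO_DIR" ] || { echo "FAILURE2: Cannot check repo dir"; exit 0; }` avoids the `eval`. The loop also lists `$REPO_DIR` but calls `borg list` on `$REPO_BASE_DIR/$repo`, and `for repo in $repos` splits names on whitespace; `for path in "$REPO_DIR"/*/` would use one variable and handle both.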
--- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_certbot_valid_days.py 
@@ -0,0 +1,131 @@ +#!/usr/bin/env python3 +""" +Certbot Certificate Monitor Script +Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date +""" + +import subprocess +import re +import sys +from datetime import datetime + + +# ---------------------------------------------------------------------- +def run_certbot_certificates(): + """ + Execute 'certbot certificates' command and return the output + """ + try: + result = subprocess.run( + ['certbot', 'certificates'], + capture_output=True, + text=True, + check=True + ) + return result.stdout + except subprocess.CalledProcessError as e: + print(f"Error running certbot command: {e}", file=sys.stderr) + print(f"Return code: {e.returncode}", file=sys.stderr) + print(f"Error output: {e.stderr}", file=sys.stderr) + return None + except FileNotFoundError: + print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) + return None + + +# ---------------------------------------------------------------------- +def parse_certificates(output): + """ + Parse certbot output and extract certificate names with valid days + Returns dictionary with Certificate Name as key and valid days as value + If certificate is invalid, sets value to -1 + """ + dic_certificates = {} + + # Split output into lines + lines = output.strip().split('\n') + current_cert_name = None + + for line in lines: + line = line.strip() + + # Look for Certificate Name + if line.startswith('Certificate Name:'): + current_cert_name = line.split(':', 1)[1].strip() + + # Look for Expiry Date and extract valid days + elif line.startswith('Expiry Date:') and current_cert_name: + expiry_info = line.split(':', 1)[1].strip() + + # Extract valid days using regex + # Look for patterns like "(VALID: 89 days)" or "(INVALID)" + valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) + invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) + + if valid_match: + # Extract the 
number of valid days + valid_days = int(valid_match.group(1)) + dic_certificates[current_cert_name] = valid_days + elif invalid_match: + # Certificate is invalid + dic_certificates[current_cert_name] = -1 + else: + # If we can't determine validity, assume invalid + dic_certificates[current_cert_name] = -1 + + # Reset current_cert_name for next certificate + current_cert_name = None + + return dic_certificates + +# ---------------------------------------------------------------------- +def format_output(dic_certificates): + """ + Format and print the certificate information sorted by valid days (least to most) + Input: dictionary with certificate names as keys and valid days as values + """ + if not dic_certificates: + print("No certificates found.") + sys.exit(2) + + # Sort dictionary by valid days (least to most, -1 values first) + sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) + + for cert_name, valid_days in sorted_certificates: + if valid_days == -1: + print(f"Certificate: {cert_name}, EXPIRED") + sys.exit(1) + elif valid_days < 14: + print(f"Warning: Less than 14 valid days for: {cert_name}") + sys.exit(3) + + print(f"All certificates are valid with more than 30 days.") + sys.exit(0) + +# ---------------------------------------------------------------------- +def main(): + """ + Main function to orchestrate the certificate checking process + """ + + # Run certbot command + output = run_certbot_certificates() + if output is None: + sys.exit(1) + + # Parse the output + certificates = parse_certificates(output) + + # Format and display results + format_output(certificates) + + # Optional: Return certificates for programmatic use + return certificates + +if __name__ == "__main__": + main() + + + + + diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_docker_running.sh b/devops/roles/icos.zabbix_checks_fsicos2/files/check_docker_running.sh new file mode 100755 index 000000000..0448887ac --- /dev/null 
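Review bot: `format_output` in check_certbot_valid_days.py warns only below 14 days, yet the success message reads `All certificates are valid with more than 30 days.`, so a certificate with 20 days left is reported with the wrong figure; `print("All certificates are valid for at least 14 days.")` matches the check (or raise the threshold to 30 if that is the intent). `parse_certificates` also maps an unparseable `Expiry Date:` line to -1, which `format_output` prints as `EXPIRED`; a separate sentinel and message would keep a parser breakage apart from a real expiry. `from datetime import datetime` is unused. The identical file is added under icos.zabbix_checks_fsicos3 (same blob `ae8e04b7f`), so the same applies there.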
+++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_docker_running.sh @@ -0,0 +1,6 @@ +#!/bin/bash +############################################### +# check_docker_num.sh - Zabbix version +# Returns number of running docker containers +############################################### +docker ps -q 2>/dev/null | wc -l diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_lxc_running.sh b/devops/roles/icos.zabbix_checks_fsicos2/files/check_lxc_running.sh new file mode 100755 index 000000000..4695378a3 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_lxc_running.sh @@ -0,0 +1,13 @@ +#!/bin/bash +############################################### +# +# check_lxc_running.sh +# Returns number of running LXC containers +# +############################################### + +# Set HOME to avoid snap warning +export HOME=/root + +/snap/bin/lxc list --format=csv -c ns 2>/dev/null | grep -c "RUNNING" || echo 0 + diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_mounts.sh b/devops/roles/icos.zabbix_checks_fsicos2/files/check_mounts.sh new file mode 100755 index 000000000..e1aaa99c2 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_mounts.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +############################################### +# check_mounts.sh +# +# Paramter with correct value needed. +# Returns: +# 0 - Correct numbers of nfs mounts +# 1 - NFS mount(s) is missing. +# +############################################### + +EXPECTED=$1 +ACTUAL=$(df -P 2>/dev/null | grep ':' | wc -l) + +if [ "$ACTUAL" -eq "$EXPECTED" ]; then + echo "OK: $ACTUAL mount points found (expected: $EXPECTED)" + exit 0 +else + echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)" + exit 1 +fi + +exit 0 + diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/check_ping.sh b/devops/roles/icos.zabbix_checks_fsicos2/files/check_ping.sh new file mode 100755 index 000000000..9267a194e --- /dev/null 
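Review bot: In check_lxc_running.sh, `grep -c "RUNNING" || echo 0` prints two lines when nothing is running, because `grep -c` already prints `0` and then exits non-zero, which triggers the `echo 0`. A numeric item would receive `0` twice instead of a single value. Ending the pipeline with `grep -c "RUNNING" || true` keeps the single count. With `2>/dev/null` on `lxc list`, a failing `lxc` call is also reported as zero containers, which deserves a comment if it is intended.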
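Review bot: check_mounts.sh exits 1 in its CRITICAL branch, while check_borg_backup.sh in this same commit deliberately exits 0 with the comment that Zabbix otherwise does not get the data; the scripts should follow one convention, and if the borg comment is right the `exit 1` here risks losing the CRITICAL text. `grep ':'` counts every `df` line that contains a colon rather than NFS mounts specifically, which does not match the header comment; something like `findmnt -n -t nfs,nfs4 | wc -l` would. The trailing `exit 0` is unreachable. A missing or non-numeric `$1` makes `-eq` fail and falls into the CRITICAL branch, which is acceptable but worth a comment.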
+++ b/devops/roles/icos.zabbix_checks_fsicos2/files/check_ping.sh @@ -0,0 +1,26 @@ +#!/bin/bash +# +# Script to check ping connectivity to specified host +# Returns 0 if ping is successful, 1 if failed +# +# Usage: ./check_ping_connectivity.sh + +# Check if destination parameter is provided +if [ -z "$1" ]; then + echo 1 + exit 1 +fi + +DESTINATION="$1" +PING_COUNT=3 +PING_TIMEOUT=2 + +# Perform ping test +ping -c $PING_COUNT -W $PING_TIMEOUT "$DESTINATION" > /dev/null 2>&1 + +# Check exit status and return result +if [ $? -eq 0 ]; then + echo 0 # Success +else + echo 1 # Failed +fi diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_certbot_monitor.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_certbot_monitor.conf new file mode 100644 index 000000000..219831fe6 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_certbot_monitor.conf @@ -0,0 +1 @@ +UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_borg_backup.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_borg_backup.conf new file mode 100644 index 000000000..2ef0e2204 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_borg_backup.conf @@ -0,0 +1,2 @@ +UserParameter=backup.borg.status[*],sudo /etc/zabbix/scripts/check_borg_backup.sh $1 + diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_docker_running.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_docker_running.conf new file mode 100644 index 000000000..d5751e701 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_docker_running.conf @@ -0,0 +1 @@ +UserParameter=docker.running,/etc/zabbix/scripts/check_docker_running.sh 
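Review bot: `cert.status` and `backup.borg.status[*]` call their scripts through `sudo`, but the `files/zabbix` sudoers file added in this commit only allows `check_docker_running.sh` and `check_lxc_running.sh`, so unless another sudoers drop-in covers them these two items will fail for lack of a rule. Conversely, `docker.running` in custom_check_docker_running.conf runs without `sudo` although a rule for its script exists. The sudoers entries and the UserParameter lines should name the same set of scripts. The fsicos3 role shows the same gap for `cert.status` in userparam_certbot_monitor.conf.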
diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_lxc_running.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_lxc_running.conf new file mode 100644 index 000000000..b80ab5ca6 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_lxc_running.conf @@ -0,0 +1 @@ +UserParameter=lxc.running,sudo /etc/zabbix/scripts/check_lxc_running.sh diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_mount.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_mount.conf new file mode 100644 index 000000000..b8fbdc30b --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_check_mount.conf @@ -0,0 +1 @@ +UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1 diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/custom_ping_check.conf b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_ping_check.conf new file mode 100644 index 000000000..6b25d336e --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/custom_ping_check.conf @@ -0,0 +1 @@ +UserParameter=ping.check[*],/etc/zabbix/scripts/check_ping.sh $1 diff --git a/devops/roles/icos.zabbix_checks_fsicos2/files/zabbix b/devops/roles/icos.zabbix_checks_fsicos2/files/zabbix new file mode 100644 index 000000000..80953268f --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/files/zabbix @@ -0,0 +1,4 @@ +# Zabbix monitoring +Defaults:zabbix !requiretty +zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_docker_running.sh +zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_running.sh diff --git a/devops/roles/icos.zabbix_checks_fsicos2/handlers/main.yml b/devops/roles/icos.zabbix_checks_fsicos2/handlers/main.yml new file mode 100644 index 000000000..a7120ec77 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/handlers/main.yml 
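Review bot: The NOPASSWD rules in `files/zabbix` point at scripts that tasks/main.yml installs with `owner: zabbix` and `group: zabbix`, inside a directory that is also owned by zabbix, so the account the rule is meant to constrain can rewrite what sudo runs as root. Scripts named in sudoers should be deployed with `owner: root`, `group: root`, `mode: '0755'` in a root-owned directory, and each rule can be narrowed from `(ALL)` to `(root)`. The fsicos3 sudoers file lists `check_lxc_config_hash.sh` the same way, and its tasks file uses the same ownership.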
@@ -0,0 +1,6 @@ +--- +- name: restart zabbix-agent2 + systemd: + name: "{{ zabbix_agent_service }}" + state: restarted + daemon_reload: yes \ No newline at end of file diff --git a/devops/roles/icos.zabbix_checks_fsicos2/tasks/main.yml b/devops/roles/icos.zabbix_checks_fsicos2/tasks/main.yml new file mode 100644 index 000000000..3b2dbd297 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos2/tasks/main.yml 
@@ -0,0 +1,78 @@ +--- +- name: Ensure Zabbix directories exist + file: + path: "{{ item }}" + state: directory + owner: zabbix + group: zabbix + mode: '0755' + loop: + - "{{ zabbix_scripts_dir }}" + - "{{ zabbix_custom_dir }}" + become: yes + +- name: Deploy custom checks for fsicos2 + tags: + - fsicos2-checks + - zabbix-checks + block: + - name: Copy fsicos2 check scripts (.sh files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/check_*.sh" + register: sh_files + + - name: Copy fsicos2 check scripts (.py files) + copy: + src: "{{ item }}" + dest: "{{ zabbix_scripts_dir }}/" + owner: zabbix + group: zabbix + mode: '0755' + become: yes + with_fileglob: + - "files/check_*.py" + register: py_files + + - name: Copy fsicos2 custom configuration files + copy: + src: "{{ item }}" + dest: "{{ zabbix_custom_dir }}/" + owner: zabbix + group: zabbix + mode: '0644' + become: yes + with_fileglob: + - "files/custom_*.conf" + register: conf_files + + - name: Copy fsicos2 sudoers file if exists + copy: + src: "files/zabbix" + dest: "{{ zabbix_sudoers_dir }}/zabbix" + owner: root + group: root + mode: '0440' + validate: 'visudo -cf %s' + become: yes + when: lookup('ansible.builtin.fileglob', 'files/zabbix', errors='ignore') | length > 0 + register: sudo_file + + - name: Trigger zabbix restart if fsicos2 files changed + debug: + msg: "Files changed, triggering zabbix-agent2 restart" + changed_when: true + when: > + sh_files.changed or + py_files.changed or + conf_files.changed or + sudo_file.changed + notify: restart zabbix-agent2 + + diff --git a/devops/roles/icos.zabbix_checks_fsicos3/README.md b/devops/roles/icos.zabbix_checks_fsicos3/README.md new file mode 100644 index 000000000..1f763192e --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/README.md 
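Review bot: The `Trigger zabbix restart if fsicos2 files changed` task is a `debug` with `changed_when: true` that exists only to fire the handler, and its `when:` has to read four registered variables; putting `notify: restart zabbix-agent2` directly on each `copy` task does the same without the extra task or the `register:` lines. `become: yes` here and `daemon_reload: yes` in the handler are better written as `true`. The `Ensure Zabbix directories exist` task sits outside the tagged block, so whether it runs under `-t fsicos2-checks` depends on the tags given to the role in the playbook, which is worth checking since the README advertises that tag. The fsicos3 tasks file follows the same layout.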
@@ -0,0 +1,73 @@ +# Ansible Role: icos.zabbix_custom_checks + +This Ansible role deploys custom Zabbix monitoring checks to specific hosts (fsicos2 and fsicos3). + +## Role Structure + +``` +icos.zabbix_custom_checks/ +├── defaults/ +│ └── main.yml # Default variables +├── handlers/ +│ └── main.yml # Service restart handlers +├── tasks/ +│ └── main.yml # Main tasks with blocks and tags +├── files/ +│ ├── fsicos2/ # Files specific to fsicos2 +│ │ ├── check_*.sh # Shell check scripts +│ │ ├── check_*.py # Python check scripts +│ │ ├── custom_*.conf # Custom configuration files +│ │ └── zabbix # Sudoers file (optional) +│ └── fsicos3/ # Files specific to fsicos3 +│ ├── check_*.sh # Shell check scripts +│ ├── check_*.py # Python check scripts +│ ├── custom_*.conf # Custom configuration files +│ └── zabbix # Sudoers file (optional) +└── README.md # This file +``` + +## Variables + +The following variables are defined in `defaults/main.yml`: + +- `zabbix_scripts_dir`: Directory for Zabbix scripts (default: `/etc/zabbix/scripts`) +- `zabbix_custom_dir`: Directory for custom configurations (default: `/etc/zabbix/zabbix_agent2.d`) +- `zabbix_sudoers_dir`: Directory for sudoers files (default: `/etc/sudoers.d`) +- `zabbix_agent_service`: Zabbix agent service name (default: `zabbix-agent2`) + +## Tags + +The role uses the following tags for selective deployment: + +- `fsicos2-custom`: Deploy only fsicos2 custom checks +- `fsicos3-custom`: Deploy only fsicos3 custom checks +- `zabbix-custom`: Deploy all custom checks + +## Usage + +### Deploy only to fsicos2 +``` +just play server-fsicos2 -t fsicos2-custom -D +``` + +### Deploy only to fsicos3 +``` +just play server-fsicos3 -t fsicos3-custom -D +``` + +## Features + +1. **Automatic directory creation**: Creates necessary Zabbix directories if they don't exist +2. **Proper file permissions**: Sets correct ownership and permissions for all files +3. 
**Conditional deployment**: Uses blocks with conditions to deploy files only to appropriate hosts +4. **Sudoers validation**: Validates sudoers files before deployment +5. **Service restart**: Automatically restarts Zabbix agent after file changes +6. **Tag-based deployment**: Allows selective deployment using tags + +## Notes + +- The role checks if the host is named 'fsicos2' or 'fsicos3' or belongs to corresponding groups +- All check scripts are made executable (mode 0755) +- Configuration files are deployed with read permissions (mode 0644) +- The Zabbix agent service is restarted only when files are changed + diff --git a/devops/roles/icos.zabbix_checks_fsicos3/defaults/main.yml b/devops/roles/icos.zabbix_checks_fsicos3/defaults/main.yml new file mode 100644 index 000000000..91d9c8698 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/defaults/main.yml @@ -0,0 +1,5 @@ +# Zabbix variables +zabbix_scripts_dir: /etc/zabbix/scripts +zabbix_custom_dir: /etc/zabbix/zabbix_agent2.d +zabbix_sudoers_dir: /etc/sudoers.d +zabbix_agent_service: zabbix-agent2 \ No newline at end of file diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/check_certbot_valid_days.py b/devops/roles/icos.zabbix_checks_fsicos3/files/check_certbot_valid_days.py new file mode 100755 index 000000000..ae8e04b7f --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/check_certbot_valid_days.py 
@@ -0,0 +1,131 @@ +#!/usr/bin/env python3 +""" +Certbot Certificate Monitor Script +Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date +""" + +import subprocess +import re +import sys +from datetime import datetime + + +# ---------------------------------------------------------------------- +def run_certbot_certificates(): + """ + Execute 'certbot certificates' command and return the output + """ + try: + result = subprocess.run( + ['certbot', 'certificates'], + capture_output=True, + text=True, + check=True + ) + return result.stdout + except subprocess.CalledProcessError as e: + print(f"Error running certbot command: {e}", file=sys.stderr) + print(f"Return code: {e.returncode}", file=sys.stderr) + print(f"Error output: {e.stderr}", file=sys.stderr) + return None + except FileNotFoundError: + print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) + return None + + +# ---------------------------------------------------------------------- +def parse_certificates(output): + """ + Parse certbot output and extract certificate names with valid days + Returns dictionary with Certificate Name as key and valid days as value + If certificate is invalid, sets value to -1 + """ + dic_certificates = {} + + # Split output into lines + lines = output.strip().split('\n') + current_cert_name = None + + for line in lines: + line = line.strip() + + # Look for Certificate Name + if line.startswith('Certificate Name:'): + current_cert_name = line.split(':', 1)[1].strip() + + # Look for Expiry Date and extract valid days + elif line.startswith('Expiry Date:') and current_cert_name: + expiry_info = line.split(':', 1)[1].strip() + + # Extract valid days using regex + # Look for patterns like "(VALID: 89 days)" or "(INVALID)" + valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) + invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) + + if valid_match: + # Extract the 
number of valid days + valid_days = int(valid_match.group(1)) + dic_certificates[current_cert_name] = valid_days + elif invalid_match: + # Certificate is invalid + dic_certificates[current_cert_name] = -1 + else: + # If we can't determine validity, assume invalid + dic_certificates[current_cert_name] = -1 + + # Reset current_cert_name for next certificate + current_cert_name = None + + return dic_certificates + +# ---------------------------------------------------------------------- +def format_output(dic_certificates): + """ + Format and print the certificate information sorted by valid days (least to most) + Input: dictionary with certificate names as keys and valid days as values + """ + if not dic_certificates: + print("No certificates found.") + sys.exit(2) + + # Sort dictionary by valid days (least to most, -1 values first) + sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) + + for cert_name, valid_days in sorted_certificates: + if valid_days == -1: + print(f"Certificate: {cert_name}, EXPIRED") + sys.exit(1) + elif valid_days < 14: + print(f"Warning: Less than 14 valid days for: {cert_name}") + sys.exit(3) + + print(f"All certificates are valid with more than 30 days.") + sys.exit(0) + +# ---------------------------------------------------------------------- +def main(): + """ + Main function to orchestrate the certificate checking process + """ + + # Run certbot command + output = run_certbot_certificates() + if output is None: + sys.exit(1) + + # Parse the output + certificates = parse_certificates(output) + + # Format and display results + format_output(certificates) + + # Optional: Return certificates for programmatic use + return certificates + +if __name__ == "__main__": + main() + + + + + diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/check_docker_status.sh b/devops/roles/icos.zabbix_checks_fsicos3/files/check_docker_status.sh new file mode 100755 index 000000000..53b36809c --- /dev/null 
+++ b/devops/roles/icos.zabbix_checks_fsicos3/files/check_docker_status.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +#################################################### +# Docker status checker in LXC container +# OUTPUT: 1 = running, 0 = not running +#################################################### + +LXC_BIN="/snap/bin/lxc" +LXC_CONTAINER=$1 +DOCKER_CONTAINER=$2 + + +if [ -z "$DOCKER_CONTAINER" ]; then + echo "*** Missing parameter" + exit 1 +fi + +STATE=$(sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect -f '{{.State.Status}}' '$DOCKER_CONTAINER'" 2>/dev/null) + + +if [ "$STATE" = "running" ]; then + echo 1 +else + echo 0 +fi + +exit 0 diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/check_lxc_config_hash.sh b/devops/roles/icos.zabbix_checks_fsicos3/files/check_lxc_config_hash.sh new file mode 100755 index 000000000..156015826 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/check_lxc_config_hash.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +#################################################### +# Docker status checker in LXC container +# OUTPUT: 1 = changed, 0 = unchanged. +#################################################### + +CURRENT_HASH=$(sudo lxc config show exploredata | md5sum | awk '{print $1}') +BASELINE_HASH=$(cat /etc/zabbix/scripts/hash-keys/exploredata-hash) + + +if [ "$CURRENT_HASH" = "$BASELINE_HASH" ]; then + # Configuration unchanged + echo 0 +else + # Configuration has changed + echo 1 +fi + diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/check_mounts.sh b/devops/roles/icos.zabbix_checks_fsicos3/files/check_mounts.sh new file mode 100755 index 000000000..cf9049528 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/check_mounts.sh 
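Review bot: In check_docker_status.sh, `$LXC_CONTAINER` is expanded unquoted into `sudo $LXC_BIN exec` and `$DOCKER_CONTAINER` is pasted into the string handed to `bash -lc`, so both item-key parameters of `docker.status[*]` are parsed as shell text inside a root `lxc exec`. Only `$DOCKER_CONTAINER` is checked for being empty. Validating both names against a fixed pattern and passing them as separate arguments removes the dependency on the agent's own character filtering. If the login shell is needed for PATH inside the container, say so in a comment and pass the name as a positional argument to `bash -lc` rather than interpolating it.

```shell
LXC_CONTAINER=$1
DOCKER_CONTAINER=$2
# … unchanged: missing-parameter check …

# Accept only plain container names; anything else is rejected before sudo runs.
name_re='^[A-Za-z0-9][A-Za-z0-9_.-]*$'
if ! [[ "$LXC_CONTAINER" =~ $name_re && "$DOCKER_CONTAINER" =~ $name_re ]]; then
    echo "*** Invalid parameter"
    exit 1
fi

STATE=$(sudo "$LXC_BIN" exec "$LXC_CONTAINER" -- \
    docker inspect -f '{{.State.Status}}' "$DOCKER_CONTAINER" 2>/dev/null)
# … unchanged: echo 1 / echo 0 on STATE …
```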
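Review bot: check_lxc_config_hash.sh reads its baseline from `/etc/zabbix/scripts/hash-keys/exploredata-hash`, which lies under the scripts directory that tasks/main.yml creates with `owner: zabbix`, so the monitored account can presumably change the baseline along with the configuration it is meant to guard (no visible task creates `hash-keys`, so its ownership should be confirmed). A root-owned baseline outside the zabbix-writable tree, and `sha256sum` in place of `md5sum`, would make the change detection harder to bypass. If the baseline file is missing, `cat` fails and the script prints `1`, which is indistinguishable from a real change; a separate value for that case would help. The header comment still reads `Docker status checker in LXC container`.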
@@ -0,0 +1,25 @@ +#!/bin/bash + +############################################### +# check_mounts.sh +# +# Paramter with correct value needed. +# Returns: +# 0 - Correct numbers of nfs mounts +# 1 - NFS mount(s) is missing. +# +############################################### + +EXPECTED=$1 +ACTUAL=$(sudo df -P 2>/dev/null | egrep ':' | wc -l) + +if [ "$ACTUAL" -eq "$EXPECTED" ]; then + echo "OK: $ACTUAL mount points found (expected: $EXPECTED)" + exit 0 +else + echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)" + exit 1 +fi + +exit 0 + diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_certbot_monitor.conf b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_certbot_monitor.conf new file mode 100644 index 000000000..219831fe6 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_certbot_monitor.conf @@ -0,0 +1 @@ +UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_docker_status.conf b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_docker_status.conf new file mode 100644 index 000000000..70aaf6293 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_docker_status.conf @@ -0,0 +1 @@ +UserParameter=docker.status[*],/etc/zabbix/scripts/check_docker_status.sh $1 $2 diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_lxc_config_hash.conf b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_lxc_config_hash.conf new file mode 100644 index 000000000..dc2265b38 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_lxc_config_hash.conf @@ -0,0 +1 @@ +UserParameter=hash.status,sudo /etc/zabbix/scripts/check_lxc_config_hash.sh 
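Review bot: `ACTUAL=$(sudo df -P 2>/dev/null | egrep ':' | wc -l)` in the fsicos3 check_mounts.sh calls `sudo df`, but the fsicos3 sudoers file in this commit has no rule for `df` and `mount.num.status[*]` runs the script without `sudo`, so the call would fail with the error hidden by `2>/dev/null` and `ACTUAL` would become 0. `df` does not need root for this; `ACTUAL=$(df -P 2>/dev/null | grep -c ':')` drops both the privilege and the deprecated `egrep`. The trailing `exit 0` is unreachable.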
diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_mount.conf b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_mount.conf new file mode 100644 index 000000000..b8fbdc30b --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/userparam_check_mount.conf @@ -0,0 +1 @@ +UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1 diff --git a/devops/roles/icos.zabbix_checks_fsicos3/files/zabbix b/devops/roles/icos.zabbix_checks_fsicos3/files/zabbix new file mode 100644 index 000000000..7e2a84ea4 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/files/zabbix @@ -0,0 +1,4 @@ +zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec * +zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc config show * +zabbix ALL=(ALL) NOPASSWD: /usr/bin/md5sum +zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh diff --git a/devops/roles/icos.zabbix_checks_fsicos3/handlers/main.yml b/devops/roles/icos.zabbix_checks_fsicos3/handlers/main.yml new file mode 100644 index 000000000..a7120ec77 --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart zabbix-agent2 + systemd: + name: "{{ zabbix_agent_service }}" + state: restarted + daemon_reload: yes \ No newline at end of file diff --git a/devops/roles/icos.zabbix_checks_fsicos3/tasks/main.yml b/devops/roles/icos.zabbix_checks_fsicos3/tasks/main.yml new file mode 100644 index 000000000..d0345854f --- /dev/null +++ b/devops/roles/icos.zabbix_checks_fsicos3/tasks/main.yml 
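Review bot: `zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec *` lets the zabbix account run any command in any container as root, because the sudoers `*` matches arbitrary arguments; together with `lxc config show *` and `/usr/bin/md5sum` this is far broader than the two checks need. Granting sudo only on root-owned wrapper scripts, e.g. `zabbix ALL=(root) NOPASSWD: /etc/zabbix/scripts/check_docker_status.sh` next to the existing `check_lxc_config_hash.sh` line, and calling `lxc` inside those scripts without `sudo`, ties the privilege to fixed commands. `docker.status[*]` would then be defined as `sudo /etc/zabbix/scripts/check_docker_status.sh $1 $2`. Unlike the fsicos2 file there is no `Defaults:zabbix !requiretty` line; add it if the host's sudoers sets `requiretty`.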
@@ -0,0 +1,88 @@
+---
+- name: Ensure Zabbix directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: zabbix
+ group: zabbix
+ mode: '0755'
+ loop:
+ - "{{ zabbix_scripts_dir }}"
+ - "{{ zabbix_custom_dir }}"
+ become: yes
+
+- name: Deploy custom checks for fsicos3
+ tags:
+ - fsicos3-checks
+ - zabbix-checks
+ block:
+ - name: Copy fsicos3 check scripts (.sh files)
+ copy:
+ src: "{{ item }}"
+ dest: "{{ zabbix_scripts_dir }}/"
+ owner: zabbix
+ group: zabbix
+ mode: '0755'
+ become: yes
+ with_fileglob:
+ - "files/check_*.sh"
+ register: sh_files
+
+ - name: Copy fsicos3 check scripts (.py files)
+ copy:
+ src: "{{ item }}"
+ dest: "{{ zabbix_scripts_dir }}/"
+ owner: zabbix
+ group: zabbix
+ mode: '0755'
+ become: yes
+ with_fileglob:
+ - "files/check_*.py"
+ register: py_files
+
+ - name: Copy fsicos3 custom configuration files
+ copy:
+ src: "{{ item }}"
+ dest: "{{ zabbix_custom_dir }}/"
+ owner: zabbix
+ group: zabbix
+ mode: '0644'
+ become: yes
+ with_fileglob:
+ - "files/custom_*.conf"
+ register: conf_files
+
+ - name: Copy fsicos3 userparam configuration files
+ copy:
+ src: "{{ item }}"
+ dest: "{{ zabbix_custom_dir }}/"
+ owner: zabbix
+ group: zabbix
+ mode: '0644'
+ become: yes
+ with_fileglob:
+ - "files/userparam_*.conf"
+ register: conf_files
+
+ - name: Copy fsicos3 sudoers zabbix file
+ copy:
+ src: "files/zabbix"
+ dest: "{{ zabbix_sudoers_dir }}/zabbix"
+ owner: root
+ group: root
+ mode: '0440'
+ validate: 'visudo -cf %s'
+ become: yes
+ when: lookup('ansible.builtin.fileglob', 'files/zabbix', errors='ignore') | length > 0
+ register: sudo_file
+
+ - name: Trigger zabbix restart if fsicos3 files changed
+ ansible.builtin.debug:
+ msg: "*** Triggering zabbix-agent2 restart ****"
+ changed_when: true
+ when: >
+ sh_files.changed or
+ py_files.changed or
+ conf_files.changed or
+ sudo_file.changed
+ notify: restart zabbix-agent2
\ No newline at end of file
From 4c6db857ee73dcd94bc2563c94710992b4dc5540 Mon Sep 17 00:00:00 2001
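Review bot: The check scripts and `zabbix_scripts_dir` are installed with `owner: zabbix`, yet the sudoers file from this patch lets zabbix run `/etc/zabbix/scripts/check_lxc_config_hash.sh` as root without a password, so the monitoring account can rewrite a file that sudo then executes as root. Install anything reachable through sudo as `owner: root`, `group: root`, `mode: '0755'`, and make the scripts directory root-owned as well. Separately, both the custom_*.conf and the userparam_*.conf tasks use `register: conf_files`, so the second result overwrites the first and a change to a custom_*.conf file alone will not trigger the restart; registering the second as `userparam_files` and adding `userparam_files.changed` to the `when:` fixes that.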
From: robban-github Date: Thu, 4 Dec 2025 16:24:53 +0100 Subject: [PATCH 29/29] [Zabbix] Remove old icos.zabbix_custom_checks role --- .../roles/icos.zabbix_custom_checks/README.md | 73 -------- .../defaults/main.yml | 5 - .../files/fsicos2/check_borg_backup.sh | 33 ---- .../files/fsicos2/check_certbot_valid_days.py | 131 --------------- .../files/fsicos2/check_docker_running.sh | 6 - .../files/fsicos2/check_lxc_running.sh | 13 -- .../files/fsicos2/check_mounts.sh | 25 --- .../files/fsicos2/check_ping.sh | 26 --- .../files/fsicos2/custom_certbot_monitor.conf | 1 - .../fsicos2/custom_check_borg_backup.conf | 2 - .../fsicos2/custom_check_docker_running.conf | 1 - .../fsicos2/custom_check_lxc_running.conf | 1 - .../files/fsicos2/custom_check_mount.conf | 1 - .../files/fsicos2/custom_ping_check.conf | 1 - .../files/fsicos2/zabbix | 4 - .../files/fsicos3/check_certbot_valid_days.py | 131 --------------- .../files/fsicos3/check_docker_status.sh | 27 --- .../files/fsicos3/check_lxc_config_hash.sh | 19 --- .../files/fsicos3/check_mounts.sh | 25 --- .../fsicos3/userparam_certbot_monitor.conf | 1 - .../userparam_check_docker_status.conf | 1 - .../userparam_check_lxc_config_hash.conf | 1 - .../files/fsicos3/userparam_check_mount.conf | 1 - .../files/fsicos3/zabbix | 4 - .../handlers/main.yml | 6 - .../icos.zabbix_custom_checks/tasks/main.yml | 158 ------------------ 26 files changed, 697 deletions(-) delete mode 100644 devops/roles/icos.zabbix_custom_checks/README.md delete mode 100644 devops/roles/icos.zabbix_custom_checks/defaults/main.yml delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh delete mode 100755 
devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh delete mode 100755 devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf delete mode 100644 devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix delete mode 100644 devops/roles/icos.zabbix_custom_checks/handlers/main.yml delete mode 100644 devops/roles/icos.zabbix_custom_checks/tasks/main.yml 
diff --git a/devops/roles/icos.zabbix_custom_checks/README.md b/devops/roles/icos.zabbix_custom_checks/README.md deleted file mode 100644 index 1f763192e..000000000 --- a/devops/roles/icos.zabbix_custom_checks/README.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Ansible Role: icos.zabbix_custom_checks - -This Ansible role deploys custom Zabbix monitoring checks to specific hosts (fsicos2 and fsicos3). - -## Role Structure - -``` -icos.zabbix_custom_checks/ -├── defaults/ -│ └── main.yml # Default variables -├── handlers/ -│ └── main.yml # Service restart handlers -├── tasks/ -│ └── main.yml # Main tasks with blocks and tags -├── files/ -│ ├── fsicos2/ # Files specific to fsicos2 -│ │ ├── check_*.sh # Shell check scripts -│ │ ├── check_*.py # Python check scripts -│ │ ├── custom_*.conf # Custom configuration files -│ │ └── zabbix # Sudoers file (optional) -│ └── fsicos3/ # Files specific to fsicos3 -│ ├── check_*.sh # Shell check scripts -│ ├── check_*.py # Python check scripts -│ ├── custom_*.conf # Custom configuration files -│ └── zabbix # Sudoers file (optional) -└── README.md # This file -``` - -## Variables - -The following variables are defined in `defaults/main.yml`: - -- `zabbix_scripts_dir`: Directory for Zabbix scripts (default: `/etc/zabbix/scripts`) -- `zabbix_custom_dir`: Directory for custom configurations (default: `/etc/zabbix/zabbix_agent2.d`) -- `zabbix_sudoers_dir`: Directory for sudoers files (default: `/etc/sudoers.d`) -- `zabbix_agent_service`: Zabbix agent service name (default: `zabbix-agent2`) - -## Tags - -The role uses the following tags for selective deployment: - -- `fsicos2-custom`: Deploy only fsicos2 custom checks -- `fsicos3-custom`: Deploy only fsicos3 custom checks -- `zabbix-custom`: Deploy all custom checks - -## Usage - -### Deploy only to fsicos2 -``` -just play server-fsicos2 -t fsicos2-custom -D -``` - -### Deploy only to fsicos3 -``` -just play server-fsicos3 -t fsicos3-custom -D -``` - -## Features - -1. **Automatic directory creation**: Creates necessary Zabbix directories if they don't exist -2. **Proper file permissions**: Sets correct ownership and permissions for all files -3. 
**Conditional deployment**: Uses blocks with conditions to deploy files only to appropriate hosts -4. **Sudoers validation**: Validates sudoers files before deployment -5. **Service restart**: Automatically restarts Zabbix agent after file changes -6. **Tag-based deployment**: Allows selective deployment using tags - -## Notes - -- The role checks if the host is named 'fsicos2' or 'fsicos3' or belongs to corresponding groups -- All check scripts are made executable (mode 0755) -- Configuration files are deployed with read permissions (mode 0644) -- The Zabbix agent service is restarted only when files are changed - diff --git a/devops/roles/icos.zabbix_custom_checks/defaults/main.yml b/devops/roles/icos.zabbix_custom_checks/defaults/main.yml deleted file mode 100644 index 91d9c8698..000000000 --- a/devops/roles/icos.zabbix_custom_checks/defaults/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -# Zabbix variables -zabbix_scripts_dir: /etc/zabbix/scripts -zabbix_custom_dir: /etc/zabbix/zabbix_agent2.d -zabbix_sudoers_dir: /etc/sudoers.d -zabbix_agent_service: zabbix-agent2 \ No newline at end of file diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh deleted file mode 100755 index 34e4c8aa6..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_borg_backup.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/bash -# -# Ver: 2025-09-21 by Robert -# -export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes -export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes - -REPO_BASE_DIR=$1 -REPO_DIR=$(eval echo "$REPO_BASE_DIR") -repos=$(ls "$REPO_DIR" 2>/dev/null) -current_time=$(date +%Y-%m-%d) - -# Check each repository -for repo in $repos; do - [[ "$repo" == "." || "$repo" == ".." ]] && continue - [[ "$repo" == "prometheus.repo" ]] && continue - - latest_archive=$(borg list --format '{time:%Y-%m-%d} {name}' --last=1 "$REPO_BASE_DIR/$repo" 2>/dev/null) - if [[ $? -eq 0 && "$latest_archive" != "" ]]; then - backup_date=$(echo "$latest_archive" | cut -c1-10) - if [[ "$backup_date" != "$current_time" ]]; then - echo "FAILURE1: Outdated backup in repo $repo" - exit 0 # Important: exit 0 so Zabbix gets the data - fi - else - echo "FAILURE2: Cannot check repo $repo" - exit 0 # Important: exit 0 so Zabbix gets the data - fi -done - -echo "SUCCESS: All repositories have backups for today ($current_time)" -exit 0 - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py deleted file mode 100755 index ae8e04b7f..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_certbot_valid_days.py +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/usr/bin/env python3 -""" -Certbot Certificate Monitor Script -Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date -""" - -import subprocess -import re -import sys -from datetime import datetime - - -# ---------------------------------------------------------------------- -def run_certbot_certificates(): - """ - Execute 'certbot certificates' command and return the output - """ - try: - result = subprocess.run( - ['certbot', 'certificates'], - capture_output=True, - text=True, - check=True - ) - return result.stdout - except subprocess.CalledProcessError as e: - print(f"Error running certbot command: {e}", file=sys.stderr) - print(f"Return code: {e.returncode}", file=sys.stderr) - print(f"Error output: {e.stderr}", file=sys.stderr) - return None - except FileNotFoundError: - print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) - return None - - -# ---------------------------------------------------------------------- -def parse_certificates(output): - """ - Parse certbot output and extract certificate names with valid days - Returns dictionary with Certificate Name as key and valid days as value - If certificate is invalid, sets value to -1 - """ - dic_certificates = {} - - # Split output into lines - lines = output.strip().split('\n') - current_cert_name = None - - for line in lines: - line = line.strip() - - # Look for Certificate Name - if line.startswith('Certificate Name:'): - current_cert_name = line.split(':', 1)[1].strip() - - # Look for Expiry Date and extract valid days - elif line.startswith('Expiry Date:') and current_cert_name: - expiry_info = line.split(':', 1)[1].strip() - - # Extract valid days using regex - # Look for patterns like "(VALID: 89 days)" or "(INVALID)" - valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) - invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) - - if valid_match: - # Extract the 
number of valid days - valid_days = int(valid_match.group(1)) - dic_certificates[current_cert_name] = valid_days - elif invalid_match: - # Certificate is invalid - dic_certificates[current_cert_name] = -1 - else: - # If we can't determine validity, assume invalid - dic_certificates[current_cert_name] = -1 - - # Reset current_cert_name for next certificate - current_cert_name = None - - return dic_certificates - -# ---------------------------------------------------------------------- -def format_output(dic_certificates): - """ - Format and print the certificate information sorted by valid days (least to most) - Input: dictionary with certificate names as keys and valid days as values - """ - if not dic_certificates: - print("No certificates found.") - sys.exit(2) - - # Sort dictionary by valid days (least to most, -1 values first) - sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) - - for cert_name, valid_days in sorted_certificates: - if valid_days == -1: - print(f"Certificate: {cert_name}, EXPIRED") - sys.exit(1) - elif valid_days < 14: - print(f"Warning: Less than 14 valid days for: {cert_name}") - sys.exit(3) - - print(f"All certificates are valid with more than 30 days.") - sys.exit(0) - -# ---------------------------------------------------------------------- -def main(): - """ - Main function to orchestrate the certificate checking process - """ - - # Run certbot command - output = run_certbot_certificates() - if output is None: - sys.exit(1) - - # Parse the output - certificates = parse_certificates(output) - - # Format and display results - format_output(certificates) - - # Optional: Return certificates for programmatic use - return certificates - -if __name__ == "__main__": - main() - - - - - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh deleted file mode 100755 index 0448887ac..000000000 
--- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_docker_running.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -############################################### -# check_docker_num.sh - Zabbix version -# Returns number of running docker containers -############################################### -docker ps -q 2>/dev/null | wc -l diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh deleted file mode 100755 index 4695378a3..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_lxc_running.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -############################################### -# -# check_lxc_running.sh -# Returns number of running LXC containers -# -############################################### - -# Set HOME to avoid snap warning -export HOME=/root - -/snap/bin/lxc list --format=csv -c ns 2>/dev/null | grep -c "RUNNING" || echo 0 - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh deleted file mode 100755 index e1aaa99c2..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_mounts.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -############################################### -# check_mounts.sh -# -# Paramter with correct value needed. -# Returns: -# 0 - Correct numbers of nfs mounts -# 1 - NFS mount(s) is missing. -# -############################################### - -EXPECTED=$1 -ACTUAL=$(df -P 2>/dev/null | grep ':' | wc -l) - -if [ "$ACTUAL" -eq "$EXPECTED" ]; then - echo "OK: $ACTUAL mount points found (expected: $EXPECTED)" - exit 0 -else - echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)" - exit 1 -fi - -exit 0 - 
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh deleted file mode 100755 index 9267a194e..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/check_ping.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# Script to check ping connectivity to specified host -# Returns 0 if ping is successful, 1 if failed -# -# Usage: ./check_ping_connectivity.sh - -# Check if destination parameter is provided -if [ -z "$1" ]; then - echo 1 - exit 1 -fi - -DESTINATION="$1" -PING_COUNT=3 -PING_TIMEOUT=2 - -# Perform ping test -ping -c $PING_COUNT -W $PING_TIMEOUT "$DESTINATION" > /dev/null 2>&1 - -# Check exit status and return result -if [ $? -eq 0 ]; then - echo 0 # Success -else - echo 1 # Failed -fi diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf deleted file mode 100644 index 219831fe6..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_certbot_monitor.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf deleted file mode 100644 index 2ef0e2204..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_borg_backup.conf +++ /dev/null @@ -1,2 +0,0 @@ -UserParameter=backup.borg.status[*],sudo /etc/zabbix/scripts/check_borg_backup.sh $1 - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf deleted file mode 100644 index d5751e701..000000000 
--- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_docker_running.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=docker.running,/etc/zabbix/scripts/check_docker_running.sh diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf deleted file mode 100644 index b80ab5ca6..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_lxc_running.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=lxc.running,sudo /etc/zabbix/scripts/check_lxc_running.sh diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf deleted file mode 100644 index b8fbdc30b..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_check_mount.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1 diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf deleted file mode 100644 index 6b25d336e..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/custom_ping_check.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=ping.check[*],/etc/zabbix/scripts/check_ping.sh $1 diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix b/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix deleted file mode 100644 index 80953268f..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos2/zabbix +++ /dev/null @@ -1,4 +0,0 @@ -# Zabbix monitoring -Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_docker_running.sh -zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_running.sh 
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py deleted file mode 100755 index ae8e04b7f..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_certbot_valid_days.py +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/usr/bin/env python3 -""" -Certbot Certificate Monitor Script -Runs 'certbot certificates' command and extracts Certificate Name and Expiry Date -""" - -import subprocess -import re -import sys -from datetime import datetime - - -# ---------------------------------------------------------------------- -def run_certbot_certificates(): - """ - Execute 'certbot certificates' command and return the output - """ - try: - result = subprocess.run( - ['certbot', 'certificates'], - capture_output=True, - text=True, - check=True - ) - return result.stdout - except subprocess.CalledProcessError as e: - print(f"Error running certbot command: {e}", file=sys.stderr) - print(f"Return code: {e.returncode}", file=sys.stderr) - print(f"Error output: {e.stderr}", file=sys.stderr) - return None - except FileNotFoundError: - print("Error: certbot command not found. Please ensure certbot is installed.", file=sys.stderr) - return None - - -# ---------------------------------------------------------------------- -def parse_certificates(output): - """ - Parse certbot output and extract certificate names with valid days - Returns dictionary with Certificate Name as key and valid days as value - If certificate is invalid, sets value to -1 - """ - dic_certificates = {} - - # Split output into lines - lines = output.strip().split('\n') - current_cert_name = None - - for line in lines: - line = line.strip() - - # Look for Certificate Name - if line.startswith('Certificate Name:'): - current_cert_name = line.split(':', 1)[1].strip() - - # Look for Expiry Date and extract valid days - elif line.startswith('Expiry Date:') and current_cert_name: - expiry_info = line.split(':', 1)[1].strip() - - # Extract valid days using regex - # Look for patterns like "(VALID: 89 days)" or "(INVALID)" - valid_match = re.search(r'\(VALID:\s*(\d+)\s*days?\)', expiry_info, re.IGNORECASE) - invalid_match = re.search(r'\(INVALID', expiry_info, re.IGNORECASE) - - if valid_match: - # Extract the 
number of valid days - valid_days = int(valid_match.group(1)) - dic_certificates[current_cert_name] = valid_days - elif invalid_match: - # Certificate is invalid - dic_certificates[current_cert_name] = -1 - else: - # If we can't determine validity, assume invalid - dic_certificates[current_cert_name] = -1 - - # Reset current_cert_name for next certificate - current_cert_name = None - - return dic_certificates - -# ---------------------------------------------------------------------- -def format_output(dic_certificates): - """ - Format and print the certificate information sorted by valid days (least to most) - Input: dictionary with certificate names as keys and valid days as values - """ - if not dic_certificates: - print("No certificates found.") - sys.exit(2) - - # Sort dictionary by valid days (least to most, -1 values first) - sorted_certificates = sorted(dic_certificates.items(), key=lambda x: x[1]) - - for cert_name, valid_days in sorted_certificates: - if valid_days == -1: - print(f"Certificate: {cert_name}, EXPIRED") - sys.exit(1) - elif valid_days < 14: - print(f"Warning: Less than 14 valid days for: {cert_name}") - sys.exit(3) - - print(f"All certificates are valid with more than 30 days.") - sys.exit(0) - -# ---------------------------------------------------------------------- -def main(): - """ - Main function to orchestrate the certificate checking process - """ - - # Run certbot command - output = run_certbot_certificates() - if output is None: - sys.exit(1) - - # Parse the output - certificates = parse_certificates(output) - - # Format and display results - format_output(certificates) - - # Optional: Return certificates for programmatic use - return certificates - -if __name__ == "__main__": - main() - - - - - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh deleted file mode 100755 index 53b36809c..000000000 
--- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_docker_status.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -#################################################### -# Docker status checker in LXC container -# OUTPUT: 1 = running, 0 = not running -#################################################### - -LXC_BIN="/snap/bin/lxc" -LXC_CONTAINER=$1 -DOCKER_CONTAINER=$2 - - -if [ -z "$DOCKER_CONTAINER" ]; then - echo "*** Missing parameter" - exit 1 -fi - -STATE=$(sudo $LXC_BIN exec $LXC_CONTAINER -- bash -lc "docker inspect -f '{{.State.Status}}' '$DOCKER_CONTAINER'" 2>/dev/null) - - -if [ "$STATE" = "running" ]; then - echo 1 -else - echo 0 -fi - -exit 0 diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh deleted file mode 100755 index 156015826..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_lxc_config_hash.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -#################################################### -# Docker status checker in LXC container -# OUTPUT: 1 = changed, 0 = unchanged. -#################################################### - -CURRENT_HASH=$(sudo lxc config show exploredata | md5sum | awk '{print $1}') -BASELINE_HASH=$(cat /etc/zabbix/scripts/hash-keys/exploredata-hash) - - -if [ "$CURRENT_HASH" = "$BASELINE_HASH" ]; then - # Configuration unchanged - echo 0 -else - # Configuration has changed - echo 1 -fi - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh deleted file mode 100755 index cf9049528..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/check_mounts.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash - -############################################### -# check_mounts.sh -# -# Paramter with correct value needed. -# Returns: -# 0 - Correct numbers of nfs mounts -# 1 - NFS mount(s) is missing. -# -############################################### - -EXPECTED=$1 -ACTUAL=$(sudo df -P 2>/dev/null | egrep ':' | wc -l) - -if [ "$ACTUAL" -eq "$EXPECTED" ]; then - echo "OK: $ACTUAL mount points found (expected: $EXPECTED)" - exit 0 -else - echo "CRITICAL: $ACTUAL mount points found (expected: $EXPECTED)" - exit 1 -fi - -exit 0 - diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf deleted file mode 100644 index 219831fe6..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_certbot_monitor.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=cert.status,sudo /etc/zabbix/scripts/check_certbot_valid_days.py diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf deleted file mode 100644 index 70aaf6293..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_docker_status.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=docker.status[*],/etc/zabbix/scripts/check_docker_status.sh $1 $2 diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf deleted file mode 100644 index dc2265b38..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_lxc_config_hash.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=hash.status,sudo /etc/zabbix/scripts/check_lxc_config_hash.sh 
diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf deleted file mode 100644 index b8fbdc30b..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/userparam_check_mount.conf +++ /dev/null @@ -1 +0,0 @@ -UserParameter=mount.num.status[*],/etc/zabbix/scripts/check_mounts.sh $1 diff --git a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix b/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix deleted file mode 100644 index 7e2a84ea4..000000000 --- a/devops/roles/icos.zabbix_custom_checks/files/fsicos3/zabbix +++ /dev/null @@ -1,4 +0,0 @@ -zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc exec * -zabbix ALL=(ALL) NOPASSWD: /snap/bin/lxc config show * -zabbix ALL=(ALL) NOPASSWD: /usr/bin/md5sum -zabbix ALL=(ALL) NOPASSWD: /etc/zabbix/scripts/check_lxc_config_hash.sh diff --git a/devops/roles/icos.zabbix_custom_checks/handlers/main.yml b/devops/roles/icos.zabbix_custom_checks/handlers/main.yml deleted file mode 100644 index a7120ec77..000000000 --- a/devops/roles/icos.zabbix_custom_checks/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart zabbix-agent2 - systemd: - name: "{{ zabbix_agent_service }}" - state: restarted - daemon_reload: yes \ No newline at end of file diff --git a/devops/roles/icos.zabbix_custom_checks/tasks/main.yml b/devops/roles/icos.zabbix_custom_checks/tasks/main.yml deleted file mode 100644 index 8311a57e5..000000000 --- a/devops/roles/icos.zabbix_custom_checks/tasks/main.yml +++ /dev/null 
@@ -1,158 +0,0 @@ ---- -# Ensure directories exist on all hosts -- name: Ensure Zabbix directories exist - file: - path: "{{ item }}" - state: directory - owner: zabbix - group: zabbix - mode: '0755' - loop: - - "{{ zabbix_scripts_dir }}" - - "{{ zabbix_custom_dir }}" - become: yes - -# Block for fsicos2 custom checks deployment -- name: Deploy custom checks for fsicos2 - when: inventory_hostname == 'fsicos2' or 'fsicos2' in group_names - tags: - - fsicos2-custom - - zabbix-custom - block: - - name: Copy fsicos2 check scripts (.sh files) - copy: - src: "{{ item }}" - dest: "{{ zabbix_scripts_dir }}/" - owner: zabbix - group: zabbix - mode: '0755' - become: yes - with_fileglob: - - "files/fsicos2/check_*.sh" - register: sh_files - - - name: Copy fsicos2 check scripts (.py files) - copy: - src: "{{ item }}" - dest: "{{ zabbix_scripts_dir }}/" - owner: zabbix - group: zabbix - mode: '0755' - become: yes - with_fileglob: - - "files/fsicos2/check_*.py" - register: py_files - - - name: Copy fsicos2 custom configuration files - copy: - src: "{{ item }}" - dest: "{{ zabbix_custom_dir }}/" - owner: zabbix - group: zabbix - mode: '0644' - become: yes - with_fileglob: - - "files/fsicos2/custom_*.conf" - register: conf_files - - - name: Copy fsicos2 sudoers file if exists - copy: - src: "files/fsicos2/zabbix" - dest: "{{ zabbix_sudoers_dir }}/zabbix" - owner: root - group: root - mode: '0440' - validate: 'visudo -cf %s' - become: yes - when: lookup('ansible.builtin.fileglob', 'files/fsicos2/zabbix', errors='ignore') | length > 0 - register: sudo_file - - - name: Trigger zabbix restart if fsicos2 files changed - debug: - msg: "Files changed, triggering zabbix-agent2 restart" - changed_when: true - when: > - sh_files.changed or - py_files.changed or - conf_files.changed or - sudo_file.changed - notify: restart zabbix-agent2 - - -# Block for fsicos3 custom checks deployment -- name: Deploy custom checks for fsicos3 - when: inventory_hostname == 'fsicos3' or 'fsicos3' in 
group_names - tags: - - fsicos3-custom - - zabbix-custom - block: - - name: Copy fsicos3 check scripts (.sh files) - copy: - src: "{{ item }}" - dest: "{{ zabbix_scripts_dir }}/" - owner: zabbix - group: zabbix - mode: '0755' - become: yes - with_fileglob: - - "files/fsicos3/check_*.sh" - register: sh_files - - - name: Copy fsicos3 check scripts (.py files) - copy: - src: "{{ item }}" - dest: "{{ zabbix_scripts_dir }}/" - owner: zabbix - group: zabbix - mode: '0755' - become: yes - with_fileglob: - - "files/fsicos3/check_*.py" - register: py_files - - - name: Copy fsicos3 custom configuration files - copy: - src: "{{ item }}" - dest: "{{ zabbix_custom_dir }}/" - owner: zabbix - group: zabbix - mode: '0644' - become: yes - with_fileglob: - - "files/fsicos3/custom_*.conf" - register: conf_files - - - name: Copy fsicos3 userparam configuration files - copy: - src: "{{ item }}" - dest: "{{ zabbix_custom_dir }}/" - owner: zabbix - group: zabbix - mode: '0644' - become: yes - with_fileglob: - - "files/fsicos3/userparam_*.conf" - register: conf_files - - - name: Copy fsicos3 sudoers zabbix file - copy: - src: "files/fsicos3/zabbix" - dest: "{{ zabbix_sudoers_dir }}/zabbix" - owner: root - group: root - mode: '0440' - validate: 'visudo -cf %s' - become: yes - when: lookup('ansible.builtin.fileglob', 'files/fsicos3/zabbix', errors='ignore') | length > 0 - register: sudo_file - - - name: Trigger zabbix restart if fsicos3 files changed - ansible.builtin.debug: - msg: "*** Triggering zabbix-agent2 restart ****" - changed_when: true - when: > - sh_files.changed or - py_files.changed or - conf_files.changed or - sudo_file.changed - notify: restart zabbix-agent2 \ No newline at end of file