commit f0f9df53a3abf53191e2f004c7b7947970a4638f
Author: Tomislav Kopić
Date: Sat Feb 10 10:25:27 2024 +0100
first commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e845c18
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+inventory
diff --git a/playbooks/upgrade_all_hosts.yml b/playbooks/upgrade_all_hosts.yml
new file mode 100644
index 0000000..fbb9135
--- /dev/null
+++ b/playbooks/upgrade_all_hosts.yml
@@ -0,0 +1,24 @@
+---
+- hosts: all
+ become: yes
+ tasks:
+ - name: "Update cache & Full system update"
+ apt:
+ update_cache: true
+ upgrade: dist
+ cache_valid_time: 3600
+ force_apt_get: true
+ - name: "Clean unwanted olderstuff"
+ apt:
+ autoremove: yes
+ purge: yes
+ clean: yes
+ - name: "Fix sysctl file"
+ ansible.builtin.copy:
+ src: ../config/sysctl.conf
+ dest: /etc/sysctl.conf
+ owner: "root"
+ group: "root"
+ mode: 0644
+ - name: "Reboot all machines"
+ ansible.builtin.reboot:
diff --git a/playbooks/zabbix_agent_install.yml b/playbooks/zabbix_agent_install.yml
new file mode 100644
index 0000000..5f77e68
--- /dev/null
+++ b/playbooks/zabbix_agent_install.yml
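Review bot: The "Fix sysctl file" task copies `src: ../config/sysctl.conf`, but this commit adds the file as `templates/sysctl.conf` and no `config/` directory, so the play fails on every host before it reaches the reboot; the path should be `src: ../templates/sysctl.conf`. The closing `ansible.builtin.reboot` is also unconditional, so every run of this `hosts: all` play reboots the whole fleet even when apt and the copy changed nothing — register the upgrade and copy results and gate the reboot on them. `become: yes`, `autoremove: yes`, `purge: yes` and `clean: yes` should be `true`, and `mode: 0644` should be quoted as `mode: "0644"` so YAML does not read it as an octal integer.
```yaml
    - name: "Update cache & Full system update"
      apt:
        # … unchanged: apt arguments …
      register: dist_upgrade
    # … unchanged: "Clean unwanted olderstuff" task …
    - name: "Fix sysctl file"
      ansible.builtin.copy:
        src: ../templates/sysctl.conf
        # … unchanged: dest / owner / group …
        mode: "0644"
      register: sysctl_conf
    - name: "Reboot all machines"
      ansible.builtin.reboot:
      when: dist_upgrade.changed or sysctl_conf.changed
```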
@@ -0,0 +1,49 @@
+---
+- name: "Zabbix agent2 installation and setup"
+ hosts: Rack
+ become: yes
+ vars_files:
+ - ../vaults/zabbix.yml
+ vars:
+ - zabbix_version: 6.4
+ - zabbix_server:
+ - host_meta: OrangePiZero Rack
+
+ tasks:
+ - name: Upgrade zabbix-release
+ apt:
+ name: zabbix-release
+ state: latest
+
+ - name: uninstall zabbix agent
+ apt:
+ name: zabbix-agent
+ state: absent
+
+ - name: install zabbix agent2
+ apt:
+ name: zabbix-agent2
+ state: latest
+
+ - ansible.builtin.copy: content="{{ psk_key }}" dest=/etc/zabbix/key.psk
+
+ - name: Configure zabbix agent service
+ ansible.builtin.template:
+ src: ../templates/zabbix_agentd2.conf
+ dest: /etc/zabbix/zabbix_agent2.conf
+ owner: zabbix
+ group: zabbix
+ mode: '0644'
+ backup: yes
+ - name: Create a config directory
+ ansible.builtin.file:
+ path: /etc/zabbix/zabbix_agentd.conf.d/
+ state: directory
+ mode: '0755'
+
+
+ - name: Restart zabbix agent
+ ansible.builtin.service:
+ name: zabbix-agent2
+ state: restarted
+ enabled: yes
diff --git a/templates/sysctl.conf b/templates/sysctl.conf
new file mode 100644
index 0000000..d1e8b8c
--- /dev/null
+++ b/templates/sysctl.conf
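Review bot: The PSK write `ansible.builtin.copy: content="{{ psk_key }}" dest=/etc/zabbix/key.psk` sets no owner, group or mode, so under `become` the shared secret lands as a root-owned file with the default umask (typically 0644) and is readable by every local account on the host; the agent runs as `zabbix`, so the task needs `owner: zabbix`, `group: zabbix`, `mode: "0600"`, plus `no_log: true` so the PSK is not echoed in verbose or failed-task output, and it should be written in block YAML like the neighbouring tasks. Separately, `zabbix_server:` under `vars` is left empty, so the `Server=`/`ServerActive=` lines rendered from it carry no usable value — set it here or move it into the vault. `vars` is written as a list of single-key mappings, which Ansible accepts but is unusual; `zabbix_version: 6.4` is unused in this play and parses as a float; `become: yes`, `backup: yes` and `enabled: yes` should be `true`.
```yaml
    - name: Install zabbix PSK
      ansible.builtin.copy:
        content: "{{ psk_key }}"
        dest: /etc/zabbix/key.psk
        owner: zabbix
        group: zabbix
        mode: "0600"
      no_log: true
```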
@@ -0,0 +1,133 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname =
+
+# Uncomment the following to stop low-level messages on console
+kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# See
+# for what other values do
+#kernel.sysrq=438
+
+vm.swappiness=1
+vm.dirty_ratio=50
+vm.dirty_background_ratio=30
+vm.min_free_kbytes = 4096
+vm.vfs_cache_pressure=75
+
+### GENERAL NETWORK SECURITY OPTIONS ###
+
+# Number of times SYNACKs for passive TCP connection.
+net.ipv4.tcp_synack_retries = 2
+
+# Protect Against TCP Time-Wait
+net.ipv4.tcp_rfc1337 = 1
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 15
+
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+### TUNING NETWORK PERFORMANCE ###
+
+# Default Socket Receive Buffer
+net.core.rmem_default = 31457280
+
+# Maximum Socket Receive Buffer
+net.core.rmem_max = 12582912
+
+# Default Socket Send Buffer
+net.core.wmem_default = 31457280
+
+# Maximum Socket Send Buffer
+net.core.wmem_max = 12582912
+
+# Increase number of incoming connections
+net.core.somaxconn = 4096
+
+# Increase number of incoming connections backlog
+net.core.netdev_max_backlog = 65536
+
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 25165824
+
+# Increase the maximum total buffer-space allocatable
+# This is measured in units of pages (4096 bytes)
+net.ipv4.tcp_mem = 65536 131072 262144
+net.ipv4.udp_mem = 65536 131072 262144
+
+# Increase the read-buffer space allocatable
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.udp_rmem_min = 16384
+
+# Increase the write-buffer-space allocatable
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_wmem_min = 16384
+
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_reuse = 1
+
+# Congestion Control
+net.core.default_qdisc=fq
+net.ipv4.tcp_congestion_control=bbr
diff --git a/templates/zabbix_agentd2.conf b/templates/zabbix_agentd2.conf
new file mode 100644
index 0000000..5718ca5
--- /dev/null
+++ b/templates/zabbix_agentd2.conf
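Review bot: `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` are switched on while every hardening knob the file itself recommends (`rp_filter`, `tcp_syncookies`, `accept_redirects`, `send_redirects`, `accept_source_route`, `log_martians`) stays commented out, and since upgrade_all_hosts.yml pushes this file to `hosts: all`, every machine in the inventory becomes an IP router with no anti-spoofing and with IPv6 SLAAC disabled (as the comment above the IPv6 line says). Forwarding belongs in a host-specific `/etc/sysctl.d/` drop-in for the boxes that actually route, and the protection lines should be uncommented here, e.g. `net.ipv4.conf.all.rp_filter=1`, `net.ipv4.tcp_syncookies=1`, `net.ipv4.conf.all.accept_redirects = 0`; the "Uncomment the next line" comments above the two forwarding lines are also now stale. In the tuning section `net.core.rmem_default = 31457280` and `net.core.wmem_default = 31457280` are larger than `rmem_max`/`wmem_max` (12582912), so new sockets start with a buffer bigger than the cap that setsockopt enforces; the defaults should be at or below the maxima, and a 30 MiB per-socket default is presumably far too large for the small boards this repo seems to target.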
@@ -0,0 +1,20 @@
+PidFile=/var/run/zabbix/
+LogType=file
+LogFile=/var/log/zabbix/zabbix_agent2.log
+LogFileSize=0
+DebugLevel=2
+Server={{ zabbix_server }}
+ListenPort=10050
+ListenIP={{ ansible_default_ipv4.address }}
+ServerActive={{ zabbix_server }}
+Hostname={{ ansible_hostname }}
+HostMetadata={{ host_meta }}
+RefreshActiveChecks=300
+Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf
+ControlSocket=/tmp/agent.sock
+Include=./zabbix_agent2.d/plugins.d/*.conf
+TLSAccept=psk
+TLSConnect=psk
+TLSPSKIdentity={{ psk_id }}
+TLSPSKFile=/etc/zabbix/key.psk,/usr/bin/sensors -j
diff --git a/vaults/zabbix.yml b/vaults/zabbix.yml
new file mode 100644
index 0000000..478b0d1
--- /dev/null
+++ b/vaults/zabbix.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+39363033333663376561306236323138336366383435646638616131373231373765626136303630
+3333386134633035363136346133626361353863643030390a326663623539393730316261643334
+65666530353763613563626636323136363831366435343630363430363331623934633131613134
+3732336634386239310a666134633565633838313735643862373830373634333064353566336432
+66373335343965383434366536353734373865393738316462363035646261336231353864393935
+39316361626333323534666637333831363566346234353932633833306563353937393465346361
+63373733393461646139653835373235343439303434303539393432303866633931343566353733
+61633939323537303434316561643437356661316334326130633862323136363433333938356261
+37306435333338656163646539373363306663303139383739363835393239373532376338656461
+3762666530373266626564366631323438643466656133333765
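Review bot: `TLSPSKFile=/etc/zabbix/key.psk,/usr/bin/sensors -j` is not a valid value — TLSPSKFile takes one path, so the agent will try to open a file literally named `/etc/zabbix/key.psk,/usr/bin/sensors -j` and TLS setup fails, which with `TLSAccept=psk`/`TLSConnect=psk` leaves the agent unable to talk to the server at all; the tail looks like a `UserParameter` that was merged into this line, so it should read `TLSPSKFile=/etc/zabbix/key.psk` with, if the sensors check is wanted, a separate `UserParameter=sensors,/usr/bin/sensors -j`. `PidFile=/var/run/zabbix/` names a directory rather than a file; the packaged default is `/run/zabbix/zabbix_agent2.pid`, and a directory here will presumably make the agent refuse to write its pid file. `Server={{ zabbix_server }}` and `ServerActive={{ zabbix_server }}` render from a variable the playbook leaves empty, so until it is set the agent has no permitted server address. `ControlSocket=/tmp/agent.sock` sits in a world-writable directory where any local user can pre-create the name; a path under `/run/zabbix/` avoids that.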