Zabbix: Rework how PSKs are defined in Ansible

The "file+env_suffix" approach is a problem when dealing with hosts like
pagure-stg01 that actually exist in prod. We can't override env_suffix
without breaking many things.

Instead, the PSKs are now defined directly in the private vars, instead
of in a file, and the variable name is then read from inventory vars.
This means we can override it for a group/host.

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
Greg Sutcliffe
2025-10-03 13:25:00 +01:00
parent 42f295d968
commit e30e0e2114
7 changed files with 11 additions and 10 deletions


@@ -330,7 +330,7 @@ zabbix_url_path: "" # If Zabbix WebUI runs on non-default (zabbix) path ,e.g. h
# Zabbix agent vars
zabbix_host: "zabbix01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
zabbix_tls_psk_identity: "Fedora"
zabbix_tls_psk_file: "/etc/zabbix/fedora.psk" # `openssl rand -hex 32` - values in ansible private repo
zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # in ansible-private repo
notes: |
Unspecified.
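Review bot: The new `zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}"` line drops the generation hint that the old `zabbix_tls_psk_file` line carried, so the next person rotating the key has nothing to tell them how the value in ansible-private is produced. Keep the hint on the new line, e.g. `zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # value in ansible-private repo, generated with: openssl rand -hex 32`. Which of the two lines is removed and which is added is not marked in this rendering; I am reading it from the commit description. The surrounding group_vars file continues on both sides of the hunk.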


@@ -40,6 +40,7 @@ vpn: true
zabbix_host: zabbix01.vpn.fedoraproject.org
zabbix_server: "{{ zabbix_hostname }}"
zabbix_auth_key: "{{ zabbix_apikey }}" # ansible-private repo
zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # in ansible-private repo, pagure-stg is weird...
notes: |
Run the pagure instances for fedora
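Review bot: The inline comment `pagure-stg is weird...` on the new `zabbix_tls_psk` line records that this group is an exception without saying why, which is exactly what a later reader of a per-group secret override needs. The commit description has the reason, so put it on the line: `zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # pagure-stg01 is registered in the prod Zabbix server, so it needs the prod PSK`. The rest of this group_vars file lies outside the hunk.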


@@ -68,3 +68,4 @@ wildcard_key_file: wildcard-2025.stg.fedoraproject.org.key
# Zabbix connection vars - overrides on production values
zabbix_server: zabbix.stg.fedoraproject.org
zabbix_auth_key: "{{ zabbix_stg_apikey }}" # in ansible-private repo
zabbix_tls_psk: "{{ zabbix_tls_stg_psk }}" # in ansible-private repo
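Review bot: The staging override changes the PSK value but inherits `zabbix_tls_psk_identity: "Fedora"` from the all-hosts defaults, so prod and stg agents present the same identity with different keys. As far as I know Zabbix pairs one PSK identity with exactly one PSK value per server, so this only works because stg hosts register on their own server (`zabbix_server: zabbix.stg.fedoraproject.org` above); a host that ends up on the prod server with the stg PSK would be rejected, and nothing in the vars states that constraint. A comment on the new line would make the coupling explicit: `zabbix_tls_psk: "{{ zabbix_tls_stg_psk }}" # in ansible-private repo; same identity as prod, so stg hosts must stay on the stg server`. The file is cut on both sides of the hunk.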


@@ -12,7 +12,9 @@ zabbix_base_hostgroups:
zabbix_tls_connect: "psk"
zabbix_tls_accept: "psk"
zabbix_tls_psk_identity: "Test"
zabbix_tls_psk_file: "/etc/zabbix/test.psk" # `openssl rand -hex 32` - values in ansible private repo
# Generate this with `openssl rand -hex 32`
# and put value in ansible-private repo
zabbix_tls_psk: abababababababababababababababababababababababababababababababab
# Zabbix Connection params
# these are set in the inventory, see group_vars/all:zabbix_* for starters
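Review bot: The added comment above `zabbix_tls_psk` says to generate the value with `openssl rand -hex 32` and keep it in ansible-private, but the line below it is a hard-coded value, so a reader cannot tell whether this file is the test inventory with a throwaway placeholder or a real key committed by mistake. Say which it is on the value line, and quote the scalar so a future generated value that happens to look numeric cannot be retyped by the YAML parser: `zabbix_tls_psk: "<placeholder>" # dev/test placeholder only; real keys live in ansible-private`. Note also that `zabbix_tls_psk_file: "/etc/zabbix/test.psk"` is kept here while the all-hosts defaults appear to drop that variable, so it is worth checking whether anything still reads it. The enclosing vars file continues outside the hunk.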


@@ -31,13 +31,13 @@
force: false
# Zabbix API for PSK is write-only, so Ansible will always mark as "changed". Ignore "changed" state for PSK.
- name: "API | PSK keys"
- name: Set PSK key in Zabbix
community.zabbix.zabbix_host:
host_name: "{{ inventory_hostname }}"
tls_accept: 2 # PSK
tls_connect: 2 # PSK
tls_psk_identity: "{{ zabbix_tls_psk_identity }}"
tls_psk: "{{ lookup('ansible.builtin.file', private + '/files/zabbix/fedora' + env_suffix + '.psk') }}"
tls_psk: "{{ zabbix_tls_psk }}"
changed_when: false
ignore_errors: '{{ ansible_check_mode }}' # in check mode, the host might not be created yet
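Review bot: The `Set PSK key in Zabbix` task now passes the secret as a module argument, `tls_psk: "{{ zabbix_tls_psk }}"`, and a task without `no_log` echoes its arguments in verbose runs and in failure output, so the PSK can land in CI or console logs; add `no_log: true` to the task next to `changed_when: false`. The previous file-lookup had the same exposure, so this is not new to the commit, but the secret is now a plain inventory variable and easier to print by accident. `ignore_errors: '{{ ansible_check_mode }}'` is the only single-quoted value in the task; use double quotes like its neighbours. The hunk opens with `force: false`, the tail of an earlier task, and the header counts suggest a line or two of this task are not shown.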


@@ -87,13 +87,13 @@
- name: Copy zabbix-agend.conf psk config
ansible.builtin.copy:
src: "{{ item }}"
# value set in group_vars from ansibe-private
content: "{{ zabbix_tls_psk }}\n"
dest: /etc/zabbix/fedora.psk
owner: zabbix
group: zabbix
mode: "0600"
with_fileglob:
- "{{ private }}/files/zabbix/fedora{{ env_suffix }}.psk"
notify: Restart zabbix agent
tags:
- zabbix_agent
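Review bot: Switching the copy task to `content: "{{ zabbix_tls_psk }}\n"` means the agent PSK is now in the task's own arguments, and `ansible.builtin.copy` prints content differences when run with `--diff`, so the key will appear in diff and verbose output unless the task carries `no_log: true`; add it alongside `mode: "0600"`. The destination `dest: /etc/zabbix/fedora.psk` is hard-coded even though the inventory still defines `zabbix_tls_psk_file` (set to `/etc/zabbix/test.psk` in the test vars), so if the agent config template reads that variable the file would be written to a path the agent does not look at; I cannot see the template from here, so confirm which one is authoritative. The task name `Copy zabbix-agend.conf psk config` and the comment `from ansibe-private` both carry typos worth fixing while the task is being touched. The header counts suggest a line of this task is not shown in this rendering.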


@@ -8,9 +8,6 @@ zabbix_db_name: zabbix # OVERRIDE
zabbix_db_user: zabbix # OVERRIDE
zabbix_db_pass: zabbix # OVERRIDE
# This is to configure matching PSK identity to the agents
zabbix_tls_psk_identity: "Fedora" # OVERRIDE
zabbix_server_pkgs:
- zabbix-server-pgsql
- zabbix-web-pgsql