Zabbix: Add grab-bag of SSL checks to proxy01(.stg)

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2026-03-20 03:57:02 +08:00 · 2025-12-11 12:59:31 +00:00
parent 140a6eb752
commit feee862e77
3 changed files with 100 additions and 0 deletions
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -27,6 +27,7 @@
  - rkhunter
  - nagios_client
  - zabbix/zabbix_agent
+  - { role: zabbix/sslchecks, tags: zabbix_api }
  - collectd/base
  - sudo
  - rsyncd
--- a/roles/zabbix/sslchecks/sslcheck.yml
+++ b/roles/zabbix/sslchecks/sslcheck.yml
@@ -0,0 +1,74 @@
+---
+- name: Zabbix API Block
+  vars:
+    ansible_zabbix_auth_key: "{{ zabbix_auth_key }}"
+    ansible_network_os: "{{ zabbix_network_os }}"
+    ansible_connection: "{{ zabbix_connection }}"
+    ansible_httpapi_port: "{{ zabbix_httpapi_port }}"
+    ansible_httpapi_use_ssl: "{{ zabbix_httpapi_use_ssl }}"
+    ansible_httpapi_validate_certs: "{{ zabbix_httpapi_validate_certs }}"
+    ansible_host: "{{ zabbix_server }}"
+    ansible_zabbix_url_path: "{{ zabbix_url_path }}"
+  tags:
+    - zabbix_agent
+    - zabbix_api
+    - pagure
+  block:
+    - name: Create {{ item.name }} cert age item
+      community.zabbix.zabbix_item:
+        name: "{{ item.name }} SSL Certificate time remaining"
+        host_name: "{{ inventory_hostname }}"
+        params:
+          type: external_check
+          key: "zext_ssl_cert.sh[{{ item.cert }},443]"
+          value_type: numeric_unsigned
+          units: 'days'
+          timeout: '10s'
+          interval: '12h'
+          tags:
+            - tag: application
+              value: pagure
+            - tag: component
+              value: ssl
+
+    - name: Create {{ item.name }} 30day trigger
+      community.zabbix.zabbix_trigger:
+        name: "{{ item.name }} SSL Certificate expires in 30d"
+        host_name: "{{ inventory_hostname }}"
+        params:
+          severity: average
+          expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<30"
+          comments: "Time to renew this certificate"
+          enabled: true
+          manual_close: true
+          tags:
+            - tag: scope
+              value: availability
+
+    - name: Create {{ item.name }} 7day trigger
+      community.zabbix.zabbix_trigger:
+        name: "{{ item.name }} SSL Certificate expires in 7d"
+        host_name: "{{ inventory_hostname }}"
+        params:
+          severity: high
+          expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<7"
+          comments: "Renew this certificate urgently"
+          enabled: true
+          manual_close: true
+          tags:
+            - tag: scope
+              value: availability
+
+    - name: Create {{ item.name }} 0day trigger
+      community.zabbix.zabbix_trigger:
+        name: "{{ item.name }} SSL Certificate expired!"
+        host_name: "{{ inventory_hostname }}"
+        params:
+          severity: disaster
+          expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<1"
+          comments: "Renew this certificate now!"
+          enabled: true
+          manual_close: true
+          tags:
+            - tag: scope
+              value: availability
--- a/roles/zabbix/sslchecks/tasks/main.yml
+++ b/roles/zabbix/sslchecks/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Create SSL checks for other hosts
+  include_tasks: sslcheck.yml
+  loop:
+    - { name: '*.fedorapeople.org',                          cert: 'fedorapeople.org' }
+    - { name: '*.fedoraproject.org',                         cert: 'fedoraproject.org'  }
+    - { name: '*.apps.ocp.fedoraproject.org',                cert: 'console-openshift-console.apps.ocp.fedoraproject.org'  }
+    - { name: 'api.ocp.fedoraproject.org',                   cert: 'api.ocp.fedoraproject.org'  }
+    - { name: 'raw-updates.coreos.fedoraproject.org',        cert: 'raw-updates.coreos.fedoraproject.org'  }
+    - { name: 'status.raw-updates.coreos.fedoraproject.org', cert: 'status.raw-updates.coreos.fedoraproject.org'  }
+    - { name: 'status.updates.coreos.fedoraproject.org',     cert: 'status.updates.coreos.fedoraproject.org'  }
+    - { name: 'updates.coreos.fedoraproject.org',            cert: 'updates.coreos.fedoraproject.org'  }
+    - { name: 'whatcanidoforfedora.org',                     cert: 'whatcanidoforfedora.org'  }
+  tags:
+    - zabbix_api
+  when: inventory_hostname == 'proxy01.rdu3.fedoraproject.org'
+
+- name: Create SSL checks for other stg hosts
+  include_tasks: sslcheck.yml
+  loop:
+    - { name: '*.apps.ocp.stg.fedoraproject.org', cert: 'console-openshift-console.apps.ocp.stg.fedoraproject.org'  }
+    - { name: 'api.ocp.stg.fedoraproject.org',    cert: 'api.ocp.stg.fedoraproject.org'  }
+  tags:
+    - zabbix_api
+  when: inventory_hostname == 'proxy01.stg.rdu3.fedoraproject.org'