Separate installation of repos

.github/workflows/repo.yml

@@ -0,0 +1,72 @@
+---
+name: "community.zabbix.zabbix_repo"
+on:
+  push:
+    paths:
+      - "roles/zabbix_repo/**"
+      - "molecule/zabbix_repo/**"
+      - "molecule/requirements.txt"
+      - ".github/workflows/server.yml"
+  pull_request:
+    paths:
+      - "roles/zabbix_repo/**"
+      - "molecule/zabbix_repo/**"
+      - "molecule/requirements.txt"
+      - ".github/workflows/server.yml"
+jobs:
+  molecule:
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        container:
+          - rockylinux9
+          - rockylinux8
+          - ubuntu2404
+          - ubuntu2204
+          - ubuntu2004
+          - debian12
+          - debian11
+        collection_role:
+          - zabbix_repo
+        version:
+          - v64
+          - v60
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r molecule/requirements.txt
+
+      - name: Build the collection
+        run: |
+          # Pin versions to speed up CI
+          sed -i 's/ansible\.windows:\s*"\*"/ansible.windows: "2.3.0"/' galaxy.yml
+          sed -i 's/ansible\.netcommon:\s*"\*"/ansible.netcommon: "6.1.1"/' galaxy.yml
+          sed -i 's/ansible\.posix:\s*"\*"/ansible.posix: "1.5.4"/' galaxy.yml
+          sed -i 's/community\.general:\s*"\*"/community.general: "8.6.0"/' galaxy.yml
+          sed -i 's/community\.mysql:\s*"\*"/community.mysql: "3.9.0"/' galaxy.yml
+          sed -i 's/community\.postgresql:\s*"\*"/community.postgresql: "3.4.0"/' galaxy.yml
+
+          collection_file=$( basename $(ansible-galaxy collection build -f | awk -F" " '{print $NF}'))
+          echo "COLLECTION_FILE=$collection_file" >> $GITHUB_ENV
+
+      - name: Install the collection
+        run: ansible-galaxy collection install -vvvv $COLLECTION_FILE
+
+      - name: Run server role tests
+        run: >-
+          MY_MOLECULE_CONTAINER=${{ matrix.container }}
+          MY_MOLECULE_IMAGE=${{ matrix.container }}
+          MY_MOLECULE_VERSION=${{ matrix.version }}
+          MY_MOLECULE_DOCKER_COMMAND=${{ matrix.command }}
+          molecule test -s ${{ matrix.collection_role }}

changelogs/fragments/pr_1250.yml

@@ -0,0 +1,7 @@
+major_changes:
+  - All Roles - Separate installation of Zabbix repo from all other roles and link them together.
+minor_changes:
+  - All Roles - Include installation of GPG key for RHEL based operating systems.
+  - All Roles - Add support for yum authentication on RHEL based operating systems.
+  - All Roles - Add the `zabbix_manage_repo` variable.
+  - All Roles - Changed logic for installing selinux related changes based the status of selinux on the target system.

docs/ZABBIX_AGENT_ROLE.md

@@ -119,10 +119,12 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
 * `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key.
 * `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_manage_repo`: Have the collection install and configure the Zabbix repo Default `true`.
 
 ### SElinux
 
-* `zabbix_selinux`: Default: `False`. Enables an SELinux policy so that the server will run.
+Selinux changes will be installed based on the status of selinux running on the target system.
+
 * `selinux_allow_zabbix_run_sudo`: Default: `False`.  Enable Zabbix root access on system.
 
 ### Zabbix Agent

docs/ZABBIX_JAVAGATEWAY_ROLE.md

@@ -64,6 +64,7 @@ The `zabbix_javagateway_version` is optional. The latest available major.minor v
 * `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
 * `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
 * `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_manage_repo`: Have the collection install and configure the Zabbix repo Default `true`.
 
 ### Java Gatewaty
 

docs/ZABBIX_PROXY_ROLE.md

@@ -105,6 +105,7 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_proxy_manage_service`: Default: `True`. When you run multiple Zabbix proxies in a High Available cluster setup (e.g. pacemaker), you don't want Ansible to manage the zabbix-proxy service, because Pacemaker is in control of zabbix-proxy service.
 * `zabbix_proxy_include_mode`: Default: `0755`. The "mode" for the directory configured with `zabbix_proxy_include`.
 * `zabbix_proxy_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file.
+* `zabbix_manage_repo`: Have the collection install and configure the Zabbix repo Default `true`.
 
 ### Database specific
 
@@ -138,7 +139,7 @@ The following is an overview of all available configuration default for this rol
 
 ### SElinux
 
-* `zabbix_proxy_selinux`: Default: `False`. Enables an SELinux policy so that the Proxy will run.
+Selinux changes will be installed based on the status of selinux running on the target system.
 
 ## Proxy
 

docs/ZABBIX_REPO_ROLE.md

@@ -0,0 +1,92 @@
+# community.zabbix.zabbix_server role
+
+![Zabbix Manage Repo](https://github.com/ansible-collections/community.zabbix/workflows/community.zabbix.zabbix_manage_repo/badge.svg)
+
+**Table of Contents**
+
+- [Overview](#overview)
+- [Requirements](#requirements)
+  * [Operating systems](#operating-systems)
+  * [Zabbix Versions](#zabbix-versions)
+- [Installation](#installation)
+- [Role Variables](#role-variables)
+- [Example Playbook](#example-playbook)
+- [License](#license)
+- [Author Information](#author-information)
+
+# Overview
+
+This is a Ansible role for installing the yum or apt repository for Zabbix.  This will not install the Zabbix Server or any other component of Zabbix itself.
+
+# Requirements
+
+## Operating systems
+
+This role will work on the following operating systems:
+
+ * Red Hat
+ * Debian
+ * Ubuntu
+
+So, you'll need one of those operating systems.. :-)
+Please send Pull Requests or suggestions when you want to use this role for other Operating systems.
+
+## Zabbix Versions
+
+See the following list of supported Operating systems with the Zabbix releases:
+
+| Zabbix              | 6.4 | 6.0 |
+|---------------------|-----|-----|
+| Red Hat Fam 9       |  V  |  V  |
+| Red Hat Fam 8       |  V  |  V  |
+| Ubuntu 24.04 noble  |  V  |  V  |
+| Ubuntu 22.04 jammy  |  V  |  V  |
+| Ubuntu 20.04 focal  |  V  |  V  |
+| Debian 12 bookworm  |  V  |  V  |
+| Debian 11 bullseye  |  V  |  V  |
+
+# Installation
+
+Installing this role is very simple: `ansible-galaxy install community.zabbix.zabbix_manage_repo`
+
+Please be aware that this role only installs the repo itself.  It is generally used by the various other Zabbix roles (i.e. server or web) and not normally used by itself.
+
+# Role Variables
+
+* `zabbix_repo_apt_priority`: Option:  An integer value for the priority of the repo.
+* `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_repo_version }}/{{ ansible_distribution.lower() }}`
+* `zabbix_http_proxy`: Optional: HTTP proxy information.
+* `zabbix_https_proxy`: Optional: HTTPS proxy information.
+* `zabbix_repo_gpg_key`: Optional: The keyring path.  Default: `{{ debian_keyring_path }}zabbix-repo.asc`
+* `zabbix_repo_keyring_path`: Optional: The path to store keyrings in Debian distributions.  Default: `/etc/apt/keyrings/`
+* `zabbix_repo_package`: The name of the package to lock the apt priority to.
+* `zabbix_repo_version`: Optional. The main version (i.e. major.minor) of Zabbix that will be installed on the host(s).  Default: 6.4
+* `zabbix_repo_yum`: A list with Yum repository configuration.
+* `zabbix_repo_yum_gpg_check`: Optional.  Yum should check GPG keys.  Default: 0
+* `zabbix_repo_yum_gpg_key_url`: The URL to download the Zabbix GPG key from. Default: `http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD`
+* `zabbix_repo_yum_schema`: Default: `https`. Option to change the web schema for the yum repository(http/https)
+
+# Example Playbook
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+```yaml
+  - hosts: zabbix-server
+    roles:
+      - role: community.zabbix.zabbix_repo
+```
+
+# License
+
+GNU General Public License v3.0 or later
+
+See LICENCE to see the full text.
+
+# Author Information
+
+Please send suggestion or pull requests to make this role better. Also let us know if you encounter any issues installing or using this role.
+
+Github: https://github.com/ansible-collections/community.zabbix

docs/ZABBIX_SERVER_ROLE.md

@@ -103,19 +103,16 @@ The following is an overview of all available configuration default for this rol
 
 * `zabbix_server_version`: Optional. The latest available major.minor version of Zabbix will be installed on the host(s). If you want to use an older version, please specify this in the major.minor format. Example: `zabbix_server_version: 6.0`.
 * `zabbix_server_version_minor`: When you want to specify a minor version to be installed. RedHat only. Default set to: `*` (latest available)
-* `zabbix_repo_yum`: A list with Yum repository configuration.
-* `zabbix_repo_yum_schema`: Default: `https`. Option to change the web schema for the yum repository(http/https)
 * `zabbix_server_disable_repo`: A list of repos to disable during install.  Default `epel`.
 * `zabbix_service_state`: Default: `started`. Can be overridden to stopped if needed
 * `zabbix_service_enabled`: Default: `True` Can be overridden to `False` if needed
-* `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_server_version }}/{{ ansible_distribution.lower() }}`
-* `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
-* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
-* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_manage_repo`: Have the collection install and configure the Zabbix repo Default `true`.
+
 
 ### SElinux
 
-* `zabbix_server_selinux`: Default: `False`. Enables an SELinux policy so that the server will run.
+Selinux changes will be installed based on the status of selinux running on the target system.
+
 * `selinux_allow_zabbix_can_network`: Default: `False`. 
 * `selinux_allow_zabbix_can_http`: Default: `False`. 
 

docs/ZABBIX_WEB_ROLE.md

@@ -88,16 +88,12 @@ The following is an overview of all available configuration defaults for this ro
 
 * `zabbix_web_version`: Optional. The latest available major.minor version of Zabbix will be installed on the host(s). If you want to use an older version, please specify this in the major.minor format. Example: `zabbix_web_version: 6.0`.
 * `zabbix_web_version_minor`: When you want to specify a minor version to be installed. RedHat only. Default set to: `*` (latest available)
-* `zabbix_repo_yum`: A list with Yum repository configuration.
-* `zabbix_repo_yum_schema`: Default: `https`. Option to change the web schema for the yum repository(http/https)
 * `zabbix_web_disable_repo`: A list of repos to disable during install.  Default `epel`.
 * `zabbix_web_package_state`: Default: `present`. Can be overridden to `latest` to update packages when needed.
 * `zabbix_web_doubleprecision`: Default: `False`. For upgraded installations, please read database [upgrade notes](https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500) (Paragraph "Enabling extended range of numeric (float) values") before enabling this option.
 * `zabbix_web_conf_mode`: Default: `0644`. The "mode" for the Zabbix configuration file.
-* `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_web_version }}/{{ ansible_distribution.lower() }}`
-* `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
-* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
-* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_manage_repo`: Have the collection install and configure the Zabbix repo Default `true`.
+
 
 ### Zabbix Web specific
 
@@ -156,7 +152,8 @@ The following properties are specific to Zabbix 5.0 and for the PHP(-FPM) config
 
 ### SElinux
 
-* `zabbix_web_selinux`: Default: `False`. Enables an SELinux policy so that the web will run.
+Selinux changes will be installed based on the status of selinux running on the target system.
+
 * `selinux_allow_httpd_can_connect_zabbix`: Default: `false`. Set SELinux boolean to allow httpd to connect to zabbix.
 * `selinux_allow_httpd_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP.
 * `selinux_allow_httpd_can_network_connect_db`: Default: `false` Set SELinux boolean to allow httpd to connect databases over the network.

molecule/zabbix_agent_tests/common/molecule.yml

@@ -33,6 +33,8 @@ provisioner:
         zabbix_agent_listenip: 0.0.0.0
         zabbix_agent_tlsconnect: psk
         zabbix_agent_tlsaccept: psk
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_agent_version: 6.4
       v62:

molecule/zabbix_javagateway/molecule.yml

@@ -21,6 +21,9 @@ provisioner:
     ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
   inventory:
     group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_javagateway_version: 6.4
       v62:

molecule/zabbix_proxy/molecule.yml

@@ -23,6 +23,9 @@ provisioner:
     ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
   inventory:
     group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_proxy_version: 6.4
       v62:

molecule/zabbix_repo/converge.yml

@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: zabbix_repo

molecule/zabbix_repo/destroy.yml

@@ -0,0 +1,23 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Destroy molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        state: absent
+        force_kill: "{{ item.force_kill | default(True) }}"
+      with_items: "{{ molecule_yml.platforms }}"
+
+    - name: Destroy 3rd party instance(s)
+      docker_container:
+        name: "{{ item.name }}-db"
+        state: absent
+        force_kill: true
+      loop: "{{ molecule_yml.platforms }}"

molecule/zabbix_repo/molecule.yml

@@ -0,0 +1,33 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: zabbix-repo-${MY_MOLECULE_VERSION:-v64}-${MY_MOLECULE_CONTAINER:-rockylinux8}
+    image: geerlingguy/docker-${MY_MOLECULE_IMAGE:-rockylinux8}-ansible:latest
+    privileged: true
+    pre_build_image: true
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    networks:
+      - name: zabbix
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    groups:
+      - ${MY_MOLECULE_VERSION:-v64}
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_COLLECTIONS_PATHS: $HOME/.ansible/collections/ansible_collections/community/zabbix
+    ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
+  inventory:
+    group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
+      v64:
+        zabbix_server_version: 6.4
+      v60:
+        zabbix_server_version: 6.0
+
+verifier:
+  name: testinfra

molecule/zabbix_repo/prepare.yml

@@ -0,0 +1,26 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Apt update"
+      ansible.builtin.shell: "apt-get update && echo exit 0 > /usr/sbin/policy-rc.d"
+      args:
+        warn: "{{ produce_warn | default(omit) }}"
+      register: installation_dependencies
+      until: installation_dependencies is succeeded
+      when:
+        - ansible_os_family != 'RedHat'
+
+    - name: "Configure SUDO."
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        line: "Defaults    !requiretty"
+        state: present
+
+    - name: "Make sure the docs are installed."
+      ansible.builtin.lineinfile:
+        dest: /etc/yum.conf
+        line: "tsflags=nodocs"
+        state: absent
+      when:
+        - ansible_os_family == 'RedHat'