Separate installation of repos

.github/workflows/manage-repo.yml

@@ -0,0 +1,72 @@
+---
+name: "community.zabbix.zabbix_manage_repo"
+on:
+  push:
+    paths:
+      - "roles/zabbix_manage_repo/**"
+      - "molecule/zabbix_manage_repo/**"
+      - "molecule/requirements.txt"
+      - ".github/workflows/server.yml"
+  pull_request:
+    paths:
+      - "roles/zabbix_manage_repo/**"
+      - "molecule/zabbix_manage_repo/**"
+      - "molecule/requirements.txt"
+      - ".github/workflows/server.yml"
+jobs:
+  molecule:
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        container:
+          - rockylinux9
+          - rockylinux8
+          - ubuntu2404
+          - ubuntu2204
+          - ubuntu2004
+          - debian12
+          - debian11
+        collection_role:
+          - zabbix_manage_repo
+        version:
+          - v64
+          - v60
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r molecule/requirements.txt
+
+      - name: Build the collection
+        run: |
+          # Pin versions to speed up CI
+          sed -i 's/ansible\.windows:\s*"\*"/ansible.windows: "2.3.0"/' galaxy.yml
+          sed -i 's/ansible\.netcommon:\s*"\*"/ansible.netcommon: "6.1.1"/' galaxy.yml
+          sed -i 's/ansible\.posix:\s*"\*"/ansible.posix: "1.5.4"/' galaxy.yml
+          sed -i 's/community\.general:\s*"\*"/community.general: "8.6.0"/' galaxy.yml
+          sed -i 's/community\.mysql:\s*"\*"/community.mysql: "3.9.0"/' galaxy.yml
+          sed -i 's/community\.postgresql:\s*"\*"/community.postgresql: "3.4.0"/' galaxy.yml
+
+          collection_file=$( basename $(ansible-galaxy collection build -f | awk -F" " '{print $NF}'))
+          echo "COLLECTION_FILE=$collection_file" >> $GITHUB_ENV
+
+      - name: Install the collection
+        run: ansible-galaxy collection install -vvvv $COLLECTION_FILE
+
+      - name: Run server role tests
+        run: >-
+          MY_MOLECULE_CONTAINER=${{ matrix.container }}
+          MY_MOLECULE_IMAGE=${{ matrix.container }}
+          MY_MOLECULE_VERSION=${{ matrix.version }}
+          MY_MOLECULE_DOCKER_COMMAND=${{ matrix.command }}
+          molecule test -s ${{ matrix.collection_role }}

changelogs/fragments/pr_1250.yml

@@ -0,0 +1,5 @@
+major_changes:
+  - All Roles - Separate installation of Zabbix repo from all other roles and link them together.
+minor_changes:
+  - All Roles - Include installation of GPG key for RHEL based operating systems.
+  - All Roles - Add support for yum authentication on RHEL based operating systems.

docs/ZABBIX_MANAGE_REPO_ROLE.md

@@ -0,0 +1,92 @@
+# community.zabbix.zabbix_server role
+
+![Zabbix Manage Repo](https://github.com/ansible-collections/community.zabbix/workflows/community.zabbix.zabbix_manage_repo/badge.svg)
+
+**Table of Contents**
+
+- [Overview](#overview)
+- [Requirements](#requirements)
+  * [Operating systems](#operating-systems)
+  * [Zabbix Versions](#zabbix-versions)
+- [Installation](#installation)
+- [Role Variables](#role-variables)
+- [Example Playbook](#example-playbook)
+- [License](#license)
+- [Author Information](#author-information)
+
+# Overview
+
+This is a Ansible role for installing the yum or apt repository for Zabbix.  This will not install the Zabbix Server or any other component of Zabbix itself.
+
+# Requirements
+
+## Operating systems
+
+This role will work on the following operating systems:
+
+ * Red Hat
+ * Debian
+ * Ubuntu
+
+So, you'll need one of those operating systems.. :-)
+Please send Pull Requests or suggestions when you want to use this role for other Operating systems.
+
+## Zabbix Versions
+
+See the following list of supported Operating systems with the Zabbix releases:
+
+| Zabbix              | 6.4 | 6.2 | 6.0 |
+|---------------------|-----|-----|-----|
+| Red Hat Fam 9       |  V  |  V  |  V  |
+| Red Hat Fam 8       |  V  |  V  |  V  |
+| Ubuntu 24.04 noble  |  V  |     |  V  |
+| Ubuntu 22.04 jammy  |  V  |  V  |  V  |
+| Ubuntu 20.04 focal  |  V  |  V  |  V  |
+| Debian 12 bookworm  |  V  |     |  V  |
+| Debian 11 bullseye  |  V  |  V  |  V  |
+
+# Installation
+
+Installing this role is very simple: `ansible-galaxy install community.zabbix.zabbix_manage_repo`
+
+Please be aware that this role only installs the repo itself.  It is generally used by the various other Zabbix roles (i.e. server or web) and not normally used by itself.
+
+# Role Variables
+
+* `zabbix_repo_apt_priority`: Option:  An integer value for the priority of the repo.
+* `zabbix_repo_deb_component`: The repository component for Debian installs. Default `main`.
+* `zabbix_repo_deb_gpg_key_url`: The URL to download the Zabbix GPG key from. Default `http://repo.zabbix.com/zabbix-official-repo.key`.
+* `zabbix_repo_deb_include_deb_src`: True, if deb-src should be included in the zabbix.sources entry. Default `true`.
+* `zabbix_repo_deb_url`: The URL to the Zabbix repository.  Default `http://repo.zabbix.com/zabbix/{{ zabbix_repo_version }}/{{ ansible_distribution.lower() }}`
+* `zabbix_http_proxy`: Optional: HTTP proxy information.
+* `zabbix_https_proxy`: Optional: HTTPS proxy information.
+* `zabbix_repo_gpg_key`: Optional: The keyring path.  Default: `{{ debian_keyring_path }}zabbix-repo.asc`
+* `zabbix_repo_keyring_path`: Optional: The path to store keyrings in Debian distributions.  Default: `/etc/apt/keyrings/`
+* `zabbix_repo_package`: The name of the package to lock the apt priority to.
+* `zabbix_repo_version`: Optional. The main version (i.e. major.minor) of Zabbix that will be installed on the host(s).  Default: 6.4
+* `zabbix_repo_yum`: A list with Yum repository configuration.
+* `zabbix_repo_yum_gpg_check`: Optional.  Yum should check GPG keys.  Default: 0
+* `zabbix_repo_yum_gpg_key_url`: The URL to download the Zabbix GPG key from. Default: `http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD`
+* `zabbix_repo_yum_schema`: Default: `https`. Option to change the web schema for the yum repository(http/https)
+
+# Example Playbook
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+```yaml
+  - hosts: zabbix-server
+    roles:
+      - role: community.zabbix.zabbix_manage_repo
+```
+
+# License
+
+GNU General Public License v3.0 or later
+
+See LICENCE to see the full text.
+
+# Author Information
+
+Please send suggestion or pull requests to make this role better. Also let us know if you encounter any issues installing or using this role.
+
+Github: https://github.com/ansible-collections/community.zabbix

molecule/zabbix_agent_tests/common/molecule.yml

@@ -33,6 +33,8 @@ provisioner:
         zabbix_agent_listenip: 0.0.0.0
         zabbix_agent_tlsconnect: psk
         zabbix_agent_tlsaccept: psk
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_agent_version: 6.4
       v62:

molecule/zabbix_javagateway/molecule.yml

@@ -21,6 +21,9 @@ provisioner:
     ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
   inventory:
     group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_javagateway_version: 6.4
       v62:

molecule/zabbix_manage_repo/converge.yml

@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: zabbix_manage_repo

molecule/zabbix_manage_repo/destroy.yml

@@ -0,0 +1,23 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Destroy molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        state: absent
+        force_kill: "{{ item.force_kill | default(True) }}"
+      with_items: "{{ molecule_yml.platforms }}"
+
+    - name: Destroy 3rd party instance(s)
+      docker_container:
+        name: "{{ item.name }}-db"
+        state: absent
+        force_kill: true
+      loop: "{{ molecule_yml.platforms }}"

molecule/zabbix_manage_repo/molecule.yml

@@ -0,0 +1,35 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: zabbix-repo-${MY_MOLECULE_VERSION:-v64}-${MY_MOLECULE_CONTAINER:-rockylinux8}
+    image: geerlingguy/docker-${MY_MOLECULE_IMAGE:-rockylinux8}-ansible:latest
+    privileged: true
+    pre_build_image: true
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    networks:
+      - name: zabbix
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    groups:
+      - ${MY_MOLECULE_VERSION:-v64}
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_COLLECTIONS_PATHS: $HOME/.ansible/collections/ansible_collections/community/zabbix
+    ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
+  inventory:
+    group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
+      v64:
+        zabbix_server_version: 6.4
+      v62:
+        zabbix_server_version: 6.2
+      v60:
+        zabbix_server_version: 6.0
+
+verifier:
+  name: testinfra

molecule/zabbix_manage_repo/prepare.yml

@@ -0,0 +1,26 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Apt update"
+      ansible.builtin.shell: "apt-get update && echo exit 0 > /usr/sbin/policy-rc.d"
+      args:
+        warn: "{{ produce_warn | default(omit) }}"
+      register: installation_dependencies
+      until: installation_dependencies is succeeded
+      when:
+        - ansible_os_family != 'RedHat'
+
+    - name: "Configure SUDO."
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        line: "Defaults    !requiretty"
+        state: present
+
+    - name: "Make sure the docs are installed."
+      ansible.builtin.lineinfile:
+        dest: /etc/yum.conf
+        line: "tsflags=nodocs"
+        state: absent
+      when:
+        - ansible_os_family == 'RedHat'

molecule/zabbix_manage_repo/tests/test_default.py

@@ -0,0 +1,19 @@
+import os
+import pytest
+from pathlib import Path
+
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_zabbix_manage_repo_installed(host):
+    os = host.system_info.distribution
+    if os in ["rocky"]:
+        result = host.ansible("command", "yum update -y", check=False, become=True)["rc"]
+    elif os in ["debian", "ubuntu"]:
+        result = host.ansible("command", "apt update", check=False, become=True)["rc"]
+    assert result == 0

molecule/zabbix_proxy/molecule.yml

@@ -23,6 +23,9 @@ provisioner:
     ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
   inventory:
     group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_proxy_version: 6.4
       v62:

molecule/zabbix_server/molecule.yml

@@ -22,6 +22,9 @@ provisioner:
     ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles
   inventory:
     group_vars:
+      all:
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_server_version: 6.4
       v62:

molecule/zabbix_web/molecule.yml

@@ -33,6 +33,8 @@ provisioner:
     group_vars:
       all:
         zabbix_api_server_url: zabbix-web-${MY_MOLECULE_VERSION:-v64}-${MY_MOLECULE_DATABASE:-mysql}-${MY_MOLECULE_CONTAINER:-rockylinux8}
+        zabbix_repo_apt_priority: 1
+        zabbix_repo_yum_gpg_check: 1
       v64:
         zabbix_server_version: 6.4
         zabbix_web_version: 6.4

roles/zabbix_agent/defaults/main.yml

@@ -18,45 +18,15 @@ zabbix_agent_tlspskidentity_file: "/etc/zabbix/tls_psk_auto.identity"
 # Selinux related vars
 selinux_allow_zabbix_run_sudo: false
 
-zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
-zabbix_repo_deb_include_deb_src: true
-
 zabbix_agent_install_agent_only: false
 
 # Zabbix role related vars
 zabbix_apt_force_apt_get: true
 zabbix_apt_install_recommends: false
 
 # Override Ansible specific facts
-zabbix_repo_yum_gpgcheck: 0
-zabbix_repo_yum_schema: https
 zabbix_agent_disable_repo:
   - epel
-zabbix_repo_yum:
-  - name: zabbix
-    description: Zabbix Official Repository - $basearch
-    baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/rhel/{{ ansible_distribution_major_version }}/$basearch/"
-    mode: "0644"
-    gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}"
-    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX
-    state: present
-  - name: zabbix-non-supported
-    description: Zabbix Official Repository non-supported - $basearch
-    baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/non-supported/rhel/{{ ansible_distribution_major_version }}/$basearch/"
-    mode: "0644"
-    gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}"
-    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX
-    state: present
-  - name: zabbix-agent2-plugins
-    description: Zabbix Official Repository (Agent2 Plugins) - $basearch
-    baseurl: "{{ zabbix_repo_yum_schema }}://repo.zabbix.com/zabbix-agent2-plugins/1/rhel/{{ ansible_distribution_major_version }}/$basearch/"
-    mode: "0644"
-    gpgcheck: "{{ zabbix_repo_yum_gpgcheck }}"
-    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX
-    state: present
-
-zabbix_repo_deb_url: "http://repo.zabbix.com/zabbix/{{ zabbix_agent_version }}/{{ ansible_facts.lsb.id | default(ansible_facts['distribution']) | lower }}{% if ansible_facts['architecture'] == 'aarch64' and ansible_facts.lsb.id | default(ansible_facts['distribution']) in ['Debian', 'Ubuntu'] %}-arm64{% endif %}"
-zabbix_repo_deb_component: main
 
 # Zabbix API stuff
 zabbix_api_server_host: localhost
@@ -102,8 +72,7 @@ zabbix_agent_chassis: false
 zabbix_agent_tls_config:
   unencrypted: "1"
   psk: "2"
-  cert:
-    "4"
+  cert: "4"
 
 # IPMI settings
 zabbix_agent_ipmi_authtype: -1