From ef06198094d361cb330ff3421c2c4eb49930dbc3 Mon Sep 17 00:00:00 2001 From: Erik Berg Date: Sat, 18 May 2024 16:09:42 +0200 Subject: [PATCH] Quality of life improvements for zabbix server role (#1230) * Don't set empty defaults Empty defaults just create problems with common ansible conventions, and is generally not a good practice. * pgsql: Split out permissions Coming up in community.postgresql 4.0.0 using priv with the postgresql_user be removed, and we are encouraged already now to start using the postgresql_privs module. This should also take care of some outstanding issues with installing on postgres-15 (#928) * mysql: quality of life improvements Much like the postgres user has carte blanche access to postgresql database, the root user has to mysql databases over the mysql.sock. We can use become when zabbix_server_dbhost_run_install: true in a similar fashion. Provide the default port for database servers. This could have been an if-statement, I just don't like the "looseness" of the else part. So I opted for a lookup-table. * molecule: remove legacy options for tests There's no testing against python2 anymore, nor zabbix-5.0. So lets lighten the load by removing this baggage. --- .github/workflows/server.yml | 3 --- molecule/zabbix_server/molecule.yml | 9 +-------- roles/zabbix_server/defaults/main.yml | 11 +++++++---- roles/zabbix_server/tasks/initialize-mysql.yml | 1 + roles/zabbix_server/tasks/initialize-pgsql.yml | 16 ++++++++++++---- 5 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index 33f5cd5fd..f2bdb5a3b 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -37,8 +37,6 @@ jobs: - v64 - v62 - v60 - include: - - interpreter: python3 exclude: - container: debian12 version: v62
@@ -86,6 +84,5 @@ jobs: MY_MOLECULE_IMAGE=${{ matrix.container }} MY_MOLECULE_VERSION=${{ matrix.version }} MY_MOLECULE_DATABASE=${{ matrix.database }} - MY_MOLECULE_INTERPRETER=${{ matrix.interpreter }} MY_MOLECULE_DOCKER_COMMAND=${{ matrix.command }} molecule test -s ${{ matrix.collection_role }}
diff --git a/molecule/zabbix_server/molecule.yml b/molecule/zabbix_server/molecule.yml
index 52df5ac4e..4638adfe2 100644
--- a/molecule/zabbix_server/molecule.yml
+++ b/molecule/zabbix_server/molecule.yml
@@ -14,7 +14,6 @@ platforms: groups: - ${MY_MOLECULE_DATABASE:-mysql} - ${MY_MOLECULE_VERSION:-v64} - - ${MY_MOLECULE_INTERPRETER:-python3} provisioner: name: ansible
@@ -23,23 +22,18 @@ provisioner: ANSIBLE_ROLES_PATH: $HOME/.ansible/collections/ansible_collections/community/zabbix/roles inventory: group_vars: - python3: + all: ansible_python_interpreter: /usr/bin/python3 - python: - ansible_python_interpreter: /usr/bin/python v64: zabbix_server_version: 6.4 v62: zabbix_server_version: 6.2 v60: zabbix_server_version: 6.0 - v50: - zabbix_server_version: 5.0 mysql: zabbix_server_dbname: zabbix zabbix_server_dbuser: zabbix-dbuser zabbix_server_database: mysql - zabbix_server_dbport: 3306 zabbix_server_dbhost: "{{ inventory_hostname }}-db" zabbix_server_dbhost_run_install: false zabbix_server_privileged_host: "%"
@@ -49,7 +43,6 @@ provisioner: zabbix_server_mysql_login_port: 3306 pgsql: zabbix_server_database: pgsql - zabbix_server_dbport: 5432 zabbix_server_dbhost: "{{ inventory_hostname }}-db" zabbix_server_dbhost_run_install: false zabbix_server_pgsql_login_host: "{{ inventory_hostname }}-db"
diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml
index d2b3a14e3..b3c669ba9 100644
--- a/roles/zabbix_server/defaults/main.yml
+++ b/roles/zabbix_server/defaults/main.yml
@@ -8,18 +8,21 @@ zabbix_server_manage_service: true # Database zabbix_server_database_sqlload: true zabbix_server_database_timescaledb: false -zabbix_server_real_dbhost: +#zabbix_server_real_dbhost: zabbix_server_dbhost: localhost zabbix_server_dbname: zabbix-server zabbix_server_privileged_host: localhost zabbix_server_dbencoding: utf8 zabbix_server_dbcollation: utf8_bin -zabbix_server_dbschema: +#zabbix_server_dbschema: zabbix_server_dbuser: zabbix-server zabbix_server_dbpassword: zabbix-server zabbix_server_dbpassword_hash_method: md5 -zabbix_server_dbsocket: -zabbix_server_dbport: 5432 +#zabbix_server_dbsocket: +_zabbix_server_database_default_port: + mysql: 3306 + pgsql: 5432 +zabbix_server_dbport: "{{ _zabbix_server_database_default_port[zabbix_server_database] }}" zabbix_server_dbhost_run_install: true zabbix_server_database: pgsql zabbix_server_database_creation: true
diff --git a/roles/zabbix_server/tasks/initialize-mysql.yml b/roles/zabbix_server/tasks/initialize-mysql.yml
index c3fd67c6d..9787bc21d 100644
--- a/roles/zabbix_server/tasks/initialize-mysql.yml
+++ b/roles/zabbix_server/tasks/initialize-mysql.yml
@@ -27,6 +27,7 @@ - name: "MySQL Database prep" when: zabbix_server_database_creation + become: "{{ zabbix_server_dbhost_run_install }}" delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}" vars: delegated_dbhost: "{{ (zabbix_server_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_server_dbhost) }}"
diff --git a/roles/zabbix_server/tasks/initialize-pgsql.yml b/roles/zabbix_server/tasks/initialize-pgsql.yml
index 65bd0beec..6f40c66f2 100644
--- a/roles/zabbix_server/tasks/initialize-pgsql.yml
+++ b/roles/zabbix_server/tasks/initialize-pgsql.yml
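Review bot: The three placeholders turned into `#zabbix_server_real_dbhost:`, `#zabbix_server_dbschema:` and `#zabbix_server_dbsocket:` in roles/zabbix_server/defaults/main.yml carry no explanation, so a reader cannot tell that they are optional variables left deliberately undefined rather than dead lines. One comment above them would do, for example `# Optional, undefined by default; test with "is defined" or use default(omit)`, with a space after each `#`. Any template or task that still reads these names directly would now hit an undefined variable instead of a null; those consumers are not part of this diff, so that is worth checking. The lookup `_zabbix_server_database_default_port[zabbix_server_database]` fails with a bare templating error for any value other than `mysql` or `pgsql`, which appears intended from the commit message but could be stated in a comment next to the table. The context lines still ship `zabbix_server_dbpassword: zabbix-server` with `md5` as defaults; a comment telling users to override the password would fit in the same block.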
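Review bot: The added `become: "{{ zabbix_server_dbhost_run_install }}"` in initialize-mysql.yml escalates every task of the "MySQL Database prep" block on whatever host `delegate_to` resolves to, and nothing beside it says why. Going by the commit message the intent is root access over the local mysql.sock, so a comment such as `# root can log in over the local mysql.sock when the role installs the DB host` belongs above the line. `delegate_to` prefers `zabbix_server_real_dbhost` when it is defined while `become` follows only `zabbix_server_dbhost_run_install`, so with the default `true` the block also runs as root on a separately named database host; that should be a documented decision rather than a side effect. The block's tasks lie outside the hunk, so whether all of them need root cannot be judged from here.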
@@ -32,7 +32,6 @@ port: "{{ zabbix_server_dbport }}" login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" name: "{{ zabbix_server_dbname }}" - state: present - name: "PostgreSQL | Create database user" community.postgresql.postgresql_user:
@@ -43,10 +42,19 @@ login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" name: "{{ zabbix_server_dbuser }}" password: "{{ ('md5' + (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5')) if zabbix_server_dbpassword_hash_method == 'md5' else zabbix_server_dbpassword }}" + + - name: "PostgreSQL | Set database/user permissions" + community.postgresql.postgresql_privs: + login_user: "{{ zabbix_server_pgsql_login_user | default(omit) }}" + login_password: "{{ zabbix_server_pgsql_login_password | default(omit) }}" + login_host: "{{ zabbix_server_pgsql_login_host | default(omit) }}" + port: "{{ zabbix_server_dbport }}" + login_unix_socket: "{{ zabbix_server_pgsql_login_unix_socket | default(omit) }}" db: "{{ zabbix_server_dbname }}" - priv: ALL - state: present - encrypted: true + privs: ALL + type: schema + objs: public + role: "{{ zabbix_server_dbuser }}" - name: "PostgreSQL | Create timescaledb extension" when: zabbix_server_database_timescaledb
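Review bot: The new "PostgreSQL | Set database/user permissions" task hard-codes `objs: public`, while the role also has a `zabbix_server_dbschema` variable (the commented-out default in defaults/main.yml), presumably the schema Zabbix is configured to use. An installation that sets another schema would get `ALL` on `public`, which it does not need, and no grant on the schema it works in. Something like `objs: "{{ zabbix_server_dbschema | default('public') }}"` would keep the grant where it is needed, assuming that schema exists by the time this task runs. As far as I can tell the grant also changes scope compared with the removed `priv: ALL` on `postgresql_user`, from database-level to schema-level privileges; a short comment above the task saying so would help anyone upgrading an existing installation.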