Ansible Role to deploy Zabbix Server/Proxy/Agent components on a Linux server.
The role's goal is to provide a foundational configuration of the Zabbix components.
You will need to manage the zabbix-agent integration(s) into your systems on your own! (for example: adding MySQL users and client-config to monitor its status)
NOTE: Check out the Zabbix Server dockerized Role if you prefer Docker setups.
Molecule Integration-Tests:
Internal CI: Tester Role | Jobs API
- Debian 11
- Debian 12
# latest
ansible-galaxy role install git+
# from galaxy
ansible-galaxy install ansibleguy.sw_zabbix
# or to custom role-path
ansible-galaxy install ansibleguy.sw_zabbix --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml
Need professional support using Ansible or Zabbix? Contact us:
E-Mail: [email protected]
Tel: +43 3115 40 900 0
Language: German or English
You want a simple Ansible GUI?
Check out this Ansible WebUI
Define the zabbix dictionary as needed.
Example for a zabbix server:
agent2: true # activated by default
server: true
nginx: # configure the webserver settings => see:
domain: ''
aliases: ['']
mode: 'letsencrypt' # or snakeoil/selfsigned/ca
# if you use 'selfsigned', 'snakeoil' or 'ca':
# cert:
# cn: 'Zabbix Server'
# org: 'AnsibleGuy'
# email: '[email protected]'
email: '[email protected]'
tls_cert_copy: 'server.crt' # will be copied from the role's 'files/certs' directory to the target system
tls_key_copy: 'server.key' # must be configured for server-authentication
tls_ca_copy: 'ca.crt'
ListenIP: ''
ProxyDataFrequency: 10
ProxyConfigFrequency: 600
SSHKeyLocation: '/etc/zabbix/private/id_rsa'
tls_psk: !vault ...
Server: ''
TLSPSKIdentity: 'RandomIdentity_O(73odfs23'
Example for a zabbix proxy:
agent2: true
proxy: true
tls_cert_copy: 'proxy01.crt' # will be copied from the role's 'files/certs' directory to the target system
tls_key_copy: 'proxy01.key' # must be configured for client-authentication
tls_ca_copy: 'ca.crt'
Server: ''
TLSConnect: 'cert'
TLSAccept: 'cert'
ConfigFrequency: 600
ListenIP: ''
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
Server: ''
ListenIP: ''
Example for zabbix agent V2:
# agent version 2 is enabled by default
# manage:
# agent2: true
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
Server: ''
TLSPSKIdentity: 'RandomIdentity_lUF(o3s4kjh3o'
ListenIP: ''
Example for the older zabbix agent:
agent1: true
tls_psk: !vault ... # plain key may only contain hexdigits (0-9 & a-f)
Server: ''
TLSPSKIdentity: 'RandomIdentity_lUF(o3s4kjh3o'
ListenIP: ''
Example - if you don't want to use the ansible-managed nginx web-proxy:
server: true
webserver: false # <=
You might want to use 'ansible-vault' to encrypt your passwords:
ansible-vault encrypt_string
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass
There are also some useful tags available:
- config
- install
- uninstall
- agent
- proxy
- server
Package installation
Copying your..
- scripts (agent scripts, externalscripts, alertscripts)
- userparameters
- certificates
.. to the target system; just put them in the prepared 'files' directory of this role!
Default config:
- Using ansible-hostnames as Zabbix hostnames
- Traffic encryption using PSK
- Using a Self-Signed certificate for the Zabbix server
- not running as root
- Webserver best-practices => see: THIS Role
- Agent/Proxy/Server listening on all interfaces
Default opt-ins:
- Logging to syslog
- Zabbix agent installation
- MariaDB setup for Zabbix proxy and server
- Nginx setup for Zabbix server
Default opt-outs:
- Zabbix proxy and server installation
- Settings: UnsafeUserParameters, EnableRemoteCommands
- Traffic encryption per PSK or Certificate is ENFORCED
Note: The lowest version supported is 6.0!
Warning: The target server/OS for the Zabbix server component should host only this service! Otherwise you might run into configuration/compatibility issues!
Note: This role currently only supports Debian-based systems.
Info: We chose to use Nginx and Apache2 so that the configuration managed by Zabbix (Apache2) and the one we manage using this role (Nginx) can co-exist safely. This may be important in the future. Otherwise, incompatibilities would break future setups if Zabbix changes its config handling.
Info: Zabbix-Server apache2 config is stored at: /etc/zabbix/apache.conf (default)
Info: The default login for the Zabbix server is: User = Admin | Password = zabbix
Info: If the server installation fails for some reason you might want to uninstall the 'zabbix-server-mysql' package before re-running this role!
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
Info: If you use a PSK to encrypt your traffic, it must be at least 32 hex digits long!
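Added example (not part of the role or its README): shell helpers that generate a 'tls_psk' value, check it against the rules stated above (hex digits 0-9 and a-f only, at least 32 of them) and flag 'tls_psk' entries in a vars file that are not vault-encrypted. The function names, the sample vars content and the vars-file path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the role. Function names are hypothetical.
# Rules from this README: hex digits only (0-9, a-f), at least 32 of them.

# Print a PSK built from N random bytes (default 32 bytes = 64 hex digits).
gen_psk() {
  head -c "${1:-32}" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if the value satisfies the README's PSK rules, 1 otherwise.
psk_is_valid() {
  [ "${#1}" -ge 32 ] || return 1
  case "$1" in
    *[!0123456789abcdef]*) return 1 ;;  # explicit list: locale-independent
  esac
  return 0
}

# Read a vars file on stdin and print every 'tls_psk:' line (with its line
# number) whose value is not vault-encrypted. Exit status 0 = plaintext found.
find_plain_psk() {
  grep -nE '^[[:space:]]*tls_psk:' | grep -vE 'tls_psk:[[:space:]]*!vault'
}

# Constructed sample vars content (not from the role) for the lint above.
SAMPLE_VARS=$(cat <<'EOF'
tls_psk: !vault |
  $ANSIBLE_VAULT;1.1;AES256
tls_psk: 'deadbeefdeadbeefdeadbeefdeadbeef'
EOF
)

# Typical use; the key is piped via stdin so it never shows up in the process
# list or the shell history:
#   gen_psk | ansible-vault encrypt_string --ask-vault-pass --stdin-name 'tls_psk'
#   find_plain_psk < inventory/host_vars/example.yml   # hypothetical path
```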