refactor(zabbixserver): Has moved into its own repo

See https://quico.space/quico-containers/zabbixserver
2023-07-25 04:09:08 +02:00 · 2023-07-25 04:09:08 +02:00 · 83278f6e9e
commit 83278f6e9e
parent 0a4f669d85
14 changed files with 0 additions and 2650 deletions
--- a/zabbixserver/README.md
+++ b/zabbixserver/README.md
@ -1,204 +0,0 @@
 # Upstream repo
 We use the [official Zabbix Docker GitHub repo](https://github.com/zabbix/zabbix-docker) for Docker Compose deployment, we add a few local changes.
 Create dir
 ```
 mkdir -p '/opt/git/github.com/zabbix/zabbix-docker/branches/latest'
 ```
 Pull repo
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' clone 'https://github.com/zabbix/zabbix-docker' .
 ```
 # Docker Compose
 ## Base setup
 When everything's ready start Zabbix with Docker Compose, otherwise head down to [Initial setup](#initial-setup) or [Upgrade an existing repo](#upgrade-an-existing-repo) first.
 Define variables assuming the official Zabbix Docker repo lives at `/opt/git/github.com/zabbix/zabbix-docker/branches/latest`:
 ```
 export UPSTREAM_REPO_DIR='/opt/git/github.com/zabbix/zabbix-docker/branches/latest'
 export UPSTREAM_REPO_TAG='6.4.2'
 export UPSTREAM_COMPOSE_FILE="${UPSTREAM_REPO_DIR%/}"'/docker-compose_v3_alpine_pgsql_latest.yaml'
 export COMPOSE_CTX='loft'
 export COMPOSE_PROJECT_NAME='zabbixserver-'"${COMPOSE_CTX}"
 export COMPOSE_ENV_FILE=<add accordingly>
 ```
 Pull newest image versions:
 ```
 docker compose --project-name "${COMPOSE_PROJECT_NAME}" --file "${UPSTREAM_COMPOSE_FILE}" --env-file "${COMPOSE_ENV_FILE}" pull
 ```
 Run Zabbix like so
 ```
 docker compose --project-name "${COMPOSE_PROJECT_NAME}" --file "${UPSTREAM_COMPOSE_FILE}" --env-file "${COMPOSE_ENV_FILE}" up --detach
 ```
 ## Additional files
 - [common-settings.yml](common-settings.yml)
    This file will be auto-created as part of the patch. Use it as an example in case patching fails
 - [env/fqdn_context.env.example](env/fqdn_context.env.example)
    An example env file with all currently used variables after `docker-compose_v3_alpine_pgsql_latest.yaml` is patched
 - Directory tree underneath [build-context](build-context)
    ```
    build-context/
    └── docker-data
        ├── postgres
        │   └── config
        │       ├── cert
        │       │   ├── ZBX_PGSQL_TLS_CA_CERT_FILE
        │       │   ├── ZBX_PGSQL_TLS_CERT_FILE
        │       │   └── ZBX_PGSQL_TLS_KEY_FILE
        │       └── docker-entrypoint-initdb.d
        │           └── init-user-db.sh
        ├── zabbixserver
        │   └── config
        │       └── cert
        │           ├── ZBX_SERVER_TLS_CA_CERT_FILE
        │           ├── ZBX_SERVER_TLS_CERT_FILE
        │           └── ZBX_SERVER_TLS_KEY_FILE
        └── zabbixwebnginx
            └── config
                └── cert
                    ├── dhparam.pem
                    ├── ZBX_WEBNGINX_TLS_CERT_FULLCHAIN_FILE
                    └── ZBX_WEBNGINX_TLS_KEY_FILE
    ```
    Example data you're going to want to physically place on your deployment machine. SSL certs and keys are blank files each of which has the exact same name used in env file `fqdn_context.env.example`.
    In [postgres/config/docker-entrypoint-initdb.d](build-context/docker-data/postgres/config/docker-entrypoint-initdb.d) a PostgreSQL initialization script - when this container is run on a completely empty data directory - will create an additional read-only user `ZBX_DB_USERNAME_RO` with password `ZBX_DB_USERNAME_PW`. The example's intended to grant a Grafana daemon direct PostgreSQL database read access.
 # Upgrade an existing repo
 Check [Initial setup](#initial-setup) below for first time steps. On consecutive upgrades proceed as follows.
 ## Revert unpushed local changes
 Return repo state to exactly the upstream repo's original branch state throwing away the commits you added.
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' reset --hard origin
 ```
 Switch to `trunk` branch, get newest commits from upstream
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' checkout trunk
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' pull
 ```
 Pick and checkout new tag
 ```
 pushd '/opt/git/github.com/zabbix/zabbix-docker/branches/latest'
 while IFS= read -r; do commitDate=$(grep -Pio '^.+?(?=[[:space:]])' <<< "${REPLY}"); commitDate=$(date --date='@'"${commitDate}" +%F-%H%M%S); tagRef="$(cut -d $'\t' -f2 <<< "${REPLY}")"; tagName="$(grep -Pio '(?<=refs/tags/)[^\r\n\f]+' <<<"${tagRef}")"; commitHash="$(git rev-list -n 1 "${tagRef}")"; echo "${commitDate} ${commitHash} ${tagName}"; done < <(git for-each-ref --sort=v:refname --format='%(*creatordate:raw)%00%(creatordate:raw)%00%(refname)' refs/tags | awk -F"\0" 'BEGIN {ORS=""} $1 == "" {print $2} $1 != "" {print $1} {print "\t"$3"\n"}')
 # Output goes like:
 ...
 2023-02-05-091648 89511f06ad4de6b373f10b06604dc5d8e1da02df 6.2.7
 2023-03-08-171402 2025ec8ad74f59981ad6598e9f6cd2a5c9c99f6b 6.2.8
 2023-03-27-164321 59a91bfbb6e46885f201e50f9197a7a44d3ba3ac 6.2.9
 2023-03-07-191829 9f2e726e554b23595489eb66c8e11e5d114b573f 6.4.0
 2023-04-03-105513 9f16f6d773a2a46f1595c86077899d1e040db283 6.4.1
 2023-04-25-133446 0fa87156974e799e04bf99e5300bad6830d754ab 6.4.2
 ...
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' checkout 'tags/x.y.z'
 ```
 Lastly [apply patch](#apply-patch). If patch does not apply cleanly read on in the next section [Create new patch](#create-new-patch) to find out how to fix your patch.
 # Create new patch
 ## Add your changes as commits
 Get `zabbix-docker` repo into a state with which you're happy then
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' format-patch 7665739620ba6d99090838d502ab76d2f5a47e96^..a17380598ca66153ddc2a42eb618d906d4f582e6 --stdout > '/opt/containers/zabbixserver/zabbix-docker.patch'
 ```
 Where the first commit hash is our first commit and the other commit hash is our last commit. Note the caret (`^`) right after the first commit hash.
 ## Investigation
 You may have to try and find out how a known good base commit differs from a newer one in case the newer one does no longer cleanly accept the patch.
 Get commit hashes from both affected tags, e.g.
 ```
 pushd '/opt/git/github.com/zabbix/zabbix-docker/branches/latest'
 while IFS= read -r; do commitDate=$(grep -Pio '^.+?(?=[[:space:]])' <<< "${REPLY}"); commitDate=$(date --date='@'"${commitDate}" +%F-%H%M%S); tagRef="$(cut -d $'\t' -f2 <<< "${REPLY}")"; tagName="$(grep -Pio '(?<=refs/tags/)[^\r\n\f]+' <<<"${tagRef}")"; commitHash="$(git rev-list -n 1 "${tagRef}")"; echo "${commitDate} ${commitHash} ${tagName}"; done < <(git for-each-ref --sort=v:refname --format='%(*creatordate:raw)%00%(creatordate:raw)%00%(refname)' refs/tags | awk -F"\0" 'BEGIN {ORS=""} $1 == "" {print $2} $1 != "" {print $1} {print "\t"$3"\n"}')
 # Output goes like:
 ...
 2023-02-05-091648 89511f06ad4de6b373f10b06604dc5d8e1da02df 6.2.7
 2023-03-08-171402 2025ec8ad74f59981ad6598e9f6cd2a5c9c99f6b 6.2.8
 2023-03-27-164321 59a91bfbb6e46885f201e50f9197a7a44d3ba3ac 6.2.9
 2023-03-07-191829 9f2e726e554b23595489eb66c8e11e5d114b573f 6.4.0
 2023-04-03-105513 9f16f6d773a2a46f1595c86077899d1e040db283 6.4.1
 2023-04-25-133446 0fa87156974e799e04bf99e5300bad6830d754ab 6.4.2
 ...
 ```
 Diff them
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' diff 9f16f6d773a2a46f1595c86077899d1e040db283 0fa87156974e799e04bf99e5300bad6830d754ab 'docker-compose_v3_alpine_pgsql_latest.yaml'
 ```
 Output will be empty in case no difference exists in `docker-compose_v3_alpine_pgsql_latest.yaml` between both commit hashes.
 Commit your updated patch file into _this_ repo. With a new working patch in hand head back up to [Upgrade an existing repo](#upgrade-an-existing-repo).
 # Initial setup
 ## Prep
 Get desired tag e.g. from version-sorted tags list
 ```
 pushd '/opt/git/github.com/zabbix/zabbix-docker/branches/latest'
 while IFS= read -r; do commitDate=$(grep -Pio '^.+?(?=[[:space:]])' <<< "${REPLY}"); commitDate=$(date --date='@'"${commitDate}" +%F-%H%M%S); tagRef="$(cut -d $'\t' -f2 <<< "${REPLY}")"; tagName="$(grep -Pio '(?<=refs/tags/)[^\r\n\f]+' <<<"${tagRef}")"; commitHash="$(git rev-list -n 1 "${tagRef}")"; echo "${commitDate} ${commitHash} ${tagName}"; done < <(git for-each-ref --sort=v:refname --format='%(*creatordate:raw)%00%(creatordate:raw)%00%(refname)' refs/tags | awk -F"\0" 'BEGIN {ORS=""} $1 == "" {print $2} $1 != "" {print $1} {print "\t"$3"\n"}')
 # Output goes like:
 ...
 2023-02-05-091648 89511f06ad4de6b373f10b06604dc5d8e1da02df 6.2.7
 2023-03-08-171402 2025ec8ad74f59981ad6598e9f6cd2a5c9c99f6b 6.2.8
 2023-03-27-164321 59a91bfbb6e46885f201e50f9197a7a44d3ba3ac 6.2.9
 2023-03-07-191829 9f2e726e554b23595489eb66c8e11e5d114b573f 6.4.0
 2023-04-03-105513 9f16f6d773a2a46f1595c86077899d1e040db283 6.4.1
 2023-04-25-133446 0fa87156974e799e04bf99e5300bad6830d754ab 6.4.2
 ...
 ```
 Switch to desired tag
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' checkout 'tags/6.4.2'
 ```
 ## Apply patch
 Identify yourself to the local `zabbix-docker` repo. Obviously substitute your own name. An e-mail address is optional here. You don't want to contribute upstream, you just want to locally apply a patch file.
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' config user.name "hygienic-books"
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' config user.email ""
 ```
 Apply `zabbix-docker.patch` to Docker Compose file. We use Zabbix' `docker-compose_v3_alpine_pgsql_latest.yaml` Compose file. Assuming this repo lives at `/opt/containers/zabbixserver`:
 ```
 git -C '/opt/git/github.com/zabbix/zabbix-docker/branches/latest' am '/opt/containers/zabbixserver/zabbix-docker.patch'
 # Output will be:
 Applying: refactor(compose): Remove trailing whitespace
 Applying: refactor(compose): 4 leading spaces
 Applying: refactor(compose): Indent comments
 Applying: refactor(zabbix-server): Set correct libs paths
 Applying: refactor(zabbix-server): Set TLS cert file names
 Applying: feat(zabbix-server): Replace env files with variables
 ...
 ```
 And now back up to [Docker Compose](#docker-compose).
--- a/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_CA_CERT_FILE
+++ b/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_CA_CERT_FILE
--- a/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_CERT_FILE
+++ b/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_CERT_FILE
--- a/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_KEY_FILE
+++ b/zabbixserver/build-context/docker-data/postgres/config/cert/ZBX_PGSQL_TLS_KEY_FILE
--- a/zabbixserver/build-context/docker-data/postgres/config/docker-entrypoint-initdb.d/init-user-db.sh
+++ b/zabbixserver/build-context/docker-data/postgres/config/docker-entrypoint-initdb.d/init-user-db.sh
@ -1,21 +0,0 @@
 #!/bin/bash
 set -e
 sleep 20
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
    DO
        \$block\$
            BEGIN
                IF EXISTS (
                    SELECT FROM pg_catalog.pg_roles WHERE rolname = '${ZBX_DB_USERNAME_RO}'
                    )
                THEN
                    RAISE NOTICE 'Role ''${ZBX_DB_USERNAME_RO}'' already exists. Skipping ...';
                ELSE
                    CREATE ROLE "${ZBX_DB_USERNAME_RO}" WITH PASSWORD '${ZBX_DB_USERNAME_PW}';
                    GRANT CONNECT ON DATABASE "${POSTGRES_DB}" TO "${ZBX_DB_USERNAME_RO}";
                    GRANT SELECT ON ALL TABLES IN SCHEMA public TO "${ZBX_DB_USERNAME_RO}";
                END IF;
            END
        \$block\$;
 EOSQL
--- a/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_CA_CERT_FILE
+++ b/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_CA_CERT_FILE
--- a/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_CERT_FILE
+++ b/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_CERT_FILE
--- a/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_KEY_FILE
+++ b/zabbixserver/build-context/docker-data/zabbixserver/config/cert/ZBX_SERVER_TLS_KEY_FILE
--- a/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/ZBX_WEBNGINX_TLS_CERT_FULLCHAIN_FILE
+++ b/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/ZBX_WEBNGINX_TLS_CERT_FULLCHAIN_FILE
--- a/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/ZBX_WEBNGINX_TLS_KEY_FILE
+++ b/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/ZBX_WEBNGINX_TLS_KEY_FILE
--- a/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/dhparam.pem
+++ b/zabbixserver/build-context/docker-data/zabbixwebnginx/config/cert/dhparam.pem
@ -1,13 +0,0 @@
 -----BEGIN DH PARAMETERS-----
 MIICCAKCAgEA1shg4Gf/2rG+kllZ1qE2or0BHGqhDdjw0DlwNlPL9qVaiqmU/TRq
 LCxr0ZloKa8dwImvEtwxy8bJROMW7gcVfYebsOwTnNbQGePkQ3OSKyyBBG+A04rx
 QAT6mxgG84ydQOicu42mK0lRwWeFUzZFauZa8CWEcaLcKBUxYQWN6QXOAk7pUQ32
 3vAjUKL8+dYUINCna5QXOPmNgnSmXJfjPEnLwveDUTj6IaXFLvWmJm4yRgi7AvXF
 r85aAKl9FgT7e5+BntpJAP4Mj7TYxVyHHq7BLZAke7slwe6bkFLxQ6H3INlTYWgp
 QEmALgW+KjiARTTh12NJgJvT0ti4ck7VA6P9eN5kw4FCEg1hZbMLFQg7asUWq9tV
 7usrDC971W46YsrBstQg851Vbs64ZMf5+knHYJIWaUF5ZTQ1cHihKhEfGJOdRvxU
 Py2q192knNzXwroqi/q22iUe9zu4kPRI3qLjR1brVcf8mkUGnMtkIZsO6cdHdvf9
 +2De05V57/yCp8R1QUY/UErdDSO+ey+gNFVfpIBdUIoy8+bG1Dcz70X8DDHXD+4+
 DJXeajEWS4xkHEB8kaoYGHS6dDJpQk/nsk2H4Mdb1M/uYDedLdMh3FVjH40lzQzR
 oRYpzgieag0RPJcaxi6z8PN0HEuVpPA8EbOvxwDMR2zp4zJxHuA0inMCAQI=
 -----END DH PARAMETERS-----
--- a/zabbixserver/common-settings.yml
+++ b/zabbixserver/common-settings.yml
@ -1,11 +0,0 @@
 services:
    common-settings:
        logging:
            driver: "json-file"
            options:
                max-size: "10m"
                max-file: "10"
                compress: "true"
        environment:
            TZ: Europe/Berlin
        restart: unless-stopped
--- a/zabbixserver/env/fqdn_context.env.example
+++ b/zabbixserver/env/fqdn_context.env.example
@ -1,27 +0,0 @@
 # This file is maintained by remco and populated with data from HashiCorp
 # Vault. Changes not done in Vault will be reverted when file gets rendered.
 CTX=
 PHP_TZ=
 POSTGRES_DB=
 POSTGRES_PASSWORD=
 POSTGRES_USER=
 VAULT_TOKEN=
 ZBX_DB_USERNAME_PW=
 ZBX_DB_USERNAME_RO=
 ZBX_PGSQL_TLS_CA_CERT_FILE=
 ZBX_PGSQL_TLS_CERT_FILE=
 ZBX_PGSQL_TLS_KEY_FILE=
 ZBX_SERVER_HOST=
 ZBX_SERVER_NAME=
 ZBX_SERVER_TLS_CA_CERT_FILE=
 ZBX_SERVER_TLS_CERT_FILE=
 ZBX_SERVER_TLS_KEY_FILE=
 ZBX_VAULTDBPATH=
 ZBX_VAULTURL=
 ZBX_WEBNGINX_EXPOSED_HTTPS_PORT=
 ZBX_WEBNGINX_EXPOSED_HTTP_PORT=
 ZBX_WEBNGINX_TLS_CERT_FULLCHAIN_FILE=
 ZBX_WEBNGINX_TLS_KEY_FILE=
 # When needed for temporary debugging
 # ZBX_DEBUGLEVEL=4
--- a/zabbixserver/zabbix-docker.patch
+++ b/zabbixserver/zabbix-docker.patch