Checkmk · robin-checkmk · Apr 8, 2025 · May 27, 2025 · May 27, 2025 · May 27, 2025
@@ -0,0 +1,5 @@
+breaking_changes:
+  - Agent role - Remove advanced firewall configuration options and revert to basic firewall management.
+    If you used the `checkmk_agent_server_ips` or `checkmk_agent_configure_firewall_zone` option, you need to take action.
+    Refer to the README for details.
+    If you need elaborate firewall management, use a dedicated role!
@@ -0,0 +1,3 @@
+minor_changes:
+  - Server role - Harmonize firewall management accross distributions and simplify configuration.
+    Refer to the README for details!
@@ -131,17 +131,10 @@ See [this link](https://docs.checkmk.com/latest/en/agent_linux.html#registration
 
     checkmk_agent_configure_firewall: 'true'
 
-Automatically configure the firewall (*currently only on RedHat and Debian derivatives*) to allow access to the Checkmk agent.
-
-    checkmk_agent_configure_firewall_zone: 'public'
-
-When checkmk_agent_configure_firewall is set to `true` then configure the firewall zone on RedHat derivatives. Defaults to 'public'.
-
-    checkmk_agent_server_ips: []
-
-A list of IP addresses, that will be whitelisted in the firewall for agent access on `checkmk_agent_port`.
-The `checkmk_agent_server` will automatically be added, but only if it is an IP address.
-This parameter also does **not** take care of any agent-side whitelisting!
+Automatically configure the firewall to allow access to the Checkmk agent on the `checkmk_agent_port`.
+This setting only has effect on systems, which are running `ufw` or `firewalld`.
+For elaborate firewall configuration, use your own firewall management!
+This setting only enables very basic firewall configuration.
 
     checkmk_agent_force_install: 'false'
 

@@ -24,8 +24,6 @@ checkmk_agent_force_foreign_changes: 'false'
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'false'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips: []
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: 'localhost'

@@ -145,12 +145,6 @@ argument_specs:
         description:
           - Refer to the README for details.
 
-      checkmk_agent_server_ips:
-        type: "list"
-        elements: "str"
-        description:
-          - Refer to the README for details.
-
       checkmk_agent_force_install:
         type: "bool"
         default: false

@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"

@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"

@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"

@@ -44,21 +44,11 @@
   tags:
     - install-package
 
-- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent."
+- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp."
   when: checkmk_agent_configure_firewall | bool and "ufw.service" in ansible_facts.services
-  block:
-    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
-      when: checkmk_agent_server | ansible.utils.ipaddr()
-      ansible.builtin.set_fact:
-        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}"
-
-    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
-      when: checkmk_agent_server_ips is defined
-      community.general.ufw:
-        rule: allow
-        proto: tcp
-        src: "{{ item }}"
-        port: '6556'
-        comment: Allow Checkmk
-      loop: "{{ checkmk_agent_server_ips }}"
-      become: true
+  community.general.ufw:
+    rule: allow
+    proto: tcp
+    port: "{{ checkmk_agent_port }}"
+    comment: "Allow Checkmk Agent access from anywhere."
+  become: true
@@ -44,21 +44,11 @@
   tags:
     - install-package
 
-- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent."
+- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp."
   when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services
-  block:
-    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
-      when: checkmk_agent_server | ansible.utils.ipaddr()
-      ansible.builtin.set_fact:
-        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}"
-
-    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
-      when: checkmk_agent_server_ips is defined
-      ansible.posix.firewalld:
-        permanent: 'yes'
-        immediate: 'yes'
-        state: enabled
-        rich_rule: 'rule family="ipv4" source address={{ item }} port port="{{ checkmk_agent_port }}" protocol="tcp" accept'
-        zone: "{{ checkmk_agent_configure_firewall_zone | default('public') }}"
-      loop: "{{ checkmk_agent_server_ips }}"
-      become: true
+  ansible.posix.firewalld:
+    permanent: true
+    immediate: true
+    port: "{{ checkmk_agent_port }}/tcp"
+    state: "enabled"
+  become: true
@@ -46,3 +46,12 @@
   when: checkmk_agent_edition | lower == "cre"
   tags:
     - install-package
+
+- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp."
+  when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services
+  ansible.posix.firewalld:
+    permanent: true
+    immediate: true
+    port: "{{ checkmk_agent_port }}/tcp"
+    state: "enabled"
+  become: true
@@ -64,8 +64,17 @@ Uninstall unused Checkmk versions on the server.
 
     checkmk_server_configure_firewall: 'true'
 
-Automatically open the necessary ports on the Checkmk server for the
-web interface to be accessible.
+Automatically open necessary ports on the Checkmk server.
+This setting only has effect on systems, which are running `ufw` or `firewalld`.
+For elaborate firewall configuration, use your own firewall management!
+This setting only enables very basic firewall configuration.
+
+    checkmk_server_ports:
+    - 80
+    - 443
+    - 8000
+
+The ports to open automatically. Adapt this to the specific requirements of your site.
 
     checkmk_server_allow_downgrades: 'false'
 

@@ -56,6 +56,12 @@ checkmk_server_sites: []
 
 checkmk_server_configure_firewall: 'true'
 
+checkmk_server_ports:
+  - 22
+  - 80
+  - 443
+  - 8000
+
 checkmk_server_backup_on_update: 'true'  # Not recommended to disable this option
 checkmk_server_backup_dir: '/tmp'
 checkmk_server_backup_opts: '--no-past'

@@ -9,3 +9,13 @@
   notify: Start Apache
   tags:
     - install-package
+
+- name: "{{ ansible_os_family }} Derivatives: Open Firewall Ports for the Checkmk Server."
+  when: checkmk_server_configure_firewall | bool and "ufw.service" in ansible_facts.services
+  community.general.ufw:
+    rule: allow
+    proto: tcp
+    port: "{{ item }}"
+    state: "enabled"
+  become: true
+  loop: "{{ checkmk_server_ports }}"
@@ -97,20 +97,12 @@
   tags:
     - set-selinux-boolean
 
-- name: "Make sure firewalld is started and enabled"
-  become: true
-  ansible.builtin.systemd:
-    name: firewalld
-    state: started
-    enabled: true
-  when: checkmk_server_configure_firewall | bool
-
-- name: "Open firewall ports."
-  become: true
+- name: "{{ ansible_os_family }} Derivatives: Open Firewall Ports for the Checkmk Server."
+  when: checkmk_server_configure_firewall | bool and "firewalld.service" in ansible_facts.services
   ansible.posix.firewalld:
-    port: "{{ item }}"
     permanent: true
     immediate: true
-    state: enabled
-  loop: "{{ __checkmk_server_ports }}"
-  when: checkmk_server_configure_firewall | bool
+    port: "{{ item }}/tcp"
+    state: "enabled"
+  become: true
+  loop: "{{ checkmk_server_ports }}"
@@ -17,8 +17,12 @@
     - include-os-family-vars
     - install-package
 
-- name: "Get installed Packages."
+- name: "{{ ansible_system }}: Get RPM or APT package facts."
   ansible.builtin.package_facts:
+    manager: "auto"
+
+- name: "{{ ansible_system }}: Populate service facts."
+  ansible.builtin.service_facts:
 
 - name: "Update APT Cache."
   become: true

@@ -3,11 +3,6 @@
 __checkmk_server_setup_file: |-
   check-mk-{{ __checkmk_server_edition_mapping[checkmk_server_edition | lower] }}-{{ checkmk_server_version }}-el{{ ansible_distribution_major_version }}-38.x86_64.rpm
 
-__checkmk_server_ports:
-  - 80/tcp
-  - 443/tcp
-  - 8000/tcp
-
 __checkmk_server_prerequisites_per_distro:
   RedHat:
     - firewalld