access: set up SNMP user for D-Link switches

roles/access/handlers/main.yml

@@ -7,4 +7,4 @@
     answer:
       - "y"
       - "y"
-  when: "'handler' not in ansible_skip_tags"
+  when: "not ansible_check_mode and 'handler' not in ansible_skip_tags"

roles/access/tasks/d-link-dgs-1510-52x.yml

@@ -0,0 +1 @@
+d-link.yml

roles/access/tasks/d-link-dgs-1510-52xmp.yml

@@ -0,0 +1 @@
+d-link.yml

roles/access/tasks/d-link.yml

@@ -0,0 +1,40 @@
+- name: Get secrets for SNMP manager
+  set_fact:
+    manager: '{{ lookup("passwordstore", "host/"+snmp_manager.name, returnall=true, missing="empty") | from_yaml }}'
+
+- name: Generate SNMP passwords
+  delegate_to: localhost
+  command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
+  check_mode: false
+  changed_when: false
+  register: snmp_config
+
+- name: Get SNMP password hash
+  set_fact:
+    snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'
+
+- name: Get switch facts
+  cisco.ios.ios_facts:
+    gather_subset: config
+
+- name: Get SNMP users
+  set_fact:
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
+    snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+
+- name: Remove existing SNMP user to reset password
+  when: 'snmp_current and snmp_target is not in snmp_current'
+  block:
+    - name: Remove SNMP user
+      ansible.netcommon.cli_config:
+        config: 'no snmp-server user {{ manager.snmp_user }} public v3'
+      notify: write config
+
+    - set_fact:
+        snmp_current: false
+
+- name: Create SNMP user
+  when: 'not snmp_current'
+  ansible.netcommon.cli_config:
+    config: '{{ snmp_target }}'
+  notify: write config

roles/access/tasks/fs-s5860-48xmg-u.yml

@@ -0,0 +1 @@
+fs.yml

roles/access/tasks/main.yml

@@ -7,6 +7,10 @@
     ansible_ssh_user: '{{ password.user }}'
     ansible_ssh_pass: '{{ password.pass }}'
 
+- name: Generate SNMP engine ID from serial number
+  set_fact:
+    snmp_engine_id: '{{ (serial | sha1)[:24] }}'
+
 - name: Set configuration
   ansible.netcommon.cli_config:
     config: '{{ lookup("template", "config-"~manufacturer~"-"~device_type~".j2") }}'
@@ -17,3 +21,6 @@
   # These lines are not displayed by 'sho ru' and always reported as different, so ignore them.
   changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?)$')
   notify: write config
+
+- name: Run model-specific tasks
+  include_tasks: '{{ manufacturer~"-"~device_type~".yml" }}'

roles/access/templates/config-d-link.j2

@@ -69,7 +69,12 @@ voice vlan {{ voice_vlan }}
 no voice vlan
 {% endif %}
 
+snmp-server
 snmp-server name {{ inventory_hostname }}
+snmp-server location {{ rack }}
+{# SNMP engine ID must be exactly 24 hex digits #}
+snmp-server engineID local {{ snmp_engine_id }}
+snmp-server group public v3  priv read CommunityView
 
 sntp enable
 {% for address in ntp %}