From 90068321949fd46a33c96ed9d531bd29624557c6 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 2 Oct 2024 14:27:45 +0200
Subject: [PATCH] access: set up SNMP user for D-Link switches
---
 roles/access/handlers/main.yml | 2 +-
 roles/access/tasks/d-link-dgs-1510-52x.yml | 1 +
 roles/access/tasks/d-link-dgs-1510-52xmp.yml | 1 +
 roles/access/tasks/d-link.yml | 37 ++++++++++++++++++++
 roles/access/tasks/fs-s5860-48xmg-u.yml | 1 +
 roles/access/tasks/fs.yml | 0
 roles/access/tasks/main.yml | 7 ++++
 roles/access/templates/config-d-link.j2 | 5 +++
 8 files changed, 53 insertions(+), 1 deletion(-)
 create mode 120000 roles/access/tasks/d-link-dgs-1510-52x.yml
 create mode 120000 roles/access/tasks/d-link-dgs-1510-52xmp.yml
 create mode 100644 roles/access/tasks/d-link.yml
 create mode 120000 roles/access/tasks/fs-s5860-48xmg-u.yml
 create mode 100644 roles/access/tasks/fs.yml
diff --git a/roles/access/handlers/main.yml b/roles/access/handlers/main.yml
index af48a6f..5a7fcbd 100644
--- a/roles/access/handlers/main.yml
+++ b/roles/access/handlers/main.yml
@@ -7,4 +7,4 @@
     answer:
     - "y"
     - "y"
-  when: "'handler' not in ansible_skip_tags"
+  when: "not ansible_check_mode and 'handler' not in ansible_skip_tags"
diff --git a/roles/access/tasks/d-link-dgs-1510-52x.yml b/roles/access/tasks/d-link-dgs-1510-52x.yml
new file mode 120000
index 0000000..c0ec355
--- /dev/null
+++ b/roles/access/tasks/d-link-dgs-1510-52x.yml
@@ -0,0 +1 @@
+d-link.yml
\ No newline at end of file
diff --git a/roles/access/tasks/d-link-dgs-1510-52xmp.yml b/roles/access/tasks/d-link-dgs-1510-52xmp.yml
new file mode 120000
index 0000000..c0ec355
--- /dev/null
+++ b/roles/access/tasks/d-link-dgs-1510-52xmp.yml
@@ -0,0 +1 @@
+d-link.yml
\ No newline at end of file
diff --git a/roles/access/tasks/d-link.yml b/roles/access/tasks/d-link.yml
new file mode 100644
index 0000000..de07493
--- /dev/null
+++ b/roles/access/tasks/d-link.yml
@@ -0,0 +1,37 @@
+- name: Generate SNMP passwords
+  delegate_to: localhost
+  command: 'snmpv3-hashgen --yaml --user {{ password.snmp_user }} --auth {{ password.snmp_pass }} --priv {{ password.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
+  check_mode: false
+  changed_when: false
+  register: snmp_config
+
+- name: Get SNMP password hash
+  set_fact:
+    snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'
+
+- name: Get switch facts
+  cisco.ios.ios_facts:
+    gather_subset: config
+
+- name: Get SNMP users
+  set_fact:
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+password.snmp_user+' public v3') }}"
+    snmp_target: "snmp-server user {{ password.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+
+- name: Remove existing SNMP user to reset password
+  when: 'snmp_current and snmp_target is not in snmp_current'
+  block:
+  - name: Remove SNMP user
+    ansible.netcommon.cli_config:
+      config: 'no snmp-server user {{ password.snmp_user }} public v3'
+    notify: write config
+
+  - set_fact:
+      snmp_current: false
+
+- name: Create SNMP user
+  when: 'not snmp_current'
+  ansible.netcommon.cli_config:
+    config: '{{ snmp_target }}'
+  notify: write config
+
diff --git a/roles/access/tasks/fs-s5860-48xmg-u.yml b/roles/access/tasks/fs-s5860-48xmg-u.yml
new file mode 120000
index 0000000..b136bed
--- /dev/null
+++ b/roles/access/tasks/fs-s5860-48xmg-u.yml
@@ -0,0 +1 @@
+fs.yml
\ No newline at end of file
diff --git a/roles/access/tasks/fs.yml b/roles/access/tasks/fs.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/access/tasks/main.yml b/roles/access/tasks/main.yml
index 3e82132..a48f03e 100644
--- a/roles/access/tasks/main.yml
+++ b/roles/access/tasks/main.yml
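Review bot: None of the new tasks sets `no_log`, yet `Generate SNMP passwords` places `password.snmp_pass` on the `snmpv3-hashgen` command line and registers the result, and the two `cli_config` tasks carry the localized key material in `config:`, so the plaintext password and the hashes are written to the play output at `-v` and to any logging callback. Add `no_log: true` to `Generate SNMP passwords`, `Remove SNMP user` and `Create SNMP user`; note that the `delegate_to: localhost` command also exposes the password in the controller's process list while it runs, which `no_log` cannot cover, so a stdin- or file-based way of passing it would be preferable if the tool offers one. Passing the same secret for `--auth` and `--priv` means one leaked key defeats both protections; a distinct priv secret is worth considering. Separately, `snmp_target` appears to end with a space inside its quotes (`... {{ snmp_hashes.priv[:32] }} "`), so `snmp_target is not in snmp_current` would be compared against running-config lines that presumably carry no trailing whitespace and the `Remove existing SNMP user` block would recreate the user on every run; confirm and drop the space if so.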
@@ -7,6 +7,10 @@
     ansible_ssh_user: '{{ password.user }}'
     ansible_ssh_pass: '{{ password.pass }}'
+- name: Generate SNMP engine ID from serial number
+  set_fact:
+    snmp_engine_id: '{{ (serial | sha1)[:24] }}'
+
 - name: Set configuration
   ansible.netcommon.cli_config:
     config: '{{ lookup("template", "config-"~manufacturer~"-"~device_type~".j2") }}'
@@ -17,3 +21,6 @@
   # These lines are not displayed by 'sho ru' and always reported as different, so ignore them.
   changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?)$')
   notify: write config
+
+- name: Run model-specific tasks
+  include_tasks: '{{ manufacturer~"-"~device_type~".yml" }}'
diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index 2313f15..ab2a982 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -69,7 +69,12 @@
 voice vlan {{ voice_vlan }}
 no voice vlan
 {% endif %}
+snmp-server
 snmp-server name {{ inventory_hostname }}
+snmp-server location {{ rack }}
+{# SNMP engine ID must be exactly 24 hex digits #}
+snmp-server engineID local {{ snmp_engine_id }}
+snmp-server group public v3 priv read CommunityView
 sntp enable
 {% for address in ntp %}
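Review bot: The `[:24]` slice in `snmp_engine_id` is unexplained in this file; the only rationale (`SNMP engine ID must be exactly 24 hex digits`) is a Jinja comment in `config-d-link.j2`, which a reader of this task will not see. Add a comment above the task, e.g. `# D-Link wants a 24-hex-digit engine ID; derive a stable one from the serial. The SNMPv3 key hashes in d-link.yml are localized to this value, so changing the derivation invalidates existing users.`. The coupling is visible from `snmpv3-hashgen --engine {{ snmp_engine_id }}` in `d-link.yml` and belongs where the value is defined. The surrounding task list continues outside the hunk.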
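Review bot: `include_tasks` now requires a `<manufacturer>-<device_type>.yml` file for every model the role is applied to — the commit itself had to add symlinks and an empty `fs.yml` to satisfy it — and a new device type without such a file fails at this step, which is not obvious from the task name. State the convention in a comment, e.g. `# Every supported manufacturer-device_type pair needs a task file here (symlink to the vendor file, or an empty file).`. Whether failing fast on an unknown model is the intended behaviour is not visible here; if a missing file should be tolerated instead, a preceding `stat` guard or a `first_found` lookup would express that explicitly.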
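Review bot: `snmp-server location {{ rack }}` renders the variable unquoted, so a `rack` value containing whitespace would be split by the switch's command parser; constrain the variable or quote it in whatever form the D-Link CLI accepts. The added `snmp-server group public v3 priv read CommunityView` references a view that is not defined in this hunk — confirm `CommunityView` exists elsewhere in the template or as a device default, otherwise the group has no readable view and the user created in `d-link.yml` is unusable. Nothing in this hunk limits SNMP to the management network or removes any v1/v2c community; if the rest of the template does not already do that, the `snmp-server` stanza introduced here is where it belongs, since enabling the agent with only a v3 priv group appears to be the intent.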