From beaa977e213f96863dfd0ea86901b844e5943e19 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 3 Oct 2025 17:18:59 +0200
Subject: [PATCH] access: set up SNMP for FS S5800 switches
---
 roles/access/tasks/fs.yml | 32 +++++++++++++++++++
 .../access/templates/config-fs-s5800-48t4s.j2 | 9 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/roles/access/tasks/fs.yml b/roles/access/tasks/fs.yml
index e69de29..c14920e 100644
--- a/roles/access/tasks/fs.yml
+++ b/roles/access/tasks/fs.yml
@@ -0,0 +1,32 @@
+- name: Get secrets for SNMP manager
+ set_fact:
+ manager: "{{ lookup('passwordstore', 'host/'+snmp_manager.name, returnall=true, missing='empty') | from_yaml }}"
+
+- name: Get existing SNMP users
+ set_fact:
+ snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+ snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+
+- name: Remove existing SNMP user to reset password
+ when: "snmp_current and snmp_target is not in snmp_current"
+ block:
+ - name: Remove SNMP user
+ ansible.netcommon.cli_config:
+ config: "{{ item }}"
+ loop:
+ - "no snmp-server usm-user {{ manager.snmp_user }}"
+ - "no snmp-server group public user {{ manager.snmp_user }} security-model usm"
+ notify: write config
+
+ - set_fact:
+ snmp_current: false
+
+- name: Create SNMP user
+ when: "not snmp_current"
+ ansible.netcommon.cli_config:
+ config: "{{ item }}"
+ loop:
+ - "{{ snmp_target }}"
+ - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
+ no_log: true
+ notify: write config
diff --git a/roles/access/templates/config-fs-s5800-48t4s.j2 b/roles/access/templates/config-fs-s5800-48t4s.j2
index 3d5c7e9..100f008 100644
--- a/roles/access/templates/config-fs-s5800-48t4s.j2
+++ b/roles/access/templates/config-fs-s5800-48t4s.j2
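Review bot: The two `set_fact` tasks at the top of the hunk store the whole passwordstore entry (`manager`) and a line that embeds `manager.snmp_pass` in clear (`snmp_target`) without `no_log`, so a verbose or failing run prints the SNMP credentials even though the later `Create SNMP user` task is protected; add `no_log: true` to both `set_fact` tasks (the `Remove SNMP user` task only echoes the user name and can stay visible). `snmp_target` also ends with a space before the closing quote, so unless the switch emits that line with a trailing space the `snmp_target is not in snmp_current` test never matches and the user is torn down and recreated on every run — compare it with the line as it appears in `ansible_net_config` and drop the space if it is not there. Lastly the user is created with `privacy des` and the same secret for authentication and privacy; if the S5800 firmware accepts `privacy aes`, prefer it with a separate privacy passphrase, since DES is deprecated for SNMPv3 and one secret should not unlock both keys.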
@@ -1,5 +1,8 @@
 hostname {{ inventory_hostname }}
+{# disable encryption until we figure out the hash function, otherwise we can’t create SNMP users idempotently #}
+no service password-encryption
+
 service http disable
 service telnet disable
@@ -10,7 +13,11 @@ vlan database
 {% for vlan in del_vlans %}
 no vlan {{ vlan }}
 {% endfor %}
-exit
+
+snmp-server enable
+snmp-server system-location {{ rack }}
+snmp-server engineID {{ snmp_engine_id }}
+snmp-server access public security-model usm priv read _all_
 {# sort to ensure LAG interfaces are added last #}
 {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}
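Review bot: `no service password-encryption` in the first hunk switches off encryption for every password the switch keeps in its configuration, not only the SNMP users this change needs it for, and because the role presumably reads that same configuration back into `ansible_net_config` (used by fs.yml) the clear-text secrets then also sit in Ansible facts and in any config backups; the Jinja comment should state that scope. Suggested wording: `{# TODO: turns off encryption for ALL stored passwords, not just SNMP users, so secrets appear in clear in the running config and in ansible_net_config; revisit once the S5800 hash format is known so fs.yml can compare against the hashed line #}`. In the second hunk, `snmp-server engineID {{ snmp_engine_id }}` deserves a one-line comment that the value must stay fixed once users exist, because on most SNMPv3 implementations the USM keys are localized to the engine ID and a changed ID silently breaks them.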