access: set up SNMP for FS S5800 switches

roles/access/tasks/fs.yml

@@ -0,0 +1,32 @@
+- name: Get secrets for SNMP manager
+  set_fact:
+    manager: "{{ lookup('passwordstore', 'host/'+snmp_manager.name, returnall=true, missing='empty') | from_yaml }}"
+
+- name: Get existing SNMP users
+  set_fact:
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+
+- name: Remove existing SNMP user to reset password
+  when: "snmp_current and snmp_target is not in snmp_current"
+  block:
+    - name: Remove SNMP user
+      ansible.netcommon.cli_config:
+        config: "{{ item }}"
+      loop:
+        - "no snmp-server usm-user {{ manager.snmp_user }}"
+        - "no snmp-server group public user {{ manager.snmp_user }} security-model usm"
+      notify: write config
+
+    - set_fact:
+        snmp_current: false
+
+- name: Create SNMP user
+  when: "not snmp_current"
+  ansible.netcommon.cli_config:
+    config: "{{ item }}"
+  loop:
+    - "{{ snmp_target }}"
+    - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
+  no_log: true
+  notify: write config

roles/access/templates/config-fs-s5800-48t4s.j2

@@ -1,5 +1,8 @@
 hostname {{ inventory_hostname }}
 
+{# disable encryption until we figure out the hash function, otherwise we can’t create SNMP users idempotently #}
+no service password-encryption
+
 service http disable
 service telnet disable
 
@@ -10,7 +13,11 @@ vlan database
 {% for vlan in del_vlans %}
  no vlan {{ vlan }}
 {% endfor %}
-exit
+
+snmp-server enable
+snmp-server system-location {{ rack }}
+snmp-server engineID {{ snmp_engine_id }}
+snmp-server access public security-model usm priv read _all_
 
 {# sort to ensure LAG interfaces are added last #}
 {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}