diff --git a/inventory.sh b/inventory.sh
new file mode 100755
index 0000000..f0613e3
--- /dev/null
+++ b/inventory.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# use this wrapper as your inventory if you have ansible-vault secrets in some config context
+
+# thank you Dameon Wagner you magnificent beast
+# https://github.com/netbox-community/ansible_modules/discussions/551
+
+# remove this file if/when this gets to your computer
+# https://github.com/netbox-community/ansible_modules/pull/1114
+
+ANSIBLE_ASK_VAULT_PASS=no ansible-inventory -i inventory.yml "${@}"
diff --git a/roles/access/tasks/d-link.yml b/roles/access/tasks/d-link.yml
index b4a5874..b9f525c 100644
--- a/roles/access/tasks/d-link.yml
+++ b/roles/access/tasks/d-link.yml
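Review bot: The wrapper's last line resolves `inventory.yml` relative to the caller's working directory, so it only works when ansible-inventory is run from the repository root, while the script itself may be referenced by any path. Resolving the file next to the script removes that dependency and `exec` avoids leaving an idle `sh` in front of the real process: `export ANSIBLE_ASK_VAULT_PASS=no` followed by `exec ansible-inventory -i "$(dirname -- "$0")/inventory.yml" "$@"`. The `export` form is used because whether a `VAR=value exec cmd` prefix reaches the exec'd program is not consistent across `/bin/sh` implementations.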
@@ -4,43 +4,22 @@ - name: Generate SNMP passwords delegate_to: localhost - command: > - snmpv3-hashgen --yaml - --engine {{ snmp_engine_id }} - --user {{ manager.snmp_user }} - --auth {{ manager.snmp_pass }} - --priv {{ manager.snmp_pass }} - --hash sha1 + command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}' check_mode: false changed_when: false - no_log: true register: snmp_config - name: Get SNMP password hash set_fact: snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}' -# check if the SNMP user and group we want to set differ from current switch config -# in this case we have to remove them before trying to chane password or settings -- name: Define SNMP user and group configuration commands +- name: Get SNMP users set_fact: - target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} " - target_group: "snmp-server group public v3 priv read public " - -- name: Get existing SNMP user and group entries from switch - set_fact: - current_user: "{{ ansible_net_config | split('\n') - | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}" - current_group: "{{ ansible_net_config | split('\n') - | select('match', '^snmp-server group public v3') }}" - -- name: Check if existing SNMP user and/or group should be removed - set_fact: - remove_user: "{{ current_user and target_user is not in current_user }}" - remove_group: "{{ current_group and target_group is not in current_group }}" + snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}" + snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} " - name: Remove existing SNMP user to reset password - when: remove_user or remove_group # can’t 
change group with existing users + when: 'snmp_current and snmp_target is not in snmp_current' block: - name: Remove SNMP user ansible.netcommon.cli_config: @@ -48,28 +27,10 @@ notify: write config - set_fact: - current_user: false - -- name: Remove existing SNMP group to change parameters - when: remove_group - block: - - name: Remove existing SNMP group - ansible.netcommon.cli_config: - config: 'no snmp-server group public v3 priv' - notify: write config - - - set_fact: - current_group: false - -# create new SNMP user and group -- name: Create SNMP group and user - when: not current_group - ansible.netcommon.cli_config: - config: '{{ target_group }}' - notify: write config + snmp_current: false - name: Create SNMP user - when: not current_user + when: 'not snmp_current' ansible.netcommon.cli_config: - config: '{{ target_user }}' + config: '{{ snmp_target }}' notify: write config diff --git a/roles/access/tasks/fs-s5860-48xmg-u.yml b/roles/access/tasks/fs-s5860-48xmg-u.yml index 02e9f48..8f30f7c 100644 --- a/roles/access/tasks/fs-s5860-48xmg-u.yml +++ b/roles/access/tasks/fs-s5860-48xmg-u.yml @@ -4,16 +4,9 @@ - name: Generate SNMP passwords delegate_to: localhost - command: > - snmpv3-hashgen --yaml - --engine {{ snmp_engine_id }} - --user {{ manager.snmp_user }} - --auth {{ manager.snmp_pass }} - --priv {{ manager.snmp_pass }} - --hash sha1 + command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}' check_mode: false changed_when: false - no_log: true register: snmp_config - name: Get SNMP password hash diff --git a/roles/access/tasks/fs.yml b/roles/access/tasks/fs.yml index 80f1c60..c14920e 100644 --- a/roles/access/tasks/fs.yml +++ b/roles/access/tasks/fs.yml 
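Review bot: Dropping `no_log: true` from the "Generate SNMP passwords" task means the registered `command` result — whose command line carries `{{ manager.snmp_pass }}` twice and whose stdout carries the derived auth/priv hashes — is now printed in play output and kept by any configured log or callback plugin; the same removal appears in the `roles/access/tasks/fs-s5860-48xmg-u.yml` hunk below. Because the hashes are fed straight into `encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }}`, they are presumably usable in place of the password and are as sensitive as it. Restore `no_log: true` after `register: snmp_config` in both files; if it was removed to debug the new single-line `command:`, gate it on a debug variable rather than deleting it.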
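Review bot: The new "Create SNMP user" task sends `config: '{{ snmp_target }}'`, which embeds the auth and priv hashes, through `ansible.netcommon.cli_config` with no `no_log`, whereas the equivalent task rewritten in `roles/access/tasks/fs.yml` in this same commit carries `no_log: true`. Add `no_log: true` directly after `config: '{{ snmp_target }}'` so the hashes do not appear in task output. The `set_fact` that builds `snmp_target` a few lines earlier in this file will still echo them under `-v`; the same `no_log: true` there keeps the two files consistent.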
@@ -4,11 +4,11 @@ - name: Get existing SNMP users set_fact: - current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}" - target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} " + snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}" + snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} " - name: Remove existing SNMP user to reset password - when: "current_user and target_user is not in current_user" + when: "snmp_current and snmp_target is not in snmp_current" block: - name: Remove SNMP user ansible.netcommon.cli_config: @@ -19,14 +19,14 @@ notify: write config - set_fact: - current_user: false + snmp_current: false - name: Create SNMP user - when: "not current_user" + when: "not snmp_current" ansible.netcommon.cli_config: config: "{{ item }}" loop: - - "{{ target_user }}" + - "{{ snmp_target }}" - "snmp-server group public user {{ manager.snmp_user }} security-model usm" no_log: true notify: write config diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2 index 36df00c..78680f0 100644 --- a/roles/access/templates/config-d-link.j2 +++ b/roles/access/templates/config-d-link.j2 
@@ -112,11 +112,7 @@ snmp-server name {{ inventory_hostname }} snmp-server location {{ rack }} {# SNMP engine ID must be exactly 24 hex digits #} snmp-server engineID local {{ snmp_engine_id }} -{# limit MIBs exposed over SNMP #} -snmp-server view public 1.3.6.1.2.1.1 included {# system +#} -snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#} -snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#} -snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#} +snmp-server group public v3 priv read CommunityView sntp enable {% for address in ntp %} diff --git a/roles/access/templates/config-fs-s5800-48t4s.j2 b/roles/access/templates/config-fs-s5800-48t4s.j2 index c194033..100f008 100644 --- a/roles/access/templates/config-fs-s5800-48t4s.j2 +++ b/roles/access/templates/config-fs-s5800-48t4s.j2 @@ -17,11 +17,7 @@ vlan database snmp-server enable snmp-server system-location {{ rack }} snmp-server engineID {{ snmp_engine_id }} -snmp-server view public included 1.3.6.1.2.1.1 {# system +#} -snmp-server view public included 1.3.6.1.2.1.2 {# interfaces +#} -snmp-server view public included 1.3.6.1.2.1.17.7 {# qBridgeMIB +#} -snmp-server view public included 1.3.6.1.2.1.31 {# ifMIB +#} -snmp-server access public security-model usm priv read public +snmp-server access public security-model usm priv read _all_ {# sort to ensure LAG interfaces are added last #} {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %} diff --git a/roles/access/templates/config-fs-s5860-48xmg-u.j2 b/roles/access/templates/config-fs-s5860-48xmg-u.j2 index 4f1184a..83c8a90 100644 --- a/roles/access/templates/config-fs-s5860-48xmg-u.j2 +++ b/roles/access/templates/config-fs-s5860-48xmg-u.j2 
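Review bot: Removing the four `snmp-server view public ... included` lines and binding the group to `CommunityView` here — and likewise to `_all_` in `roles/access/templates/config-fs-s5800-48t4s.j2` and `default` in `roles/access/templates/config-fs-s5860-48xmg-u.j2` — replaces a read view limited to the system, interfaces, qBridgeMIB and ifMIB subtrees with what appear to be the vendors' whole-tree views, so the SNMPv3 user can now read everything each agent exposes. The deleted comment `{# limit MIBs exposed over SNMP #}` records that the narrowing was deliberate, and nothing in the commit explains why it was reversed. If the restricted view broke polling, record that in the template, e.g. `{# full read view: the per-subtree view was dropped because <reason> — TODO confirm #}`; otherwise keep the view lines, or point the group at a narrower view than the vendor default.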
@@ -58,9 +58,4 @@ interface {{ iface.name }} enable service snmp-agent snmp-server location {{ rack }} -{# limit MIBs exposed over SNMP #} -snmp-server view public 1.3.6.1.2.1.1 include {# system +#} -snmp-server view public 1.3.6.1.2.1.2 include {# interfaces +#} -snmp-server view public 1.3.6.1.2.1.17.7 include {# qBridgeMIB +#} -snmp-server view public 1.3.6.1.2.1.31 include {# ifMIB +#} -snmp-server group public v3 priv read public +snmp-server group public v3 priv read default