From 703ee97e9125bf6ca89e3b703142c5332a826d16 Mon Sep 17 00:00:00 2001
From: Salt
Date: Fri, 24 Jul 2020 03:25:23 -0500
Subject: [PATCH] Add and enable snmpd
---
 inventory/group_vars/9iron.yml | 24 +++++
 roles/snmpd/handlers/main.yml | 8 ++
 roles/snmpd/tasks/main.yml | 21 ++++
 roles/snmpd/templates/snmpd.conf | 165 +++++++++++++++++++++++++++++++
 site.yml | 2 +
 5 files changed, 220 insertions(+)
 create mode 100644 roles/snmpd/handlers/main.yml
 create mode 100644 roles/snmpd/tasks/main.yml
 create mode 100644 roles/snmpd/templates/snmpd.conf
diff --git a/inventory/group_vars/9iron.yml b/inventory/group_vars/9iron.yml
index 93680be..58203ab 100644
--- a/inventory/group_vars/9iron.yml
+++ b/inventory/group_vars/9iron.yml
@@ -91,3 +91,27 @@ nextcloud_mysql_password: !vault |
 3332313764623133630a393731613236373837316437653265636663666261383135636662373566
 61373135303632336237333836353764646639633735323566346366623766646266
 nextcloud_url: "nc.9iron.club"
+# snmpd
+snmp_location: "us-east-2"
+snmp_contact: "Salt "
+snmp_auth_user_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36373662333533616331623933343364663532326261653636363732323138633836356633623934
+ 6561333833343432353561366438313165383163366131630a653163666463356462633966666330
+ 38323965303639356635613565633030373836643132336332373730303137376165616163646538
+ 3162616233366236350a626130643230323264343938373134653034636232303130623134393531
+ 61366330316330646137336161623166343835316432363433373333323232383166
+snmp_priv_user_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61316538316630333662633665646364356138613730633334653761626636633836363335383965
+ 6332303265323236383130383366336662626331613866340a636139366135313134303538613833
+ 61383662306163663634333538343733663836633834373462616265366365626533366334383031
+ 6265643764656461320a313137326430386532653538346462323463386538303966303830343037
+ 63333632656534333334383666666138353435383938623934663766623735656533
+snmp_int_user_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31616561323762653439346630653231646137626638383930346437323139666163316131333534
+ 6463313537316230363735346236323033386562373032330a326261393039663539353738643465
+ 36666136663930663463373731663534316232643637623732346331383737643233626235613439
+ 3733366462613133620a386336303434303130313636356339633939623638366236346234376566
+ 65386530663137393830636134653632623366333837616364396161666464613166
diff --git a/roles/snmpd/handlers/main.yml b/roles/snmpd/handlers/main.yml
new file mode 100644
index 0000000..ce2f76b
--- /dev/null
+++ b/roles/snmpd/handlers/main.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart snmpd
+ systemd:
+ name: snmpd
+ state: restarted
+ become: yes
diff --git a/roles/snmpd/tasks/main.yml b/roles/snmpd/tasks/main.yml
new file mode 100644
index 0000000..34dab91
--- /dev/null
+++ b/roles/snmpd/tasks/main.yml
@@ -0,0 +1,21 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Install snmpd
+ block:
+ - name: Install snmpd
+ apt:
+ name:
+ - snmpd
+ - name: Template out config
+ template:
+ src: snmpd.conf
+ dest: /etc/snmp/snmpd.conf
+ mode: "0600"
+ notify: restart snmpd
+ - name: Enable snmpd
+ systemd:
+ name: snmpd
+ enabled: yes
+ state: started
+ become: yes
diff --git a/roles/snmpd/templates/snmpd.conf b/roles/snmpd/templates/snmpd.conf
new file mode 100644
index 0000000..1607211
--- /dev/null
+++ b/roles/snmpd/templates/snmpd.conf
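Review bot: The `Template out config` task in roles/snmpd/tasks/main.yml renders the three vaulted SNMPv3 passphrases into `/etc/snmp/snmpd.conf`, so a run with `--diff` (or a callback that records diffs) will print them in clear text; add `diff: false` to that task, or `no_log: true` if task results are logged as well. `mode: "0600"` is set but ownership is left implicit; writing `owner: root` and `group: root` next to it states the intended permissions on a file that holds credentials. The `apt` task also omits `state: present`, which is the default but is clearer written out, and `become: yes` / `enabled: yes` here and in the handler would be `true` in current Ansible style.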
@@ -0,0 +1,165 @@ +# Listen for connections on all interfaces (both IPv4 *and* IPv6) +agentAddress udp:161,udp6:[::1]:161 + +# Create users +createUser authOnlyUser SHA {{ snmp_auth_user_pass }} +createUser authPrivUser SHA {{ snmp_priv_user_pass }} +createUser internalUser SHA {{ snmp_int_user_pass }} + +############################################################################### +# +# ACCESS CONTROL +# + + # system + hrSystem groups only +view systemonly included .1.3.6.1.2.1.1 +view systemonly included .1.3.6.1.2.1.25.1 + + # Full access from the local host +#rocommunity public localhost + # Default access to basic system info + rocommunity public default -V systemonly + # rocommunity6 is for IPv6 + rocommunity6 public default -V systemonly + + # Full access from an example network + # Adjust this network address to match your local + # settings, change the community string, + # and check the 'agentAddress' setting above +#rocommunity secret 10.0.0.0/16 + + # Full read-only access for SNMPv3 + rouser authOnlyUser + # Full write access for encrypted requests + # Remember to activate the 'createUser' lines above +#rwuser authPrivUser priv + +# It's no longer typically necessary to use the full 'com2sec/group/access' configuration +# r[ow]user and r[ow]community, together with suitable views, should cover most requirements + + + +############################################################################### +# +# SYSTEM INFORMATION +# + +# Note that setting these values here, results in the corresponding MIB objects being 'read-only' +# See snmpd.conf(5) for more details +sysLocation {{ snmp_location }} +sysContact {{ snmp_contact }} + # Application + End-to-End layers +sysServices 72 + + +# +# Process Monitoring +# + # At least one 'mountd' process +proc mountd + # No more than 4 'ntalkd' processes - 0 is OK +proc ntalkd 4 + # At least one 'sendmail' process, but no more than 10 +proc sendmail 10 1 + +# Walk the UCD-SNMP-MIB::prTable to see the resulting 
output +# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file + + +# +# Disk Monitoring +# + # 10MBs required on root disk, 5% free on /var, 10% free on all other disks +disk / 10000 +disk /var 5% +includeAllDisks 10% + +# Walk the UCD-SNMP-MIB::dskTable to see the resulting output +# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file + + +# +# System Load +# + # Unacceptable 1-, 5-, and 15-minute load averages +load 12 10 5 + +# Walk the UCD-SNMP-MIB::laTable to see the resulting output +# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file + + + +############################################################################### +# +# ACTIVE MONITORING +# + + # send SNMPv1 traps + trapsink localhost public + # send SNMPv2c traps +#trap2sink localhost public + # send SNMPv2c INFORMs +#informsink localhost public + +# Note that you typically only want *one* of these three lines +# Uncommenting two (or all three) will result in multiple copies of each notification. + + +# +# Event MIB - automatically generate alerts +# + # Remember to activate the 'createUser' lines above +iquerySecName internalUser +rouser internalUser + # generate traps on UCD error conditions +defaultMonitors yes + # generate traps on linkUp/Down +linkUpDownNotifications yes + + + +############################################################################### +# +# EXTENDING THE AGENT +# + +# +# Arbitrary extension commands +# + extend test1 /bin/echo Hello, world! + extend-sh test2 echo Hello, world! 
; echo Hi there ; exit 35 +#extend-sh test3 /bin/sh /tmp/shtest + +# Note that this last entry requires the script '/tmp/shtest' to be created first, +# containing the same three shell commands, before the line is uncommented + +# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table +# and nsExtendOutput2Table) to see the resulting output + +# Note that the "extend" directive supercedes the previous "exec" and "sh" directives +# However, walking the UCD-SNMP-MIB::extTable should still returns the same output, +# as well as the fuller results in the above tables. + + +# +# "Pass-through" MIB extension command +# +#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest +#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl + +# Note that this requires one of the two 'passtest' scripts to be installed first, +# before the appropriate line is uncommented. +# These scripts can be found in the 'local' directory of the source distribution, +# and are not installed automatically. + +# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output + + +# +# AgentX Sub-agents +# + # Run as an AgentX master agent + master agentx + # Listen for network connections (from localhost) + # rather than the default named socket /var/agentx/master +#agentXSocket tcp:localhost:705 diff --git a/site.yml b/site.yml index 295b8a1..2216736 100755 --- a/site.yml +++ b/site.yml @@ -25,6 +25,8 @@ roles: - role: dns tags: [ common, dns ] + - role: snmpd + tags: [ common, snmpd ] - import_playbook: playbooks/webservers.yml - import_playbook: playbooks/gameservers.yml - import_playbook: playbooks/home.yml
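Review bot: The `rocommunity public default -V systemonly` and `rocommunity6 public default -V systemonly` lines in roles/snmpd/templates/snmpd.conf leave SNMPv1/v2c enabled with the well-known community `public` for any source address, while `agentAddress udp:161,udp6:[::1]:161` binds IPv4 on every interface (the IPv6 half is loopback-only, which contradicts the comment above it). Since SNMPv3 users are created in the same file, drop both community lines and bind or firewall port 161 to the monitoring hosts only. `rouser authOnlyUser` grants the whole tree with authentication only, and `createUser authPrivUser SHA {{ snmp_priv_user_pass }}` names no privacy protocol, so no configured user can make encrypted requests; consider `createUser authPrivUser SHA "{{ snmp_priv_user_pass }}" AES` with `rouser authPrivUser priv -V systemonly`, quoting each templated passphrase so a space or `#` in it cannot truncate the directive. The packaged samples (`extend test1`, `extend-sh test2`, the `proc mountd`/`ntalkd`/`sendmail` checks and `trapsink localhost public`) are still active and should be removed from the template rather than deployed.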