Getting started

debops.snmpd role will install snmpd package on Debian/Ubuntu hosts and secure access to SNMP using random SNMPv3 username / password combination, as well as firewall and TCP wrappers rules.

Example inventory

To enable SNMP service on a DebOps-managed host, you need to add that host to [debops_snmpd] Ansible inventory group:


If you use separate host groups, better idea might be to create a parent group and add your own host groups to it:



Example playbook

Here's an example playbook which uses debops.snmpd role:


- name: Manage SNMP service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_snmpd' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'


    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
        - '{{ snmpd_apt_preferences_dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
        - '{{ snmpd_ferm_dependent_rules }}'

    - role: tcpwrappers
      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
        - '{{ snmpd_tcpwrappers_dependent_allow }}'

    - role: snmpd
      tags: [ 'role::snmpd', 'skip::snmpd' ]

    - role: lldpd
      tags: [ 'role::lldpd', 'skip::lldpd' ]

Firewall, TCP wrappers access

SNMP is primarily used over the network, but for security reasons access from remote hosts is filtered by a firewall and TCP wrappers. To allow access to SNMP from other hosts using debops.ferm and debops.tcpwrappers Ansible roles, you need to add IP addresses or CIDR subnets which can access the service to snmpd_*_allow lists:

snmpd_allow: [ '', '2001:db8::/48' ]

SNMPv3 authentication

debops.snmpd role will create three SNMPv3 user accounts with random usernames and passwords, which will be stored on Ansible Controller in the secret/ directory (see debops.secret role for more details).

Authentication uses SHA encryption, privacy mode uses AES encryption. The generated accounts are:

  • a global "admin" account, stored in secret/snmp/credentials/admin/ directory on Ansible Controller. Read-write, disabled after snmpd is configured. Will be the same on all servers in the cluster.

  • a global "agent" account, stored in secret/snmp/credentials/agent/ directory on Ansible Controller. Read-only, meant to be used to access the SNMP service using network management software. Will be the same on all servers in the cluster.

  • a "local" account, stored in /etc/snmp/snmp.local.conf and /etc/ansible/facts.d/snmpd.fact files on remote hosts. Unique to a particular host, read only. Allows access from the host to itself from the root account, can be used to grant access to a particular host data to other users or services.