From 3a21dbfa35b32c6cec4fbe7867a7905096bbb249 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 26 Apr 2025 20:33:23 +0000
Subject: [PATCH] routeros: Don't run mqtt publish script as root

---
 roles/routeros/files/README.md | 6 ++++++
 .../files/routeros-poe-mqtt-publish.sh | 18 +++++++++++-------
 roles/routeros/tasks/main.yml | 2 ++
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/roles/routeros/files/README.md b/roles/routeros/files/README.md
index 91fed9c..9e5cc1e 100644
--- a/roles/routeros/files/README.md
+++ b/roles/routeros/files/README.md
@@ -14,3 +14,9 @@
 ```
 /interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30
 ```
+
+## Add name to port
+
+```
+/interface/ethernet/set [ find default-name=ether20 ] comment="name"
+```
diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh
index d622f2a..4395ba0 100644
--- a/roles/routeros/files/routeros-poe-mqtt-publish.sh
+++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh
@@ -4,16 +4,19 @@ set -eu
 umask 077
 community="public"
+tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+cafile="${tlsdir}/certs/ca.crt"
+keyfile="${tlsdir}/private/$(hostname -f).key"
+certfile="${tlsdir}/certs/$(hostname -f).crt"
+
+export LDAPTLS_KEY="$keyfile"
+export LDAPTLS_CERT="$certfile"
 
 mqtt_send() {
   topic="$1"
   value="$2"
-  tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
   mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
-    --cafile "${tlsdir}/certs/ca.crt" \
-    --key "${tlsdir}/private/$(hostname -f).key" \
-    --cert "${tlsdir}/certs/$(hostname -f).crt"
+    --cafile "$cafile" --key "$keyfile" --cert "$certfile"
 }
 
 snmp_get() {
@@ -32,7 +35,7 @@ if [ "${1:-}" != "-f" ]; then
   done
 fi
 
-ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \
+ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn | \
   awk '{ if ($1 == "cn:") print $2 }' | while read -r name
 do
   snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \
@@ -43,7 +46,8 @@ do
   device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")"
   [ -z "$device" ] && continue
 
-  location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \
+  location="$(ldapsearch -Q -LLL -Y EXTERNAL \
+    "(&(objectClass=device)(cn=${device}))" l | \
     sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')"
   [ -z "$location" ] && continue
 
diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml
index 8f73b67..f9693ad 100644
--- a/roles/routeros/tasks/main.yml
+++ b/roles/routeros/tasks/main.yml
@@ -25,6 +25,7 @@
       name: routeros
       comment: RouterOS Downloader
       group: routeros
+      groups: hostkey
       create_home: false
       home: /var/empty
       shell: /sbin/nologin
@@ -74,4 +75,5 @@
     ansible.builtin.cron:
       name: routeros-poe-mqtt-publish
       job: /usr/local/bin/routeros-poe-mqtt-publish
+      user: routeros
       minute: "*/5"
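Review bot: The `-Y EXTERNAL` bind added to the first `ldapsearch` now depends on the exported client key being readable by the unprivileged cron user, but a failure there is invisible: the command is the head of a pipeline whose exit status is that of the trailing `while read` loop, so under `set -eu` with no `pipefail` an unreadable key or a refused SASL bind makes the script exit 0 after publishing nothing. The shebang is outside the hunk, so I can't tell whether `set -o pipefail` is available; a portable fix is to capture the result first, `names="$(ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn)" || exit 1`, and then drive the loop with `printf '%s\n' "$names" | awk '{ if ($1 == "cn:") print $2 }' | while read -r name`. A one-line comment above the call, `# -Y EXTERNAL authenticates with LDAPTLS_KEY/LDAPTLS_CERT, so the configured LDAP URI must use TLS`, would also save the next reader a trip to ldap.conf. The loop body continues past the end of the hunk.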
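Review bot: The rewritten second `ldapsearch` still splices `${device}` raw into the LDAP filter, and that value is the ifAlias string returned by `snmp_get` from the switch over SNMPv1 with the `public` community, i.e. data any device admin or anyone who can spoof a UDP reply controls; a value containing `*`, `(`, `)` or `\` rewrites the filter (`*)(objectClass=*` matches everything). The blast radius is small because only the `l` attribute of the match is used for the topic name, but since the commit touches this exact line it is cheap to escape the value per RFC 4515 first, e.g. `device="$(printf '%s' "$device" | sed -e 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')"` placed before the `location=` assignment, with the backslash substitution kept first so the escapes themselves are not re-escaped. The enclosing `do ... done` loop starts and ends outside the hunk.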
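Review bot: Adding `groups: hostkey` to the `routeros` user hands a script that parses SNMPv1 responses from network devices read access to what the script hunk shows is the host's own TLS private key (`${tlsdir}/private/$(hostname -f).key`), which is broader than the job needs; I can't see how the `hostkey` group is set up, but a per-service key and certificate (the script already builds its paths from `hostname -f`, so a dedicated filename would be a small change) would keep the host identity out of reach if the parser is ever exploited. If the group membership stays, please make the intent explicit with `append: true` (without it `groups:` replaces the user's entire supplementary group list on every run, which is harmless today but surprising later) and a comment such as `# hostkey: read access to the host TLS key/cert used for mqtt and ldap client auth`. The `ansible.builtin.user` task starts above the hunk.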
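Review bot: Adding `user: routeros` creates the entry in the routeros crontab but does not remove the one this task previously created in root's crontab (the module keys on `name` within a single user's crontab, and the old task had no `user:`), so on hosts already provisioned the script keeps running as root every five minutes alongside the new job, which defeats the purpose of the commit. A preceding task that deletes the root entry fixes this and is safe to leave in place as a no-op afterwards. The task's `- name:` line is above the hunk.

```yaml
- name: Remove the old root crontab entry for routeros-poe-mqtt-publish
  ansible.builtin.cron:
    name: routeros-poe-mqtt-publish
    user: root
    state: absent

# … unchanged: existing cron task, now with user: routeros …
```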