routeros: Don't run mqtt publish script as root

2025-04-26 20:33:23 +00:00 · 2025-04-26 20:33:23 +00:00 · 3a21dbfa35
commit 3a21dbfa35
parent 894f69f82f
3 changed files with 19 additions and 7 deletions
--- a/roles/routeros/files/README.md
+++ b/roles/routeros/files/README.md
@ -14,3 +14,9 @@
 ```
 /interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30
 ```
+
+## Add name to port
+
+```
+/interface/ethernet/set [ find default-name=ether20 ] comment="name"
+```
--- a/roles/routeros/files/routeros-poe-mqtt-publish.sh
+++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh
@ -4,16 +4,19 @@ set -eu
 umask 077

 community="public"
+tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+cafile="${tlsdir}/certs/ca.crt"
+keyfile="${tlsdir}/private/$(hostname -f).key"
+certfile="${tlsdir}/certs/$(hostname -f).crt"
+
+export LDAPTLS_KEY="$keyfile"
+export LDAPTLS_CERT="$certfile"

 mqtt_send() {
    topic="$1"
    value="$2"
-
-    tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
    mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
-        --cafile "${tlsdir}/certs/ca.crt" \
-        --key "${tlsdir}/private/$(hostname -f).key" \
-        --cert "${tlsdir}/certs/$(hostname -f).crt"
+        --cafile "$cafile" --key "$keyfile" --cert "$certfile"
 }

 snmp_get() {
@ -32,7 +35,7 @@ if [ "${1:-}" != "-f" ]; then
    done
 fi

-ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \
+ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn | \
    awk '{ if ($1 == "cn:") print $2 }' | while read -r name
 do
    snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \
@ -43,7 +46,8 @@ do

        device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")"
        [ -z "$device" ] && continue
-        location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \
+        location="$(ldapsearch -Q -LLL -Y EXTERNAL \
+            "(&(objectClass=device)(cn=${device}))" l | \
            sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')"
        [ -z "$location" ] && continue

--- a/roles/routeros/tasks/main.yml
+++ b/roles/routeros/tasks/main.yml
@ -25,6 +25,7 @@
    name: routeros
    comment: RouterOS Downloader
    group: routeros
+    groups: hostkey
    create_home: false
    home: /var/empty
    shell: /sbin/nologin
@ -74,4 +75,5 @@
  ansible.builtin.cron:
    name: routeros-poe-mqtt-publish
    job: /usr/local/bin/routeros-poe-mqtt-publish
+    user: routeros
    minute: "*/5"