mozilla-platform-ops · aerickson · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/.kitchen_configs/kitchen.docker.yml b/.kitchen_configs/kitchen.docker.yml
@@ -37,6 +37,8 @@ provisioner:
   hiera_deep_merge: true
   hiera_writer_files:
     - secrets/vault.yaml:
+        snmpd:
+          ro_community: aaaa
         telegraf:
           user: telegraf
           password: telegraf4fun

diff --git a/modules/linux_packages/manifests/snmpd.pp b/modules/linux_packages/manifests/snmpd.pp
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+class linux_packages::snmpd {
+  case $facts['os']['name'] {
+    'Ubuntu': {
+      case $facts['os']['release']['full'] {
+        '18.04', '22.04', '24.04': {
+          package {
+            'snmpd':
+              ensure => present;
+          }
+        }
+        default: {
+          fail("Ubuntu ${facts['os']['release']['full']} is not supported")
+        }
+      }
+    }
+    default: {
+      fail("${facts['os']['name']} is not supported")
+    }
+  }
+}
diff --git a/modules/linux_snmpd/manifests/init.pp b/modules/linux_snmpd/manifests/init.pp
@@ -0,0 +1,49 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+class linux_snmpd {
+  case $facts['os']['name'] {
+    'Ubuntu': {
+      case $facts['os']['release']['full'] {
+        '18.04', '22.04', '24.04': {
+          # load in secrets from vault/hiera
+          $snmpd_ro_secret = lookup('snmpd.ro_community', { default_value => undef })
+
+          # only do this block if secret is set
+          if $snmpd_ro_secret and $snmpd_ro_secret != '' {
+            # include vs require? still need to do ordering...
+            include linux_packages::snmpd
+
+            service { 'snmpd':
+              ensure  => running,
+              enable  => true,
+              require => Class['linux_packages::snmpd'];
+            }
+
+            # deliver our config (require linux_packages::snmpd)
+            #   /etc/snmp/snmpd.conf
+            file {
+              default: * => $shared::file_defaults;
+
+              '/etc/snmp/snmpd.conf':
+                ensure  => file,
+                content => template('linux_snmpd/snmpd.conf.erb'),
+                mode    => '0644',
+                notify  => Service['snmpd'];
+            }
+          }
+          else {
+            notice('snmpd_ro_community is not set, skipping snmpd configuration')
+          }
+        }
+        default: {
+          fail("Ubuntu ${facts['os']['release']['full']} is not supported")
+        }
+      }
+    }
+    default: {
+      fail("${facts['os']['name']} is not supported")
+    }
+  }
+}
diff --git a/modules/linux_snmpd/templates/snmpd.conf.erb b/modules/linux_snmpd/templates/snmpd.conf.erb
@@ -0,0 +1,12 @@
+# mozilla relops snmpd.conf template
+# v1.0 - 2026-02-18
+
+agentAddress udp:161
+
+sysLocation    "MDC1"
+sysContact     "relops@mozilla.com"
+
+# create 'all' view and include all of .1
+view   all         included   .1
+# set a SNMPv1/v2c read-only community (default source) and tie to 'all' view
+rocommunity <%= @snmpd_ro_secret %> default -V all
diff --git a/modules/roles_profiles/manifests/profiles/linux_base.pp b/modules/roles_profiles/manifests/profiles/linux_base.pp
@@ -25,6 +25,9 @@
       # fix for ubuntu packaging bug
       require linux_packages::testresources
 
+      # should be requires above, but fight that battle another day
+      include linux_snmpd
+
       # TODO:
       # - add auditd
       # - add sending of logs to log aggregator/relay

diff --git a/test/integration/linux-perf/inspec/snmpd_spec.rb b/test/integration/linux-perf/inspec/snmpd_spec.rb
@@ -0,0 +1,21 @@
+# ensure package is installed
+describe package('snmpd') do
+    it { should be_installed }
+end
+
+describe service('snmpd') do
+    it { should be_running }
+    it { should be_enabled }
+end
+
+# check our templating worked
+describe file('/etc/snmp/snmpd.conf') do
+    it { should exist }
+    # TODO: don't check community secret (so it could work on prod hosts)
+    its(:content) { should match /rocommunity aaaa/ }
+
+    # check that our template is in place (and not the default)
+    its(:content) { should match /# mozilla relops snmpd.conf template/ }
+    # check that RO community is enabled
+    its(:content) { should match /^rocommunity/ }
+end