Add support for '/proc' 'hidepid' option

CHANGES.rst

@@ -32,3 +32,7 @@ v0.1.0
   preferences. Move their configuration to default variables, which can be used
   from an Ansible playbook. [drybjed]
 
+- Add support for ``/proc`` ``hidepid`` option. Role will detect it using
+  Ansible local facts provided by the ``debops.console`` role and add ``snmp``
+  user to the required system group. [drybjed]
+

defaults/main.yml

@@ -244,6 +244,30 @@ snmpd_load_15min: '{{ (((snmpd_load_base | float) *
                        snmpd_load_weight_map[snmpd_load_weight][2] | float) }}'
 
 
+# ----------------------
+#   Process monitoring
+# ----------------------
+
+# .. envvar:: snmpd_proc_hidepid
+#
+# Should the ``debops.snmpd`` add the ``snmp`` user account to a group that has
+# access to the ``/proc`` filesystem?
+snmpd_proc_hidepid: '{{ True
+                        if (ansible_local|d() and ansible_local.proc|d() and
+                            ansible_local.proc.hidepid|bool)
+                        else False }}'
+
+
+# .. envvar:: snmpd_proc_hidepid_group
+#
+# Name of the system group which ``snmp`` user will be added to to get
+# information about processes.
+snmpd_proc_hidepid_group: '{{ (ansible_local.proc.hidepid_group
+                               if (ansible_local|d() and ansible_local.proc|d() and
+                                   ansible_local.proc.hidepid_group|d())
+                               else "") }}'
+
+
 # ------------------------------------------
 #   SNMPv3 admin, agent and local accounts
 # ------------------------------------------

tasks/main.yml

@@ -37,6 +37,14 @@
     mode: '0644'
   notify: [ 'Reload systemd daemon', 'Restart snmpd' ]
 
+- name: Allow 'snmp' user access to /proc if needed
+  user:
+    name: 'snmp'
+    groups: '{{ snmpd_proc_hidepid_group }}'
+    append: True
+  when: snmpd_proc_hidepid | bool
+  notify: [ 'Restart snmpd' ]
+
 - name: Enable MIBs support
   lineinfile:
     dest: '/etc/snmp/snmp.conf'