---
# Identity, management services, DNS/NTP and service hardening.
# All commands here are `set` on singleton/named items, so they are naturally
# idempotent; RouterOS `command` cannot report change, hence `changed_when: false`.
# Device hostname (shows up in the prompt and in log/syslog lines, so keep it
# unique per switch for log correlation). The value is interpolated inside
# RouterOS double quotes and is not escaped here, so a name containing `"`
# would break the command — keep switch_identity_name to plain hostname chars.
- name: Set system identity
  community.routeros.command:
    commands:
      - '/system/identity/set name="{{ switch_identity_name }}"'
  changed_when: false
# Resolver used by the switch itself. allow-remote-requests=no stops RouterOS
# from answering DNS queries from other hosts, so the switch cannot be turned
# into an open resolver / amplification source.
# NOTE(review): servers= is rendered verbatim — confirm switch_dns_servers is a
# comma-separated string; a YAML list would render as a Python list repr.
- name: Configure DNS servers
  community.routeros.command:
    commands:
      - '/ip/dns/set servers="{{ switch_dns_servers }}" allow-remote-requests=no'
  changed_when: false
# Paired with the "Disable NTP client" task below: exactly one of the two runs,
# so the NTP client state is always set explicitly rather than left as found.
# NOTE(review): servers= is rendered verbatim, same caveat as for DNS — confirm
# switch_ntp_servers is a comma-separated string.
- name: Enable NTP client
  when: switch_ntp_enabled | bool
  community.routeros.command:
    commands:
      - '/system/ntp/client/set enabled=yes servers="{{ switch_ntp_servers }}"'
  changed_when: false
# Counterpart of "Enable NTP client". With the client off, the device's log
# timestamps depend on its local clock only — keep that in mind when
# correlating this switch's logs with other sources.
- name: Disable NTP client (isolated mgmt plane has no upstream time source)
  when: not (switch_ntp_enabled | bool)
  community.routeros.command:
    commands:
      - /system/ntp/client/set enabled=no
  changed_when: false
# One `set <service> disabled=yes` per entry in switch_disabled_services. The
# loop variable is spliced into the RouterOS command unquoted, so the list must
# hold bare RouterOS service names from inventory (constructed example:
# telnet, ftp, www) — nothing user-supplied.
# NOTE(review): this module presumably talks to the switch over SSH; keep `ssh`
# out of the list, otherwise the control connection drops before the
# "Ensure SSH service is enabled" task can re-enable it.
- name: Disable unused IP services (hardening; winbox kept for recovery)
  community.routeros.command:
    commands:
      - '/ip/service/set {{ item }} disabled=yes'
  loop: '{{ switch_disabled_services }}'
  loop_control:
    label: '{{ item }}'
  changed_when: false
# Keeps SSH reachable on the managed port after the service cleanup above.
# NOTE(review): if switch_ssh_port differs from the port this play connects on
# (ansible_port), later tasks in the same run may fail to reconnect — verify
# the two agree. Source restriction (RouterOS `address=`) is not set here;
# confirm management-plane access is limited elsewhere (firewall/ACL).
- name: Ensure SSH service is enabled on the configured port
  community.routeros.command:
    commands:
      - '/ip/service/set ssh disabled=no port={{ switch_ssh_port }}'
  changed_when: false