diff --git a/.ansible-lint b/.ansible-lint
index b567eb6..3487a53 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -6,3 +6,4 @@ skip_list:
 exclude_paths:
 - .venv/
 - backups/
+ - group_vars/mikrotik.vault.yml
diff --git a/.yamllint b/.yamllint
index e73b9ab..4999b0f 100644
--- a/.yamllint
+++ b/.yamllint
@@ -9,3 +9,4 @@ rules:
 ignore: |
 .venv/
 backups/
+ *.vault.yml
diff --git a/group_vars/mikrotik.vault.yml b/group_vars/mikrotik.vault.yml
new file mode 100644
index 0000000..ce193b6
--- /dev/null
+++ b/group_vars/mikrotik.vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.2;AES256;makerfloss
+65633363353761306465316563336137323966313330313238633661313938633939653330383561
+3936363934636563383032646631336464363534613366360a666162626432303066383863376530
+34616565613837326661323565306263636661396637313263613433366438653934383266343664
+6538656135366336630a303536663139396364643539636532616165386533616635313166366564
+31303762313063353734666632623262616562383833353765376263333732386336616336383934
+61623334666230356661636433613633653439353662393730313663656664663962346139666639
+396431396664316165663030633732656632
diff --git a/host_vars/crs310-maker.yml b/host_vars/crs310-maker.yml
index ec77567..c677c40 100644
--- a/host_vars/crs310-maker.yml
+++ b/host_vars/crs310-maker.yml
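Review bot: The two lint exclusions in this commit do not cover the same set of files: the `.ansible-lint` hunk lists the single path `group_vars/mikrotik.vault.yml`, while the `.yamllint` hunk ignores the pattern `*.vault.yml`. A second vault file added later would be skipped by yamllint but still handed to ansible-lint. If the ansible-lint version in use accepts glob patterns in `exclude_paths` (worth confirming), use the same pattern there, quoted so YAML does not read the leading `*` as an alias: `- "*.vault.yml"`. Otherwise add a comment beside the entry saying each new vault file must be listed explicitly.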
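Review bot: The new `group_vars/mikrotik.vault.yml` is opaque to review, and nothing in plaintext declares which variables it defines; the only mention of `vault_switch_admin_password` is a comment in `host_vars/crs310-maker.yml`. Consider a plaintext group_vars file that maps the role's password variable to `vault_switch_admin_password`, so variable names stay greppable while the value stays encrypted. Because this ciphertext now stays in history permanently, its protection rests entirely on the password for the `makerfloss` vault ID: use a long random passphrase stored outside the repository. If that passphrase is ever exposed, rotate the switch password itself, since re-keying the vault does not protect the blob already committed.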
@@ -1,5 +1,15 @@
 ---
-# Identity facts recorded during Phase 0.6 (edit to match the device)
+# Device facts (recorded on-site 2026-06-08):
+# model: CRS310-8G+2S+IN
+# serial: HM40B8TDNDD
+# base MAC (ether1): D0:EA:11:24:F4:AA
+# RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
+#
+# Bootstrap status (2026-06-08): identity set; user `sjat` (full) created with the
+# operator ed25519 key imported + a vaulted password (vault_switch_admin_password in
+# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
+# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
+# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
 switch_identity_name: "crs310-maker"
 switch_mgmt_vlan_id: 99
 switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
@@ -18,6 +28,6 @@ switch_bridge_ports:
 - {interface: "ether2", pvid: 10, mode: access}
 - {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}
-# Firmware (opt-in)
-# switch_firmware_enabled: true
-# switch_firmware_target: "7.x.y" # EDIT to the version pinned in Phase 0.3
+# Firmware: pinned at the version already installed (no upgrade planned now).
+switch_firmware_target: "7.19.6"
+# switch_firmware_enabled: true # opt-in only when you actually want to upgrade
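Review bot: The new header comment in the first hunk of `host_vars/crs310-maker.yml` commits the device serial number, base MAC, the privileged username, and the statement that the default `admin` account is still enabled. All of that stays in repository history after the device has been hardened. A dated status paragraph also goes stale as soon as the next bootstrap step is done. Consider keeping only the facts the playbook relies on (model, pinned RouterOS version) and moving the rest to a private runbook or ticket. The open item can then be tracked as `# TODO(hardening): disable the default admin account before the switch leaves the bench`.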
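Review bot: In the second hunk, `switch_firmware_target` is now set while `switch_firmware_enabled` stays commented out, so whether an upgrade task can run depends on the role's default for that variable, which this diff does not show. State the intent explicitly with `switch_firmware_enabled: false  # set true only for a planned upgrade` instead of a commented-out `true`. Since the pin is described as "no upgrade planned now", a dated comment saying when it will next be checked against vendor security advisories would keep 7.19.6 from becoming a permanent default.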