feat: bootstrap CRS310 on-site (sjat user + key + vaulted password)

Recorded device facts (CRS310-8G+2S+IN, serial HM40B8TDNDD, RouterOS 7.19.6,
pinned firmware_target 7.19.6). Added encrypted makerfloss-vault admin password
and excluded *.vault.yml from linters. Device bootstrapped over SSH: identity
set to crs310-maker, named user sjat (full) with operator ed25519 key + vaulted
password; key-based login verified from the controller. Default admin still
enabled (hardening + VLANs deferred to the day-2 task files).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-06-08 19:13:53 +02:00
parent bdfde1644c
commit 3fef7ba9e5
4 changed files with 24 additions and 4 deletions

@ -6,3 +6,4 @@ skip_list:
exclude_paths:
- .venv/
- backups/
- group_vars/mikrotik.vault.yml
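Review bot: style point on the new `exclude_paths` entry: it lists the single file `group_vars/mikrotik.vault.yml`, while the yamllint change in this same commit ignores the glob `*.vault.yml`. Use the same glob here as well, so the next vault file (host-level or another group) is not linted as ciphertext and this list does not need another edit.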

@ -9,3 +9,4 @@ rules:
ignore: |
.venv/
backups/
*.vault.yml
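Review bot: the `*.vault.yml` ignore is the right scope for yamllint, since encrypted vault files are not YAML and would otherwise fail every rule; it is broader than the ansible-lint exclusion added in this commit, which names only `group_vars/mikrotik.vault.yml`, so the two configs will diverge as soon as a second vault file appears. Align the ansible-lint side to the same pattern.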

@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.2;AES256;makerfloss
65633363353761306465316563336137323966313330313238633661313938633939653330383561
3936363934636563383032646631336464363534613366360a666162626432303066383863376530
34616565613837326661323565306263636661396637313263613433366438653934383266343664
6538656135366336630a303536663139396364643539636532616165386533616635313166366564
31303762313063353734666632623262616562383833353765376263333732386336616336383934
61623334666230356661636433613633653439353662393730313663656664663962346139666639
396431396664316165663030633732656632
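Review bot: missing documentation: the header `$ANSIBLE_VAULT;1.2;AES256;makerfloss` commits ciphertext under the vault-id `makerfloss`, but nothing in this change says where that vault password is supplied from, so nobody else can run the play. Add a short note (README or `ansible.cfg` `vault_identity_list`) stating how the id is provided, e.g. `--vault-id makerfloss@prompt` or a password file that is outside the repo. The confidentiality of this committed blob rests entirely on that vault password, and the variable it carries (`vault_switch_admin_password`, per the group_vars comments in this commit) is the login credential for the switch's full-rights user, so the note should also state who holds the vault password.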

@ -1,5 +1,15 @@
---
# Identity facts recorded during Phase 0.6 (edit to match the device)
# Device facts (recorded on-site 2026-06-08):
# model: CRS310-8G+2S+IN
# serial: HM40B8TDNDD
# base MAC (ether1): D0:EA:11:24:F4:AA
# RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
#
# Bootstrap status (2026-06-08): identity set; user `sjat` (full) created with the
# operator ed25519 key imported + a vaulted password (vault_switch_admin_password in
# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
switch_identity_name: "crs310-maker"
switch_mgmt_vlan_id: 99
switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
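Review bot: logic point on the bootstrap-status comment: it records that the default `admin` account is still enabled and the switch sits at the defconf `192.168.88.1`, but the only tracking is the phrase "not yet hardened". Reference the day-2 hardening task file by name here, so the open item is discoverable from the variables that describe the device. Also, `switch_mgmt_address: "10.0.99.2/24"` still carries the `# EDIT: real mgmt IP` marker while the new comment above calls the addressing the FUTURE production plan; either drop the marker or state that the value is not yet final, so the play is not run against a placeholder by mistake. Finally, the serial and base MAC are now committed in clear text; that is fine for an internal inventory repo, but confirm that is the intended visibility.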
@ -18,6 +28,6 @@ switch_bridge_ports:
- {interface: "ether2", pvid: 10, mode: access}
- {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}
# Firmware (opt-in)
# switch_firmware_enabled: true
# switch_firmware_target: "7.x.y" # EDIT to the version pinned in Phase 0.3
# Firmware: pinned at the version already installed (no upgrade planned now).
switch_firmware_target: "7.19.6"
# switch_firmware_enabled: true # opt-in only when you actually want to upgrade
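Review bot: `switch_firmware_target: "7.19.6"` is now set unconditionally while `switch_firmware_enabled` remains commented out, so the pin is informational until someone uncomments the flag. Make the opt-in explicit rather than implicit: either set `switch_firmware_enabled: false` here or state in the comment that the role defaults it to false, so an undefined variable is never read as truthy by a `when:` condition. Since the target equals the version already installed (per the header comment in this file), also note that enabling the flag is expected to be a no-op until the pin is raised.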