feat: bootstrap CRS310 on-site (sjat user + key + vaulted password)
Recorded device facts (CRS310-8G+2S+IN, serial HM40B8TDNDD, RouterOS 7.19.6, pinned firmware_target 7.19.6). Added encrypted makerfloss-vault admin password and excluded *.vault.yml from linters. Device bootstrapped over SSH: identity set to crs310-maker, named user sjat (full) with operator ed25519 key + vaulted password; key-based login verified from the controller. Default admin still enabled (hardening + VLANs deferred to the day-2 task files). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
bdfde1644c
commit
3fef7ba9e5
4 changed files with 24 additions and 4 deletions
|
|
@ -6,3 +6,4 @@ skip_list:
|
|||
exclude_paths:
|
||||
- .venv/
|
||||
- backups/
|
||||
- group_vars/mikrotik.vault.yml
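Review bot: The ansible-lint exclusion added on the last line is the exact path `group_vars/mikrotik.vault.yml`, while the companion .yamllint change in this commit ignores the pattern `*.vault.yml`; a second vault file (say under host_vars/) would be skipped by yamllint but picked up by ansible-lint again, which is not what the commit message ("excluded *.vault.yml from linters") describes. If the installed ansible-lint accepts glob patterns in `exclude_paths` (recent releases do; verify against the pinned version), `- "*.vault.yml"` keeps the two linters consistent; otherwise each vault file has to be listed in both places. The file this hunk belongs to is not named on the rendered page (presumably .ansible-lint, from the `skip_list:` context), and the `exclude_paths` list may continue outside the hunk.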
|
||||
|
|
|
|||
|
|
@ -9,3 +9,4 @@ rules:
|
|||
ignore: |
|
||||
.venv/
|
||||
backups/
|
||||
*.vault.yml
|
||||
|
|
|
|||
8
group_vars/mikrotik.vault.yml
Normal file
8
group_vars/mikrotik.vault.yml
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
$ANSIBLE_VAULT;1.2;AES256;makerfloss
|
||||
65633363353761306465316563336137323966313330313238633661313938633939653330383561
|
||||
3936363934636563383032646631336464363534613366360a666162626432303066383863376530
|
||||
34616565613837326661323565306263636661396637313263613433366438653934383266343664
|
||||
6538656135366336630a303536663139396364643539636532616165386533616635313166366564
|
||||
31303762313063353734666632623262616562383833353765376263333732386336616336383934
|
||||
61623334666230356661636433613633653439353662393730313663656664663962346139666639
|
||||
396431396664316165663030633732656632
|
||||
|
|
@ -1,5 +1,15 @@
|
|||
---
|
||||
# Identity facts recorded during Phase 0.6 (edit to match the device)
|
||||
# Device facts (recorded on-site 2026-06-08):
|
||||
# model: CRS310-8G+2S+IN
|
||||
# serial: HM40B8TDNDD
|
||||
# base MAC (ether1): D0:EA:11:24:F4:AA
|
||||
# RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
|
||||
#
|
||||
# Bootstrap status (2026-06-08): identity set; user `sjat` (full) created with the
|
||||
# operator ed25519 key imported + a vaulted password (vault_switch_admin_password in
|
||||
# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
|
||||
# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
|
||||
# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
|
||||
switch_identity_name: "crs310-maker"
|
||||
switch_mgmt_vlan_id: 99
|
||||
switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
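Review bot: The new comment block points at `vault_switch_admin_password` as the vaulted password of the new user `sjat`, but the same block says the built-in `admin` account is still enabled, so the variable name invites a later reader to assume it holds the `admin` account's password. Either rename it when the vault is next rewritten (e.g. `vault_switch_sjat_password`, a constructed name) or qualify the comment: `# vault_switch_admin_password = password of user sjat, NOT the built-in admin account`. Since this header is the recorded state of the device (default `admin` enabled, defconf 192.168.88.1, no VLANs), it would also help to name the day-2 task file the commit message mentions for hardening `admin`, so the deferred step is tracked here rather than only in the commit message.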
|
||||
|
|
@ -18,6 +28,6 @@ switch_bridge_ports:
|
|||
- {interface: "ether2", pvid: 10, mode: access}
|
||||
- {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}
|
||||
|
||||
# Firmware (opt-in)
|
||||
# switch_firmware_enabled: true
|
||||
# switch_firmware_target: "7.x.y" # EDIT to the version pinned in Phase 0.3
|
||||
# Firmware: pinned at the version already installed (no upgrade planned now).
|
||||
switch_firmware_target: "7.19.6"
|
||||
# switch_firmware_enabled: true # opt-in only when you actually want to upgrade
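Review bot: `switch_firmware_target: "7.19.6"` becomes a live variable while `switch_firmware_enabled` stays commented out, and the new comments do not say what the target means in that state: whether the role compares the running version against it (drift detection) or ignores it entirely until upgrades are enabled. Stating that in the comment, along the lines of `# switch_firmware_target is only consulted when switch_firmware_enabled is true; keep it at the installed version so an accidental enable cannot upgrade` (adjusted to what the role actually does), makes the intent of the pin clear to whoever edits this next. Quoting the version string is correct and should stay that way if the pin is ever shortened to a two-component version, which would otherwise parse as a float.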
|
||||
|
|
|
|||