From 67554c0b38065dbdbeb82e4c51e38617f1c0979c Mon Sep 17 00:00:00 2001 From: sjat Date: Mon, 8 Jun 2026 19:45:36 +0200 Subject: [PATCH] docs: mark domain tasks implemented; note deferred vlans device run Implements Task 10 doc updates. README/CLAUDE/role-README now reflect that all task files + play_bootstrap/play_backup are implemented and idempotency-verified, that vlans is built+validated but its device run is deferred (placeholder topology, on-site recovery needed), and that the bootstrap/backup plays exist. Corrects the bootstrap invocation example (-e ansible_user=admin --ask-pass). Co-Authored-By: Claude Opus 4.8 (1M context) --- CLAUDE.md | 15 ++++++++++----- README.md | 16 ++++++++++------ roles/makerfloss.mikrotik_switch/README.md | 7 +++++-- 3 files changed, 25 insertions(+), 13 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 85a153e..7b53225 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -18,7 +18,7 @@ conventions this repo copies); independent repo on `forgejo.makerfloss.eu`. - `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters) - `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map - `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags -- `play_switch.yml` (day-2), `play_bootstrap.yml` / `play_backup.yml` (to implement) +- `play_switch.yml` (day-2), `play_bootstrap.yml` (first contact), `play_backup.yml` - `docs/` — field guide, design spec, implementation plan ## Essential commands 
@@ -43,7 +43,12 @@ ansible-vault view group_vars/mikrotik.vault.yml # read a secret ## Status / next -Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned). -The per-domain task files are **stubs**; implement them per -`docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md` (Tasks 5–9), reading the -"carry-over notes" at the end of that plan first. +Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned; +default `admin` now disabled). All per-domain task files are **implemented**: +`identity`, `users`, `backup`, `firmware` (opt-in) and `play_bootstrap` / `play_backup` +are idempotency-verified against the device. `vlans` is implemented and Jinja-validated +but its **device run is deferred** — the `host_vars` topology is still a placeholder. + +Next, on-site with a recovery channel: drop the real VLAN/port map into `host_vars`, +reconcile the legacy defconf IP (`192.168.88.1/24` lives directly on `bridge`), then run +`--tags vlans` and confirm mgmt reachability before/after `vlan-filtering=yes`. diff --git a/README.md b/README.md index 306482a..88ecd53 100644 --- a/README.md +++ b/README.md 
@@ -12,10 +12,13 @@ rebuilt from this repo instead of by hand in WinBox. |---|---| | Repo scaffolding, role skeleton, vault | ✅ done | | On-site device prep + **bootstrap** (named user + SSH key + identity) | ✅ done (2026-06-08) | -| Day-2 config: `identity` / `users` / `vlans` / `backup` / `firmware` tasks | ⏳ **stubs** — to implement (see `docs/superpowers/plans/`) | +| `identity` / `users` / `backup` / `firmware` + `play_bootstrap` / `play_backup` | ✅ implemented; idempotency-verified against the device (firmware is opt-in, lint/syntax only) | +| `vlans` (VLAN-aware bridge, ports, mgmt iface) | ✅ implemented + Jinja-validated; **device run deferred** — needs the real VLAN/port plan and an on-site recovery channel before `vlan-filtering` is enabled | -The switch is reachable today by key auth as user `sjat`; the per-domain task files -still need their real RouterOS logic written and idempotency-tested. +The switch is reachable today by key auth as user `sjat`. All task files now carry their +real RouterOS logic. The `vlans` topology in `host_vars` is still a **placeholder**: +replace it with the real makerspace VLAN ids + per-port map before running `--tags vlans` +on the live device, and do so on-site with a serial/WinBox-MAC recovery channel open. ## Layout 
@@ -62,15 +65,16 @@ community.routeros.routeros`, authenticating with the operator SSH key yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check # First contact on a fresh/reset device (password auth, one time) -ansible-playbook play_bootstrap.yml --ask-pass # (play to be implemented) +ansible-playbook play_bootstrap.yml -e ansible_user=admin --ask-pass # Day-2 configuration (key auth, idempotent) ansible-playbook play_switch.yml -ansible-playbook play_switch.yml --tags vlans # one domain +ansible-playbook play_switch.yml --tags identity,users # safe domains +ansible-playbook play_switch.yml --tags vlans # on-site only — see lockout note ansible-playbook play_switch.yml --limit crs310-maker # Backup config into the repo -ansible-playbook play_backup.yml # (play to be implemented) +ansible-playbook play_backup.yml ``` ## ⚠️ Lockout safety diff --git a/roles/makerfloss.mikrotik_switch/README.md b/roles/makerfloss.mikrotik_switch/README.md index f9a959f..6cf01f1 100644 --- a/roles/makerfloss.mikrotik_switch/README.md +++ b/roles/makerfloss.mikrotik_switch/README.md @@ -15,8 +15,11 @@ subset with `--tags`. | `switch_backup_enabled` | `backup.yml` | `backup` | `/export` + binary backup, fetched into the repo | | `switch_firmware_enabled` | `firmware.yml` | `firmware` | RouterOS + RouterBOOT upgrade to `switch_firmware_target` (opt-in) | -> The per-domain task files are currently **stubs** pending implementation (see the -> plan in `docs/superpowers/plans/`). +> All per-domain task files are implemented. `identity`, `users`, `backup` and +> `firmware` are idempotency-verified against the device; `vlans` is implemented and +> Jinja-validated but its device run is deferred until the real topology is in +> `host_vars` and an on-site recovery channel is available (it enables +> `vlan-filtering` last, which can strand management if the mgmt path is wrong). ## Variables (`defaults/main.yml`)
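Review bot: the new "Next" paragraph in the CLAUDE.md status hunk names the check (`confirm mgmt reachability before/after vlan-filtering=yes`) but not the rollback if the after-check fails. The same hunk records that default `admin` is now disabled, so the only remaining ways back in are the `sjat` key path and the on-site channel; spell out which one is the recovery route and what gets reverted, so the person on site is not working that out with a stranded switch in front of them. Worth one more line here: because `admin` is disabled, `play_bootstrap` is no longer re-runnable against the current device, which is why the README example is scoped to a fresh/reset device.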
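Review bot: the rewritten paragraph under the README status table tells the reader to replace the placeholder topology before running `--tags vlans`, but nothing in this hunk says what stops an untagged `ansible-playbook play_switch.yml` (documented further down the same file as the idempotent day-2 run) from applying the placeholder `vlans` topology. The role README shows every domain gated by a `switch_*_enabled` flag; state the default of the vlans flag in this paragraph or in the new table row, so "device run deferred" is enforced by configuration rather than by remembering to skip a tag.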
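Review bot: in the README command block the bare `ansible-playbook play_switch.yml` and the `--limit crs310-maker` line now sit between `--tags identity,users # safe domains` and `--tags vlans # on-site only — see lockout note` with no comment of their own, so the block does not tell the reader whether an untagged run includes the deferred `vlans` domain. Add a trailing comment to the untagged line stating what it runs, and consider listing the safe-tag invocation first. The corrected bootstrap line (`-e ansible_user=admin --ask-pass`) reads correctly for a reset device; a comment that it must not be pointed at the live switch (where `admin` is disabled per the CLAUDE.md status hunk) would make that explicit.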
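Review bot: the rewritten blockquote in the role README explains the lockout risk (`vlan-filtering` enabled last; a wrong mgmt path strands management) but does not say whether `vlans.yml` verifies the mgmt path before enabling filtering or merely orders that task last; state which, since the two give very different guarantees. Rather than restating the warning in prose here, point at the top-level README's `## ⚠️ Lockout safety` section (visible as context in the previous hunk) so there is a single place to keep the recovery procedure current.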