docs: mark domain tasks implemented; note deferred vlans device run

Implements Task 10 doc updates. README/CLAUDE/role-README now reflect that all
task files + play_bootstrap/play_backup are implemented and idempotency-verified,
that vlans is built+validated but its device run is deferred (placeholder topology,
on-site recovery needed), and that the bootstrap/backup plays exist. Corrects the
bootstrap invocation example (-e ansible_user=admin --ask-pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-08 19:45:36 +02:00
parent 5931542473
commit 67554c0b38
3 changed files with 25 additions and 13 deletions

View file

@ -18,7 +18,7 @@ conventions this repo copies); independent repo on `forgejo.makerfloss.eu`.
- `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters) - `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters)
- `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map - `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map
- `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags - `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags
- `play_switch.yml` (day-2), `play_bootstrap.yml` / `play_backup.yml` (to implement) - `play_switch.yml` (day-2), `play_bootstrap.yml` (first contact), `play_backup.yml`
- `docs/` — field guide, design spec, implementation plan - `docs/` — field guide, design spec, implementation plan
## Essential commands ## Essential commands
@ -43,7 +43,12 @@ ansible-vault view group_vars/mikrotik.vault.yml # read a secret
## Status / next ## Status / next
Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned). Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned;
The per-domain task files are **stubs**; implement them per default `admin` now disabled). All per-domain task files are **implemented**:
`docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md` (Tasks 59), reading the `identity`, `users`, `backup`, `firmware` (opt-in) and `play_bootstrap` / `play_backup`
"carry-over notes" at the end of that plan first. are idempotency-verified against the device. `vlans` is implemented and Jinja-validated
but its **device run is deferred** — the `host_vars` topology is still a placeholder.
Next, on-site with a recovery channel: drop the real VLAN/port map into `host_vars`,
reconcile the legacy defconf IP (`192.168.88.1/24` lives directly on `bridge`), then run
`--tags vlans` and confirm mgmt reachability before/after `vlan-filtering=yes`.

View file

@ -12,10 +12,13 @@ rebuilt from this repo instead of by hand in WinBox.
|---|---| |---|---|
| Repo scaffolding, role skeleton, vault | ✅ done | | Repo scaffolding, role skeleton, vault | ✅ done |
| On-site device prep + **bootstrap** (named user + SSH key + identity) | ✅ done (2026-06-08) | | On-site device prep + **bootstrap** (named user + SSH key + identity) | ✅ done (2026-06-08) |
| Day-2 config: `identity` / `users` / `vlans` / `backup` / `firmware` tasks | ⏳ **stubs** — to implement (see `docs/superpowers/plans/`) | | `identity` / `users` / `backup` / `firmware` + `play_bootstrap` / `play_backup` | ✅ implemented; idempotency-verified against the device (firmware is opt-in, lint/syntax only) |
| `vlans` (VLAN-aware bridge, ports, mgmt iface) | ✅ implemented + Jinja-validated; **device run deferred** — needs the real VLAN/port plan and an on-site recovery channel before `vlan-filtering` is enabled |
The switch is reachable today by key auth as user `sjat`; the per-domain task files The switch is reachable today by key auth as user `sjat`. All task files now carry their
still need their real RouterOS logic written and idempotency-tested. real RouterOS logic. The `vlans` topology in `host_vars` is still a **placeholder**:
replace it with the real makerspace VLAN ids + per-port map before running `--tags vlans`
on the live device, and do so on-site with a serial/WinBox-MAC recovery channel open.
## Layout ## Layout
@ -62,15 +65,16 @@ community.routeros.routeros`, authenticating with the operator SSH key
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check
# First contact on a fresh/reset device (password auth, one time) # First contact on a fresh/reset device (password auth, one time)
ansible-playbook play_bootstrap.yml --ask-pass # (play to be implemented) ansible-playbook play_bootstrap.yml -e ansible_user=admin --ask-pass
# Day-2 configuration (key auth, idempotent) # Day-2 configuration (key auth, idempotent)
ansible-playbook play_switch.yml ansible-playbook play_switch.yml
ansible-playbook play_switch.yml --tags vlans # one domain ansible-playbook play_switch.yml --tags identity,users # safe domains
ansible-playbook play_switch.yml --tags vlans # on-site only — see lockout note
ansible-playbook play_switch.yml --limit crs310-maker ansible-playbook play_switch.yml --limit crs310-maker
# Backup config into the repo # Backup config into the repo
ansible-playbook play_backup.yml # (play to be implemented) ansible-playbook play_backup.yml
``` ```
## ⚠️ Lockout safety ## ⚠️ Lockout safety

View file

@ -15,8 +15,11 @@ subset with `--tags`.
| `switch_backup_enabled` | `backup.yml` | `backup` | `/export` + binary backup, fetched into the repo | | `switch_backup_enabled` | `backup.yml` | `backup` | `/export` + binary backup, fetched into the repo |
| `switch_firmware_enabled` | `firmware.yml` | `firmware` | RouterOS + RouterBOOT upgrade to `switch_firmware_target` (opt-in) | | `switch_firmware_enabled` | `firmware.yml` | `firmware` | RouterOS + RouterBOOT upgrade to `switch_firmware_target` (opt-in) |
> The per-domain task files are currently **stubs** pending implementation (see the > All per-domain task files are implemented. `identity`, `users`, `backup` and
> plan in `docs/superpowers/plans/`). > `firmware` are idempotency-verified against the device; `vlans` is implemented and
> Jinja-validated but its device run is deferred until the real topology is in
> `host_vars` and an on-site recovery channel is available (it enables
> `vlan-filtering` last, which can strand management if the mgmt path is wrong).
## Variables (`defaults/main.yml`) ## Variables (`defaults/main.yml`)