docs: mark domain tasks implemented; note deferred vlans device run
Implements Task 10 doc updates. README/CLAUDE/role-README now reflect that all task files + play_bootstrap/play_backup are implemented and idempotency-verified, that vlans is built+validated but its device run is deferred (placeholder topology, on-site recovery needed), and that the bootstrap/backup plays exist. Corrects the bootstrap invocation example (-e ansible_user=admin --ask-pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent 5931542473
commit 67554c0b38
3 changed files with 25 additions and 13 deletions
15 CLAUDE.md
@ -18,7 +18,7 @@ conventions this repo copies); independent repo on `forgejo.makerfloss.eu`.
- `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters)
- `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map
- `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags
- `play_switch.yml` (day-2), `play_bootstrap.yml` / `play_backup.yml` (to implement)
- `play_switch.yml` (day-2), `play_bootstrap.yml` (first contact), `play_backup.yml`
- `docs/` — field guide, design spec, implementation plan
## Essential commands
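Review bot: the rewritten layout line labels `play_bootstrap.yml` as "(first contact)" but leaves `play_backup.yml` bare, so the parallel structure with the `(day-2)` tag is lost; suggest `play_backup.yml (export into repo)` or similar, matching the comment the README's command block uses for that play.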
@ -43,7 +43,12 @@ ansible-vault view group_vars/mikrotik.vault.yml # read a secret
## Status / next
Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned).
The per-domain task files are **stubs**; implement them per
`docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md` (Tasks 5–9), reading the
"carry-over notes" at the end of that plan first.
Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned;
default `admin` now disabled). All per-domain task files are **implemented**:
`identity`, `users`, `backup`, `firmware` (opt-in) and `play_bootstrap` / `play_backup`
are idempotency-verified against the device. `vlans` is implemented and Jinja-validated
but its **device run is deferred** — the `host_vars` topology is still a placeholder.
Next, on-site with a recovery channel: drop the real VLAN/port map into `host_vars`,
reconcile the legacy defconf IP (`192.168.88.1/24` lives directly on `bridge`), then run
`--tags vlans` and confirm mgmt reachability before/after `vlan-filtering=yes`.
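Review bot: the new status paragraph lists `firmware` (opt-in) among the task files that "are idempotency-verified against the device", but the README hunk in this same commit qualifies firmware as "lint/syntax only"; reconcile the two here, e.g. `firmware` (opt-in, lint/syntax only), so CLAUDE.md does not overstate what was exercised on hardware. The "Next" paragraph would also be clearer if it named the recovery channel the README specifies (serial/WinBox-MAC) instead of the generic "a recovery channel".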
16 README.md
@ -12,10 +12,13 @@ rebuilt from this repo instead of by hand in WinBox.
|---|---|
| Repo scaffolding, role skeleton, vault | ✅ done |
| On-site device prep + **bootstrap** (named user + SSH key + identity) | ✅ done (2026-06-08) |
| Day-2 config: `identity` / `users` / `vlans` / `backup` / `firmware` tasks | ⏳ **stubs** — to implement (see `docs/superpowers/plans/`) |
| `identity` / `users` / `backup` / `firmware` + `play_bootstrap` / `play_backup` | ✅ implemented; idempotency-verified against the device (firmware is opt-in, lint/syntax only) |
| `vlans` (VLAN-aware bridge, ports, mgmt iface) | ✅ implemented + Jinja-validated; **device run deferred** — needs the real VLAN/port plan and an on-site recovery channel before `vlan-filtering` is enabled |
The switch is reachable today by key auth as user `sjat`; the per-domain task files
still need their real RouterOS logic written and idempotency-tested.
The switch is reachable today by key auth as user `sjat`. All task files now carry their
real RouterOS logic. The `vlans` topology in `host_vars` is still a **placeholder**:
replace it with the real makerspace VLAN ids + per-port map before running `--tags vlans`
on the live device, and do so on-site with a serial/WinBox-MAC recovery channel open.
## Layout
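Review bot: the `vlans` row says "Jinja-validated" without saying what that covered; since the command block in this README only lists `--syntax-check`, state whether the templates were actually rendered against the placeholder `host_vars` or only syntax-checked, so a reader does not take the ✅ as evidence that the generated RouterOS commands were reviewed. The bootstrap row carries a date (2026-06-08) while the two new ✅ rows do not; add the verification date for consistency.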
@ -62,15 +65,16 @@ community.routeros.routeros`, authenticating with the operator SSH key
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check
# First contact on a fresh/reset device (password auth, one time)
ansible-playbook play_bootstrap.yml --ask-pass # (play to be implemented)
ansible-playbook play_bootstrap.yml -e ansible_user=admin --ask-pass
# Day-2 configuration (key auth, idempotent)
ansible-playbook play_switch.yml
ansible-playbook play_switch.yml --tags vlans # one domain
ansible-playbook play_switch.yml --tags identity,users # safe domains
ansible-playbook play_switch.yml --tags vlans # on-site only — see lockout note
ansible-playbook play_switch.yml --limit crs310-maker
# Backup config into the repo
ansible-playbook play_backup.yml # (play to be implemented)
ansible-playbook play_backup.yml
```
## ⚠️ Lockout safety
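Review bot: the untagged `ansible-playbook play_switch.yml` line still reads as the default day-2 invocation, yet with the `vlans` topology a placeholder it would push that placeholder bridge/VLAN config unless the vlans domain is gated off by default; either say next to that line that `vlans` is disabled by default (and name the flag), or carry the "on-site only — see lockout note" caveat onto the untagged line as well. The corrected bootstrap line (`-e ansible_user=admin --ask-pass`) is right for a fresh device, but since bootstrap now disables `admin`, the "one time" comment should state explicitly that the command is not re-runnable after first contact.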
@ -15,8 +15,11 @@ subset with `--tags`.
| `switch_backup_enabled` | `backup.yml` | `backup` | `/export` + binary backup, fetched into the repo |
| `switch_firmware_enabled` | `firmware.yml` | `firmware` | RouterOS + RouterBOOT upgrade to `switch_firmware_target` (opt-in) |
> The per-domain task files are currently **stubs** pending implementation (see the
> plan in `docs/superpowers/plans/`).
> All per-domain task files are implemented. `identity`, `users`, `backup` and
> `firmware` are idempotency-verified against the device; `vlans` is implemented and
> Jinja-validated but its device run is deferred until the real topology is in
> `host_vars` and an on-site recovery channel is available (it enables
> `vlan-filtering` last, which can strand management if the mgmt path is wrong).
## Variables (`defaults/main.yml`)
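Review bot: the blockquote warns that `vlan-filtering` is enabled last and can strand management if the mgmt path is wrong, but it gives the reader nothing to act on; point the sentence at the README's "Lockout safety" section (visible in the README hunk above) and state the precondition concretely, i.e. the mgmt interface in `host_vars` must be reachable over the port the operator is connected through and a serial/WinBox-MAC session must be open, rather than the generic "on-site recovery channel". This blockquote also repeats the firmware "idempotency-verified against the device" claim that the README hunk qualifies as "lint/syntax only"; align the wording.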