From cfc6ec97211c1754f9782123737b7385925a2c08 Mon Sep 17 00:00:00 2001
From: sjat
Date: Mon, 8 Jun 2026 19:33:48 +0200
Subject: [PATCH] feat(identity): identity, DNS, NTP, service hardening

Implements Task 5. Disables telnet/ftp/www/www-ssl/api/api-ssl (winbox kept for recovery), sets DNS + NTP client, ensures SSH on the configured port. Verified run-twice idempotent (changed=0) against crs310-maker on the bench. Also sets ansible_user=sjat in host_vars for day-2 key auth.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 host_vars/crs310-maker.yml | 4 ++
 .../tasks/identity.yml | 39 +++++++++++++++++--
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/host_vars/crs310-maker.yml b/host_vars/crs310-maker.yml
index c677c40..58a83bf 100644
--- a/host_vars/crs310-maker.yml
+++ b/host_vars/crs310-maker.yml
@@ -10,6 +10,10 @@
 # group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
 # (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
 # reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
+# Day-2 connection: key auth as the named admin user (overrides the bootstrap
+# default ansible_user=admin in group_vars/mikrotik.yml).
+ansible_user: sjat
+
 switch_identity_name: "crs310-maker"
 switch_mgmt_vlan_id: 99
 switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
diff --git a/roles/makerfloss.mikrotik_switch/tasks/identity.yml b/roles/makerfloss.mikrotik_switch/tasks/identity.yml
index fe0a9a3..1095690 100644
--- a/roles/makerfloss.mikrotik_switch/tasks/identity.yml
+++ b/roles/makerfloss.mikrotik_switch/tasks/identity.yml
@@ -1,4 +1,37 @@
 ---
-- name: Placeholder
- ansible.builtin.debug:
- msg: "not yet implemented"
+# Identity, management services, DNS/NTP and service hardening.
+# All commands here are `set` on singleton/named items, so they are naturally
+# idempotent; RouterOS `command` cannot report change, hence `changed_when: false`.
+
+- name: Set system identity
+ community.routeros.command:
+ commands:
+ - /system/identity/set name="{{ switch_identity_name }}"
+ changed_when: false
+
+- name: Configure DNS servers
+ community.routeros.command:
+ commands:
+ - /ip/dns/set servers="{{ switch_dns_servers }}" allow-remote-requests=no
+ changed_when: false
+
+- name: Configure NTP client
+ community.routeros.command:
+ commands:
+ - /system/ntp/client/set enabled=yes servers="{{ switch_ntp_servers }}"
+ changed_when: false
+
+- name: Disable unused IP services (hardening; winbox kept for recovery)
+ community.routeros.command:
+ commands:
+ - /ip/service/set {{ item }} disabled=yes
+ loop: "{{ switch_disabled_services }}"
+ loop_control:
+ label: "{{ item }}"
+ changed_when: false
+
+- name: Ensure SSH service is enabled on the configured port
+ community.routeros.command:
+ commands:
+ - /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
+ changed_when: false
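Review bot: The final task leaves SSH (and the winbox service the loop deliberately keeps) reachable from every address, so the hardening still exposes both management services network-wide; RouterOS `/ip/service` accepts an `address=` allow-list, and the SSH line could become `- /ip/service/set ssh disabled=no port={{ switch_ssh_port }} address="{{ switch_mgmt_allowed_from }}"` (variable name illustrative), with the same restriction applied to winbox. Because the host_vars hunk says the switch is still on the bench at 192.168.88.1 with the real mgmt addressing a future plan, that allow-list must include the bench network for now or the play locks itself out. The same hunk has a second lockout path: if `switch_disabled_services` ever contains `ssh`, or `switch_ssh_port` differs from the port the current session uses (assuming the routeros connection rides over SSH, which the hunk does not show), the disable/port-change task severs the session before the last task runs, and `changed_when: false` on every task hides that any service state actually moved. An assert placed before the loop makes that contract explicit and fails fast instead.
```yaml
- name: Refuse to disable the management service this play connects over
  ansible.builtin.assert:
    that:
      - "'ssh' not in switch_disabled_services"
    fail_msg: "switch_disabled_services must not contain ssh"

# … unchanged: Disable unused IP services loop and the SSH task …
```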