feat(identity): identity, DNS, NTP, service hardening

Implements Task 5. Disables telnet/ftp/www/www-ssl/api/api-ssl (winbox kept
for recovery), sets DNS + NTP client, ensures SSH on the configured port.
Verified run-twice idempotent (changed=0) against crs310-maker on the bench.
Also sets ansible_user=sjat in host_vars for day-2 key auth.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-08 19:33:48 +02:00
parent 12001abac6
commit cfc6ec9721
2 changed files with 40 additions and 3 deletions

View file

@ -10,6 +10,10 @@
# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled # group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet # (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan. # reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
# Day-2 connection: key auth as the named admin user (overrides the bootstrap
# default ansible_user=admin in group_vars/mikrotik.yml).
ansible_user: sjat
switch_identity_name: "crs310-maker" switch_identity_name: "crs310-maker"
switch_mgmt_vlan_id: 99 switch_mgmt_vlan_id: 99
switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP

View file

@ -1,4 +1,37 @@
--- ---
- name: Placeholder # Identity, management services, DNS/NTP and service hardening.
ansible.builtin.debug: # All commands here are `set` on singleton/named items, so they are naturally
msg: "not yet implemented" # idempotent; RouterOS `command` cannot report change, hence `changed_when: false`.
- name: Set system identity
community.routeros.command:
commands:
- /system/identity/set name="{{ switch_identity_name }}"
changed_when: false
- name: Configure DNS servers
community.routeros.command:
commands:
- /ip/dns/set servers="{{ switch_dns_servers }}" allow-remote-requests=no
changed_when: false
- name: Configure NTP client
community.routeros.command:
commands:
- /system/ntp/client/set enabled=yes servers="{{ switch_ntp_servers }}"
changed_when: false
- name: Disable unused IP services (hardening; winbox kept for recovery)
community.routeros.command:
commands:
- /ip/service/set {{ item }} disabled=yes
loop: "{{ switch_disabled_services }}"
loop_control:
label: "{{ item }}"
changed_when: false
- name: Ensure SSH service is enabled on the configured port
community.routeros.command:
commands:
- /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
changed_when: false