diff --git a/roles/makerfloss.mikrotik_switch/tasks/users.yml b/roles/makerfloss.mikrotik_switch/tasks/users.yml
index fe0a9a3..189898b 100644
--- a/roles/makerfloss.mikrotik_switch/tasks/users.yml
+++ b/roles/makerfloss.mikrotik_switch/tasks/users.yml
@@ -1,4 +1,22 @@
 ---
-- name: Placeholder
-  ansible.builtin.debug:
-    msg: "not yet implemented"
+# Ensure the named admin user exists and (optionally) disable the built-in `admin`.
+# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees
+# the user is present and the default account is hardened. Idempotency comes from the
+# RouterOS `:if [find]` guards, so `changed_when: false` is correct here.
+
+- name: Ensure named admin user exists
+  community.routeros.command:
+    commands:
+      - >-
+        :if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={
+        /user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}" }
+  changed_when: false
+
+- name: Disable the default admin user
+  community.routeros.command:
+    commands:
+      - >-
+        :if ([:len [/user find name="admin"]] > 0) do={
+        /user/set admin disabled=yes }
+  when: switch_disable_default_admin | bool
+  changed_when: false
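Review bot: The `Disable the default admin user` task can lock the device out when `switch_admin_user` is itself `admin`: the first task is then a no-op and the second disables the very account the play is connected through, so guard it with `when: switch_disable_default_admin | bool and switch_admin_user != 'admin'`. The `Ensure named admin user exists` task also runs `/user add` with no `password=` and no key, so on a device where play_bootstrap.yml has not yet run it creates an admin-group account with no credential set and then disables `admin` anyway; an `ansible.builtin.assert` that the named user already has the expected SSH key (or a required password variable) before the disable task would close that gap. Because `{{ switch_admin_user }}` and `{{ switch_admin_group }}` are spliced into a RouterOS script inside double quotes, a value containing `"` or `}` breaks out of the quoted argument, so validating both against a strict name pattern (e.g. `'^[A-Za-z0-9_-]+$'`) in the same assert is worthwhile. The header comment's claim that `changed_when: false` is correct is only half true: the guards make the tasks idempotent but also hide a real user creation or disable from the play recap, which is worth noting in the comment.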