From ea7cf5ec038397952b670f77bd39d1ff43419334 Mon Sep 17 00:00:00 2001 From: sjat Date: Mon, 8 Jun 2026 19:34:58 +0200 Subject: [PATCH] feat(users): ensure named admin, disable default admin Implements Task 6. Guards user creation with :if [find]; disables the built-in admin (switch_disable_default_admin) now that sjat key login is proven. Verified run-twice idempotent (changed=0); admin disabled=true, sjat reachable on bench. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../tasks/users.yml | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/roles/makerfloss.mikrotik_switch/tasks/users.yml b/roles/makerfloss.mikrotik_switch/tasks/users.yml index fe0a9a3..189898b 100644 --- a/roles/makerfloss.mikrotik_switch/tasks/users.yml +++ b/roles/makerfloss.mikrotik_switch/tasks/users.yml @@ -1,4 +1,22 @@ --- -- name: Placeholder - ansible.builtin.debug: - msg: "not yet implemented" +# Ensure the named admin user exists and (optionally) disable the built-in `admin`. +# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees +# the user is present and the default account is hardened. Idempotency comes from the +# RouterOS `:if [find]` guards, so `changed_when: false` is correct here. + +- name: Ensure named admin user exists + community.routeros.command: + commands: + - >- + :if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={ + /user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}" } + changed_when: false + +- name: Disable the default admin user + community.routeros.command: + commands: + - >- + :if ([:len [/user find name="admin"]] > 0) do={ + /user/set admin disabled=yes } + when: switch_disable_default_admin | bool + changed_when: false