feat(users): ensure named admin, disable default admin
Implements Task 6. Guards user creation with :if [find]; disables the built-in admin (switch_disable_default_admin) now that sjat key login is proven. Verified run-twice idempotent (changed=0); admin disabled=true, sjat reachable on bench.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
cfc6ec9721
commit
ea7cf5ec03
1 changed files with 21 additions and 3 deletions
@ -1,4 +1,22 @@
---
- name: Placeholder
ansible.builtin.debug:
msg: "not yet implemented"
# Ensure the named admin user exists and (optionally) disable the built-in `admin`.
# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees
# the user is present and the default account is hardened. Idempotency comes from the
# RouterOS `:if [find]` guards, so `changed_when: false` is correct here.
- name: Ensure named admin user exists
community.routeros.command:
commands:
- >-
:if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={
/user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}" }
changed_when: false
- name: Disable the default admin user
community.routeros.command:
commands:
- >-
:if ([:len [/user find name="admin"]] > 0) do={
/user/set admin disabled=yes }
when: switch_disable_default_admin | bool
changed_when: false
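Review bot: the task at `- name: Disable the default admin user` disables `admin` on the strength of a variable (`when: switch_disable_default_admin | bool`), not of any runtime check that the named account can actually log in; the preceding task creates that account with only `name=` and `group=`, no `password=` and no key, and the comment above it relies on play_bootstrap.yml having imported the key. A guard in the same `:if` style (for example confirming `[:len [/user/ssh-keys find user="{{ switch_admin_user }}"]] > 0` before `/user/set admin disabled=yes`) would fail safe on a host where bootstrap never ran instead of locking the operator out. Two smaller points: an account added without `password=` has an empty password on RouterOS, so either set one from a vaulted variable or make sure the login policy for that group excludes password authentication; and `changed_when: false` on both tasks means the run that actually creates the user or disables `admin` still reports `changed=0`, so if that first change should be visible, have the script `:put` a marker inside the `do={}` branch and key `changed_when` on the task's `stdout`.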