feat(users): ensure named admin, disable default admin

Implements Task 6. Guards user creation with :if [find]; disables the built-in
admin (switch_disable_default_admin) now that sjat key login is proven. Verified
run-twice idempotent (changed=0); admin disabled=true, sjat reachable on bench.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-08 19:34:58 +02:00
parent cfc6ec9721
commit ea7cf5ec03

View file

@ -1,4 +1,22 @@
---
- name: Placeholder
ansible.builtin.debug:
msg: "not yet implemented"
# Ensure the named admin user exists and (optionally) disable the built-in `admin`.
# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees
# the user is present and the default account is hardened. Idempotency comes from the
# RouterOS `:if [find]` guards, so `changed_when: false` is correct here.
- name: Ensure named admin user exists
community.routeros.command:
commands:
- >-
:if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={
/user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}" }
changed_when: false
- name: Disable the default admin user
community.routeros.command:
commands:
- >-
:if ([:len [/user find name="admin"]] > 0) do={
/user/set admin disabled=yes }
when: switch_disable_default_admin | bool
changed_when: false