Bring the everyday guides up to the live state (flat data VLAN 30 + isolated mgmt
VLAN 99 on ether8, DHCP + web UI experiment) and record the gotchas that cost time:
the bench tunnel (paramiko ignores ProxyJump), mamba NM-profile stickiness on cable
flap, the RouterOS find-by-address quirk, and the commit-confirmed detached-flip
pattern for lockout-prone changes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, reach the
admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login still
required; default admin stays disabled. mamba keeps static .2 (outside the pool).
New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by
default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

RouterOS 'find ... address=<prefix>' never matches an ip/address value, so the
legacy-bridge-IP removal is now a :foreach get-and-compare. Refresh the committed
export.rsc to the post-cutover config (flat VLAN 30 + isolated mgmt VLAN 99 on
ether8, vlan-filtering on). Spec updated with execution notes (NM autoconnect flap,
the find-address quirk, and the commit-confirmed detached-flip technique used).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

host_vars: DATA VLAN 30 (ether1 uplink + ether2-7 + sfp1/2), isolated MGMT VLAN 99
on ether8, mgmt 192.168.88.1/24, no gateway, NTP disabled. Role: switch_ntp_enabled
flag (enable/disable NTP), conditional default route (skip when no gateway), and a
guarded removal of the legacy defconf bridge IP so the mgmt IP lives only on vlan-mgmt.
Membership Jinja re-validated; lint+syntax clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ether1 copper uplink (SFP+ deferred), flat 10.2.30.0/24 data VLAN 30, isolated
mgmt VLAN 99 on ether8 with switch mgmt 192.168.88.1/24, no gateway/NTP/DNS.
Includes the lockout-safe on-site cutover runbook.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 10 doc updates. README/CLAUDE/role-README now reflect that all
task files + play_bootstrap/play_backup are implemented and idempotency-verified,
that vlans is built+validated but its device run is deferred (placeholder topology,
on-site recovery needed), and that the bootstrap/backup plays exist. Corrects the
bootstrap invocation example (-e ansible_user=admin --ask-pass).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 4 (the play was run on-site but never committed). Creates the
named admin user, imports the operator pubkey over SCP (net_put), enables SSH.
Improvements over the plan: the key import is :if [find] guarded so re-runs don't
create duplicate keys, and the vaulted password is loaded via vars_files (it is
not auto-loaded because group_vars/mikrotik.vault.yml doesn't match the group-name
convention). Verified idempotent (changed=0) against crs310-maker; no duplicate key.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 9. Version-guarded (no-op when already >= switch_firmware_target,
as crs310-maker is at 7.19.6). Upgrade steps grouped in a block; reboot uses
ignore_unreachable + wait_for_connection instead of ignore_errors so it stays
lint-clean under the production profile. Syntax + lint only; not run (opt-in).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 7. Deliberate lockout-safe ordering (vlan-filtering LAST) with
:if [find] guards that adopt the existing defconf bridge/ports rather than
recreating them. Membership Jinja: trunk ports tagged per tagged_vlans, access
ports untagged per pvid, bridge/CPU tagged only on the mgmt VLAN; else={set} makes
membership declarative. Jinja render validated offline against the placeholder
topology. Device run DEFERRED to an on-site session with a recovery channel
(remote bench has no serial/WinBox-MAC fallback). Topology stays placeholder.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
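
As an added illustration of the membership rules in this commit (trunk ports tagged per tagged_vlans, access ports untagged per pvid, bridge/CPU tagged only on the mgmt VLAN), here is a stand-alone Python reconstruction of that logic. It is not the role's Jinja template; it computes the per-VLAN member lists and renders the `:if [find] ... else={set}` add-or-set guard described above so the rules can be checked offline. The port table, the bridge name `bridge`, the port labels and the VLAN ids are constructed placeholders, not the repo's host_vars.

```python
"""Declarative bridge VLAN membership, reconstructed in Python.

Added example, not the role's Jinja template. The topology, the bridge
name "bridge" and the VLAN ids below are constructed placeholders.
"""
from typing import Dict, List

BRIDGE = "bridge"  # assumed defconf bridge name

# Constructed topology: trunk ports list their tagged VLANs, access ports
# carry exactly one untagged VLAN given by pvid.
PORTS: Dict[str, dict] = {
    "ether1": {"mode": "trunk", "tagged_vlans": [30]},
    **{f"ether{n}": {"mode": "access", "pvid": 30} for n in range(2, 8)},
    "sfp1": {"mode": "access", "pvid": 30},
    "sfp2": {"mode": "access", "pvid": 30},
    "ether8": {"mode": "access", "pvid": 99},
}
VLANS: Dict[int, str] = {30: "data", 99: "mgmt"}
MGMT_VLAN = 99


def membership(ports: Dict[str, dict], vlans: Dict[int, str], mgmt_vlan: int,
               bridge: str = BRIDGE) -> Dict[int, Dict[str, List[str]]]:
    """Return {vlan_id: {"tagged": [...], "untagged": [...]}} for every VLAN.

    Every defined VLAN gets an entry even when empty, so a later `set` can
    clear stale members instead of silently leaving them in place.
    """
    result: Dict[int, Dict[str, List[str]]] = {
        vid: {"tagged": [], "untagged": []} for vid in vlans
    }
    for name, cfg in ports.items():
        if cfg["mode"] == "trunk":
            for vid in cfg["tagged_vlans"]:
                if vid not in result:
                    raise ValueError(f"{name}: tagged VLAN {vid} is not defined")
                result[vid]["tagged"].append(name)
        elif cfg["mode"] == "access":
            vid = cfg["pvid"]
            if vid not in result:
                raise ValueError(f"{name}: pvid {vid} is not defined")
            result[vid]["untagged"].append(name)
        else:
            raise ValueError(f"{name}: unknown mode {cfg['mode']!r}")
    # The bridge (CPU) is a tagged member of the mgmt VLAN only: the switch's
    # own IP lives on vlan-mgmt and the data VLANs never reach the CPU.
    result[mgmt_vlan]["tagged"].insert(0, bridge)
    return result


def render(ports: Dict[str, dict], vlans: Dict[int, str], mgmt_vlan: int,
           bridge: str = BRIDGE) -> List[str]:
    """Render RouterOS commands: one guarded add-or-set per VLAN, then a pvid
    per access port. The guard adopts an existing entry instead of duplicating it."""
    lines: List[str] = []
    for vid, members in sorted(membership(ports, vlans, mgmt_vlan, bridge).items()):
        # An empty list is written as "" so re-runs also drop stale members
        # (assumes RouterOS accepts an empty tagged/untagged list).
        tagged = ",".join(members["tagged"]) or '""'
        untagged = ",".join(members["untagged"]) or '""'
        props = f"tagged={tagged} untagged={untagged}"
        finder = f"find bridge={bridge} vlan-ids={vid}"
        lines.append(
            f":if ([:len [/interface bridge vlan {finder}]] = 0) do={{ "
            f"/interface bridge vlan add bridge={bridge} vlan-ids={vid} {props} "
            f"}} else={{ /interface bridge vlan set [{finder}] {props} }}"
        )
    for name, cfg in ports.items():
        if cfg["mode"] == "access":
            lines.append(
                f"/interface bridge port set [find bridge={bridge} interface={name}] "
                f"pvid={cfg['pvid']}"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(render(PORTS, VLANS, MGMT_VLAN)))
```

Running the script prints the guarded `/interface bridge vlan` lines and the pvid settings; the CPU port shows up only in the VLAN 99 entry, which is the property that keeps the management IP off the data VLAN. The `:if [find]` guard is what keeps a second run from creating duplicate VLAN entries.
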
Implements Task 8. play_backup.yml ensures the local dir then includes backup.yml,
which runs /export + /system backup save and pulls both over SCP (net_get).
Binary .backup is gitignored (may contain secrets); export.rsc is committed.
Verified against crs310-maker on the bench: both artifacts fetched non-empty.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 6. Guards user creation with :if [find]; disables the built-in
admin (switch_disable_default_admin) now that sjat key login is proven. Verified
run-twice idempotent (changed=0); admin disabled=true, sjat reachable on bench.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Implements Task 5. Disables telnet/ftp/www/www-ssl/api/api-ssl (winbox kept
for recovery), sets DNS + NTP client, ensures SSH on the configured port.
Verified run-twice idempotent (changed=0) against crs310-maker on the bench.
Also sets ansible_user=sjat in host_vars for day-2 key auth.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Recorded device facts (CRS310-8G+2S+IN, serial HM40B8TDNDD, RouterOS 7.19.6,
pinned firmware_target 7.19.6). Added encrypted makerfloss-vault admin password
and excluded *.vault.yml from linters. Device bootstrapped over SSH: identity
set to crs310-maker, named user sjat (full) with operator ed25519 key + vaulted
password; key-based login verified from the controller. Default admin still
enabled (hardening + VLANs deferred to the day-2 task files).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Initial design doc for managing the makerspace MikroTik CRS310-8G+2S+IN
switch as IaC over SSH with community.routeros. Single-switch scope,
fresh repo in AnsibleBaobabV4 conventions, separate makerfloss vault.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>