# MakerFLOSS_Mikrotik

Ansible IaC for one **MikroTik CRS310-8G+2S+IN** switch (RouterOS 7) at the makerspace, managed over SSH with `community.routeros`. Sibling project to AnsibleBaobabV4 (whose conventions this repo copies); independent repo on `forgejo.makerfloss.eu`.

## Tech stack

- Ansible 10.x / ansible-core 2.17, `community.routeros` 3.x + `ansible.netcommon`
- Connection: `ansible.netcommon.network_cli`, `ansible_network_os: community.routeros.routeros`, SSH **key** auth
- Vault identity **`makerfloss`** (`~/.ansible/vault-keys/makerfloss.txt`)
- Lint: `ansible-lint` (profile: production), `yamllint`

## Structure

- `inventories/prod/hosts.yml` — group `mikrotik`, host `crs310-maker`
- `group_vars/mikrotik.yml` — connection vars + `switch_*_enabled` flags
- `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters)
- `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map
- `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags
- `play_switch.yml` (day-2), `play_bootstrap.yml` / `play_backup.yml` (to implement)
- `docs/` — field guide, design spec, implementation plan

## Essential commands

```bash
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check
ansible-playbook play_switch.yml                  # day-2 (key auth)
ansible-playbook play_switch.yml --tags vlans     # one domain
ansible-vault view group_vars/mikrotik.vault.yml  # read a secret
```

## Rules

- **Idempotency:** RouterOS tasks use `community.routeros.command` with `:if [find]` guards. Run every device-touching play **twice**; the second run must report no changes.
- **Lockout safety:** keep an independent recovery channel (serial/WinBox-MAC) when touching mgmt/services/VLANs; enable `vlan-filtering` **last**.
- **All real values go in `host_vars`;** the role holds only mechanism + placeholders.
- **Secrets** go to the `makerfloss` vault, never plaintext. Encrypt with `ansible-vault encrypt --encrypt-vault-id makerfloss `.
- **New work:** branch first, implement, verify (lint + syntax + run-twice), then merge.

## Status / next

Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned). The per-domain task files are **stubs**; implement them per `docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md` (Tasks 5–9), reading the "carry-over notes" at the end of that plan first.
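
The run-twice rule under Rules can be enforced mechanically instead of by reading the recap by eye. The script below is an added example, not part of this repo: `recap_is_clean` and `run_twice` are hypothetical helper names, the sample recap is constructed, and it assumes the `PLAY RECAP` line format of Ansible's default stdout callback.

```shell
#!/usr/bin/env bash
# Added example (not from this repo): gate for the "run twice, second run
# reports no changes" rule. Function names are hypothetical.

# Constructed sample of a second-run recap (default stdout callback format).
SAMPLE_RECAP='PLAY RECAP *********************************************************
crs310-maker : ok=12 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0'

# Reads ansible-playbook output on stdin. Succeeds only if a PLAY RECAP exists
# and every host line has changed=0, unreachable=0 and failed=0.
# A missing recap counts as failure, so an aborted run cannot pass the gate.
recap_is_clean() {
  awk '
    /^PLAY RECAP/ { in_recap = 1; next }
    in_recap && /changed=/ {
      hosts++
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if ((kv[1] == "changed" || kv[1] == "unreachable" || kv[1] == "failed") \
            && kv[2] + 0 != 0) {
          print "second run not clean: " $1 " " $i
          bad = 1
        }
      }
    }
    END { if (hosts == 0 || bad) exit 1 }
  ' >&2
}

# Runs the playbook twice with the same arguments. The first run may change the
# device; the second must be a no-op, otherwise a task is not idempotent.
run_twice() {
  ansible-playbook "$@" || return 1
  out=$(ANSIBLE_NOCOLOR=1 ansible-playbook "$@") || { printf '%s\n' "$out"; return 1; }
  printf '%s\n' "$out"
  printf '%s\n' "$out" | recap_is_clean
}
```

Usage: `run_twice play_switch.yml --tags vlans`; a non-zero exit status means the second run changed something, failed, or produced no recap.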