---
# Ensure the named admin user exists and (optionally) disable the built-in `admin`.
# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees
# the user is present and the default account is hardened. Idempotency comes from the
# RouterOS `:if [find]` guards, so `changed_when: false` is correct here.

- name: Ensure named admin user exists
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={
        /user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}"
        }
  changed_when: false

- name: Disable the default admin user
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/user find name="admin"]] > 0) do={
        /user/set admin disabled=yes
        }
  when: switch_disable_default_admin | bool
  changed_when: false