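---
# Identity, management services, DNS/NTP and service hardening.
#
# Every command below is a `set` on a singleton or a named item, so re-running
# the file converges without side effects. community.routeros.command cannot
# report whether anything changed, hence `changed_when: false` on each task.
#
# Ordering matters in the hardening section: services are disabled first and
# SSH is (re-)enabled last, so the management session this play runs over is
# never left without a working channel.

- name: Refuse to disable the SSH service the play itself relies on
  # Guard for the loop further down: an `ssh` entry in switch_disabled_services
  # would issue `/ip/service/set ssh disabled=yes` and could drop the session
  # before the re-enable task at the end of this file runs.
  ansible.builtin.assert:
    that:
      - "'ssh' not in switch_disabled_services"
    fail_msg: >-
      switch_disabled_services must not contain 'ssh': disabling it mid-play
      would cut the management session before the re-enable task runs.

- name: Set system identity
  community.routeros.command:
    commands:
      - /system/identity/set name="{{ switch_identity_name }}"
  changed_when: false

- name: Configure DNS servers
  # Resolver is for the device itself; allow-remote-requests=no keeps the
  # switch from acting as an open DNS forwarder on any of its interfaces.
  # NOTE(review): assumes switch_dns_servers is already a comma-separated
  # string in RouterOS form; a YAML list would render as a Python repr here.
  community.routeros.command:
    commands:
      - /ip/dns/set servers="{{ switch_dns_servers }}" allow-remote-requests=no
  changed_when: false

- name: Enable NTP client
  community.routeros.command:
    commands:
      - /system/ntp/client/set enabled=yes servers="{{ switch_ntp_servers }}"
  when: switch_ntp_enabled | bool
  changed_when: false

- name: Disable NTP client (isolated mgmt plane has no upstream time source)
  community.routeros.command:
    commands:
      - /system/ntp/client/set enabled=no
  when: not (switch_ntp_enabled | bool)
  changed_when: false

- name: Disable unused IP services (hardening; winbox kept for recovery)
  # One command per service; the assert above guarantees `ssh` is never here.
  community.routeros.command:
    commands:
      - /ip/service/set {{ item }} disabled=yes
  loop: "{{ switch_disabled_services }}"
  loop_control:
    label: "{{ item }}"
  changed_when: false

- name: Ensure SSH service is enabled on the configured port
  # Runs last so SSH is guaranteed up after hardening. If switch_ssh_port
  # differs from the port the current connection uses, later tasks need to
  # reconnect on the new port (ansible_port) — confirm when changing it.
  community.routeros.command:
    commands:
      - /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
  changed_when: false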