MakerFLOSS_Mikrotik/roles/makerfloss.mikrotik_switch/defaults/main.yml
sjat 18de750507 feat(mgmt): DHCP server + web UI on the isolated mgmt VLAN
Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, reach the
admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login still
required; default admin stays disabled. mamba keeps static .2 (outside the pool).
New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by
default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 12:55:03 +02:00


---
# ----- Identity / management -----
switch_identity_name: "{{ inventory_hostname }}"
switch_mgmt_vlan_id: 99
switch_mgmt_address: "192.168.88.1/24" # PLACEHOLDER — override in host_vars
switch_mgmt_gateway: "192.168.88.254" # PLACEHOLDER — override in host_vars
switch_dns_servers: "192.168.88.254"
switch_ntp_enabled: true # set false for an isolated mgmt plane
switch_ntp_servers: "192.168.88.254"
# Services to disable for hardening (winbox kept on by default for recovery)
switch_disabled_services:
  - telnet
  - ftp
  - www
  - www-ssl
  - api
  - api-ssl
switch_ssh_port: 22
switch_web_enabled: false # enable the WWW admin UI (plain HTTP, unencrypted)
# Optional DHCP server on the management VLAN (convenience; login still required).
switch_mgmt_dhcp_enabled: false
switch_mgmt_dhcp_pool: "" # e.g. "192.168.88.10-192.168.88.254"
switch_mgmt_dhcp_network: "" # e.g. "192.168.88.0/24"
# ----- Users -----
switch_admin_user: "sjat"
switch_admin_group: "full"
switch_admin_ssh_pubkey_file: "~/.ssh/id_ed25519.pub"
switch_disable_default_admin: true
# ----- VLAN / bridge / ports (PLACEHOLDER example) -----
# Real topology is defined in host_vars/<switch>.yml.
switch_bridge_name: "bridge"
switch_vlans:
  - {id: 99, name: "mgmt"}
  - {id: 10, name: "members"}
switch_bridge_ports:
  # ether1..ether8 = 2.5GbE access ports; sfp-sfpplus1/2 = 10G uplinks
  - {interface: "ether1", pvid: 10, mode: access}
  - {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}
# ----- Firmware -----
switch_firmware_target: "" # set in host_vars when opting into upgrades
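
Added example, not part of this repository: a pre-flight check that the pool set through switch_mgmt_dhcp_pool / switch_mgmt_dhcp_network cannot hand out an address already used statically (the switch itself, the gateway, or a host such as mamba at .2). The function name check_mgmt_dhcp, the static_hosts parameter and the sample values (built from the placeholders and "e.g." comments above) are assumptions; IPv4 only.

```python
import ipaddress

def check_mgmt_dhcp(v, static_hosts=None):
    """Return a list of conflicts between the mgmt DHCP pool and static addresses.

    v is a dict of the role variables; static_hosts (hypothetical helper
    parameter) maps a host name to its fixed address on the mgmt VLAN.
    """
    if not v.get("switch_mgmt_dhcp_enabled"):
        return []  # DHCP server off (the default): nothing to check
    pool, net = v.get("switch_mgmt_dhcp_pool"), v.get("switch_mgmt_dhcp_network")
    if not pool or not net:
        return ["DHCP enabled but pool or network is empty"]
    try:
        network = ipaddress.ip_network(net)  # strict: rejects host bits set
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    except ValueError as exc:
        return [f"cannot parse pool/network: {exc}"]
    problems = []
    if first > last:
        problems.append("pool start is above pool end")
    for edge in (first, last):
        if edge not in network or edge in (network.network_address, network.broadcast_address):
            problems.append(f"pool edge {edge} is not a usable host in {network}")
    switch_ip = ipaddress.ip_interface(v["switch_mgmt_address"]).ip
    if switch_ip not in network:
        problems.append(f"switch address {switch_ip} is outside {network}")
    reserved = {"switch_mgmt_address": switch_ip,
                "switch_mgmt_gateway": ipaddress.ip_address(v["switch_mgmt_gateway"])}
    for name, addr in (static_hosts or {}).items():
        reserved[name] = ipaddress.ip_address(addr)
    for name, addr in reserved.items():
        if first <= addr <= last:  # a lease could collide with this static host
            problems.append(f"{name} {addr} lies inside the DHCP pool")
    return problems

# Constructed sample: the defaults above with DHCP switched on and the
# "e.g." pool/network from the comments filled in.
SAMPLE = {
    "switch_mgmt_address": "192.168.88.1/24",
    "switch_mgmt_gateway": "192.168.88.254",
    "switch_mgmt_dhcp_enabled": True,
    "switch_mgmt_dhcp_pool": "192.168.88.10-192.168.88.254",
    "switch_mgmt_dhcp_network": "192.168.88.0/24",
}

if __name__ == "__main__":
    for problem in check_mgmt_dhcp(SAMPLE, {"mamba": "192.168.88.2"}):
        print("WARN:", problem)
```

With the placeholder values the check reports that the example pool reaches 192.168.88.254, the placeholder gateway address, so real host_vars should end the pool below any static address.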