MakerFLOSS_Mikrotik/host_vars/crs310-maker.yml
sjat 3fef7ba9e5 feat: bootstrap CRS310 on-site (sjat user + key + vaulted password)
Recorded device facts (CRS310-8G+2S+IN, serial HM40B8TDNDD, RouterOS 7.19.6,
pinned firmware_target 7.19.6). Added encrypted makerfloss-vault admin password
and excluded *.vault.yml from linters. Device bootstrapped over SSH: identity
set to crs310-maker, named user sjat (full) with operator ed25519 key + vaulted
password; key-based login verified from the controller. Default admin still
enabled (hardening + VLANs deferred to the day-2 task files).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 19:13:53 +02:00

33 lines
1.4 KiB
YAML

---
# Device facts (recorded on-site 2026-06-08):
# model: CRS310-8G+2S+IN
# serial: HM40B8TDNDD
# base MAC (ether1): D0:EA:11:24:F4:AA
# RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
#
# Bootstrap status (2026-06-08): identity set; user `sjat` (full) created with the
# operator ed25519 key imported + a vaulted password (vault_switch_admin_password in
# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
switch_identity_name: "crs310-maker"
switch_mgmt_vlan_id: 99
switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
switch_mgmt_gateway: "10.0.99.1" # EDIT: real gateway
switch_dns_servers: "10.0.99.1"
switch_ntp_servers: "10.0.99.1"
switch_admin_user: "sjat"
# Real VLAN/port topology (EDIT to the makerspace plan when known)
switch_vlans:
- {id: 99, name: "mgmt"}
- {id: 10, name: "members"}
switch_bridge_ports:
- {interface: "ether1", pvid: 10, mode: access}
- {interface: "ether2", pvid: 10, mode: access}
- {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}
# Firmware: pinned at the version already installed (no upgrade planned now).
switch_firmware_target: "7.19.6"
# switch_firmware_enabled: true # opt-in only when you actually want to upgrade
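
A pre-flight consistency check for the plan in this file, as an added example (not part of the repository): before the deferred VLAN task is applied to the switch, it confirms that the management VLAN is defined, that the gateway sits inside the management subnet, and that at least one port still carries the management VLAN, so that applying the plan does not cut off management access. The function name `check_host_vars` and the inline `HOST_VARS` dict are assumptions; the dict is a constructed copy of the values shown above.

```python
import ipaddress

# Constructed copy of the host_vars values shown above, kept inline so this runs offline.
HOST_VARS = {
    "switch_mgmt_vlan_id": 99,
    "switch_mgmt_address": "10.0.99.2/24",
    "switch_mgmt_gateway": "10.0.99.1",
    "switch_vlans": [{"id": 99, "name": "mgmt"}, {"id": 10, "name": "members"}],
    "switch_bridge_ports": [
        {"interface": "ether1", "pvid": 10, "mode": "access"},
        {"interface": "ether2", "pvid": 10, "mode": "access"},
        {"interface": "sfp-sfpplus1", "pvid": 1, "mode": "trunk", "tagged_vlans": [99, 10]},
    ],
}


def check_host_vars(hv):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    defined = {v["id"] for v in hv["switch_vlans"]}
    mgmt = hv["switch_mgmt_vlan_id"]
    if mgmt not in defined:
        problems.append(f"mgmt VLAN {mgmt} is not defined in switch_vlans")

    # The gateway must be a different host inside the management subnet.
    iface = ipaddress.ip_interface(hv["switch_mgmt_address"])
    gw = ipaddress.ip_address(hv["switch_mgmt_gateway"])
    if gw not in iface.network or gw == iface.ip:
        problems.append(f"gateway {gw} is not a distinct host inside {iface.network}")

    carried = False  # does any port carry the management VLAN?
    for port in hv["switch_bridge_ports"]:
        name, tagged = port["interface"], port.get("tagged_vlans", [])
        if port["mode"] == "access":
            if port["pvid"] not in defined:
                problems.append(f"{name}: pvid {port['pvid']} is not a defined VLAN")
            carried = carried or port["pvid"] == mgmt
        else:
            problems += [f"{name}: tagged VLAN {v} is not defined" for v in tagged if v not in defined]
            carried = carried or mgmt in tagged or port["pvid"] == mgmt
    if not carried:
        problems.append(f"no port carries mgmt VLAN {mgmt}; applying this plan would cut off management")
    return problems
```

An empty list for the values above means the plan is internally consistent; it says nothing about the device itself, which is still on the bench with defconf.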