MakerFLOSS_Mikrotik/roles/makerfloss.mikrotik_switch/tasks/identity.yml
sjat 18de750507 feat(mgmt): DHCP server + web UI on the isolated mgmt VLAN
Makerspace experiment: plug into ether8 and get a 192.168.88.x lease, reach the
admin at http://192.168.88.1 (web UI re-enabled) / WinBox / SSH. Login still
required; default admin stays disabled. mamba keeps static .2 (outside the pool).
New flags switch_web_enabled + switch_mgmt_dhcp_enabled/pool/network (off by
default). Verified: www HTTP 200, lease handed out + bound, run-twice idempotent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 12:55:03 +02:00

52 lines
1.6 KiB
YAML

---
# Identity, management services, DNS/NTP and service hardening.
# All commands here are `set` on singleton/named items, so they are naturally
# idempotent; RouterOS `command` cannot report change, hence `changed_when: false`.
- name: Set system identity
  community.routeros.command:
    commands:
      - /system/identity/set name="{{ switch_identity_name }}"
  changed_when: false

- name: Configure DNS servers
  community.routeros.command:
    commands:
      - /ip/dns/set servers="{{ switch_dns_servers }}" allow-remote-requests=no
  changed_when: false

- name: Enable NTP client
  community.routeros.command:
    commands:
      - /system/ntp/client/set enabled=yes servers="{{ switch_ntp_servers }}"
  when: switch_ntp_enabled | bool
  changed_when: false

- name: Disable NTP client (isolated mgmt plane has no upstream time source)
  community.routeros.command:
    commands:
      - /system/ntp/client/set enabled=no
  when: not (switch_ntp_enabled | bool)
  changed_when: false

- name: Disable unused IP services (hardening; winbox kept for recovery)
  community.routeros.command:
    commands:
      - /ip/service/set {{ item }} disabled=yes
  loop: "{{ switch_disabled_services }}"
  loop_control:
    label: "{{ item }}"
  changed_when: false

- name: Ensure SSH service is enabled on the configured port
  community.routeros.command:
    commands:
      - /ip/service/set ssh disabled=no port={{ switch_ssh_port }}
  changed_when: false

- name: Enable the WWW (HTTP) admin UI
  community.routeros.command:
    commands:
      - /ip/service/set www disabled=no
  when: switch_web_enabled | bool
  changed_when: false
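A post-run check for the service hardening above, added here as an example and not part of the role: because the `set` tasks can never report change, the only way to know the switch actually matches the variables is to read the state back and assert on it. It reuses the role's own SSH `command` channel (so it works even when `api` is in `switch_disabled_services`), assumes `www` is listed in `switch_disabled_services` when `switch_web_enabled` is off, and the task names and `verify_*` registers are assumptions.

```yaml
---
# Read back service state with :put so each command answers on one line
# (true/false or the port number) instead of a flag-column listing.
- name: Read SSH and WWW service state
  community.routeros.command:
    commands:
      - ':put [/ip/service/get ssh disabled]'
      - ':put [/ip/service/get ssh port]'
      - ':put [/ip/service/get www disabled]'
  register: verify_services
  changed_when: false

- name: Read state of every service the role is supposed to disable
  community.routeros.command:
    commands:
      - ':put [/ip/service/get {{ item }} disabled]'
  loop: "{{ switch_disabled_services }}"
  loop_control:
    label: "{{ item }}"
  register: verify_disabled
  changed_when: false

- name: SSH must be up on the configured port; WWW only when the flag is set
  ansible.builtin.assert:
    that:
      - "verify_services.stdout[0] | trim == 'false'"
      - "verify_services.stdout[1] | trim == switch_ssh_port | string"
      # Assumes www sits in switch_disabled_services, so the flag is the only
      # thing that can turn it on; then "enabled" must equal the flag exactly.
      - "(verify_services.stdout[2] | trim == 'false') == (switch_web_enabled | bool)"
    fail_msg: "management service state has drifted from the role variables"

- name: Every service in switch_disabled_services must report disabled=true
  ansible.builtin.assert:
    that:
      - "item.stdout[0] | trim == 'true'"
    fail_msg: "service {{ item.item }} is still enabled"
  loop: "{{ verify_disabled.results }}"
  loop_control:
    label: "{{ item.item }}"
```

Run it as a separate task file after the role (or as a scheduled drift check); because every task is read-only with `changed_when: false`, it is safe to run on every play.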