sjat 12001abac6 docs: README, role README, CLAUDE.md
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 19:22:43 +02:00


MakerFLOSS_Mikrotik

Ansible IaC for one MikroTik CRS310-8G+2S+IN switch (RouterOS 7) at the makerspace, managed over SSH with community.routeros. Sibling project to AnsibleBaobabV4 (whose conventions this repo copies); independent repo on forgejo.makerfloss.eu.

Tech stack

  • Ansible 10.x / ansible-core 2.17, community.routeros 3.x + ansible.netcommon
  • Connection: ansible.netcommon.network_cli, ansible_network_os: community.routeros.routeros, SSH key auth
  • Vault identity makerfloss (~/.ansible/vault-keys/makerfloss.txt)
  • Lint: ansible-lint (profile: production), yamllint

Structure

  • inventories/prod/hosts.yml — group mikrotik, host crs310-maker
  • group_vars/mikrotik.yml — connection vars + switch_*_enabled flags
  • group_vars/mikrotik.vault.yml — encrypted password (excluded from linters)
  • host_vars/crs310-maker.yml — device facts, real addressing, VLAN/port map
  • roles/makerfloss.mikrotik_switch/ — one role, per-domain task files gated by flags
  • play_switch.yml (day-2), play_bootstrap.yml / play_backup.yml (to implement)
  • docs/ — field guide, design spec, implementation plan

Essential commands

yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check
ansible-playbook play_switch.yml                       # day-2 (key auth)
ansible-playbook play_switch.yml --tags vlans          # one domain
ansible-vault view group_vars/mikrotik.vault.yml       # read a secret
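The "verify" step from Rules (lint, syntax check, run twice, second run must be change-free) as one gate, added here as an example; it is not a script the repo ships. It assumes it is run from the repo root, that the play name defaults to play_switch.yml, and that the second-run log goes to a path of your choosing (VERIFY_LOG, default under /tmp). The idempotency check parses the PLAY RECAP that ansible-playbook prints and fails if any host line shows changed>0 or if no recap was found at all.

```shell
#!/bin/sh
# Verification gate (added example, not repo code): lint, syntax-check, then run the
# play twice and refuse to pass if the second run's PLAY RECAP reports any change.
set -eu

# recap_is_clean LOGFILE -> 0 when every host line after "PLAY RECAP" shows changed=0.
# A log without a recap (play aborted, host unreachable) counts as not clean.
recap_is_clean() {
  recap=$(awk '/PLAY RECAP/ { r = 1; next } r && NF' "$1")
  [ -n "$recap" ] || return 1
  ! printf '%s\n' "$recap" | grep -Eq 'changed=[1-9]'
}

# verify_play [PLAYBOOK]: lint + syntax + converge + second run + recap check.
# Each lint step is on its own line so a failure actually aborts under set -e.
verify_play() {
  play=${1:-play_switch.yml}
  log=${VERIFY_LOG:-/tmp/makerfloss-second-run.log}   # assumed location
  yamllint .
  ansible-lint
  ansible-playbook "$play" --syntax-check
  ansible-playbook "$play"                              # first run: converge
  ansible-playbook "$play" >"$log" 2>&1 || { cat "$log"; return 1; }
  cat "$log"
  if recap_is_clean "$log"; then
    echo "OK: second run of $play is idempotent"
  else
    echo "FAIL: second run of $play still reported changes; fix the :if [find] guards" >&2
    return 1
  fi
}
```

Call `verify_play` (or `verify_play play_bootstrap.yml`) before merging a branch; `recap_is_clean` is kept separate so it can be pointed at any saved log.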

Rules

  • Idempotency: RouterOS tasks use community.routeros.command with :if [find] guards (test whether the object already exists before adding or setting it) so that a task only reports changed when the guard actually did something. Run every device-touching play twice; the second run must report changed=0 for the host in the PLAY RECAP.
  • Lockout safety: keep an independent recovery channel (serial console or WinBox over MAC) open when touching management, services or VLANs; enable bridge vlan-filtering last, once the management VLAN, PVIDs and tagged uplinks are in place, because turning it on early cuts management access over the bridge.
  • All real values go in host_vars; the role holds only mechanism + placeholders.
  • Secrets go to the makerfloss vault, never plaintext. Encrypt with ansible-vault encrypt --encrypt-vault-id makerfloss <file>.
  • New work: branch first, implement, verify (lint + syntax + run-twice), then merge.
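The idempotency and lockout rules above, as an added example of what a per-domain task file could look like; this is illustrative, not the repo's own (still stubbed) vlans task file. The file path, the variable names switch_bridge, switch_vlans and switch_vlan_filtering_enabled, the "CHANGED"/"UNCHANGED" marker convention and the sample host_vars values are all assumptions; switch_vlans_enabled follows the switch_*_enabled naming the group_vars already use. The guard compares vlan-ids against a single id, so it assumes one VLAN id per bridge VLAN entry rather than ranges.

```yaml
# roles/makerfloss.mikrotik_switch/tasks/vlans.yml (illustrative, names assumed).
# Assumed host_vars input, constructed for this example:
#   switch_bridge: bridge1
#   switch_vlans:
#     - { id: 10, name: mgmt }
#     - { id: 20, name: members }
- name: Ensure bridge VLAN entries exist (guarded, changed only when added)
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/interface bridge vlan find where bridge={{ switch_bridge }}
        and vlan-ids={{ item.id }}]] = 0)
        do={/interface bridge vlan add bridge={{ switch_bridge }} vlan-ids={{ item.id }}
        tagged={{ switch_bridge }} comment="{{ item.name }}"; :put "CHANGED"}
        else={:put "UNCHANGED"}
  register: vlan_add
  # command modules cannot know what happened; the guard tells us via the marker
  changed_when: "'CHANGED' in vlan_add.stdout[0]"
  loop: "{{ switch_vlans }}"
  loop_control:
    label: "vlan {{ item.id }} ({{ item.name }})"
  when: switch_vlans_enabled | bool
  tags: [vlans]

# Lockout rule: vlan-filtering is enabled only after the entries above exist and
# only when the operator opts in for this run (recovery channel open, per Rules).
- name: Enable bridge vlan-filtering last (no-op if already on)
  community.routeros.command:
    commands:
      - >-
        :if ([/interface bridge get [find name={{ switch_bridge }}] vlan-filtering] = false)
        do={/interface bridge set [find name={{ switch_bridge }}] vlan-filtering=yes; :put "CHANGED"}
        else={:put "UNCHANGED"}
  register: vlan_filter
  changed_when: "'CHANGED' in vlan_filter.stdout[0]"
  when:
    - switch_vlans_enabled | bool
    - switch_vlan_filtering_enabled | default(false) | bool
  tags: [vlans, vlan-filtering]
```

On a converged switch both tasks print UNCHANGED and the play's recap shows changed=0, which is exactly what the run-twice rule checks for; the filtering task stays skipped until switch_vlan_filtering_enabled is set explicitly for that run.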

Status / next

Bootstrap is done (user sjat + key + identity crs310-maker, RouterOS 7.19.6 pinned). The per-domain task files are stubs; implement them per docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md (Tasks 59), reading the "carry-over notes" at the end of that plan first.