MakerFLOSS_Mikrotik/CLAUDE.md
sjat 12001abac6 docs: README, role README, CLAUDE.md
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 19:22:43 +02:00

# MakerFLOSS_Mikrotik
Ansible IaC for one **MikroTik CRS310-8G+2S+IN** switch (RouterOS 7) at the makerspace,
managed over SSH with `community.routeros`. Sibling project to AnsibleBaobabV4 (whose
conventions this repo copies); independent repo on `forgejo.makerfloss.eu`.
## Tech stack
- Ansible 10.x / ansible-core 2.17, `community.routeros` 3.x + `ansible.netcommon`
- Connection: `ansible.netcommon.network_cli`, `ansible_network_os: community.routeros.routeros`, SSH **key** auth
- Vault identity **`makerfloss`** (`~/.ansible/vault-keys/makerfloss.txt`)
- Lint: `ansible-lint` (profile: production), `yamllint`
## Structure
- `inventories/prod/hosts.yml` — group `mikrotik`, host `crs310-maker`
- `group_vars/mikrotik.yml` — connection vars + `switch_*_enabled` flags
- `group_vars/mikrotik.vault.yml` — encrypted password (excluded from linters)
- `host_vars/crs310-maker.yml` — device facts, real addressing, VLAN/port map
- `roles/makerfloss.mikrotik_switch/` — one role, per-domain task files gated by flags
- `play_switch.yml` (day-2), `play_bootstrap.yml` / `play_backup.yml` (to implement)
- `docs/` — field guide, design spec, implementation plan
## Essential commands
```bash
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check
ansible-playbook play_switch.yml # day-2 (key auth)
ansible-playbook play_switch.yml --tags vlans # one domain
ansible-vault view group_vars/mikrotik.vault.yml # read a secret
```
## Rules
- **Idempotency:** RouterOS tasks use `community.routeros.command` with `:if [find]`
guards. Run every device-touching play **twice**; the second run must report no changes.
- **Lockout safety:** keep an independent recovery channel (serial/WinBox-MAC) when
touching mgmt/services/VLANs; enable `vlan-filtering` **last**.
- **All real values go in `host_vars`;** the role holds only mechanism + placeholders.
- **Secrets** go to the `makerfloss` vault, never plaintext. Encrypt with
`ansible-vault encrypt --encrypt-vault-id makerfloss <file>`.
- **New work:** branch first, implement, verify (lint + syntax + run-twice), then merge.
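The guarded, run-twice style the idempotency rule describes, as an added illustration (not the role's own task file): the `:if [find]` guard makes the RouterOS `add` a no-op on the second run, and a printed marker drives `changed_when` so the play reports "no changes" honestly. `switch_bridge`, `switch_vlans` and the sample VLAN data are assumed names and constructed values; real values belong in `host_vars`.

```yaml
# Added example of the ':if [find]' guard pattern with community.routeros.command.
# Not the repo's own code: variable names and VLAN data are assumed/constructed.
- name: Ensure bridge VLAN table entries (idempotent, guarded)
  hosts: mikrotik
  gather_facts: false
  vars:
    switch_bridge: bridge                 # constructed sample; real value lives in host_vars
    switch_vlans:                          # constructed sample; real map lives in host_vars
      - { name: maker, id: 20, tagged: [sfp-sfpplus1] }
      - { name: mgmt,  id: 99, tagged: [sfp-sfpplus1, ether1] }
  tasks:
    - name: Add a bridge VLAN entry only if none with that vlan-id exists yet
      community.routeros.command:
        commands:
          # One RouterOS script per VLAN. The [find] guard keeps the 'add' from
          # running twice; the :put marker tells Ansible whether anything happened.
          - >-
            :if ([:len [/interface/bridge/vlan find where bridge="{{ switch_bridge }}"
            && vlan-ids={{ item.id }}]] = 0) do={
            /interface/bridge/vlan add bridge="{{ switch_bridge }}" vlan-ids={{ item.id }}
            tagged="{{ ([switch_bridge] + item.tagged) | join(',') }}";
            :put "ADDED" } else={ :put "PRESENT" }
      loop: "{{ switch_vlans }}"
      loop_control:
        label: "{{ item.name }} ({{ item.id }})"
      register: vlan_result
      # Without this, the command module marks every run as changed and the
      # run-twice check can never pass. Key the status on the marker the script printed.
      changed_when: "'ADDED' in vlan_result.stdout[0]"
    # Note: this play deliberately does not touch 'vlan-filtering' on the bridge;
    # per the lockout rule that switch is flipped last, with a recovery channel open.
```

Run it twice: the first run shows `changed` for VLANs that were missing, the second must show every item as `ok`.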
## Status / next
Bootstrap is done (user `sjat` + key + identity `crs310-maker`, RouterOS 7.19.6 pinned).
The per-domain task files are **stubs**; implement them per
`docs/superpowers/plans/2026-06-07-mikrotik-crs310-ansible.md` (Tasks 59), reading the
"carry-over notes" at the end of that plan first.