MakerFLOSS_Mikrotik/roles/makerfloss.mikrotik_switch
sjat 67554c0b38 docs: mark domain tasks implemented; note deferred vlans device run
Implements Task 10 doc updates. README/CLAUDE/role-README now reflect that all
task files + play_bootstrap/play_backup are implemented and idempotency-verified,
that vlans is built+validated but its device run is deferred (placeholder topology,
on-site recovery needed), and that the bootstrap/backup plays exist. Corrects the
bootstrap invocation example (-e ansible_user=admin --ask-pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 19:45:36 +02:00
..
defaults feat: role skeleton, host_vars, day-2 play (stubbed domains) 2026-06-07 08:34:13 +02:00
meta feat: role skeleton, host_vars, day-2 play (stubbed domains) 2026-06-07 08:34:13 +02:00
tasks feat(firmware): opt-in RouterOS + RouterBOOT upgrade to pinned target 2026-06-08 19:40:24 +02:00
README.md docs: mark domain tasks implemented; note deferred vlans device run 2026-06-08 19:45:36 +02:00

makerfloss.mikrotik_switch

Configure a MikroTik RouterOS switch (CRS310) over SSH with community.routeros. The role provides the mechanism; real values live in host_vars. Each domain is gated by an enable-flag (defined in group_vars/mikrotik.yml) so you can apply a subset with --tags.

Domains (enable-flags)

Flag Task file Tag Does
switch_identity_enabled identity.yml identity identity, mgmt IP, DNS/NTP, SSH on, disable unused services
switch_users_enabled users.yml users named admin user, import SSH key, disable default admin
switch_vlans_enabled vlans.yml vlans VLAN-aware bridge, access/trunk ports, mgmt VLAN iface
switch_backup_enabled backup.yml backup /export + binary backup, fetched into the repo
switch_firmware_enabled firmware.yml firmware RouterOS + RouterBOOT upgrade to switch_firmware_target (opt-in)

All per-domain task files are implemented. identity, users, backup and firmware are idempotency-verified against the device; vlans is implemented and Jinja-validated but its device run is deferred until the real topology is in host_vars and an on-site recovery channel is available (it enables vlan-filtering last, which can strand management if the mgmt path is wrong).

Variables (defaults/main.yml)

Variable Default Purpose
switch_identity_name {{ inventory_hostname }} system identity
switch_mgmt_vlan_id 99 management VLAN id
switch_mgmt_address placeholder mgmt IP addr/cidr (override in host_vars)
switch_mgmt_gateway placeholder default gateway
switch_dns_servers placeholder DNS server(s)
switch_ntp_servers placeholder NTP server(s)
switch_disabled_services telnet,ftp,www,www-ssl,api,api-ssl services to disable (winbox kept for recovery)
switch_ssh_port 22 SSH service port
switch_admin_user sjat named admin user
switch_admin_group full RouterOS group for the admin user
switch_admin_ssh_pubkey_file ~/.ssh/id_ed25519.pub operator public key to import
switch_disable_default_admin true disable the built-in admin after key login works
switch_bridge_name bridge bridge to manage
switch_vlans example list of {id, name}
switch_bridge_ports example list of port definitions (see below)
switch_firmware_target "" RouterOS version to pin/upgrade to

Data shapes

switch_vlans:
  - {id: 99, name: "mgmt"}
  - {id: 10, name: "members"}

switch_bridge_ports:
  # access port: untagged member of one VLAN (pvid)
  - {interface: "ether1", pvid: 10, mode: access}
  # trunk port: carries tagged VLANs; pvid sets the untagged/native VLAN
  - {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}

Idempotency

RouterOS has no rich declarative module set over network_cli, so tasks use community.routeros.command with :if ([:len [... find ...]] = 0) do={ ... } guards. Always run twice and confirm the second run is a no-op.