MakerFLOSS_Mikrotik
Infrastructure-as-Code for the makerspace's MikroTik CRS310-8G+2S+IN switch
(8× 2.5GbE + 2× SFP+ 10G, RouterOS 7). Configuration is managed declaratively with
Ansible over SSH using the community.routeros collection — identity, management
access, users/keys, VLAN switching, backups, and firmware — so the switch can be
rebuilt from this repo instead of by hand in WinBox.
Status
| Area | State |
|---|---|
| Repo scaffolding, role skeleton, vault | ✅ done |
| On-site device prep + bootstrap (named user + SSH key + identity) | ✅ done (2026-06-08) |
| Day-2 config: identity / users / vlans / backup / firmware tasks | ⏳ stubs — to implement (see docs/superpowers/plans/) |
The switch is reachable today by key auth as user sjat; the per-domain task files
still need their real RouterOS logic written and idempotency-tested.
Layout
```text
inventories/prod/hosts.yml                 # group `mikrotik` -> the switch host
group_vars/mikrotik.yml                    # connection vars (network_cli + community.routeros) + enable-flags
group_vars/mikrotik.vault.yml              # encrypted admin/user password (makerfloss vault id)
host_vars/crs310-maker.yml                 # device facts + real addressing + VLAN/port map
roles/makerfloss.mikrotik_switch/          # the role: defaults + per-domain task files
play_switch.yml                            # day-2 run (key auth), applies all enabled domains
docs/makerspace-switch-fieldguide.md       # on-site, printable prep checklist
docs/superpowers/specs|plans/              # design spec + implementation plan
```
Setup (control node)
```sh
direnv allow   # or: python3 -m venv .venv && . .venv/bin/activate
pip install -r requirements.txt
ansible-galaxy collection install -r requirements.yml
```
Vault: secrets use a dedicated vault identity `makerfloss`, keyed by
`~/.ansible/vault-keys/makerfloss.txt` (referenced in `ansible.cfg`, kept outside the
repo). View a secret with `ansible-vault view group_vars/mikrotik.vault.yml`.
Connectivity
The role connects with `ansible.netcommon.network_cli` + `ansible_network_os: community.routeros.routeros`, authenticating with the operator SSH key
(`~/.ssh/id_ed25519`). Day-2 needs no password.
Bench note: while the switch sits on an isolated bench reachable only through a jump host, Ansible's paramiko transport won't traverse
ProxyJump. Run Ansible from a host on the switch's network, or forward the port: `ssh -J <jump> <user>@<jump-lan> -L 2222:192.168.88.1:22 -N`, then set `ansible_host=127.0.0.1 ansible_port=2222`. In production (switch directly reachable) this is a non-issue.
Usage
```sh
# Validate
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check

# First contact on a fresh/reset device (password auth, one time)
ansible-playbook play_bootstrap.yml --ask-pass        # (play to be implemented)

# Day-2 configuration (key auth, idempotent)
ansible-playbook play_switch.yml
ansible-playbook play_switch.yml --tags vlans         # one domain
ansible-playbook play_switch.yml --limit crs310-maker

# Backup config into the repo
ansible-playbook play_backup.yml                      # (play to be implemented)
```
⚠️ Lockout safety
When changing management, services, or VLAN/bridge settings, keep an independent
recovery channel open (serial console, or WinBox MAC-telnet) and enable
vlan-filtering last, after the management path is proven. RouterOS config tasks
use `:if [find]` guards for idempotency; run every device-touching play twice and
confirm the second run reports no changes.
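The guard pattern and the enable-last ordering described above, as an added illustration of how the still-stubbed `vlans` task file could look (example tasks, not the repo's own code; `bridge_name`, `mgmt_vlan_id`, `switch_vlans`, `switch_enable_vlan_filtering` and the interface names are assumed variables):

```yaml
# Illustrative content for roles/makerfloss.mikrotik_switch/tasks/vlans.yml
# (added example; variable and interface names are assumptions).
# Expected vars (host_vars): bridge_name: bridge, mgmt_vlan_id: 10,
#   switch_vlans: [{id: 10, tagged: [sfp-sfpplus1], untagged: [ether1]}, ...]
# Each RouterOS script prints "changed" only when it really adds or sets
# something, so changed_when is accurate and a second run reports no changes.
- name: Ensure each bridge VLAN table entry exists (guarded with :if [find])
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/interface/bridge/vlan find where bridge={{ bridge_name }}
        and vlan-ids={{ item.id }} and dynamic=no]] = 0) do={
        /interface/bridge/vlan add bridge={{ bridge_name }}
        vlan-ids={{ item.id }}
        tagged="{{ item.tagged | default([]) | join(',') }}"
        untagged="{{ item.untagged | default([]) | join(',') }}";
        :put "changed" } else={ :put "unchanged" }
  loop: "{{ switch_vlans }}"
  loop_control:
    label: "vlan {{ item.id }}"
  register: vlan_add
  changed_when: "'changed' in vlan_add.stdout[0]"

- name: Management VLAN interface on the bridge (keeps the SSH path once filtering is on)
  community.routeros.command:
    commands:
      - >-
        :if ([:len [/interface/vlan find where name=mgmt]] = 0) do={
        /interface/vlan add name=mgmt interface={{ bridge_name }}
        vlan-id={{ mgmt_vlan_id }};
        :put "changed" } else={ :put "unchanged" }
  register: mgmt_vlan
  changed_when: "'changed' in mgmt_vlan.stdout[0]"

# Deliberately the last task, and gated behind an enable-flag the operator sets
# only after the management path over the mgmt VLAN has been proven.
- name: Enable vlan-filtering on the bridge (guarded, runs last)
  community.routeros.command:
    commands:
      - >-
        :if ([/interface/bridge get [find name={{ bridge_name }}] vlan-filtering]
        = false) do={
        /interface/bridge set [find name={{ bridge_name }}] vlan-filtering=yes;
        :put "changed" } else={ :put "unchanged" }
  register: vlan_filter
  changed_when: "'changed' in vlan_filter.stdout[0]"
  when: switch_enable_vlan_filtering | bool
```

Running the play twice with `--tags vlans` should show every task above as `ok` on the second pass; any `changed` there means a guard is not matching what the script creates.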
Preparing a switch on-site
See docs/makerspace-switch-fieldguide.md — a printable checklist for what to do
physically at the makerspace before Ansible takes over.