No description
Find a file
sjat ebd21623ef feat: real flat+mgmt-VLAN topology in host_vars; role tweaks
host_vars: DATA VLAN 30 (ether1 uplink + ether2-7 + sfp1/2), isolated MGMT VLAN 99
on ether8, mgmt 192.168.88.1/24, no gateway, NTP disabled. Role: switch_ntp_enabled
flag (enable/disable NTP), conditional default route (skip when no gateway), and a
guarded removal of the legacy defconf bridge IP so the mgmt IP lives only on vlan-mgmt.
Membership Jinja re-validated; lint+syntax clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 12:15:23 +02:00
backups feat(backup): export + binary backup, fetch into repo 2026-06-08 19:36:14 +02:00
docs docs(spec): flat data path + isolated mgmt VLAN topology 2026-06-09 12:12:22 +02:00
group_vars feat: bootstrap CRS310 on-site (sjat user + key + vaulted password) 2026-06-08 19:13:53 +02:00
host_vars feat: real flat+mgmt-VLAN topology in host_vars; role tweaks 2026-06-09 12:15:23 +02:00
inventories/prod feat: inventory, connection group_vars, makerfloss vault identity 2026-06-07 08:29:57 +02:00
roles/makerfloss.mikrotik_switch feat: real flat+mgmt-VLAN topology in host_vars; role tweaks 2026-06-09 12:15:23 +02:00
.ansible-lint feat: bootstrap CRS310 on-site (sjat user + key + vaulted password) 2026-06-08 19:13:53 +02:00
.envrc chore: repo scaffolding (direnv, ansible.cfg, lint, requirements) 2026-06-07 08:26:09 +02:00
.gitignore feat(backup): export + binary backup, fetch into repo 2026-06-08 19:36:14 +02:00
.yamllint feat: bootstrap CRS310 on-site (sjat user + key + vaulted password) 2026-06-08 19:13:53 +02:00
ansible.cfg chore: repo scaffolding (direnv, ansible.cfg, lint, requirements) 2026-06-07 08:26:09 +02:00
CLAUDE.md docs: mark domain tasks implemented; note deferred vlans device run 2026-06-08 19:45:36 +02:00
play_backup.yml feat(backup): export + binary backup, fetch into repo 2026-06-08 19:36:14 +02:00
play_bootstrap.yml feat: first-contact bootstrap play (named admin + SSH key import) 2026-06-08 19:42:56 +02:00
play_switch.yml feat: role skeleton, host_vars, day-2 play (stubbed domains) 2026-06-07 08:34:13 +02:00
README.md docs: mark domain tasks implemented; note deferred vlans device run 2026-06-08 19:45:36 +02:00
requirements.txt chore: repo scaffolding (direnv, ansible.cfg, lint, requirements) 2026-06-07 08:26:09 +02:00
requirements.yml chore: repo scaffolding (direnv, ansible.cfg, lint, requirements) 2026-06-07 08:26:09 +02:00

MakerFLOSS_Mikrotik

Infrastructure-as-Code for the makerspace's MikroTik CRS310-8G+2S+IN switch (8× 2.5GbE + 2× SFP+ 10G, RouterOS 7). Configuration is managed declaratively with Ansible over SSH using the community.routeros collection — identity, management access, users/keys, VLAN switching, backups, and firmware — so the switch can be rebuilt from this repo instead of by hand in WinBox.

Status

Area State
Repo scaffolding, role skeleton, vault done
On-site device prep + bootstrap (named user + SSH key + identity) done (2026-06-08)
identity / users / backup / firmware + play_bootstrap / play_backup implemented; idempotency-verified against the device (firmware is opt-in, lint/syntax only)
vlans (VLAN-aware bridge, ports, mgmt iface) implemented + Jinja-validated; device run deferred — needs the real VLAN/port plan and an on-site recovery channel before vlan-filtering is enabled

The switch is reachable today by key auth as user sjat. All task files now carry their real RouterOS logic. The vlans topology in host_vars is still a placeholder: replace it with the real makerspace VLAN ids + per-port map before running --tags vlans on the live device, and do so on-site with a serial/WinBox-MAC recovery channel open.

Layout

inventories/prod/hosts.yml          # group `mikrotik` -> the switch host
group_vars/mikrotik.yml             # connection vars (network_cli + community.routeros) + enable-flags
group_vars/mikrotik.vault.yml       # encrypted admin/user password (makerfloss vault id)
host_vars/crs310-maker.yml          # device facts + real addressing + VLAN/port map
roles/makerfloss.mikrotik_switch/   # the role: defaults + per-domain task files
play_switch.yml                     # day-2 run (key auth), applies all enabled domains
docs/makerspace-switch-fieldguide.md  # on-site, printable prep checklist
docs/superpowers/specs|plans/       # design spec + implementation plan

Setup (control node)

direnv allow                                # or: python3 -m venv .venv && . .venv/bin/activate
pip install -r requirements.txt
ansible-galaxy collection install -r requirements.yml

Vault: secrets use a dedicated vault identity makerfloss, keyed by ~/.ansible/vault-keys/makerfloss.txt (referenced in ansible.cfg, kept outside the repo). View a secret with ansible-vault view group_vars/mikrotik.vault.yml.

Connectivity

The role connects with ansible.netcommon.network_cli + ansible_network_os: community.routeros.routeros, authenticating with the operator SSH key (~/.ssh/id_ed25519). Day-2 needs no password.

Bench note: while the switch sits on an isolated bench reachable only through a jump host, Ansible's paramiko transport won't traverse ProxyJump. Run Ansible from a host on the switch's network, or forward the port: ssh -J <jump> <user>@<jump-lan> -L 2222:192.168.88.1:22 -N then set ansible_host=127.0.0.1 ansible_port=2222. In production (switch directly reachable) this is a non-issue.

Usage

# Validate
yamllint . && ansible-lint && ansible-playbook play_switch.yml --syntax-check

# First contact on a fresh/reset device (password auth, one time)
ansible-playbook play_bootstrap.yml -e ansible_user=admin --ask-pass

# Day-2 configuration (key auth, idempotent)
ansible-playbook play_switch.yml
ansible-playbook play_switch.yml --tags identity,users  # safe domains
ansible-playbook play_switch.yml --tags vlans           # on-site only — see lockout note
ansible-playbook play_switch.yml --limit crs310-maker

# Backup config into the repo
ansible-playbook play_backup.yml

⚠️ Lockout safety

When changing management, services, or VLAN/bridge settings, keep an independent recovery channel open (serial console, or WinBox MAC-telnet) and enable vlan-filtering last, after the management path is proven. RouterOS config tasks use :if [find] guards for idempotency; run every device-touching play twice and confirm the second run reports no changes.

Preparing a switch on-site

See docs/makerspace-switch-fieldguide.md — a printable checklist for what to do physically at the makerspace before Ansible takes over.