Implements Task 6. Guards user creation with :if [find]; disables the built-in admin (switch_disable_default_admin) now that sjat key login is proven. Verified run-twice idempotent (changed=0); admin disabled=true, sjat reachable on bench. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
22 lines
864 B
YAML
22 lines
864 B
YAML
---
|
|
# Ensure the named admin user exists and (optionally) disable the built-in `admin`.
|
|
# The operator SSH key is imported once by play_bootstrap.yml; day-2 only guarantees
|
|
# the user is present and the default account is hardened. Idempotency comes from the
|
|
# RouterOS `:if [find]` guards, so `changed_when: false` is correct here.
|
|
|
|
- name: Ensure named admin user exists
|
|
community.routeros.command:
|
|
commands:
|
|
- >-
|
|
:if ([:len [/user find name="{{ switch_admin_user }}"]] = 0) do={
|
|
/user add name="{{ switch_admin_user }}" group="{{ switch_admin_group }}" }
|
|
changed_when: false
|
|
|
|
- name: Disable the default admin user
|
|
community.routeros.command:
|
|
commands:
|
|
- >-
|
|
:if ([:len [/user find name="admin"]] > 0) do={
|
|
/user/set admin disabled=yes }
|
|
when: switch_disable_default_admin | bool
|
|
changed_when: false
|