Lumpiasty/klaster

Fork 0

Files

T

History

Lumpiasty 1b66a8c230

ci/woodpecker/push/flux-reconcile-source Pipeline was successful

Details

Change Tailscale distribution

gitea.lumpiasty.xyz/Lumpiasty/tailscale-mikrotik allows us to move tailscale to internal flash

2026-06-02 17:29:22 +02:00

inventory

feat(ansible): add OpenWrt dlink AP configuration

2026-05-13 21:08:55 +02:00

playbooks

Change Tailscale distribution

2026-06-02 17:29:22 +02:00

roles

Change Tailscale distribution

2026-06-02 17:29:22 +02:00

ansible.cfg

refactor(ansible): move RouterOS config into a role

2026-05-13 20:57:13 +02:00

README.md

Change Tailscale distribution

2026-06-02 17:29:22 +02:00

requirements.yml

feat(ansible): migrate OpenWrt package management from opkg to apk

2026-05-16 21:20:24 +02:00

README.md

Ansible

Idempotent configuration management for the home-lab network devices.

Devices

Host	Group	IP	Playbook
crs418 (MikroTik CRS418)	`mikrotik`	192.168.255.10	`playbooks/routeros.yml`
dlink (OpenWrt AP)	`openwrt`	192.168.255.11	`playbooks/openwrt.yml`

Both devices are reachable on the MGMT network (192.168.255.0/24) once fully set up.

Dependencies

ansible-galaxy collection install -r requirements.yml
pip install librouteros hvac

Collections used:

community.routeros >= 3.16.0 — MikroTik API modules
community.hashi_vault >= 7.1.0 — OpenBao/Vault secret lookup
community.openwrt >= 1.0.0 — OpenWrt UCI and shell modules

MikroTik (routeros)

Secrets are fetched at runtime from OpenBao. No credentials are stored in files.

export VAULT_TOKEN=...   # or OPENBAO_TOKEN
ansible-playbook playbooks/routeros.yml

Secret layout expected in OpenBao (KVv2, mount secret):

Path	Fields
`routeros_api`	`username`, `password`
`wan_pppoe`	`username`, `password`

OpenWrt dlink AP

The dlink needs a one-time initialisation before it can be managed through MikroTik. There are two playbooks:

Step 1 — `dlink-init.yml` (once, PC directly connected)

Run this while your PC is plugged into one of the dlink LAN ports with the device still on its factory IP (192.168.1.1) and your SSH key has been added in web ui. MikroTik must not be in the picture yet.

What it does:

Reconfigures switch0 so the WAN port becomes a VLAN trunk:
- untagged → VLAN 1 (MGMT, 192.168.255.0/24)
- tagged → VLAN 2 (LAN, 192.168.0.0/24)
Adds mgmt interface: static 192.168.255.11/24, gateway 192.168.255.10
Reconfigures lan to a bridge on eth0.2 with no IP (AP mode)
Removes routed wan/wan6 interfaces
Commits and reloads network in the background

After the reload the device is no longer reachable at 192.168.1.1.

ansible-playbook playbooks/dlink-init.yml

Step 2 — connect dlink WAN port to MikroTik ether3

Plug the dlink WAN port into MikroTik ether3.

If the MikroTik config hasn't been applied yet, do it now:

export VAULT_TOKEN=...
ansible-playbook playbooks/routeros.yml

MikroTik ether3 is configured to send MGMT traffic untagged and VLAN 2 (LAN) tagged, which matches what dlink expects on its WAN port.

Step 3 — `openwrt.yml` (ongoing, via MikroTik)

All subsequent runs connect to 192.168.255.11 through MikroTik:

ansible-playbook playbooks/openwrt.yml

This is the idempotent main playbook. Run it any time to converge configuration.

README.md

Ansible

Devices

Dependencies

MikroTik (routeros)

OpenWrt dlink AP

Step 1 — dlink-init.yml (once, PC directly connected)

Step 2 — connect dlink WAN port to MikroTik ether3

Step 3 — openwrt.yml (ongoing, via MikroTik)

Step 1 — `dlink-init.yml` (once, PC directly connected)

Step 3 — `openwrt.yml` (ongoing, via MikroTik)