Lumpiasty/klaster
0
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity
Files
1b66a8c2306053773fa9eb0b0c4c77cba324af58
klaster/ansible/README.md
T
Lumpiasty 1b66a8c230
ci/woodpecker/push/flux-reconcile-source Pipeline was successful
Details
Change Tailscale distribution 
gitea.lumpiasty.xyz/Lumpiasty/tailscale-mikrotik allows us to move tailscale to internal flash
2026-06-02 17:29:22 +02:00

92 lines
2.6 KiB
Markdown
Raw Blame History

# Ansible
Idempotent configuration management for the home-lab network devices.
## Devices
| Host | Group | IP | Playbook |
|---|---|---|---|
| crs418 (MikroTik CRS418) | `mikrotik` | 192.168.255.10 | `playbooks/routeros.yml` |
| dlink (OpenWrt AP) | `openwrt` | 192.168.255.11 | `playbooks/openwrt.yml` |
Both devices are reachable on the MGMT network (192.168.255.0/24) once fully set up.
## Dependencies
```bash
ansible-galaxy collection install -r requirements.yml
pip install librouteros hvac
```
Collections used:
- `community.routeros >= 3.16.0` — MikroTik API modules
- `community.hashi_vault >= 7.1.0` — OpenBao/Vault secret lookup
- `community.openwrt >= 1.0.0` — OpenWrt UCI and shell modules
## MikroTik (routeros)
Secrets are fetched at runtime from OpenBao. No credentials are stored in files.
```bash
export VAULT_TOKEN=... # or OPENBAO_TOKEN
ansible-playbook playbooks/routeros.yml
```
Secret layout expected in OpenBao (KVv2, mount `secret`):
| Path | Fields |
|---|---|
| `routeros_api` | `username`, `password` |
| `wan_pppoe` | `username`, `password` |
## OpenWrt dlink AP
The dlink needs a one-time initialisation before it can be managed through MikroTik.
There are two playbooks:
### Step 1 — `dlink-init.yml` (once, PC directly connected)
Run this while your PC is plugged into one of the dlink **LAN ports** with the
device still on its factory IP (192.168.1.1) and your SSH key has been added in
web ui. MikroTik must **not** be in the picture yet.
What it does:
- Reconfigures switch0 so the **WAN port** becomes a VLAN trunk:
- untagged → VLAN 1 (MGMT, 192.168.255.0/24)
- tagged → VLAN 2 (LAN, 192.168.0.0/24)
- Adds `mgmt` interface: static 192.168.255.11/24, gateway 192.168.255.10
- Reconfigures `lan` to a bridge on eth0.2 with no IP (AP mode)
- Removes routed `wan`/`wan6` interfaces
- Commits and reloads network in the background
After the reload the device is no longer reachable at 192.168.1.1.
```bash
ansible-playbook playbooks/dlink-init.yml
```
### Step 2 — connect dlink WAN port to MikroTik ether3
Plug the **dlink WAN port** into **MikroTik ether3**.
If the MikroTik config hasn't been applied yet, do it now:
```bash
export VAULT_TOKEN=...
ansible-playbook playbooks/routeros.yml
```
MikroTik ether3 is configured to send MGMT traffic untagged and VLAN 2 (LAN)
tagged, which matches what dlink expects on its WAN port.
### Step 3 — `openwrt.yml` (ongoing, via MikroTik)
All subsequent runs connect to 192.168.255.11 through MikroTik:
```bash
ansible-playbook playbooks/openwrt.yml
```
This is the idempotent main playbook. Run it any time to converge configuration.
Reference in New Issue View Git Blame Copy Permalink