# Ansible

Idempotent configuration management for the home-lab network devices.

## Devices

| Host | Group | IP | Playbook |
|---|---|---|---|
| crs418 (MikroTik CRS418) | `mikrotik` | 192.168.255.10 | `playbooks/routeros.yml` |
| dlink (OpenWrt AP) | `openwrt` | 192.168.255.11 | `playbooks/openwrt.yml` |

Both devices are reachable on the MGMT network (192.168.255.0/24) once fully set up.

## Dependencies

```bash
ansible-galaxy collection install -r requirements.yml
pip install librouteros hvac
```

Collections used:

- `community.routeros >= 3.16.0` — MikroTik API modules
- `community.hashi_vault >= 7.1.0` — OpenBao/Vault secret lookup
- `community.openwrt >= 1.0.0` — OpenWrt UCI and shell modules

## MikroTik (routeros)

Secrets are fetched at runtime from OpenBao. No credentials are stored in files.

```bash
export VAULT_TOKEN=... # or OPENBAO_TOKEN
ansible-playbook playbooks/routeros.yml
```

Secret layout expected in OpenBao (KVv2, mount `secret`):

| Path | Fields |
|---|---|
| `routeros_api` | `username`, `password` |
| `wan_pppoe` | `username`, `password` |
| `router_tailscale` | `container_password` |

## OpenWrt dlink AP

The dlink needs a one-time initialisation before it can be managed through MikroTik.
There are two playbooks:

### Step 1 — `dlink-init.yml` (once, PC directly connected)

Run this while your PC is plugged into one of the dlink **LAN ports**, with the
device still on its factory IP (192.168.1.1) and your SSH key already added via the
web UI. MikroTik must **not** be in the picture yet.

What it does:

- Reconfigures switch0 so the **WAN port** becomes a VLAN trunk:
  - untagged → VLAN 1 (MGMT, 192.168.255.0/24)
  - tagged → VLAN 2 (LAN, 192.168.0.0/24)
- Adds a `mgmt` interface: static 192.168.255.11/24, gateway 192.168.255.10
- Reconfigures `lan` as a bridge on eth0.2 with no IP (AP mode)
- Removes the routed `wan`/`wan6` interfaces
- Commits and reloads the network configuration in the background

After the reload the device is no longer reachable at 192.168.1.1.

```bash
ansible-playbook playbooks/dlink-init.yml
```

### Step 2 — connect dlink WAN port to MikroTik ether3

Plug the **dlink WAN port** into **MikroTik ether3**.

If the MikroTik config hasn't been applied yet, do it now:

```bash
export VAULT_TOKEN=...
ansible-playbook playbooks/routeros.yml
```

MikroTik ether3 is configured to send MGMT traffic untagged and VLAN 2 (LAN)
tagged, which matches what dlink expects on its WAN port.

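An added pre-flight check for Step 2, not one of this repo's playbooks: the script below pulls the `routeros_api` credentials from OpenBao with `hvac` (KVv2, mount `secret`, token from `VAULT_TOKEN` or `OPENBAO_TOKEN`), reads the bridge VLAN table from the CRS418 with `librouteros`, and reports whether ether3 actually carries VLAN 1 untagged and VLAN 2 tagged before you plug the dlink in. It assumes the MikroTik side uses bridge VLAN filtering (`/interface/bridge/vlan`) and that `VAULT_ADDR` points at OpenBao; neither is stated in this README.

```python
# Pre-flight for Step 2: is ether3 the trunk dlink expects? Assumes bridge VLAN filtering.
import os

MGMT_VLAN, LAN_VLAN = 1, 2      # README: untagged MGMT, tagged LAN on the trunk
ROUTER = "192.168.255.10"       # crs418 management address from the README

def _members(value):
    """RouterOS list fields (tagged/untagged ports) arrive as comma-separated strings."""
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return {v.strip() for v in str("" if value is None else value).split(",") if v.strip()}

def _vlan_ids(value):  # expand a 'vlan-ids' value such as 1, '1,2' or '10-20' into ints
    ids = set()
    for part in _members(value):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_trunk(vlan_rows, port="ether3"):
    """Return a list of problems; an empty list means the trunk matches the dlink side."""
    untagged, tagged = set(), set()
    for row in vlan_rows:                      # dicts as yielded by librouteros
        if row.get("disabled") in (True, "true"):
            continue
        if port in _members(row.get("untagged")):
            untagged |= _vlan_ids(row.get("vlan-ids"))
        if port in _members(row.get("tagged")):
            tagged |= _vlan_ids(row.get("vlan-ids"))
    problems = []
    if MGMT_VLAN not in untagged:
        problems.append(f"{port}: VLAN {MGMT_VLAN} (MGMT) is not untagged")
    if LAN_VLAN not in tagged:
        problems.append(f"{port}: VLAN {LAN_VLAN} (LAN) is not tagged")
    problems += [f"{port}: unexpected tagged VLAN {v}" for v in sorted(tagged - {LAN_VLAN})]
    return problems

def live_check():
    """Read routeros_api from OpenBao (KVv2, mount 'secret') and query the router."""
    import hvac, librouteros                   # lazy: check_trunk() needs neither
    token = os.environ.get("VAULT_TOKEN") or os.environ.get("OPENBAO_TOKEN")
    vault = hvac.Client(url=os.environ.get("VAULT_ADDR"), token=token)  # VAULT_ADDR: assumed
    creds = vault.secrets.kv.v2.read_secret_version(
        path="routeros_api", mount_point="secret")["data"]["data"]
    api = librouteros.connect(host=ROUTER, username=creds["username"], password=creds["password"])
    return check_trunk(list(api.path("interface", "bridge", "vlan")))

if __name__ == "__main__":
    raise SystemExit("\n".join(live_check()) or None)   # prints drift and exits 1, else 0
```

`check_trunk()` is pure, so it can also be run against a saved export of the VLAN table without touching the router.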
### Step 3 — `openwrt.yml` (ongoing, via MikroTik)

All subsequent runs connect to 192.168.255.11 through MikroTik:

```bash
ansible-playbook playbooks/openwrt.yml
```

This is the idempotent main playbook. Run it any time to converge configuration.