Patch Automation
Automated patching strategies, firmware upgrades, and automation improvements for substrate infrastructure components.
Legend: ✅ Complete | 🔄 In Progress | ⏳ Planned
Project Vision & Scope
Define and implement consistent patching strategies across all substrate components to maintain security posture while minimizing downtime. Includes firmware upgrades and automation improvements identified during the network build.
In Scope
- Patching procedures for all infrastructure components
- Firmware upgrades for network devices
- Automation improvements (idempotency, API gaps, manual step elimination)
- Rollback procedures
- Patch testing requirements
Out of Scope
- Application-level updates (handled per-tenant)
- Zero-day emergency response (separate runbook)
Requirements ⏳
- ⏳ Define maintenance windows per component type
- ⏳ Define patch testing requirements
- ⏳ Define rollback criteria
Firmware Upgrades ⏳
Device firmware updates required for full automation coverage.
- ⏳ EAP650-Outdoor AP firmware update (1.0.4 → latest): the current firmware doesn't accept VLAN config from the Omada 6.1 controller, so VLANs must be configured manually through the standalone UI
- ⏳ SG2218 Access Switch firmware update: evaluate newer firmware for improved CLI compatibility and Omada integration
Automation Improvements ⏳
Improvements identified during the network migration and authority transition work. These are non-blocking enhancements: the network is fully functional, but they improve automation coverage and idempotency and reduce manual steps for future rebuilds.
- ⏳ Automate OPNsense interface assignment and IP config via SSH (eliminates manual GUI steps; OPNsense 25.7 has no API for this)
- ⏳ TP-Link SG2218 cliconf idempotency (proper config diff support in the Ansible cliconf plugin)
- ⏳ OPNsense automation filter API investigation (addRule saves the rule but doesn't compile it into pf on 25.7.10)
- ⏳ Omada SSID VLAN provisioning via the controller after the AP firmware update
- ⏳ Replace curl-based Omada API tasks with the Ansible uri module (eliminates command-line secret exposure)
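The last item above, as an added illustration that is not taken from the project's own playbooks: a curl-based task that leaks the controller token through the process argument list, beside the uri-module equivalent that keeps the token in-process and out of the play log. The Omada endpoint path, header and cookie names, and the `omada_*` variables are assumptions, not values from this page.

```yaml
# Added example, not from the project's playbooks. Endpoint path, header
# and cookie names, and the omada_* variables are assumptions.

# WEAK: the token and session cookie are passed as curl arguments. They are
# visible in `ps` on the control node, in shell history if run by hand,
# and in Ansible's default task output (the full command is echoed on failure).
- name: Query Omada sites (curl, secret on the command line)
  ansible.builtin.command: >
    curl -s
    -H "Csrf-Token: {{ omada_token }}"
    -b "TPOMADA_SESSIONID={{ omada_session }}"
    "{{ omada_url }}/api/v2/sites"
  register: sites_raw
  changed_when: false

# HARDENED: the uri module issues the request itself, so no child process
# carries the secret in argv, and no_log suppresses the task's arguments
# and response from the play log and callback plugins.
- name: Query Omada sites (uri module, secret kept in-process)
  ansible.builtin.uri:
    url: "{{ omada_url }}/api/v2/sites"
    method: GET
    headers:
      Csrf-Token: "{{ omada_token }}"
      Cookie: "TPOMADA_SESSIONID={{ omada_session }}"
    validate_certs: true      # do not silently accept the controller's cert
    return_content: true
    status_code: 200
  register: sites
  changed_when: false
  no_log: true

# Only the fields that are safe to show are surfaced afterwards.
- name: Show site count
  ansible.builtin.debug:
    msg: "Omada reports {{ sites.json.result.data | length }} site(s)"
```

Apply `no_log` only to the tasks that carry the token: it also hides the response body on failure, which makes unrelated errors harder to debug.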
Patching Strategies ⏳
Ongoing maintenance and security updates.
- ⏳ Patching Strategy - Switches
- ⏳ Patching Strategy - Proxmox VE
- ⏳ Patching Strategy - Firewall/Core router
- ⏳ Patching Strategy - Linux packages
Documentation ⏳
- ⏳ Patching runbook
- ⏳ Rollback procedures