feat(ansible): add OpenWrt dlink AP configuration

Add community.openwrt collection, dlink host to inventory,
openwrt role with system/network/firewall tasks, and two
playbooks: dlink-init.yml for one-time bootstrap from factory
IP, and openwrt.yml for ongoing idempotent configuration.

Network: MGMT untagged + LAN (vlan2) tagged on WAN port trunk
to MikroTik ether3. Firewall zones replace factory WAN/LAN
with mgmt (input ACCEPT) and lan (forward ACCEPT, AP mode).

ansible/roles/openwrt/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# Hostname for the AP
+openwrt_hostname: dlink
+
+# Timezone (POSIX TZ string used by OpenWrt)
+openwrt_timezone: CET-1CEST,M3.5.0,M10.5.0/3
+
+# Management interface and IP (statically assigned on VLAN 1 / eth0.1)
+openwrt_mgmt_ip: 192.168.255.11
+openwrt_mgmt_prefix: 24
+openwrt_mgmt_gateway: 192.168.255.10
+
+# DNS servers for the AP itself
+openwrt_dns_servers:
+  - 192.168.0.1
+
+# SSH authorised keys (list of public key strings)
+openwrt_ssh_authorized_keys: []
+
+# NTP servers
+openwrt_ntp_servers:
+  - 0.pl.pool.ntp.org
+  - 1.pl.pool.ntp.org
+
+# Packages to install
+openwrt_packages: []
+

ansible/roles/openwrt/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Reload network
+  community.openwrt.nohup:
+    command: /etc/init.d/network reload
+  ignore_unreachable: true
+
+- name: Reload firewall
+  community.openwrt.service:
+    name: firewall
+    state: restarted
+
+- name: Reload wireless
+  community.openwrt.command:
+    cmd: wifi reload

ansible/roles/openwrt/tasks/firewall.yml

@@ -0,0 +1,51 @@
+---
+# This device is a pure AP — no routing, no NAT, no internet-facing interface.
+#
+# Zones:
+#   mgmt  — management interface (192.168.255.11)
+#           input: ACCEPT  (SSH, ping reachable from MGMT network)
+#           forward: REJECT (nothing routes through mgmt)
+#
+#   lan   — client bridge (eth0.2, wireless clients)
+#           input: REJECT  (clients cannot SSH into the AP itself)
+#           forward: ACCEPT (client traffic passes through to MikroTik,
+#                            which does all actual firewalling)
+#
+# No forwarding rules between zones — traffic in/out of each zone goes
+# directly to/from MikroTik over the trunk, not through this device.
+
+- name: Configure firewall
+  community.openwrt.uci:
+    command: import
+    merge: false
+    config: firewall
+    value: |
+      package firewall
+
+      config defaults
+        option syn_flood '1'
+        option input 'REJECT'
+        option output 'ACCEPT'
+        option forward 'REJECT'
+
+      config zone
+        option name 'mgmt'
+        list network 'mgmt'
+        option input 'ACCEPT'
+        option output 'ACCEPT'
+        option forward 'REJECT'
+
+      config zone
+        option name 'lan'
+        list network 'lan'
+        option input 'REJECT'
+        option output 'ACCEPT'
+        option forward 'ACCEPT'
+
+      config rule
+        option name 'Allow-ICMP-mgmt'
+        option src 'mgmt'
+        option proto 'icmp'
+        option target 'ACCEPT'
+
+  notify: Reload firewall

ansible/roles/openwrt/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Preflight — verify connectivity
+  ansible.builtin.import_tasks: preflight.yml
+
+- name: System configuration
+  ansible.builtin.import_tasks: system.yml
+
+- name: Network configuration
+  ansible.builtin.import_tasks: network.yml
+
+- name: Firewall configuration
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Wireless configuration
+  ansible.builtin.import_tasks: wireless.yml
+
+- name: Package management
+  ansible.builtin.import_tasks: packages.yml
+  when: openwrt_packages | length > 0

ansible/roles/openwrt/tasks/network.yml

@@ -0,0 +1,88 @@
+---
+# Network layout:
+#   MikroTik ether3 ↔ dlink WAN port (switch0 port4)
+#   MikroTik sends MGMT traffic untagged, vlan2 (LAN) and vlan5 (IOT) tagged.
+#
+#   switch0 VLAN table:
+#     VLAN 1 (MGMT): CPU(6) tagged, WAN(4) untagged                        → eth0.1 → mgmt
+#     VLAN 2 (LAN):  CPU(6) tagged, WAN(4) tagged, LAN1-4(0-3) untagged    → eth0.2 → br-lan → lan
+#     VLAN 5 (IOT):  CPU(6) tagged, WAN(4) tagged                          → eth0.5 → br-iot → iot
+#
+#   Interfaces:
+#     mgmt  — static 192.168.255.11/24 on eth0.1, management
+#     lan   — bridge (br-lan) on eth0.2, LAN clients via LAN ports
+#     iot   — bridge (br-iot) on eth0.5, IoT clients via wifi only
+
+- name: Configure network
+  community.openwrt.uci:
+    command: import
+    merge: false
+    config: network
+    value: |
+      package network
+
+      config interface 'loopback'
+        option device 'lo'
+        option proto 'static'
+        list ipaddr '127.0.0.1/8'
+
+      config globals 'globals'
+        option ula_prefix 'fd4d:508e:899a::/48'
+
+      config switch
+        option name 'switch0'
+        option reset '1'
+        option enable_vlan '1'
+
+      config switch_vlan
+        option device 'switch0'
+        option vlan '1'
+        option vid '1'
+        option description 'mgmt'
+        option ports '4 6t'
+
+      config switch_vlan
+        option device 'switch0'
+        option vlan '2'
+        option vid '2'
+        option description 'lan'
+        option ports '0 1 2 3 4t 6t'
+
+      config switch_vlan
+        option device 'switch0'
+        option vlan '5'
+        option vid '5'
+        option description 'iot'
+        option ports '4t 6t'
+
+      config device
+        option name 'br-lan'
+        option type 'bridge'
+        list ports 'eth0.2'
+
+      config interface 'mgmt'
+        option device 'eth0.1'
+        option proto 'static'
+        option ipaddr '{{ openwrt_mgmt_ip }}/{{ openwrt_mgmt_prefix }}'
+        option gateway '{{ openwrt_mgmt_gateway }}'
+        option dns '{{ openwrt_dns_servers | join(" ") }}'
+
+      config interface 'lan'
+        option device 'br-lan'
+        option proto 'none'
+
+      config device
+        option name 'br-iot'
+        option type 'bridge'
+        list ports 'eth0.5'
+
+      config interface 'iot'
+        option device 'br-iot'
+        option proto 'none'
+
+  notify: Reload network
+
+- name: Commit network config
+  community.openwrt.uci:
+    command: commit
+    key: network

ansible/roles/openwrt/tasks/packages.yml

@@ -0,0 +1,7 @@
+---
+- name: Install packages
+  community.openwrt.opkg:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+  loop: "{{ openwrt_packages }}"

ansible/roles/openwrt/tasks/preflight.yml

@@ -0,0 +1,11 @@
+---
+- name: Verify connectivity to OpenWrt device
+  community.openwrt.ping:
+
+- name: Gather OpenWrt facts
+  community.openwrt.setup:
+  register: openwrt_facts
+
+- name: Show device info
+  ansible.builtin.debug:
+    msg: "Managing {{ inventory_hostname }} ({{ openwrt_facts.ansible_facts.ansible_system | default('OpenWrt') }})"

ansible/roles/openwrt/tasks/system.yml

@@ -0,0 +1,30 @@
+---
+- name: Set hostname
+  community.openwrt.uci:
+    command: set
+    key: system.@system[0].hostname
+    value: "{{ openwrt_hostname }}"
+
+- name: Set timezone
+  community.openwrt.uci:
+    command: set
+    key: system.@system[0].timezone
+    value: "{{ openwrt_timezone }}"
+
+- name: Configure NTP servers
+  community.openwrt.uci:
+    command: set
+    key: system.ntp.server
+    value: "{{ openwrt_ntp_servers }}"
+
+- name: Commit system config
+  community.openwrt.uci:
+    command: commit
+    key: system
+
+- name: Set SSH authorized keys
+  community.openwrt.uci:
+    command: set
+    key: "dropbear.@dropbear[0].authorized_keys"
+    value: "{{ openwrt_ssh_authorized_keys | join('\n') }}"
+  when: openwrt_ssh_authorized_keys | length > 0