refactor(ansible): move RouterOS config into a role

Move flat tasks/ and vars/routeros-secrets.yml into
roles/routeros/ with a main.yml that imports the domain
task files in order. Update playbooks/routeros.yml to
use the role instead of importing tasks directly.

ansible/ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 inventory = inventory/hosts.yml
+roles_path = roles
 host_key_checking = False
 retry_files_enabled = False
 result_format = yaml

ansible/playbooks/routeros.yml

@@ -4,9 +4,6 @@
   gather_facts: false
   connection: local
 
-  vars_files:
-    - ../vars/routeros-secrets.yml
-
   pre_tasks:
     - name: Load router secrets from OpenBao
       ansible.builtin.set_fact:
@@ -63,30 +60,5 @@
       force_no_cert: true
       encoding: UTF-8
 
-  tasks:
-    - name: Preflight checks
-      ansible.builtin.import_tasks: ../tasks/preflight.yml
-
-    - name: Base network configuration
-      ansible.builtin.import_tasks: ../tasks/base.yml
-
-    - name: WAN and tunnel interfaces
-      ansible.builtin.import_tasks: ../tasks/wan.yml
-
-    - name: Hardware and platform tuning
-      ansible.builtin.import_tasks: ../tasks/hardware.yml
-
-    - name: RouterOS container configuration
-      ansible.builtin.import_tasks: ../tasks/containers.yml
-
-    - name: Addressing configuration
-      ansible.builtin.import_tasks: ../tasks/addressing.yml
-
-    - name: Firewall configuration
-      ansible.builtin.import_tasks: ../tasks/firewall.yml
-
-    - name: Routing configuration
-      ansible.builtin.import_tasks: ../tasks/routing.yml
-
-    - name: System configuration
-      ansible.builtin.import_tasks: ../tasks/system.yml
+  roles:
+    - role: routeros

ansible/roles/routeros/tasks/base.yml

@@ -67,6 +67,9 @@
       - bridge: bridge1
         interface: ether2
         pvid: 2
+      - bridge: bridge1
+        interface: ether3
+        comment: OpenWrt AP (dlink)
       - bridge: bridge1
         interface: ether8
         pvid: 4
@@ -89,7 +92,7 @@
     path: interface bridge vlan
     data:
       - bridge: bridge1
-        tagged: sfp-sfpplus2
+        tagged: sfp-sfpplus2,ether3
         untagged: ether1,ether2,ether9
         vlan-ids: 2
       - bridge: bridge1

ansible/roles/routeros/tasks/hardware.yml

@@ -13,6 +13,9 @@
     - default_name: ether2
       config:
         comment: Wifi środek
+    - default_name: ether3
+      config:
+        comment: OpenWrt AP (dlink)
     - default_name: ether8
       config:
         comment: Serwer

ansible/roles/routeros/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Preflight checks
+  ansible.builtin.import_tasks: preflight.yml
+
+- name: Base network configuration
+  ansible.builtin.import_tasks: base.yml
+
+- name: WAN and tunnel interfaces
+  ansible.builtin.import_tasks: wan.yml
+
+- name: Hardware and platform tuning
+  ansible.builtin.import_tasks: hardware.yml
+
+- name: RouterOS container configuration
+  ansible.builtin.import_tasks: containers.yml
+
+- name: Addressing configuration
+  ansible.builtin.import_tasks: addressing.yml
+
+- name: Firewall configuration
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Routing configuration
+  ansible.builtin.import_tasks: routing.yml
+
+- name: System configuration
+  ansible.builtin.import_tasks: system.yml