klaster/ansible/playbooks/routeros.yml

---
- name: Converge MikroTik RouterOS config
  hosts: mikrotik
  gather_facts: false
  connection: local

  pre_tasks:
    - name: Load router secrets from OpenBao
      ansible.builtin.set_fact:
        routeros_api_username: >-
          {{
            lookup(
              'community.hashi_vault.vault_kv2_get',
              openbao_fields.routeros_api.path,
              engine_mount_point=openbao_kv_mount
            ).secret[openbao_fields.routeros_api.username_key]
          }}
        routeros_api_password: >-
          {{
            lookup(
              'community.hashi_vault.vault_kv2_get',
              openbao_fields.routeros_api.path,
              engine_mount_point=openbao_kv_mount
            ).secret[openbao_fields.routeros_api.password_key]
          }}
        routeros_pppoe_username: >-
          {{
            lookup(
              'community.hashi_vault.vault_kv2_get',
              openbao_fields.wan_pppoe.path,
              engine_mount_point=openbao_kv_mount
            ).secret[openbao_fields.wan_pppoe.username_key]
          }}
        routeros_pppoe_password: >-
          {{
            lookup(
              'community.hashi_vault.vault_kv2_get',
              openbao_fields.wan_pppoe.path,
              engine_mount_point=openbao_kv_mount
            ).secret[openbao_fields.wan_pppoe.password_key]
          }}

      no_log: true
      tags:
        - tailscale-script

  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ routeros_api_username }}"
      password: "{{ routeros_api_password }}"
      tls: true
      validate_certs: false
      validate_cert_hostname: false
      force_no_cert: true
      encoding: UTF-8

  roles:
    - role: routeros