Add MikroTik AdGuard setup script and complete documentation

- Added scripts/mikrotik-adguard-setup.rsc with full setup commands
- Created docs/09-MIKROTIK-ADGUARD-DOT-DOH.md with:
  - Architecture diagram
  - Complete NAT/routing rules documentation
  - Container configuration details
  - TLS/DoT/DoH setup
  - Troubleshooting guide
- Removed WIP document (moved to completed docs)

scripts/mikrotik-adguard-setup.rsc

@@ -0,0 +1,109 @@
+# MikroTik AdGuard Home Setup Script
+# Created: 2026-01-25
+# Repository: https://git.xtrm-lab.org/jazzymc/infrastructure
+#
+# Prerequisites:
+# - RouterOS 7.4+ with container package
+# - USB storage mounted as usb1
+# - Container mode enabled: /system/device-mode/update container=yes
+
+#------------------------------------------------------------
+# Variables
+#------------------------------------------------------------
+:local containerName "adguardhome"
+:local containerImage "adguard/adguardhome:latest"
+:local vethName "veth-adguard"
+:local containerIP "172.17.0.2"
+:local gatewayIP "172.17.0.1"
+:local containerNet "172.17.0.0/24"
+:local lanNet "192.168.31.0/24"
+:local unraidAdguard "192.168.31.4"
+:local wanInterface "eth1_WAN"
+
+#------------------------------------------------------------
+# 1. Create veth interface
+#------------------------------------------------------------
+/interface veth add name=$vethName address=$containerIP/24 gateway=$gatewayIP
+
+#------------------------------------------------------------
+# 2. Add IP to veth (MikroTik side)
+#------------------------------------------------------------
+/ip address add address=$gatewayIP/24 interface=$vethName
+
+#------------------------------------------------------------
+# 3. Create container mounts
+#------------------------------------------------------------
+/container mounts add name=agh-config src=usb1/adguard/conf dst=/opt/adguardhome/conf
+/container mounts add name=agh-work src=usb1/adguard/work dst=/opt/adguardhome/work
+
+#------------------------------------------------------------
+# 4. Pull and create container
+#------------------------------------------------------------
+/container add remote-image=$containerImage interface=$vethName root-dir=usb1/adguard/root \
+    mounts=agh-config,agh-work logging=yes start-on-boot=yes dns=8.8.8.8 \
+    hostname="mikrotik-adguard" name=$containerName
+
+#------------------------------------------------------------
+# 5. Firewall - Allow container network traffic
+#------------------------------------------------------------
+# Input chain
+/ip firewall filter add chain=input action=accept dst-address=$containerNet comment="Allow container network"
+/ip firewall filter add chain=input action=accept src-address=$containerNet comment="Allow from container network"
+
+# Forward chain
+/ip firewall filter add chain=forward action=accept dst-address=$containerNet comment="Allow to container network"
+/ip firewall filter add chain=forward action=accept src-address=$containerNet comment="Allow from container network"
+
+#------------------------------------------------------------
+# 6. NAT Rules - DNS Redirect
+#------------------------------------------------------------
+# Allow container outbound DNS (prevent redirect loop)
+/ip firewall nat add chain=dstnat action=accept protocol=udp src-address=$containerNet dst-port=53 \
+    comment="Allow MikroTik AdGuard outbound DNS"
+
+# Allow Unraid AdGuard outbound DNS  
+/ip firewall nat add chain=dstnat action=accept protocol=udp src-address=$unraidAdguard dst-port=53 \
+    comment="Allow Unraid AdGuard outbound DNS"
+/ip firewall nat add chain=dstnat action=accept protocol=tcp src-address=$unraidAdguard dst-port=53 \
+    comment="Allow Unraid AdGuard outbound DNS TCP"
+
+# Redirect LAN DNS to container
+/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=53 \
+    protocol=udp src-address=$lanNet dst-port=53 comment="Redirect DNS to MikroTik AdGuard"
+/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=53 \
+    protocol=tcp src-address=$lanNet dst-port=53 comment="Redirect DNS to MikroTik AdGuard TCP"
+
+# Masquerade for return traffic
+/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=$lanNet \
+    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard"
+/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=$lanNet \
+    dst-address=$containerIP dst-port=53 comment="Masquerade DNS to MikroTik AdGuard TCP"
+
+#------------------------------------------------------------
+# 7. NAT Rules - External Access (DoT/DoH)
+#------------------------------------------------------------
+# DoT (DNS over TLS) - port 853
+/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=853 \
+    protocol=tcp in-interface=$wanInterface dst-port=853 comment="DNS over TLS (DoT)"
+
+# DoH (DNS over HTTPS) - port 8443 external -> 443 internal
+/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=443 \
+    protocol=tcp in-interface=$wanInterface dst-port=8443 comment="DNS over HTTPS (DoH)"
+
+# Web UI access - port 3000 -> 80
+/ip firewall nat add chain=dstnat action=dst-nat to-addresses=$containerIP to-ports=80 \
+    protocol=tcp dst-address=192.168.31.1 dst-port=3000 comment="AdGuard Web UI"
+
+#------------------------------------------------------------
+# 8. Set MikroTik DNS to use container
+#------------------------------------------------------------
+/ip dns set servers=$containerIP allow-remote-requests=yes
+
+#------------------------------------------------------------
+# 9. Start container
+#------------------------------------------------------------
+/container start $containerName
+
+:log info "AdGuard Home container setup complete"
+:log info "Web UI: http://192.168.31.1:3000"
+:log info "Complete initial setup, then configure TLS for DoT/DoH"