chore: make inventory a template, gitignore the instance

Rename hosts.yml to hosts.yml.example (tracked). Actual hosts.yml
is gitignored and created by the user via cp.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitignore

@@ -1,4 +1,5 @@
 credentials/
 output/
+inventory/hosts.yml
 *.retry
 .claude/settings.local.json

README.md

@@ -23,6 +23,10 @@ Client → Relay (SS) → Internet                       # relay only
 
 ### 1. Configure inventory
 
+```bash
+cp inventory/hosts.yml.example inventory/hosts.yml
+```
+
 Edit `inventory/hosts.yml` with your server IPs and SSH user:
 
 ```yaml

openspec/changes/archive/2026-04-22-inventory-template/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

openspec/changes/archive/2026-04-22-inventory-template/design.md

@@ -0,0 +1,22 @@
+## Context
+
+The inventory file contains environment-specific values (IPs, usernames). It should follow the same pattern as credentials — template in repo, instance gitignored.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Ship `hosts.yml.example` as the tracked template
+- Gitignore the actual `hosts.yml`
+
+**Non-Goals:**
+- Changing the inventory format or structure
+
+## Decisions
+
+### 1. `.example` suffix convention
+
+Use `hosts.yml.example` — consistent with common conventions. Users run `cp inventory/hosts.yml.example inventory/hosts.yml` and edit.
+
+## Risks / Trade-offs
+
+- **[Forgotten copy step]** → New users may miss the copy. Mitigation: documented in README setup steps, Ansible will fail with a clear error if `hosts.yml` is missing.

openspec/changes/archive/2026-04-22-inventory-template/proposal.md

@@ -0,0 +1,24 @@
+## Why
+
+`inventory/hosts.yml` contains real server IPs and usernames — it should not be tracked in git. The repository should ship a `.example` template that users copy and fill in.
+
+## What Changes
+
+- Rename `inventory/hosts.yml` to `inventory/hosts.yml.example` (tracked in git)
+- Add `inventory/hosts.yml` to `.gitignore`
+- Update README to document the copy step
+
+## Capabilities
+
+### New Capabilities
+
+(none)
+
+### Modified Capabilities
+- `server-base`: Inventory file becomes a user-created instance from a template
+
+## Impact
+
+- `inventory/hosts.yml` gitignored (users create their own)
+- `inventory/hosts.yml.example` committed as template
+- README updated

openspec/changes/archive/2026-04-22-inventory-template/specs/server-base/spec.md

@@ -0,0 +1,20 @@
+## MODIFIED Requirements
+
+### Requirement: Ansible inventory defines relay and landing server groups
+The inventory SHALL define two host groups: `relay` and `landing`, each containing the respective server's connection details (IP, SSH user, SSH key). The `ansible_user` SHALL be a configurable placeholder supporting both root and non-root users. The repository SHALL ship `inventory/hosts.yml.example` as a template; the actual `inventory/hosts.yml` SHALL be gitignored and created by the user.
+
+#### Scenario: Inventory is valid
+- **WHEN** the user copies `hosts.yml.example` to `hosts.yml` and fills in their values
+- **THEN** two groups `relay` and `landing` are available, each with at least one host
+
+#### Scenario: Non-root user with sudo
+- **WHEN** `ansible_user` is set to a non-root user (e.g., `ubuntu`)
+- **THEN** Ansible connects as that user and uses `become` for privilege escalation
+
+#### Scenario: Root user
+- **WHEN** `ansible_user` is set to `root`
+- **THEN** Ansible connects as root directly and `become` is a no-op
+
+#### Scenario: Missing inventory
+- **WHEN** the user has not copied `hosts.yml.example` to `hosts.yml`
+- **THEN** Ansible fails with an error indicating the inventory file is missing

openspec/changes/archive/2026-04-22-inventory-template/tasks.md

@@ -0,0 +1,5 @@
+## 1. Inventory Template
+
+- [x] 1.1 Rename `inventory/hosts.yml` to `inventory/hosts.yml.example` in git (git mv)
+- [x] 1.2 Add `inventory/hosts.yml` to `.gitignore`
+- [x] 1.3 Update `README.md` setup step to include `cp inventory/hosts.yml.example inventory/hosts.yml`

openspec/specs/server-base/spec.md

@@ -1,10 +1,10 @@
 ## ADDED Requirements
 
 ### Requirement: Ansible inventory defines relay and landing server groups
-The inventory SHALL define two host groups: `relay` and `landing`, each containing the respective server's connection details (IP, SSH user, SSH key). The `ansible_user` SHALL be a configurable placeholder supporting both root and non-root users.
+The inventory SHALL define two host groups: `relay` and `landing`, each containing the respective server's connection details (IP, SSH user, SSH key). The `ansible_user` SHALL be a configurable placeholder supporting both root and non-root users. The repository SHALL ship `inventory/hosts.yml.example` as a template; the actual `inventory/hosts.yml` SHALL be gitignored and created by the user.
 
 #### Scenario: Inventory is valid
-- **WHEN** the inventory file is parsed by Ansible
+- **WHEN** the user copies `hosts.yml.example` to `hosts.yml` and fills in their values
 - **THEN** two groups `relay` and `landing` are available, each with at least one host
 
 #### Scenario: Non-root user with sudo
@@ -15,6 +15,10 @@ The inventory SHALL define two host groups: `relay` and `landing`, each containi
 - **WHEN** `ansible_user` is set to `root`
 - **THEN** Ansible connects as root directly and `become` is a no-op
 
+#### Scenario: Missing inventory
+- **WHEN** the user has not copied `hosts.yml.example` to `hosts.yml`
+- **THEN** Ansible fails with an error indicating the inventory file is missing
+
 ### Requirement: Base packages are installed on all servers
 The base role SHALL install essential packages: `curl`, `wget`, `vim`, `htop`, `unzip`, `ufw`, `fail2ban`, `unattended-upgrades`.