fix: use hostvars for SS variables in Surge template

ss_port, ss_cipher, and ss_password are scoped to the relay group
and are not accessible from the localhost play. Use hostvars to
reference them from the first relay host.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

openspec/changes/archive/2026-04-22-fix-ss-vars-in-surge-template/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

openspec/changes/archive/2026-04-22-fix-ss-vars-in-surge-template/design.md

@@ -0,0 +1,20 @@
+## Context
+
+`ss_port`, `ss_cipher`, and `ss_password` are scoped to the `relay` group via `group_vars/relay.yml`. The Surge template on `localhost` can't access them directly. It already uses `hostvars[groups['relay'][0]]` to get `ansible_host`, so the same approach works for SS variables.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Make SS variables accessible from the localhost play via hostvars
+
+**Non-Goals:**
+- No changes to the Surge config content or structure
+
+## Decisions
+
+Change line 6 of the template from:
+```
+{{ ss_port }} → {{ hostvars[groups['relay'][0]]['ss_port'] }}
+{{ ss_cipher }} → {{ hostvars[groups['relay'][0]]['ss_cipher'] }}
+{{ ss_password }} → {{ hostvars[groups['relay'][0]]['ss_password'] }}
+```

openspec/changes/archive/2026-04-22-fix-ss-vars-in-surge-template/proposal.md

@@ -0,0 +1,19 @@
+## Why
+
+The Surge template uses `{{ ss_port }}`, `{{ ss_cipher }}`, and `{{ ss_password }}` directly, but these are defined in `group_vars/relay.yml` — only available to `relay` group hosts. The localhost play has no access to them, causing "'ss_port' is undefined" errors.
+
+## What Changes
+
+- Change the SS variable references in `templates/surge-client.conf.j2` to use `hostvars[groups['relay'][0]]` — the same pattern already used for `ansible_host` on the same line
+
+## Capabilities
+
+### New Capabilities
+<!-- none -->
+
+### Modified Capabilities
+<!-- none -->
+
+## Impact
+
+- `templates/surge-client.conf.j2`: update SS variable references to use hostvars

openspec/changes/archive/2026-04-22-fix-ss-vars-in-surge-template/specs/NOTE.md

@@ -0,0 +1,3 @@
+## Note
+
+No capability changes. Internal variable scoping fix.

openspec/changes/archive/2026-04-22-fix-ss-vars-in-surge-template/tasks.md

@@ -0,0 +1,3 @@
+## 1. Fix SS variable references in Surge template
+
+- [x] 1.1 Change `ss_port`, `ss_cipher`, `ss_password` to use `hostvars[groups['relay'][0]]` in `templates/surge-client.conf.j2`

templates/surge-client.conf.j2

@@ -3,7 +3,7 @@ loglevel = notify
 
 [Proxy]
 # Relay server - Shadowsocks (中转机)
-Relay-SS = ss, {{ hostvars[groups['relay'][0]]['ansible_host'] }}, {{ ss_port }}, encrypt-method={{ ss_cipher }}, password={{ ss_password }}
+Relay-SS = ss, {{ hostvars[groups['relay'][0]]['ansible_host'] }}, {{ hostvars[groups['relay'][0]]['ss_port'] }}, encrypt-method={{ hostvars[groups['relay'][0]]['ss_cipher'] }}, password={{ hostvars[groups['relay'][0]]['ss_password'] }}
 
 # Landing server - Trojan direct (落地机直连)
 Landing-Trojan = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}