## 1. Project Structure & Inventory

- [x] 1.1 Create Ansible project directory structure: `inventory/`, `group_vars/`, `roles/`, and `site.yml`
- [x] 1.2 Create `inventory/hosts.yml` with `relay` and `landing` host groups and placeholder connection details
- [x] 1.3 Create `group_vars/all.yml` with shared variables (SSH user, common packages)
- [x] 1.4 Create `group_vars/relay.yml` with relay-specific variables (SS port, cipher, password placeholder)
- [x] 1.5 Create `group_vars/landing.yml` with landing-specific variables (Trojan password, domain, TLS paths)
- [x] 1.6 Create `ansible.cfg` with sensible defaults (inventory path, roles path, vault settings)

## 2. Base Server Role

- [x] 2.1 Create `roles/base/tasks/main.yml` with package installation tasks
- [x] 2.2 Add SSH hardening tasks (template `sshd_config`, restart sshd handler)
- [x] 2.3 Create `roles/base/templates/sshd_config.j2` with hardened SSH configuration
- [x] 2.4 Add UFW firewall tasks (default deny, allow SSH, allow role-specific ports via variable)
- [x] 2.5 Add fail2ban tasks (install, configure SSH jail, enable service)
- [x] 2.6 Add unattended-upgrades tasks (install, configure security auto-updates)
- [x] 2.7 Create `roles/base/handlers/main.yml` for service restart handlers

## 3. Shadowsocks Relay Role

- [x] 3.1 Create `roles/shadowsocks/tasks/main.yml` — download shadowsocks-rust binary from GitHub releases, create service user
- [x] 3.2 Create `roles/shadowsocks/templates/ss-config.json.j2` — JSON config with server port, password, AEAD cipher
- [x] 3.3 Create `roles/shadowsocks/templates/shadowsocks.service.j2` — systemd unit file running as dedicated user
- [x] 3.4 Create `roles/shadowsocks/handlers/main.yml` — restart handler triggered on config change
- [x] 3.5 Create `roles/shadowsocks/defaults/main.yml` — default values (version, cipher `aes-256-gcm`, port)

## 4. Trojan Landing Role

- [x] 4.1 Create `roles/trojan/tasks/main.yml` — download Trojan binary, create service user, grant `CAP_NET_BIND_SERVICE`
- [x] 4.2 Add certbot tasks — install certbot, obtain Let's Encrypt certificate for configured domain
- [x] 4.3 Add certbot renewal hook — reload Trojan service on certificate renewal
- [x] 4.4 Create `roles/trojan/templates/trojan-config.json.j2` — JSON config with password, TLS cert/key paths, fallback address
- [x] 4.5 Create `roles/trojan/templates/trojan.service.j2` — systemd unit file running as dedicated user
- [x] 4.6 Create `roles/trojan/handlers/main.yml` — restart handler triggered on config change
- [x] 4.7 Create `roles/trojan/defaults/main.yml` — default values (version, port 443, fallback port)

## 5. Reference Surge Client Configuration

- [x] 5.1 Create `docs/surge-client.conf` — reference Surge config with proxy definitions (Relay-SS, Landing-Trojan, Landing-Chain with underlying-proxy)
- [x] 5.2 Add proxy rules using Sukka's rulesets (`ruleset.skk.moe`) — AI ruleset → Chain, streaming ruleset → Chain, with correct ordering (DOMAIN-SET/non_ip rules before ip rules)
- [x] 5.3 Add FINAL rule routing default traffic through Relay-SS

## 6. Main Playbook & Integration

- [x] 6.1 Create `site.yml` main playbook applying roles in order: base → shadowsocks (relay group) / trojan (landing group)
- [x] 6.2 Add Ansible Vault example for encrypting SS password and Trojan password
- [x] 6.3 Create README.md with setup instructions, variable reference, domain/TLS prerequisites, and usage guide
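As an added example, not part of this checklist or the project's own files: a hardened `roles/trojan/templates/trojan.service.j2` covering items 4.1 and 4.5, running Trojan as an unprivileged dedicated user and granting only `CAP_NET_BIND_SERVICE` so it can bind port 443 without root. The variable names `trojan_user`, `trojan_bin` and `trojan_config`, and the `-c` config flag of the original Trojan binary, are assumptions.

```ini
# roles/trojan/templates/trojan.service.j2 (added example; variable names are assumed)
[Unit]
Description=Trojan landing proxy (TLS on port {{ trojan_port | default(443) }})
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated, non-login service account created in roles/trojan/tasks/main.yml
User={{ trojan_user }}
Group={{ trojan_user }}
ExecStart={{ trojan_bin }} -c {{ trojan_config }}
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536

# Least privilege: the process starts with exactly one capability, the one it
# needs to bind a port below 1024, and can never gain more (no setuid helpers).
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Filesystem isolation: whole tree read-only, no home directories, private /tmp
# and /dev; only the config and certificate directory are readable.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ReadOnlyPaths={{ trojan_config | dirname }}

# Kernel surface reduction
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
# A proxy only needs TCP/UDP over IPv4/IPv6 (AF_UNIX kept for the systemd journal)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

Certbot keeps `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` readable only by root, so `{{ trojan_user }}` cannot read the private key there directly; the renewal hook from item 4.3 is the natural place to copy the current certificate and key into a directory owned by that user with restrictive modes before reloading the service.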