## 1. Credential Auto-Generation

- [x] 1.1 Update `group_vars/relay.yml` to use `lookup('password', ...)` for `ss_password` and random port generation for `ss_port`
- [x] 1.2 Update `group_vars/landing.yml` to use `lookup('password', ...)` for `trojan_password` (keep `trojan_port: 443` fixed)
- [x] 1.3 Create `.gitignore` with `credentials/` and `output/` entries
- [x] 1.4 Remove `group_vars/vault.yml.example` (no longer needed for passwords)

## 2. Surge Config Template & Generation

- [x] 2.1 Convert `docs/surge-client.conf` into `templates/surge-client.conf.j2` with Jinja2 variables for relay IP, SS port, SS password, landing domain, Trojan password
- [x] 2.2 Delete the old static `docs/surge-client.conf`
- [x] 2.3 Add a new play in `site.yml` that runs on `localhost` after server deployment to render the Surge config template to `output/surge-client.conf`

## 3. Documentation

- [x] 3.1 Update `README.md` to reflect auto-generated credentials, remove vault setup instructions, document `credentials/` backup and `output/` location