ansible-proxy-chain/openspec/changes/archive/2026-04-22-auto-generate-surge-config/tasks.md

1. Credential Auto-Generation

• 1.1 Update group_vars/relay.yml to use lookup('password', ...) for ss_password and random port generation for ss_port
• 1.2 Update group_vars/landing.yml to use lookup('password', ...) for trojan_password (keep trojan_port: 443 fixed)
• 1.3 Create .gitignore with credentials/ and output/ entries
• 1.4 Remove group_vars/vault.yml.example (no longer needed for passwords)

2. Surge Config Template & Generation

• 2.1 Convert docs/surge-client.conf into templates/surge-client.conf.j2 with Jinja2 variables for relay IP, SS port, SS password, landing domain, Trojan password
• 2.2 Delete the old static docs/surge-client.conf
• 2.3 Add a new play in site.yml that runs on localhost after server deployment to render the Surge config template to output/surge-client.conf

3. Documentation

• 3.1 Update README.md to reflect auto-generated credentials, remove vault setup instructions, document credentials/ backup and output/ location