
1. Project Structure & Inventory

  • 1.1 Create Ansible project directory structure: inventory/, group_vars/, roles/, and site.yml
  • 1.2 Create inventory/hosts.yml with relay and landing host groups and placeholder connection details
  • 1.3 Create group_vars/all.yml with shared variables (SSH user, common packages)
  • 1.4 Create group_vars/relay.yml with relay-specific variables (SS port, cipher, password placeholder)
  • 1.5 Create group_vars/landing.yml with landing-specific variables (Trojan password, domain, TLS paths)
  • 1.6 Create ansible.cfg with sensible defaults (inventory path, roles path, vault settings)

2. Base Server Role

  • 2.1 Create roles/base/tasks/main.yml with package installation tasks
  • 2.2 Add SSH hardening tasks (template sshd_config, restart sshd handler)
  • 2.3 Create roles/base/templates/sshd_config.j2 with hardened SSH configuration
  • 2.4 Add UFW firewall tasks (default deny, allow SSH, allow role-specific ports via variable)
  • 2.5 Add fail2ban tasks (install, configure SSH jail, enable service)
  • 2.6 Add unattended-upgrades tasks (install, configure security auto-updates)
  • 2.7 Create roles/base/handlers/main.yml for service restart handlers
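The steps 2.1 to 2.7 above, worked through as one role. This is an added example, not the project's own code: the two files are shown back to back as separate YAML documents, and the variable names `base_packages` and `firewall_allowed_ports`, the template name `sshd_config.j2` (assumed to set `PermitRootLogin no` and `PasswordAuthentication no`), and the handler names are assumptions. The `validate:` line on the sshd template is the check worth keeping: it makes sshd parse the rendered file before it is installed, so a typo in the template cannot lock you out on restart.

```yaml
# roles/base/tasks/main.yml (added example; file and variable names are assumptions)
---
- name: Install base packages plus the hardening tools this role configures
  ansible.builtin.apt:
    name: "{{ base_packages | default([]) + ['ufw', 'fail2ban', 'unattended-upgrades'] }}"
    state: present
    update_cache: true

- name: Deploy hardened sshd_config (key-only auth, no root login)
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    # sshd must accept the rendered file before it replaces the live one;
    # an unparsable config would otherwise break SSH on the next restart.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart sshd

- name: Firewall default policy - deny incoming, allow outgoing
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: incoming, policy: deny }
    - { direction: outgoing, policy: allow }

- name: Rate-limit SSH rather than opening it unconditionally
  community.general.ufw:
    rule: limit
    port: "22"
    proto: tcp

- name: Allow role-specific ports (SS port on relay, 443 on landing) from group_vars
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
  loop: "{{ firewall_allowed_ports | default([]) }}"

- name: Enable the firewall (rules above are already in place)
  community.general.ufw:
    state: enabled

- name: Configure the fail2ban SSH jail
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.d/sshd.local
    mode: "0644"
    content: |
      [sshd]
      enabled = true
      port = ssh
      maxretry = 5
      findtime = 10m
      bantime = 1h
  notify: Restart fail2ban

- name: Enable fail2ban at boot
  ansible.builtin.systemd:
    name: fail2ban
    enabled: true
    state: started

- name: Enable automatic security updates
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    mode: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";

---
# roles/base/handlers/main.yml (added example; Debian/Ubuntu service names)
- name: Restart sshd
  ansible.builtin.service:
    name: ssh
    state: restarted

- name: Restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
```

The order of the firewall tasks matters: default policies and the SSH rule are written before `state: enabled`, so the moment ufw turns on there is already an allow rule for the connection Ansible itself is using.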

3. Shadowsocks Relay Role

  • 3.1 Create roles/shadowsocks/tasks/main.yml — download shadowsocks-rust binary from GitHub releases, create service user
  • 3.2 Create roles/shadowsocks/templates/ss-config.json.j2 — JSON config with server port, password, AEAD cipher
  • 3.3 Create roles/shadowsocks/templates/shadowsocks.service.j2 — systemd unit file running as dedicated user
  • 3.4 Create roles/shadowsocks/handlers/main.yml — restart handler triggered on config change
  • 3.5 Create roles/shadowsocks/defaults/main.yml — default values (version, cipher aes-256-gcm, port)

4. Trojan Landing Role

  • 4.1 Create roles/trojan/tasks/main.yml — download Trojan binary, create service user, grant CAP_NET_BIND_SERVICE
  • 4.2 Add certbot tasks — install certbot, obtain Let's Encrypt certificate for configured domain
  • 4.3 Add certbot renewal hook — reload Trojan service on certificate renewal
  • 4.4 Create roles/trojan/templates/trojan-config.json.j2 — JSON config with password, TLS cert/key paths, fallback address
  • 4.5 Create roles/trojan/templates/trojan.service.j2 — systemd unit file running as dedicated user
  • 4.6 Create roles/trojan/handlers/main.yml — restart handler triggered on config change
  • 4.7 Create roles/trojan/defaults/main.yml — default values (version, port 443, fallback port)
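Sections 3 and 4 share the same shape (download a release, run it as a dedicated user, restart on config change), so one worked example covers both, using the Trojan landing role because it has the extra capability and certificate concerns. This is an added example, not the project's own role: `trojan_download_url`, `trojan_sha256`, `trojan_domain`, `certbot_email`, the `/opt/trojan/trojan` archive layout and the handler name `Restart trojan` are assumptions, and the `REPLACE_WITH_*` values must come from the upstream release page. Two points the task list does not spell out: the download is rejected unless its SHA-256 matches a pinned value, and because Let's Encrypt keeps `privkey.pem` readable by root only, the certbot deploy hook copies each renewed certificate into `/etc/trojan/tls` with group `trojan` (so the TLS paths in 1.5 should point there), then restarts the service. The unit file is written inline with `ansible.builtin.copy` so the block is a single YAML file; the plan uses a `.j2` template for it instead.

```yaml
# roles/trojan/tasks/main.yml (added example; variable names and paths are assumptions)
---
- name: Create unprivileged service account (no shell, no home)
  ansible.builtin.user:
    name: trojan
    system: true
    shell: /usr/sbin/nologin
    create_home: false

- name: Download the Trojan release and verify its checksum
  ansible.builtin.get_url:
    url: "{{ trojan_download_url | default('REPLACE_WITH_RELEASE_URL') }}"
    dest: "/tmp/trojan-{{ trojan_version }}.tar.xz"
    checksum: "sha256:{{ trojan_sha256 | default('REPLACE_WITH_SHA256') }}"  # mismatch fails the task
    mode: "0644"

- name: Unpack the binary into /opt (assumed layout: /opt/trojan/trojan)
  ansible.builtin.unarchive:
    src: "/tmp/trojan-{{ trojan_version }}.tar.xz"
    dest: /opt
    remote_src: true
    owner: root
    group: root

- name: Config and TLS directories readable by the service group only
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: trojan
    mode: "0750"
  loop: [/etc/trojan, /etc/trojan/tls]

- name: Obtain the certificate once (needs port 80 reachable during issuance)
  ansible.builtin.command:
    argv: [certbot, certonly, --standalone, --non-interactive, --agree-tos,
           -m, "{{ certbot_email }}", -d, "{{ trojan_domain }}"]
    creates: "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem"

- name: Deploy hook - copy renewed cert where the service user can read it, then restart
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/trojan.sh
    mode: "0755"
    content: |
      #!/bin/sh
      # certbot sets RENEWED_LINEAGE to the live directory of the renewed cert
      set -eu
      install -o root -g trojan -m 0640 "$RENEWED_LINEAGE/fullchain.pem" /etc/trojan/tls/fullchain.pem
      install -o root -g trojan -m 0640 "$RENEWED_LINEAGE/privkey.pem"   /etc/trojan/tls/privkey.pem
      systemctl restart trojan

- name: Render config; contains the password, so root-owned and group-readable only
  ansible.builtin.template:
    src: trojan-config.json.j2
    dest: /etc/trojan/config.json
    owner: root
    group: trojan
    mode: "0640"
  notify: Restart trojan

- name: Install a sandboxed systemd unit (inline here; the plan uses trojan.service.j2)
  ansible.builtin.copy:
    dest: /etc/systemd/system/trojan.service
    mode: "0644"
    content: |
      [Unit]
      Description=Trojan landing server
      After=network-online.target
      Wants=network-online.target

      [Service]
      User=trojan
      Group=trojan
      ExecStart=/opt/trojan/trojan -c /etc/trojan/config.json
      # Bind 443 without root: grant only CAP_NET_BIND_SERVICE and nothing else.
      AmbientCapabilities=CAP_NET_BIND_SERVICE
      CapabilityBoundingSet=CAP_NET_BIND_SERVICE
      NoNewPrivileges=true
      ProtectSystem=strict
      ProtectHome=true
      PrivateTmp=true
      Restart=on-failure

      [Install]
      WantedBy=multi-user.target
  notify: Restart trojan

- name: Enable and start the service
  ansible.builtin.systemd:
    name: trojan
    daemon_reload: true
    enabled: true
    state: started
```

The Shadowsocks relay role is the same file with the account, archive and config paths renamed and the capability lines dropped, since its port (8388 by default) is unprivileged.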

5. Reference Surge Client Configuration

  • 5.1 Create docs/surge-client.conf — reference Surge config with proxy definitions (Relay-SS, Landing-Trojan, Landing-Chain with underlying-proxy)
  • 5.2 Add proxy rules using Sukka's rulesets (ruleset.skk.moe) — AI ruleset → Chain, streaming ruleset → Chain, with correct ordering (DOMAIN-SET/non_ip before ip rules)
  • 5.3 Add FINAL rule routing default traffic through Relay-SS

6. Main Playbook & Integration

  • 6.1 Create site.yml main playbook applying roles in order: base → shadowsocks (relay group) / trojan (landing group)
  • 6.2 Add Ansible Vault example for encrypting SS password and Trojan password
  • 6.3 Create README.md with setup instructions, variable reference, domain/TLS prerequisites, and usage guide
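Steps 6.1 and 6.2 as one worked example (added here, not the project's own files). Two YAML documents follow: the playbook, and a `group_vars/relay.yml` that keeps the Shadowsocks password as an inline Vault string, so the single-file layout from 1.4 is kept while the secret still never sits in the repository in clear. The `firewall_allowed_ports` list is an assumed variable consumed by the base role; putting it in group_vars rather than in the play is what lets the firewall play (which runs first, against `all`) see the relay's port. The encrypted blob is a placeholder; the command in the comment produces the real one, and `ansible.cfg` is assumed to point `vault_password_file` at a file outside the repository.

```yaml
# site.yml (added example)
---
- name: Harden every host before any service is installed
  hosts: all
  become: true
  roles:
    - base

- name: Shadowsocks on the relay group
  hosts: relay
  become: true
  roles:
    - shadowsocks

- name: Trojan on the landing group
  hosts: landing
  become: true
  roles:
    - trojan

---
# group_vars/relay.yml (added example; variable names are assumptions)
ss_port: 8388
ss_cipher: aes-256-gcm

# Opened by the base role's firewall tasks; Shadowsocks listens on TCP and UDP.
firewall_allowed_ports:
  - { port: "{{ ss_port }}", proto: tcp }
  - { port: "{{ ss_port }}", proto: udp }

# Generate with:  openssl rand -base64 32
# Encrypt with:   ansible-vault encrypt_string --vault-password-file ~/.vault.pass \
#                   'the-generated-password' --name 'ss_password'
# and paste the printed block here. The value below is a placeholder, not a real ciphertext.
ss_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  REPLACE_WITH_OUTPUT_OF_ansible-vault_encrypt_string
```

The Trojan password in `group_vars/landing.yml` is handled the same way. Running `ansible-playbook site.yml` then needs nothing interactive as long as the password file configured in `ansible.cfg` is present on the control machine.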