## 1. Project Scaffolding

- [x] 1.1 Initialize Ansible project structure (`ansible.cfg`, `site.yml`, `roles/`)
- [x] 1.2 Create `.gitignore` (inventory files, credentials, users.yml, output/)
- [x] 1.3 Create `inventory/hosts.yml.example` with `servers`, `snell`, `trojan` groups
- [x] 1.4 Create `group_vars/all.yml` with base variables and Python interpreter setting
- [x] 1.5 Create `users.yml.example` with `trojan_users` list template
- [x] 1.6 Create `credentials/` directory placeholder with `.gitkeep`
- [x] 1.7 Create `README.md` with project overview and usage instructions

## 2. Base Role (`roles/base/`)

- [x] 2.1 Create `roles/base/tasks/main.yml` with package installation task
- [x] 2.2 Implement SSH hardening tasks (disable password auth, disable root login, set custom port)
- [x] 2.3 Implement UFW configuration tasks (default deny, allow SSH port)
- [x] 2.4 Implement fail2ban configuration and SSH jail
- [x] 2.5 Implement unattended-upgrades configuration
- [x] 2.6 Add SSH handler for sshd restart
- [x] 2.7 Add UFW handler for firewall reload

## 3. Snell Role (`roles/snell/`)

- [x] 3.1 Create `roles/snell/tasks/main.yml` with Snell binary download and install task
- [x] 3.2 Create `roles/snell/templates/snell-server.conf.j2` with listen, psk, ipv6 settings
- [x] 3.3 Implement configuration file deployment task with proper permissions
- [x] 3.4 Create `roles/snell/templates/snell.service.j2` systemd unit file
- [x] 3.5 Implement systemd service creation and start tasks
- [x] 3.6 Add UFW rule for Snell port
- [x] 3.7 Add auto-generated PSK logic via `credentials/snell_psk` lookup
- [x] 3.8 Add Snell service restart handler

## 4. Trojan Role (`roles/trojan/`)

- [x] 4.1 Create `roles/trojan/tasks/main.yml` with trojan-go binary download and install task
- [x] 4.2 Implement `users.yml` loading via `include_vars` at playbook level
- [x] 4.3 Create `roles/trojan/templates/config.json.j2` with multi-user `password` array
- [x] 4.4 Implement configuration file deployment task with proper permissions
- [x] 4.5 Implement certbot TLS certificate provisioning tasks
- [x] 4.6 Implement certificate deploy-hook for auto-renewal copy and service reload
- [x] 4.7 Create `roles/trojan/templates/trojan-go.service.j2` systemd unit with `CAP_NET_BIND_SERVICE`
- [x] 4.8 Implement systemd service creation and start tasks
- [x] 4.9 Add UFW rule for port 443
- [x] 4.10 Add Trojan service restart handler

## 5. Playbook Integration

- [x] 5.1 Create `site.yml` with plays: bootstrap, base (all), snell (`snell` group), trojan (`trojan` group)
- [x] 5.2 Add `include_vars` for `users.yml` in the Trojan play
- [x] 5.3 Verify handler triggers work correctly across roles
- [x] 5.4 Add `ansible_python_interpreter: auto_silent` to `group_vars/all.yml`

## 6. Testing and Validation

- [x] 6.1 Run `ansible-playbook --check` to validate syntax and task structure
- [x] 6.2 Verify all Jinja2 templates render without errors
- [x] 6.3 Confirm `.gitignore` covers all sensitive files (credentials/, users.yml, inventory/hosts.yml)
- [x] 6.4 Review that all spec requirements have corresponding task coverage
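Task 4.7 calls for a systemd unit that lets trojan-go bind port 443 without running as root. The template below is an added illustration, not the project's own `trojan-go.service.j2`; the variables `trojan_user`, `trojan_group`, `trojan_bin`, `trojan_config_path` and `trojan_cert_dir` are assumed names, and the sandboxing directives beyond `CAP_NET_BIND_SERVICE` go further than the checklist item requires.

```ini
# trojan-go.service.j2 (illustrative; variable names are assumptions)
[Unit]
Description=trojan-go proxy server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run as an unprivileged account instead of root
User={{ trojan_user }}
Group={{ trojan_group }}
ExecStart={{ trojan_bin }} -config {{ trojan_config_path }}

# Grant only the capability needed to bind the privileged port 443
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Filesystem sandboxing: read-only system, no home dirs, private /tmp.
# The cert directory is where the deploy-hook (task 4.6) copies renewed certs.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadOnlyPaths={{ trojan_cert_dir }} {{ trojan_config_path }}

Restart=on-failure
RestartSec=5s
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

After deploying the unit, `systemd-analyze security trojan-go.service` shows which exposure items the directives above address; the config and certificate files must be readable by `trojan_user` for the service to start.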