add Terraform + Ansible infrastructure for GCP deployment

Provisions e2-micro VM (us-east1-b, free tier) with static IP, SSH and
web firewall rules, Docker + Caddy startup script, and IAM bindings for
Firestore and GCS access via ADC. Imports existing drb-calls bucket and
c2-server Firestore database into state. Ansible roles handle first-time
setup (swap, docker group) and all subsequent deploys via rsync + docker
compose, with secrets managed via Ansible Vault. DNS stays on AWS Route 53.

infra/ansible/roles/deploy/templates/c2-core.env.j2

@@ -0,0 +1,20 @@
+# drb-c2-core environment — Managed by Ansible. Do not edit manually.
+
+MQTT_BROKER=mosquitto
+MQTT_PORT=1883
+MQTT_USER={{ vault_mqtt_c2_user }}
+MQTT_PASS={{ vault_mqtt_c2_pass }}
+
+# No GCP_CREDENTIALS_PATH — the VM uses Application Default Credentials
+# via the GCE metadata server. The Terraform IAM bindings grant the required roles.
+FIRESTORE_DATABASE={{ vault_firestore_database }}
+GCS_BUCKET={{ vault_gcs_bucket }}
+
+OPENAI_API_KEY={{ vault_openai_api_key }}
+GOOGLE_MAPS_API_KEY={{ vault_google_maps_api_key }}
+GEMINI_API_KEY={{ vault_gemini_api_key }}
+
+SERVICE_KEY={{ vault_service_key }}
+NODE_API_KEY={{ vault_node_api_key }}
+
+CORS_ORIGINS=["https://app.{{ domain }}"]