add Terraform + Ansible infrastructure for GCP deployment

Provisions e2-micro VM (us-east1-b, free tier) with static IP, SSH and
web firewall rules, Docker + Caddy startup script, and IAM bindings for
Firestore and GCS access via ADC. Imports existing drb-calls bucket and
c2-server Firestore database into state. Ansible roles handle first-time
setup (swap, docker group) and all subsequent deploys via rsync + docker
compose, with secrets managed via Ansible Vault. DNS stays on AWS Route 53.

infra/ansible/vault.yml.example

@@ -0,0 +1,34 @@
+# Template for your Ansible Vault secrets file.
+# Copy to vault.yml, fill in values, then encrypt:
+#   ansible-vault encrypt vault.yml
+# Edit later with:
+#   ansible-vault edit vault.yml
+
+# ── MQTT ─────────────────────────────────────────────────────────────────────
+vault_mqtt_c2_user: drb-c2-core
+vault_mqtt_c2_pass: "CHANGE_ME"
+vault_mqtt_node_user: drb-node
+vault_mqtt_node_pass: "CHANGE_ME"
+
+# ── C2 Core ───────────────────────────────────────────────────────────────────
+vault_service_key: ""            # openssl rand -hex 32
+vault_node_api_key: ""           # openssl rand -hex 32
+vault_openai_api_key: ""
+vault_google_maps_api_key: ""
+vault_gemini_api_key: ""
+vault_gcs_bucket: "your-gcs-bucket-name"
+vault_firestore_database: "c2-server"
+
+# ── Discord Bot ───────────────────────────────────────────────────────────────
+vault_discord_token: ""
+
+# ── Frontend (Firebase) ───────────────────────────────────────────────────────
+vault_firebase_api_key: ""
+vault_firebase_auth_domain: ""
+vault_firebase_project_id: ""
+vault_firebase_storage_bucket: ""
+vault_firebase_messaging_sender_id: ""
+vault_firebase_app_id: ""
+
+# No GCP key needed — the VM uses Application Default Credentials via the
+# GCE metadata server. Terraform grants the required IAM roles at apply time.