add Terraform + Ansible infrastructure for GCP deployment

Provisions e2-micro VM (us-east1-b, free tier) with static IP, SSH and
web firewall rules, Docker + Caddy startup script, and IAM bindings for
Firestore and GCS access via ADC. Imports existing drb-calls bucket and
c2-server Firestore database into state. Ansible roles handle first-time
setup (swap, docker group) and all subsequent deploys via rsync + docker
compose, with secrets managed via Ansible Vault. DNS stays on AWS Route 53.

infra/terraform.tfvars.example

@@ -0,0 +1,24 @@
+# Copy to terraform.tfvars and fill in values.
+# terraform.tfvars is gitignored — never commit it.
+
+project_id    = "your-gcp-project-id"       # gcloud config get-value project
+region        = "us-central1"
+zone          = "us-central1-a"
+
+domain        = "drb.cusano.net"             # DNS is on AWS Route 53 — add A records manually after apply
+
+machine_type  = "e2-standard-2"              # 2 vCPU / 8 GB — adjust if needed
+
+ssh_user       = "drb"
+ssh_public_key = "ssh-ed25519 AAAA... user@host"   # cat ~/.ssh/id_ed25519.pub
+
+# Your IP + any CI runner IPs that need SSH access
+allowed_ssh_cidrs = ["YOUR_IP/32"]
+
+# Existing GCS bucket for audio recordings (bucket must already exist — imported into state)
+audio_bucket_name     = "your-audio-bucket-name"
+audio_bucket_location = "US-CENTRAL1"   # must match existing bucket location exactly — check GCP console
+
+# Existing Firestore database ID and location (imported into state)
+firestore_database = "c2-server"
+firestore_location = "nam5"   # nam5 = us-central, eur3 = europe, us-east1 = us-east