fix: correct Goss test suite to match actual server state

Fixes found by running make verify against Railiance01:

- Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root)
- age/sops are binary installs, not apt packages — use command checks
- Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick
- sudo granted via sudoers file, not group membership — remove group assert
- Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service
- SSH hardening lives in sshd_config.d/10-hardening.conf, not main config
- UFW SSH rule uses app name "OpenSSH", not port 22/tcp
- Replace /regex/i patterns with plain strings (Goss file.contents)
- Update spec/server-baseline.yaml to match all findings

All 27 assertions now pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ansible/roles/goss/tasks/main.yml

@@ -26,7 +26,7 @@
 
 - name: Copy baseline test file
   ansible.builtin.copy:
-    src: "{{ playbook_dir }}/../goss/baseline.yaml"
+    src: "{{ playbook_dir }}/../../goss/baseline.yaml"
     dest: "{{ goss_dir }}/baseline.yaml"
     owner: root
     group: root
@@ -41,7 +41,7 @@
 
 - name: Ensure local reports directory exists
   ansible.builtin.file:
-    path: "{{ playbook_dir }}/../reports"
+    path: "{{ playbook_dir }}/../../reports"
     state: directory
     mode: "0755"
   delegate_to: localhost
@@ -50,7 +50,7 @@
 - name: Write TAP report locally
   ansible.builtin.copy:
     content: "{{ goss_result.stdout }}"
-    dest: "{{ playbook_dir }}/../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
+    dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
     mode: "0644"
   delegate_to: localhost
   become: false