feat: bootstrap and harden Railiance01 at HostEurope

- Extend base role with fail2ban, UFW k3s/Flannel rules, HISTCONTROL
- Add handlers dir for fail2ban restart
- Fix inventory script to emit correct dynamic inventory JSON format
- Add roles_path to ansible.cfg so playbook finds roles
- Add Railiance01 (92.205.62.239) to inventory/servers.yaml
- Mark workplan T03/T04/T05 as done

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ansible/ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 inventory = ./inventory_from_yaml.py
+roles_path = ./roles
 host_key_checking = False
 retry_files_enabled = False
 interpreter_python = auto

ansible/inventory_from_yaml.py

@@ -20,14 +20,19 @@ def load_tf_outputs():
 def main():
     server_list = load_servers()
     tf = load_tf_outputs()
-    hosts = {}
+    host_names = []
+    hostvars = {}
     for s in server_list:
         name = s['name']
-        hosts[name] = {
+        host_names.append(name)
+        hostvars[name] = {
             "ansible_host": tf.get(name) or s.get('ip'),
             "ansible_user": s.get('ssh_user', 'admin')
         }
-    inv = {"all": {"hosts": hosts}}
+    inv = {
+        "all": {"hosts": host_names},
+        "_meta": {"hostvars": hostvars}
+    }
     print(json.dumps(inv))
 
 if __name__ == "__main__":

ansible/roles/base/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted

ansible/roles/base/tasks/main.yml

@@ -8,6 +8,7 @@
       - git
       - vim
       - ufw
+      - fail2ban
       - python3
       - python3-venv
     state: present
@@ -40,6 +41,49 @@
     rule: allow
     name: OpenSSH
 
+- name: Allow k3s API in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '6443'
+    proto: tcp
+
+- name: Allow Flannel VXLAN in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '8472'
+    proto: udp
+
+- name: Enable fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+- name: Configure fail2ban SSH jail
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/jail.d/sshd.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      [sshd]
+      enabled = true
+      port    = ssh
+      filter  = sshd
+      maxretry = 5
+      bantime  = 3600
+      findtime = 600
+  notify: Restart fail2ban
+
+- name: Set HISTCONTROL to ignorespace
+  ansible.builtin.copy:
+    dest: /etc/profile.d/histcontrol.sh
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      export HISTCONTROL=ignorespace
+
 - name: Set timezone
   community.general.timezone:
     name: "{{ timezone | default('UTC') }}"

inventory/servers.yaml

@@ -0,0 +1,4 @@
+servers:
+  - name: Railiance01
+    ip: 92.205.62.239
+    ssh_user: tegwick

workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md

@@ -120,7 +120,8 @@ curl http://127.0.0.1:8000/state/health
 
 ```task
 id: T03
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "6eda6875-1301-4794-a07e-3e13ff1d92bf"
 ```
@@ -149,7 +150,8 @@ the play recap.
 
 ```task
 id: T04
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "77921431-3a45-45b2-a0b0-cf0c43262205"
 ```
@@ -172,7 +174,8 @@ ansible-playbook -i ansible/hosts.ini -l hosteurope ansible/playbooks/bootstrap.
 
 ```task
 id: T05
-status: todo
+status: done
+completed: "2026-03-08"
 priority: medium
 state_hub_task_id: "c573c200-bf22-49d1-86f9-dca1fc71743c"
 ```