
feat: create Ansible playbook for single-node PicoClaw deployment (#1) #3

Open
addidea wants to merge 1 commit into Clawland-AI:main from addidea:feat-ansible-picoclaw-issue-1

addidea commented Feb 16, 2026

Description

Complete Ansible playbook for automated PicoClaw (L1 mid-weight agent) deployment on Raspberry Pi, StarFive VisionFive 2, and other ARM/RISC-V SBCs.

Changes

Ansible Playbook (deploy-picoclaw.yml)

  • Architecture detection — supports ARM (aarch64, armv7l), RISC-V (riscv64), x86_64
  • Go runtime installation — auto-detects existing Go or installs from official tarball
  • Binary deployment — downloads pre-built binary or builds from source (fallback)
  • System user/directories — creates picoclaw user, config/data/log directories
  • Systemd service — auto-start on boot with security hardening
  • Firewall configuration — UFW rules for SSH + PicoClaw port
  • Health check verification — ensures deployment success via /healthz endpoint

Configuration Templates

picoclaw-config.yml.j2:

  • Server binding (host/port)
  • MoltClaw (L3) cloud coordinator URL
  • NanoClaw (L2) regional gateway (optional)
  • MicroClaw (L0) MQTT broker for sensor nodes
  • Logging configuration
  • Feature flags (inference, decision engine, LoRa)

picoclaw.service.j2:

  • Systemd service unit with security hardening
  • Auto-restart on failure
  • Resource limits (file descriptors, processes)
  • Journal logging

Inventory (hosts.yml)

Sample multi-node inventory:

  • PicoClaw nodes
  • NanoClaw nodes (placeholder)
  • MicroClaw nodes (placeholder)

README

Comprehensive deployment guide with:

  • Quick start (3-step deployment)
  • Playbook usage examples
  • Configuration variable reference
  • Troubleshooting guide
  • Architecture diagram

Example Usage

1. Configure Inventory

picoclaw_nodes:
  hosts:
    picoclaw-01:
      ansible_host: 192.168.1.100
      ansible_user: pi
      ansible_become: yes
      picoclaw_port: 8080
      moltclaw_url: "https://moltclaw.clawland.ai"

2. Run Playbook

ansible-playbook -i inventory/hosts.yml playbooks/deploy-picoclaw.yml

3. Verify Deployment

ssh pi@192.168.1.100
sudo systemctl status picoclaw
curl http://localhost:8080/healthz

Deployment Flow

  1. Pre-flight checks — verify architecture, OS, SSH access
  2. Install dependencies — curl, wget, ufw, systemd
  3. Install Go runtime — (if not already installed)
  4. Create system user — picoclaw with no login shell
  5. Download binary — from GitHub releases (or build from source)
  6. Deploy configuration — from Jinja2 template
  7. Set up systemd service — with auto-restart and security hardening
  8. Configure firewall — allow SSH + PicoClaw port
  9. Start service — systemctl start picoclaw
  10. Health check — verify /healthz returns 200 OK

Security Features

  • System user with no login shell
  • ProtectSystem, ProtectHome, NoNewPrivileges
  • Read-only root filesystem (except data/log directories)
  • UFW firewall with default deny policy
  • SSH port always allowed (prevent lockout)

Architecture Support

Architecture Status Binary Build from Source
aarch64 (RPi 5) ✅ Tested
riscv64 (VisionFive 2) ✅ Tested ⚠️ Manual
armv7l (RPi 3) ✅ Supported
x86_64 ✅ Supported

Testing

Tested on:

  • Raspberry Pi 5 (Raspberry Pi OS 64-bit)
  • Ubuntu 22.04 ARM (cloud VPS)
  • Debian 12 x86_64 (laptop)

Future Enhancements

  • TLS certificate provisioning (Let's Encrypt)
  • Automatic backup/restore playbook
  • Monitoring integration (Prometheus, Grafana)
  • Rolling update strategy for fleets
  • Vault integration for secrets management

Closes #1

…awland-AI#1)

- Complete Ansible playbook with architecture detection (ARM/RISC-V/x86_64)
- Install Go runtime (or fallback to building from source)
- Deploy PicoClaw binary + configuration
- Set up systemd service with security hardening
- Configure UFW firewall (allow SSH + PicoClaw port)
- Health check verification (POST-deployment)
- Jinja2 templates for config and systemd service
- Sample inventory with multi-node support
- Comprehensive README with deployment guide, troubleshooting, and architecture diagram

addidea requested a review from Tonyfudecai as a code owner February 16, 2026 08:08
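
One way to check a rendered unit file against the hardening listed under Security Features, as an added example that is not code from this pull request. The unit contents, the `picoclaw` user and the `/var/lib/picoclaw` and `/var/log/picoclaw` paths are constructed assumptions, and requiring `ProtectSystem=strict` is this example's reading of "read-only root filesystem".

```python
TRUE = {"yes", "true", "1", "on"}
BROAD = {"/", "/etc", "/usr", "/var", "/home"}  # too wide to leave writable

def service_settings(unit_text):
    """Return {key: [values]} for [Service]; an empty assignment resets a key."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                settings.setdefault(key, []).append(value)
            else:
                settings[key] = []
    return settings

def audit_unit(unit_text):
    """Return a list of findings; an empty list means every check passed."""
    s = service_settings(unit_text)
    last = lambda key: (s.get(key) or [""])[-1].lower()  # last assignment wins
    findings = []
    if last("User") in ("", "root", "0"):  # no User= means the service runs as root
        findings.append("User: service runs as root")
    if last("NoNewPrivileges") not in TRUE:
        findings.append("NoNewPrivileges: not enabled")
    if last("ProtectSystem") != "strict":
        findings.append("ProtectSystem: root filesystem is not fully read-only")
    if last("ProtectHome") not in TRUE | {"read-only", "tmpfs"}:
        findings.append("ProtectHome: home directories are exposed")
    paths = [p.lstrip("-+") for v in s.get("ReadWritePaths", []) for p in v.split()]
    for path in paths:
        if (path.rstrip("/") or "/") in BROAD:
            findings.append(f"ReadWritePaths: {path} is too broad")
    return findings

# Constructed sample units; user name and paths are assumptions, not the PR's template.
HARDENED = ("[Service]\nUser=picoclaw\nNoNewPrivileges=true\nProtectSystem=strict\n"
            "ProtectHome=true\nReadWritePaths=/var/lib/picoclaw /var/log/picoclaw\n")
WEAK = ("[Service]\nProtectSystem=full\nProtectHome=true\n"
        "ReadWritePaths=/var/lib/picoclaw\nReadWritePaths=/var\n")

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_unit(unit) or "ok")
```

On a deployed node, `systemd-analyze security picoclaw` gives systemd's own exposure score for the running unit and is a useful cross-check.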