initial scaffold: Meridian LXC (Node 22 + npm @rynfar/meridian + systemd)

Deploys @rynfar/meridian on a Debian 12 LXC, bound to 0.0.0.0:3456.
OAuth credentials transferred manually after first deploy (claude login on
Mac, scp ~/.claude to /opt/meridian/.claude). systemd unit is enabled but
gated on credentials.json existence so the first deploy doesn't crash-loop.

LXC has no auth layer — security model is LAN-only reachability.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

site.yml

@@ -0,0 +1,33 @@
+---
+# ==============================================================================
+# Meridian LXC — Site Playbook
+# ==============================================================================
+# Local Anthropic API powered by Chuck's Claude Max OAuth subscription.
+# Bridges the Claude Code SDK to /v1/messages so HAOS's anthropic conversation
+# integration (and any Anthropic-compatible client) can use the Max subscription
+# instead of paid API tokens.
+#
+# Security: Meridian has no auth layer of its own. LAN-only reachability is
+# the entire security model — no Caddy public vhost, no Cloudflare tunnel.
+# OAuth bootstrap is manual: `claude login` on Chuck's Mac, scp ~/.claude/ to
+# /opt/meridian/.claude/ on the LXC, then `systemctl restart meridian`.
+#
+# Usage:
+#   ./deploy.sh                  # full deploy
+#   ./deploy.sh --tags meridian  # meridian role only
+# ==============================================================================
+
+- name: Deploy Meridian LXC
+  hosts: all
+  become: true
+  vars_files:
+    - vars/main.yml
+
+  pre_tasks:
+    - name: Deploy banner
+      debug:
+        msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="
+
+  roles:
+    - meridian
+    - node_exporter