recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)

Sanitized single-commit public mirror of recipe-maintainer.
- Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders.
- Removed plans/ and planned-updates/ (deployment-planning docs) so no client/
  deployment domains appear in the public repo.
- All other secret stores were already gitignored.
- docs.coopcloud.tech retained as a submodule (public upstream).

terraform/cloud-init.yaml

@@ -0,0 +1,37 @@
+#cloud-config
+
+package_update: true
+package_upgrade: true
+
+packages:
+  - curl
+  - git
+  - ufw
+  - fail2ban
+
+write_files:
+  # Docker daemon config for Swarm (live-restore must be false for swarm mode)
+  - path: /etc/docker/daemon.json
+    content: |
+      {
+        "log-driver": "json-file",
+        "log-opts": {
+          "max-size": "10m",
+          "max-file": "3"
+        }
+      }
+
+runcmd:
+  # Install Docker
+  - curl -fsSL https://get.docker.com | sh
+
+  # Configure firewall
+  - ufw default allow incoming
+  - ufw default allow outgoing
+  - ufw --force enable
+
+  # Initialize Docker Swarm
+  - docker swarm init --advertise-addr $(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)
+
+  # Create the proxy network used by Traefik and all recipes
+  - docker network create --driver overlay --attachable proxy