feat: vollst. Installations-Doku, Ansible-Rollen ausimplementiert, claude_workspace-Rolle

- docs/installation.md: Netinstall + Dualboot Schritt-für-Schritt (LUKS nur am Notebook)
- docs/postinstall-ansible.md: Ablauf + restmanuelle Schritte
- roles/base: APT-Sources mit non-free-firmware + Backports, Locale, Tastatur, Zeitzone, Grundpakete
- roles/desktop_kde: Plasma 6 + SDDM (ohne Recommends, kompakt)
- roles/hardening: SSH key-only, UFW, unattended-upgrades
- roles/dev_tools: Node.js via NodeSource, Python, Perl, Git-Defaults
- roles/workstation_apps: Firefox, Thunderbird, LibreOffice, Codecs, KeePassXC
- roles/claude_workspace (NEU): Claude Code + ccusage, SSH-Key für Gitea, Workspace-Clone (recurse-submodules), ~/.claude/settings.json
- site.yml: alle Rollen mit Tags

ansible/roles/base/tasks/main.yml

@@ -1,3 +1,84 @@
 ---
-# Grundsystem: APT-Quellen, Lokalisierung, Firmware, Hilfspakete
-# TODO: implementieren — Skeleton-Datei
+- name: APT-Quellen mit contrib + non-free-firmware + (Backports)
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list
+    mode: '0644'
+    content: |
+      deb http://deb.debian.org/debian/ trixie main contrib non-free-firmware
+      deb http://security.debian.org/debian-security trixie-security main contrib non-free-firmware
+      deb http://deb.debian.org/debian/ trixie-updates main contrib non-free-firmware
+      {% if enable_backports | default(true) %}
+      deb http://deb.debian.org/debian/ trixie-backports main contrib non-free-firmware
+      {% endif %}
+  register: apt_sources
+
+- name: APT cache aktualisieren
+  ansible.builtin.apt:
+    update_cache: true
+  when: apt_sources.changed
+
+- name: Locale-Paket
+  ansible.builtin.apt:
+    name: locales
+    state: present
+    cache_valid_time: 3600
+
+- name: Locale aktivieren
+  ansible.builtin.lineinfile:
+    path: /etc/locale.gen
+    regexp: "^# ?{{ locale }} "
+    line: "{{ locale }} UTF-8"
+  register: locale_line
+
+- name: locale-gen ausführen
+  ansible.builtin.command: locale-gen
+  when: locale_line.changed
+
+- name: Standard-Locale setzen
+  ansible.builtin.copy:
+    dest: /etc/default/locale
+    mode: '0644'
+    content: "LANG={{ locale }}\n"
+
+- name: Tastaturlayout
+  ansible.builtin.copy:
+    dest: /etc/default/keyboard
+    mode: '0644'
+    content: |
+      XKBMODEL="pc105"
+      XKBLAYOUT="{{ keyboard_layout }}"
+      XKBVARIANT=""
+      XKBOPTIONS=""
+      BACKSPACE="guess"
+
+- name: Zeitzone
+  ansible.builtin.command: "timedatectl set-timezone {{ timezone }}"
+  changed_when: false
+
+- name: Grundpakete
+  ansible.builtin.apt:
+    name:
+      - sudo
+      - curl
+      - wget
+      - gnupg
+      - ca-certificates
+      - apt-transport-https
+      - vim
+      - htop
+      - tmux
+      - rsync
+      - net-tools
+      - dnsutils
+      - firmware-linux
+      - firmware-linux-nonfree
+      - lsb-release
+      - bash-completion
+      - man-db
+    state: present
+
+- name: Extra-Pakete je Host
+  ansible.builtin.apt:
+    name: "{{ extra_packages }}"
+    state: present
+  when: extra_packages | default([]) | length > 0