feat: [#339] add AI training outputs with complete input/output dataset

Implement Option B: Generate rendered deployment artifacts for all AI
training examples to complete the dataset with input/output pairs.

Added:
- Script: scripts/generate-ai-training-outputs.sh
  * Iterates over all 15 example configurations
  * Replaces generic SSH paths with fixture paths dynamically
  * Calls render command with placeholder IP (203.0.113.1)
  * Generates artifacts to docs/ai-training/outputs/

- Outputs: docs/ai-training/outputs/ (4.1 MB, 15 subdirectories)
  * Complete rendered templates for all examples
  * Each output includes: Ansible playbooks, Docker Compose,
    configuration files (tracker.toml, prometheus.yml, etc.)
  * Demonstrates deployer transformation: config → artifacts

- Documentation: docs/ai-training/outputs/README.md
  * Explains purpose and structure of outputs
  * Documents placeholder values used
  * Provides regeneration instructions

Updated:
- docs/ai-training/README.md: Added outputs section explaining
  complete input/output pairs for AI training

Benefits:
- AI agents can learn full input/output transformation patterns
- Users can see concrete examples of what gets deployed
- Diff analysis reveals how config options affect rendered templates
- Complete dataset for few-shot learning and pattern recognition

Script features:
- Validates fixture SSH keys exist
- Uses jq for JSON manipulation
- Detailed progress reporting
- Error handling with failure summary
- --clean flag for regeneration
- --help for usage documentation

All linters passing (markdown, yaml, toml, cspell, clippy, rustfmt, shellcheck)

Author: josecelano

docs/ai-training/README.md

@@ -6,6 +6,7 @@ This directory contains resources to help AI agents guide users through creating
 
 - **[questionnaire.md](questionnaire.md)** - Structured decision tree for gathering user requirements
 - **[examples/](examples/)** - 15 pre-configured environment examples demonstrating common deployment scenarios
+- **[outputs/](outputs/)** - Rendered deployment artifacts for all examples (complete input/output pairs)
 
 ## Purpose
 
@@ -16,6 +17,50 @@ These materials enable AI agents to:
 3. **Explain configuration tradeoffs** between different deployment options
 4. **Help users customize** example configurations for their specific needs
 
+## Dataset Structure: Input/Output Pairs
+
+This directory contains a **complete AI training dataset** with both inputs and outputs:
+
+### Input: Environment Configurations
+
+- Location: [`examples/`](examples/)
+- Format: JSON configuration files
+- Content: High-level deployment requirements (provider, database, domains, etc.)
+
+### Output: Rendered Deployment Artifacts
+
+- Location: [`outputs/`](outputs/)
+- Format: Rendered templates (Ansible, Docker Compose, configuration files)
+- Content: Concrete artifacts ready for deployment
+
+### The Deployer as a Function
+
+```text
+config.json → [Deployer] → Rendered Templates
+   (IN)                         (OUT)
+```
+
+The deployer transforms:
+
+- **FROM**: Desired infrastructure state in custom domain language
+- **TO**: Executable deployment artifacts
+
+### Example Mapping
+
+| Input (Config)                                                 | Output (Artifacts)                                    |
+| -------------------------------------------------------------- | ----------------------------------------------------- |
+| [`examples/01-minimal-lxd.json`](examples/01-minimal-lxd.json) | [`outputs/01-minimal-lxd/`](outputs/01-minimal-lxd/)  |
+| SQLite + UDP + HTTP + LXD                                      | Ansible playbooks, tracker.toml, docker-compose, etc. |
+
+**Benefits for AI Agents:**
+
+- **Few-shot learning**: Full input/output examples show transformation patterns
+- **Pattern recognition**: See how config changes affect rendered templates
+- **Diff analysis**: Compare outputs to understand configuration impact
+- **Template understanding**: Learn the structure of deployment artifacts
+
+**Regenerating Outputs**: Run `./scripts/generate-ai-training-outputs.sh` to update artifacts when templates change.
+
 ## Using the Questionnaire
 
 The [questionnaire.md](questionnaire.md) provides a systematic approach to gather user requirements across 14 key areas:

docs/ai-training/outputs/01-minimal-lxd/ansible/ansible.cfg

@@ -0,0 +1,60 @@
+# ============================================================================
+# Torrust Tracker Deployer - Generated Configuration
+# ============================================================================
+#
+# This file was generated by the Torrust Tracker Deployer.
+#
+# DOCUMENTATION:
+#   Repository:    https://github.com/torrust/torrust-tracker-deployer
+#   Template:      templates/ansible/ansible.cfg
+#   API Docs:      https://docs.rs/torrust-tracker-deployer/latest/
+#
+# DESCRIPTION:
+#   Ansible global configuration settings for connecting to provisioned VMs.
+#   Configures SSH connection settings and output formatting.
+#
+# For configuration options and valid values, see the API documentation link above.
+# ============================================================================
+
+# 🔗 INFRASTRUCTURE WORKFLOW:
+# 1. OpenTofu (templates/tofu/lxd/) provisions VMs with cloud-init
+# 2. Cloud-init sets up users, SSH keys, and basic system configuration
+# 3. Ansible (this directory) connects to provisioned VMs for management tasks
+# 4. This config file ensures Ansible can reliably connect to OpenTofu-created VMs
+
+[defaults]
+# Specify the default inventory file location
+# This tells Ansible where to find the list of hosts to manage
+# 🔗 The inventory.yml contains IPs of VMs created by OpenTofu
+inventory = inventory.yml
+
+# Disable SSH host key checking for lab/development environments
+# This prevents SSH from asking "Are you sure you want to connect?" prompts
+# ⚠️  IMPORTANT: OpenTofu creates fresh VMs with new SSH host keys each time
+# WARNING: Only use this in trusted lab environments, not production
+host_key_checking = False
+
+# Use debug callback plugin for better output formatting
+# This provides cleaner, more readable output from Ansible commands
+stdout_callback = debug
+stderr_callback = debug
+
+# Enable progress display for long-running tasks
+# Shows task progress and timing information
+callback_enabled = timer, profile_tasks
+
+# Display task timing information
+show_task_path_on_failure = True
+
+# Set connection timeout in seconds
+# How long to wait for SSH connections before giving up
+timeout = 30
+
+[ssh_connection]
+# SSH connection optimization arguments
+# These settings improve SSH connection performance and reliability:
+# - ControlMaster=auto: Reuse SSH connections for multiple commands
+# - ControlPersist=60s: Keep connections alive for 60 seconds after last use
+# - StrictHostKeyChecking=no: Don't verify SSH host keys (lab environment only)
+# - UserKnownHostsFile=/dev/null: Don't save host keys to known_hosts file
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

docs/ai-training/outputs/01-minimal-lxd/ansible/configure-firewall.yml

@@ -0,0 +1,142 @@
+# ============================================================================
+# Torrust Tracker Deployer - Generated Configuration
+# ============================================================================
+#
+# This file was generated by the Torrust Tracker Deployer.
+#
+# DOCUMENTATION:
+#   Repository:    https://github.com/torrust/torrust-tracker-deployer
+#   Template:      templates/ansible/configure-firewall.yml
+#   API Docs:      https://docs.rs/torrust-tracker-deployer/latest/
+#
+# DESCRIPTION:
+#   Ansible playbook to configure UFW firewall rules for SSH access.
+#   Ensures safe SSH connectivity before enabling firewall.
+#
+# For configuration options and valid values, see the API documentation link above.
+# ============================================================================
+
+---
+# IMPORTANT SECURITY NOTE:
+# =======================
+# This playbook ONLY configures SSH firewall rules. Application service ports
+# (tracker, grafana, prometheus, etc.) are NOT controlled by UFW because Docker
+# bypasses UFW rules when publishing container ports.
+#
+# Docker Security Model:
+# - Docker manipulates iptables NAT table directly, bypassing UFW's INPUT/OUTPUT chains
+# - Service exposure is controlled via docker-compose port bindings, not UFW
+# - Internal services (MySQL, Prometheus) have NO port bindings - Docker network only
+# - Public services (Tracker, Grafana) have explicit port bindings in docker-compose
+#
+# For details, see ADR: docs/decisions/docker-ufw-firewall-security-strategy.md
+#
+# This playbook configures UFW with restrictive policies while preserving SSH access.
+# CRITICAL: SSH access is allowed BEFORE enabling firewall to prevent lockout.
+#
+# Variables are loaded from variables.yml for centralized management.
+
+- name: Configure UFW firewall safely (SSH access only)
+  hosts: all
+  become: yes
+  gather_facts: yes
+  vars_files:
+    - variables.yml
+
+  tasks:
+    - name: Install UFW (should already be present on Ubuntu)
+      ansible.builtin.apt:
+        name: ufw
+        state: present
+        update_cache: yes
+      tags:
+        - security
+        - firewall
+        - packages
+
+    - name: Reset UFW to clean state
+      community.general.ufw:
+        state: reset
+      tags:
+        - security
+        - firewall
+        - reset
+
+    - name: Set UFW default policy - deny incoming
+      community.general.ufw:
+        default: deny
+        direction: incoming
+      tags:
+        - security
+        - firewall
+        - policy
+
+    - name: Set UFW default policy - allow outgoing
+      community.general.ufw:
+        default: allow
+        direction: outgoing
+      tags:
+        - security
+        - firewall
+        - policy
+
+    # CRITICAL: Allow SSH BEFORE enabling firewall to prevent lockout
+    - name: Allow SSH access on configured port (BEFORE enabling firewall)
+      community.general.ufw:
+        rule: allow
+        port: "{{ ssh_port }}"
+        proto: tcp
+        comment: "SSH access (configured port {{ ssh_port }})"
+      tags:
+        - security
+        - firewall
+        - ssh
+
+    - name: Enable UFW firewall (AFTER SSH rules are in place)
+      community.general.ufw:
+        state: enabled
+      tags:
+        - security
+        - firewall
+        - enable
+
+    - name: Verify UFW status
+      ansible.builtin.command:
+        cmd: ufw status numbered
+      register: ufw_status
+      changed_when: false
+      tags:
+        - security
+        - firewall
+        - verification
+
+    - name: Display UFW status
+      ansible.builtin.debug:
+        var: ufw_status.stdout_lines
+      tags:
+        - security
+        - firewall
+        - verification
+
+    - name: Verify SSH port is allowed
+      ansible.builtin.shell:
+        cmd: "ufw status | grep -E '{{ ssh_port }}/tcp.*ALLOW'"
+      register: ssh_port_check
+      changed_when: false
+      failed_when: ssh_port_check.rc != 0
+      tags:
+        - security
+        - firewall
+        - verification
+        - ssh
+
+    - name: Confirm firewall configuration complete
+      ansible.builtin.debug:
+        msg:
+          - "UFW firewall configured successfully"
+          - "SSH access preserved on port {{ ssh_port }}"
+          - "Default policy: deny incoming, allow outgoing"
+          - "Active rules protect against unauthorized access"
+      tags:
+        - security
+        - firewall

docs/ai-training/outputs/01-minimal-lxd/ansible/configure-security-updates.yml

@@ -0,0 +1,90 @@
+# ============================================================================
+# Torrust Tracker Deployer - Generated Configuration
+# ============================================================================
+#
+# This file was generated by the Torrust Tracker Deployer.
+#
+# DOCUMENTATION:
+#   Repository:    https://github.com/torrust/torrust-tracker-deployer
+#   Template:      templates/ansible/configure-security-updates.yml
+#   API Docs:      https://docs.rs/torrust-tracker-deployer/latest/
+#
+# DESCRIPTION:
+#   Ansible playbook to configure automatic security updates using unattended-upgrades.
+#   Schedules automatic reboots at 2:00 AM when updates require restart.
+#
+# For configuration options and valid values, see the API documentation link above.
+# ============================================================================
+
+---
+- name: Configure automatic security updates
+  hosts: all
+  gather_facts: true
+  become: true
+
+  tasks:
+    - name: 🔐 Starting automatic security updates configuration
+      ansible.builtin.debug:
+        msg: "🚀 Configuring unattended-upgrades on {{ inventory_hostname }}"
+
+    - name: Install unattended-upgrades package
+      ansible.builtin.apt:
+        name: unattended-upgrades
+        state: present
+        update_cache: true
+        force_apt_get: true
+      when: ansible_os_family == "Debian"
+
+    - name: Enable automatic security updates
+      ansible.builtin.lineinfile:
+        path: /etc/apt/apt.conf.d/20auto-upgrades
+        regexp: "^APT::Periodic::Unattended-Upgrade"
+        line: 'APT::Periodic::Unattended-Upgrade "1";'
+        create: true
+        backup: true
+      when: ansible_os_family == "Debian"
+
+    - name: Enable automatic reboot for security updates
+      ansible.builtin.lineinfile:
+        path: /etc/apt/apt.conf.d/50unattended-upgrades
+        regexp: "^Unattended-Upgrade::Automatic-Reboot"
+        line: 'Unattended-Upgrade::Automatic-Reboot "true";'
+        backup: true
+      when: ansible_os_family == "Debian"
+
+    - name: Set automatic reboot time to 2:00 AM
+      ansible.builtin.lineinfile:
+        path: /etc/apt/apt.conf.d/50unattended-upgrades
+        regexp: "^Unattended-Upgrade::Automatic-Reboot-Time"
+        line: 'Unattended-Upgrade::Automatic-Reboot-Time "02:00";'
+        backup: true
+      when: ansible_os_family == "Debian"
+
+    - name: Enable and start unattended-upgrades service
+      ansible.builtin.systemd:
+        name: unattended-upgrades
+        enabled: true
+        state: started
+      when: ansible_os_family == "Debian"
+      ignore_errors: true # Ignore in container environments where systemd might not work
+
+    - name: Verify unattended-upgrades configuration
+      ansible.builtin.command:
+        cmd: unattended-upgrade --dry-run --debug
+      register: unattended_upgrades_test
+      changed_when: false
+      failed_when: false # Don't fail on verification errors in test environments
+      when: ansible_os_family == "Debian"
+
+    - name: Display verification result
+      ansible.builtin.debug:
+        msg: "✅ Unattended-upgrades dry-run completed with exit code {{ unattended_upgrades_test.rc }}"
+
+    - name: Configuration summary
+      ansible.builtin.debug:
+        msg: |
+          ✅ Automatic security updates configuration completed!
+          📦 Installed: unattended-upgrades
+          🔄 Automatic updates: Enabled
+          🕐 Automatic reboot time: 02:00
+          ℹ️  Security updates will be installed automatically with scheduled reboots