When the scope is one VM running Docker and Kamal, Ansible's configuration overhead isn't justified. A cloud-init user-data script entered at droplet creation handles apt upgrades, Docker install, security packages, firewall, swap, non-root user and Tailscale in one shot — and makes the setup reproducible and auditable. Periodically review the script: some things (like chrony on Ubuntu 24) are now defaults and can be removed.
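One cloud-config form such a user-data file could take, added here as an example and not the author's own script. The `deploy` user, the package selection, the 2G swap size, the open ports and the key placeholders are all assumptions to replace.

```yaml
#cloud-config
# Added example; every name, size and key below is a placeholder.
package_update: true
package_upgrade: true
packages:                            # assumed choice of "security packages"
  - ufw
  - fail2ban
  - unattended-upgrades
  - curl

users:
  - name: deploy                     # hypothetical non-root account
    shell: /bin/bash
    groups: [sudo]
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    lock_passwd: true                # key-only login, no password set
    ssh_authorized_keys:
      - ssh-ed25519 AAAA_REPLACE_WITH_YOUR_PUBLIC_KEY

swap:
  filename: /swapfile
  size: 2G                           # assumed size

runcmd:
  # Firewall first, so nothing extra is reachable while the rest installs.
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow OpenSSH
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  # Docker from upstream's convenience script.
  # Ports published by containers go through Docker's own iptables rules
  # and are not filtered by ufw, so publish only what should be public.
  - curl -fsSL https://get.docker.com | sh
  - usermod -aG docker deploy        # docker group is root-equivalent
  # Tailscale: join the tailnet with a pre-generated auth key.
  - curl -fsSL https://tailscale.com/install.sh | sh
  - tailscale up --auth-key=tskey-auth-REPLACE_ME
```

User-data stays readable on the droplet after boot (cloud-init keeps a copy under `/var/lib/cloud` and the metadata service serves it), so use a one-time, short-lived Tailscale auth key rather than a reusable one.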