xmpp2: set up the users via Ansible

Author: ForNeVeR

README.md

@@ -41,7 +41,7 @@ The license indication in the project's sources is compliant with the [REUSE spe
 [codingteam.org.ru]: https://codingteam.org.ru
 [devops]: https://ru.wikipedia.org/wiki/DevOps
 [docs.license]: LICENSES/MIT.txt
-[host.xmpp2]: xmpp2/HOST.md
+[host.xmpp2]: xmpp2/README.md
 [hosts/cthulhu-3]: cthulhu-3/Host.md
 [hosts/ctor]: ctor/Host.md
 [hosts/omnissiah]: omnissiah/Host.md

xmpp2/.gitignore

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+hosts.ini
+
+vars/vars.yml

xmpp2/HOST.md

@@ -0,0 +1,20 @@
+<!--
+SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+
+SPDX-License-Identifier: MIT
+-->
+
+xmpp2 host
+==========
+- **Provider:** Digital Ocean
+- **OS**: Ubuntu 24.04
+
+How to Deploy
+-------------
+1. Copy `hosts.example.ini` to `hosts.ini`, fix the host connection details if needed.
+2. Copy `vars/vars.example.yml` to `vars/vars.yml` and adjust it accordingly.
+3. To **check the results** without applying, run `ansible-playbook --check --diff default.yml`.
+
+   To **deploy**, run `ansible-playbook default.yml`.
+
+If on Windows, feel free to use scripts `ansible-playbook.ps1` as a substitute to use Ansible from WSL.

xmpp2/README.md

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+wsl --distribution Ubuntu ansible-playbook --inventory hosts.ini @args -e 'ansible_ssh_pipelining=True'

xmpp2/ansible-playbook.ps1

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+- import_playbook: users.yml

xmpp2/default.yml

@@ -0,0 +1,6 @@
+; SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+;
+; SPDX-License-Identifier: MIT
+
+[xmpp2]
+xmpp2 ansible_user=mario ansible_ssh_private_key_file=/home/mario/.ssh/xmpp2

xmpp2/hosts.example.ini

@@ -0,0 +1,39 @@
+---
+- name: Set up user
+  hosts: xmpp2
+  become: true
+
+  vars_files:
+    - vars.yml
+
+  handlers:
+    - name: Reload sshd
+      ansible.builtin.service:
+        name: ssh
+        state: reloaded
+
+  tasks:
+    - name: Ensure a group exists for those who can connect with SSH
+      ansible.builtin.group:
+        name: sshuser
+
+    - name: Ensure a user exists and can SSH into the machine
+      ansible.builtin.user:
+        name: '{{ user.name }}'
+        shell: /bin/sh
+        groups: [ 'sudo', 'sshuser' ]
+        append: true
+        home: '/home/{{ user.name }}'
+        password_lock: true
+
+    - name: Ensure the user can use SSH
+      ansible.posix.authorized_key:
+        user: '{{ user.name }}'
+        key: '{{ user.ssh_key }}'
+
+    - name: Ensure only members of sshuser group can connect via SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        line: 'AllowGroups sshuser'
+        validate: 'sshd -f %s -t'
+      notify: Reload sshd

xmpp2/users.yml

@@ -0,0 +1,3 @@
+user:
+  name: mario
+  ssh_key: 'ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXX/XXX username1@hostname'