(#39) xmpp2: improve the auth instruction, start implementing nginx

Author: ForNeVeR

xmpp2/.gitignore

@@ -4,4 +4,5 @@
 
 hosts.ini
 
+vars/secrets.yml
 vars/vars.yml

xmpp2/README.md

@@ -13,8 +13,12 @@ How to Deploy
 -------------
 1. Copy `hosts.example.ini` to `hosts.ini`, fix the host connection details if needed.
 2. Copy `vars/vars.example.yml` to `vars/vars.yml` and adjust it accordingly.
-3. To **check the results** without applying, run `ansible-playbook --check --diff default.yml`.
+3. Copy `vars/secrets.example.yml` to `vars/secrets.yml` and adjust it accordingly.
+4. `ansible-vault encrypt vars/secrets.yml`
+5. To **check the results** without applying, run `ansible-playbook --ask-vault-pass --ask-become-pass --check --diff default.yml`.
 
-   To **deploy**, run `ansible-playbook default.yml`.
+   To **deploy**, run `ansible-playbook --ask-vault-pass --ask-become-pass default.yml`.
 
-If on Windows, feel free to use scripts `ansible-playbook.ps1` as a substitute to use Ansible from WSL.
+If on Windows, feel free to use scripts `ansible-vault.ps1`, `ansible-playbook.ps1` as a substitute to use Ansible from WSL.
+
+If running deployment for the first time, then run `ansible-playbook --ask-vault-pass auth.yml` to set up the user accounts and access properly.

xmpp2/ansible-vault.ps1

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+wsl --distribution Ubuntu ansible-vault @args

xmpp2/users.yml renamed to xmpp2/auth.yml

@@ -3,11 +3,12 @@
 # SPDX-License-Identifier: MIT
 
 ---
-- name: Set up user
+- name: Set up the users and authentication
   hosts: xmpp2
   become: true
 
   vars_files:
+    - secrets.yml
     - vars.yml
 
   handlers:
@@ -28,12 +29,13 @@
         groups: ['sudo', 'sshuser']
         append: true
         home: '/home/{{ user.name }}'
-        password_lock: true
+        password_lock: false
+        password: '{{ user_secrets.password_hash }}'
 
     - name: Ensure the user can use SSH
       ansible.posix.authorized_key:
         user: '{{ user.name }}'
-        key: '{{ user.ssh_key }}'
+        key: '{{ user.ssh_public_key }}'
 
     - name: Ensure only members of sshuser group can connect via SSH
       ansible.builtin.lineinfile:

xmpp2/default.yml

@@ -2,4 +2,5 @@
 #
 # SPDX-License-Identifier: MIT
 
-- import_playbook: users.yml
+- import_playbook: auth.yml
+- import_playbook: nginx.yml

xmpp2/nginx.yml

@@ -0,0 +1,20 @@
+---
+- name: Install and configure Nginx
+  hosts: xmpp2
+  become: true
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 3600
+
+    - name: Install nginx package
+      apt:
+        name: nginx
+        state: present
+
+    - name: Start and enable nginx service
+      service:
+        name: nginx
+        state: started
+        enabled: yes

xmpp2/vars/secrets.example.yml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+user_secrets:
+  password_hash: '' # Use `mkpasswd --method=sha-512` to generate.

xmpp2/vars/vars.example.yml

@@ -4,4 +4,4 @@
 
 user:
   name: mario
-  ssh_key: 'ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXX/XXX username1@hostname'
+  ssh_public_key: 'ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXX/XXX username1@hostname'