Enable Ansible deployment for xmpp2 host

.github/workflows/main.yml

@@ -14,6 +14,16 @@ on:
   workflow_dispatch:
 
 jobs:
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@v25
+        with:
+          args: "-c ansible-lint.yml"
+
   encoding:
     runs-on: ubuntu-24.04
     steps:

Folder.DotSettings

@@ -0,0 +1,8 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=certonly/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=codingteam/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=lineinfile/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=loglist/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=pgdata/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=postgre/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=sshuser/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

README.md

@@ -25,6 +25,7 @@ Host specification
 - [codingteam.org.ru][hosts/ctor]
 - [cthulhu-3][hosts/cthulhu-3]
 - [omnissiah][hosts/omnissiah]
+- [xmpp2][hosts.xmpp2]
 
 Documentation
 -------------
@@ -40,6 +41,7 @@ The license indication in the project's sources is compliant with the [REUSE spe
 [codingteam.org.ru]: https://codingteam.org.ru
 [devops]: https://ru.wikipedia.org/wiki/DevOps
 [docs.license]: LICENSES/MIT.txt
+[host.xmpp2]: xmpp2/README.md
 [hosts/cthulhu-3]: cthulhu-3/Host.md
 [hosts/ctor]: ctor/Host.md
 [hosts/omnissiah]: omnissiah/Host.md

REUSE.toml

@@ -0,0 +1,10 @@
+version = 1
+SPDX-PackageName = "devops"
+SPDX-PackageSupplier = "codingteam/devops contributors <https://github.com/codingteam/devops>"
+SPDX-PackageDownloadLocation = "https://github.com/codingteam/devops"
+
+[[annotations]]
+path = "**.DotSettings"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2025 Friedrich von Never <[email protected]>"
+SPDX-License-Identifier = "MIT"

ansible-lint.yml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+exclude_paths:
+  - .github/ # no Ansible plays in there
+  - xmpp2/default.yml # just a list of other files

requirements.yml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+---
+collections:
+  - name: ansible.posix
+    version: 1.5.4
+  - name: community.docker
+    version: 3.7.0
+  - name: community.general
+    version: 8.3.0

xmpp2/.gitignore

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+hosts.ini
+
+vars/secrets.yml
+vars/vars.yml

xmpp2/README.md

@@ -0,0 +1,39 @@
+<!--
+SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+
+SPDX-License-Identifier: MIT
+-->
+
+xmpp2 host
+==========
+- **Provider:** Digital Ocean
+- **OS**: Ubuntu 24.04
+
+How to Deploy
+-------------
+1. Copy `hosts.example.ini` to `hosts.ini`, fix the host connection details if needed.
+2. Copy `vars/vars.example.yml` to `vars/vars.yml` and adjust it accordingly.
+3. Copy `vars/secrets.example.yml` to `vars/secrets.yml` and adjust it accordingly.
+4. `ansible-vault encrypt vars/secrets.yml`
+5. To **check the results** without applying, run `ansible-playbook --ask-vault-pass --ask-become-pass --check --diff default.yml`.
+
+   To **deploy**, run `ansible-playbook --ask-vault-pass --ask-become-pass default.yml`.
+
+If on Windows, feel free to use scripts `ansible-vault.ps1`, `ansible-playbook.ps1` as a substitute to use Ansible from WSL.
+
+If running deployment for the first time, then run `ansible-playbook --ask-vault-pass auth.yml` to set up the user accounts and access properly.
+
+Standard Operating Procedures
+-----------------------------
+
+### Dump Database Backup for LogList
+```console
+$ docker exec -i loglist.postgresql pg_dump -d loglist -U postgres -F custom --no-acl > loglist.dmp
+```
+
+### Restore Database Backup for LogList
+```console
+$ docker cp loglist.dmp loglist.postgresql:/loglist.dmp
+$ docker exec -i loglist.postgresql pg_restore -d loglist -U loglist --clean --no-owner -1 /loglist.dmp
+$ docker exec -i loglist.postgresql rm /loglist.dmp
+```

xmpp2/ansible-playbook.ps1

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+wsl --distribution Ubuntu ansible-playbook --inventory hosts.ini @args -e 'ansible_ssh_pipelining=True'

xmpp2/ansible-vault.ps1

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+wsl --distribution Ubuntu ansible-vault @args

xmpp2/auth.yml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Set up the users and authentication
+  hosts: xmpp2
+  become: true
+
+  vars_files:
+    - secrets.yml
+    - vars.yml
+
+  handlers:
+    - name: Reload sshd
+      ansible.builtin.service:
+        name: ssh
+        state: reloaded
+
+  tasks:
+    - name: Ensure a group exists for those who can connect with SSH
+      ansible.builtin.group:
+        name: sshuser
+
+    - name: Ensure a user exists and can SSH into the machine
+      ansible.builtin.user:
+        name: '{{ user.name }}'
+        shell: /bin/bash
+        groups: ['sudo', 'sshuser']
+        append: true
+        home: '/home/{{ user.name }}'
+        password_lock: false
+        password: '{{ user_secrets.password_hash }}'
+
+    - name: Ensure the user can use SSH
+      ansible.posix.authorized_key:
+        user: '{{ user.name }}'
+        key: '{{ user.ssh_public_key }}'
+
+    - name: Ensure only members of sshuser group can connect via SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        line: 'AllowGroups sshuser'
+        validate: 'sshd -f %s -t'
+      notify: Reload sshd

xmpp2/certbot.yml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Configure Certbot for certificate renewal
+  hosts: xmpp2
+  become: true
+
+  tasks:
+    - name: Install certbot
+      community.general.snap:
+        name: certbot
+        classic: true
+
+    # One-time setup should be performed manually, see the documentation:
+    # https://certbot.eff.org/instructions?ws=nginx&os=snap&tab=standard
+    #
+    # sudo certbot --nginx -d codingteam.org.ru -d loglist.xyz -d www.loglist.xyz
+    #
+    # Verify the changes to the web server configuration files performed by this command.
+    #
+    # Further updates are done by snap.certbot.renew.timer — see `systemctl list-timers` for details.

xmpp2/codingteam.org.ru.yml

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Main site for codingteam.org.ru
+  hosts: xmpp2
+  become: true
+
+  vars:
+    codingteam_org_ru_version: v1.2.1
+
+  handlers:
+    - name: Prune Docker
+      community.docker.docker_prune:
+        containers: true
+        images: true
+        images_filters:
+          dangling: false
+        networks: true
+        volumes: true
+        builder_cache: true
+
+    - name: Reload nginx
+      ansible.builtin.service:
+        name: nginx
+        state: reloaded
+
+  tasks:
+    - name: Set up the Docker container
+      community.docker.docker_container:
+        name: codingteam.org.ru
+        image_name_mismatch: recreate
+        image: codingteam/codingteam.org.ru:{{ codingteam_org_ru_version }}
+        published_ports:
+          - '5000:5000'
+        restart_policy: unless-stopped
+        default_host_ip: ''
+        env:
+          ASPNETCORE_URLS: "http://+:5000" # otherwise, it can't be reached (listens to "localhost" only?)
+      notify: Prune Docker
+
+    - name: Set up the nginx configuration file
+      ansible.builtin.copy:
+        src: nginx/conf.d/codingteam.org.ru.conf
+        dest: /etc/nginx/conf.d/codingteam.org.ru.conf
+        mode: "u=rx,go=rx"
+      notify: Reload nginx
+
+    - name: Create a directory for the old logs # uploaded manually
+      ansible.builtin.file:
+        path: /opt/codingteam/old-logs
+        state: directory
+        owner: www-data
+        group: www-data
+        mode: "u=rx,go=rx"

xmpp2/default.yml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+- import_playbook: auth.yml
+- import_playbook: nginx.yml
+- import_playbook: docker.yml
+- import_playbook: codingteam.org.ru.yml
+- import_playbook: loglist.yml
+- import_playbook: certbot.yml

xmpp2/docker.yml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Install Docker
+  hosts: xmpp2
+  become: true
+
+  vars_files:
+    - vars.yml
+
+  tasks:
+    - name: Install the Docker package
+      ansible.builtin.apt:
+        cache_valid_time: 86400
+        name: docker.io
+        state: present
+
+    - name: Add the admin user to docker group
+      ansible.builtin.user:
+        name: '{{ user.name }}'
+        groups: docker
+        append: true

xmpp2/files/loglist/application.conf

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+#
+# SPDX-License-Identifier: MIT
+
+play.http.secret.key = ${HTTP_SECRET_KEY}
+play.i18n.langs = ["en"]
+
+feed.limit = 30
+
+db.default.driver = org.postgresql.Driver
+db.default.url = ${DATABASE_URL}
+
+play.evolutions.autocommit = false
+play.evolutions.db.default.autoApply = ${APPLY_EVOLUTIONS_SILENTLY}
+
+recaptcha.publickey = ${RECAPTCHA_PUBLIC_KEY}
+recaptcha.privatekey = ${RECAPTCHA_PRIVATE_KEY}
+
+basicAuth.username = ${BASIC_AUTH_USERNAME}
+basicAuth.password = ${BASIC_AUTH_PASSWORD}
+
+approval.smtpHost = ${APPROVAL_SMTP_HOST}
+approval.email = ${APPROVAL_EMAIL}
+approval.emailPassword = ${APPROVAL_EMAIL_PASSWORD}
+
+play.modules.enabled += "scalikejdbc.PlayModule"
+
+play.filters.enabled += play.filters.hosts.AllowedHostsFilter
+play.filters.hosts {
+  allowed = ["loglist.xyz"]
+}

xmpp2/files/loglist/init_db.sql

@@ -0,0 +1,5 @@
+-- SPDX-FileCopyrightText: 2025 Friedrich von Never <[email protected]>
+--
+-- SPDX-License-Identifier: MIT
+
+CREATE EXTENSION pgcrypto;

xmpp2/files/nginx/conf.d/codingteam.org.ru.conf

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2016-2025 codingteam/devops contributors <https://github.com/codingteam/devops>
+#
+# SPDX-License-Identifier: MIT
+
+server {
+    listen 443 ssl http2;
+    server_name codingteam.org.ru;
+    include /etc/nginx/ssl.conf;
+
+    location /old-logs/ {
+        alias /opt/codingteam/old-logs/;
+        index index.html;
+    }
+
+    location / {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host codingteam.org.ru;
+        proxy_http_version 1.1;
+        proxy_pass http://localhost:5000/;
+    }
+}
+
+server {
+    listen 80;
+    server_name codingteam.org.ru;
+
+    location / {
+         rewrite ^(.*)$ https://codingteam.org.ru$1 permanent;
+    }
+}