diff --git a/.idea/dictionaries/project.xml b/.idea/dictionaries/project.xml
new file mode 100644
index 0000000..d30f832
--- /dev/null
+++ b/.idea/dictionaries/project.xml
@@ -0,0 +1,14 @@
+
+
+
+ fallocate
+ fstype
+ initdb
+ lineinfile
+ mkswap
+ noqa
+ passno
+ swapon
+
+
+
\ No newline at end of file
diff --git a/REUSE.toml b/REUSE.toml
index 7bd1cfb..5a44547 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -8,3 +8,9 @@ path = "**.DotSettings"
precedence = "aggregate"
SPDX-FileCopyrightText = "2025 Friedrich von Never "
SPDX-License-Identifier = "MIT"
+
+[[annotations]]
+path = ".idea/**/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2025 Friedrich von Never "
+SPDX-License-Identifier = "MIT"
diff --git a/xmpp2/default.yml b/xmpp2/default.yml
index 69564ed..f5863a0 100644
--- a/xmpp2/default.yml
+++ b/xmpp2/default.yml
@@ -3,6 +3,7 @@
# SPDX-License-Identifier: MIT
- import_playbook: auth.yml
+- import_playbook: system.yml
- import_playbook: nginx.yml
- import_playbook: docker.yml
- import_playbook: codingteam.org.ru.yml
diff --git a/xmpp2/loglist.yml b/xmpp2/loglist.yml
index 8cbdfda..fe3d48b 100644
--- a/xmpp2/loglist.yml
+++ b/xmpp2/loglist.yml
@@ -40,16 +40,23 @@
state: reloaded
tasks:
- - name: Create directories
+ - name: Create read-only directories
ansible.builtin.file:
path: '{{ item }}'
state: directory
- mode: 'u=rx,g,o=r'
+ mode: 'u=rx,go='
loop:
- '{{ host_db_init_scripts_dir }}'
- - '{{ host_data_dir }}'
- '{{ host_config_dir }}'
+ - name: Create read/write directories
+ ansible.builtin.file:
+ path: '{{ item }}'
+ state: directory
+ mode: 'u=rwx,go='
+ loop:
+ - '{{ host_data_dir }}'
+
- name: Create the Docker network
community.docker.docker_network:
name: loglist
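Review bot: Neither "Create read-only directories" nor "Create read/write directories" sets `owner` or `group`, so the new `go=` modes restrict access to whichever account happens to own the paths rather than to a named one. If these directories are bind-mounted into containers whose processes run under a non-root UID (the mounts are not visible in this hunk), that UID may lose read access to `host_config_dir` and `host_db_init_scripts_dir`, and write access to `host_data_dir`. Adding explicit `owner: <intended account>` and `group: <intended group>` lines (placeholders, the right values depend on the container users) makes the restriction deterministic. The same applies to the `ansible.builtin.copy` tasks for `init_db.sql` and `application.conf` in the later hunks of this file.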
@@ -58,7 +65,7 @@
ansible.builtin.copy:
src: loglist/init_db.sql
dest: '{{ host_db_init_scripts_dir }}/init_db.sql'
- mode: 'u,g,o=rx'
+ mode: 'u=rx,go='
- name: Set up the database container
community.docker.docker_container:
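Review bot: `mode: 'u=rx,go='` on `init_db.sql` keeps the owner execute bit on a file that is only read as data. `mode: 'u=r,go='` would match what this commit already uses for `application.conf`. The same applies to `/etc/nginx/conf.d/loglist.conf` in the last hunk of this file, which also gets `u=rx`. The enclosing copy task starts above this hunk.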
@@ -84,7 +91,7 @@
ansible.builtin.copy:
src: loglist/application.conf
dest: '{{ host_config_dir }}/application.conf'
- mode: 'u,g,o=r'
+ mode: 'u=r,go='
- name: Set up the application container
community.docker.docker_container:
@@ -116,5 +123,5 @@
ansible.builtin.copy:
src: nginx/conf.d/loglist.conf
dest: /etc/nginx/conf.d/loglist.conf
- mode: "u=rx,go=rx"
+ mode: 'u=rx,go='
notify: Reload nginx
diff --git a/xmpp2/system.yml b/xmpp2/system.yml
new file mode 100644
index 0000000..7db37ab
--- /dev/null
+++ b/xmpp2/system.yml
@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Set up the system
+ hosts: xmpp2
+ become: true
+
+ vars:
+ swap_file_path: '/swapfile'
+ swap_file_size: '2GiB'
+
+ tasks:
+ - name: Check if swap file exists
+ ansible.builtin.stat:
+ path: '{{ swap_file_path }}'
+ register: swap_file_check
+
+ - name: Create swap file
+ ansible.builtin.command:
+ cmd: fallocate -l "{{ swap_file_size }}" "{{ swap_file_path }}"
+ creates: '{{ swap_file_path }}'
+
+ - name: Set up swap file permissions
+ ansible.builtin.file:
+ path: '{{ swap_file_path }}'
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Prepare the swap file # noqa: no-changed-when
+ # we already have a check in `when`, no need for warning
+ ansible.builtin.command: mkswap "{{ swap_file_path }}"
+ when: not swap_file_check.stat.exists
+
+ - name: Mount the swap file
+ ansible.posix.mount:
+ path: none
+ src: '{{ swap_file_path }}'
+ fstype: swap
+ opts: sw
+ passno: 0
+ dump: 0
+ state: present
+
+ - name: Enable swap # noqa: no-changed-when
+ # we already have a check in `when`, no need for warning
+ ansible.builtin.command: swapon -a
+ when: not swap_file_check.stat.exists
+
+ - name: Enable swappiness
+ ansible.posix.sysctl:
+ name: vm.swappiness
+ value: 1
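Review bot: The `when: not swap_file_check.stat.exists` guards on "Prepare the swap file" and "Enable swap" test a `stat` result registered before the file is created, so they only pass on the very first run. If that run fails after `fallocate` but before `mkswap` or `swapon -a`, every later run sees the file, skips both tasks, and leaves the host without active swap while reporting success. Gating on the actual state, whether the path is listed as active swap, makes the play converge and also prevents `mkswap` from ever running against a swap file that is in use. The "Check if swap file exists" task can then be dropped, and `changed_when: true` replaces the `noqa` comments.

```yaml
    - name: Check whether the swap file is active
      ansible.builtin.command: swapon --show=NAME --noheadings
      register: active_swap
      changed_when: false

    # … unchanged: Create swap file, Set up swap file permissions …

    - name: Prepare the swap file
      ansible.builtin.command: mkswap "{{ swap_file_path }}"
      when: swap_file_path not in active_swap.stdout_lines
      changed_when: true

    # … unchanged: Mount the swap file …

    - name: Enable swap
      ansible.builtin.command: swapon -a
      when: swap_file_path not in active_swap.stdout_lines
      changed_when: true
```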