From 46b7bbf26e6ef2b1e3940963b3887b6ad3be0998 Mon Sep 17 00:00:00 2001 From: Friedrich von Never Date: Sun, 24 Aug 2025 20:33:16 +0200 Subject: [PATCH 1/4] xmpp2: enable a swap file --- .idea/dictionaries/project.xml | 13 +++++++++ xmpp2/default.yml | 1 + xmpp2/system.yml | 52 ++++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+) create mode 100644 .idea/dictionaries/project.xml create mode 100644 xmpp2/system.yml diff --git a/.idea/dictionaries/project.xml b/.idea/dictionaries/project.xml new file mode 100644 index 0000000..57cf370 --- /dev/null +++ b/.idea/dictionaries/project.xml @@ -0,0 +1,13 @@ + + + + fallocate + fstype + initdb + lineinfile + mkswap + passno + swapon + + + \ No newline at end of file diff --git a/xmpp2/default.yml b/xmpp2/default.yml index 69564ed..f5863a0 100644 --- a/xmpp2/default.yml +++ b/xmpp2/default.yml @@ -3,6 +3,7 @@ # SPDX-License-Identifier: MIT - import_playbook: auth.yml +- import_playbook: system.yml - import_playbook: nginx.yml - import_playbook: docker.yml - import_playbook: codingteam.org.ru.yml diff --git a/xmpp2/system.yml b/xmpp2/system.yml new file mode 100644 index 0000000..838e339 --- /dev/null +++ b/xmpp2/system.yml 
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Set up the system
+ hosts: xmpp2
+ become: true
+
+ vars:
+ swap_file_path: '/swapfile'
+ swap_file_size: '2GiB'
+
+ tasks:
+ - name: Check if swap file exists
+ stat:
+ path: '{{ swap_file_path }}'
+ register: swap_file_check
+
+ - name: Create swap file
+ ansible.builtin.command: fallocate -l "{{ swap_file_size }}" "{{ swap_file_path }}"
+ when: not swap_file_check.stat.exists
+
+ - name: Set up swap file permissions
+ ansible.builtin.file:
+ path: '{{ swap_file_path }}'
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: Prepare the swap file
+ ansible.builtin.command: mkswap "{{ swap_file_path }}"
+ when: not swap_file_check.stat.exists
+
+ - name: Mount the swap file
+ ansible.posix.mount:
+ path: none
+ src: '{{ swap_file_path }}'
+ fstype: swap
+ opts: sw
+ passno: 0
+ dump: 0
+ state: present
+
+ - name: Enable swap
+ command: swapon -a
+ when: not swap_file_check.stat.exists
+
+ - name: Enable swappiness
+ sysctl:
+ name: vm.swappiness
+ value: 1
From 68d4ca09435f64ece0a4ef1d7ce3ff6923f4404f Mon Sep 17 00:00:00 2001
From: Friedrich von Never
Date: Sun, 24 Aug 2025 20:33:43 +0200
Subject: [PATCH 2/4] loglist: sort through the file permissions
---
xmpp2/loglist.yml | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/xmpp2/loglist.yml b/xmpp2/loglist.yml
index 8cbdfda..fe3d48b 100644
--- a/xmpp2/loglist.yml
+++ b/xmpp2/loglist.yml
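Review bot: In the new xmpp2/system.yml, `Prepare the swap file` and `Enable swap` are gated on `swap_file_check`, which is registered before the file is created. A run that fails after `fallocate` therefore leaves a file that every later run treats as already set up, so it is never formatted or enabled, while the fstab entry is still written. Gating both steps on whether the swap file is actually active avoids that stuck state; the probe below is read-only and reports no change. The same `when` guards are kept by PATCH 4/4.

```yaml
    # … unchanged: stat, fallocate, permissions …
    - name: Check whether the swap file is active
      ansible.builtin.command: swapon --show=NAME --noheadings
      register: swap_status
      changed_when: false

    - name: Prepare the swap file
      ansible.builtin.command: mkswap "{{ swap_file_path }}"
      when: swap_file_path not in swap_status.stdout_lines

    # … unchanged: mount entry …
    - name: Enable swap
      command: swapon -a
      when: swap_file_path not in swap_status.stdout_lines
```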
@@ -40,16 +40,23 @@ state: reloaded tasks: - - name: Create directories + - name: Create read-only directories ansible.builtin.file: path: '{{ item }}' state: directory - mode: 'u=rx,g,o=r' + mode: 'u=rx,go=' loop: - '{{ host_db_init_scripts_dir }}' - - '{{ host_data_dir }}' - '{{ host_config_dir }}' + - name: Create read/write directories + ansible.builtin.file: + path: '{{ item }}' + state: directory + mode: 'u=rwx,go=' + loop: + - '{{ host_data_dir }}' + - name: Create the Docker network community.docker.docker_network: name: loglist @@ -58,7 +65,7 @@ ansible.builtin.copy: src: loglist/init_db.sql dest: '{{ host_db_init_scripts_dir }}/init_db.sql' - mode: 'u,g,o=rx' + mode: 'u=rx,go=' - name: Set up the database container community.docker.docker_container: @@ -84,7 +91,7 @@ ansible.builtin.copy: src: loglist/application.conf dest: '{{ host_config_dir }}/application.conf' - mode: 'u,g,o=r' + mode: 'u=r,go=' - name: Set up the application container community.docker.docker_container: @@ -116,5 +123,5 @@ ansible.builtin.copy: src: nginx/conf.d/loglist.conf dest: /etc/nginx/conf.d/loglist.conf - mode: "u=rx,go=rx" + mode: 'u=rx,go=' notify: Reload nginx From a765dd833aef240fc1adc386891d13c399ee76ab Mon Sep 17 00:00:00 2001 From: Friedrich von Never Date: Sun, 24 Aug 2025 20:41:40 +0200 Subject: [PATCH 3/4] Legal: specify the license for the dictionary file --- REUSE.toml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/REUSE.toml b/REUSE.toml index 7bd1cfb..5a44547 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -8,3 +8,9 @@ path = "**.DotSettings" precedence = "aggregate" SPDX-FileCopyrightText = "2025 Friedrich von Never " SPDX-License-Identifier = "MIT" + +[[annotations]] +path = ".idea/**/**" +precedence = "aggregate" +SPDX-FileCopyrightText = "2025 Friedrich von Never " +SPDX-License-Identifier = "MIT" From fa4a39128c6536c4bc57482198268843ddf5a47e Mon Sep 17 00:00:00 2001 
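Review bot: Neither directory task in the `@@ -40` hunk of xmpp2/loglist.yml sets `owner` or `group`, so removing group and other access with `go=` leaves access decided by whichever account happens to own the paths. If the containers that use `host_db_init_scripts_dir`, `host_config_dir` and `host_data_dir` run as a non-root UID (not visible in this hunk), they would lose access to them; if root ownership is intended, stating it makes the restriction auditable. Adding explicit `owner:` and `group:` lines next to each `mode:` would pin this down. The same applies to the `copy` tasks in the `@@ -58`, `@@ -84` and `@@ -116` hunks. The play starts and continues outside the hunk.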
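Review bot: In the `@@ -58` hunk `init_db.sql` is given `mode: 'u=rx,go='`, but an SQL script is read rather than executed and does not need the execute bit. `mode: 'u=r,go='` would match what this commit already uses for `application.conf`. The same applies to `/etc/nginx/conf.d/loglist.conf` in the `@@ -116` hunk, where `'u=rx,go='` could likewise be `'u=r,go='`.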
From: Friedrich von Never Date: Sun, 24 Aug 2025 20:53:06 +0200 Subject: [PATCH 4/4] xmpp2: fix the linter warnings --- .idea/dictionaries/project.xml | 1 + xmpp2/system.yml | 17 ++++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.idea/dictionaries/project.xml b/.idea/dictionaries/project.xml index 57cf370..d30f832 100644 --- a/.idea/dictionaries/project.xml +++ b/.idea/dictionaries/project.xml @@ -6,6 +6,7 @@ initdb lineinfile mkswap + noqa passno swapon diff --git a/xmpp2/system.yml b/xmpp2/system.yml index 838e339..7db37ab 100644 --- a/xmpp2/system.yml +++ b/xmpp2/system.yml @@ -13,13 +13,14 @@ tasks: - name: Check if swap file exists - stat: + ansible.builtin.stat: path: '{{ swap_file_path }}' register: swap_file_check - name: Create swap file - ansible.builtin.command: fallocate -l "{{ swap_file_size }}" "{{ swap_file_path }}" - when: not swap_file_check.stat.exists + ansible.builtin.command: + cmd: fallocate -l "{{ swap_file_size }}" "{{ swap_file_path }}" + creates: '{{ swap_file_path }}' - name: Set up swap file permissions ansible.builtin.file: @@ -28,7 +29,8 @@ group: root mode: '0600' - - name: Prepare the swap file + - name: Prepare the swap file # noqa: no-changed-when + # we already have a check in `when`, no need for warning ansible.builtin.command: mkswap "{{ swap_file_path }}" when: not swap_file_check.stat.exists @@ -42,11 +44,12 @@ dump: 0 state: present - - name: Enable swap - command: swapon -a + - name: Enable swap # noqa: no-changed-when + # we already have a check in `when`, no need for warning + ansible.builtin.command: swapon -a when: not swap_file_check.stat.exists - name: Enable swappiness - sysctl: + ansible.posix.sysctl: name: vm.swappiness value: 1
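Review bot: The rewritten `Create swap file` task in the `@@ -13` hunk of xmpp2/system.yml still allocates with `fallocate`, and swapon(8) warns that preallocated files may be treated as files with holes on some filesystems. If the root filesystem of xmpp2 is one of those (not visible here), the later `swapon -a` would fail on the first run. A comment above the task would record the assumption, e.g. `# fallocate-created swap files need filesystem support, see swapon(8)`.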
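Review bot: The `# noqa: no-changed-when` added to `Prepare the swap file` in the `@@ -28` hunk, and to `Enable swap` in the `@@ -42` hunk, silences the rule without giving Ansible the information it asks for. `when` only decides whether the task runs, so the comment "we already have a check in `when`" does not address change reporting. Both commands always modify the system when they do run, so adding `changed_when: true` to each task states that explicitly and lets the suppression and its comment be dropped.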
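Review bot: The task name `Enable swappiness` in the `@@ -42` hunk does not describe what `vm.swappiness` set to 1 does, which is to make the kernel swap only as a last resort. A name such as `Set vm.swappiness to prefer RAM over swap` documents the intent. The value is also safer quoted, `value: '1'`, so it reaches the module as the string it writes to the sysctl file.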