From 51e961ce9f752dfe3e0d4968254f1e0b77cef2d9 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 29 Apr 2025 10:37:57 +0300
Subject: [PATCH] Add `matrix_user_shell` and default it to `/sbin/nologin`
This is a backward-incompatible change. By default, Ansible creates users with (e.g.) `/bin/sh` on Linux, so changing to a no shell leads to different behavior. That said, it appears that using a shell-less user works OK with regard to Ansible execution and starting the systemd services/containers later on.
---
 roles/custom/matrix-base/defaults/main.yml | 2 ++
 roles/custom/matrix-base/tasks/setup_matrix_user.yml | 1 +
 2 files changed, 3 insertions(+)
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 9e678c771..f30d416f0 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -177,6 +177,8 @@ matrix_container_global_registry_prefix_override: ""
 matrix_user_name: "matrix"
 matrix_user_system: true
+matrix_user_shell: /sbin/nologin
+
 matrix_group_name: "matrix"
 matrix_group_system: true
diff --git a/roles/custom/matrix-base/tasks/setup_matrix_user.yml b/roles/custom/matrix-base/tasks/setup_matrix_user.yml
index a7a09f284..b2512a437 100644
--- a/roles/custom/matrix-base/tasks/setup_matrix_user.yml
+++ b/roles/custom/matrix-base/tasks/setup_matrix_user.yml
@@ -22,6 +22,7 @@ home: "{{ matrix_base_data_path }}"
 create_home: false
 system: "{{ matrix_user_system }}"
+ shell: "{{ matrix_user_shell }}"
 register: matrix_user
 - name: Initialize matrix_user_uid and matrix_user_gid
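Review bot: The new default `matrix_user_shell: /sbin/nologin` in roles/custom/matrix-base/defaults/main.yml has no comment, although the commit message calls the change backward-incompatible; a line above it such as `# Login shell for the matrix user; set to a real shell (e.g. /bin/sh) if something must run commands as this user.` would tell operators how to get the old behaviour back. The path is hard-coded, and on hosts without a merged /usr the binary may exist only as `/usr/sbin/nologin`, so it is worth confirming that it resolves on every supported distribution. The value is also unquoted while the neighbouring string defaults are quoted; `matrix_user_shell: "/sbin/nologin"` would match them.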
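Review bot: The added `shell:` parameter in roles/custom/matrix-base/tasks/setup_matrix_user.yml is passed unconditionally, so the next playbook run will presumably rewrite the shell of an already existing matrix account, and there is no way to leave it untouched. Writing it as `shell: "{{ matrix_user_shell | default(omit, true) }}"` would let an operator set `matrix_user_shell: ""` to skip the parameter and keep whatever shell the account already has. Anything on the host that relies on a working shell for this user (for example `su - matrix` in a maintenance script) would likely stop working after the change, which deserves a changelog entry. The task begins above the hunk, so its module name and other parameters are not visible here.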