From acfe7f564dd1736d82ec1ee05d5f4934847d84ca Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Mon, 20 Apr 2026 10:53:35 +0800
Subject: [PATCH] feat(xfce): refactor XFCE role into install and config tasks, and fix session setup
- Split XFCE minimal role into install.yml and config.yml for better modularity.
- Restore .xsession setup with NO_BROWSER=true and exec startxfce4.
- Add support for managing user groups and shell.
- Ensure XRDP services are active and enabled on jp-xhttp-contabo.svc.plus.
---
 .../xfce_xrdp_minimal/defaults/main.yml | 1 +
 .../vhosts/xfce_xrdp_minimal/tasks/config.yml | 63 +++++++++++++++++++
 .../xfce_xrdp_minimal/tasks/install.yml | 31 ---------
 roles/vhosts/xfce_xrdp_minimal/tasks/main.yml | 4 ++
 4 files changed, 68 insertions(+), 31 deletions(-)
 create mode 100644 roles/vhosts/xfce_xrdp_minimal/tasks/config.yml
diff --git a/roles/vhosts/xfce_xrdp_minimal/defaults/main.yml b/roles/vhosts/xfce_xrdp_minimal/defaults/main.yml
index ad109ae..20893e8 100644
--- a/roles/vhosts/xfce_xrdp_minimal/defaults/main.yml
+++ b/roles/vhosts/xfce_xrdp_minimal/defaults/main.yml
@@ -18,5 +18,6 @@ xfce_rdp_port: 3389
 xfce_disable_compositor: true
 xfce_disable_animations: true
 xfce_manage_user: false
+xfce_user_groups: []
 xfce_user_shell: /bin/bash
 xfce_user_password_plaintext: ""
diff --git a/roles/vhosts/xfce_xrdp_minimal/tasks/config.yml b/roles/vhosts/xfce_xrdp_minimal/tasks/config.yml
new file mode 100644
index 0000000..b74f1bb
--- /dev/null
+++ b/roles/vhosts/xfce_xrdp_minimal/tasks/config.yml
@@ -0,0 +1,63 @@
+---
+- name: Ensure the desktop user exists
+ ansible.builtin.user:
+ name: "{{ xfce_user }}"
+ shell: "{{ xfce_user_shell }}"
+ create_home: true
+ state: present
+ password_lock: false
+ become: true
+ when: xfce_manage_user | bool
+
+- name: Fail when the desktop user password is not provided
+ ansible.builtin.assert:
+ that:
+ - xfce_user_password_plaintext | length > 0
+ fail_msg: >-
+ xfce_user_password_plaintext must be set so XRDP can authenticate the
+ desktop user.
+ when: xfce_manage_user | bool
+
+- name: Set desktop user password for XRDP login
+ ansible.builtin.user:
+ name: "{{ xfce_user }}"
+ password: "{{ xfce_user_password_plaintext | password_hash('sha512') }}"
+ update_password: always
+ password_lock: false
+ become: true
+ no_log: true
+ when: xfce_manage_user | bool
+
+- name: Ensure the desktop user can sudo
+ ansible.builtin.user:
+ name: "{{ xfce_user }}"
+ groups: "{{ xfce_user_groups }}"
+ append: true
+ state: present
+ become: true
+ when:
+ - xfce_manage_user | bool
+ - xfce_user_groups | length > 0
+
+- name: Ensure XFCE session file is present
+ ansible.builtin.template:
+ src: xsession.j2
+ dest: "{{ xfce_xsession_file }}"
+ owner: "{{ xfce_user }}"
+ group: "{{ xfce_user }}"
+ mode: "0644"
+ become: true
+ when: xfce_manage_user | bool
+ notify:
+ - Restart xrdp
+ - Restart xrdp sesman
+
+- name: Ensure XFCE config directory exists
+ ansible.builtin.file:
+ path: "{{ xfce_xfconf_dir }}"
+ state: directory
+ owner: "{{ xfce_user }}"
+ group: "{{ xfce_user }}"
+ mode: "0755"
+ become: true
+ when: xfce_manage_user | bool
diff --git a/roles/vhosts/xfce_xrdp_minimal/tasks/install.yml b/roles/vhosts/xfce_xrdp_minimal/tasks/install.yml
index 1ad763e..c10560f 100644
--- a/roles/vhosts/xfce_xrdp_minimal/tasks/install.yml
+++ b/roles/vhosts/xfce_xrdp_minimal/tasks/install.yml
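Review bot: In `tasks/config.yml` the task named `Ensure the desktop user can sudo` does not grant sudo itself; it appends whatever `xfce_user_groups` contains, so the name should say that, e.g. `- name: Add the desktop user to the configured supplementary groups`. Because this account logs in over XRDP with a password, listing `sudo` there leaves that password as the only barrier to root, which deserves a comment beside the default in `defaults/main.yml`, such as `# supplementary groups for xfce_user; adding sudo gives the password-authenticated XRDP account root`. Separately, the `assert` on `xfce_user_password_plaintext` runs after the first `ansible.builtin.user` task has already created the account with `password_lock: false`; moving the assert to the top of the file would stop the play before the host is changed.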
@@ -44,28 +44,6 @@
 APT_LISTCHANGES_FRONTEND: none
 become: true
 
-- name: Ensure the desktop user exists and is unlocked
- ansible.builtin.user:
- name: "{{ xfce_user }}"
- shell: "{{ xfce_user_shell }}"
- create_home: true
- state: present
- password_lock: false
- become: true
- when: xfce_manage_user | bool
-
-- name: Set desktop user password for XRDP login
- ansible.builtin.user:
- name: "{{ xfce_user }}"
- password: "{{ xfce_user_password_plaintext | password_hash('sha512') }}"
- update_password: always
- password_lock: false
- become: true
- no_log: true
- when:
- - xfce_manage_user | bool
- - xfce_user_password_plaintext | length > 0
-
 - name: Add xrdp user to ssl-cert group to allow reading SSL keys
 ansible.builtin.user:
 name: xrdp
@@ -76,15 +54,6 @@
 - Restart xrdp
 - Restart xrdp sesman
 
-- name: Configure .xsession for the desktop user
- ansible.builtin.template:
- src: xsession.j2
- dest: "{{ xfce_user_home }}/.xsession"
- owner: "{{ xfce_user }}"
- group: "{{ xfce_user }}"
- mode: '0644'
- become: true
-
 - name: Check whether XRDP service units are available
 ansible.builtin.stat:
 path: "{{ item }}"
diff --git a/roles/vhosts/xfce_xrdp_minimal/tasks/main.yml b/roles/vhosts/xfce_xrdp_minimal/tasks/main.yml
index 26ad303..51b78d1 100644
--- a/roles/vhosts/xfce_xrdp_minimal/tasks/main.yml
+++ b/roles/vhosts/xfce_xrdp_minimal/tasks/main.yml
@@ -2,3 +2,7 @@
 - name: Install minimal XFCE + XRDP stack
 ansible.builtin.import_tasks: install.yml
 tags: [xfce, xfce_install]
+
+- name: Configure XFCE desktop user and XRDP session
+ ansible.builtin.import_tasks: config.yml
+ tags: [xfce, xfce_config]