Add pre-flight SSH connectivity check before update-users

When running ./algo update-users, if the server is unreachable, users
previously saw cryptic Ansible SSH retry errors like:

    ssh_retry: attempt: 3, ssh return code is 255

This adds a pre-flight check that tests SSH connectivity before running
the full playbook. If the connection fails, it provides a helpful error
message with:
- Clear explanation of what failed
- Possible causes (server not running, IP changed, firewall blocking)
- Diagnostic commands to run (nc, ssh -vvv)

Fixes #14878

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: dguido

users.yml

@@ -51,6 +51,32 @@
           include_vars:
             file: configs/{{ algo_server }}/.config.yml
 
+        - name: Test SSH connectivity to server
+          wait_for:
+            host: "{{ algo_server }}"
+            port: "{{ ansible_ssh_port | default(ssh_port) | int }}"
+            timeout: 10
+          register: ssh_check
+          ignore_errors: true
+          when: algo_server != 'localhost'
+
+        - name: Fail with helpful message if server unreachable
+          fail:
+            msg: |
+              Cannot connect to {{ algo_server }} on port {{ ansible_ssh_port | default(ssh_port) }}.
+
+              Possible causes:
+              - Server is not running (check your cloud provider console)
+              - IP address changed (common after EC2 restart without Elastic IP)
+              - Firewall/security group blocking port {{ ansible_ssh_port | default(ssh_port) }}
+
+              To diagnose:
+                nc -zv {{ algo_server }} {{ ansible_ssh_port | default(ssh_port) }}
+                ssh -vvv -p {{ ansible_ssh_port | default(ssh_port) }} -i configs/algo.pem {{ server_user | default('algo') }}@{{ algo_server }}
+          when:
+            - algo_server != 'localhost'
+            - ssh_check is failed
+
         - when: ipsec_enabled
           block:
             - name: CA password prompt