Always set file permissions

4 years ago · 9b8dee098e
parent d60b75109a
commit 9b8dee098e
9 changed files with 24 additions and 4 deletions
--- a/roles/baseconfig/tasks/apt-listchanges.yml
+++ b/roles/baseconfig/tasks/apt-listchanges.yml
@ -19,6 +19,7 @@
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    state: present
+    mode: 0644
  loop:
    - option: confirm
      value: "true"
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@ -77,6 +77,7 @@
  copy:
    src: "skel/dot_{{ item }}"
    dest: "/etc/skel/.{{ item }}"
+    mode: 0644
  loop:
    - zshrc
    - zshrc.local
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@ -54,6 +54,7 @@
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    state: present
+    mode: 0644
  notify: Restart fail2ban service
  loop:
    - section: sshd
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -26,6 +26,7 @@
  file:
    path: /etc/letsencrypt/conf.d
    state: directory
+    mode: 0755

 - name: Add Certbot configuration
  template:
--- a/roles/ipv6-edge-router/tasks/main.yml
+++ b/roles/ipv6-edge-router/tasks/main.yml
@ -18,17 +18,19 @@
 - name: Install frr
  apt:
    name: frr
-  
+
 - name: setup frr daemons
  template:
    src: daemons.j2
    dest: /etc/frr/daemons
+    mode: 0644
  notify: restart frr

 - name: setup frr.conf
  template:
    src: frr.conf.j2
    dest: /etc/frr/frr.conf
+    mode: 0644
  notify: restart frr

 - name: enable+start frr
--- a/roles/ldap-replica/tasks/main.yml
+++ b/roles/ldap-replica/tasks/main.yml
@ -40,6 +40,7 @@
  file:
    path: "{{ item }}"
    state: directory
+    mode: 0755
  loop:
    - /etc/ldap/slapd.d
    - /var/lib/ldap
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@ -11,6 +11,7 @@
  template:
    src: "nginx/snippets/{{ item }}.j2"
    dest: "/etc/nginx/snippets/{{ item }}"
+    mode: 0644
  loop:
    - options-ssl.conf
    - options-proxypass.conf
@ -19,11 +20,13 @@
  template:
    src: letsencrypt/dhparam.j2
    dest: /etc/letsencrypt/dhparam
+    mode: 0644

 - name: Copy reverse proxy sites
  template:
    src: "nginx/sites-available/{{ item }}.j2"
    dest: "/etc/nginx/sites-available/{{ item }}"
+    mode: 0644
  loop:
    - reverseproxy
    - reverseproxy_redirect_dname
@ -35,6 +38,7 @@
    src: "/etc/nginx/sites-available/{{ item }}"
    dest: "/etc/nginx/sites-enabled/{{ item }}"
    state: link
+    mode: 0644
  loop:
    - reverseproxy
    - reverseproxy_redirect_dname
@ -45,6 +49,7 @@
  template:
    src: www/html/50x.html.j2
    dest: /var/www/html/50x.html
+    mode: 0644

 - name: Indicate role in motd
  template:
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -13,12 +13,14 @@
  template:
    src: prometheus/prometheus.yml.j2
    dest: /etc/prometheus/prometheus.yml
+    mode: 0644
  notify: Restart Prometheus

 - name: Configure Prometheus alert rules
  template:
    src: "prometheus/{{ item }}.j2"
    dest: "/etc/prometheus/{{ item }}"
+    mode: 0644
  notify: Restart Prometheus
  loop:
    - alert.rules.yml
@ -45,12 +47,14 @@
  copy:
    content: "{{ prometheus_targets | to_nice_json }}"
    dest: /etc/prometheus/targets.json
+    mode: 0644

 # We don't need to restart Prometheus when updating nodes
 - name: Configure Prometheus Ubiquity Unifi SNMP devices
  copy:
    content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
    dest: /etc/prometheus/targets_unifi_snmp.json
+    mode: 0644

 - name: Activate prometheus service
  systemd:
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@ -5,11 +5,11 @@
    - "deb"
    - "deb-src"

-
 - name: Ensure /var/www exists
  file:
    name: "/var/www"
-    state: directory 
+    state: directory
+    mode: 0755

 - name: Clone re2o repo
  git:
@ -22,11 +22,11 @@
  template:
    src: "{{ item }}.j2"
    dest: "/var/www/re2o/re2o/{{ item }}"
+    mode: 0644
  loop:
    - settings_local.py
    - local_routers.py

-
 # What follows is a hideous abomination.
 # Blame freeradius-python3 on backports.

@ -41,6 +41,7 @@
  template:
    src: freeradius-python3.postinst.j2
    dest: /var/lib/dpkg/info/freeradius-python3.postinst
+    mode: 0644

 - name: reinstall broken package (this might fail too, for different reasons)
  apt:
@ -69,6 +70,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
+    mode: 0640
  loop:
    - sites-enabled/default
    - sites-enabled/inner-tunnel
@ -77,6 +79,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
+    mode: 0640
  loop:
    - clients.conf
    - proxy.conf
@ -113,6 +116,7 @@
  template:
    src: "freeradius-logrotate.j2"
    dest: "/etc/logrotate.d/freeradius"
+    mode: 0644


 # Database setup