From 9b8dee098e3ecd2b72eb93cee57f84bd3ad2a0b8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Wed, 4 Nov 2020 19:31:50 +0100
Subject: [PATCH] Always set file permissions
---
roles/baseconfig/tasks/apt-listchanges.yml | 1 +
roles/baseconfig/tasks/main.yml | 1 +
roles/basesecurity/tasks/main.yml | 1 +
roles/certbot/tasks/main.yml | 1 +
roles/ipv6-edge-router/tasks/main.yml | 4 +++-
roles/ldap-replica/tasks/main.yml | 1 +
roles/nginx-reverseproxy/tasks/main.yml | 5 +++++
roles/prometheus/tasks/main.yml | 4 ++++
roles/radius/tasks/main.yml | 10 +++++++---
9 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/roles/baseconfig/tasks/apt-listchanges.yml b/roles/baseconfig/tasks/apt-listchanges.yml
index ec68e1f..b4d6214 100644
--- a/roles/baseconfig/tasks/apt-listchanges.yml
+++ b/roles/baseconfig/tasks/apt-listchanges.yml
@@ -19,6 +19,7 @@
 option: "{{ item.option }}"
 value: "{{ item.value }}"
 state: present
+ mode: 0644
 loop:
 - option: confirm
 value: "true"
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index e4d2db1..d73cf07 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -77,6 +77,7 @@
 copy:
 src: "skel/dot_{{ item }}"
 dest: "/etc/skel/.{{ item }}"
+ mode: 0644
 loop:
 - zshrc
 - zshrc.local
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index 2db6b5b..a0c15b6 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -54,6 +54,7 @@
 option: "{{ item.option }}"
 value: "{{ item.value }}"
 state: present
+ mode: 0644
 notify: Restart fail2ban service
 loop:
 - section: sshd
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 66cae27..d6314ac 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -26,6 +26,7 @@
 file:
 path: /etc/letsencrypt/conf.d
 state: directory
+ mode: 0755
 - name: Add Certbot configuration
 template:
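Review bot: The new `mode: 0644` in this hunk is written as an unquoted leading-zero integer, and every other mode line in this patch (baseconfig main.yml, basesecurity, certbot, ipv6-edge-router, ldap-replica, nginx-reverseproxy, prometheus and radius) uses the same form. Under the YAML 1.1 rules of Ansible's loader it parses as the octal integer 420, which Ansible accepts, but yamllint's `octal-values` rule rejects it and a YAML 1.2 reader would take it as decimal 644. Quoting the value, `mode: "0644"`, hands the string to Ansible for its own octal conversion and is unambiguous across parsers; the same applies to the `0755` and `0640` values elsewhere in the patch. The enclosing task starts before this hunk.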
diff --git a/roles/ipv6-edge-router/tasks/main.yml b/roles/ipv6-edge-router/tasks/main.yml
index 40c945d..5978303 100644
--- a/roles/ipv6-edge-router/tasks/main.yml
+++ b/roles/ipv6-edge-router/tasks/main.yml
@@ -18,17 +18,19 @@
 - name: Install frr
 apt:
 name: frr - + - name: setup frr daemons
 template:
 src: daemons.j2
 dest: /etc/frr/daemons
+ mode: 0644
 notify: restart frr
 - name: setup frr.conf
 template:
 src: frr.conf.j2
 dest: /etc/frr/frr.conf
+ mode: 0644
 notify: restart frr
 - name: enable+start frr
diff --git a/roles/ldap-replica/tasks/main.yml b/roles/ldap-replica/tasks/main.yml
index 914ce4e..cb79bd4 100644
--- a/roles/ldap-replica/tasks/main.yml
+++ b/roles/ldap-replica/tasks/main.yml
@@ -40,6 +40,7 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: 0755
 loop:
 - /etc/ldap/slapd.d
 - /var/lib/ldap
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index b1e3945..4ccaa2a 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -11,6 +11,7 @@
 template:
 src: "nginx/snippets/{{ item }}.j2"
 dest: "/etc/nginx/snippets/{{ item }}"
+ mode: 0644
 loop:
 - options-ssl.conf
 - options-proxypass.conf
@@ -19,11 +20,13 @@
 template:
 src: letsencrypt/dhparam.j2
 dest: /etc/letsencrypt/dhparam
+ mode: 0644
 - name: Copy reverse proxy sites
 template:
 src: "nginx/sites-available/{{ item }}.j2"
 dest: "/etc/nginx/sites-available/{{ item }}"
+ mode: 0644
 loop:
 - reverseproxy
 - reverseproxy_redirect_dname
@@ -35,6 +38,7 @@
 src: "/etc/nginx/sites-available/{{ item }}"
 dest: "/etc/nginx/sites-enabled/{{ item }}"
 state: link
+ mode: 0644
 loop:
 - reverseproxy
 - reverseproxy_redirect_dname
@@ -45,6 +49,7 @@
 template:
 src: www/html/50x.html.j2
 dest: /var/www/html/50x.html
+ mode: 0644
 - name: Indicate role in motd
 template:
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 62dde31..211aee3 100644
--- a/roles/prometheus/tasks/main.yml
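Review bot: The `mode: 0644` added to the `state: link` task in the nginx-reverseproxy hunk at `@@ -35,6 +38,7 @@` is most likely a no-op or misleading: as far as I know Linux cannot change a symlink's own permission bits, so the value can only ever be applied to the link target, and the targets in `/etc/nginx/sites-available/` already receive `mode: 0644` from the template task in the hunk just above. Whether Ansible applies the mode to the target at all depends on the task's `follow` setting, which is outside the hunk. If the line exists only to satisfy a lint rule, a comment such as `# mode is a lint placeholder; symlink permissions are not enforceable` would make that clear; otherwise I would drop it rather than imply the symlink mode is managed. The enclosing task starts before this hunk.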
+++ b/roles/prometheus/tasks/main.yml
@@ -13,12 +13,14 @@
 template:
 src: prometheus/prometheus.yml.j2
 dest: /etc/prometheus/prometheus.yml
+ mode: 0644
 notify: Restart Prometheus
 - name: Configure Prometheus alert rules
 template:
 src: "prometheus/{{ item }}.j2"
 dest: "/etc/prometheus/{{ item }}"
+ mode: 0644
 notify: Restart Prometheus
 loop:
 - alert.rules.yml
@@ -45,12 +47,14 @@
 copy:
 content: "{{ prometheus_targets | to_nice_json }}"
 dest: /etc/prometheus/targets.json
+ mode: 0644 # We don't need to restart Prometheus when updating nodes
 - name: Configure Prometheus Ubiquity Unifi SNMP devices
 copy:
 content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
 dest: /etc/prometheus/targets_unifi_snmp.json
+ mode: 0644
 - name: Activate prometheus service
 systemd:
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 672bc6d..b840b39 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -5,11 +5,11 @@
 - "deb"
 - "deb-src" - - name: Ensure /var/www exists
 file:
 name: "/var/www"
- state: directory
+ state: directory
+ mode: 0755
 - name: Clone re2o repo
 git:
@@ -22,11 +22,11 @@
 template:
 src: "{{ item }}.j2"
 dest: "/var/www/re2o/re2o/{{ item }}"
+ mode: 0644
 loop:
 - settings_local.py
 - local_routers.py - # What follows is a hideous abomination. # Blame freeradius-python3 on backports.
@@ -41,6 +41,7 @@
 template:
 src: freeradius-python3.postinst.j2
 dest: /var/lib/dpkg/info/freeradius-python3.postinst
+ mode: 0644
 - name: reinstall broken package (this might fail too, for different reasons)
 apt:
@@ -69,6 +70,7 @@
 template:
 src: "{{ item }}.j2"
 dest: "/etc/freeradius/3.0/{{ item }}"
+ mode: 0640
 loop:
 - sites-enabled/default
 - sites-enabled/inner-tunnel
@@ -77,6 +79,7 @@
 template:
 src: "{{ item }}.j2"
 dest: "/etc/freeradius/3.0/{{ item }}"
+ mode: 0640
 loop:
 - clients.conf
 - proxy.conf
@@ -113,6 +116,7 @@
 template:
 src: "freeradius-logrotate.j2"
 dest: "/etc/logrotate.d/freeradius"
+ mode: 0644 # Database setup
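Review bot: The `mode: 0644` added for `/var/lib/dpkg/info/freeradius-python3.postinst` in the radius hunk at `@@ -41,6 +41,7 @@` looks wrong: dpkg runs maintainer scripts by executing them, so a postinst without the execute bit should make the "reinstall broken package" step that follows fail with a permission error rather than repair the package. Before this patch the template task left the existing file's mode alone, which kept the executable bit the package had set; forcing 0644 strips it. I would use `mode: 0755` here, matching the executable mode maintainer scripts normally carry. The enclosing task starts before this hunk.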
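Review bot: The `mode: 0640` added for the FreeRADIUS configuration files in the radius hunks at `@@ -69,6 +70,7 @@` and `@@ -77,6 +79,7 @@` is a sensible tightening for files such as `clients.conf` that hold shared secrets, but it only works if the files stay readable by the account the daemon runs as. Neither hunk shows an `owner` or `group` line, and the enclosing tasks start outside the hunks; if they do not set the group to the daemon's group (on Debian normally `freerad`), the files end up `root:root 0640` and the service cannot read its own configuration. I would confirm or add `owner: root` and `group: freerad` next to the new mode, and verify the daemon's actual group on the target system before relying on it.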