Set file permissions explicitly

Fixes ansible-lint violations

roles/deploy/defaults/main.yml

@@ -20,7 +20,7 @@ project_templates:
   - name: .env config
     src: roles/deploy/templates/env.j2
     dest: .env
-    mode: '0600'
+    mode: 0600
 
 # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`.
 # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type
@@ -29,8 +29,8 @@ project_templates:
 # project_shared_children:
 #   - path: app/sessions
 #     src: sessions
-#     mode: '0755'        // <- optional, must be quoted, defaults to `'0755'` if `directory` or `'0644'` if `file`
-#     type: directory     // <- optional, defaults to `directory`, options: `directory` or `file`
+#     mode: 0755      // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file`
+#     type: directory // <- optional, defaults to `directory`, options: `directory` or `file`
 project_shared_children:
   - path: web/app/uploads
     src: uploads

roles/deploy/tasks/build.yml

@@ -17,7 +17,7 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}"
-    mode: "{{ item.mode | default('0644') }}"
+    mode: "{{ item.mode | default(0644) }}"
   with_items: "{{ project.project_templates | default(project_templates) }}"
 
 - name: Check if project folders exist

roles/deploy/tasks/prepare.yml

@@ -27,7 +27,7 @@
 - name: Create new release dir
   file:
     path: "{{ deploy_helper.new_release_path }}"
-    mode: '0755'
+    mode: 0755
     state: directory
 
 - name: Run git archive to populate new build dir
@@ -51,7 +51,7 @@
 - name: write unfinished file
   file:
     path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}"
-    mode: '0744'
+    mode: 0744
     state: touch
 
 - name: Check if deploy_prepare_after scripts exist

roles/deploy/tasks/share.yml

@@ -17,30 +17,30 @@
   file:
     path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
     state: directory
-    mode: "{{ item.mode | default('0755') }}"
+    mode: "{{ item.mode | default(0755) }}"
   with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
   when: item.type | default('directory') | lower == 'directory'
 
 - name: Ensure shared sources are present -- files' parent directories
   file:
     path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}"
     state: directory
-    mode: '0755'
+    mode: 0755
   with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
   when: item.type | default('directory') | lower == 'file'
 
 - name: Ensure shared sources are present -- files
   file:
     path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
     state: touch
-    mode: "{{ item.mode | default('0644') }}"
+    mode: "{{ item.mode | default(0644) }}"
   with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
   when: item.type | default('directory') | lower == 'file'
 
 - name: Ensure parent directories for shared paths are present
   file:
     path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}"
-    mode: '0777'
+    mode: 0777
     state: directory
   with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
 

roles/fail2ban/tasks/main.yml

@@ -11,6 +11,7 @@
   template:
     src: "{{ item }}.j2"
     dest: /etc/fail2ban/{{ item }}
+    mode: 0644
   with_items:
     - jail.local
     - fail2ban.local
@@ -30,12 +31,13 @@
   file:
     path: /etc/fail2ban/filter.d/
     state: directory
-    mode: '0755'
+    mode: 0755
 
 - name: template fail2ban filters
   template:
     src: "{{ item }}"
     dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}"
+    mode: 0644
   with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}"
   notify: restart fail2ban
 

roles/ferm/tasks/main.yml

@@ -28,6 +28,7 @@
   template:
     src: "{{ item }}.j2"
     dest: /{{ item }}
+    mode: 0644
   with_items:
     - etc/default/ferm
     - etc/ferm/ferm.conf
@@ -55,6 +56,7 @@
             {% else %}
             dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
             {% endif %}
+            mode=0644
   with_flattened:
     - "{{ ferm_input_list }}"
     - "{{ ferm_input_group_list }}"

roles/letsencrypt/tasks/nginx.yml

@@ -3,6 +3,7 @@
   template:
     src: acme-challenge-location.conf.j2
     dest: "{{ nginx_path }}/acme-challenge-location.conf"
+    mode: 0644
 
 - name: Get list of hosts in current Nginx conf
   shell: |
@@ -17,6 +18,7 @@
   template:
     src: nginx-challenge-site.conf.j2
     dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf"
+    mode: 0644
   register: challenge_site_confs
   when:
     - site_uses_letsencrypt
@@ -42,7 +44,7 @@
   file:
     path: "{{ acme_tiny_challenges_directory }}/ping.txt"
     state: touch
-    mode: '0644'
+    mode: 0644
 
 - name: Test Acme Challenges
   test_challenges:

roles/letsencrypt/tasks/setup.yml

@@ -28,12 +28,12 @@
     state: directory
   with_items:
     - path: "{{ acme_tiny_data_directory }}"
-      mode: '0700'
+      mode: 0700
     - path: "{{ acme_tiny_data_directory }}/csrs"
     - path: "{{ acme_tiny_software_directory }}"
     - path: "{{ acme_tiny_challenges_directory }}"
     - path: "{{ letsencrypt_certs_dir }}"
-      mode: '0700'
+      mode: 0700
 
 - name: Clone acme-tiny repository
   git:
@@ -46,12 +46,14 @@
   copy:
     src: "{{ letsencrypt_account_key_source_file }}"
     dest: "{{ letsencrypt_account_key }}"
+    mode: 0700
   when: letsencrypt_account_key_source_file is defined
 
 - name: Copy Lets Encrypt account key source contents
   copy:
     content: "{{ letsencrypt_account_key_source_content | trim }}"
     dest: "{{ letsencrypt_account_key }}"
+    mode: 0700
   when: letsencrypt_account_key_source_content is defined
 
 - name: Generate a new account key

roles/mariadb/tasks/main.yml

@@ -29,6 +29,7 @@
       dest: /etc/mysql/conf.d
       owner: root
       group: root
+      mode: 0644
     when: mysql_binary_logging_disabled | bool
     notify: restart mysql server
 

roles/memcached/tasks/main.yml

@@ -10,6 +10,7 @@
   template:
     src: memcached.conf.j2
     dest: /etc/memcached.conf
+    mode: 0644
   notify: restart memcached
 
 - name: Set the max open file descriptors

roles/nginx/tasks/main.yml

@@ -19,6 +19,7 @@
   file:
     path: "{{ nginx_path }}/{{ item }}"
     state: directory
+    mode: 0755
   with_items:
     - sites-available
     - sites-enabled
@@ -42,12 +43,14 @@
   copy:
     src: templates/h5bp
     dest: "{{ nginx_path }}"
+    mode: 0755
   notify: reload nginx
 
 - name: Create nginx.conf
   template:
     src: "{{ nginx_conf }}"
     dest: "{{ nginx_path }}/nginx.conf"
+    mode: 0644
   notify: reload nginx
   tags: nginx-includes
 

roles/php/tasks/main.yml

@@ -49,9 +49,11 @@
   template:
     src: php-fpm.ini.j2
     dest: /etc/php/7.4/fpm/php.ini
+    mode: 0644
   notify: reload php-fpm
 
 - name: Copy PHP CLI configuration file
   template:
     src: php-cli.ini.j2
     dest: /etc/php/7.4/cli/php.ini
+    mode: 0644

roles/rollback/tasks/main.yml

@@ -30,3 +30,4 @@
   file:
     path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED"
     state: touch
+    mode: 0644

roles/ssmtp/tasks/main.yml

@@ -9,8 +9,10 @@
   template:
     src: ssmtp.conf.j2
     dest: /etc/ssmtp/ssmtp.conf
+    mode: 0644
 
 - name: ssmtp revaliases configuration
   template:
     src: revaliases.j2
     dest: /etc/ssmtp/revaliases
+    mode: 0644

roles/wordpress-install/tasks/directories.yml

@@ -22,6 +22,7 @@
     path: "{{ www_root }}/{{ item.key }}"
     owner: "{{ web_user }}"
     group: "{{ web_group }}"
+    mode: 0755
     state: directory
     recurse: yes
   with_dict: "{{ wordpress_sites }}"

roles/wordpress-install/tasks/dotenv.yml

@@ -3,7 +3,7 @@
   template:
     src: "env.j2"
     dest: "/tmp/{{ item.key }}.env"
-    mode: '0644'
+    mode: 0644
     owner: "{{ web_user }}"
     group: "{{ web_group }}"
   with_dict: "{{ wordpress_sites }}"

roles/wordpress-setup/tasks/main.yml

@@ -27,6 +27,7 @@
   template:
     src: php-fpm.conf.j2
     dest: /etc/php/7.4/fpm/pool.d/wordpress.conf
+    mode: 0644
   notify: reload php-fpm
 
 - name: Disable default PHP-FPM pool

roles/wordpress-setup/tasks/nginx-includes.yml

@@ -24,6 +24,7 @@
   template:
     src: "{{ item }}"
     dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}"
+    mode: 0644
   with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
   notify: reload nginx
 

roles/wordpress-setup/tasks/nginx.yml

@@ -23,6 +23,7 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}"
+    mode: 0644
   with_items: "{{ nginx_sites_confs }}"
   when: item.enabled | default(true)
   notify: reload nginx
@@ -52,12 +53,14 @@
   template:
     src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2"
     dest: "{{ nginx_path }}/acme-challenge-location.conf"
+    mode: 0644
   notify: reload nginx
 
 - name: Create WordPress configuration for Nginx
   template:
     src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}"
     dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf"
+    mode: 0644
   with_dict: "{{ wordpress_sites }}"
   notify: reload nginx
   tags: nginx-includes

roles/wordpress-setup/tasks/self-signed-certificate.yml

@@ -3,7 +3,7 @@
   file:
     path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/"
     state: directory
-    mode: "0755"
+    mode: 0755
 
 - name: Template openssl configs
   template:

roles/wp-cli/tasks/main.yml

@@ -19,7 +19,7 @@
   copy:
     src: "{{ wp_cli_pgp_public_key }}"
     dest: /tmp/wp-cli.pgp.gpg
-    mode: '0744'
+    mode: 0744
 
 - name: Verify WP-CLI Phar Signature
   command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar

roles/xdebug/tasks/main.yml

@@ -9,6 +9,7 @@
   template:
     src: xdebug.ini.j2
     dest: /etc/php/7.4/mods-available/xdebug.ini
+    mode: 0644
   notify: reload php-fpm
 
 - name: Ensure 20-xdebug.ini is present