From 0a949e3efcade3c91ec6d06acfb30a67c36a1ebc Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Sat, 6 Feb 2021 00:17:34 -0500
Subject: [PATCH] Set file permissions explicitly
Fixes ansible-lint violations
---
roles/deploy/defaults/main.yml | 6 +++---
roles/deploy/tasks/build.yml | 2 +-
roles/deploy/tasks/prepare.yml | 4 ++--
roles/deploy/tasks/share.yml | 8 ++++----
roles/fail2ban/tasks/main.yml | 4 +++-
roles/ferm/tasks/main.yml | 2 ++
roles/letsencrypt/tasks/nginx.yml | 4 +++-
roles/letsencrypt/tasks/setup.yml | 6 ++++--
roles/mariadb/tasks/main.yml | 1 +
roles/memcached/tasks/main.yml | 1 +
roles/nginx/tasks/main.yml | 3 +++
roles/php/tasks/main.yml | 2 ++
roles/rollback/tasks/main.yml | 1 +
roles/ssmtp/tasks/main.yml | 2 ++
roles/wordpress-install/tasks/directories.yml | 1 +
roles/wordpress-install/tasks/dotenv.yml | 2 +-
roles/wordpress-setup/tasks/main.yml | 1 +
roles/wordpress-setup/tasks/nginx-includes.yml | 1 +
roles/wordpress-setup/tasks/nginx.yml | 3 +++
roles/wordpress-setup/tasks/self-signed-certificate.yml | 2 +-
roles/wp-cli/tasks/main.yml | 2 +-
roles/xdebug/tasks/main.yml | 1 +
22 files changed, 42 insertions(+), 17 deletions(-)
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
index 61a5ad7b62..48174a8d3c 100644
--- a/roles/deploy/defaults/main.yml
+++ b/roles/deploy/defaults/main.yml
@@ -20,7 +20,7 @@ project_templates:
- name: .env config
src: roles/deploy/templates/env.j2
dest: .env
- mode: '0600'
+ mode: 0600
# The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`.
# For example a sessions directory or an uploads folder. They are created if they don't exist, with the type 
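Review bot: The `+ mode: 0600` line replaces a quoted string with a bare integer, so the value now depends on the loader applying YAML 1.1's leading-zero octal rule; Ansible's PyYAML loader does that (the integer 384, i.e. octal 600), but any YAML 1.2 consumer that reads this defaults file (yq, ruamel in 1.2 mode, schema validators) reads decimal 600, which is a different and wrong permission. Every hunk in this patch makes the same quoted-to-bare switch, so the exposure is file-wide, and as far as I know the ansible-lint octal rule accepts `mode: '0600'` as well as the bare form, so keeping the quotes costs nothing. If the bare form is the project's chosen convention, a one-line comment next to the first occurrence, `# leading 0 is required: the YAML loader reads it as octal`, would at least make the dependency explicit. The `0600` value itself is the right choice for `.env`, which carries secrets.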
@@ -29,8 +29,8 @@ project_templates:
# project_shared_children:
# - path: app/sessions
# src: sessions
-# mode: '0755' // <- optional, must be quoted, defaults to `'0755'` if `directory` or `'0644'` if `file`
-# type: directory // <- optional, defaults to `directory`, options: `directory` or `file`
+# mode: 0755 // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file`
+# type: directory // <- optional, defaults to `directory`, options: `directory` or `file`
project_shared_children:
- path: web/app/uploads
src: uploads
diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml
index d5a99316c5..b9fc2f2c03 100644
--- a/roles/deploy/tasks/build.yml
+++ b/roles/deploy/tasks/build.yml
@@ -17,7 +17,7 @@
template:
src: "{{ item.src }}"
dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}"
- mode: "{{ item.mode | default('0644') }}"
+ mode: "{{ item.mode | default(0644) }}"
with_items: "{{ project.project_templates | default(project_templates) }}"
- name: Check if project folders exist
diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml
index 2567d7986e..8af8bd223d 100644
--- a/roles/deploy/tasks/prepare.yml
+++ b/roles/deploy/tasks/prepare.yml
@@ -27,7 +27,7 @@
- name: Create new release dir
file:
path: "{{ deploy_helper.new_release_path }}"
- mode: '0755'
+ mode: 0755
state: directory
- name: Run git archive to populate new build dir
@@ -51,7 +51,7 @@
- name: write unfinished file
file:
path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}"
- mode: '0744'
+ mode: 0744
state: touch
- name: Check if deploy_prepare_after scripts exist
diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml
index 12da9836c2..ac76b09f2f 100644
--- a/roles/deploy/tasks/share.yml
+++ b/roles/deploy/tasks/share.yml 
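Review bot: In the build.yml hunk, `default(0644)` is now a Jinja integer literal rather than a YAML one, and Jinja's lexer does not apply the YAML octal rule: on the Jinja2 2.x line the token is read as decimal 644, which only produces the right bits because the file module re-parses the rendered text as octal, and newer Jinja2 releases tokenize a leading-zero literal differently and may reject the expression outright (inferred from the lexer change, worth checking against the Jinja version the project pins). The three `default(0755)`/`default(0644)` lines in the share.yml hunks on the next physical line have the same problem. Keeping the default a string, `mode: "{{ item.mode | default('0644') }}"`, makes the value unambiguous at both layers; if the integer form is kept, a comment such as `# rendered as text and re-read as octal by the file module` would explain why it works. Separately, the DEPLOY_UNFINISHED marker in the prepare.yml hunk is a plain flag file, so `mode: 0644` is enough there; the execute bit in `0744` serves no purpose.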
@@ -17,7 +17,7 @@
file:
path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
state: directory
- mode: "{{ item.mode | default('0755') }}"
+ mode: "{{ item.mode | default(0755) }}"
with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
when: item.type | default('directory') | lower == 'directory'
@@ -25,7 +25,7 @@
file:
path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}"
state: directory
- mode: '0755'
+ mode: 0755
with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
when: item.type | default('directory') | lower == 'file'
@@ -33,14 +33,14 @@
file:
path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
state: touch
- mode: "{{ item.mode | default('0644') }}"
+ mode: "{{ item.mode | default(0644) }}"
with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
when: item.type | default('directory') | lower == 'file'
- name: Ensure parent directories for shared paths are present
file:
path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}"
- mode: '0777'
+ mode: 0777
state: directory
with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 278f0811ab..5f2b8100ad 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -11,6 +11,7 @@
template:
src: "{{ item }}.j2"
dest: /etc/fail2ban/{{ item }}
+ mode: 0644
with_items:
- jail.local
- fail2ban.local
@@ -30,12 +31,13 @@
file:
path: /etc/fail2ban/filter.d/
state: directory
- mode: '0755'
+ mode: 0755
- name: template fail2ban filters
template:
src: "{{ item }}"
dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}"
+ mode: 0644
with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}"
notify: restart fail2ban
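Review bot: `+ mode: 0777` in the third share.yml hunk makes every parent directory of a shared path inside the new release world-writable, so any local account on the host can create or replace entries next to the symlinked shared directories; the commit only changes the quoting on that line, but a commit titled "Set file permissions explicitly" is the natural place to tighten the value. Whether anything beyond the deploy user needs write access depends on whether the deploy user and `web_user` differ, which this hunk does not show; if they do, the least-privilege shape is group write, `mode: 0775` with `group: "{{ web_group }}"`, otherwise `mode: 0755`. The task's `with_items` line closes the hunk and the task body may continue past it.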
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
index bdbaa0b53d..453ac00112 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm/tasks/main.yml
@@ -28,6 +28,7 @@
template:
src: "{{ item }}.j2"
dest: /{{ item }}
+ mode: 0644
with_items:
- etc/default/ferm
- etc/ferm/ferm.conf
@@ -55,6 +56,7 @@
{% else %}
dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
{% endif %}
+ mode=0644
with_flattened:
- "{{ ferm_input_list }}"
- "{{ ferm_input_group_list }}"
diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml
index 20b97e63b1..d67bfa2e4f 100644
--- a/roles/letsencrypt/tasks/nginx.yml
+++ b/roles/letsencrypt/tasks/nginx.yml
@@ -3,6 +3,7 @@
template:
src: acme-challenge-location.conf.j2
dest: "{{ nginx_path }}/acme-challenge-location.conf"
+ mode: 0644
- name: Get list of hosts in current Nginx conf
shell: |
@@ -17,6 +18,7 @@
template:
src: nginx-challenge-site.conf.j2
dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf"
+ mode: 0644
register: challenge_site_confs
when:
- site_uses_letsencrypt
@@ -42,7 +44,7 @@
file:
path: "{{ acme_tiny_challenges_directory }}/ping.txt"
state: touch
- mode: '0644'
+ mode: 0644
- name: Test Acme Challenges
test_challenges:
diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml
index 48c3221cf3..942cfc4655 100644
--- a/roles/letsencrypt/tasks/setup.yml
+++ b/roles/letsencrypt/tasks/setup.yml
@@ -28,12 +28,12 @@
state: directory
with_items:
- path: "{{ acme_tiny_data_directory }}"
- mode: '0700'
+ mode: 0700
- path: "{{ acme_tiny_data_directory }}/csrs"
- path: "{{ acme_tiny_software_directory }}"
- path: "{{ acme_tiny_challenges_directory }}"
- path: "{{ letsencrypt_certs_dir }}"
- mode: '0700'
+ mode: 0700
- name: Clone acme-tiny repository
git: 
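Review bot: `+ mode=0644` in the second ferm hunk is written as a `key=value` token inside the task's free-form argument text, while the first ferm hunk and every other hunk in this patch use native YAML `mode: 0644`; ansible-lint itself prefers native YAML module arguments over `key=value` strings, so this line is likely to surface as the next violation. The enclosing `template:` task begins above the hunk, so I cannot see how its `src=`/`dest=` pairs are laid out; if they live in a folded scalar with the `{% if %}`/`{% else %}` conditional, the tidy fix is to move the task to block YAML with `mode: 0644` as an ordinary key and the conditional folded into a single `dest:` expression. Within the current form the token is only correct if whitespace separates it from `{% endif %}` in the rendered string, which appears to be the case here.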
@@ -46,12 +46,14 @@
copy:
src: "{{ letsencrypt_account_key_source_file }}"
dest: "{{ letsencrypt_account_key }}"
+ mode: 0700
when: letsencrypt_account_key_source_file is defined
- name: Copy Lets Encrypt account key source contents
copy:
content: "{{ letsencrypt_account_key_source_content | trim }}"
dest: "{{ letsencrypt_account_key }}"
+ mode: 0700
when: letsencrypt_account_key_source_content is defined
- name: Generate a new account key
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index f329616f62..b1acc09da4 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -29,6 +29,7 @@
dest: /etc/mysql/conf.d
owner: root
group: root
+ mode: 0644
when: mysql_binary_logging_disabled | bool
notify: restart mysql server
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index 359ee645f3..0b54161bae 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -10,6 +10,7 @@
template:
src: memcached.conf.j2
dest: /etc/memcached.conf
+ mode: 0644
notify: restart memcached
- name: Set the max open file descriptors
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index f97d720b2d..e0176a8ffb 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,6 +19,7 @@
file:
path: "{{ nginx_path }}/{{ item }}"
state: directory
+ mode: 0755
with_items:
- sites-available
- sites-enabled
@@ -42,12 +43,14 @@
copy:
src: templates/h5bp
dest: "{{ nginx_path }}"
+ mode: 0755
notify: reload nginx
- name: Create nginx.conf
template:
src: "{{ nginx_conf }}"
dest: "{{ nginx_path }}/nginx.conf"
+ mode: 0644
notify: reload nginx
tags: nginx-includes
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index e706517d29..3feda4fd23 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml 
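Review bot: Both `+ mode: 0700` lines in the letsencrypt setup hunk put an execute bit on the account private key at `{{ letsencrypt_account_key }}`; a key file is never executed and `mode: 0600` is the conventional, sufficient value. Neither copy task pins `owner`/`group`, so the key ends up owned by whatever account runs the task (presumably root via become — not visible here); if acme-tiny runs under a different user, stating `owner:` explicitly next to the mode documents who is meant to read it. In the nginx hunk, `+ mode: 0755` on the `copy: src: templates/h5bp` directory copy applies to every copied file as well as the directories, so the nginx include snippets become executable; `directory_mode: 0755` with `mode: 0644` splits the two cases as the copy module intends.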
@@ -49,9 +49,11 @@
template:
src: php-fpm.ini.j2
dest: /etc/php/7.4/fpm/php.ini
+ mode: 0644
notify: reload php-fpm
- name: Copy PHP CLI configuration file
template:
src: php-cli.ini.j2
dest: /etc/php/7.4/cli/php.ini
+ mode: 0644
diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml
index f8bd6f80c3..44dad91849 100644
--- a/roles/rollback/tasks/main.yml
+++ b/roles/rollback/tasks/main.yml
@@ -30,3 +30,4 @@
file:
path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED"
state: touch
+ mode: 0644
diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml
index 9d62055d4d..6b98dc228b 100644
--- a/roles/ssmtp/tasks/main.yml
+++ b/roles/ssmtp/tasks/main.yml
@@ -9,8 +9,10 @@
template:
src: ssmtp.conf.j2
dest: /etc/ssmtp/ssmtp.conf
+ mode: 0644
- name: ssmtp revaliases configuration
template:
src: revaliases.j2
dest: /etc/ssmtp/revaliases
+ mode: 0644
diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml
index 093d3212a6..7070de7392 100644
--- a/roles/wordpress-install/tasks/directories.yml
+++ b/roles/wordpress-install/tasks/directories.yml
@@ -22,6 +22,7 @@
path: "{{ www_root }}/{{ item.key }}"
owner: "{{ web_user }}"
group: "{{ web_group }}"
+ mode: 0755
state: directory
recurse: yes
with_dict: "{{ wordpress_sites }}"
diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml
index 5397096992..84b2e3f721 100644
--- a/roles/wordpress-install/tasks/dotenv.yml
+++ b/roles/wordpress-install/tasks/dotenv.yml
@@ -3,7 +3,7 @@
template:
src: "env.j2"
dest: "/tmp/{{ item.key }}.env"
- mode: '0644'
+ mode: 0644
owner: "{{ web_user }}"
group: "{{ web_group }}"
with_dict: "{{ wordpress_sites }}"
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml
index e1e48bbe02..53951327c5 100644
--- a/roles/wordpress-setup/tasks/main.yml
+++ b/roles/wordpress-setup/tasks/main.yml 
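Review bot: In the directories.yml hunk, `+ mode: 0755` is added to a `file` task that already carries `recurse: yes`, and with recurse the file module applies the mode to every entry beneath `{{ www_root }}/{{ item.key }}`, regular files included, so each run will chmod the whole site tree to 0755, setting the execute bit on every PHP and upload file and, if the release tree lives under that path, undoing the 0600 the deploy role gives `.env`. If the intent is only the directory's own mode, drop `recurse: yes` from this task; if contents really need normalising, a symbolic mode that restricts execute to directories, `mode: "u=rwX,g=rX,o=rX"`, does that without making files executable. In the dotenv.yml hunk, `mode: 0644` on `/tmp/{{ item.key }}.env` leaves a file that typically holds database credentials and salts world-readable in a shared directory; `mode: 0600` alongside the existing `owner: "{{ web_user }}"` matches the 0600 the deploy role uses for the same file. For ssmtp, `/etc/ssmtp/ssmtp.conf` carries an SMTP password whenever the template renders one (not visible here), in which case `0640` is the safer choice over `0644`.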
@@ -27,6 +27,7 @@
template:
src: php-fpm.conf.j2
dest: /etc/php/7.4/fpm/pool.d/wordpress.conf
+ mode: 0644
notify: reload php-fpm
- name: Disable default PHP-FPM pool
diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml
index 0ea756a397..03885a8a59 100644
--- a/roles/wordpress-setup/tasks/nginx-includes.yml
+++ b/roles/wordpress-setup/tasks/nginx-includes.yml
@@ -24,6 +24,7 @@
template:
src: "{{ item }}"
dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}"
+ mode: 0644
with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
notify: reload nginx
diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml
index 0f1333fa12..c5e29930c7 100644
--- a/roles/wordpress-setup/tasks/nginx.yml
+++ b/roles/wordpress-setup/tasks/nginx.yml
@@ -23,6 +23,7 @@
template:
src: "{{ item.src }}"
dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}"
+ mode: 0644
with_items: "{{ nginx_sites_confs }}"
when: item.enabled | default(true)
notify: reload nginx
@@ -52,12 +53,14 @@
template:
src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2"
dest: "{{ nginx_path }}/acme-challenge-location.conf"
+ mode: 0644
notify: reload nginx
- name: Create WordPress configuration for Nginx
template:
src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}"
dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf"
+ mode: 0644
with_dict: "{{ wordpress_sites }}"
notify: reload nginx
tags: nginx-includes
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml
index 193415e7d9..78a3b306fe 100644
--- a/roles/wordpress-setup/tasks/self-signed-certificate.yml
+++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
@@ -3,7 +3,7 @@
file:
path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/"
state: directory
- mode: "0755"
+ mode: 0755
- name: Template openssl configs
template:
diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml
index 21494865dc..b0b6aef406 100644
--- a/roles/wp-cli/tasks/main.yml
+++ b/roles/wp-cli/tasks/main.yml
@@ -19,7 +19,7 @@
copy:
src: "{{ wp_cli_pgp_public_key }}"
dest: /tmp/wp-cli.pgp.gpg
- mode: '0744'
+ mode: 0744
- name: Verify WP-CLI Phar Signature
command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar
diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml
index 690c459baa..5b19db0ef4 100644
--- a/roles/xdebug/tasks/main.yml
+++ b/roles/xdebug/tasks/main.yml
@@ -9,6 +9,7 @@
template:
src: xdebug.ini.j2
dest: /etc/php/7.4/mods-available/xdebug.ini
+ mode: 0644
notify: reload php-fpm
- name: Ensure 20-xdebug.ini is present
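Review bot: `+ mode: 0744` in the wp-cli hunk keeps an execute bit on `/tmp/wp-cli.pgp.gpg`, a public keyring that nothing executes; `mode: 0644` is sufficient. The larger concern is the fixed filename in world-writable `/tmp`: the keyring consumed by the `gpg2 --verify` on the next line is staged where any local user could pre-create or replace it between the copy and the verify step, which undermines the signature check the task exists to perform, and the `.phar`/`.asc` paths on that command line share the same exposure. Staging into a per-run directory from the `tempfile` module, or into a root-owned location, closes that window; the download tasks that produce those paths sit outside this hunk.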