Set file permissions explicitly

Fixes ansible-lint violations

roles/fail2ban/tasks/main.yml

@@ -11,6 +11,7 @@
   template:
     src: "{{ item }}.j2"
     dest: /etc/fail2ban/{{ item }}
+    mode: 0644
   with_items:
     - jail.local
     - fail2ban.local
@@ -36,6 +37,7 @@
   template:
     src: "{{ item }}"
     dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}"
+    mode: 0644
   with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}"
   notify: restart fail2ban
 

roles/ferm/tasks/main.yml

@@ -28,6 +28,7 @@
   template:
     src: "{{ item }}.j2"
     dest: /{{ item }}
+    mode: 0644
   with_items:
     - etc/default/ferm
     - etc/ferm/ferm.conf
@@ -55,6 +56,7 @@
             {% else %}
             dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
             {% endif %}
+            mode=0644
   with_flattened:
     - "{{ ferm_input_list }}"
     - "{{ ferm_input_group_list }}"

roles/letsencrypt/tasks/nginx.yml

@@ -3,6 +3,7 @@
   template:
     src: acme-challenge-location.conf.j2
     dest: "{{ nginx_path }}/acme-challenge-location.conf"
+    mode: 0644
 
 - name: Get list of hosts in current Nginx conf
   shell: |
@@ -17,6 +18,7 @@
   template:
     src: nginx-challenge-site.conf.j2
     dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf"
+    mode: 0644
   register: challenge_site_confs
   when:
     - site_uses_letsencrypt

roles/letsencrypt/tasks/setup.yml

@@ -46,12 +46,14 @@
   copy:
     src: "{{ letsencrypt_account_key_source_file }}"
     dest: "{{ letsencrypt_account_key }}"
+    mode: 0700
   when: letsencrypt_account_key_source_file is defined
 
 - name: Copy Lets Encrypt account key source contents
   copy:
     content: "{{ letsencrypt_account_key_source_content | trim }}"
     dest: "{{ letsencrypt_account_key }}"
+    mode: 0700
   when: letsencrypt_account_key_source_content is defined
 
 - name: Generate a new account key

roles/mariadb/tasks/main.yml

@@ -29,6 +29,7 @@
       dest: /etc/mysql/conf.d
       owner: root
       group: root
+      mode: 0644
     when: mysql_binary_logging_disabled | bool
     notify: restart mysql server
 

roles/memcached/tasks/main.yml

@@ -10,6 +10,7 @@
   template:
     src: memcached.conf.j2
     dest: /etc/memcached.conf
+    mode: 0644
   notify: restart memcached
 
 - name: Set the max open file descriptors

roles/nginx/tasks/main.yml

@@ -19,6 +19,7 @@
   file:
     path: "{{ nginx_path }}/{{ item }}"
     state: directory
+    mode: 0755
   with_items:
     - sites-available
     - sites-enabled
@@ -42,12 +43,14 @@
   copy:
     src: templates/h5bp
     dest: "{{ nginx_path }}"
+    mode: 0755
   notify: reload nginx
 
 - name: Create nginx.conf
   template:
     src: "{{ nginx_conf }}"
     dest: "{{ nginx_path }}/nginx.conf"
+    mode: 0644
   notify: reload nginx
   tags: nginx-includes
 

roles/php/tasks/main.yml

@@ -49,9 +49,11 @@
   template:
     src: php-fpm.ini.j2
     dest: /etc/php/7.4/fpm/php.ini
+    mode: 0644
   notify: reload php-fpm
 
 - name: Copy PHP CLI configuration file
   template:
     src: php-cli.ini.j2
     dest: /etc/php/7.4/cli/php.ini
+    mode: 0644

roles/rollback/tasks/main.yml

@@ -30,3 +30,4 @@
   file:
     path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED"
     state: touch
+    mode: 0644

roles/ssmtp/tasks/main.yml

@@ -9,8 +9,10 @@
   template:
     src: ssmtp.conf.j2
     dest: /etc/ssmtp/ssmtp.conf
+    mode: 0644
 
 - name: ssmtp revaliases configuration
   template:
     src: revaliases.j2
     dest: /etc/ssmtp/revaliases
+    mode: 0644

roles/wordpress-install/tasks/directories.yml

@@ -22,6 +22,7 @@
     path: "{{ www_root }}/{{ item.key }}"
     owner: "{{ web_user }}"
     group: "{{ web_group }}"
+    mode: 0755
     state: directory
     recurse: yes
   with_dict: "{{ wordpress_sites }}"

roles/wordpress-setup/tasks/main.yml

@@ -27,6 +27,7 @@
   template:
     src: php-fpm.conf.j2
     dest: /etc/php/7.4/fpm/pool.d/wordpress.conf
+    mode: '0644'
   notify: reload php-fpm
 
 - name: Disable default PHP-FPM pool

roles/wordpress-setup/tasks/nginx-includes.yml

@@ -24,6 +24,7 @@
   template:
     src: "{{ item }}"
     dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}"
+    mode: '0644'
   with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
   notify: reload nginx
 

roles/wordpress-setup/tasks/nginx.yml

@@ -23,6 +23,7 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}"
+    mode: '0644'
   with_items: "{{ nginx_sites_confs }}"
   when: item.enabled | default(true)
   notify: reload nginx
@@ -52,12 +53,14 @@
   template:
     src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2"
     dest: "{{ nginx_path }}/acme-challenge-location.conf"
+    mode: '0644'
   notify: reload nginx
 
 - name: Create WordPress configuration for Nginx
   template:
     src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}"
     dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf"
+    mode: '0644'
   with_dict: "{{ wordpress_sites }}"
   notify: reload nginx
   tags: nginx-includes

roles/wordpress-setup/tasks/self-signed-certificate.yml

@@ -9,6 +9,7 @@
   template:
     src: self-signed-openssl-config.j2
     dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf"
+    mode: '0644'
   with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}"
   when:
     - sites_use_ssl | bool

roles/xdebug/tasks/main.yml

@@ -9,6 +9,7 @@
   template:
     src: xdebug.ini.j2
     dest: /etc/php/7.4/mods-available/xdebug.ini
+    mode: 0644
   notify: reload php-fpm
 
 - name: Ensure 20-xdebug.ini is present