From 77d85df7e4cdd4186b2922819374ed26a627073a Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Sat, 6 Feb 2021 00:17:34 -0500
Subject: [PATCH] Set file permissions explicitly
Fixes ansible-lint violations
---
roles/fail2ban/tasks/main.yml | 2 ++
roles/ferm/tasks/main.yml | 2 ++
roles/letsencrypt/tasks/nginx.yml | 2 ++
roles/letsencrypt/tasks/setup.yml | 2 ++
roles/mariadb/tasks/main.yml | 1 +
roles/memcached/tasks/main.yml | 1 +
roles/nginx/tasks/main.yml | 3 +++
roles/php/tasks/main.yml | 2 ++
roles/rollback/tasks/main.yml | 1 +
roles/ssmtp/tasks/main.yml | 2 ++
roles/wordpress-install/tasks/directories.yml | 1 +
roles/wordpress-setup/tasks/main.yml | 1 +
roles/wordpress-setup/tasks/nginx-includes.yml | 1 +
roles/wordpress-setup/tasks/nginx.yml | 3 +++
roles/wordpress-setup/tasks/self-signed-certificate.yml | 1 +
roles/xdebug/tasks/main.yml | 1 +
16 files changed, 26 insertions(+)
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 278f0811ab..28a931ea73 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -11,6 +11,7 @@ template: src: "{{ item }}.j2" dest: /etc/fail2ban/{{ item }} + mode: 0644 with_items: - jail.local - fail2ban.local
@@ -36,6 +37,7 @@ template: src: "{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + mode: 0644 with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
index bdbaa0b53d..453ac00112 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm/tasks/main.yml
@@ -28,6 +28,7 @@ template: src: "{{ item }}.j2" dest: /{{ item }} + mode: 0644 with_items: - etc/default/ferm - etc/ferm/ferm.conf
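Review bot: The added `mode: 0644` is an unquoted octal literal, and both fail2ban tasks are `with_items` loops, which is the situation the Ansible file/template module docs single out when they recommend quoting octal modes so the module receives a string and does its own conversion instead of relying on the YAML parser's leading-zero handling. The wordpress-setup hunks in this same commit already use the quoted form, so the patch leaves two conventions side by side; the same unquoted form appears in the second fail2ban hunk and in the ferm, letsencrypt, mariadb, memcached, nginx, php, rollback, ssmtp, wordpress-install and xdebug hunks. Suggest `mode: '0644'` (and `'0755'`/`'0700'` where those are used) throughout. The enclosing `- name:` line of each task lies above its hunk.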
@@ -55,6 +56,7 @@ {% else %} dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf {% endif %} + mode=0644 with_flattened: - "{{ ferm_input_list }}" - "{{ ferm_input_group_list }}"
diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml
index 20b97e63b1..5865cdb742 100644
--- a/roles/letsencrypt/tasks/nginx.yml
+++ b/roles/letsencrypt/tasks/nginx.yml
@@ -3,6 +3,7 @@ template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: 0644 - name: Get list of hosts in current Nginx conf shell: |
@@ -17,6 +18,7 @@ template: src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" + mode: 0644 register: challenge_site_confs when: - site_uses_letsencrypt
diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml
index 48c3221cf3..8a1e65da2a 100644
--- a/roles/letsencrypt/tasks/setup.yml
+++ b/roles/letsencrypt/tasks/setup.yml
@@ -46,12 +46,14 @@ copy: src: "{{ letsencrypt_account_key_source_file }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_file is defined - name: Copy Lets Encrypt account key source contents copy: content: "{{ letsencrypt_account_key_source_content | trim }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_content is defined - name: Generate a new account key
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index f329616f62..b1acc09da4 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -29,6 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root + mode: 0644 when: mysql_binary_logging_disabled | bool notify: restart mysql server
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index 359ee645f3..0b54161bae 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
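Review bot: In the letsencrypt setup hunk, `mode: 0700` on both `copy` tasks sets the execute bit on the account key, which is a private key file written by `copy`, not a directory; the conventional mode for a key that is only ever read is `0600`. Suggest `mode: '0600'` on both added lines (quoted, matching the wordpress-setup hunks). No `owner`/`group` is set in the visible lines, so the user running the task ends up owning the key and the mode is the only thing restricting access — confirm that this is the user the ACME client runs as. The first task's `- name:` line is above the hunk.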
@@ -10,6 +10,7 @@ template: src: memcached.conf.j2 dest: /etc/memcached.conf + mode: 0644 notify: restart memcached - name: Set the max open file descriptors
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index f97d720b2d..e0176a8ffb 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,6 +19,7 @@ file: path: "{{ nginx_path }}/{{ item }}" state: directory + mode: 0755 with_items: - sites-available - sites-enabled
@@ -42,12 +43,14 @@ copy: src: templates/h5bp dest: "{{ nginx_path }}" + mode: 0755 notify: reload nginx - name: Create nginx.conf template: src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" + mode: 0644 notify: reload nginx tags: nginx-includes
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index e706517d29..3feda4fd23 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
@@ -49,9 +49,11 @@ template: src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini + mode: 0644 notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini + mode: 0644
diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml
index f8bd6f80c3..44dad91849 100644
--- a/roles/rollback/tasks/main.yml
+++ b/roles/rollback/tasks/main.yml
@@ -30,3 +30,4 @@ file: path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" state: touch + mode: 0644
diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml
index 9d62055d4d..6b98dc228b 100644
--- a/roles/ssmtp/tasks/main.yml
+++ b/roles/ssmtp/tasks/main.yml
@@ -9,8 +9,10 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf + mode: 0644 - name: ssmtp revaliases configuration template: src: revaliases.j2 dest: /etc/ssmtp/revaliases + mode: 0644
diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml
index 093d3212a6..7070de7392 100644
--- a/roles/wordpress-install/tasks/directories.yml
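Review bot: In the second nginx hunk, `mode: 0755` is attached to a `copy` whose `src: templates/h5bp` is a directory, and for a recursive copy the `mode` is, as far as I can tell, applied to each copied file, so the h5bp config snippets under `{{ nginx_path }}` end up executable. The copy module has a separate `directory_mode` for the directories it creates, so `mode: '0644'` together with `directory_mode: '0755'` states the intent (readable config files, traversable directories); note `directory_mode` only affects directories that are newly created. The `mode: 0755` on the `state: directory` task in the first nginx hunk is fine as it stands. The `- name:` line of the copy task is above the hunk.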
+++ b/roles/wordpress-install/tasks/directories.yml
@@ -22,6 +22,7 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" + mode: 0755 state: directory recurse: yes with_dict: "{{ wordpress_sites }}"
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml
index e1e48bbe02..e4c8395a16 100644
--- a/roles/wordpress-setup/tasks/main.yml
+++ b/roles/wordpress-setup/tasks/main.yml
@@ -27,6 +27,7 @@ template: src: php-fpm.conf.j2 dest: /etc/php/7.4/fpm/pool.d/wordpress.conf + mode: '0644' notify: reload php-fpm - name: Disable default PHP-FPM pool
diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml
index 0ea756a397..8980ed9851 100644
--- a/roles/wordpress-setup/tasks/nginx-includes.yml
+++ b/roles/wordpress-setup/tasks/nginx-includes.yml
@@ -24,6 +24,7 @@ template: src: "{{ item }}" dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" + mode: '0644' with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx
diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml
index 0f1333fa12..77fe0bf72f 100644
--- a/roles/wordpress-setup/tasks/nginx.yml
+++ b/roles/wordpress-setup/tasks/nginx.yml
@@ -23,6 +23,7 @@ template: src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + mode: '0644' with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx
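Review bot: In the wordpress-install directories hunk, `mode: 0755` sits next to the existing `recurse: yes`, so the file module applies it to every file and directory below `{{ www_root }}/{{ item.key }}` on each run, not only to the site root: regular files in the tree gain the execute bit and any tighter mode set elsewhere in the tree is reset to 0755. A symbolic mode gives directories the traverse bit without making files executable: `mode: 'u=rwX,g=rX,o=rX'`. If only the site root's mode was meant, the recursion would have to go, but `recurse: yes` predates this change and presumably exists for the `owner`/`group` fix-up, so the symbolic form is the smaller change. The task's `- name:` and `file:` lines are above the hunk.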
@@ -52,12 +53,14 @@ template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: '0644' notify: reload nginx - name: Create WordPress configuration for Nginx template: src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" + mode: '0644' with_dict: "{{ wordpress_sites }}" notify: reload nginx tags: nginx-includes
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml
index 193415e7d9..c34a6d4c7e 100644
--- a/roles/wordpress-setup/tasks/self-signed-certificate.yml
+++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml
@@ -9,6 +9,7 @@ template: src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" + mode: '0644' with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - sites_use_ssl | bool
diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml
index 690c459baa..5b19db0ef4 100644
--- a/roles/xdebug/tasks/main.yml
+++ b/roles/xdebug/tasks/main.yml
@@ -9,6 +9,7 @@ template: src: xdebug.ini.j2 dest: /etc/php/7.4/mods-available/xdebug.ini + mode: 0644 notify: reload php-fpm - name: Ensure 20-xdebug.ini is present