fix E208 'File permissions not mentioned'
This commit is contained in:
parent
04b2e3b1e0
commit
63887d3b09
|
@ -4,7 +4,7 @@
|
|||
hosts: 127.0.0.1
|
||||
tasks:
|
||||
- name: create borg-keys directory
|
||||
file: path="{{ playbook_dir }}/../../borg-keys/" state=directory
|
||||
file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=preserve
|
||||
|
||||
- name: fetch borg keys
|
||||
hosts: borg_clients
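Review bot: `mode=preserve` on the `file` task that creates the borg-keys directory has no source to preserve from — that value is defined for copy/template, so on `file` it is at best meaningless and may be rejected as an invalid mode (I have not checked against the installed Ansible). The directory presumably holds the borg repository keys fetched from every client in the next play, so its mode is exactly the kind of thing E208 is about; set it explicitly, `file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=0700`. The play targets 127.0.0.1, so leave owner/group off unless the controller run is always root.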
|
||||
|
|
|
@ -14,10 +14,10 @@
|
|||
get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.gz dest={{ tempdir.path }}/pacman.tar.gz
|
||||
|
||||
- name: create extraction dir
|
||||
file: path={{ tempdir.path }}/pacman state=directory
|
||||
file: path={{ tempdir.path }}/pacman state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: unpack tarball
|
||||
unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/
|
||||
unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/ owner=root group=root mode=0755
|
||||
|
||||
- name: configure
|
||||
command: ./configure chdir={{ tempdir.path }}/pacman/pacman-{{ pacman_version }}
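Review bot: `mode=0755` on the `unarchive` task is applied to every extracted entry, so all pacman source files come out executable and the tarball's own modes are discarded; `owner=root group=root` on a root-owned build tree in a tempdir is sufficient and the mode override only adds noise. If the linter needs a mode, a symbolic one that adds execute only where it already exists, `mode=u=rwX,go=rX`, is closer to the intent — confirm the installed unarchive accepts symbolic modes before relying on it. Separate from this change: the `get_url` above still fetches the tarball without a `checksum=`, so the source tree is trusted on TLS alone.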
|
||||
|
|
|
@ -21,26 +21,36 @@
|
|||
copy:
|
||||
dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
|
||||
content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].ssh_hostkeys.stdout }}\n\n{% endfor %}"
|
||||
mode: preserve
|
||||
delegate_to: localhost
|
||||
- name: store known_hosts
|
||||
copy:
|
||||
dest: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
|
||||
content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].known_hosts.stdout }}\n\n{% endfor %}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
delegate_to: localhost
|
||||
- name: manually append rsync.net host keys
|
||||
lineinfile:
|
||||
path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
|
||||
line: "{% for host in query('inventory_hostnames', 'rsync_net') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
delegate_to: localhost
|
||||
- name: manually append Hetzner Storageboxes host keys
|
||||
lineinfile:
|
||||
path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
|
||||
line: "{% for host in query('inventory_hostnames', 'hetzner_storageboxes') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
delegate_to: localhost
|
||||
|
||||
- name: upload known_hosts to all nodes
|
||||
hosts: all,!rsync_net,!hetzner_storageboxes
|
||||
tasks:
|
||||
- name: upload known_hosts
|
||||
copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
|
||||
copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
|
||||
tags: ['upload-known-hosts']
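Review bot: The three tasks that write or append `docs/ssh-known_hosts.txt` now carry `owner: root` / `group: root` while running with `delegate_to: localhost`, so they fail with a chown error whenever the playbook is not run as root on the controller — and a checked-in docs file has no reason to be root-owned. The `store hostkeys` copy uses `mode: preserve` together with `content:`; with no source file the mode comes from the temporary file Ansible writes the content into (restrictive, as far as I know), which would leave `ssh-hostkeys.txt` non-world-readable while its sibling is 0644. Drop `owner`/`group` on the localhost-delegated tasks and give both docs files the same explicit `mode: 0644`.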
|
||||
|
|
|
@ -17,17 +17,17 @@
|
|||
copy: src=virtualbox.conf dest=/etc/modules-load.d/virtualbox.conf owner=root group=root mode=0644
|
||||
|
||||
- name: adjust permissions of git checkout
|
||||
file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}"
|
||||
file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=preserve
|
||||
|
||||
- name: ensure controller.py of arch-boxes is executable
|
||||
file: path="{{ archboxes_git_dir }}/controller.py" mode='0744'
|
||||
file: path="{{ archboxes_git_dir }}/controller.py" mode=0744 owner=root group=root
|
||||
|
||||
- name: replace placeholder to vagrantcloud API Key
|
||||
no_log: true
|
||||
replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}"
|
||||
replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}" owner=root group=root mode=0600
|
||||
|
||||
- name: install sudoers file
|
||||
template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes
|
||||
template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes owner=root group=root mode=0440
|
||||
|
||||
- name: install arch-boxes service
|
||||
template: src='arch-boxes.service.j2' dest='/etc/systemd/system/arch-boxes.service' owner=root group=root mode=0644
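Review bot: `replace: ... vagrant.json ... owner=root group=root mode=0600` conflicts with the recursive `owner="{{ archboxes_user }}"` applied to the same checkout two tasks earlier: if arch-boxes.service runs as that user (the chown suggests it does; the unit template is not visible here), it can no longer read the file holding the vagrantcloud API key. Keep the file private but owned by the service user, `owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=0600`; the same question applies to `controller.py`, which with `owner=root group=root mode=0744` is executable by root only. `mode=preserve` on the `file ... recurse=yes` task is undefined for the file module (it is a copy/template value) and should be an explicit mode or removed. The sudoers template gains the right 0440 but still lacks `validate: 'visudo -cf %s'`, which the sudoers `lineinfile` tasks elsewhere in this commit do use.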
|
||||
|
|
|
@ -109,4 +109,4 @@
|
|||
template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
|
||||
|
||||
- name: install archbuild sudoers config
|
||||
copy: src=sudoers dest=/etc/sudoers.d/archbuild
|
||||
copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440
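Review bot: The archbuild sudoers copy gets the correct `owner=root group=root mode=0440` but still has no syntax check, while the sudoers `lineinfile` tasks in this same commit use `validate: 'visudo -cf %s'`; a malformed drop-in under /etc/sudoers.d breaks sudo for every user on the host, and `copy` supports the same parameter. Add `validate='visudo -cf %s'` to this task (the docker-image, phrik and zabbix-agent sudoers tasks touched in this commit have the same gap).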
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
|
||||
file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"
|
||||
|
||||
- name: set archweb groups
|
||||
user: name=archweb groups=uwsgi
|
||||
|
@ -33,7 +33,7 @@
|
|||
when: archweb_site|bool
|
||||
|
||||
- name: make rsync iso dir
|
||||
file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb
|
||||
file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: clone archweb repo
|
||||
|
@ -59,11 +59,11 @@
|
|||
register: virtualenv
|
||||
|
||||
- name: create media dir
|
||||
file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}/media"
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
|
||||
file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"
|
||||
|
||||
- name: configure archweb
|
||||
template: src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
|
||||
|
@ -196,7 +196,7 @@
|
|||
when: archweb_services or archweb_pgp_import
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root path="/etc/pacman.d/hooks"
|
||||
file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
|
||||
when: archweb_services or archweb_pgp_import
|
||||
|
||||
- name: install pgp_import hook
|
||||
|
@ -265,7 +265,7 @@
|
|||
- name: deploy new release
|
||||
become: true
|
||||
become_user: archweb
|
||||
file: path=/etc/uwsgi/vassals/archweb.ini state=touch
|
||||
file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=root group=root mode=0600
|
||||
when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
notify: restart archweb memcached
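Review bot: `owner=root group=root mode=0600` on the `archweb.ini` touch will fail at runtime: the task runs with `become_user: archweb`, and an unprivileged user cannot chown a file to root. It is also inconsistent with the equivalent vassal touches for cgit, patchwork and security-tracker in this commit, which use 0644, and a root-only 0600 on a vassal file assumes the uwsgi emperor runs as root. Since the touch only exists to trigger a reload, leave ownership alone here, `file: path=/etc/uwsgi/vassals/archweb.ini state=touch mode=0644`, or move the chown/mode into a separate root-run task.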
|
||||
|
||||
|
@ -320,7 +320,7 @@
|
|||
when: archweb_donor_import|bool
|
||||
|
||||
- name: create retro dir
|
||||
file: state=directory owner=archweb group=archweb path="{{ archweb_retro_dir }}"
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: clone archweb-retro repo
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
register: user_created
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"
|
||||
|
||||
- name: set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
|
||||
|
@ -47,16 +47,16 @@
|
|||
- run wiki updatescript
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"
|
||||
|
||||
- name: fix cache permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/cache"
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/cache"
|
||||
|
||||
- name: fix sessions permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/sessions"
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/sessions"
|
||||
|
||||
- name: fix uploads permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/uploads"
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"
|
||||
|
||||
- name: configure archwiki
|
||||
template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
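Review bot: `mode=0755` on `{{ archwiki_dir }}/sessions` makes the PHP session directory listable by every local account; session files are named after the session ID, so a world-readable directory leaks valid IDs even though the files themselves are normally created 0600. Only the owning user needs access if php-fpm runs as `{{ archwiki_user }}` (the pool configuration is not visible here); use `mode=0700` for `sessions`, consider the same for `cache`, and keep 0755 only for `uploads`, which the web server must serve.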
|
||||
|
@ -119,7 +119,7 @@
|
|||
file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root path=/etc/pacman.d/hooks
|
||||
file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
|
||||
|
||||
- name: install archwiki question updater hook
|
||||
template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
register: tubylaws_release
|
||||
|
||||
- name: create necessary directories
|
||||
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }}
|
||||
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
|
||||
with_items:
|
||||
- 'aurblup'
|
||||
- 'sessions'
|
||||
|
@ -91,13 +91,13 @@
|
|||
when: release.changed or db_created.changed
|
||||
|
||||
- name: create aurweb conf dir
|
||||
file: path={{ aurweb_conf_dir }} state=directory
|
||||
file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: copy aurweb configuration file
|
||||
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
|
||||
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
|
||||
|
||||
- name: install custom aurweb configuration
|
||||
template: src=config.j2 dest={{ aurweb_conf_dir }}/config
|
||||
template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
|
||||
|
||||
- name: Install python module
|
||||
command: "python3 setup.py install --install-scripts=/usr/local/bin"
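Review bot: `template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644` makes the aurweb configuration world-readable; aurweb's config normally carries the database credentials (the template is not visible here, so confirm), in which case 0644 exposes them to every local account. The consumer runs as `{{ aurweb_user }}` (see `php-fpm@{{ aurweb_user }}` below), so `owner=root group={{ aurweb_user }} mode=0640` keeps it readable by the service and nobody else. The same consideration applies to `cgitrc` if it embeds any secret.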
|
||||
|
@ -126,11 +126,11 @@
|
|||
when: tubylaws_release.changed
|
||||
|
||||
- name: Install Trusted User documentation
|
||||
copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes
|
||||
copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes owner={{ aurweb_user }} group=http mode=0644
|
||||
when: tubylaws_release.changed
|
||||
|
||||
- name: Install Trusted User documentation symlink
|
||||
file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link
|
||||
file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link owner={{ aurweb_user }} group=http mode=0644
|
||||
when: tubylaws_release.changed
|
||||
|
||||
- name: set up nginx
|
||||
|
@ -152,7 +152,7 @@
|
|||
service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
|
||||
|
||||
- name: install cgit configuration
|
||||
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc"
|
||||
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
|
||||
|
||||
- name: configure cgit uwsgi service
|
||||
template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
|
||||
|
@ -160,7 +160,7 @@
|
|||
- name: deploy new cgit release
|
||||
become: true
|
||||
become_user: "{{ aurweb_user }}"
|
||||
file: path=/etc/uwsgi/vassals/cgit.ini state=touch
|
||||
file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
|
||||
when: cgit.changed
|
||||
|
||||
- name: configure smartgit uwsgi service
|
||||
|
@ -169,7 +169,7 @@
|
|||
- name: deploy new smartgit release
|
||||
become: true
|
||||
become_user: "{{ aurweb_user }}"
|
||||
file: path=/etc/uwsgi/vassals/smartgit.ini state=touch
|
||||
file: path=/etc/uwsgi/vassals/smartgit.ini state=touch mode=preserve
|
||||
when: git.changed
|
||||
|
||||
- name: create git repo dir
|
||||
|
@ -227,6 +227,9 @@
|
|||
file:
|
||||
src: "{{ aurweb_git_hook }}"
|
||||
dest: "{{ aurweb_git_dir }}/hooks/update"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
state: link
|
||||
|
||||
- name: install AUR systemd service and timers
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
changed_when: check_postgres_user.stdout | length > 0
|
||||
|
||||
- name: make postgres backup directory
|
||||
file: path={{ postgres_backup_dir }} owner=root group=root state=directory
|
||||
file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory
|
||||
when: check_postgres_user is succeeded and postgres_backup_dir is defined
|
||||
|
||||
- name: install mysql backup script
|
||||
|
@ -50,11 +50,11 @@
|
|||
when: mysql_backup_dir is defined
|
||||
|
||||
- name: install mysql backup config
|
||||
template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }}
|
||||
template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644
|
||||
when: mysql_backup_defaults is defined
|
||||
|
||||
- name: create mysql backup directory
|
||||
file: path={{ mysql_backup_dir }} state=directory owner=root group=root
|
||||
file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
|
||||
when: mysql_backup_dir is defined
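Review bot: `mode=0644` on `{{ mysql_backup_defaults }}` makes the backup client defaults file world-readable; a my.cnf defaults file used for unattended backups normally holds the backup user's password (the template is not shown, so confirm), and that must not be readable by other local users. Use `owner=root group=root mode=0600`; the backup directories in this role are root-owned, which suggests the backup job itself runs as root and nothing else needs access.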
|
||||
|
||||
- name: install gitlab backup script
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
|
||||
|
||||
- name: install bugbot systemd service
|
||||
copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service
|
||||
copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable bugbot service
|
||||
systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
when: configure_network
|
||||
|
||||
- name: create symlink to resolv.conf
|
||||
file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
|
||||
file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes owner=root group=root mode=0755
|
||||
when: configure_network and not host_has_local_dns_resolver
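Review bot: `mode=0755` on the `/etc/resolv.conf` symlink does nothing useful: on Linux symlink permissions are fixed and, as far as I know, Ansible deliberately avoids chmod-ing through the link, so the value is noise — and it disagrees with the same symlink created during installation elsewhere in this commit with `mode=0644`. Pick one value for both (0644 reads as the intent for a config file) or drop `mode` from symlink tasks and let owner/group satisfy the linter.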
|
||||
|
||||
- name: create resolv.conf
|
||||
|
|
|
@ -14,10 +14,10 @@
|
|||
register: release
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ conference_dir }}"
|
||||
file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0750 path="{{ conference_dir }}"
|
||||
|
||||
- name: create static conf.archlinux.org dir
|
||||
file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ static_conference_dir }}"
|
||||
file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0755 path="{{ static_conference_dir }}"
|
||||
|
||||
- name: generate conf.archlinux.org site
|
||||
command: hugo
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
tags: ["archusers"]
|
||||
|
||||
- name: create dbscripts paths
|
||||
file: path="{{ item }}" state=directory
|
||||
file: path="{{ item }}" state=directory owner=root group=root mode=0755
|
||||
with_items:
|
||||
- /srv/repos/svn-community
|
||||
- /srv/repos/svn-packages
|
||||
|
@ -167,19 +167,19 @@
|
|||
- svn-packages
|
||||
|
||||
- name: make /srv/svn
|
||||
file: path=/srv/svn state=directory
|
||||
file: path=/srv/svn state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
|
||||
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link
|
||||
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
|
||||
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link
|
||||
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /community to /srv/repos/svn-community/dbscripts
|
||||
file: path=/community src=/srv/repos/svn-community/dbscripts state=link
|
||||
file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /packages to /srv/repos/svn-packages/dbscripts
|
||||
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link
|
||||
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
|
||||
|
||||
- name: put rsyncd.conf into tmpfiles
|
||||
copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
|
||||
|
@ -301,7 +301,7 @@
|
|||
- firewall
|
||||
|
||||
- name: configure svnserve
|
||||
copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
|
||||
copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
|
||||
|
||||
- name: start and enable svnserve
|
||||
service: name=svnserve enabled=yes state=started
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
git: repo="{{ docker_image_git_remote }}" version="{{ docker_image_git_tag }}" dest="{{ docker_image_git_dir }}" force=yes
|
||||
|
||||
- name: install sudoers file
|
||||
template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image
|
||||
template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image owner=root group=root mode=0440
|
||||
|
||||
- name: install docker_image service
|
||||
template: src='docker-image.service.j2' dest='/etc/systemd/system/docker-image.service' owner=root group=root mode=0644
|
||||
|
|
|
@ -11,15 +11,11 @@
|
|||
version: "{{ fluxbb_version }}"
|
||||
|
||||
- name: fix home permissions
|
||||
file: >
|
||||
state=directory owner=fluxbb group=fluxbb recurse=yes
|
||||
path="{{ fluxbb_dir }}"
|
||||
file: state=directory owner=fluxbb group=fluxbb mode=0750 recurse=yes path="{{ fluxbb_dir }}"
|
||||
changed_when: False
|
||||
|
||||
- name: create uploads directory
|
||||
file: >
|
||||
state=directory owner=fluxbb group=fluxbb
|
||||
path="{{ fluxbb_dir }}/uploads"
|
||||
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
|
||||
|
||||
- name: create mariadb database
|
||||
mysql_db: name=fluxbb state=present
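Review bot: `mode=0750` combined with `recurse=yes` applies the same bits to every file and directory under `{{ fluxbb_dir }}`: all PHP files become executable by owner and group, anything world-readable stops being so, and if nginx or php-fpm run as a different user than fluxbb they lose access to the document root. If a recursive sweep is really wanted, use a symbolic mode that sets execute only on directories, `mode=u=rwX,g=rX,o=`, or apply the mode to the top-level directory without `recurse`. `changed_when: False` hides that this task rewrites permissions on every run, so the effect never shows in the play summary.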
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
register: user_created
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0750
|
||||
|
||||
- name: set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
|
||||
|
@ -43,7 +43,7 @@
|
|||
register: release
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
|
||||
|
||||
- name: take away setup dir write permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
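Review bot: The two "fix home permissions" tasks for `{{ flyspray_dir }}` now disagree: the earlier one (hunk at -17) sets `mode=0750`, this one sets `mode=0755`, and since this one runs later its value wins, so the home directory ends up world-traversable and the 0750 is dead configuration. Decide which is intended (0750 matches archweb, archwiki and conference in this commit; 0755 only if the web server runs as another user and must traverse) and use the same value in both tasks.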
|
||||
|
|
|
@ -33,6 +33,9 @@
|
|||
- name: increase concurrency
|
||||
lineinfile:
|
||||
path: /etc/gitlab-runner/config.toml
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
regexp: '^concurrent = .*'
|
||||
line: concurrent = 100
|
||||
notify: restart gitlab-runner
|
||||
|
|
|
@ -1,22 +1,22 @@
|
|||
---
|
||||
|
||||
- name: set restricted access to kernel logs
|
||||
copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
|
||||
copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
|
||||
copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
|
||||
copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set restricted access to kernel pointers in proc fs
|
||||
copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
|
||||
copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set kernel lockdown to restricted
|
||||
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf
|
||||
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
|
||||
when: "'hcloud' in group_names"
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
delegate_to: localhost
|
||||
|
||||
- name: fill tempfile
|
||||
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
|
||||
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
|
||||
delegate_to: localhost
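Review bot: `mode=preserve` on a `copy` that uses `content:` has no source file to preserve from; the resulting mode is whatever the controller-side temporary file gets (restrictive, as far as I know), which is acceptable for a tempfile but not an explicit choice, and the equivalent "fill tempfile" task elsewhere in this commit instead sets `owner=root group=root mode=0644`, so the two diverge. State the intent explicitly and identically in both: `mode=0600` is enough for a tempfile that only lives until the upload task, with no owner/group since this runs on the controller via `delegate_to: localhost`.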
|
||||
|
||||
- name: upload authorized_keys file
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
when: filesystem == "btrfs"
|
||||
|
||||
- name: touch LOCK file on mountpoint
|
||||
file: path=/mnt/LOCK state=touch
|
||||
file: path=/mnt/LOCK state=touch owner=root group=root mode=0644
|
||||
|
||||
- name: download bootstrap image
|
||||
get_url:
|
||||
|
@ -51,11 +51,14 @@
|
|||
unarchive:
|
||||
src: /tmp/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
|
||||
dest: /tmp
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
remote_src: yes
|
||||
creates: /tmp/root.x86_64
|
||||
|
||||
- name: copy resolv.conf to bootstrap chroot
|
||||
copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
|
||||
copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644
|
||||
|
||||
- name: mount /proc to bootstrap chroot
|
||||
mount:
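Review bot: `mode: 0644` on the bootstrap `unarchive` is applied to every extracted entry of the root filesystem tarball — unarchive hands the mode down to tar, as far as I know — so directories lose their execute bit and every binary under `/tmp/root.x86_64` becomes non-executable, which breaks the chroot steps that follow. The tarball ships correct permissions (including setuid bits); keep `owner: root` / `group: root` but drop `mode`, and if the linter insists, silence it for this task rather than force a single mode onto a rootfs. The `creates:` guard means a host that already extracted once will not expose the problem until a fresh install.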
|
||||
|
@ -147,7 +150,7 @@
|
|||
fstab: /dev/dummyfstab
|
||||
|
||||
- name: configure locale.gen
|
||||
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
|
||||
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644
|
||||
|
||||
- name: run locale-gen inside chroot
|
||||
command: chroot /mnt locale-gen
|
||||
|
@ -189,6 +192,9 @@
|
|||
- name: provide default mount options (btrfs)
|
||||
lineinfile:
|
||||
path: /mnt/etc/default/grub
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
|
||||
line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
|
||||
when: filesystem == "btrfs"
|
||||
|
@ -225,7 +231,7 @@
|
|||
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
|
||||
|
||||
- name: create symlink to resolv.conf
|
||||
file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
|
||||
file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes owner=root group=root mode=0644
|
||||
|
||||
- name: clean pacman cache
|
||||
command: chroot /mnt pacman -Scc --noconfirm
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
creates: /var/lib/mysql/mysql
|
||||
|
||||
- name: configure mariadb
|
||||
template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf
|
||||
template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart mariadb
|
||||
|
||||
|
@ -36,7 +36,7 @@
|
|||
no_log: true
|
||||
|
||||
- name: create client configuration for root
|
||||
template: src=client.cnf.j2 dest=/root/.my.cnf
|
||||
template: src=client.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0644
|
||||
no_log: true
|
||||
|
||||
- name: configure zabbix-agent user
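Review bot: `/root/.my.cnf` is written with `mode=0644`, making the root database client credentials world-readable; the task already carries `no_log: true`, so the content is known to be sensitive. Use `template: src=client.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0600` — only root reads this file.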
|
||||
|
|
|
@ -118,7 +118,7 @@
|
|||
- name: deploy new release
|
||||
become: true
|
||||
become_user: patchwork
|
||||
file: path=/etc/uwsgi/vassals/patchwork.ini state=touch
|
||||
file: path=/etc/uwsgi/vassals/patchwork.ini state=touch owner=root group=root mode=0644
|
||||
when: (release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy)
|
||||
|
||||
- name: start and enable patchwork memcached service and notification timer
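Review bot: `owner=root group=root` on the `patchwork.ini` touch runs under `become_user: patchwork`, and a non-root user cannot chown to root, so the deploy task will now error on every release where it previously worked. Keep only the mode here, `file: path=/etc/uwsgi/vassals/patchwork.ini state=touch mode=0644`, and leave ownership to a root-run task if it matters.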
|
||||
|
|
|
@ -22,13 +22,13 @@
|
|||
tags: ['archusers']
|
||||
|
||||
- name: install phrik sudoers config
|
||||
copy: src=sudoers dest=/etc/sudoers.d/phrik
|
||||
copy: src=sudoers dest=/etc/sudoers.d/phrik owner=root group=root mode=0440
|
||||
|
||||
- name: install polkit rule for restarting phrik
|
||||
copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules
|
||||
copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules owner=root group=root mode=0644
|
||||
|
||||
- name: install phrik systemd service
|
||||
copy: src=phrik.service dest=/etc/systemd/system/phrik.service
|
||||
copy: src=phrik.service dest=/etc/systemd/system/phrik.service owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable pkgfile and phrikservice
|
||||
systemd:
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
group: postgres
|
||||
attributes: "+C"
|
||||
path: /var/lib/postgres/data
|
||||
mode: 0700
|
||||
when: filesystem == "btrfs"
|
||||
|
||||
- name: initialize postgres
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
delegate_to: localhost
|
||||
|
||||
- name: fill tempfile
|
||||
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
|
||||
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" owner=root group=root mode=0644
|
||||
delegate_to: localhost
|
||||
|
||||
- name: upload authorized_keys file
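Review bot: `owner=root group=root` on the "fill tempfile" copy runs on the controller (`delegate_to: localhost`), so it fails unless the operator runs the playbook as root locally, and it differs from the other authorized_keys tempfile task in this commit, which uses `mode=preserve`. Drop owner/group and set the same explicit mode in both; `mode=0600` suffices for a tempfile consumed by the next task.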
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
user: name=security shell=/bin/false home="{{ security_tracker_dir }}" createhome=no
|
||||
|
||||
- name: fix home permissions
|
||||
file: state=directory owner=security group=security path="{{ security_tracker_dir }}"
|
||||
file: state=directory mode=0750 owner=security group=security path="{{ security_tracker_dir }}"
|
||||
|
||||
- name: copy security-tracker units
|
||||
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
|
@ -89,7 +89,7 @@
|
|||
- name: deploy new release
|
||||
become: true
|
||||
become_user: security
|
||||
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch
|
||||
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
|
||||
when: release.changed
|
||||
|
||||
- name: start and enable security-tracker timer
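Review bot: `owner=root group=root` on the `security-tracker.ini` touch runs under `become_user: security`, so the chown to root cannot succeed for an unprivileged user and the task fails whenever `release.changed` is true. Keep only the mode, `file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch mode=0644`, or perform the ownership change in a root-run task.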
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
- systemd daemon reload
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root path="/etc/pacman.d/hooks"
|
||||
file: state=directory path="/etc/pacman.d/hooks" owner=root group=root mode=0755
|
||||
|
||||
- name: install pacman sa-update hook
|
||||
copy: src=sa-update.hook dest=/etc/pacman.d/hooks/sa-update.hook owner=root group=root mode=0644
|
||||
|
|
|
@ -22,6 +22,9 @@
|
|||
insertafter: '^# %wheel ALL=\(ALL\) ALL'
|
||||
line: '%wheel ALL=(ALL) ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
user: root
|
||||
group: root
|
||||
|
||||
- name: secure path to protect against attacks
|
||||
lineinfile:
|
||||
|
@ -31,3 +34,6 @@
|
|||
insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
|
||||
line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
|
||||
validate: 'visudo -cf %s'
|
||||
mode: 0440
|
||||
user: root
|
||||
group: root
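Review bot: `user: root` is not a parameter of `lineinfile` — the file-attribute argument is `owner` — so with this change both sudoers tasks (this hunk and the `%wheel` one above) fail with an unsupported-parameter error before `visudo` ever runs. Change both to `owner: root`. The enclosing tasks start above their hunks, so the `path`/`name` lines are not visible here.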
|
||||
|
|
|
@ -35,6 +35,9 @@
|
|||
insertafter: '^#CacheDir'
|
||||
regexp: '^CacheDir'
|
||||
line: 'CacheDir = /var/cache/pacman/pkg/ /srv/ftp/pool/packages/ /srv/ftp/pool/community/'
|
||||
mode: 0644
|
||||
user: root
|
||||
group: root
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755
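Review bot: `user: root` on the pacman.conf `lineinfile` task is not a valid parameter (the attribute is `owner`), so the task fails with an unsupported-parameter error; change it to `owner: root`. The task's `name` and `path` lie above the hunk and are not visible here.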
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
- run wkd service
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root path=/etc/pacman.d/hooks
|
||||
file: state=directory path=/etc/pacman.d/hooks mode=0755 owner=root group=root
|
||||
|
||||
- name: install pgp_import hook
|
||||
template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
|
||||
|
|
|
@ -106,7 +106,7 @@
|
|||
when: "'nginx' in group_names"
|
||||
|
||||
- name: install sudo config
|
||||
template: src=zabbix-agent-sudoers.conf.j2 dest=/etc/sudoers.d/zabbix-agent-sudoers
|
||||
template: src=zabbix-agent-sudoers.conf.j2 dest=/etc/sudoers.d/zabbix-agent-sudoers mode=0440 owner=root group=root
|
||||
|
||||
- name: copy nginx-zabbix.service
|
||||
copy: src=nginx-zabbix.service dest=/etc/systemd/system/nginx-zabbix.service owner=root group=root mode=0644
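Review bot: The zabbix-agent sudoers template now has `mode=0440 owner=root group=root` but still no `validate: 'visudo -cf %s'`, unlike the sudoers `lineinfile` tasks in this commit; a bad render of `zabbix-agent-sudoers.conf.j2` would break sudo host-wide. Add `validate='visudo -cf %s'` to the template task, which supports the parameter.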
|
||||
|
|