From 29ae53a730d2de4cc9a9ab01c05be0370cfe7584 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sch=C3=A4fer?= <felix@thegcat.net>
Date: Fri, 28 Jan 2022 17:52:42 +0100
Subject: [PATCH] Explicit file permissions

---
 tasks/certpaths.yml      |  3 +++
 tasks/configure.yml      | 52 +++++++++++++++++++++++++++++++++++++++-
 tasks/install.yml        |  9 +++++++
 tasks/standalone_tls.yml |  3 +++
 4 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/tasks/certpaths.yml b/tasks/certpaths.yml
index e2ef548..f7af67d 100644
--- a/tasks/certpaths.yml
+++ b/tasks/certpaths.yml
@@ -4,4 +4,7 @@
   template:
     src: certpaths.j2
     dest: "/etc/haproxy/{{ item.name }}.certpaths"
+    owner: root
+    group: root
+    mode: 0644
   when: item.ssl is defined and (item.ssl.cert is defined or item.ssl.acme_domains is defined)
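Review bot: The added `mode: 0644` is an unquoted plain scalar, so its value depends on the YAML dialect of the loader: a YAML 1.1 loader (PyYAML, which Ansible uses) reads `0644` as octal 420, while a YAML 1.2 parser reads it as decimal 644 (octal 01204), and ansible-lint's risky-octal rule flags exactly this form. Quoting it, `mode: "0644"`, removes the ambiguity and Ansible accepts the quoted leading-zero form as octal. The same unquoted `0644`/`0755` values are introduced in every hunk of configure.yml, install.yml and standalone_tls.yml in this patch, so the change should be applied consistently across all of them.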
diff --git a/tasks/configure.yml b/tasks/configure.yml
index daeb606..fcbac9c 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -37,6 +37,9 @@
   file:
     path: "{{ haproxy_config_dir }}/frontends.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the frontends"
   find:
@@ -56,6 +59,9 @@
   template:
     src: "frontend.cfg"
     dest: "{{ haproxy_config_dir }}/frontends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_frontends }}"
   when: haproxy_frontends is defined
 
@@ -65,6 +71,9 @@
   file:
     path: "{{ haproxy_config_dir }}/backends.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the backends"
   find:
@@ -84,6 +93,9 @@
   template:
     src: "backend.cfg"
     dest: "{{ haproxy_config_dir }}/backends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_backends }}"
   when: haproxy_backends is defined
 
@@ -93,6 +105,9 @@
   file:
     path: "{{ haproxy_config_dir }}/listen.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files the listen sections"
   find:
@@ -112,6 +127,9 @@
   template:
     src: "listen.cfg"
     dest: "{{ haproxy_config_dir }}/listen.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_listen }}"
   when: haproxy_listen is defined
 
@@ -121,6 +139,9 @@
   file:
     path: "{{ haproxy_config_dir }}/userlists.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the userlists"
   find:
@@ -140,13 +161,21 @@
   template:
     src: userlist.cfg
     dest: "{{ haproxy_config_dir }}/userlists.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_userlists }}"
   when: haproxy_userlists is defined
 
 ## ASSEMBLE CONFIG - GLOBAL & DEFAULT
 
 - name: 'Create  the compiled folder'
-  file: path={{ haproxy_config_dir }}/compiled state=directory
+  file:
+    path: "{{ haproxy_config_dir }}/compiled"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: 'Merge global config'
   set_fact:
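Review bot: The userlist fragments written to `userlists.d/{{ item.name }}.cfg` now get `mode: 0644`, which leaves them world-readable; HAProxy userlist sections commonly carry credentials (password hashes or `insecure-password` entries), so a tighter mode such as `mode: "0640"` with `group: haproxy` is worth considering if the `userlist.cfg` template embeds them (the template body is not part of this patch). The same consideration applies to `compiled/06-userlists.cfg` and the final `{{ haproxy_config_file }}` in the last configure.yml hunk, since those assemble the same content. This presumably works because haproxy reads its configuration before dropping privileges, but confirm against the service unit used here before tightening.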
@@ -156,6 +185,9 @@
   template:
     src: "global.cfg"
     dest: "{{ haproxy_config_dir }}/compiled/01-global.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Merge default config'
   set_fact:
@@ -165,6 +197,9 @@
   template:
     src: "defaults.cfg"
     dest: "{{ haproxy_config_dir }}/compiled/02-defaults.cfg"
+    owner: root
+    group: root
+    mode: 0644
   when: haproxy_defaults is defined
 
 ## ASSEMBLE FINAL CONFIG
@@ -173,25 +208,40 @@
   assemble:
     src: "{{ haproxy_config_dir }}/backends.d"
     dest: "{{ haproxy_config_dir }}/compiled/03-backends.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the frontends configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/frontends.d"
     dest: "{{ haproxy_config_dir }}/compiled/04-frontends.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the listen sections configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/listen.d"
     dest: "{{ haproxy_config_dir }}/compiled/05-listen.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the userlists sections configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/userlists.d"
     dest: "{{ haproxy_config_dir }}/compiled/06-userlists.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the final configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/compiled"
     dest: "{{ haproxy_config_file }}"
+    owner: root
+    group: root
+    mode: 0644
     backup: true
   notify: reload haproxy
diff --git a/tasks/install.yml b/tasks/install.yml
index 4fecaf3..915fbb2 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -50,12 +50,18 @@
   file:
     name: "{{ haproxy_global.chroot }}"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
   when: haproxy_global.chroot is defined and haproxy_global.chroot
 
 - name: Create service override directory
   file:
     path: /etc/systemd/system/haproxy.service.d
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: Copy service override
   copy:
@@ -64,3 +70,6 @@
       [Unit]
       Wants=network-online.target
       After=network-online.target
+    owner: root
+    group: root
+    mode: 0644
diff --git a/tasks/standalone_tls.yml b/tasks/standalone_tls.yml
index cb6544c..32e7a17 100644
--- a/tasks/standalone_tls.yml
+++ b/tasks/standalone_tls.yml
@@ -3,6 +3,9 @@
   template:
     src: tls_temp.cfg
     dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: 0644
 
 - name: Restart haproxy
   systemd:
-- 
GitLab