From 29ae53a730d2de4cc9a9ab01c05be0370cfe7584 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sch=C3=A4fer?= <felix@thegcat.net>
Date: Fri, 28 Jan 2022 17:52:42 +0100
Subject: [PATCH] Explicit file permissions
---
tasks/certpaths.yml | 3 +++
tasks/configure.yml | 52 +++++++++++++++++++++++++++++++++++++++-
tasks/install.yml | 9 +++++++
tasks/standalone_tls.yml | 3 +++
4 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/tasks/certpaths.yml b/tasks/certpaths.yml
index e2ef548..f7af67d 100644
--- a/tasks/certpaths.yml
+++ b/tasks/certpaths.yml
@@ -4,4 +4,7 @@
template:
src: certpaths.j2
dest: "/etc/haproxy/{{ item.name }}.certpaths"
+ owner: root
+ group: root
+ mode: 0644
when: item.ssl is defined and (item.ssl.cert is defined or item.ssl.acme_domains is defined)
diff --git a/tasks/configure.yml b/tasks/configure.yml
index daeb606..fcbac9c 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -37,6 +37,9 @@
file:
path: "{{ haproxy_config_dir }}/frontends.d"
state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: "List files for the frontends"
find:
@@ -56,6 +59,9 @@
template:
src: "frontend.cfg"
dest: "{{ haproxy_config_dir }}/frontends.d/{{ item.name }}.cfg"
+ owner: root
+ group: root
+ mode: 0644
loop: "{{ haproxy_frontends }}"
when: haproxy_frontends is defined
@@ -65,6 +71,9 @@
file:
path: "{{ haproxy_config_dir }}/backends.d"
state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: "List files for the backends"
find:
@@ -84,6 +93,9 @@
template:
src: "backend.cfg"
dest: "{{ haproxy_config_dir }}/backends.d/{{ item.name }}.cfg"
+ owner: root
+ group: root
+ mode: 0644
loop: "{{ haproxy_backends }}"
when: haproxy_backends is defined
@@ -93,6 +105,9 @@
file:
path: "{{ haproxy_config_dir }}/listen.d"
state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: "List files the listen sections"
find:
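Review bot: The added `mode: 0644` in the certpaths template task relies on YAML 1.1 implicit octal: Ansible's loader turns it into the integer 420 and the module applies that as 0o644, which is the intended permission, but any tool that reads this role with a YAML 1.2 parser sees decimal 644 and would derive a different mode. Quoting the value, `mode: "0644"` (and `mode: "0755"` for the directory tasks), keeps the octal meaning under either parser and is the form the Ansible documentation recommends for file modes. The same unquoted form is added in every hunk of configure.yml, install.yml and standalone_tls.yml in this patch, so I would change them all together rather than only here.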
@@ -112,6 +127,9 @@
template:
src: "listen.cfg"
dest: "{{ haproxy_config_dir }}/listen.d/{{ item.name }}.cfg"
+ owner: root
+ group: root
+ mode: 0644
loop: "{{ haproxy_listen }}"
when: haproxy_listen is defined
@@ -121,6 +139,9 @@
file:
path: "{{ haproxy_config_dir }}/userlists.d"
state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: "List files for the userlists"
find:
@@ -140,13 +161,21 @@
template:
src: userlist.cfg
dest: "{{ haproxy_config_dir }}/userlists.d/{{ item.name }}.cfg"
+ owner: root
+ group: root
+ mode: 0644
loop: "{{ haproxy_userlists }}"
when: haproxy_userlists is defined
## ASSEMBLE CONFIG - GLOBAL & DEFAULT
- name: 'Create the compiled folder'
- file: path={{ haproxy_config_dir }}/compiled state=directory
+ file:
+ path: "{{ haproxy_config_dir }}/compiled"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: 'Merge global config'
set_fact:
@@ -156,6 +185,9 @@
template:
src: "global.cfg"
dest: "{{ haproxy_config_dir }}/compiled/01-global.cfg"
+ owner: root
+ group: root
+ mode: 0644
- name: 'Merge default config'
set_fact:
@@ -165,6 +197,9 @@
template:
src: "defaults.cfg"
dest: "{{ haproxy_config_dir }}/compiled/02-defaults.cfg"
+ owner: root
+ group: root
+ mode: 0644
when: haproxy_defaults is defined
## ASSEMBLE FINAL CONFIG
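Review bot: `mode: 0644` on the rendered `userlists.d/{{ item.name }}.cfg` files in the `@@ -140,13 +161,21 @@` hunk makes them world-readable, and HAProxy userlist sections are where user credentials live (password hashes, or plaintext when `insecure-password` is used). The same applies to `compiled/06-userlists.cfg` and to `{{ haproxy_config_file }}` in the assemble hunk later in this file, which concatenate those fragments. HAProxy reads its configuration before dropping privileges, so world-read is normally not required; I would set `mode: "0640"` on the userlist fragments and on the final file unless something else on the host, such as a configuration check run as an unprivileged user, has to read them — confirm that against the role's handlers. Whether the role's userlists actually carry secrets is not visible from this hunk, so treat this as a least-privilege default rather than a confirmed exposure.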
@@ -173,25 +208,40 @@
assemble:
src: "{{ haproxy_config_dir }}/backends.d"
dest: "{{ haproxy_config_dir }}/compiled/03-backends.cfg"
+ owner: root
+ group: root
+ mode: 0644
- name: 'Assemble the frontends configuration file'
assemble:
src: "{{ haproxy_config_dir }}/frontends.d"
dest: "{{ haproxy_config_dir }}/compiled/04-frontends.cfg"
+ owner: root
+ group: root
+ mode: 0644
- name: 'Assemble the listen sections configuration file'
assemble:
src: "{{ haproxy_config_dir }}/listen.d"
dest: "{{ haproxy_config_dir }}/compiled/05-listen.cfg"
+ owner: root
+ group: root
+ mode: 0644
- name: 'Assemble the userlists sections configuration file'
assemble:
src: "{{ haproxy_config_dir }}/userlists.d"
dest: "{{ haproxy_config_dir }}/compiled/06-userlists.cfg"
+ owner: root
+ group: root
+ mode: 0644
- name: 'Assemble the final configuration file'
assemble:
src: "{{ haproxy_config_dir }}/compiled"
dest: "{{ haproxy_config_file }}"
+ owner: root
+ group: root
+ mode: 0644
backup: true
notify: reload haproxy
diff --git a/tasks/install.yml b/tasks/install.yml
index 4fecaf3..915fbb2 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -50,12 +50,18 @@
file:
name: "{{ haproxy_global.chroot }}"
state: directory
+ owner: root
+ group: root
+ mode: 0755
when: haproxy_global.chroot is defined and haproxy_global.chroot
- name: Create service override directory
file:
path: /etc/systemd/system/haproxy.service.d
state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: Copy service override
copy:
@@ -64,3 +70,6 @@
[Unit]
Wants=network-online.target
After=network-online.target
+ owner: root
+ group: root
+ mode: 0644
diff --git a/tasks/standalone_tls.yml b/tasks/standalone_tls.yml
index cb6544c..32e7a17 100644
--- a/tasks/standalone_tls.yml
+++ b/tasks/standalone_tls.yml
@@ -3,6 +3,9 @@
template:
src: tls_temp.cfg
dest: /etc/haproxy/haproxy.cfg
+ owner: root
+ group: root
+ mode: 0644
- name: Restart haproxy
systemd:
--
GitLab
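Review bot: In the install.yml `@@ -64,3 +70,6 @@` hunk the new `owner`/`group`/`mode` keys are appended after the block scalar that holds the unit override text (`[Unit]`, `Wants=network-online.target`, `After=network-online.target`); the `copy:` and `content: |` lines that open that scalar sit above the hunk, so the task's start is outside what I can see. With leading indentation lost in this listing I cannot confirm the three keys are indented at the level of `content:` rather than at the level of its text — if they land one level deeper, YAML folds them into the block scalar, the override file under /etc/systemd/system/haproxy.service.d gains three stray lines, and no ownership or mode is applied while the task still reports success. Worth verifying by inspecting the rendered override on a target host, or by moving `owner`, `group` and `mode` above `content:` so the block scalar is the last key of the task and the question cannot arise.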