Explicit file permissions

29ae53a7 · Felix Schäfer · 7edc46ec · 29ae53a7 · 29ae53a7 · 29ae53a7
Commit 29ae53a7 authored Jan 28, 2022 by Felix Schäfer
--- a/tasks/certpaths.yml
+++ b/tasks/certpaths.yml
@@ -4,4 +4,7 @@
  template:
    src: certpaths.j2
    dest: "/etc/haproxy/{{ item.name }}.certpaths"
+    owner: root
+    group: root
+    mode: 0644
  when: item.ssl is defined and (item.ssl.cert is defined or item.ssl.acme_domains is defined)
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -37,6 +37,9 @@
  file:
    path: "{{ haproxy_config_dir }}/frontends.d"
    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: "List files for the frontends"
  find:
@@ -56,6 +59,9 @@
  template:
    src: "frontend.cfg"
    dest: "{{ haproxy_config_dir }}/frontends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
  loop: "{{ haproxy_frontends }}"
  when: haproxy_frontends is defined

@@ -65,6 +71,9 @@
  file:
    path: "{{ haproxy_config_dir }}/backends.d"
    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: "List files for the backends"
  find:
@@ -84,6 +93,9 @@
  template:
    src: "backend.cfg"
    dest: "{{ haproxy_config_dir }}/backends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
  loop: "{{ haproxy_backends }}"
  when: haproxy_backends is defined

@@ -93,6 +105,9 @@
  file:
    path: "{{ haproxy_config_dir }}/listen.d"
    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: "List files the listen sections"
  find:
@@ -112,6 +127,9 @@
  template:
    src: "listen.cfg"
    dest: "{{ haproxy_config_dir }}/listen.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
  loop: "{{ haproxy_listen }}"
  when: haproxy_listen is defined

@@ -121,6 +139,9 @@
  file:
    path: "{{ haproxy_config_dir }}/userlists.d"
    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: "List files for the userlists"
  find:
@@ -140,13 +161,21 @@
  template:
    src: userlist.cfg
    dest: "{{ haproxy_config_dir }}/userlists.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
  loop: "{{ haproxy_userlists }}"
  when: haproxy_userlists is defined

 ## ASSEMBLE CONFIG - GLOBAL & DEFAULT

 - name: 'Create  the compiled folder'
-  file: path={{ haproxy_config_dir }}/compiled state=directory
+  file:
+    path: "{{ haproxy_config_dir }}/compiled"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: 'Merge global config'
  set_fact:
@@ -156,6 +185,9 @@
  template:
    src: "global.cfg"
    dest: "{{ haproxy_config_dir }}/compiled/01-global.cfg"
+    owner: root
+    group: root
+    mode: 0644

 - name: 'Merge default config'
  set_fact:
@@ -165,6 +197,9 @@
  template:
    src: "defaults.cfg"
    dest: "{{ haproxy_config_dir }}/compiled/02-defaults.cfg"
+    owner: root
+    group: root
+    mode: 0644
  when: haproxy_defaults is defined

 ## ASSEMBLE FINAL CONFIG
@@ -173,25 +208,40 @@
  assemble:
    src: "{{ haproxy_config_dir }}/backends.d"
    dest: "{{ haproxy_config_dir }}/compiled/03-backends.cfg"
+    owner: root
+    group: root
+    mode: 0644

 - name: 'Assemble the frontends configuration file'
  assemble:
    src: "{{ haproxy_config_dir }}/frontends.d"
    dest: "{{ haproxy_config_dir }}/compiled/04-frontends.cfg"
+    owner: root
+    group: root
+    mode: 0644

 - name: 'Assemble the listen sections configuration file'
  assemble:
    src: "{{ haproxy_config_dir }}/listen.d"
    dest: "{{ haproxy_config_dir }}/compiled/05-listen.cfg"
+    owner: root
+    group: root
+    mode: 0644

 - name: 'Assemble the userlists sections configuration file'
  assemble:
    src: "{{ haproxy_config_dir }}/userlists.d"
    dest: "{{ haproxy_config_dir }}/compiled/06-userlists.cfg"
+    owner: root
+    group: root
+    mode: 0644

 - name: 'Assemble the final configuration file'
  assemble:
    src: "{{ haproxy_config_dir }}/compiled"
    dest: "{{ haproxy_config_file }}"
+    owner: root
+    group: root
+    mode: 0644
    backup: true
  notify: reload haproxy
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -50,12 +50,18 @@
  file:
    name: "{{ haproxy_global.chroot }}"
    state: directory
+    owner: root
+    group: root
+    mode: 0755
  when: haproxy_global.chroot is defined and haproxy_global.chroot

 - name: Create service override directory
  file:
    path: /etc/systemd/system/haproxy.service.d
    state: directory
+    owner: root
+    group: root
+    mode: 0755

 - name: Copy service override
  copy:
@@ -64,3 +70,6 @@
      [Unit]
      Wants=network-online.target
      After=network-online.target
+    owner: root
+    group: root
+    mode: 0644
--- a/tasks/standalone_tls.yml
+++ b/tasks/standalone_tls.yml
@@ -3,6 +3,9 @@
  template:
    src: tls_temp.cfg
    dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: 0644

 - name: Restart haproxy
  systemd: