copr-be: fix the lighty permissions

... and, finally, the idempotence of the playbook.  The owning 'root' group entry needs to
stay '---', while 'lighty' (lighttpd) gets 'r--'.
This commit is contained in:
Pavel Raiskup 2021-12-07 18:26:26 +01:00
parent bb0537b997
commit c2a50a9e84


@ -1,16 +1,23 @@
--- ---
# Some files need to be made readable by lighttpd using the ACLs, so we need to
# set the mode 0640 (the group mode means mask).
- name: copy httpd ssl certificates - name: copy httpd ssl certificates
copy: src="{{ private }}/files/httpd/{{ item }}" copy: src="{{ private }}/files/httpd/{{ item.file }}"
dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600 dest="/etc/lighttpd/{{ item.file }}" owner=root group=root
mode={{ item.mode | default('0600') }}
with_items: with_items:
- copr-be.cloud.fedoraproject.org.key - file: copr-be.cloud.fedoraproject.org.key
- copr-be.cloud.fedoraproject.org.cert - file: copr-be.cloud.fedoraproject.org.cert
- copr-be.cloud.fedoraproject.org.pem - file: copr-be.cloud.fedoraproject.org.pem
- copr-be.cloud.fedoraproject.org.intermediate.cert mode: "0640"
- copr.fedorainfracloud.org.key - file: copr-be.cloud.fedoraproject.org.intermediate.cert
- copr.fedorainfracloud.org.crt mode: "0640"
- copr.fedorainfracloud.org.pem - file: copr.fedorainfracloud.org.key
- copr.fedorainfracloud.org.intermediate.crt - file: copr.fedorainfracloud.org.crt
- file: copr.fedorainfracloud.org.pem
- file: copr.fedorainfracloud.org.intermediate.crt
notify: notify:
- restart lighttpd - restart lighttpd
tags: tags:
@ -27,14 +34,26 @@
# Note that the items here must match the configuration in lighttpd.conf! # Note that the items here must match the configuration in lighttpd.conf!
- name: allow lighttpd to read the certificates - name: allow lighttpd to read the certificates
acl: acl:
path: "{{ item }}" path: "{{ item.0 }}"
entity: lighttpd etype: "{{ item.1.etype }}"
etype: user entity: "{{ item.1.entity }}"
permissions: r permissions: "{{ item.1.permissions }}"
state: present state: present
with_items: loop: "{{ files|product(perms)|list }}"
- "/etc/lighttpd/copr-be.cloud.fedoraproject.org.pem" vars:
- "/etc/lighttpd/copr-be.cloud.fedoraproject.org.intermediate.cert" files:
- "/etc/lighttpd/copr-be.cloud.fedoraproject.org.pem"
- "/etc/lighttpd/copr-be.cloud.fedoraproject.org.intermediate.cert"
perms:
# make sure the default 'root' group has '---' perms
- etype: group
permissions: "---"
entity: null
# and grant lighty the read access
- etype: user
entity: lighttpd
permissions: "r--"
tags: tags:
- config - config
- config_httpd_certificates - config_httpd_certificates
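Review bot: The ACL task's `files` list (the `/etc/lighttpd/...pem` and `...intermediate.cert` paths) duplicates the set of items the copy task above gives `mode: "0640"`, and nothing ties the two lists together, so the next certificate added to one but not the other silently reintroduces the drift this commit fixes: a file left at 0600 but given the lighttpd ACL entry has its mask recalculated by setfacl (the default unless `-n` is passed) and the copy task resets it on every run, while a 0640 file without the ACL entry is simply unreadable to lighttpd until someone notices at restart. I would define the list once (e.g. a play or role var `lighttpd_acl_files`) and use it for both the 0640 items and `files: "{{ lighttpd_acl_files }}"`, or at minimum annotate the `files:` line with `# must match the items given mode 0640 in 'copy httpd ssl certificates'`, next to the existing note about lighttpd.conf. In the `perms` entry for the owning group, `entity: null` presumably relies on the acl module treating None like its documented empty-string default for the owner/owning group; `entity: ""` states that intent explicitly and does not depend on how the module handles a None entity.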