diff --git a/roles/autocloudreporter/tasks/main.yml b/roles/autocloudreporter/tasks/main.yml
index 28a329fab5..7cbf13666f 100644
--- a/roles/autocloudreporter/tasks/main.yml
+++ b/roles/autocloudreporter/tasks/main.yml
@@ -112,13 +112,17 @@
 tags:
 - config
+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key (openQA production)
 copy:
 src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
 dest: /etc/pki/fedora-messaging/openqa-key.pem
- mode: 0600
+ mode: 0640
 owner: root
- group: root
+ group: geekotest
 when: "deployment_type is defined"
 tags:
 - config
diff --git a/roles/check-compose/tasks/main.yml b/roles/check-compose/tasks/main.yml
index 98494fe0f2..dc62a6d683 100644
--- a/roles/check-compose/tasks/main.yml
+++ b/roles/check-compose/tasks/main.yml
@@ -140,6 +140,8 @@
 tags:
 - config
+# We always use the openQA cert and key here for now; we don't really
+# need a separate identity for check-compose.
 - name: Deploy the Fedora infra fedora-messaging cert
 copy:
 src: "{{ private }}/files/rabbitmq/{{checkcompose_env}}/pki/issued/openqa{{checkcompose_env_suffix}}.crt"
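Review bot: `group: geekotest` in the key task of roles/autocloudreporter/tasks/main.yml makes the copy depend on a group that nothing visible in this role creates, and `when: "deployment_type is defined"` does not cover that case. Ansible's copy module fails when the named group does not exist, so the role would presumably break on a host that does not also carry openQA. The new comment explains why the ownership has to match but not this ordering requirement; I would add a line such as `# Requires group geekotest to exist already, i.e. openQA installed on this host before this role runs.` The same applies to the key tasks in the check-compose (-147) and relvalconsumer hunks.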
@@ -147,16 +149,22 @@
 mode: 0644
 owner: root
 group: root
+ when: "deployment_type is defined"
 tags:
 - config
+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key
 copy:
 src: "{{ private }}/files/rabbitmq/{{checkcompose_env}}/pki/private/openqa{{checkcompose_env_suffix}}.key"
 dest: /etc/pki/fedora-messaging/openqa{{checkcompose_env_suffix}}-key.pem
- mode: 0600
+ mode: 0640
 owner: root
- group: root
+ group: geekotest
+ when: "deployment_type is defined"
 tags:
 - config
diff --git a/roles/openqa/dispatcher/tasks/main.yml b/roles/openqa/dispatcher/tasks/main.yml
index 10e58afe5b..33f4f0d5a8 100644
--- a/roles/openqa/dispatcher/tasks/main.yml
+++ b/roles/openqa/dispatcher/tasks/main.yml
@@ -293,9 +293,9 @@
 copy:
 src: "{{ private }}/files/rabbitmq/{{openqa_env}}/pki/private/openqa{{openqa_env_suffix}}.key"
 dest: /etc/pki/fedora-messaging/openqa{{openqa_env_suffix}}-key.pem
- mode: 0600
+ mode: 0640
 owner: root
- group: root
+ group: geekotest
 when: "deployment_type is defined"
 tags:
 - config
@@ -315,9 +315,9 @@
 copy:
 src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
 dest: /etc/pki/fedora-messaging/openqa-key.pem
- mode: 0600
+ mode: 0640
 owner: root
- group: root
+ group: geekotest
 when: "deployment_type is defined and deployment_type == 'stg'"
 tags:
 - config
diff --git a/roles/relvalconsumer/tasks/main.yml b/roles/relvalconsumer/tasks/main.yml
index 7ea77fe180..ed566b460d 100644
--- a/roles/relvalconsumer/tasks/main.yml
+++ b/roles/relvalconsumer/tasks/main.yml
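Review bot: With `mode: 0640` and `group: geekotest` in the -293 hunk of roles/openqa/dispatcher/tasks/main.yml, the fedora-messaging private key becomes readable by every account in group geekotest rather than by root alone, and unlike the other roles this file gets no comment saying which consumer needs that. I would add above the task something like `# Group-readable so the non-root openQA services in group geekotest can load the key; keep that group's membership minimal.` (the stated reason is my inference and should be confirmed). Writing the mode as `mode: "0640"` would also keep it a string whatever the YAML parser does with leading zeros. The task's `- name:` line lies above the hunk.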
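Review bot: The -315 hunk of roles/openqa/dispatcher/tasks/main.yml widens access on the task that copies `production/pki/private/openqa.key` when `deployment_type == 'stg'`, so the production messaging key ends up group-readable on the staging host. If membership of geekotest or login access is broader on staging than on production, this exposes a production credential more widely than the earlier root-only `0600` did. It is worth confirming who is in the group there and recording it next to the task, e.g. `# Production key on staging: readable by group geekotest, so review that group's members on stg.` The task starts above the hunk.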
@@ -145,13 +145,17 @@
 tags:
 - config
+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key
 copy:
 src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
 dest: /etc/pki/fedora-messaging/openqa-key.pem
- mode: 0600
+ mode: 0640
 owner: root
- group: root
+ group: geekotest
 when: "deployment_type is defined"
 tags:
 - config