flatpak-cache: tighten permissions and fix paths to CA

Signed-off-by: Leo Puvilland <leo@craftcat.dev>

roles/flatpak-cache/tasks/main.yml

@@ -32,7 +32,7 @@
   - config
 
 - name: Install squid configuration file
-  template: src=squid.conf dest=/etc/squid/squid.conf
+  template: src=squid.conf dest=/etc/squid/squid.conf owner=squid group=squid
   tags:
   - flatpak-cache
   - config
@@ -43,7 +43,7 @@
     dest: /etc/pki/squid/
     owner: squid
     group: squid
-    mode: 0644
+    mode: 0640
   with_items:
   - "{{private}}/files/flatpak-cache-certs/production/pki/ca.crt"
   - "{{private}}/files/flatpak-cache-certs/production/pki/private/ca.key"

roles/flatpak-cache/templates/squid.conf

@@ -29,7 +29,7 @@ http_access deny all
 # Trust proxies to have correct X-Forwarded-For
 follow_x_forwarded_for allow proxies
 
-http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca/ca.crt tls-key=/etc/pki/squid/key/ca.key tls-dh=prime256v1:/etc/pki/squid/dhparam/dh.pem
+http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca.crt tls-key=/etc/pki/squid/ca.key tls-dh=prime256v1:/etc/pki/squid/dh.pem
 
 sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
 sslcrtd_children 5