From f30c881bf546856df38598649868948d2f4e5de8 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Wed, 10 Jun 2020 09:58:11 +0200
Subject: [PATCH] Use tmpfiles for the ask-password ACL

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
 .../files/ask-password-robosignatory.conf            |  1 +
 roles/robosignatory/tasks/main.yml                   | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)
 create mode 100644 roles/robosignatory/files/ask-password-robosignatory.conf

diff --git a/roles/robosignatory/files/ask-password-robosignatory.conf b/roles/robosignatory/files/ask-password-robosignatory.conf
new file mode 100644
index 0000000000..8150439896
--- /dev/null
+++ b/roles/robosignatory/files/ask-password-robosignatory.conf
@@ -0,0 +1 @@
+a       /run/systemd/ask-password       -       -       -       -       u:robosignatory:rwx
diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml
index e0524751f7..b0a7582017 100644
--- a/roles/robosignatory/tasks/main.yml
+++ b/roles/robosignatory/tasks/main.yml
@@ -192,12 +192,12 @@
   - robosignatory
 
 - name: Allow robosignatory to use systemd-ask-password
-  acl:
-    path: /run/systemd/ask-password
-    entity: robosignatory
-    etype: user
-    permissions: rwx
-    state: present
+  copy:
+    src: ask-password-robosignatory.conf
+    dest: /etc/tmpfiles.d/ask-password-robosignatory.conf
+    owner: root
+    group: root
+    mode: 0644
   tags:
   - config
   - robosignatory