From 7883fb62b56a077380c04faecfc7feb54e341ec5 Mon Sep 17 00:00:00 2001 From: Oleg Broytman Date: Sun, 28 Dec 2025 15:14:41 +0300 Subject: [PATCH] Feat(playbooks): Use symbolic modes --- .../add-apache-vhost/tasks/add-vhost.yaml | 4 ++-- .../add-apache-vhost/tasks/dehydrated.yaml | 6 +++--- .../debian/add-dns-domain/tasks/main.yaml | 2 +- playbooks/roles/debian/apache/tasks/main.yaml | 8 ++++---- .../roles/debian/dehydrated/tasks/main.yaml | 2 +- .../roles/debian/firewall/tasks/main.yaml | 6 +++--- playbooks/roles/debian/gitweb/tasks/main.yaml | 4 ++-- playbooks/roles/debian/named/tasks/main.yaml | 4 ++-- .../debian/remove-systemd/tasks/main.yaml | 6 +++--- playbooks/roles/init-system/tasks/apt.yaml | 2 +- playbooks/roles/logcheck/tasks/main.yaml | 4 ++-- playbooks/roles/openvpn/tasks/main.yaml | 2 +- .../roles/redhat/firewall/tasks/main.yaml | 6 +++--- playbooks/roles/root/tasks/mc.yaml | 4 ++-- playbooks/roles/root/tasks/root.yaml | 20 +++++++++---------- playbooks/roles/sudo/tasks/main.yaml | 2 +- playbooks/update-root.yaml | 12 +++++------ 17 files changed, 47 insertions(+), 47 deletions(-) diff --git a/playbooks/roles/debian/add-apache-vhost/tasks/add-vhost.yaml b/playbooks/roles/debian/add-apache-vhost/tasks/add-vhost.yaml index 2f2030d..f60c1f5 100644 --- a/playbooks/roles/debian/add-apache-vhost/tasks/add-vhost.yaml +++ b/playbooks/roles/debian/add-apache-vhost/tasks/add-vhost.yaml @@ -5,7 +5,7 @@ dest: "/etc/apache2/sites-available/{{ virtual_host }}.conf" owner: root group: root - mode: '0640' + mode: 'u=rw,g=r,o=' - name: Enable site become: true @@ -19,7 +19,7 @@ state: directory owner: root group: www-data - mode: '0755' + mode: 'u=rwx,go=rx' loop: ['/usr/local/apache2/cgi-bin', '/usr/local/apache2/htdocs', '/var/log/apache2', ] diff --git a/playbooks/roles/debian/add-apache-vhost/tasks/dehydrated.yaml b/playbooks/roles/debian/add-apache-vhost/tasks/dehydrated.yaml index 1831f3c..fb5bb87 100644 
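Review bot: The second add-vhost hunk applies `u=rwx,go=rx` to every item of the loop, which leaves `/var/log/apache2` world-searchable alongside the document roots; Debian installs that directory as root:adm `u=rwx,g=rx,o=`, and Apache typically opens its log files as root before dropping privileges, so neither the www-data group nor the other bits are needed there. Consider moving `/var/log/apache2` out of the loop into its own task with `group: adm` and `mode: 'u=rwx,g=rx,o='`, keeping `go=rx` only for cgi-bin and htdocs, which the www-data worker actually has to read. The value itself predates this commit, but the symbolic rewrite is the natural moment to tighten it; the task's `file:` header sits outside the hunk.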
--- a/playbooks/roles/debian/add-apache-vhost/tasks/dehydrated.yaml +++ b/playbooks/roles/debian/add-apache-vhost/tasks/dehydrated.yaml @@ -5,7 +5,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u=rwx,go=' - name: Configure dehydrated become: true @@ -14,7 +14,7 @@ dest: "/usr/local/apache2/.dehydrated/{{ virtual_host }}" owner: root group: root - mode: '0600' + mode: 'u=rw,go=' loop: ['config', 'domains.txt'] - name: Configure dehydrated script @@ -24,4 +24,4 @@ dest: "/usr/local/apache2/.dehydrated/{{ virtual_host }}" owner: root group: root - mode: '0700' + mode: 'u=rwx,go=' diff --git a/playbooks/roles/debian/add-dns-domain/tasks/main.yaml b/playbooks/roles/debian/add-dns-domain/tasks/main.yaml index 0937af6..78b3539 100644 --- a/playbooks/roles/debian/add-dns-domain/tasks/main.yaml +++ b/playbooks/roles/debian/add-dns-domain/tasks/main.yaml @@ -12,7 +12,7 @@ dest: "/etc/bind/{{ domain }}" owner: bind group: bind - mode: '0600' + mode: 'u=rw,go=' - name: Update domain config become: true diff --git a/playbooks/roles/debian/apache/tasks/main.yaml b/playbooks/roles/debian/apache/tasks/main.yaml index e4bf624..28f9736 100644 --- a/playbooks/roles/debian/apache/tasks/main.yaml +++ b/playbooks/roles/debian/apache/tasks/main.yaml @@ -32,7 +32,7 @@ dest: /etc/apache2/conf-available owner: root group: root - mode: '0640' + mode: 'u=rw,g=r,o=' - name: Setup default host become: true @@ -41,8 +41,8 @@ dest: /usr/local/apache2 owner: root group: www-data - directory_mode: '0755' - mode: '0644' + directory_mode: 'u=rwx,go=rx' + mode: 'u=rw,go=r' - name: Enable config become: true @@ -57,4 +57,4 @@ dest: /etc/logrotate.d owner: root group: root - mode: '0640' + mode: 'u=rw,g=r,o=' diff --git a/playbooks/roles/debian/dehydrated/tasks/main.yaml b/playbooks/roles/debian/dehydrated/tasks/main.yaml index 49ac18d..79f5b89 100644 --- a/playbooks/roles/debian/dehydrated/tasks/main.yaml +++ b/playbooks/roles/debian/dehydrated/tasks/main.yaml 
@@ -52,4 +52,4 @@ dest: /etc/cron.weekly owner: root group: root - mode: '0700' + mode: 'u=rwx,go=' diff --git a/playbooks/roles/debian/firewall/tasks/main.yaml b/playbooks/roles/debian/firewall/tasks/main.yaml index d36b01c..e9027bc 100644 --- a/playbooks/roles/debian/firewall/tasks/main.yaml +++ b/playbooks/roles/debian/firewall/tasks/main.yaml @@ -35,15 +35,15 @@ dest: / owner: root group: root - directory_mode: '0750' - mode: '0750' + directory_mode: 'u=rwx,g=rx,o=' + mode: 'u=rwx,g=rx,o=' notify: Restart firewall - name: Fix permissions for /etc/network/functions become: true file: path: /etc/network/functions.phd - mode: '0640' + mode: 'u=rw,g=r,o=' notify: Restart firewall - name: Remove iptables leftovers diff --git a/playbooks/roles/debian/gitweb/tasks/main.yaml b/playbooks/roles/debian/gitweb/tasks/main.yaml index 2b273dd..43d4204 100644 --- a/playbooks/roles/debian/gitweb/tasks/main.yaml +++ b/playbooks/roles/debian/gitweb/tasks/main.yaml @@ -17,6 +17,6 @@ dest: /etc/apache2/sites-available owner: root group: root - directory_mode: '0755' - mode: '0644' + directory_mode: 'u=rwx,go=rx' + mode: 'u=rw,go=r' diff --git a/playbooks/roles/debian/named/tasks/main.yaml b/playbooks/roles/debian/named/tasks/main.yaml index 9bc3d00..3366530 100644 --- a/playbooks/roles/debian/named/tasks/main.yaml +++ b/playbooks/roles/debian/named/tasks/main.yaml @@ -27,7 +27,7 @@ dest: /etc/bind/named.conf.options owner: bind group: bind - mode: '0600' + mode: 'u=rw,go=' - name: Reload BIND become: true @@ -42,5 +42,5 @@ dest: /etc/resolv.conf owner: root group: root - mode: '0644' + mode: 'u=rw,go=r' when: named_conf.stdout in ('', "0") diff --git a/playbooks/roles/debian/remove-systemd/tasks/main.yaml b/playbooks/roles/debian/remove-systemd/tasks/main.yaml index c64121d..060d73e 100644 --- a/playbooks/roles/debian/remove-systemd/tasks/main.yaml +++ b/playbooks/roles/debian/remove-systemd/tasks/main.yaml 
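Review bot: In the named hunk, named.conf.options is installed as `owner: bind`, `group: bind`, `mode: 'u=rw,go='`, which makes the daemon's own configuration writable by the account it runs as; a compromised named could then change forwarders, allow-recursion or listen-on for its next restart. named only needs to read this file, so `owner: root`, `group: bind`, `mode: 'u=rw,g=r,o='` keeps the same confidentiality while the daemon can no longer modify it. The same consideration applies to the bind-owned zone template in add-dns-domain, unless that zone takes dynamic updates or inline signing and named must write it.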
@@ -5,8 +5,8 @@ dest: / owner: root group: root - directory_mode: '0755' - mode: '0644' + directory_mode: 'u=rwx,go=rx' + mode: 'u=rw,go=r' - name: Install SysV init become: true @@ -27,7 +27,7 @@ dest: /etc/inittab owner: root group: root - mode: '0644' + mode: 'u=rw,go=r' - name: Purge SystemD import_tasks: remove-systemd.yaml diff --git a/playbooks/roles/init-system/tasks/apt.yaml b/playbooks/roles/init-system/tasks/apt.yaml index ea9c7b0..096095f 100644 --- a/playbooks/roles/init-system/tasks/apt.yaml +++ b/playbooks/roles/init-system/tasks/apt.yaml @@ -5,7 +5,7 @@ dest: /etc/apt/sources.list owner: root group: root - mode: '0640' + mode: 'u=rw,g=r,o=' - name: Install minimal software packages become: true diff --git a/playbooks/roles/logcheck/tasks/main.yaml b/playbooks/roles/logcheck/tasks/main.yaml index 3650864..c9ae5fc 100644 --- a/playbooks/roles/logcheck/tasks/main.yaml +++ b/playbooks/roles/logcheck/tasks/main.yaml @@ -47,6 +47,6 @@ dest: "/etc/logcheck/ignore.d.{{ item }}" owner: root group: logcheck - directory_mode: '0750' - mode: 'u=rwX,g=rX,o=' + directory_mode: 'u=rwx,g=rx,o=' + mode: 'u=rw,g=r,o=' loop: ['server', 'workstation'] diff --git a/playbooks/roles/openvpn/tasks/main.yaml b/playbooks/roles/openvpn/tasks/main.yaml index 7185cb5..1716162 100644 --- a/playbooks/roles/openvpn/tasks/main.yaml +++ b/playbooks/roles/openvpn/tasks/main.yaml @@ -54,4 +54,4 @@ dest: /etc/sudoers.d/openvpn owner: root group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}" - mode: 0640 + mode: 'u=rw,g=r,o=' diff --git a/playbooks/roles/redhat/firewall/tasks/main.yaml b/playbooks/roles/redhat/firewall/tasks/main.yaml index 5432869..90744d7 100644 --- a/playbooks/roles/redhat/firewall/tasks/main.yaml +++ b/playbooks/roles/redhat/firewall/tasks/main.yaml 
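Review bot: The logcheck hunk is the one place where the rewrite is not a pure change of notation: the old `mode: 'u=rwX,g=rX,o='` could let a file that already carried an execute bit keep it (depending on how the module evaluates `X` against a freshly copied file), while `u=rw,g=r,o=` now forces 0640 on everything copied into ignore.d.*. For logcheck rule files that is the right outcome, since they are pattern lists and never executed, but it differs from every other hunk and is easy to misread as equivalent, so a short comment on the task would help: `# ignore.d.* holds pattern files only; never executable`. The task header with `copy:` and `src` is outside the hunk.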
@@ -34,13 +34,13 @@ dest: / owner: root group: root - directory_mode: '0750' - mode: '0750' + directory_mode: 'u=rwx,g=rx,o=' + mode: 'u=rwx,g=rx,o=' notify: Restart firewall - name: Fix permissions for /etc/network/functions become: true file: path: /etc/network/functions.phd - mode: '0640' + mode: 'u=rw,g=r,o=' notify: Restart firewall diff --git a/playbooks/roles/root/tasks/mc.yaml b/playbooks/roles/root/tasks/mc.yaml index 655878e..3c10cc4 100644 --- a/playbooks/roles/root/tasks/mc.yaml +++ b/playbooks/roles/root/tasks/mc.yaml @@ -16,7 +16,7 @@ file: path: "~root/{{ item }}" state: directory - mode: "0700" + mode: 'u=rwx,go=' loop: ['.cache', '.config', '.local/share'] - name: "Setup root mc - remove mc directories" @@ -51,5 +51,5 @@ dest: ~root/.mc owner: root group: root - mode: "0600" + mode: 'u=rw,go=' loop: ['hotlist', 'ini', 'panels.ini'] diff --git a/playbooks/roles/root/tasks/root.yaml b/playbooks/roles/root/tasks/root.yaml index 52e8cf2..d9c05f5 100644 --- a/playbooks/roles/root/tasks/root.yaml +++ b/playbooks/roles/root/tasks/root.yaml @@ -6,8 +6,8 @@ dest: ~root owner: root group: root - directory_mode: "0700" - mode: "0600" + directory_mode: 'u=rwx,go=' + mode: 'u=rw,go=' loop: ['.bashrc', 'admin/home/root/.profile'] - name: "Setup ~root - copy directories from ~phd" @@ -18,8 +18,8 @@ dest: ~root owner: root group: root - directory_mode: "0700" - mode: "0700" + directory_mode: 'u=rwx,go=' + mode: 'u=rwx,go=' loop: ['.mc', '.ssh', 'bin', 'lib'] - name: "Setup ~root - copy vim from ~phd" @@ -30,8 +30,8 @@ dest: ~root owner: root group: root - directory_mode: "0700" - mode: "0700" + directory_mode: 'u=rwx,go=' + mode: 'u=rwx,go=' loop: ['.vim'] - name: "Setup ~root - copy files from ~phd without overwriting" 
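Review bot: In root.yaml's second hunk the copy loop over `.mc`, `.ssh`, `bin` and `lib` sets `mode: 'u=rwx,go='` on every copied file, so if I read the copy module's recursive behaviour right, ~root/.ssh/authorized_keys and known_hosts end up executable; sshd tolerates that (it rejects only group- or world-writable files), but it is broader than needed, and only `bin` and possibly `lib` plausibly want the execute bit on files. The first hunk already has a file-oriented loop with `directory_mode: 'u=rwx,go='` and `mode: 'u=rw,go='` that `.ssh` and `.mc` would fit, or they could get their own copy task with those two values. The task headers for these loops sit outside the hunks.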
@@ -42,8 +42,8 @@ dest: ~root owner: root group: root - directory_mode: "0700" - mode: "0600" + directory_mode: 'u=rwx,go=' + mode: 'u=rw,go=' loop: ['.bash_logout', '.inputrc', '.less', '.lesskey', '.screenrc', '.shellrc', '.tmux.conf', '.vimrc', ] @@ -62,7 +62,7 @@ state: touch owner: root group: root - mode: "0600" + mode: 'u=rw,go=' when: not sh_history.stat.exists - name: "Setup ~root - remove .bash_history" @@ -85,5 +85,5 @@ state: directory owner: root group: root - mode: "0700" + mode: 'u=rwx,go=' recurse: yes diff --git a/playbooks/roles/sudo/tasks/main.yaml b/playbooks/roles/sudo/tasks/main.yaml index 338af66..4fd47e8 100644 --- a/playbooks/roles/sudo/tasks/main.yaml +++ b/playbooks/roles/sudo/tasks/main.yaml @@ -17,4 +17,4 @@ dest: /etc/sudoers.d/phd owner: root group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}" - mode: 0640 + mode: 'u=rw,g=r,o=' diff --git a/playbooks/update-root.yaml b/playbooks/update-root.yaml index dcca23e..53298d9 100644 --- a/playbooks/update-root.yaml +++ b/playbooks/update-root.yaml @@ -21,7 +21,7 @@ dest: ~root owner: root group: root - mode: "0600" + mode: 'u=rw,go=' loop: ['.bashrc', 'admin/home/root/.profile', '.bash_logout', '.inputrc', '.less', '.lesskey', '.screenrc', '.shellrc', '.tmux.conf', '.vimrc', @@ -34,7 +34,7 @@ dest: ~root/.ssh/known_hosts owner: root group: root - mode: "0600" + mode: 'u=rw,go=' - name: "Create ~root/admin/prog/" file: @@ -42,7 +42,7 @@ state: directory owner: root group: root - mode: "0600" + mode: 'u=rw,go=' - name: "Update ~root/admin/prog/bash_prompt" copy: @@ -51,7 +51,7 @@ dest: ~root/admin/prog/bash_prompt owner: root group: root - mode: "0600" + mode: 'u=rw,go=' - name: "Update root mc - overwrite files from ~phd/.mc" become: true @@ -61,7 +61,7 @@ dest: ~root/.mc owner: root group: root - mode: "0600" + mode: 'u=rw,go=' loop: ['bashrc', 'mc.ext', 'mc.ext.ini'] - name: "Update root mc - overwrite files from ~phd/admin" 
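Review bot: The `Create ~root/admin/prog/` task in update-root.yaml has `state: directory` but its converted mode `u=rw,go=` carries no search bit, so the directory is created 0600; that only works at all because root bypasses directory search checks, and it is inconsistent with the directories elsewhere in this patch (root/tasks/mc.yaml, root.yaml), which get `u=rwx,go=`. The symbolic form makes the slip visible where `"0600"` hid it. Change it to `mode: 'u=rwx,go='`; the following `bash_prompt` file task correctly keeps `u=rw,go=`. The task's `path:` line is just outside the hunk.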
@@ -72,7 +72,7 @@ dest: ~root/.mc owner: root group: root - mode: "0600" + mode: 'u=rw,go=' loop: ['hotlist', 'ini', 'panels.ini'] - name: "Update root mc - sync extfs from ~phd" -- 2.47.3