From 7732e5d43fa90e4a40fef935bbea57ffb4a98555 Mon Sep 17 00:00:00 2001
From: saibotk
Date: Sat, 26 Sep 2020 21:45:15 +0200
Subject: [PATCH] traefik: Adjust directory permissions

This patch reduces the permissions on the install directory to just the root user and also fixes the ansible-lint issue by specifying the `mode`.
---
 roles/traefik/tasks/acmedumper.yml | 3 +++
 roles/traefik/tasks/main.yml | 10 ++++++++--
 roles/traefik/tasks/tor.yml | 19 ++++++++++++-------
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/roles/traefik/tasks/acmedumper.yml b/roles/traefik/tasks/acmedumper.yml
index 395ec92..2991488 100644
--- a/roles/traefik/tasks/acmedumper.yml
+++ b/roles/traefik/tasks/acmedumper.yml
@@ -31,6 +31,9 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: '0750'
+ owner: 'root'
+ group: 'root'
 setype: "container_file_t"
 selevel: "{{ traefik_selinux_level | default(omit) }}"
 with_items:
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 0cce874..dc1256f 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -34,6 +34,9 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: '0700'
+ owner: 'root'
+ group: 'root'
 with_items:
 - "{{ traefik_install_location }}"
 become: true
@@ -42,6 +45,9 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: '0700'
+ owner: 'root'
+ group: 'root'
 setype: "container_file_t"
 selevel: "{{ traefik_selinux_level }}"
 with_items:
@@ -90,8 +96,8 @@
 template:
 src: dynamic_conf.yml
 dest: "{{ traefik_config_location }}/dynamic_conf.yml"
- owner: root
- group: root
+ owner: 'root'
+ group: 'root'
 mode: '0600'
 setype: "container_file_t"
 selevel: "{{ traefik_selinux_level }}"
diff --git a/roles/traefik/tasks/tor.yml b/roles/traefik/tasks/tor.yml
index 6b4119a..26f18de 100644
--- a/roles/traefik/tasks/tor.yml
+++ b/roles/traefik/tasks/tor.yml
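Review bot: In roles/traefik/tasks/acmedumper.yml (hunk -31,6) the added `mode: '0750'` keeps group read and traverse on these directories, while the directory tasks added in main.yml use `mode: '0700'` and the commit message says access is reduced to the root user. The `with_items` list is outside the hunk, so what is stored there is inferred from the file name; if these paths receive dumped certificates and private keys, `mode: '0700'` would match the stated intent. If group access is deliberate, a short comment above the task naming the consumer that needs it would keep a later reader from tightening the mode and breaking that consumer.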
@@ -33,6 +33,9 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: '0700'
+ owner: 'root'
+ group: 'root'
 with_items:
 - "{{ traefik_tor_location }}"
 become: true
@@ -41,11 +44,11 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: '0700'
+ owner: '994'
+ group: '994'
 setype: "container_file_t"
 selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- mode: "0700"
- owner: "994"
- group: "994"
 with_items:
 - "{{ traefik_tor_data_location }}"
 become: true
@@ -56,9 +59,9 @@
 state: directory
 setype: "container_file_t"
 selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- mode: "0755"
- owner: root
- group: root
+ mode: '0750'
+ owner: 'root'
+ group: 'root'
 with_items:
 - "{{ traefik_tor_config_location }}"
 become: true
@@ -69,6 +72,8 @@
 dest: "{{ traefik_tor_config_location }}/traefik"
 setype: "container_file_t"
 selevel: "{{ traefik_tor_selinux_level | default(omit) }}"
- mode: "0644"
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
 notify: Restart tor proxy
 become: true
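Review bot: In the second tor.yml hunk (-41,11) the re-added `owner: '994'` and `group: '994'` keep a hard-coded numeric ID on the directory listed as `traefik_tor_data_location`. Host system accounts are commonly allocated from a range that can include 994, so unless the container runs with user-namespace remapping, whichever host account happens to hold that ID gets full access to this directory under `mode: '0700'`. Consider a role variable so the ID is set and documented in one place, for example `owner: "{{ traefik_tor_uid | default('994') }}"` with a matching group variable (the variable names are a suggestion and are not defined on this page), plus a comment stating which image user the number corresponds to.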
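Review bot: In the third tor.yml hunk (-56,9) the config directory becomes `mode: '0750'` with `group: 'root'`, yet the data directory in the previous hunk is owned by `994`, which suggests the Tor process does not run as root. If that process reads `{{ traefik_tor_config_location }}/traefik` as UID 994 through a directory mount, it can no longer enter the directory, and the `mode: '0644'` set in the last hunk (-69,6) does nothing for it; whether this happens depends on the container definition, which is outside the diff. Granting access through the group would keep the tightening: on the directory `group: '994'`, and on the file `group: '994'` with `mode: '0640'`. Both tasks start above their hunks, so the task names and module lines are not visible here.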