Fix 'ansible-lint' E208: Missing file permissions

This patch ensures that the 'E208' error reported by 'ansible-lint' is
fixed in all DebOps roles. The file permissions in files and directories
created by Ansible need to be specified explicitly.

Ref: ansible/ansible#71200
(cherry picked from commit 059e685)
(cherry picked from commit b79f473)

CHANGELOG.rst

@@ -59,6 +59,12 @@ LDAP
 Fixed
 ~~~~~
 
+General
+'''''''
+
+- The missing ``mode`` parameter which specifies file/directory permissions has
+  been added to various roles to satisfy :command:`ansible-lint` requirements.
+
 :ref:`debops.ifupdown` role
 '''''''''''''''''''''''''''
 

ansible/roles/apache/tasks/main.yml

@@ -84,6 +84,7 @@
   file:
     path: '{{ apache__config_path + "/conf-enabled/" + item.key + ".conf" }}'
     src: '../conf-available/{{ item.key }}.conf'
+    mode: '0644'
     force: '{{ ansible_check_mode|d() | bool }}'
     state: '{{ (((item.value.enabled|d(True)
                   if (item.value is mapping)

ansible/roles/apt/tasks/main.yml

@@ -179,6 +179,7 @@
     regexp: '^\s+"configured":\s+'
     line: '    "configured": true,'
     state: 'present'
+    mode: '0755'
   register: apt__register_facts_status
   when: (apt__enabled|bool and ansible_local|d() and ansible_local.apt|d() and
          not ansible_local.apt.configured|bool)

ansible/roles/avahi/tasks/avahi_alias.yml

@@ -37,6 +37,7 @@
     state: '{{ "present"
                if item.value.cname_state|d(item.value.state | d("present")) != "absent"
                else "absent" }}'
+    mode: '0644'
   with_dict: '{{ avahi__combined_services }}'
   register: avahi__register_aliases
   when: item.value.cname|d()

ansible/roles/avahi/tasks/main.yml

@@ -80,6 +80,7 @@
                               if item.value.endswith("." + avahi__domain)
                               else (item.value + "." + avahi__domain)) }}'
     state: 'present'
+    mode: '0644'
   with_dict: '{{ avahi__hosts | combine(avahi__group_hosts) | combine(avahi__host_hosts) }}'
   when: item.key|d() and item.value|d()
 

ansible/roles/console/tasks/main.yml

@@ -34,6 +34,7 @@
     regexp: '^{{ console_serial_inittab }}'
     state: 'present'
     line: '{{ console_serial_inittab }}'
+    mode: '0644'
   when: ((console_serial is defined and console_serial) and
          ((console_register_inittab is defined and console_register_inittab) and
           console_register_inittab.stat.exists))
@@ -45,6 +46,7 @@
     regexp: 'FSCKFIX='
     state: 'present'
     line: 'FSCKFIX={{ console_fsckfix }}'
+    mode: '0644'
   when: ansible_distribution_release in console_fsckfix_releases
 
 - include: filesystem_mount.yml

ansible/roles/cryptsetup/tasks/manage_devices.yml

@@ -278,6 +278,7 @@
   file:
     path: '{{ item.mount | d(cryptsetup__mountpoint_parent_directory + "/" + item.name) }}'
     state: 'directory'
+    mode: '0755'
   when: (item.state|d(cryptsetup__state) in [ 'present' ] and (item.manage_filesystem|d(True) | bool))
   with_items: '{{ cryptsetup__process_devices|d([]) }}'
 

ansible/roles/debops-contrib.apparmor/tasks/main.yml

@@ -31,6 +31,7 @@
     regexp: '{{ item.regexp }}'
     line: '{{ item.line }}'
     insertbefore: '{{ item.insertbefore }}'
+    mode: '0644'
   when: ((apparmor__manage_grub|d() | bool) and (apparmor__enabled|d() | bool))
   with_items:
     - regexp: '^GRUB_CMDLINE_LINUX='
@@ -47,6 +48,7 @@
     regexp: '^GRUB_CMDLINE_LINUX="(.*?)\$GRUB_CMDLINE_LINUX_ANSIBLE_APPARMOR(.*)"'
     line: 'GRUB_CMDLINE_LINUX="\1 \2"'
     backrefs: yes
+    mode: '0644'
   when: (apparmor__manage_grub and not (apparmor__enabled|d() | bool))
   notify: [ 'Update grub' ]
 
@@ -115,6 +117,7 @@
   file:
     path: '/etc/apparmor.d/tunables/home.d'
     state: 'directory'
+    mode: '0755'
 
 - name: Configure tunables
   template:

ansible/roles/debops-contrib.firejail/tasks/main.yml

@@ -90,6 +90,7 @@
   file:
     path: '{{ firejail__system_local_bin_path }}'
     state: 'directory'
+    mode: '0755'
 
 - name: Create/remove symlinks for sandboxed programs
   file:
@@ -118,6 +119,7 @@
                ) else "absent" }}'
     owner: 'root'
     group: 'root'
+    mode: '0755'
     force: '{{ ansible_check_mode|d(omit) }}'
   when: not (item in firejail__combined_program_sandboxes and firejail__combined_program_sandboxes[item].system_wide_sandboxed|d("present") in ["ignored"])
   with_items: '{{ firejail__combined_program_sandboxes.keys() | list | union(firejail__fact_system_wide_profiles) }}'
@@ -212,6 +214,7 @@
   file:
     path: '~/.local/share/applications'
     state: 'directory'
+    mode: '0755'
   become: True
   become_user: '{{ item.name }}'
   no_log: '{{ not (firejail__ansible_log | bool) }}'

ansible/roles/debops-contrib.fuse/tasks/main.yml

@@ -16,6 +16,7 @@
   template:
     src: 'etc/fuse.conf.j2'
     dest: '/etc/fuse.conf'
+    mode: '0644'
 
 - name: Ensure fuse system group is present
   group:
@@ -37,6 +38,7 @@
   template:
     src: 'etc/udev/rules.d/fuse.rules.j2'
     dest: '/etc/udev/rules.d/99-fuse.rules'
+    mode: '0644'
   when: fuse_restrict_access | bool
 
 - name: Ensure FUSE permissions are applied immediately

ansible/roles/debops-contrib.snapshot_snapper/tasks/configure_snapper_volume.yml

@@ -7,5 +7,6 @@
     dest: '/etc/snapper/configs/{{ snapshot_snapper__volume.name }}'
     regexp: '^{{ item.key }}='
     line: '{{ item.key }}="{{ item.value }}"'
+    mode: '0644'
   with_dict: '{{ (snapshot_snapper__templates_combined[snapshot_snapper__volume.template|d("default")]|d({}))
                  | combine(snapshot_snapper__volume.config|d({})) }}'

ansible/roles/debops-contrib.snapshot_snapper/tasks/main.yml

@@ -60,6 +60,7 @@
     backrefs: yes
     regexp: '^(# )?PRUNENAMES=(".*)"$'
     line: 'PRUNENAMES=\2 {{ snapshot_snapper__directory }}"'
+    mode: '0644'
   when: snapshot_snapper__register_updatedb_configured.rc != 0
 # .. ]]]
 
@@ -114,6 +115,7 @@
            | map(attribute="path")
            | map("replace", "/etc/snapper/configs/", "")
            | join(" ") }}"'
+    mode: '0644'
   when: (snapshot_snapper__auto_reinit|bool)
   tags: [ 'role::snapshot_snapper:reinit' ]
 # .. ]]]

ansible/roles/debops_api/tasks/main.yml

@@ -53,6 +53,7 @@
     state: 'directory'
     owner: '{{ debops_api__user }}'
     group: '{{ debops_api__group }}'
+    mode: '0755'
 
 - name: Clone DebOps API input data
   git:
@@ -75,6 +76,7 @@
     state: 'directory'
     owner: '{{ debops_api__user }}'
     group: '{{ debops_api__group }}'
+    mode: '0755'
 
 - name: Clone debops-api source code
   git:
@@ -98,6 +100,7 @@
     state: 'directory'
     owner: '{{ debops_api__user }}'
     group: '{{ debops_api__group }}'
+    mode: '0755'
 
 - name: Ensure that the DebOps API data update script is present
   template:

ansible/roles/dhparam/tasks/main.yml

@@ -34,6 +34,7 @@
   file:
     path: '{{ dhparam__source_path }}'
     state: 'directory'
+    mode: '0755'
   delegate_to: 'localhost'
   become: False
   run_once: True
@@ -81,6 +82,7 @@
     dest: '{{ dhparam__path + "/params/" + dhparam__set_prefix + item + "/" }}'
     owner: 'root'
     group: 'root'
+    mode: '0644'
     force: False
   when: dhparam__deploy_state in ['present']
   with_sequence: 'start=0 count={{ dhparam__sets }}'
@@ -92,6 +94,7 @@
              + dhparam__prefix + dhparam__default_length + dhparam__suffix }}'
     path: '{{ dhparam__path + "/" + dhparam__set_prefix + item }}'
     state: 'link'
+    mode: '0644'
   when: dhparam__deploy_state in ['present']
   with_sequence: 'start=0 count={{ dhparam__sets }}'
 

ansible/roles/docker_gen/tasks/main.yml

@@ -28,6 +28,7 @@
     copy: False
     owner: 'root'
     group: 'root'
+    mode: 'u=rwX,g=rX,o=rX'
   register: docker_gen__register_install
 
 - name: Copy docker-gen templates to remote host

ansible/roles/docker_server/tasks/main.yml

@@ -91,13 +91,15 @@
     path: '{{ docker_server__virtualenv_python_symlink }}'
     src:  '{{ docker_server__virtualenv_python_interpreter }}'
     state: 'link'
+    mode: '0755'
   when: docker_server__install_virtualenv
 
 - name: Symlink selected Python scripts to /usr/local/bin
   file:
     path: '{{ item.path }}'
     src: '{{ item.src }}'
     state: 'link'
+    mode: '0755'
   with_flattened:
     - '{{ docker_server__default_pip_packages }}'
     - '{{ docker_server__pip_packages }}'

ansible/roles/dokuwiki/tasks/main.yml

@@ -204,6 +204,7 @@
     dest: '{{ dokuwiki__farm_path + "/" + item + "/" }}'
     owner: '{{ dokuwiki__user }}'
     group: '{{ dokuwiki__webserver_user }}'
+    mode: '0750'
     force: False
   with_items: '{{ dokuwiki__farm_animals }}'
   when: (dokuwiki__farm|bool and dokuwiki__farm_animals)

ansible/roles/elasticsearch/tasks/main.yml

@@ -124,6 +124,7 @@
   template:
     src: 'secret/elasticsearch/dependent_config/config.json.j2'
     dest: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+    mode: '0644'
   become: False
   delegate_to: 'localhost'
   tags: [ 'role::elasticsearch:config' ]

ansible/roles/etc_aliases/tasks/main.yml

@@ -61,5 +61,6 @@
   template:
     src: 'secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2'
     dest: '{{ secret + "/etc_aliases/dependent_config/" + inventory_hostname + "/recipients.json" }}'
+    mode: '0644'
   become: False
   delegate_to: 'localhost'

ansible/roles/etckeeper/tasks/main.yml

@@ -112,6 +112,7 @@
     section: 'user'
     option: '{{ item.key }}'
     value: '{{ item.value }}'
+    mode: '0644'
   with_dict:
     name: '{{ etckeeper__vcs_user }}'
     email: '{{ etckeeper__vcs_email }}'

ansible/roles/fail2ban/tasks/main.yml

@@ -30,6 +30,7 @@
     regexp: '^(enabled  = )true'
     line: '\1false'
     backrefs: yes
+    mode: '0644'
   notify: [ 'Reload fail2ban jails' ]
 
 - name: Install custom fail2ban rule files
@@ -38,6 +39,7 @@
     dest: '/etc/fail2ban/'
     owner: 'root'
     group: 'root'
+    mode: 'u=rwX,g=rX,o=rX'
   notify: [ 'Reload fail2ban jails' ]
 
 - name: Configure custom fail2ban actions

ansible/roles/fcgiwrap/tasks/configure_sysvinit.yml

@@ -23,6 +23,7 @@
     regexp: '^# Provides:\s+fcgiwrap.*$'
     line: '# Provides:          fcgiwrap-{{ item.name }}'
     state: 'present'
+    mode: '0755'
   with_items: '{{ fcgiwrap__instances }}'
 
 - name: Modify fcgiwrap instance init script (name)
@@ -31,6 +32,7 @@
     regexp: '^NAME="fcgiwrap.*"$'
     line: 'NAME="fcgiwrap-{{ item.name }}"'
     state: 'present'
+    mode: '0755'
   with_items: '{{ fcgiwrap__instances }}'
 
 - name: Enable fcgiwrap instance init script

ansible/roles/ferm/tasks/main.yml

@@ -180,6 +180,7 @@
     dest: '/etc/default/ferm'
     regexp: '^ENABLED="'
     line: 'ENABLED="no"'
+    mode: '0644'
   when: not ferm__enabled | bool
 
 - name: Ensure that Ansible local facts directory exists

ansible/roles/freeradius/tasks/main.yml

@@ -116,6 +116,7 @@
     state: 'link'
     owner: '{{ item.owner | d(freeradius__user) }}'
     group: '{{ item.group | d(freeradius__group) }}'
+    mode:  '{{ item.mode  | d("0640") }}'
   with_items: '{{ freeradius__combined_configuration | parse_kv_items }}'
   notify: [ 'Check freeradius configuration and restart' ]
   when: (item.name|d() and item.state|d('present') not in [ 'absent', 'ignore', 'init' ] and

ansible/roles/gitlab/handlers/main.yml

@@ -27,6 +27,7 @@
   file:
     path: '{{ gitlab_ce_git_checkout + "/tmp/restart.txt" }}'
     state: 'touch'
+    mode: '0644'
   when: (ansible_local|d() and ansible_local.nginx|d() and
          ansible_local.nginx.flavor == 'passenger')
 

ansible/roles/gitlab/tasks/configure_gitlab_ce.yml

@@ -103,6 +103,7 @@
   template:
     src: 'etc/systemd/system/{{ item }}.j2'
     dest: '/etc/systemd/system/{{ item }}'
+    mode: '0644'
   with_items:
     - 'gitlab.slice'
     - 'gitlab-mailroom.service'
@@ -120,6 +121,7 @@
   template:
     src: 'etc/systemd/system/gitlab-pages.service.j2'
     dest: '/etc/systemd/system/gitlab-pages.service'
+    mode: '0644'
   register: gitlab__register_pages_systemd_services
   when: (gitlab_enable_pages and
          gitlab_register_ce_checkout is changed and

ansible/roles/golang/tasks/golang_build_install.yml

@@ -70,6 +70,7 @@
       file:
         dest: '{{ (golang__gosrc + "/" + url_item.dest) | dirname }}'
         state: 'directory'
+        mode: '0755'
       loop: '{{ build.url }}'
       loop_control:
         loop_var: 'url_item'
@@ -91,6 +92,7 @@
         dest: '{{ golang__gosrc + "/" + (url_item.unarchive_dest | d(url_item.dest | dirname)) }}'
         remote_src: True
         creates: '{{ golang__gosrc + "/" + url_item.unarchive_creates }}'
+        mode: 'u=rwX,g=rwX,o=rX'
       loop: '{{ build.url }}'
       loop_control:
         loop_var: 'url_item'

ansible/roles/grub/tasks/main.yml

@@ -123,6 +123,7 @@
     dest: '/etc/grub.d/10_linux'
     regexp: "^CLASS=(?:\\$\\{[A-Z_]+:-)?([\"'][\\w _-]+)([\"'])\\}?"
     replace: 'CLASS=${GRUB_LINUX_MENUENTRY_CLASS:-\1 ${GRUB_LINUX_MENUENTRY_CLASS_ADDITIONAL:-}\2}'
+    mode: '0755'
   notify: [ 'Update GRUB' ]
   when: (grub__combined_users|length > 0)
 

ansible/roles/hashicorp/tasks/main.yml

@@ -163,6 +163,7 @@
         src: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
                  item + "_" + hashicorp__combined_version_map[item] + "_" + hashicorp__tar_suffix }}'
         dest: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+        mode: 'u=rwX,g=rwX,o=rX'
         creates: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
                      ((hashicorp__combined_binary_map[item]
                        if hashicorp__combined_binary_map[item] is string
@@ -178,6 +179,7 @@
         src: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
                  item + "_" + hashicorp__combined_version_map[item] + "_" + hashicorp__consul_webui_suffix }}'
         dest: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/web_ui" + "/" }}'
+        mode: 'u=rwX,g=rwX,o=rX'
         creates: '{{ hashicorp__lib + "/" + item + "/"
                      + hashicorp__combined_version_map[item] + "/web_ui/index.html" }}'
       with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'

ansible/roles/icinga/tasks/main.yml

@@ -123,6 +123,7 @@
     src: '{{ ("../features-available/" + item.feature_name + ".conf")
              if (item.feature_state|d("present") == "present") else omit }}'
     state: '{{ "link" if item.feature_state|d("present") == "present" else "absent" }}'
+    mode: '0644'
     force: '{{ True if ansible_check_mode|bool else omit }}'
   with_items: '{{ icinga__combined_configuration | parse_kv_items }}'
   notify: [ 'Check icinga2 configuration and restart' ]
@@ -149,6 +150,7 @@
   template:
     src: 'secret/icinga/dependent_config/inventory_hostname/configuration.json.j2'
     dest: '{{ secret + "/icinga/dependent_config/" + inventory_hostname + "/configuration.json" }}'
+    mode: '0644'
   become: False
   delegate_to: 'localhost'
 

ansible/roles/icinga_db/tasks/main.yml

@@ -29,6 +29,7 @@
     path: '/etc/icinga2/features-enabled/{{ icinga_db__feature }}.conf'
     src: '../features-available/{{ icinga_db__feature }}.conf'
     state: 'link'
+    mode: '0600'
   notify: [ 'Check icinga2 configuration and restart' ]
   when: icinga_db__icinga_installed|bool and
         icinga_db__feature != 'unknown'