fix E208 'File permissions not mentioned'

63887d3b · Frederik Schwan · Sven-Hendrik Haase · 04b2e3b1 · 63887d3b · 63887d3b
Commit 63887d3b authored Aug 18, 2020 by Frederik Schwan Committed by Sven-Hendrik Haase Aug 27, 2020
--- a/playbooks/tasks/fetch-borg-keys.yml
+++ b/playbooks/tasks/fetch-borg-keys.yml
@@ -4,7 +4,7 @@
  hosts: 127.0.0.1
  tasks:
      - name: create borg-keys directory
-        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory
+        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=preserve

 - name: fetch borg keys
  hosts: borg_clients

--- a/playbooks/tasks/pacman-website.yml
+++ b/playbooks/tasks/pacman-website.yml
@@ -14,10 +14,10 @@
        get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.gz dest={{ tempdir.path }}/pacman.tar.gz

      - name: create extraction dir
-        file: path={{ tempdir.path }}/pacman state=directory
+        file: path={{ tempdir.path }}/pacman state=directory owner=root group=root mode=0755

      - name: unpack tarball
-        unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/
+        unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/ owner=root group=root mode=0755

      - name: configure
        command: ./configure chdir={{ tempdir.path }}/pacman/pacman-{{ pacman_version }}

--- a/playbooks/tasks/sync-ssh-hostkeys.yml
+++ b/playbooks/tasks/sync-ssh-hostkeys.yml
@@ -21,26 +21,36 @@
        copy:
          dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
          content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].ssh_hostkeys.stdout }}\n\n{% endfor %}"
+          mode: preserve
        delegate_to: localhost
      - name: store known_hosts
        copy:
          dest: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
          content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].known_hosts.stdout }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
        delegate_to: localhost
      - name: manually append rsync.net host keys
        lineinfile:
          path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
          line: "{% for host in query('inventory_hostnames', 'rsync_net') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
        delegate_to: localhost
      - name: manually append Hetzner Storageboxes host keys
        lineinfile:
          path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
          line: "{% for host in query('inventory_hostnames', 'hetzner_storageboxes') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
        delegate_to: localhost

 - name: upload known_hosts to all nodes
  hosts: all,!rsync_net,!hetzner_storageboxes
  tasks:
      - name: upload known_hosts
-        copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
+        copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
        tags: ['upload-known-hosts']
--- a/roles/arch_boxes/tasks/main.yml
+++ b/roles/arch_boxes/tasks/main.yml
@@ -17,17 +17,17 @@
  copy: src=virtualbox.conf dest=/etc/modules-load.d/virtualbox.conf owner=root group=root mode=0644

 - name: adjust permissions of git checkout
-  file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}"
+  file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=preserve

 - name: ensure controller.py of arch-boxes is executable
-  file: path="{{ archboxes_git_dir }}/controller.py" mode='0744'
+  file: path="{{ archboxes_git_dir }}/controller.py" mode=0744 owner=root group=root

 - name: replace placeholder to vagrantcloud API Key
  no_log: true
-  replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}"
+  replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}" owner=root group=root mode=0600

 - name: install sudoers file
-  template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes
+  template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes owner=root group=root mode=0440

 - name: install arch-boxes service
  template: src='arch-boxes.service.j2' dest='/etc/systemd/system/arch-boxes.service' owner=root group=root mode=0644

--- a/roles/archbuild/tasks/main.yml
+++ b/roles/archbuild/tasks/main.yml
@@ -109,4 +109,4 @@
  template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644

 - name: install archbuild sudoers config
-  copy: src=sudoers dest=/etc/sudoers.d/archbuild
+  copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -16,7 +16,7 @@
  user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no

 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"

 - name: set archweb groups
  user: name=archweb groups=uwsgi
@@ -33,7 +33,7 @@
  when: archweb_site|bool

 - name: make rsync iso dir
-  file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb
+  file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
  when: archweb_site|bool

 - name: clone archweb repo
@@ -59,11 +59,11 @@
  register: virtualenv

 - name: create media dir
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}/media"
+  file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
  when: archweb_site|bool

 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"

 - name: configure archweb
  template: src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
@@ -196,7 +196,7 @@
  when: archweb_services or archweb_pgp_import

 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path="/etc/pacman.d/hooks"
+  file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
  when: archweb_services or archweb_pgp_import

 - name: install pgp_import hook
@@ -265,7 +265,7 @@
 - name: deploy new release
  become: true
  become_user: archweb
-  file: path=/etc/uwsgi/vassals/archweb.ini state=touch
+  file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=root group=root mode=0600
  when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  notify: restart archweb memcached

@@ -320,7 +320,7 @@
  when: archweb_donor_import|bool

 - name: create retro dir
-  file: state=directory owner=archweb group=archweb path="{{ archweb_retro_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
  when: archweb_site|bool

 - name: clone archweb-retro repo

--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -21,7 +21,7 @@
  register: user_created

 - name: fix home permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"

 - name: set up nginx
  template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
@@ -47,16 +47,16 @@
    - run wiki updatescript

 - name: fix home permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"

 - name: fix cache permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/cache"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/cache"

 - name: fix sessions permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/sessions"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/sessions"

 - name: fix uploads permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/uploads"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"

 - name: configure archwiki
  template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
@@ -119,7 +119,7 @@
  file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644

 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path=/etc/pacman.d/hooks
+  file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks

 - name: install archwiki question updater hook
  template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -56,7 +56,7 @@
  register: tubylaws_release

 - name: create necessary directories
-  file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }}
+  file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
  with_items:
    - 'aurblup'
    - 'sessions'
@@ -91,13 +91,13 @@
  when: release.changed or db_created.changed

 - name: create aurweb conf dir
-  file: path={{ aurweb_conf_dir }} state=directory
+  file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755

 - name: copy aurweb configuration file
-  copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
+  copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644

 - name: install custom aurweb configuration
-  template: src=config.j2 dest={{ aurweb_conf_dir }}/config
+  template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644

 - name: Install python module
  command: "python3 setup.py install --install-scripts=/usr/local/bin"
@@ -126,11 +126,11 @@
  when: tubylaws_release.changed

 - name: Install Trusted User documentation
-  copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes
+  copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes owner={{ aurweb_user }} group=http mode=0644
  when: tubylaws_release.changed

 - name: Install Trusted User documentation symlink
-  file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link
+  file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link owner={{ aurweb_user }} group=http mode=0644
  when: tubylaws_release.changed

 - name: set up nginx
@@ -152,7 +152,7 @@
  service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true

 - name: install cgit configuration
-  template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc"
+  template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644

 - name: configure cgit uwsgi service
  template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
@@ -160,7 +160,7 @@
 - name: deploy new cgit release
  become: true
  become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/cgit.ini state=touch
+  file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
  when: cgit.changed

 - name: configure smartgit uwsgi service
@@ -169,7 +169,7 @@
 - name: deploy new smartgit release
  become: true
  become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/smartgit.ini state=touch
+  file: path=/etc/uwsgi/vassals/smartgit.ini state=touch mode=preserve
  when: git.changed

 - name: create git repo dir
@@ -227,6 +227,9 @@
  file:
    src: "{{ aurweb_git_hook }}"
    dest: "{{ aurweb_git_dir }}/hooks/update"
+    owner: root
+    group: root
+    mode: 0755
    state: link

 - name: install AUR systemd service and timers

--- a/roles/borg_client/tasks/main.yml
+++ b/roles/borg_client/tasks/main.yml
@@ -42,7 +42,7 @@
  changed_when: check_postgres_user.stdout | length > 0

 - name: make postgres backup directory
-  file: path={{ postgres_backup_dir }} owner=root group=root state=directory
+  file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory
  when: check_postgres_user is succeeded and postgres_backup_dir is defined

 - name: install mysql backup script
@@ -50,11 +50,11 @@
  when: mysql_backup_dir is defined

 - name: install mysql backup config
-  template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }}
+  template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644
  when: mysql_backup_defaults is defined

 - name: create mysql backup directory
-  file: path={{ mysql_backup_dir }} state=directory owner=root group=root
+  file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
  when: mysql_backup_dir is defined

 - name: install gitlab backup script

--- a/roles/bugbot/tasks/main.yml
+++ b/roles/bugbot/tasks/main.yml
@@ -22,7 +22,7 @@
  template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600

 - name: install bugbot systemd service
-  copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service
+  copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644

 - name: start and enable bugbot service
  systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -55,7 +55,7 @@
  when: configure_network

 - name: create symlink to resolv.conf
-  file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
+  file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes owner=root group=root mode=0755
  when: configure_network and not host_has_local_dns_resolver

 - name: create resolv.conf

--- a/roles/conf_archlinux/tasks/main.yml
+++ b/roles/conf_archlinux/tasks/main.yml
@@ -14,10 +14,10 @@
  register: release

 - name: fix home permissions
-  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ conference_dir }}"
+  file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0750 path="{{ conference_dir }}"

 - name: create static conf.archlinux.org dir
-  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ static_conference_dir }}"
+  file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0755 path="{{ static_conference_dir }}"

 - name: generate conf.archlinux.org site
  command: hugo

--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -76,7 +76,7 @@
  tags: ["archusers"]

 - name: create dbscripts paths
-  file: path="{{ item }}" state=directory
+  file: path="{{ item }}" state=directory owner=root group=root mode=0755
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages
@@ -167,19 +167,19 @@
    - svn-packages

 - name: make /srv/svn
-  file: path=/srv/svn state=directory
+  file: path=/srv/svn state=directory owner=root group=root mode=0755

 - name: symlink /srv/svn/community to /srv/repos/svn-community/svn
-  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link
+  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755

 - name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
-  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link
+  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755

 - name: symlink /community to /srv/repos/svn-community/dbscripts
-  file: path=/community src=/srv/repos/svn-community/dbscripts state=link
+  file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755

 - name: symlink /packages to /srv/repos/svn-packages/dbscripts
-  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link
+  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755

 - name: put rsyncd.conf into tmpfiles
  copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
@@ -301,7 +301,7 @@
    - firewall

 - name: configure svnserve
-  copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
+  copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"

 - name: start and enable svnserve
  service: name=svnserve enabled=yes state=started

--- a/roles/docker_image/tasks/main.yml
+++ b/roles/docker_image/tasks/main.yml
@@ -12,7 +12,7 @@
  git: repo="{{ docker_image_git_remote }}" version="{{ docker_image_git_tag }}" dest="{{ docker_image_git_dir }}" force=yes

 - name: install sudoers file
-  template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image
+  template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image owner=root group=root mode=0440

 - name: install docker_image service
  template: src='docker-image.service.j2' dest='/etc/systemd/system/docker-image.service' owner=root group=root mode=0644

--- a/roles/fluxbb/tasks/main.yml
+++ b/roles/fluxbb/tasks/main.yml
@@ -11,15 +11,11 @@
    version: "{{ fluxbb_version }}"

 - name: fix home permissions
-  file: >
-    state=directory owner=fluxbb group=fluxbb recurse=yes
-    path="{{ fluxbb_dir }}"
+  file: state=directory owner=fluxbb group=fluxbb mode=0750 recurse=yes path="{{ fluxbb_dir }}"
  changed_when: False

 - name: create uploads directory
-  file: >
-    state=directory owner=fluxbb group=fluxbb
-    path="{{ fluxbb_dir }}/uploads"
+  file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"

 - name: create mariadb database
  mysql_db: name=fluxbb state=present

--- a/roles/flyspray/tasks/main.yml
+++ b/roles/flyspray/tasks/main.yml
@@ -17,7 +17,7 @@
  register: user_created

 - name: fix home permissions
-  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
+  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0750

 - name: set up nginx
  template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
@@ -43,7 +43,7 @@
  register: release

 - name: fix home permissions
-  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
+  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755

 - name: take away setup dir write permissions
  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000

--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -33,6 +33,9 @@
 - name: increase concurrency
  lineinfile:
    path: /etc/gitlab-runner/config.toml
+    owner: root
+    group: root
+    mode: 0640
    regexp: '^concurrent = .*'
    line: concurrent = 100
  notify: restart gitlab-runner

--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
 ---

 - name: set restricted access to kernel logs
-  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
+  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
  notify:
    - apply sysctl settings

 - name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
-  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
+  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
  notify:
    - apply sysctl settings

 - name: set restricted access to kernel pointers in proc fs
-  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
+  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
  notify:
    - apply sysctl settings

 - name: set kernel lockdown to restricted
-  copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf
+  copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
  when: "'hcloud' in group_names"
  notify:
    - apply sysctl settings
--- a/roles/hetzner_storagebox/tasks/main.yml
+++ b/roles/hetzner_storagebox/tasks/main.yml
@@ -23,7 +23,7 @@
  delegate_to: localhost

 - name: fill tempfile
-  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
+  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
  delegate_to: localhost

 - name: upload authorized_keys file

--- a/roles/install_arch/tasks/main.yml
+++ b/roles/install_arch/tasks/main.yml
@@ -40,7 +40,7 @@
  when: filesystem == "btrfs"

 - name: touch LOCK file on mountpoint
-  file: path=/mnt/LOCK state=touch
+  file: path=/mnt/LOCK state=touch owner=root group=root mode=0644

 - name: download bootstrap image
  get_url:
@@ -51,11 +51,14 @@
  unarchive:
    src: /tmp/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
    dest: /tmp
+    owner: root
+    group: root
+    mode: 0644
    remote_src: yes
    creates: /tmp/root.x86_64

 - name: copy resolv.conf to bootstrap chroot
-  copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
+  copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644

 - name: mount /proc to bootstrap chroot
  mount:
@@ -147,7 +150,7 @@
    fstab: /dev/dummyfstab

 - name: configure locale.gen
-  lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
+  lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644

 - name: run locale-gen inside chroot
  command: chroot /mnt locale-gen
@@ -189,6 +192,9 @@
 - name: provide default mount options (btrfs)
  lineinfile:
    path: /mnt/etc/default/grub
+    owner: root
+    group: root
+    mode: 0644
    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
    line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
  when: filesystem == "btrfs"
@@ -225,7 +231,7 @@
  template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644

 - name: create symlink to resolv.conf
-  file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
+  file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes owner=root group=root mode=0644

 - name: clean pacman cache
  command: chroot /mnt pacman -Scc --noconfirm