fix E208 'File permissions not mentioned'

playbooks/tasks/fetch-borg-keys.yml

@@ -4,7 +4,7 @@
   hosts: 127.0.0.1
   tasks:
       - name: create borg-keys directory
-        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory
+        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=preserve
 
 - name: fetch borg keys
   hosts: borg_clients

playbooks/tasks/pacman-website.yml

@@ -14,10 +14,10 @@
         get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.gz dest={{ tempdir.path }}/pacman.tar.gz
 
       - name: create extraction dir
-        file: path={{ tempdir.path }}/pacman state=directory
+        file: path={{ tempdir.path }}/pacman state=directory owner=root group=root mode=0755
 
       - name: unpack tarball
-        unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/
+        unarchive: src={{ tempdir.path }}/pacman.tar.gz dest={{ tempdir.path }}/pacman/ owner=root group=root mode=0755
 
       - name: configure
         command: ./configure chdir={{ tempdir.path }}/pacman/pacman-{{ pacman_version }}

playbooks/tasks/sync-ssh-hostkeys.yml

@@ -21,26 +21,36 @@
         copy:
           dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
           content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].ssh_hostkeys.stdout }}\n\n{% endfor %}"
+          mode: preserve
         delegate_to: localhost
       - name: store known_hosts
         copy:
           dest: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
           content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].known_hosts.stdout }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
         delegate_to: localhost
       - name: manually append rsync.net host keys
         lineinfile:
           path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
           line: "{% for host in query('inventory_hostnames', 'rsync_net') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
         delegate_to: localhost
       - name: manually append Hetzner Storageboxes host keys
         lineinfile:
           path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
           line: "{% for host in query('inventory_hostnames', 'hetzner_storageboxes') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n\n{% endfor %}"
+          owner: root
+          group: root
+          mode: 0644
         delegate_to: localhost
 
 - name: upload known_hosts to all nodes
   hosts: all,!rsync_net,!hetzner_storageboxes
   tasks:
       - name: upload known_hosts
-        copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
+        copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
         tags: ['upload-known-hosts']

roles/arch_boxes/tasks/main.yml

@@ -17,17 +17,17 @@
   copy: src=virtualbox.conf dest=/etc/modules-load.d/virtualbox.conf owner=root group=root mode=0644
 
 - name: adjust permissions of git checkout
-  file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}"
+  file: path="{{ archboxes_git_dir }}" state=directory recurse=yes owner="{{ archboxes_user }}" group="{{ archboxes_user }}" mode=preserve
 
 - name: ensure controller.py of arch-boxes is executable
-  file: path="{{ archboxes_git_dir }}/controller.py" mode='0744'
+  file: path="{{ archboxes_git_dir }}/controller.py" mode=0744 owner=root group=root
 
 - name: replace placeholder to vagrantcloud API Key
   no_log: true
-  replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}"
+  replace: path="{{ archboxes_git_dir }}/vagrant.json" regexp='PLACEHOLDER' replace="{{ vault_archboxes_apikey }}" owner=root group=root mode=0600
 
 - name: install sudoers file
-  template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes
+  template: src=sudoers.d.j2 dest=/etc/sudoers.d/archboxes owner=root group=root mode=0440
 
 - name: install arch-boxes service
   template: src='arch-boxes.service.j2' dest='/etc/systemd/system/arch-boxes.service' owner=root group=root mode=0644

roles/archbuild/tasks/main.yml

@@ -109,4 +109,4 @@
   template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
 
 - name: install archbuild sudoers config
-  copy: src=sudoers dest=/etc/sudoers.d/archbuild
+  copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440

roles/archweb/tasks/main.yml

@@ -16,7 +16,7 @@
   user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
 
 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"
 
 - name: set archweb groups
   user: name=archweb groups=uwsgi
@@ -33,7 +33,7 @@
   when: archweb_site|bool
 
 - name: make rsync iso dir
-  file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb
+  file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
   when: archweb_site|bool
 
 - name: clone archweb repo
@@ -59,11 +59,11 @@
   register: virtualenv
 
 - name: create media dir
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}/media"
+  file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
   when: archweb_site|bool
 
 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0750 path="{{ archweb_dir }}"
 
 - name: configure archweb
   template: src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
@@ -196,7 +196,7 @@
   when: archweb_services or archweb_pgp_import
 
 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path="/etc/pacman.d/hooks"
+  file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
   when: archweb_services or archweb_pgp_import
 
 - name: install pgp_import hook
@@ -265,7 +265,7 @@
 - name: deploy new release
   become: true
   become_user: archweb
-  file: path=/etc/uwsgi/vassals/archweb.ini state=touch
+  file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=root group=root mode=0600
   when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
   notify: restart archweb memcached
 
@@ -320,7 +320,7 @@
   when: archweb_donor_import|bool
 
 - name: create retro dir
-  file: state=directory owner=archweb group=archweb path="{{ archweb_retro_dir }}"
+  file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
   when: archweb_site|bool
 
 - name: clone archweb-retro repo

roles/archwiki/tasks/main.yml

@@ -21,7 +21,7 @@
   register: user_created
 
 - name: fix home permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
@@ -47,16 +47,16 @@
     - run wiki updatescript
 
 - name: fix home permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}"
 
 - name: fix cache permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/cache"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/cache"
 
 - name: fix sessions permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/sessions"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/sessions"
 
 - name: fix uploads permissions
-  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/uploads"
+  file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"
 
 - name: configure archwiki
   template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
@@ -119,7 +119,7 @@
   file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
 
 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path=/etc/pacman.d/hooks
+  file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
 
 - name: install archwiki question updater hook
   template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644

roles/aurweb/tasks/main.yml

@@ -56,7 +56,7 @@
   register: tubylaws_release
 
 - name: create necessary directories
-  file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }}
+  file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
   with_items:
     - 'aurblup'
     - 'sessions'
@@ -91,13 +91,13 @@
   when: release.changed or db_created.changed
 
 - name: create aurweb conf dir
-  file: path={{ aurweb_conf_dir }} state=directory
+  file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
 
 - name: copy aurweb configuration file
-  copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
+  copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
 
 - name: install custom aurweb configuration
-  template: src=config.j2 dest={{ aurweb_conf_dir }}/config
+  template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
 
 - name: Install python module
   command: "python3 setup.py install --install-scripts=/usr/local/bin"
@@ -126,11 +126,11 @@
   when: tubylaws_release.changed
 
 - name: Install Trusted User documentation
-  copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes
+  copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes owner={{ aurweb_user }} group=http mode=0644
   when: tubylaws_release.changed
 
 - name: Install Trusted User documentation symlink
-  file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link
+  file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link owner={{ aurweb_user }} group=http mode=0644
   when: tubylaws_release.changed
 
 - name: set up nginx
@@ -152,7 +152,7 @@
   service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
 
 - name: install cgit configuration
-  template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc"
+  template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
 
 - name: configure cgit uwsgi service
   template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
@@ -160,7 +160,7 @@
 - name: deploy new cgit release
   become: true
   become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/cgit.ini state=touch
+  file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
   when: cgit.changed
 
 - name: configure smartgit uwsgi service
@@ -169,7 +169,7 @@
 - name: deploy new smartgit release
   become: true
   become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/smartgit.ini state=touch
+  file: path=/etc/uwsgi/vassals/smartgit.ini state=touch mode=preserve
   when: git.changed
 
 - name: create git repo dir
@@ -227,6 +227,9 @@
   file:
     src: "{{ aurweb_git_hook }}"
     dest: "{{ aurweb_git_dir }}/hooks/update"
+    owner: root
+    group: root
+    mode: 0755
     state: link
 
 - name: install AUR systemd service and timers

roles/borg_client/tasks/main.yml

@@ -42,7 +42,7 @@
   changed_when: check_postgres_user.stdout | length > 0
 
 - name: make postgres backup directory
-  file: path={{ postgres_backup_dir }} owner=root group=root state=directory
+  file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory
   when: check_postgres_user is succeeded and postgres_backup_dir is defined
 
 - name: install mysql backup script
@@ -50,11 +50,11 @@
   when: mysql_backup_dir is defined
 
 - name: install mysql backup config
-  template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }}
+  template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644
   when: mysql_backup_defaults is defined
 
 - name: create mysql backup directory
-  file: path={{ mysql_backup_dir }} state=directory owner=root group=root
+  file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
   when: mysql_backup_dir is defined
 
 - name: install gitlab backup script

roles/bugbot/tasks/main.yml

@@ -22,7 +22,7 @@
   template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
 
 - name: install bugbot systemd service
-  copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service
+  copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644
 
 - name: start and enable bugbot service
   systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes

roles/common/tasks/main.yml

@@ -55,7 +55,7 @@
   when: configure_network
 
 - name: create symlink to resolv.conf
-  file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
+  file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes owner=root group=root mode=0755
   when: configure_network and not host_has_local_dns_resolver
 
 - name: create resolv.conf

roles/conf_archlinux/tasks/main.yml

@@ -14,10 +14,10 @@
   register: release
 
 - name: fix home permissions
-  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ conference_dir }}"
+  file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0750 path="{{ conference_dir }}"
 
 - name: create static conf.archlinux.org dir
-  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ static_conference_dir }}"
+  file: state=directory owner={{ conference_user }} group={{ conference_user }} mode=0755 path="{{ static_conference_dir }}"
 
 - name: generate conf.archlinux.org site
   command: hugo

roles/dbscripts/tasks/main.yml

@@ -76,7 +76,7 @@
   tags: ["archusers"]
 
 - name: create dbscripts paths
-  file: path="{{ item }}" state=directory
+  file: path="{{ item }}" state=directory owner=root group=root mode=0755
   with_items:
     - /srv/repos/svn-community
     - /srv/repos/svn-packages
@@ -167,19 +167,19 @@
     - svn-packages
 
 - name: make /srv/svn
-  file: path=/srv/svn state=directory
+  file: path=/srv/svn state=directory owner=root group=root mode=0755
 
 - name: symlink /srv/svn/community to /srv/repos/svn-community/svn
-  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link
+  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
 
 - name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
-  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link
+  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
 
 - name: symlink /community to /srv/repos/svn-community/dbscripts
-  file: path=/community src=/srv/repos/svn-community/dbscripts state=link
+  file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
 
 - name: symlink /packages to /srv/repos/svn-packages/dbscripts
-  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link
+  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
 
 - name: put rsyncd.conf into tmpfiles
   copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
@@ -301,7 +301,7 @@
     - firewall
 
 - name: configure svnserve
-  copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
+  copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
 
 - name: start and enable svnserve
   service: name=svnserve enabled=yes state=started

roles/docker_image/tasks/main.yml

@@ -12,7 +12,7 @@
   git: repo="{{ docker_image_git_remote }}" version="{{ docker_image_git_tag }}" dest="{{ docker_image_git_dir }}" force=yes
 
 - name: install sudoers file
-  template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image
+  template: src=sudoers.d.j2 dest=/etc/sudoers.d/docker-image owner=root group=root mode=0440
 
 - name: install docker_image service
   template: src='docker-image.service.j2' dest='/etc/systemd/system/docker-image.service' owner=root group=root mode=0644

roles/fluxbb/tasks/main.yml

@@ -11,15 +11,11 @@
     version: "{{ fluxbb_version }}"
 
 - name: fix home permissions
-  file: >
-    state=directory owner=fluxbb group=fluxbb recurse=yes
-    path="{{ fluxbb_dir }}"
+  file: state=directory owner=fluxbb group=fluxbb mode=0750 recurse=yes path="{{ fluxbb_dir }}"
   changed_when: False
 
 - name: create uploads directory
-  file: >
-    state=directory owner=fluxbb group=fluxbb
-    path="{{ fluxbb_dir }}/uploads"
+  file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
 
 - name: create mariadb database
   mysql_db: name=fluxbb state=present

roles/flyspray/tasks/main.yml

@@ -17,7 +17,7 @@
   register: user_created
 
 - name: fix home permissions
-  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
+  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0750
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
@@ -43,7 +43,7 @@
   register: release
 
 - name: fix home permissions
-  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}"
+  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
 
 - name: take away setup dir write permissions
   file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000

roles/gitlab_runner/tasks/main.yml

@@ -33,6 +33,9 @@
 - name: increase concurrency
   lineinfile:
     path: /etc/gitlab-runner/config.toml
+    owner: root
+    group: root
+    mode: 0640
     regexp: '^concurrent = .*'
     line: concurrent = 100
   notify: restart gitlab-runner

roles/hardening/tasks/main.yml

 ---
 
 - name: set restricted access to kernel logs
-  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
+  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
   notify:
     - apply sysctl settings
 
 - name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
-  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
+  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
   notify:
     - apply sysctl settings
 
 - name: set restricted access to kernel pointers in proc fs
-  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
+  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
   notify:
     - apply sysctl settings
 
 - name: set kernel lockdown to restricted
-  copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf
+  copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
   when: "'hcloud' in group_names"
   notify:
     - apply sysctl settings

roles/hetzner_storagebox/tasks/main.yml

@@ -23,7 +23,7 @@
   delegate_to: localhost
 
 - name: fill tempfile
-  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
+  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
   delegate_to: localhost
 
 - name: upload authorized_keys file

roles/install_arch/tasks/main.yml

@@ -40,7 +40,7 @@
   when: filesystem == "btrfs"
 
 - name: touch LOCK file on mountpoint
-  file: path=/mnt/LOCK state=touch
+  file: path=/mnt/LOCK state=touch owner=root group=root mode=0644
 
 - name: download bootstrap image
   get_url:
@@ -51,11 +51,14 @@
   unarchive:
     src: /tmp/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz
     dest: /tmp
+    owner: root
+    group: root
+    mode: 0644
     remote_src: yes
     creates: /tmp/root.x86_64
 
 - name: copy resolv.conf to bootstrap chroot
-  copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
+  copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644
 
 - name: mount /proc to bootstrap chroot
   mount:
@@ -147,7 +150,7 @@
     fstab: /dev/dummyfstab
 
 - name: configure locale.gen
-  lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
+  lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644
 
 - name: run locale-gen inside chroot
   command: chroot /mnt locale-gen
@@ -189,6 +192,9 @@
 - name: provide default mount options (btrfs)
   lineinfile:
     path: /mnt/etc/default/grub
+    owner: root
+    group: root
+    mode: 0644
     regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
     line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
   when: filesystem == "btrfs"
@@ -225,7 +231,7 @@
   template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
 
 - name: create symlink to resolv.conf
-  file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
+  file: src=/run/systemd/resolve/stub-resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes owner=root group=root mode=0644
 
 - name: clean pacman cache
   command: chroot /mnt pacman -Scc --noconfirm