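---
# Ansible playbook snippet to provision upload-logger directories and permissions.
# Usage: ansible-playbook -i inventory scripts/ansible/upload-logger-provision.yml
#
# Creates the quarantine and state directories, tightens the mode of every
# file already sitting in quarantine, and on SELinux-enabled hosts labels both
# trees so the web server domain is permitted to reach them.
- hosts: web
  become: true
  vars:
    # playbook_dir and the realpath filter are evaluated on the controller;
    # the resulting absolute path is then created on each remote host.
    # NOTE(review): confirm the checkout lives at the same path on both
    # sides — otherwise set upload_logger_root explicitly per inventory.
    upload_logger_root: "{{ playbook_dir | default('.') | dirname | realpath }}"
    quarantine_dir: "{{ upload_logger_root }}/quarantine"
    state_dir: "{{ upload_logger_root }}/state"
    quarantine_owner: "root"
    quarantine_group: "www-data"
    # Quarantine is root-only (0700): the group entry grants nothing here, so
    # only root (or a root-run consumer) can read quarantined uploads.
    quarantine_perms: "0700"
    # State is group-readable/traversable for the web server group.
    state_perms: "0750"
    # Label applied to both trees when SELinux is enabled.
    selinux_fcontext: "httpd_sys_rw_content_t"

  tasks:
    - name: Ensure quarantine directory exists
      file:
        path: "{{ quarantine_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ quarantine_perms }}"

    - name: Ensure state directory exists
      file:
        path: "{{ state_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ state_perms }}"

    # find defaults to hidden: false and recurse: false, which would leave
    # dotfiles and anything in a sub-directory at whatever mode the writer
    # used; quarantine must cover every file, so both are switched on.
    - name: Collect existing quarantined files
      find:
        paths: "{{ quarantine_dir }}"
        file_type: file
        hidden: true
        recurse: true
      register: quarantine_files

    # Looping over an empty result list is a no-op, so no matched-count guard
    # is needed. loop_control.label keeps the full stat dict out of the log.
    - name: Set strict mode on existing quarantined files (0600)
      file:
        path: "{{ item.path }}"
        mode: "0600"
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
      loop: "{{ quarantine_files.files }}"
      loop_control:
        label: "{{ item.path }}"

    # The SELinux tasks check that the fact exists first so the play still
    # runs with gather_facts: false or on hosts that report no selinux facts.
    - name: Set SELinux fcontext for quarantine dir (when selinux enabled)
      sefcontext:
        target: "{{ quarantine_dir }}(/.*)?"
        setype: "{{ selinux_fcontext }}"
      when:
        - ansible_selinux is defined
        - ansible_selinux.status == 'enabled'

    - name: Set SELinux fcontext for state dir (when selinux enabled)
      sefcontext:
        target: "{{ state_dir }}(/.*)?"
        setype: "{{ selinux_fcontext }}"
      when:
        - ansible_selinux is defined
        - ansible_selinux.status == 'enabled'

    # argv passes the templated paths as whole arguments instead of having the
    # command module re-split them on whitespace. restorecon -v prints only the
    # entries it relabels, so an empty stdout means nothing changed; without
    # changed_when this task would report "changed" on every run.
    - name: Apply SELinux contexts
      command:
        argv:
          - restorecon
          - "-Rv"
          - "{{ quarantine_dir }}"
          - "{{ state_dir }}"
      register: restorecon_result
      changed_when: restorecon_result.stdout | length > 0
      when:
        - ansible_selinux is defined
        - ansible_selinux.status == 'enabled'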