UploadShied/scripts/ansible/upload-logger-provision.yml

---
# Ansible playbook snippet to provision upload-logger directories and permissions.
# Usage: ansible-playbook -i inventory scripts/ansible/upload-logger-provision.yml

- hosts: web
  become: true
  vars:
    upload_logger_root: "{{ playbook_dir | default('.') | dirname | realpath }}"
    quarantine_dir: "{{ upload_logger_root }}/quarantine"
    state_dir: "{{ upload_logger_root }}/state"
    quarantine_owner: "root"
    quarantine_group: "www-data"
    quarantine_perms: "0700"
    state_perms: "0750"
    selinux_fcontext: "httpd_sys_rw_content_t"

  tasks:
    - name: Ensure quarantine directory exists
      file:
        path: "{{ quarantine_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ quarantine_perms }}"

    - name: Ensure state directory exists
      file:
        path: "{{ state_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ state_perms }}"

    - name: Ensure quarantined files have strict permissions (files -> 0600)
      find:
        paths: "{{ quarantine_dir }}"
        file_type: file
      register: quarantine_files

    - name: Set strict mode on existing quarantined files
      file:
        path: "{{ item.path }}"
        mode: '0600'
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
      loop: "{{ quarantine_files.files }}"
      when: quarantine_files.matched > 0

    - name: Set SELinux fcontext for quarantine dir (when selinux enabled)
      when: ansible_selinux.status == 'enabled'
      sefcontext:
        target: "{{ quarantine_dir }}(/.*)?"
        setype: "{{ selinux_fcontext }}"

    - name: Set SELinux fcontext for state dir (when selinux enabled)
      when: ansible_selinux.status == 'enabled'
      sefcontext:
        target: "{{ state_dir }}(/.*)?"
        setype: "{{ selinux_fcontext }}"

    - name: Apply SELinux contexts
      when: ansible_selinux.status == 'enabled'
      command: restorecon -Rv {{ quarantine_dir }} {{ state_dir }}