Clean up file permissions

playbooks/vars/9iron-apache.yml

@@ -1,30 +0,0 @@
-# vim:ft=ansible:
-apache_global_vhost_settings: |
-  DirectoryIndex index.php index.html
-  Protocols h2 http/1.1
-  <FilesMatch \.php$>
-  SetHandler "proxy:fcgi://127.0.0.1:9000"
-  </FilesMatch>
-apache_vhosts:
-  - servername: nc.9iron.club
-    extra_parameters: |
-      Redirect permanent / https://nc.9iron.club/
-  - servername: git.9iron.club
-    extra_parameters: |
-      Redirect permanent / https://git.9iron.club/
-apache_vhosts_ssl:
-  - servername: git.9iron.club
-    extra_parameters: |
-      ProxyPreserveHost On
-      ProxyRequests Off
-      ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
-    certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
-    certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
-    certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem
-  - servername: nc.9iron.club
-    extra_parameters: |
-      Header always set Strict-Transport-Security "max-age=31536000"
-    documentroot: /var/www/nextcloud
-    certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
-    certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
-    certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem

playbooks/vars/9iron-certbot.yml

@@ -1,10 +0,0 @@
-# vim:ft=ansible:
-certbot_admin_email: rehashedsalt@cock.li
-certbot_create_if_missing: yes
-certbot_create_method: standalone
-certbot_create_standalone_stop_services:
-  - apache2
-certbot_certs:
-  - domains:
-    - nc.9iron.club
-    - git.9iron.club

playbooks/vars/9iron-gitea.yml

@@ -1,19 +0,0 @@
-# vim:ft=ansible:
-# Look and feel
-gitea_app_name: "9iron Gitea"
-# Core config
-gitea_db_type: postgres
-gitea_db_host: 172.31.47.215:5432
-gitea_db_name: gitea
-gitea_db_user: gitea
-gitea_db_password: "{{ secret_gitea_9iron_db_pass }}"
-gitea_http_domain: git.9iron.club
-gitea_oauth2_enabled: no
-gitea_repository_root: /var/gitea
-gitea_require_signin: no
-gitea_root_url: https://git.9iron.club
-gitea_shell: "/bin/bash"
-gitea_ssh_domain: git.9iron.club
-gitea_ssh_port: 22
-gitea_start_ssh: no
-gitea_user: git

playbooks/web.yml

@@ -74,7 +74,6 @@
         backup_s3backup_list_extra:
           - /app/gitea/gitea
           - /data
-          - /var/lib/gitea
           - /var/www/nc.desu.ltd
           - /var/www/srv.9iron.club
           - /srv/desu.ltd
@@ -100,15 +99,11 @@
     - role: git
       vars:
         git_repos:
-          - repo: https://git.9iron.club/KidiroInfiniti/OTW_Site
-            dest: /var/www/www.otwstudios.org
           - repo: https://git.desu.ltd/salt/gitea-custom
             dest: /data/gitea/data/gitea/custom
       tags: [ web, git ]
     - role: nextcloud
       tags: [ web, nextcloud ]
-#    - role: gitea
-#      tags: [ web, gitea ]
 - hosts: web2.desu.ltd
   module_defaults:
     docker_container:

roles/ansible-pull/tasks/main.yml

@@ -8,9 +8,9 @@
   pip: name=ansible<5,ansible-lint state=latest
   when: ansible_os_family != "Gentoo"
 - name: configure systemd service
-  template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service
+  template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service mode=0644
 - name: configure systemd timer
-  template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer
+  template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer mode=0644
   notify: restart ansiblepull timer
 - name: enable timer
   systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started

roles/backup/tasks/main.yml

@@ -4,9 +4,9 @@
 - name: template out backup script
   template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
 - name: configure systemd service
-  template: src=backup.service dest=/etc/systemd/system/backup.service
+  template: src=backup.service dest=/etc/systemd/system/backup.service mode=0644
 - name: configure systemd timer
-  template: src=backup.timer dest=/etc/systemd/system/backup.timer
+  template: src=backup.timer dest=/etc/systemd/system/backup.timer mode=0644
   notify: restart backup timer
 - name: enable timer
   systemd: name=backup.timer state=started enabled=yes daemon_reload=yes

roles/common/tasks/system.yml

@@ -8,4 +8,4 @@
   timezone: name=America/Chicago
   notify: restart cron
 - name: configure shell profile
-  template: src=profile.sh dest=/etc/profile.d/50-ansible.sh
+  template: src=profile.sh dest=/etc/profile.d/50-ansible.sh mode=0644

roles/desktop/tasks/main.yml

@@ -2,9 +2,9 @@
 # vim:ft=ansible:
 ---
 - name: assure xorg.conf.d
-  file: path=/etc/X11/xorg.conf.d state=directory
+  file: path=/etc/X11/xorg.conf.d state=directory mode=0755
 - name: configure X misc
-  template: src={{ item }} dest=/etc/X11/xorg.conf.d/{{ item }}
+  template: src={{ item }} dest=/etc/X11/xorg.conf.d/{{ item }} mode=0644
   loop:
       # Disables mouse acceleration on all mouse peripherals
     - 90-mouse-acceleration.conf

roles/udev/tasks/main.yml

@@ -2,6 +2,6 @@
 # vim:ft=ansible:
 ---
 - name: configure udev rules
-  lineinfile: path=/etc/udev/rules.d/50-ansible.rules line={{ item }} create=yes
+  lineinfile: path=/etc/udev/rules.d/50-ansible.rules line={{ item }} create=yes mode=0644
   loop: "{{ udev_rules }}"
   notify: reload udev

roles/zerotier/tasks/main.yml

@@ -13,7 +13,7 @@
       apt: name=zerotier-one
   when: ansible_pkg_mgr == "apt"
 - name: template unit file
-  template: src=zerotier-one.service dest=/etc/systemd/system/zerotier-one.service
+  template: src=zerotier-one.service dest=/etc/systemd/system/zerotier-one.service mode=0644
   notify: restart zerotier
 - name: join network
   command: