Some of these permissions might need to be redone

In the past we only picked the umask of the client system, but what
happens in case of a directory is not well defined.

Author: vmcj

icpc-wf/ansible/domserver.yml

@@ -75,6 +75,9 @@
       copy:
         src: files/docs.yaml
         dest: "{{ DJ_DIR }}/etc/"
+        mode: 0644
+        group: root
+        owner: root
       notify: clear application cache
 
     - name: add autostart shortcuts

icpc-wf/ansible/roles/base_packages/tasks/main.yml

@@ -113,6 +113,9 @@
   get_url:
     url: https://getcomposer.org/installer
     dest: /root/composer-setup.php
+    owner: root
+    group: root
+    mode: 0755
   when: not composer_file.stat.exists
 
 - name: Install composer

icpc-wf/ansible/roles/cds/tasks/main.yml

@@ -55,6 +55,7 @@
     remote_src: true
     owner: domjudge
     group: domjudge
+    mode: 0644
   when: cds_war.stat.exists
   notify: restart cds
 
@@ -97,6 +98,7 @@
   copy:
     src: cds.service
     dest: /etc/systemd/system/
+    mode: 0644
   notify:
     - restart cds
 
@@ -112,6 +114,9 @@
       template:
         src: cds.conf.j2
         dest: /etc/nginx/sites-available/cds.conf
+        mode: 0644
+        group: root
+        owner: root
       notify: restart nginx
 
     - name: enable nginx conf for CDS

icpc-wf/ansible/roles/clusterssh/tasks/main.yml

@@ -15,6 +15,7 @@
     regexp: '^all'
     line: "all {{ groups['all'] | join(' ') }}"
     create: true
+    mode: 0644
 
 - name: create clusterssh config groups
   become: true
@@ -24,6 +25,7 @@
     regexp: '^{{ item }}s'
     line: "{{ item }}s {{ groups[item] | join(' ') }}"
     create: true
+    mode: 0644
   loop:
     - domserver
     - judgehost

icpc-wf/ansible/roles/domjudge_build/tasks/main.yml

@@ -44,9 +44,15 @@
   copy:
     src: rsyslog.domjudge.conf
     dest: /etc/rsyslog.d/domjudge.conf
+    mode: 0644
+    group: root
+    owner: root
   notify: restart rsyslog
 
 - name: configure domjudge logrotate
   copy:
     src: logrotate.domjudge
     dest: /etc/logrotate.d/domjudge
+    mode: 0644
+    group: root
+    owner: root

icpc-wf/ansible/roles/domjudge_checkout/tasks/main.yml

@@ -7,6 +7,7 @@
     state: directory
     owner: domjudge
     group: domjudge
+    mode: 0755
 
 - name: Update repo URL based on network
   set_fact:

icpc-wf/ansible/roles/domjudge_user/tasks/main.yml

@@ -23,6 +23,7 @@
     value: "{{ item.value }}"
     owner: domjudge
     group: domjudge
+    mode: 0644
   loop:
     - { name: 'email', value: '[email protected]' }
     - { name: 'name', value: 'DOMjudge team' }
@@ -35,13 +36,15 @@
     value: "remote"
     owner: domjudge
     group: domjudge
+    mode: 0644
 
 - name: enable GDM autologin
   lineinfile:
     path: /etc/gdm3/custom.conf
     regexp: 'AutomaticLoginEnable'
     line: 'AutomaticLoginEnable=true'
     create: true
+    mode: 0644
   notify: restart gdm
 
 - name: Automatically login domjudge user
@@ -52,4 +55,9 @@
   notify: restart gdm
 
 - name: make sure autostart directory exists
-  file: dest=/home/domjudge/.config/autostart state=directory owner=domjudge group=domjudge
+  file:
+    dest: /home/domjudge/.config/autostart
+    state: directory
+    owner: domjudge
+    group: domjudge
+    mode: 0755

icpc-wf/ansible/roles/domserver/tasks/main.yml

@@ -5,12 +5,18 @@
   template:
     src: dbpasswords.secret.j2
     dest: "{{ DJ_DIR }}/etc/dbpasswords.secret"
+    mode: 0644
+    group: root
+    owner: root
   notify: fix permissions on domjudge inplace-install
 
 - name: install initial_admin_password.secret file
   template:
     src: initial_admin_password.secret.j2
     dest: "{{ DJ_DIR }}/etc/initial_admin_password.secret"
+    mode: 0644
+    group: domjudge
+    owner: domjudge
   notify: fix permissions on domjudge inplace-install
 
 # When using replication, the DB will be dropped and recreated on the slave later.
@@ -51,12 +57,18 @@
   template:
     src: nginx-domjudge.conf.j2
     dest: /etc/nginx/sites-available/domjudge.conf
+    mode: 0644
+    group: root
+    owner: root
   notify: restart nginx
 
 - name: add domjudge inner nginx conf
   template:
     src: nginx-domjudge-inner.j2
     dest: /etc/nginx/snippets/domjudge-inner
+    mode: 0644
+    group: root
+    owner: root
   notify: restart nginx
 
 - name: enable nginx conf for domjudge

icpc-wf/ansible/roles/grafana/tasks/main.yml

@@ -24,6 +24,9 @@
   template:
     src: prometheus.yml.j2
     dest: /etc/prometheus/prometheus.yml
+    mode: 0644
+    owner: root
+    group: root
   notify: restart prometheus
 
 # Setup loki which gathers our logs

icpc-wf/ansible/roles/judgedaemon/tasks/main.yml

@@ -59,6 +59,9 @@
   copy:
     src: tune_cpu.service
     dest: /etc/systemd/system/
+    mode: 0644
+    group: root
+    owner: root
   notify:
     - enable and restart tune_cpu
 
@@ -67,6 +70,9 @@
     remote_src: true
     src: "{{ DJ_DIR }}/lib/judge/{{ item }}.service"
     dest: /etc/systemd/system/
+    mode: 0644
+    group: root
+    owner: root
   loop:
     - create-cgroups
     - domjudge-judgedaemon@
@@ -77,6 +83,9 @@
   template:
     src: domjudge-judgehost.target.j2
     dest: /etc/systemd/system/domjudge-judgehost.target
+    mode: 0644
+    group: root
+    owner: root
   notify:
     - enable and restart judgedaemon