testing

roles/base/tasks/firewall.yml

@@ -32,12 +32,14 @@
   ansible.builtin.template:
     src: fail2ban-ssh.conf.j2
     dest: /etc/fail2ban/jail.d/sshd.conf
+    mode: 0640
   notify: restart_fail2ban
 
 - name: Install Fail2ban IP allow list
   ansible.builtin.template:
     src: fail2ban-allowlist.conf.j2
     dest: /etc/fail2ban/jail.d/allowlist.conf
+    mode: 0640
   when: fail2ban_ignoreip is defined
   notify: restart_fail2ban
 

roles/base/tasks/mail.yml

@@ -11,9 +11,10 @@
   ansible.builtin.template:
     src: msmtprc.j2
     dest: /root/.msmtprc
-    mode: 0700
+    mode: 0600
 
 - name: Install /etc/aliases
   ansible.builtin.copy:
     dest: /etc/aliases
     content: "root: {{ mail.rootalias }}"
+    mode: 0644

roles/base/tasks/main.yml

@@ -1,24 +1,31 @@
-- ansible.builtin.import_tasks: ansible.yml
+- name: Import Ansible tasks
+  ansible.builtin.import_tasks: ansible.yml
   tags: ansible
 
-- ansible.builtin.import_tasks: system.yml
+- name: Import System tasks
+  ansible.builtin.import_tasks: system.yml
   tags: system
 
-- ansible.builtin.import_tasks: firewall.yml
+- name: Import Firewall tasks
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
-- ansible.builtin.import_tasks: network.yml
+- name: Import Network tasks
+  ansible.builtin.import_tasks: network.yml
   tags: network
   when: manage_network
 
-- ansible.builtin.import_tasks: mail.yml
+- name: Import Mail tasks
+  ansible.builtin.import_tasks: mail.yml
   tags: mail
   when: mail is defined
 
-- ansible.builtin.import_tasks: ddclient.yml
+- name: Import ddclient tasks
+  ansible.builtin.import_tasks: ddclient.yml
   tags: ddclient
   when: ddclient is defined
 
-- ansible.builtin.import_tasks: wireguard.yml
+- name: Import WireGuard tasks
+  ansible.builtin.import_tasks: wireguard.yml
   tags: wireguard
   when: wireguard is defined

roles/base/tasks/network.yml

@@ -10,5 +10,6 @@
   ansible.builtin.template:
     src: "interface.j2"
     dest: "/etc/network/interfaces.d/{{ item.name }}"
+    mode: 0400
   loop: "{{ interfaces }}"
   notify: reboot_host

roles/base/tasks/system.yml

@@ -8,6 +8,7 @@
   ansible.builtin.template:
     src: authorized_keys.j2
     dest: /root/.ssh/authorized_keys
+    mode: 0400
   when: authorized_keys is defined
 
 - name: Manage filesystem mounts

roles/base/tasks/wireguard.yml

@@ -5,7 +5,9 @@
     update_cache: true
 
 - name: Generate WireGuard keys
-  ansible.builtin.shell: wg genkey | tee privatekey | wg pubkey > publickey
+  ansible.builtin.shell: |
+    set -o pipefail
+    wg genkey | tee privatekey | wg pubkey > publickey
   args:
     chdir: /etc/wireguard/
     creates: /etc/wireguard/privatekey
@@ -19,8 +21,8 @@
   ansible.builtin.template:
     src: wireguard.j2
     dest: /etc/wireguard/wg0.conf
-  notify:
+    mode: 0400
-    - restart_wireguard
+  notify: restart_wireguard
 
 - name: Start WireGuard interface
   ansible.builtin.service:

roles/docker/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Reload systemd manager configuration
+  ansible.builtin.systemd:
+    daemon_reload: true
+  listen: compose_systemd

roles/docker/tasks/main.yml

@@ -8,17 +8,14 @@
   ansible.builtin.file:
     path: "{{ docker_compose_root }}"
     state: directory
+    mode: 0500
 
 - name: Install docker-compose systemd service
   ansible.builtin.template:
     src: docker-compose.service.j2
     dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
-  register: compose_systemd
+    mode: 0400
-
+  notify: compose_systemd
-- name: Reload systemd manager configuration
-  ansible.builtin.systemd:
-    daemon_reload: true
-  when: compose_systemd.changed
 
 - name: Add users to docker group
   ansible.builtin.user:

roles/jellyfin/tasks/main.yml

@@ -2,18 +2,19 @@
   ansible.builtin.file:
     path: "{{ jellyfin_root }}"
     state: directory
+    mode: 0500
 
 - name: Create jellyfin user
   ansible.builtin.user:
     name: jellyfin
     state: present
 
-- name: jellyfin user uid
+- name: Get user jellyfin uid
   ansible.builtin.getent:
     database: passwd
     key: jellyfin
 
-- name: jellyfin user gid
+- name: Get user jellyfin gid
   ansible.builtin.getent:
     database: group
     key: jellyfin
@@ -22,12 +23,14 @@
   ansible.builtin.template:
     src: docker-compose.yml.j2
     dest: "{{ jellyfin_root }}/docker-compose.yml"
+    mode: 0400
   notify: restart_jellyfin
 
 - name: Install Jellyfin's docker-compose variables
   ansible.builtin.template:
     src: compose-env.j2
     dest: "{{ jellyfin_root }}/.env"
+    mode: 0400
   notify: restart_jellyfin
 
 - name: Start and enable Jellyfin service

roles/proxy/tasks/main.yml

@@ -36,12 +36,13 @@
     src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
     dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
     state: link
+    mode: 0400
   loop: "{{ nginx_sites.results }}"
   when: item.changed
   notify: reload_nginx
 
 - name: Generate self-signed certificate
-  ansible.builtin.shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
           -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
           -keyout /etc/ssl/private/nginx-selfsigned.key \
           -out    /etc/ssl/certs/nginx-selfsigned.crt'
@@ -60,13 +61,14 @@
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
-    mode: '0600'
+    mode: 0400
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
   ansible.builtin.file:
     path: /etc/letsencrypt/renewal-hooks/post
     state: directory
+    mode: 0500
   when: proxy.production is defined and proxy.production
 
 - name: Install nginx post renewal hook

roles/traefik/handlers/main.yml

@@ -2,6 +2,7 @@
   ansible.builtin.file:
     path: "{{ traefik_root }}/config/dynamic"
     state: touch
+    mode: 0500
   listen: reload_traefik
 
 - name: Restart Traefik

roles/traefik/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Create Traefik directories
   ansible.builtin.file:
     path: "{{ traefik_root }}/config/dynamic"
+    mode: 0500
     state: directory
 
 - name: Install dynamic security configuration
@@ -9,13 +10,14 @@
     dest: "{{ traefik_root }}/config/dynamic/security.yml"
     owner: root
     group: root
-    mode: 0600
+    mode: 0400
   notify: reload_traefik
 
 - name: Install dynamic non-docker configuration
   ansible.builtin.template:
     src: "external.yml.j2"
     dest: "{{ traefik_root }}/config/dynamic/{{ item.name }}.yml"
+    mode: 0400
   loop: "{{ traefik_external }}"
   when: traefik_external is defined
 
@@ -23,18 +25,21 @@
   ansible.builtin.template:
     src: docker-compose.yml.j2
     dest: "{{ traefik_root }}/docker-compose.yml"
+    mode: 0400
   notify: restart_traefik
 
 - name: Install Traefik's docker-compose variables
   ansible.builtin.template:
     src: compose-env.j2
     dest: "{{ traefik_root }}/.env"
+    mode: 0400
   notify: restart_traefik
 
 - name: Install static Traefik configuration
   ansible.builtin.template:
     src: traefik.yml.j2
     dest: "{{ traefik_root }}/config/traefik.yml"
+    mode: 0400
   notify: restart_traefik
 
 - name: Start and enable Traefik service