From b9228588a8b344ae132c02af83495663e9037f04 Mon Sep 17 00:00:00 2001 From: Mike Wilson Date: Wed, 22 Feb 2023 19:36:39 -0500 Subject: [PATCH] Fixed some file permission issues --- ansible/roles/gitea/files/ssh_shim.sh | 1 + ansible/roles/gitea/tasks/main.yml | 30 ++++++++++++------- .../roles/gitea/templates/docker-compose.yml | 18 +++++++---- .../roles/lidarr/templates/docker-compose.yml | 1 + .../prowlarr/templates/docker-compose.yml | 1 + ansible/roles/pve/tasks/media-share.yml | 4 +-- .../qbittorrent/templates/docker-compose.yml | 1 + .../roles/radarr/templates/docker-compose.yml | 1 + .../roles/sonarr/templates/docker-compose.yml | 1 + 9 files changed, 38 insertions(+), 20 deletions(-) create mode 100644 ansible/roles/gitea/files/ssh_shim.sh diff --git a/ansible/roles/gitea/files/ssh_shim.sh b/ansible/roles/gitea/files/ssh_shim.sh new file mode 100644 index 0000000..8840ca6 --- /dev/null +++ b/ansible/roles/gitea/files/ssh_shim.sh @@ -0,0 +1 @@ +ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" diff --git a/ansible/roles/gitea/tasks/main.yml b/ansible/roles/gitea/tasks/main.yml index 86f1d3b..6cc1513 100644 --- a/ansible/roles/gitea/tasks/main.yml +++ b/ansible/roles/gitea/tasks/main.yml @@ -1,10 +1,27 @@ - name: Create service user user: - name: "{{ role_name }}" - system: true + name: git + password_lock: yes + generate_ssh_key: yes + ssh_key_comment: Gitea Host Key register: service_user become: true +- name: Add user git's ssh key to its own authorized_key file + ansible.posix.authorized_key: + user: git + key: "{{ service_user.ssh_public_key }}" + become: true + +- name: Install SSH shim script + copy: + src: ssh_shim.sh + dest: /usr/local/bin/gitea + owner: "{{ service_user.uid }}" + group: "{{ service_user.group }}" + mode: 711 + become: true + - name: Create install directory file: path: "{{ install_directory }}/{{ role_name }}" 
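Review bot: The new ssh_shim.sh has no interpreter line; its only line is the `ssh` command, so it runs only when sshd hands the file to a shell, and a direct exec of it fails with ENOEXEC. Add `#!/bin/sh` as the first line so the file is a self-describing script regardless of how it is invoked. Note also that `$SSH_ORIGINAL_COMMAND` comes from the remote git client and is spliced into a double-quoted string protected only by `\"`, so a value containing a quote or `$` changes how the forwarded command is split on the receiving side; how strictly Gitea's built-in SSH server parses that command is not shown in this patch, so it is worth confirming. `StrictHostKeyChecking=no` is acceptable here only because the target is the loopback address, and a short comment saying so would stop someone copying the line for a remote host.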
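Review bot: `mode: 711` in the new "Install SSH shim script" task is an unquoted integer, which Ansible applies as decimal 711 rather than octal 0711; decimal 711 is 0o1307, i.e. owner `-wx`, group none, other `rwx` plus the sticky bit, so the shim that sshd executes for the git account ends up world-writable. Write it as `mode: "0711"` (or the symbolic `"u=rwx,go=x"`). The truthy values in the same hunk, `password_lock: yes` and `generate_ssh_key: yes`, should be `true` for YAML 1.1/1.2 portability and yamllint's truthy rule. Dropping `system: true` turns `git` into a regular login-range account; if that is deliberate because the UID has to match what the container runs as, a one-line comment on the task saying so would help the next reader.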
@@ -13,15 +30,6 @@ mode: "{{ docker_compose_directory_mask }}" become: true -- name: Create config directory - file: - path: "{{ data_dir }}/{{ role_name }}" - state: directory - owner: "{{ service_user.uid }}" - group: "{{ service_user.uid }}" - mode: "{{ docker_compose_directory_mask }}" - become: true - - name: Copy docker-compose file to destination template: src: docker-compose.yml diff --git a/ansible/roles/gitea/templates/docker-compose.yml b/ansible/roles/gitea/templates/docker-compose.yml index 77faad3..b380cc8 100644 --- a/ansible/roles/gitea/templates/docker-compose.yml +++ b/ansible/roles/gitea/templates/docker-compose.yml @@ -16,18 +16,24 @@ services: networks: - traefik - default + ports: + - "127.0.0.1:2222:2222" environment: - "USER_UID={{ service_user.uid }}" - - "USER_GID={{ service_user.uid }}" - - GITEA_database__DB_TYPE=postgres - - GITEA_database__HOST=db:5432 - - GITEA_database__NAME=gitea - - GITEA_database__USER=gitea - - GITEA_database__PASSWD=gitea + - "USER_GID={{ service_user.group }}" + - GITEA__database__DB_TYPE=postgres + - GITEA__database__HOST=db:5432 + - GITEA__database__NAME=gitea + - GITEA__database__USER=gitea + - GITEA__database__PASSWD=gitea + - GITEA__server__START_SSH_SERVER=true + - GITEA__server__BUILTIN_SSH_SERVER_USER=git + - GITEA__server__SSH_LISTEN_PORT=2222 volumes: - "{{ data_dir }}/gitea:/data" - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro + - /home/git/.ssh:/data/git/.ssh # For SSH passthrough labels: traefik.enable: true traefik.http.routers.gitea.rule: "Host(`git.{{ personal_domain }}`)" diff --git a/ansible/roles/lidarr/templates/docker-compose.yml b/ansible/roles/lidarr/templates/docker-compose.yml index 6d0f15a..86c50b3 100644 --- a/ansible/roles/lidarr/templates/docker-compose.yml +++ b/ansible/roles/lidarr/templates/docker-compose.yml 
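Review bot: `GITEA__database__PASSWD=gitea`, renamed in this hunk, keeps a literal database credential in a committed template; move it to a vaulted variable, e.g. `- "GITEA__database__PASSWD={{ gitea_db_password }}"`, so the rename is not the only thing that ever happens to it. The loopback-only, quoted `"127.0.0.1:2222:2222"` port mapping is the right shape for the passthrough and avoids the sexagesimal trap. The new bind mount `/home/git/.ssh:/data/git/.ssh` hands the host account's SSH directory to the container process running as `USER_UID`/`USER_GID` of that same user, so the `authorized_keys` the Ansible role seeds is presumably the file Gitea will maintain from inside the container; extending the inline comment to say that host-side edits to `/home/git/.ssh/authorized_keys` are expected to be managed by Gitea would save the next maintainer a surprise.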
@@ -15,6 +15,7 @@ services: - "PUID={{ service_user.uid }}" - "PGID={{ media_gid }}" - "TZ={{ timezone }}" + - "UMASK=002" volumes: - "{{ data_dir }}/{{ role_name }}:/config" - "{{ media_storage_mnt }}/data:/data" diff --git a/ansible/roles/prowlarr/templates/docker-compose.yml b/ansible/roles/prowlarr/templates/docker-compose.yml index cfdc5fc..efe433b 100644 --- a/ansible/roles/prowlarr/templates/docker-compose.yml +++ b/ansible/roles/prowlarr/templates/docker-compose.yml @@ -15,6 +15,7 @@ services: - "PUID={{ service_user.uid }}" - "PGID={{ media_gid }}" - "TZ={{ timezone }}" + - "UMASK=002" volumes: - "{{ data_dir }}/{{ role_name }}:/config" - "{{ media_storage_mnt }}/data:/data" diff --git a/ansible/roles/pve/tasks/media-share.yml b/ansible/roles/pve/tasks/media-share.yml index 1452ed9..292c6d2 100644 --- a/ansible/roles/pve/tasks/media-share.yml +++ b/ansible/roles/pve/tasks/media-share.yml @@ -8,9 +8,7 @@ - name: Set media directory permissions ansible.builtin.file: path: "{{ media_storage_mnt }}/data" - state: directory - owner: "{{ primary_gid }}" group: media - mode: 0775 + mode: "a=,a+rX,u+w,g+w" recurse: yes become: true diff --git a/ansible/roles/qbittorrent/templates/docker-compose.yml b/ansible/roles/qbittorrent/templates/docker-compose.yml index 2f7b2b5..9f144b6 100644 --- a/ansible/roles/qbittorrent/templates/docker-compose.yml +++ b/ansible/roles/qbittorrent/templates/docker-compose.yml @@ -10,6 +10,7 @@ services: - "PUID={{ service_user.uid }}" - "PGID={{ media_gid }}" - "TZ={{ timezone }}" + - "UMASK=002" #- DOCKER_MODS=arafatamim/linuxserver-io-mod-vuetorrent volumes: - "{{ data_dir }}/{{ role_name }}:/config" diff --git a/ansible/roles/radarr/templates/docker-compose.yml b/ansible/roles/radarr/templates/docker-compose.yml index c670d77..3717825 100644 --- a/ansible/roles/radarr/templates/docker-compose.yml +++ b/ansible/roles/radarr/templates/docker-compose.yml 
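Review bot: `UMASK=002` widens the default mode of everything the lidarr process creates, not only files under `/data`: the contents of `/config` (database, settings including the API key) become group-writable, and because `PGID` is `{{ media_gid }}` that group is every member of the shared media group. If group-write is only needed on the media tree, either narrow the umask or make sure the host directory behind `/config` (`{{ data_dir }}/{{ role_name }}`) denies group access so the file modes inside it do not matter; a comment such as `# group-writable so other media-group services can manage files in /data` would record why the umask is set. The same line is added to the prowlarr, qbittorrent, radarr and sonarr compose templates later in this patch and the same consideration applies to each.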
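Review bot: The new symbolic mode `"a=,a+rX,u+w,g+w"` in "Set media directory permissions" begins with `a=`, which with `recurse: yes` also clears the special bits, so any setgid bit previously set on the media directories to make new files inherit the `media` group is dropped; if group inheritance was relied upon, reapply `g+s` to directories in a separate task, since a recursive `g+s` here would also land on regular files. Removing `state: directory` is fine per the module docs (state defaults to `directory` when `recurse` is set), but removing `owner` while keeping `group: media` means existing ownership is left as is, which is presumably intended and deserves a comment. `recurse: yes` should be `recurse: true` to match yamllint's truthy rule.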
@@ -18,6 +18,7 @@ services: - "PUID={{ service_user.uid }}" - "PGID={{ media_gid }}" - "TZ={{ timezone }}" + - "UMASK=002" volumes: - "{{ data_dir }}/{{ role_name }}:/config" - "{{ media_storage_mnt }}/data:/data" diff --git a/ansible/roles/sonarr/templates/docker-compose.yml b/ansible/roles/sonarr/templates/docker-compose.yml index b7fb8fa..37813a7 100644 --- a/ansible/roles/sonarr/templates/docker-compose.yml +++ b/ansible/roles/sonarr/templates/docker-compose.yml @@ -18,6 +18,7 @@ services: - "PUID={{ service_user.uid }}" - "PGID={{ media_gid }}" - "TZ={{ timezone }}" + - "UMASK=002" volumes: - "{{ data_dir }}/{{ role_name }}:/config" - "{{ media_storage_mnt }}/data:/data"