From 0ba86ec5f5949fb873b3ccf5ac143ef5c0c004e4 Mon Sep 17 00:00:00 2001 From: Jim Myhrberg Date: Sat, 18 Jan 2020 02:12:02 +0000 Subject: [PATCH] refactor: Improve permission handling and overall reliability --- tasks/install.yml | 2 +- tasks/latest_version.yml | 8 ++++++- tasks/main.yml | 42 ++++++++++------------------------ tasks/paths.yml | 47 +++++++++++++++++++++++++++++++++++++++ tasks/systemd_service.yml | 2 +- 5 files changed, 68 insertions(+), 33 deletions(-) create mode 100644 tasks/paths.yml diff --git a/tasks/install.yml b/tasks/install.yml index 4217f2e..24e2913 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -23,7 +23,7 @@ copy: src: "{{ adguardhome_unpack_dir }}/{{ adguardhome_bin_name }}" dest: "{{ adguardhome_bin_file }}" - mode: "755" + mode: "0755" remote_src: yes notify: restart adguardhome diff --git a/tasks/latest_version.yml b/tasks/latest_version.yml index 79788e7..f6a2925 100644 --- a/tasks/latest_version.yml +++ b/tasks/latest_version.yml @@ -1,4 +1,9 @@ --- +- name: Install python dependencies + pip: + name: github3.py + state: present + - name: Lookup latest release github_release: action: latest_release @@ -8,5 +13,6 @@ - name: Set desired version to version of latest release set_fact: - adguardhome_version: "{{ adguardhome_latest_release.tag | regex_replace('^v', '') }}" + adguardhome_version: >- + {{ adguardhome_latest_release.tag | regex_replace('^v', '') }} when: adguardhome_latest_release.tag is defined diff --git a/tasks/main.yml b/tasks/main.yml index 5ec5ef8..f4fe94c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -7,11 +7,6 @@ include_tasks: setup_redhat.yml when: ansible_os_family == 'RedHat' -- name: Install python dependencies - pip: - name: github3.py - state: present - - name: Check if binary is installed stat: path: "{{ adguardhome_bin_file }}" 
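Review bot: The new `pip` task in tasks/latest_version.yml installs `github3.py` with `state: present` and no `version:`, so each host pulls whatever release is current on PyPI at run time (and keeps whichever version it already had), which is an unpinned supply-chain dependency executed by the control flow that decides what binary to install. Pin it, e.g. `version: "<tested release>"` under `name: github3.py`, and consider moving it to a hash-checked requirements file for the controller rather than the managed host. The lookup that consumes it, `github_release`, is only partly visible in this hunk, so I cannot tell whether its result is additionally validated before `adguardhome_version` is set from the tag.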
@@ -33,16 +28,12 @@ changed_when: >- adguardhome_version_check.stdout.find('v' + adguardhome_version) == -1 failed_when: >- - adguardhome_version_check.rc != 0 and adguardhome_version_check.rc != 141 + adguardhome_version_check.rc != 0 and + adguardhome_version_check.rc != 1 and + adguardhome_version_check.rc != 141 when: >- adguardhome_binary_check.stat.exists -- name: "Install binary (v{{ adguardhome_version }} / {{ adguardhome_arch }})" - include_tasks: install.yml - when: >- - adguardhome_version_check.changed - or (not adguardhome_binary_check.stat.exists) - - name: Ensure user exists user: name: "{{ adguardhome_user }}" @@ -50,28 +41,19 @@ system: "{{ adguardhome_system_user }}" state: present -- name: Ensure data directory exists and has correct permissions - file: - path: "{{ adguardhome_data_dir }}" - owner: "{{ adguardhome_user }}" - group: "{{ adguardhome_group }}" - mode: "755" - recurse: yes - state: directory +- name: "Install binary (v{{ adguardhome_version }} / {{ adguardhome_arch }})" + include_tasks: install.yml + when: >- + adguardhome_version_check.changed + or (not adguardhome_binary_check.stat.exists) -- name: Ensure config directory exists and has correct permissions - file: - path: "{{ adguardhome_config_dir }}" - owner: "{{ adguardhome_user }}" - group: "{{ adguardhome_group }}" - mode: "755" - recurse: yes - state: directory +- name: Ensure various paths exist with correct permissions + include_tasks: paths.yml - name: Allow binary to bind to ports lower than 1024 as a non-root user capabilities: path: "{{ adguardhome_bin_file }}" - capability: CAP_NET_BIND_SERVICE=+eip + capability: cap_net_bind_service+eip state: present when: >- adguardhome_user != "root" @@ -79,7 +61,7 @@ - name: Disallow binary to bind to ports lower than 1024 as a non-root user capabilities: path: "{{ adguardhome_bin_file }}" - capability: CAP_NET_BIND_SERVICE=+eip + capability: cap_net_bind_service+eip state: absent when: >- adguardhome_user == "root" 
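Review bot: The widened `failed_when` now treats exit code 1 from the version check as success without saying why; the command that produces it is outside this hunk, so the reason for tolerating 1 (and 141, which is 128+13, i.e. presumably SIGPIPE from a downstream pipe) is not recoverable by a reader. Add a comment above `failed_when`, such as `# rc 1: <state the condition>; rc 141: SIGPIPE (128+13), expected when output is truncated by a pipe`. Note that when the check fails with a tolerated code and prints nothing, `changed_when` evaluates true and the install task later re-runs, so if a reinstall is the intended fallback that should be stated there too.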
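Review bot: The reordering puts "Install binary" and "Ensure various paths exist" ahead of the `capabilities` task, and that order is load-bearing but undocumented: on Linux both overwriting a file and changing its owner drop the `security.capability` xattr, so a future move of the install or paths include below this task would silently leave the binary unable to bind port 53 as a non-root user. Add a comment above the first `capabilities` task, e.g. `# Must run after install.yml and paths.yml: copying over or chowning the binary strips its file capabilities`. The `capabilities` module also needs `setcap`/`getcap` on the target; whether the setup_debian/setup_redhat includes referenced at the top of this file install libcap is not visible here.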
diff --git a/tasks/paths.yml b/tasks/paths.yml new file mode 100644 index 0000000..f5dc8ed --- /dev/null +++ b/tasks/paths.yml @@ -0,0 +1,47 @@ +--- +- name: Ensure binary file has correct permissions + file: + path: "{{ adguardhome_bin_file }}" + owner: "{{ adguardhome_user }}" + group: "{{ adguardhome_group }}" + mode: "0755" + +- name: Check state of data directory + file: + path: "{{ adguardhome_data_dir }}" + register: adguardhome_data_directory_state + +- name: Ensure data directory exists and has correct permissions + file: + path: "{{ adguardhome_data_dir }}" + owner: "{{ adguardhome_user }}" + group: "{{ adguardhome_group }}" + mode: "0755" + recurse: yes + state: directory + when: >- + adguardhome_data_directory_state.owner != adguardhome_user or + adguardhome_data_directory_state.group != adguardhome_group or + adguardhome_data_directory_state.mode != "0755" + +- name: Ensure config directory exists and has correct permissions + file: + path: "{{ adguardhome_config_dir }}" + owner: "{{ adguardhome_user }}" + group: "{{ adguardhome_group }}" + mode: "0755" + recurse: no + state: directory + +- name: Check if config file exists + stat: + path: "{{ adguardhome_config_file }}" + register: adguardhome_config_file_state + +- name: Ensure config file has correct permissions + file: + path: "{{ adguardhome_config_file }}" + owner: "{{ adguardhome_user }}" + group: "{{ adguardhome_group }}" + mode: "0644" + when: adguardhome_config_file_state.stat.exists diff --git a/tasks/systemd_service.yml b/tasks/systemd_service.yml index 510d77f..742a4e9 100644 --- a/tasks/systemd_service.yml +++ b/tasks/systemd_service.yml @@ -14,7 +14,7 @@ template: src: adguardhome.service.j2 dest: "/etc/systemd/system/{{ adguardhome_service_name }}.service" - mode: "755" + mode: "0664" register: adguardhome_systemd_unit notify: - reload systemd daemon
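Review bot: "Check state of data directory" calls the `file` module with no `state:`; when `{{ adguardhome_data_dir }}` does not exist yet the module defaults to `state: file` and fails with "is absent, cannot continue" instead of reporting absence, so a fresh host breaks here unless something earlier in the role (not visible in this patch) already created the directory, and the following task's `when:` also has no branch for a missing path. Use `stat` for the probe and drive the create/chown task from `stat.exists`, `stat.pw_name`, `stat.gr_name` and `stat.mode` as below. Separately, `0644` on the config file and `0755` on the data dir make both world-readable, and the AdGuardHome config presumably holds the admin password hash and the data dir the query log, so `0640`/`0750` with the service group would be the safer defaults; and giving the service account ownership of its own binary lets a compromised process rewrite its executable, so root ownership with `0755` is preferable for that task.
```yaml
- name: Check state of data directory
  stat:
    path: "{{ adguardhome_data_dir }}"
  register: adguardhome_data_directory_state

- name: Ensure data directory exists and has correct permissions
  # … unchanged: file: path/owner/group/mode/recurse/state …
  when: >-
    not adguardhome_data_directory_state.stat.exists or
    adguardhome_data_directory_state.stat.pw_name != adguardhome_user or
    adguardhome_data_directory_state.stat.gr_name != adguardhome_group or
    adguardhome_data_directory_state.stat.mode != "0755"
```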
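Review bot: The unit file mode in tasks/systemd_service.yml changes from `"755"` to `"0664"`, which drops the needless execute bits but adds group-write on a file under /etc/systemd/system that systemd runs as root; the template task sets no `owner`/`group`, so the group is whatever the connecting account's primary group is, which is usually root but is not guaranteed. Use the conventional `mode: "0644"` and set `owner: root` and `group: root` explicitly so the unit cannot be edited by anyone but root regardless of the connecting user.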