From fd08d83275a042c3e9f2f5c9ffe41d595b9907d4 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Thu, 29 Aug 2019 12:19:53 +0000
Subject: [PATCH] Restricted permissions for service files
---
 roles/server/firefox-sync/tasks/main.yml | 6 ++++++
 roles/server/gitea/tasks/main.yml | 3 +++
 roles/server/node/tasks/main.yml | 3 +++
 roles/server/spotme/tasks/main.yml | 3 +++
 4 files changed, 15 insertions(+)
diff --git a/roles/server/firefox-sync/tasks/main.yml b/roles/server/firefox-sync/tasks/main.yml
index 941f5d8..2c5240b 100644
--- a/roles/server/firefox-sync/tasks/main.yml
+++ b/roles/server/firefox-sync/tasks/main.yml
@@ -47,6 +47,9 @@
 template:
 src: "firefox.socket"
 dest: "{{ global_systemd_configuration_directory }}/{{ socket_name }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o="
 notify:
 - reload systemd
 - restart firefox-sync
@@ -55,6 +58,9 @@
 template:
 src: "firefox.service"
 dest: "{{ global_systemd_configuration_directory }}/{{ service_name }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o="
 notify:
 - reload systemd
 - restart firefox-sync
diff --git a/roles/server/gitea/tasks/main.yml b/roles/server/gitea/tasks/main.yml
index c658122..b0a4e6f 100644
--- a/roles/server/gitea/tasks/main.yml
+++ b/roles/server/gitea/tasks/main.yml
@@ -76,6 +76,9 @@
 template:
 src: "gitea.service"
 dest: "{{ global_systemd_configuration_directory }}/{{ gitea_service_name }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o="
 notify:
 - reload systemd
 - restart gitea
diff --git a/roles/server/node/tasks/main.yml b/roles/server/node/tasks/main.yml
index fcb9435..e3f6c9b 100644
--- a/roles/server/node/tasks/main.yml
+++ b/roles/server/node/tasks/main.yml
@@ -11,4 +11,7 @@
 template:
 src: node.service
 dest: "{{ global_systemd_configuration_directory }}/{{ service_name }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o="
 notify: "restart {{ domain }}"
diff --git a/roles/server/spotme/tasks/main.yml b/roles/server/spotme/tasks/main.yml
index 1ed7743..97ebc98 100644
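Review bot: The added `mode: "u=rw,g=r,o="` with `owner: root` / `group: root` on this socket unit, and on the four other unit templates touched by the patch (firefox.service, gitea.service, node.service, spotme.service), only restricts reading the file on disk. It does not keep a loaded unit's settings private, because systemd exposes unit properties, including `Environment=` values, to unprivileged clients over D-Bus (`systemctl show`). The templates are not visible here, so if the restriction is meant to protect credentials rendered into them, those belong in a root-only `EnvironmentFile=` or `LoadCredential=` rather than in the unit itself. If no secrets are involved, a comment above each task such as `# unit file is root-only by policy; non-root "systemctl cat" will fail` would record the intent, since it differs from the usual world-readable unit mode. Each task starts above its hunk, so its `name:` and any `become:` setting are not visible here.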
--- a/roles/server/spotme/tasks/main.yml
+++ b/roles/server/spotme/tasks/main.yml
@@ -92,4 +92,7 @@
 template:
 src: spotme.service
 dest: "{{ global_systemd_configuration_directory }}/{{ spotme_service_name }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o="
 notify: restart spotme