Secure files permission

tasks/prepare.yml

@@ -19,6 +19,6 @@
     nginx_modules: "{{ shell_modules.stdout_lines }}"
 
 - name: FILE | Create folders
-  file: dest={{ item }} owner=root mode=0755 state=directory
+  file: dest="{{ item.dir }}" owner="{{ item.owner }}" mode="{{ item.mode }}" state=directory
   with_items: "{{ nginx_dirs }}"
 

tasks/ssl.yml

@@ -25,6 +25,7 @@
   copy: >
     content="{{ item.key }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
+    mode=0640
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.key is defined
   notify: reload nginx
@@ -34,6 +35,7 @@
   copy: >
     content="{{ item.cert }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+    mode=0644
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.cert is defined
   notify: reload nginx

tests/test.yml

@@ -147,6 +147,7 @@
         location:
           '/hello':
             - htpasswd: 'hello'
+        use_error_log: true
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'

vars/main.yml

@@ -23,9 +23,15 @@ nginx_upstream_server_params:
 #    min_version: '1.5.12'
 
 nginx_dirs:
-  - "{{ nginx_htpasswd_dir }}"
-  - "{{ nginx_ssl_dir }}"
-  - "{{ nginx_helper_dir }}"
+  - dir: "{{ nginx_htpasswd_dir }}"
+    mode: "0750"
+    owner: "{{ nginx_user }}"
+  - dir: "{{ nginx_ssl_dir }}"
+    mode: "0750"
+    owner: "root"
+  - dir: "{{ nginx_helper_dir }}"
+    mode: "0755"
+    owner: "root"
 
 nginx_templates_no_dir:
   - '_backuppc'