extra_custom_certs_file_directory_certs_dir:
file.directory:
- name: /etc/nginx/ssl
+ - user: root
+ - group: root
+ - dir_mode: 0750
+ - file_mode: 0640
- require:
- pkg: nginx_install
+ - recurse:
+ - user
+ - group
+ - mode
{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
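Review bot: The added `- dir_mode: 0750` and `- file_mode: 0640` are unquoted, so a YAML 1.1 loader reads them as octal integers rather than as mode strings. Salt's documentation asks for modes with a leading zero to be wrapped in quotes. Write them as `- dir_mode: '0750'` and `- file_mode: '0640'`, and do the same for the `- mode: 0640` added to the certificate copy state in the next hunk. Because `recurse` includes `mode`, a misread value could be applied to every file under `/etc/nginx/ssl`, so verify the resulting permissions on a test node.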
- force: true
- user: root
- group: root
+ - mode: 0640
- unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
- require:
- file: extra_custom_certs_file_directory_certs_dir
# from that.
ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
fi
git push $NODE $BRANCH
ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
fi
# The update case.
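Review bot: The two `chmod 700` calls run only after `git init --bare` and `git clone` have already created `${GITTARGET}.git` and `${GITTARGET}` under the remote account's default umask. The pushed tree is therefore briefly readable by whoever that umask allows, and a failed or interrupted `chmod` leaves it that way. Setting the umask in the same remote command closes the gap, for example `ssh $DEPLOY_USER@$NODE "umask 077 && git init --bare ${GITTARGET}.git"` and `ssh $DEPLOY_USER@$NODE "umask 077 && git clone ${GITTARGET}.git ${GITTARGET}"`. Whether the script aborts on a failing `ssh` is not visible here, and the enclosing function starts and ends outside the hunk.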
logfile=deploy-${NODE}-$(date -Iseconds).log
if [[ "$NODE" = localhost ]] ; then
- SUDO=''
+ SUDO=''
if [[ $(whoami) != 'root' ]] ; then
SUDO=sudo
fi
echo "Initializing $SETUPDIR"
git init $SETUPDIR
+ chmod 700 $SETUPDIR
cp -r *.sh tests $SETUPDIR
cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
cert_name=${2}
mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
if [ -f ${cert_dir}/${cert_name}.crt ]; then
cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
else
echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
exit 1
fi
if [ -f ${cert_dir}/${cert_name}.key ]; then
cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.key
else
echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
exit 1
grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
else
mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
if [ "${SSL_MODE}" = "bring-your-own" ]; then
# Copy certs to formula extra/files
cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+ chmod 600 /srv/salt/certs/*
# We add the custom_certs state
grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
fi
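Review bot: `chmod 600 /srv/salt/certs/*` follows a recursive `cp -rv`, so any subdirectory copied from `${CUSTOM_CERTS_DIR}` loses its search bit while the files inside it keep whatever mode they were copied with. The glob does not match dotfiles either. A recursive symbolic mode handles both cases: `chmod -R u=rwX,go= /srv/salt/certs`. If `${CUSTOM_CERTS_DIR}` is expected to be flat, a comment above the `cp` such as `# CUSTOM_CERTS_DIR must contain only regular files` would make that assumption explicit.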