From 4275cab72a93193ff44251126e543c544527e1ae Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 16 Sep 2021 17:25:24 +0200
Subject: [PATCH] systemd files : 644 permissions and owner/group

---
 CHANGELOG.md                        | 1 +
 docker-host/tasks/main.yml          | 2 ++
 elasticsearch/tasks/plugin_head.yml | 3 +++
 evolinux-base/tasks/log2mail.yml    | 2 ++
 evolinux-base/tasks/system.yml      | 2 ++
 memcached/tasks/main.yml            | 3 +++
 mysql/tasks/config_stretch.yml      | 3 +++
 nginx/tasks/munin_vhost.yml         | 3 +++
 postgresql/tasks/config.yml         | 3 +++
 squid/tasks/systemd.yml             | 3 +++
 10 files changed, 25 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17dd6ce3..98ef37e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ The **patch** part changes incrementally at each release.
 
 * Use python3 modules for Debian 11 and later
 * Remove embedded GPG keys only if legacy keyring is present
+* systemd files : 644 permissions and owner/group
 * apt: remove workaround for Evolix public repositories with Debian 11
 * apt: use the new security repository for Bullseye
 * certbot: silence letsencrypt deprecation warnings
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml
index 796c800d..2eacdd92 100644
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@@ -70,6 +70,8 @@
   copy:
     src: docker.conf
     dest: /etc/systemd/system/docker.service.d/
+    owner: root
+    group: root
     mode: "0644"
   notify: reload systemd
 
diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml
index 2f7cae39..cd63c65e 100644
--- a/elasticsearch/tasks/plugin_head.yml
+++ b/elasticsearch/tasks/plugin_head.yml
@@ -60,6 +60,9 @@
   template:
     src: elasticsearch-head.service.j2
     dest: /etc/systemd/system/elasticsearch-head.service
+    owner: root
+    group: root
+    mode: "0644"
   tags:
     - elasticsearch
     - systemd
diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml
index e6f624c1..930166bb 100644
--- a/evolinux-base/tasks/log2mail.yml
+++ b/evolinux-base/tasks/log2mail.yml
@@ -3,6 +3,8 @@
   copy:
     src: log2mail.service
     dest: /etc/systemd/system/log2mail.service
+    owner: root
+    group: root
     mode: "0644"
 
 - name: Remove log2mail sysvinit service
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 486dc2e8..04e3d555 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -168,6 +168,8 @@
     src: alert5.service
     dest: /etc/systemd/system/alert5.service
     force: yes
+    owner: root
+    group: root
     mode: "0644"
   when:
     - evolinux_system_alert5_init | bool
diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml
index 0159f8d6..dde09e83 100644
--- a/memcached/tasks/main.yml
+++ b/memcached/tasks/main.yml
@@ -28,6 +28,9 @@
   copy:
     src: memcached@.service
     dest: /etc/systemd/system/memcached@.service
+    owner: root
+    group: root
+    mode: "0644"
   tags:
     - memcached
   when: memcached_instance_name | length > 0
diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml
index cfbeedfe..721b43a7 100644
--- a/mysql/tasks/config_stretch.yml
+++ b/mysql/tasks/config_stretch.yml
@@ -35,6 +35,9 @@
     src: mariadb.systemd.j2
     dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   register: mariadb_systemd_override
 
 - name: reload systemd and restart MariaDB
diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml
index 83754ba4..d058e513 100644
--- a/nginx/tasks/munin_vhost.yml
+++ b/nginx/tasks/munin_vhost.yml
@@ -32,6 +32,9 @@
   copy:
     src: systemd/spawn-fcgi-munin-graph.service
     dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
+    owner: root
+    group: root
+    mode: "0644"
 
 - name: Enable and start Munin-fcgi
   systemd:
diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml
index 83b10e25..8cd9fb0c 100644
--- a/postgresql/tasks/config.yml
+++ b/postgresql/tasks/config.yml
@@ -10,6 +10,9 @@
     src: postgresql.service.override.conf
     dest: /etc/systemd/system/postgresql@.service.d/override.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - reload systemd
     - restart postgresql
diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml
index ac9eb7e9..a8925a1f 100644
--- a/squid/tasks/systemd.yml
+++ b/squid/tasks/systemd.yml
@@ -19,6 +19,9 @@
   template:
     src: systemd-override.conf.j2
     dest: /etc/systemd/system/squid.service.d/override.conf
+    owner: root
+    group: root
+    mode: "0644"
     force: yes
   register: _squid_systemd_override