roles/websites: Set authorized_keys file perms

Because the various "webapp.*" users' home directories are under `/srv/www`, the default SELinux context type is `httpd_sys_content_t`. The SSH daemon is not allowed to read files with this label, so it cannot load the contents of these users' `authorized_keys` files. To address this, we have to explicitly set the SELinux type to `ssh_home_t`.
2020-12-30 20:59:27 -06:00
parent c92af29e84
commit f9e8c78e5a
4 changed files with 30 additions and 0 deletions
--- a/roles/websites/dustin.hatch.name/tasks/main.yml
+++ b/roles/websites/dustin.hatch.name/tasks/main.yml
@@ -36,6 +36,13 @@
    key: "{{ dchwww_publisher_keys|join('\n') }}"
    user: webapp.dchwww
    exclusive: true
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/dustin.hatch.name/.ssh/authorized_keys
+    mode: '0600'
+    owner: webapp.dchwww
+    group: webapp.dchwww
+    setype: ssh_home_t

 - name: ensure virtualenv exists
  become: true