roles/websites: Set authorized_keys file perms
Because the various "webapp.*" users' home directories are under `/srv/www`, the default SELinux context type is `httpd_sys_content_t`. The SSH daemon is not allowed to read files with this label, so it cannot load the contents of these users' `authorized_keys` files. To address this, we have to explicitly set the SELinux type to `ssh_home_t`.jenkins-master
parent
c92af29e84
commit
f9e8c78e5a
|
|
@ -37,6 +37,14 @@
|
||||||
user: webapp.dcow
|
user: webapp.dcow
|
||||||
exclusive: true
|
exclusive: true
|
||||||
|
|
||||||
|
- name: ensure authorized_keys file permissions are correct
|
||||||
|
file:
|
||||||
|
path: /srv/www/darkchestofwonders.us/.ssh/authorized_keys
|
||||||
|
mode: '0600'
|
||||||
|
owner: webapp.dcow
|
||||||
|
group: webapp.dcow
|
||||||
|
setype: ssh_home_t
|
||||||
|
|
||||||
- name: ensure virtualenv exists
|
- name: ensure virtualenv exists
|
||||||
become: true
|
become: true
|
||||||
become_user: webapp.dcow
|
become_user: webapp.dcow
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,13 @@
|
||||||
key: "{{ dchwww_publisher_keys|join('\n') }}"
|
key: "{{ dchwww_publisher_keys|join('\n') }}"
|
||||||
user: webapp.dchwww
|
user: webapp.dchwww
|
||||||
exclusive: true
|
exclusive: true
|
||||||
|
- name: ensure authorized_keys file permissions are correct
|
||||||
|
file:
|
||||||
|
path: /srv/www/dustin.hatch.name/.ssh/authorized_keys
|
||||||
|
mode: '0600'
|
||||||
|
owner: webapp.dchwww
|
||||||
|
group: webapp.dchwww
|
||||||
|
setype: ssh_home_t
|
||||||
|
|
||||||
- name: ensure virtualenv exists
|
- name: ensure virtualenv exists
|
||||||
become: true
|
become: true
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,14 @@
|
||||||
key: "{{ ebonfire_publisher_keys|join('\n') }}"
|
key: "{{ ebonfire_publisher_keys|join('\n') }}"
|
||||||
user: webapp.ebonfire
|
user: webapp.ebonfire
|
||||||
exclusive: true
|
exclusive: true
|
||||||
|
- name: ensure authorized_keys file permissions are correct
|
||||||
|
file:
|
||||||
|
path: /srv/www/ebonfire.com/.ssh/authorized_keys
|
||||||
|
mode: '0600'
|
||||||
|
owner: webapp.ebonfire
|
||||||
|
group: webapp.ebonfire
|
||||||
|
setype: ssh_home_t
|
||||||
|
|
||||||
|
|
||||||
- name: ensure apache is configured to serve ebonfire.com
|
- name: ensure apache is configured to serve ebonfire.com
|
||||||
copy:
|
copy:
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,13 @@
|
||||||
key: "{{ nratonpass_publisher_keys|join('\n') }}"
|
key: "{{ nratonpass_publisher_keys|join('\n') }}"
|
||||||
user: webapp.nratonpass
|
user: webapp.nratonpass
|
||||||
exclusive: true
|
exclusive: true
|
||||||
|
- name: ensure authorized_keys file permissions are correct
|
||||||
|
file:
|
||||||
|
path: /srv/www/nratonpass.com/.ssh/authorized_keys
|
||||||
|
mode: '0600'
|
||||||
|
owner: webapp.nratonpass
|
||||||
|
group: webapp.nratonpass
|
||||||
|
setype: ssh_home_t
|
||||||
|
|
||||||
- name: ensure apache is configured to serve nratonpass.com
|
- name: ensure apache is configured to serve nratonpass.com
|
||||||
copy:
|
copy:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue