Change photo archive permissions and mount options

kdkasad · Dec 25, 2024 · ed65369 · ed65369
1 parent 9b1b253
commit ed65369
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/roles/photos_archive/tasks/main.yml b/roles/photos_archive/tasks/main.yml
@@ -4,20 +4,36 @@
     name: cifs-utils
     state: present
 
+- name: Create photos archive group
+  ansible.builtin.group:
+    name: photosarchive
+    state: present
+    system: no
+
+- name: Add users to photos archive group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups:
+      - photosarchive
+    append: yes
+  loop:
+    - "{{ users.worker }}"
+    - kian
+
 - name: Render systemd unit files
   ansible.builtin.template:
     src: "{{ item }}"
     dest: /etc/systemd/system/{{ item }}
     owner: root
     group: root
-    mode: 0600
+    mode: 0600 # not world-readable because they contain passwords
   loop:
     - mnt-photosarchive.mount
     - mnt-photosarchive.automount
+  notify: Restart units
 
 - name: Start and enable systemd automount unit
   ansible.builtin.systemd:
-    daemon_reload: yes
     name: mnt-photosarchive.automount
     state: started
     enabled: yes
diff --git a/roles/photos_archive/templates/mnt-photosarchive.mount b/roles/photos_archive/templates/mnt-photosarchive.mount
@@ -7,4 +7,4 @@ Wants=network-online.target
 What=//SNEETCH/Pictures
 Where=/mnt/photosarchive
 Type=cifs
-Options=ro,username={{ photos_archive_user }},password={{ photos_archive_password }},workgroup=WORKGROUP,uid={{ users.worker }},gid={{ users.worker }},iocharset=utf8,file_mode=0600,dir_mode=0700
+Options=ro,username={{ photos_archive_user }},password={{ photos_archive_password }},workgroup=WORKGROUP,gid=photosarchive,forcegid,iocharset=utf8,file_mode=0440,dir_mode=0550,seal,nounix,noatime,nodev,noexec,nosuid