From 9fc48e914176ffd4dbe33496edceb6fc84a2cfa9 Mon Sep 17 00:00:00 2001
From: Paul Brinkmeier
Date: Tue, 13 Sep 2022 03:06:40 +0200
Subject: [PATCH] Set permissions on /var/lib/pbri

---
 TODO.md                        | 2 +-
 ansible/misc-docker.yaml       | 11 ++++++++++-
 docker/web/docker-compose.yaml | 4 +---
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/TODO.md b/TODO.md
index 44ccd02..83da82d 100644
--- a/TODO.md
+++ b/TODO.md
@@ -3,6 +3,6 @@
 - [ ] Update Readme (CI, Git, plantuml, etc.)
 - [ ] Split `docker/web/docker-compose.yaml` into different configs (e.g. `web`, `gitlab`, `drone`) using the same network
 - [ ] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
-  - [ ] Make it inaccessible to anyone but root (`-rw------`)
+  - [x] Make it inaccessible to anyone but root (`-rw------`)
 - [x] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
 - [ ] Figure out how to dependably store `.env` files (Ansible vault? Something else?)
diff --git a/ansible/misc-docker.yaml b/ansible/misc-docker.yaml
index 54a64ef..6baf028 100644
--- a/ansible/misc-docker.yaml
+++ b/ansible/misc-docker.yaml
@@ -10,7 +10,16 @@
         mode: u=rw,g=,o=
         # Directories should be listable
         directory_mode: u=rwx,g=rx,o=rx
-    - name: Create global docker volumes
+    - name: Create global docker volumes (/var/lib)
+      become: yes
+      file:
+        path: "/var/lib/pbri/docker/{{ item.name }}"
+        state: directory
+        # Hide contents from non-root users
+        mode: u=rw,g=,o=
+      loop:
+        - name: drone
+    - name: Create global docker volumes (docker_volume)
       become: yes
       docker_volume:
         name: "{{ item.name }}"
diff --git a/docker/web/docker-compose.yaml b/docker/web/docker-compose.yaml
index afe0124..0dfaf57 100644
--- a/docker/web/docker-compose.yaml
+++ b/docker/web/docker-compose.yaml
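Review bot: The added task creates `/var/lib/pbri/docker/{{ item.name }}` with `state: directory` but `mode: u=rw,g=,o=`, which is the file form of the intended `-rw------`; on a directory this drops the execute bit, so the owner cannot enter or list it and root only gets through because it bypasses DAC, while any non-root process (including a non-root container user, if the image runs as one) is locked out entirely. The directory equivalent of "only root" is `mode: u=rwx,g=,o=`, which also keeps the file's own convention of giving directories `x` as the `directory_mode` context line above does. Note too that `state: directory` creates a missing parent such as `/var/lib/pbri/docker` with the umask default rather than with `mode`, so unless that parent is created elsewhere its permissions are not set by this task; adding it as a loop item or a separate task with an explicit mode would close that gap. A comment on the mode line such as `# 0700: only root may enter; parents are not covered by this mode` would record the intent. The task list continues past the end of the hunk.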
@@ -104,10 +104,8 @@ services:
       DRONE_SERVER_HOST: ci.pbrinkmeier.de
       DRONE_SERVER_PROTO: https
     volumes:
-      - /var/lib/pbri/docker/drone_server:/data
+      - /var/lib/pbri/docker/drone:/data
     restart: always
-    ports:
-      - 3000:3000
 
   drone_runner:
     image: drone/drone-runner-docker:1
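Review bot: The volumes entry now binds drone_server's `/data` to `/var/lib/pbri/docker/drone` instead of `/var/lib/pbri/docker/drone_server`, but nothing in the commit moves the existing contents, so on the next start the server sees an empty data directory (a fresh database) unless the old directory is migrated by hand, and the old one lingers with whatever it held. A comment on the new line would record that, e.g. `# host dir is created root-only by ansible/misc-docker.yaml; move data from docker/drone_server when upgrading`. Because the host directory is now root-only, the container process must run as root to read or write `/data`; the image's default user is not visible here, so that is worth confirming. Dropping the `3000:3000` publish reduces exposure, assuming the server is reached only through a reverse proxy on the compose network, which DRONE_SERVER_HOST/PROTO suggest but the hunk does not show. The drone_server service definition starts before the hunk.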