Set permissions on /var/lib/pbri

2022-09-13 03:06:40 +02:00 · 2022-09-13 03:06:40 +02:00 · 9fc48e9141
commit 9fc48e9141
parent 704abbcbd8
3 changed files with 12 additions and 5 deletions
--- a/TODO.md
+++ b/TODO.md
@ -3,6 +3,6 @@
 - [ ] Update Readme (CI, Git, plantuml, etc.)
 - [ ] Split `docker/web/docker-compose.yaml` into different configs (e.g. `web`, `gitlab`, `drone`) using the same network
 - [ ] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
-    - [ ] Make it inaccessible to anyone but root (`-rw------`)
+    - [x] Make it inaccessible to anyone but root (`-rw------`)
 - [x] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
 - [ ] Figure out how to dependably store `.env` files (Ansible vault? Something else?)
--- a/ansible/misc-docker.yaml
+++ b/ansible/misc-docker.yaml
@ -10,7 +10,16 @@
        mode: u=rw,g=,o=
        # Directories should be listable
        directory_mode: u=rwx,g=rx,o=rx
-    - name: Create global docker volumes
+    - name: Create global docker volumes (/var/lib)
+      become: yes
+      file:
+        path: "/var/lib/pbri/docker/{{ item.name }}"
+        state: directory
+        # Hide contents from non-root users
+        mode: u=rw,g=,o=
+      loop:
+        - name: drone
+    - name: Create global docker volumes (docker_volume)
      become: yes
      docker_volume:
        name: "{{ item.name }}"
--- a/docker/web/docker-compose.yaml
+++ b/docker/web/docker-compose.yaml
@ -104,10 +104,8 @@ services:
      DRONE_SERVER_HOST: ci.pbrinkmeier.de
      DRONE_SERVER_PROTO: https
    volumes:
-      - /var/lib/pbri/docker/drone_server:/data
+      - /var/lib/pbri/docker/drone:/data
    restart: always
-    ports:
-      - 3000:3000

  drone_runner:
    image: drone/drone-runner-docker:1