roles: update default permissions for config files

Use 0600 by default since other users do not need access to config files.

See: #78
Signed-off-by: Zakhar Bessarab <[email protected]>

Author: zekker6

roles/vmalert/tasks/configure.yml

@@ -57,7 +57,7 @@
   ansible.builtin.template:
     src: alerts.yml.j2
     dest: "{{ vic_vm_alert_rules_config_path }}"
-    mode: 0751
+    mode: 0600
     owner: "{{ vic_vm_alert_system_user }}"
     group: "{{ vic_vm_alert_system_group }}"
     validate: "/usr/local/bin/vmalert-prod {% for k, v in vic_vm_alert_service_args.items() %}{% if k.startswith('license') %} -{{ k }}={{ v }} {%endif %}{% endfor %} -dryRun -rule %s"

roles/vmauth/tasks/configure.yml

@@ -28,7 +28,7 @@
     dest: "{{ vmauth_config_dir }}/auth.yaml"
     owner: "{{ vmauth_system_user }}"
     group: "{{ vmauth_system_group }}"
-    mode: 0644
+    mode: 0600
   no_log: true
   when:
     - vmauth_auth_config != ""
@@ -40,5 +40,5 @@
     src: "vmauth.conf.j2"
     owner: "{{ vmauth_system_user }}"
     group: "{{ vmauth_system_group }}"
-    mode: 0644
+    mode: 0600
   notify: Restart vmauth service

roles/vminsert/tasks/configure.yml

@@ -28,7 +28,7 @@
     dest: "{{ vminsert_config_dir }}/relabel.yaml"
     owner: "{{ vminsert_system_user }}"
     group: "{{ vminsert_system_group }}"
-    mode: 0644
+    mode: 0600
   when:
     - vminsert_relabel_config != ""
   notify: Restart vminsert service

roles/vmsingle/tasks/configure.yml

@@ -59,7 +59,7 @@
       become: true
       ansible.builtin.copy:
         dest: ~/.aws/config
-        mode: 0644
+        mode: 0600
         content: |
           [default]
           region = eu-west-1
@@ -69,7 +69,7 @@
       ansible.builtin.template:
         src: creds.j2
         dest: ~/.aws/credentials
-        mode: 0644
+        mode: 0600
 
     - name: Set proxy config
       ansible.builtin.set_fact: