roles/websites: Set authorized_keys file perms

Because the various "webapp.*" users' home directories are under `/srv/www`, the default SELinux context type is `httpd_sys_content_t`. The SSH daemon is not allowed to read files with this label, so it cannot load the contents of these users' `authorized_keys` files. To address this, we have to explicitly set the SELinux type to `ssh_home_t`.
2020-12-30 20:59:27 -06:00 · 2020-12-30 20:59:27 -06:00 · f9e8c78e5a
parent c92af29e84
commit f9e8c78e5a
4 changed files with 30 additions and 0 deletions
--- a/roles/websites/darkchestofwonders.us/tasks/main.yml
+++ b/roles/websites/darkchestofwonders.us/tasks/main.yml
@ -37,6 +37,14 @@
    user: webapp.dcow
    exclusive: true

+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/darkchestofwonders.us/.ssh/authorized_keys
+    mode: '0600'
+    owner: webapp.dcow
+    group: webapp.dcow
+    setype: ssh_home_t
+
 - name: ensure virtualenv exists
  become: true
  become_user: webapp.dcow
--- a/roles/websites/dustin.hatch.name/tasks/main.yml
+++ b/roles/websites/dustin.hatch.name/tasks/main.yml
@ -36,6 +36,13 @@
    key: "{{ dchwww_publisher_keys|join('\n') }}"
    user: webapp.dchwww
    exclusive: true
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/dustin.hatch.name/.ssh/authorized_keys
+    mode: '0600'
+    owner: webapp.dchwww
+    group: webapp.dchwww
+    setype: ssh_home_t

 - name: ensure virtualenv exists
  become: true
--- a/roles/websites/ebonfire.com/tasks/main.yml
+++ b/roles/websites/ebonfire.com/tasks/main.yml
@ -28,6 +28,14 @@
    key: "{{ ebonfire_publisher_keys|join('\n') }}"
    user: webapp.ebonfire
    exclusive: true
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/ebonfire.com/.ssh/authorized_keys
+    mode: '0600'
+    owner: webapp.ebonfire
+    group: webapp.ebonfire
+    setype: ssh_home_t
+

 - name: ensure apache is configured to serve ebonfire.com
  copy:
--- a/roles/websites/nratonpass.com/tasks/main.yml
+++ b/roles/websites/nratonpass.com/tasks/main.yml
@ -28,6 +28,13 @@
    key: "{{ nratonpass_publisher_keys|join('\n') }}"
    user: webapp.nratonpass
    exclusive: true
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/nratonpass.com/.ssh/authorized_keys
+    mode: '0600'
+    owner: webapp.nratonpass
+    group: webapp.nratonpass
+    setype: ssh_home_t

 - name: ensure apache is configured to serve nratonpass.com
  copy: