Use owner with template, rather than become with an unprivileged user

When connecting to a host as an unprivileged user, using "become" to become *another* unprivileged user can be problematic. Since we were using the unprivileged taiga_user in two instances only so we could drop a file as that user, become root instead and let it drop the file as owned by taiga_user instead. Reference: https://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user
fghaas · Jan 3, 2021 · 6b42dac · 6b42dac
1 parent bdafc28
commit 6b42dac
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/roles/taiga-back/tasks/systemd.yml b/roles/taiga-back/tasks/systemd.yml
@@ -1,8 +1,9 @@
 - name: add taiga to systemd
   become: true
-  become_user: "{{ taiga_user }}"
+  become_user: root
   template:
     mode: "0644"
+    owner: "{{ taiga_user }}"
     src: "{{ item }}.service.j2"
     dest: "/etc/systemd/system/{{ item }}.service"
   with_items:

diff --git a/roles/taiga-webserver/tasks/nginx.yml b/roles/taiga-webserver/tasks/nginx.yml
@@ -41,9 +41,10 @@
 
 - name: add taiga to nginx
   become: true
-  become_user: "{{ taiga_user }}"
+  become_user: root
   template:
     mode: '0644'
+    owner: "{{ taiga_user }}"
     src: taiga.conf.j2
     dest: "/etc/nginx/conf.d/taiga.conf"
   notify: