Did a whole bunch more reading and thought I’d hit a solution (a one-size-fits-all playbook):
╭─x@titan ~/ResilioSync/motorforker/ansy
╰─➤ cat FF.yaml
---
- name: file module demo
  # hosts: all
  # hosts: apple, x86_64_RHEL
  hosts: apple
  gather_facts: no
  vars:
    mydiry1: "~x/ResilioSync/motorforker/SHONKO/"
    myfile1: "~x/ResilioSync/motorforker/SHONKO/shonko.expect"
    myfile2: "~x/ResilioSync/motorforker/SHONKO/crap.expect"
  become: false
  tasks:
    - name: check permission FILE
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: yes
        mode: '0700'
    - name: check permission DIR
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: yes
        mode: '0600'
    - name: check permission
      ansible.builtin.file:
        path: "{{ myfile1 }}"
        state: file
        mode: '0700'
    - name: check permission
      ansible.builtin.file:
        path: "{{ myfile2 }}"
        state: file
        mode: '0700'
But the “check permission DIR” breaks everything - i.e. it sets the parent folder to 0600 first, and then it can’t do anything else 'cause the folder’s now 0600… I guess I could settle for everything having u+x (0700) but that’s STILL NOT THE ANSWER!
So I thought I’d fixed that, but it still barfs:
╭─x@titan ~/ResilioSync/motorforker/ansy
╰─➤ cat FF.yaml 2 ↵
---
- name: file module demo
  # hosts: all
  # hosts: apple, x86_64_RHEL
  # hosts: apple
  hosts: x86_64_RHEL
  gather_facts: no
  vars:
    mydiry1: "~x/ResilioSync/motorforker/SHONKO"
    myfile1: "~x/ResilioSync/motorforker/SHONKO/shonko.expect"
    myfile2: "~x/ResilioSync/motorforker/SHONKO/crap.expect"
  become: false
  tasks:
    - name: check permission FILE
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: yes
        mode: '0600'
    - name: check permission DIR
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: no
        mode: '0700'
    - name: check permission
      ansible.builtin.file:
        path: "{{ myfile1 }}"
        state: file
        mode: '0700'
    - name: check permission
      ansible.builtin.file:
        path: "{{ myfile2 }}"
        state: file
        mode: '0700'
i.e. I changed the order around, but it seems to me that Ansible is:
- setting the ~/ResilioSync/motorforker/SHONKO/ parent folder to 0600 - and thereafter it can’t traverse into that folder to recursively set the contents to 0600…
- folder is 0600 - Ansible cannot access it - everything else fails thereafter
I need the parent folder to be 0700, but the files therein to be 0600, except for the expect scripts, which also need 0700…
I think I’m going to have to settle for 0700 for everything, to avoid having 4 playbooks - which is cumbersome, and tiring…
This will kinda/sorta work for me, but it WILL NOT work for managing key files, e.g. PEM files - and other SSH stuff in your ~/.ssh/ folder, the files of which NEED to be 0600.
The answer:
╭─x@titan ~/ResilioSync/motorforker/ansy
╰─➤ cat ZZ.yaml
---
- name: file module demo
  hosts: all
  gather_facts: no
  vars:
    mydiry1: "~x/ResilioSync/motorforker/SHONKO"
  become: false
  tasks:
    - name: check permission FILE and DIR
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: yes
        mode: '0700'
But I’m not happy. I don’t think 0700 on files that don’t need 0700 is the answer; it’s a kludgy workaround, but I’ll use it…
Been google-fu’ing the intert00bs again - can’t find an answer. There are Ansible modules specifically for managing SSH stuff - they probably/maybe have built-in knowledge that a public/private keypair should be 0600…
e.g. : ansible.posix.authorized_key – Adds or removes an SSH authorized key — Ansible Documentation
But nothing seems to match what I’m seeking…
Just noticed - OpenSSH doesn’t seem to care if my keys are 0700… or other files in ~/.ssh/ either… hmmm…
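Editor's note, added example (not the poster's playbook). The octal workaround above runs into a fixed property of `ansible.builtin.file` with `recurse: yes`: one octal value is stamped on every directory and every file alike, so `0600` locks the directory out of traversal and `0700` hands plain files an execute bit they do not need. The `mode` option also accepts chmod-style symbolic modes, and the capital `X` in `u=rwX` grants the owner's execute bit only to directories and to files that already carry one. A single recursive task therefore yields a 0700 directory, 0600 plain files and 0700 expect scripts, which is the split the post is after. The playbook below assumes the same `mydiry1` path and hosts as the post and that the scripts are named `*.expect`; the first non-recursive task exists so that a directory left at 0600 by an earlier run is traversable before the recursive pass. The last task goes beyond the post's path and applies the same mode to `~/.ssh`, the case the post raises for PEM files and keys.

```yaml
---
# Added example, not the playbook from the post above. It assumes the same
# path variable and the '*.expect' naming for the scripts; adjust both.
- name: owner-only tree with 0700 dirs, 0600 files and 0700 scripts
  hosts: all
  gather_facts: no
  become: false
  vars:
    mydiry1: "~x/ResilioSync/motorforker/SHONKO"
  tasks:
    # Non-recursive first: the top directory must be searchable (u+x)
    # before anything underneath it can be listed or changed. This also
    # recovers a directory that an earlier run left at 0600.
    - name: make the directory traversable again
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: no
        mode: 'u=rwx,go-rwx'

    # A symbolic mode is evaluated per path as the recursion visits it.
    # 'X' grants u+x only to directories and to files that already have an
    # execute bit, so directories end up 0700, plain files 0600 and the
    # expect scripts (already u+x) stay 0700. 'go-rwx' strips group/other.
    - name: set owner-only permissions, execute bit only where it belongs
      ansible.builtin.file:
        path: "{{ mydiry1 }}"
        state: directory
        recurse: yes
        mode: 'u=rwX,go-rwx'

    # 'X' keeps an execute bit; it never adds one. A script copied in
    # without u+x would stay 0600, so name the scripts explicitly.
    - name: find the expect scripts
      ansible.builtin.find:
        paths: "{{ mydiry1 }}"
        patterns: '*.expect'
        recurse: yes
      register: expect_scripts

    - name: make the expect scripts 0700
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: file
        mode: '0700'
      loop: "{{ expect_scripts.files }}"
      loop_control:
        label: "{{ item.path }}"

    # The same mode covers the ~/.ssh case raised in the post: the
    # directory becomes 0700 and keys, config and known_hosts 0600,
    # without a separate task per file.
    - name: lock down the connecting user's ~/.ssh
      ansible.builtin.file:
        path: "~/.ssh"
        state: directory
        recurse: yes
        mode: 'u=rwX,go-rwx'
```

Run it with `--check --diff` first: the diff output lists the exact mode change per path, which is how to confirm that only directories and the scripts receive `x` before touching a directory full of keys. If a deployment ever needs `authorized_keys` or a public key readable by others, give that one file its own task with an explicit octal mode after the recursive pass rather than loosening the symbolic mode for the whole tree.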