http user and group configurateable

warehost-api/defaults/main.yml

@@ -4,3 +4,4 @@ warehost_api_internal_ip: 127.0.0.1
 warehost_api_internal_port: 60990
 warehost_api_ssl: true
 warehost_api_domain: api.warehost.de
+http_usr: http

warehost-api/tasks/caddy.yml

@@ -1,4 +1,4 @@
 ---
 - name: Configurate caddy
-  template: src=caddy.conf dest=/etc/caddy/hosts/80-warehost-api.act owner=http mode=0644
+  template: src=caddy.conf dest=/etc/caddy/hosts/80-warehost-api.act owner={{http_usr}} mode=0644
   notify: reload caddy

warehost-api/tasks/nginx.yml

@@ -6,5 +6,5 @@
   when: warehostv2_api_ssl
 
 - name: Configurate nginx
-  template: src=nginx.conf dest=/etc/nginx/servers/80-{{ warehost_api_domain }}.act owner=http mode=644
+  template: src=nginx.conf dest=/etc/nginx/servers/80-{{ warehost_api_domain }}.act owner={{http_usr}} mode=644
   notify: reload nginx

warehost-db/tasks/main.yml

@@ -1,12 +1,14 @@
 ---
 - name: Create database
-  become: postgres
+  become: true
+  become_user: postgres
   become_method: su
   postgresql_db: name={{ warehost_db_dbname }}
   when: warehost_db_pass is defined
 
 - name: Create users for database
-  become: postgres
+  become: true
+  become_user: postgres
   become_method: su
   postgresql_user: db={{ warehost_db_dbname }} name={{ warehost_db_user }} password='{{ warehost_db_pass }}'
   register: createdb

warehost-ftp/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 warehost_db_host: localhost
-warehost_ftp_port: 22
+warehost_ftp_port: 21
 warehost_ftp_data_path: /srv/ftp
 warehost_ftp_host_path: /srv/http/domain
 warehost_ftp_web_path: /srv/http/web
+http_grp: http

warehost-ftp/tasks/main.yml

@@ -3,7 +3,7 @@
   copy: src=warehost-ftp dest=/usr/local/bin/warehost-ftp owner=root group=root mode=0755
 
 - name: Create data folder
-  file: path={{warehost_ftp_data_path}} state=directory owner=warehost group=http mode=0770
+  file: path={{warehost_ftp_data_path}} state=directory owner=warehost group={{http_grp}} mode=0770
 
 - name: Configurate warehost
   template: src=config.yml dest=/etc/warehost/ftp.conf owner=warehost mode=0600

warehost-ftp/templates/warehost-ftp.unit

@@ -11,5 +11,13 @@ Group=nobody
 ExecStart=/usr/local/bin/warehost-ftp -c /etc/warehost/ftp.conf
 Restart=always
 
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+
 [Install]
 WantedBy=multi-user.target

warehost-host/defaults/main.yml

@@ -8,3 +8,4 @@ warehost_host_db_host: ""
 warehost_host_db_user: root
 warehost_host_db_pass: "{{ lookup('password', 'credentials/mysql_root length=15') }}"
 warehost_host_db_prefix: warehost_db
+http_grp: http

warehost-host/tasks/main.yml

@@ -11,7 +11,7 @@
   notify: restart warehost-host
 
 - name: Configurate warehost-host
-  file: path={{warehost_host_web_path}} state=touch owner=warehost group=http mode=0660
+  file: path={{warehost_host_web_path}} state=touch owner=warehost group={{http_grp}} mode=0660
 
 - name: Install service
   template: src=warehost-host.{{item}} dest=/lib/systemd/system/warehost-host.{{item}} owner=root mode=644

warehost-web/defaults/main.yml

@@ -3,3 +3,4 @@ warehost_db_host: localhost
 warehost_web_internal_ip: 127.0.0.1
 warehost_web_internal_port: 60000
 warehost_web_webroot: /srv/http/web
+http_grp: http

warehost-web/tasks/main.yml

@@ -3,7 +3,7 @@
   copy: src=warehost-web dest=/usr/local/bin/warehost-web owner=root group=root mode=0755
 
 - name: Create web folder
-  file: path={{warehost_web_webroot}} state=directory owner=warehost group=http mode=0770
+  file: path={{warehost_web_webroot}} state=directory owner=warehost group={{http_grp}} mode=0770
 
 - name: Configurate warehost
   template: src=config.yml dest=/etc/warehost/web.conf owner=warehost mode=0600