Summary
The deploy-compose-files.yml Ansible playbook deploys files to /opt/torrust/ with owner: root and group: root, but other playbooks correctly use {{ ansible_user }}. This creates an inconsistency in file ownership.
Current Behavior
```yaml
# templates/ansible/deploy-compose-files.yml (lines 44-49)
- name: Copy Docker Compose files to remote host
  ansible.builtin.copy:
    src: "{{ local_compose_dir }}/"
    dest: "{{ remote_deploy_dir }}/"
    mode: "0644"
    directory_mode: "0755"
    owner: root # <-- Problem
    group: root # <-- Problem
```

Result:

- `/opt/torrust/.env` → owned by `root:root`
- `/opt/torrust/docker-compose.yml` → owned by `root:root`
Expected Behavior
Files should use the same pattern as other playbooks (e.g., deploy-caddy-config.yml):
```yaml
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
```

Impact
- Security: files containing secrets (`.env`) are owned by root when they should be owned by the app user
- Consistency: other storage directories (`/opt/torrust/storage/tracker/`, etc.) are correctly owned by the ansible user
- Backup operations: sidecar containers running as non-root need consistent file ownership
Proposed Fix
Update `templates/ansible/deploy-compose-files.yml`:

```yaml
- name: Copy Docker Compose files to remote host
  ansible.builtin.copy:
    src: "{{ local_compose_dir }}/"
    dest: "{{ remote_deploy_dir }}/"
    mode: "0640" # More restrictive for .env with secrets
    directory_mode: "0755"
    owner: "{{ ansible_user }}" # Consistent with other playbooks
    group: "{{ ansible_user }}"
```

Also update the directory creation task (lines 36-40):
```yaml
- name: Ensure remote deployment directory exists
  ansible.builtin.file:
    path: "{{ remote_deploy_dir }}"
    state: directory
    mode: "0755"
    owner: "{{ ansible_user }}" # Was: root
    group: "{{ ansible_user }}" # Was: root
```

Related
- Discovered during backup research: Research database backup strategies #310
- PR: docs: [#310] research database backup strategies #312
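The inconsistency described in this issue is easy to reintroduce, so a small pre-commit check that scans playbook text for file-placing tasks with `owner`/`group` hard-coded to `root`, or a world-readable `mode` on copied files, catches it before deployment. The script below is an added example written for this page, not code from the torrust project; its line-oriented reader handles only flat tasks like the ones quoted above (not general YAML), and the two sample playbook fragments are constructed from the "before" and "after" snippets in this issue.

```python
"""Lint Ansible playbook text for hard-coded root ownership and world-readable
modes in tasks that place files on the remote host (copy / file / template).

Added example for this issue, not part of the torrust project. The reader is a
small line-oriented scanner sufficient for flat tasks; it is not a YAML parser."""
import re
from dataclasses import dataclass, field

# Modules that set ownership/mode on the remote host and are worth checking.
OWNERSHIP_MODULES = {
    "ansible.builtin.copy", "copy",
    "ansible.builtin.file", "file",
    "ansible.builtin.template", "template",
}


@dataclass
class Task:
    name: str
    line: int
    module: str = ""
    params: dict = field(default_factory=dict)


def parse_tasks(playbook_text):
    """Split playbook text into tasks keyed by '- name:' and collect their
    module name and flat 'key: value' parameters."""
    tasks, current = [], None
    for lineno, raw in enumerate(playbook_text.splitlines(), start=1):
        code = raw.split(" #", 1)[0].strip()  # drop trailing YAML comments
        if not code:
            continue
        m = re.match(r"-\s+name:\s*(.+)", code)
        if m:
            current = Task(name=m.group(1).strip('"'), line=lineno)
            tasks.append(current)
            continue
        if current is None:
            continue
        key, sep, value = code.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"').strip("'")
        if not value and key in OWNERSHIP_MODULES:
            current.module = key  # e.g. "ansible.builtin.copy:" opens the module block
        elif value:
            current.params[key] = value
    return tasks


def is_world_readable(mode):
    """True when the 'others' read bit of an octal mode string is set."""
    return bool(int(mode, 8) & 0o004)


def lint(playbook_text):
    """Return (line, task name, message) tuples, one per finding."""
    findings = []
    for task in parse_tasks(playbook_text):
        if task.module not in OWNERSHIP_MODULES:
            continue
        for key in ("owner", "group"):
            if task.params.get(key) == "root":
                findings.append((task.line, task.name,
                                 f"{key} hard-coded to root; use the deploy user variable"))
        mode = task.params.get("mode", "")
        # Directories are expected to be traversable; only flag file content modes.
        if mode.isdigit() and task.params.get("state") != "directory" \
                and is_world_readable(mode):
            findings.append((task.line, task.name, f"mode {mode} is world-readable"))
    return findings


# Constructed sample input: the task as quoted in the issue's "Current Behavior".
BEFORE_TASK = """
- name: Copy Docker Compose files to remote host
  ansible.builtin.copy:
    src: "{{ local_compose_dir }}/"
    dest: "{{ remote_deploy_dir }}/"
    mode: "0644"
    directory_mode: "0755"
    owner: root # <-- Problem
    group: root # <-- Problem
"""

# Constructed sample input: the two tasks as proposed in the issue's fix.
AFTER_TASKS = """
- name: Ensure remote deployment directory exists
  ansible.builtin.file:
    path: "{{ remote_deploy_dir }}"
    state: directory
    mode: "0755"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
- name: Copy Docker Compose files to remote host
  ansible.builtin.copy:
    src: "{{ local_compose_dir }}/"
    dest: "{{ remote_deploy_dir }}/"
    mode: "0640"
    directory_mode: "0755"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_TASK), ("after", AFTER_TASKS)):
        print(label, lint(text))
```

Running it over the "before" fragment reports the root owner, the root group and the world-readable `0644` mode; the proposed fix produces no findings, since the directory task's `0755` is exempted deliberately.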