ansible(backup): rclone config 0640 root:postgres; drop unused /root/.config dir task
- SHA
211ece3aecb6c584a9719fe9ce56d9897ce3ab1c- Parents
-
9eff67e - Tree
383dd5b
211ece3
211ece3aecb6c584a9719fe9ce56d9897ce3ab1c9eff67e
383dd5b| Status | File | + | - |
|---|---|---|---|
| M |
deploy/ansible/roles/backup/tasks/main.yml
|
11 | 9 |
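--- a/deploy/ansible/roles/backup/tasks/main.yml
+++ b/deploy/ansible/roles/backup/tasks/main.yml
@@ -31,17 +31,19 @@
 - { src: run.sh, mode: "0755" }
 - { src: smoke-queries.sql, mode: "0644" }
 
-- name: rclone config dir
- file:
- path: /root/.config/rclone
- state: directory
- mode: "0700"
-
-- name: rclone config — Spaces credentials
+# Single rclone config shared by every script that talks to Spaces:
+# - root-owned for the daily/cross-region cron jobs (running as root)
+# - postgres-readable (group 0640) for archive_command, which Postgres
+# invokes as the postgres user. The previous /root/.config/rclone/
+# path was unreachable to postgres because /root is mode 0700;
+# moving to /etc/ with explicit group sidesteps the traversal block.
+- name: rclone config — Spaces credentials, shared with postgres
 template:
 src: rclone.conf.j2
- dest: /root/.config/rclone/rclone.conf
- mode: "0600"
+ dest: /etc/rclone-shithub.conf
+ owner: root
+ group: postgres
+ mode: "0640"
 
 - name: cron — daily logical backup
 cron: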
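Review bot: The previous credential file at `/root/.config/rclone/rclone.conf` is left behind on hosts provisioned before this change — the commit drops the directory task and moves `dest`, but nothing removes the stale copy, so a second set of Spaces credentials lingers under /root and will drift from the templated one on key rotation. Add a cleanup task next to the new template, e.g. `- name: remove legacy rclone config` / `file: { path: /root/.config/rclone/rclone.conf, state: absent }`. Two things are not visible in this hunk and worth confirming: the `postgres` group must exist before this task runs (the template task fails otherwise, so ordering relative to the Postgres install matters), and the cron scripts and archive_command presumably need `--config` or `RCLONE_CONFIG` pointed at the new path. Since the database service account can now read the Spaces key, the header comment should state that this is a deliberate widening of exposure, and a dedicated least-privilege key for archive_command is worth considering if the provider supports it.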