restrict permissions on mounts

roles/nextcloud/tasks/rclone.yml

@@ -1,10 +1,10 @@
 ---
 # ensure rclone.conf is present (meta role dependencies)
 
-- name: Create rclone mount dir
+- name: Create Rclone mount directory
   file:
     path: "{{ nextcloud_rclone_mount_dir }}"
-    mode: 0755
+    mode: 0770
     state: directory
 
 # Touch rclone log file to set permissions
@@ -12,7 +12,7 @@
   file:
     path: "{{ rclone_log_dir }}/mount_nextcloud.log"
     state: touch
-    mode: 0644
+    mode: 0640
     access_time: preserve
     modification_time: preserve
 
@@ -20,7 +20,7 @@
   template:
     src: rclone_mount_nextcloud.service.j2
     dest: /etc/systemd/system/rclone_mount_nextcloud.service
-    mode: 0644
+    mode: 0640
   notify: restart rclone_mount_nextcloud
 
 - name: "Add {{ webserver_user }} user to rclone group"

roles/nextcloud/templates/rclone_mount_nextcloud.service.j2

@@ -11,12 +11,13 @@ Type=notify
 ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \
         --devname rclone \
         --use-mmap \
+        --default-permissions \
         --allow-other \
         --uid {{ created_rclone_user.uid }} \
         --gid {{ created_rclone_group.gid }} \
-        --umask 002 \
+        --umask 0007 \
-        --dir-perms 775 \
+        --dir-perms 0770 \
-        --file-perms 664 \
+        --file-perms 0660 \
         --dir-cache-time 8760h \
         --poll-interval 1h \
         --buffer-size 64M \

roles/rclone/tasks/main.yml

@@ -69,7 +69,7 @@
 - name: Create rclone cache/log directory
   file:
     path: "{{ item }}"
-    mode: 0755
+    mode: 0750
     state: directory
   loop:
     - "{{ rclone_cache_dir }}"

roles/webserver/tasks/volume.yml

@@ -11,6 +11,7 @@
   file:
     path: "{{ hcloud_webserver_volume_path }}"
     state: directory
+    mode: 0750
     force: false
 
 - name: Mount hcloud volume