From 869131dabef0d46c905f69b298a440b361cbd255 Mon Sep 17 00:00:00 2001
From: mg <michael.grote@posteo.de>
Date: Wed, 24 Nov 2021 11:54:31 +0100
Subject: [PATCH] change to script user: zfs_health (#253)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/253
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>
---
 roles/mgrote.zfs_health/defaults/main.yml |  4 ++++
 roles/mgrote.zfs_health/tasks/main.yml    | 14 ++++++++++----
 roles/mgrote.zfs_health/tasks/user.yml    | 18 ++++++++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 roles/mgrote.zfs_health/tasks/user.yml

diff --git a/roles/mgrote.zfs_health/defaults/main.yml b/roles/mgrote.zfs_health/defaults/main.yml
index 37f159dd..49447bae 100644
--- a/roles/mgrote.zfs_health/defaults/main.yml
+++ b/roles/mgrote.zfs_health/defaults/main.yml
@@ -1,3 +1,7 @@
 ---
+  ### when should the script be run
   zfs_extra_cron_minutes_zfs_health: "0,15,30,45"
   zfs_extra_cron_hours_zfs_health: "*"
+  ### under which user the script is run
+  zfs_health_user_group: "root"
+  zfs_health_user: "zfs-health"
diff --git a/roles/mgrote.zfs_health/tasks/main.yml b/roles/mgrote.zfs_health/tasks/main.yml
index 54f41053..383da670 100644
--- a/roles/mgrote.zfs_health/tasks/main.yml
+++ b/roles/mgrote.zfs_health/tasks/main.yml
@@ -1,16 +1,22 @@
 ---
-  - name: copy "zfs-health.sh"
+  - name: include user tasks
+    include_tasks: user.yml
+
+  - name: template script
     become: yes
     ansible.builtin.template:
       src: zfs-health.sh
       dest: /usr/local/bin/zfs-health.sh
-      mode: "+x"
+      mode: 0744
+      owner: "{{ zfs_health_user }}"
+      group: "{{ zfs_health_user_group }}"
 
-  - name: add cronjob "zfs-health.sh"
+  - name: ensure cronjob exists
     become: yes
     ansible.builtin.cron:
-      name: zfs-health
+      name: zfs_health
       state: present
       job: "/usr/local/bin/zfs-health.sh"
       minute: "{{ zfs_extra_cron_minutes_zfs_health }}"
       hour: "{{ zfs_extra_cron_hours_zfs_health }}"
+      user: "{{ zfs_health_user }}"
diff --git a/roles/mgrote.zfs_health/tasks/user.yml b/roles/mgrote.zfs_health/tasks/user.yml
new file mode 100644
index 00000000..6d211807
--- /dev/null
+++ b/roles/mgrote.zfs_health/tasks/user.yml
@@ -0,0 +1,18 @@
+---
+  - name: ensure group exists
+    become: true
+    ansible.builtin.group:
+      name: "{{ zfs_health_user_group }}"
+      state: present
+    when:
+      - zfs_health_user_group is defined
+
+  - name: ensure user exists
+    become: true
+    ansible.builtin.user:
+      name: "{{ zfs_health_user }}"
+      group: "{{ zfs_health_user_group }}"
+      shell: /usr/sbin/nologin
+    when:
+      - zfs_health_user_group is defined
+      - zfs_health_user is defined