feat: use extended ACL

defaults/main.yml

@@ -33,11 +33,33 @@ svc_subdirectories:
   data:
     path: "{{ svc_directory.path }}/data"
 
+### Access Control Lists ###
+# Define ACL definitions. See https://docs.ansible.com/ansible/latest/collections/ansible/posix/acl_module.html.
+# path and entity are required. etype defaults to 'user', 'permissions' default to 'r', 'state' defaults to 'present'
+svc_acl_entries: []
+  # - path: /opt/svc
+  #   entity: "myuser"
+  #   permissions: "r"
+  #   recursive: true
+  # - path: /opt/svc
+  #   entity: "myuser"
+  #   permissions: "rwx"
+  #   default: true
+  # - path: /opt/some_dir/myfile.ext
+  #   entity: "{{ svc_group_name }}"
+  #   etype: "group"
+  #   state: "absent"
+  # - path: /opt/some_dir/myfile.ext
+  #   entity: "myuser"
+
 ### Packages ###
 # Manage packages
 svc_manage_packages: true
+# Shared packages to install
+svc_packages_shared:
+  - acl
 # Packages to install. See vars/<ansible_os_family>.yml
-svc_packages: []
+svc_packages: "{{ svc_packages_shared }}"
 # Pip packages to install
 svc_packages_pip:
   - 'docker'

tasks/gather_vars.yml

@@ -0,0 +1,12 @@
+---
+- name: Gather ACL entries
+  block:
+    - name: Find variables starting with '{{ __svc_acl_var_prefix }}'
+      ansible.builtin.set_fact:
+        __svc_acl_matches: "{{ lookup('ansible.builtin.varnames', '^{{ __svc_acl_var_prefix }}(_)?.*') | split(',') }}"
+
+    - name: Merge svc_acl entries
+      ansible.builtin.set_fact:
+        __svc_access_control_list: "{{ __svc_access_control_list + lookup('ansible.builtin.vars', item) }}"
+      with_items: "{{ __svc_acl_matches }}"
+...

tasks/main.yml

@@ -17,6 +17,10 @@
 - name: Include 'user_facts' tasks
   ansible.builtin.import_tasks: user_facts.yml
 
+# Gather variables
+- name: Include 'gather_vars' tasks
+  ansible.builtin.import_tasks: gather_vars.yml
+
 # Manage directories
 - name: Include 'directories' tasks
   ansible.builtin.import_tasks: directories.yml
@@ -27,6 +31,10 @@
   ansible.builtin.import_tasks: packages.yml
   when: svc_manage_packages
 
+# Manage access control
+- name: Include 'access_control' tasks
+  ansible.builtin.import_tasks: set_access_control.yml
+
 # Manage docker networks
 - name: Include 'docker_network' tasks
   ansible.builtin.import_tasks: docker_network.yml

tasks/set_access_control.yml

@@ -0,0 +1,12 @@
+---
+- name: Set access control on files
+  ansible.posix.acl:
+    path: "{{ item.path }}"
+    entity: "{{ item.entity }}"
+    etype: "{{ item.etype | default('user') }}"
+    state: "{{ item.state | default('present') }}"
+    permissions: "{{ item.permissions | default('r') }}"
+    recursive: "{{ item.recursive | default(omit) }}"
+    default: "{{ item.default | default(omit) }}"
+  with_items: "{{ __svc_access_control_list }}"
+...

vars/archlinux.yml

@@ -1,8 +1,5 @@
 ---
 ### Packages ###
 # Packages to install
-svc_packages:
-  - 'python'
-  - 'python-pip'
-  - 'python-virtualenv'
+svc_packages: "{{ svc_packages_shared + ['python', 'python-pip', 'python-virtualenv'] }}"
 ...

vars/debian.yml

@@ -1,8 +1,5 @@
 ---
 ### Packages ###
 # Packages to install
-svc_packages:
-  - 'python3'
-  - 'python3-pip'
-  - 'virtualenv'
+svc_packages: "{{ svc_packages_shared + ['python3', 'python3-pip', 'virtualenv'] }}"
 ...

vars/main.yml

@@ -36,4 +36,9 @@ svc_socketproxy_env_vars_baseline:
 
 # Name of the socketproxy docker network
 svc_socketproxy_network_name: "socket-proxy_net"
+
+# Prefix for the access control list entries variables to look up
+__svc_acl_var_prefix: "svc_acl_entries"
+# Placeholder for the combined access control list entries
+__svc_access_control_list: []
 ...