-rw-r--r--roles/IMAP/tasks/imap.yml2
-rw-r--r--roles/MX/tasks/main.yml2
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rw-r--r--roles/common/tasks/firewall.yml2
-rw-r--r--roles/common/tasks/main.yml2
-rw-r--r--roles/lists/tasks/mail.yml2
-rw-r--r--roles/lists/tasks/mlmmj.yml2
7 files changed, 7 insertions, 7 deletions
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index fc171a3..3fcb31f 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -1,36 +1,36 @@
- name: Install Dovecot
apt: pkg={{ item }}
with_items:
- dovecot-core
- dovecot-ldap
- dovecot-imapd
- dovecot-lmtpd
- dovecot-antispam
- dovecot-managesieved
- dovecot-sieve
# 7 5 * * * root users=$(mktemp --tmpdir) && sudo -u dovecot /usr/local/bin/list-members.pl && sudo -u vmail nice -n 19 /usr/bin/doveadm purge -F"$users"
- name: Copy list-users.pl
copy: src=usr/local/bin/list-users.pl
dest=/usr/local/bin/list-users.pl
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Create a user 'vmail'
user: name=vmail system=yes
createhome=no
home=/home/mail
shell=/usr/sbin/nologin
password=!
state=present
## TODO: make a LDAP query listing all users using iterate_attrs and
## iterate_filter. (Alternatively, use a dict, see
## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext)
## Required for dbox, see
## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
#- name: Create a nightly cron job to purge expunged messages
# cron: name="Purge expunged messages"
# minute=7 hour=5
# user=vmail cron_file=doveadm-purge
# job="/usr/bin/doveadm purge -A"
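Review bot: The switch to `group=staff` at `+ owner=root group=staff` is undocumented, and it lands on a script that the commented cron line above the task runs from a root crontab, so the ownership of this file is security-relevant; the same one-line change is made in roles/MX/tasks/main.yml, roles/common-LDAP/tasks/main.yml, roles/common/tasks/firewall.yml, roles/common/tasks/main.yml, roles/lists/tasks/mail.yml and roles/lists/tasks/mlmmj.yml, where update-firewall.sh and gendhparam.sh are likewise executed by the playbook itself. What keeps the change safe is the unchanged `mode=0755`: staff gets read/execute only, so no staff member can modify a root-run script, but nothing in the task says that this pairing is deliberate, and a later "match /usr/local's 2775" edit to `mode=0775` would quietly hand root-equivalent write access to the staff group. I would add above the `copy:` line `# root:staff matches Debian's ownership of /usr/local; keep mode 0755 (no group write), these scripts run as root`. The motivation is inferred, as no commit message is shown on this page; if /usr/local/bin is itself group-writable on these hosts, file ownership alone does not prevent replacement of the script, which is worth confirming separately. As a side note, the cron comment refers to /usr/local/bin/list-members.pl while the task installs list-users.pl, so one of the two names looks stale.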
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 5f19d9f..bd6f088 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -56,41 +56,41 @@
- catchall.cf
- name: Copy lookup tables (2)
template: src=etc/postfix/virtual/transport.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
owner=root group=root
mode=0644
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: instance={{ postfix_instance[inst].name }}
src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Copy reserved-alias.pl
copy: src=usr/local/bin/reserved-alias.pl
dest=/usr/local/bin/reserved-alias.pl
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Create directory /etc/postfix/ssl
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
state=directory
owner=root group=root
mode=0755
tags:
- genkey
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
become: False
# `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
fetch_cmd: cmd="openssl x509 -noout -pubkey"
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 6ad561e..22265cd 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -115,36 +115,36 @@
- name: Load the back_monitor overlay
openldap: module=back_monitor
# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
# On read-only replicates, you might have to temporarily switch back to
# read-write, delete the SyncRepl, and delete the DN manually:
# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
- name: Remove cn=admin,dc=fripost,dc=org
openldap: name="cn=admin,dc=fripost,dc=org" delete=entry
- name: Remove the rootDN under the 'config' database
openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW
- name: Copy /usr/local/sbin/slapcat-all.sh
copy: src=usr/local/sbin/slapcat-all.sh
dest=/usr/local/sbin/slapcat-all.sh
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Install 'slapd2' Munin plugin
# we don't install 'slapd_' because it doesn't support SASL binds and
# ours is more parcimonious with LDAP connections
file: src=/usr/local/share/munin/plugins/slapd2
dest=/etc/munin/plugins/slapd2
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 29c0e2b..d418326 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -3,38 +3,38 @@
with_items:
- iptables
- netmask
- bsdutils
- name: Create directory /etc/iptables
file: path=/etc/iptables
state=directory
owner=root group=root
mode=0755
- name: Generate /etc/iptables/services
template: src=etc/iptables/services.j2
dest=/etc/iptables/services
owner=root group=root
mode=0600
- name: Copy /usr/local/sbin/update-firewall.sh
copy: src=usr/local/sbin/update-firewall.sh
dest=/usr/local/sbin/update-firewall.sh
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Make the rulesets persistent
copy: src=etc/network/{{ item }}
dest=/etc/network/{{ item }}
owner=root group=root
mode=0755
with_items:
- if-pre-up.d/iptables
- if-post-down.d/iptables
- name: Ensure the firewall is up to date
command: /usr/local/sbin/update-firewall.sh -c
register: rv
# A non-zero return value will make ansible stop and show stderr. This
# is what we want.
changed_when: rv.rc
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2fe7a0e..0230c0c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -21,41 +21,41 @@
- include: auditd.yml
tags: auditd
- include: rkhunter.yml
tags: rkhunter
- include: clamav.yml
tags: clamav
- include: fail2ban.yml
tags: fail2ban
- include: smart.yml
tags:
- smartmontools
- smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
- include: haveged.yml
tags:
- haveged
- entropy
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
- owner=root group=root
+ owner=root group=staff
mode=0755
tags: genkey
with_items:
- genkeypair.sh
- gendhparam.sh
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/dhparams.pem 2048
creates=/etc/ssl/dhparams.pem
tags: genkey
- include: ipsec.yml
tags:
- strongswan
- ipsec
when: "groups.all | length > 1"
- include: logging.yml
tags: logging
- include: ntp.yml
tags: ntp
- include: mail.yml
tags:
diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml
index a7c8bd6..409a74b 100644
--- a/roles/lists/tasks/mail.yml
+++ b/roles/lists/tasks/mail.yml
@@ -21,41 +21,41 @@
owner=root group=root
mode=0644
# no need to reload upon change, as cleanup(8) is short-running
- name: Compile the Postfix transport maps
# trivial-rewrite(8) is a long-running process, so it's safer to reload
postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Copy the 'sympa-queue' wrapper
copy: src=usr/local/bin/sympa-queue
dest=/usr/local/bin/sympa-queue
- owner=root group=root
+ owner=root group=staff
mode=0755
- name: Install 'postfix_mailqueue_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
- name: Install 'postfix_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_stats_
dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
with_items:
diff --git a/roles/lists/tasks/mlmmj.yml b/roles/lists/tasks/mlmmj.yml
index e5e029f..45fc8f4 100644
--- a/roles/lists/tasks/mlmmj.yml
+++ b/roles/lists/tasks/mlmmj.yml
@@ -19,41 +19,41 @@
file: path=/var/spool/mlmmj
state=directory
owner=mlmmj group=mlmmj
mode=0700
- name: Create /var/lib/mlmmj
file: path=/var/lib/mlmmj
state=directory
owner=mlmmj group=mlmmj
mode=0750
- name: Auto-maintain mlmmj's spool directory
copy: src=etc/cron.d/mlmmj
dest=/etc/cron.d/mlmmj
owner=root group=root
mode=0644
- name: Copy mlmmj-newlist.sh and mhonarc-scan.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
- owner=root group=root
+ owner=root group=staff
mode=0755
with_items:
- mlmmj-newlist.sh
- mhonarc-scan.sh
- name: Copy /etc/mhonarc.rc
copy: src=etc/mhonarc.rc
dest=/etc/mhonarc.rc
owner=root group=root
mode=0644
- name: Create /usr/share/mlmmj/static/{css,fonts}
file: path=/usr/share/mlmmj/static/{{ item }}
state=directory
owner=root group=root
mode=0755
with_items:
- css
- fonts