From 423cafe98d84ef80ee4e7672042a84c7d906b36d Mon Sep 17 00:00:00 2001
From: Timo Makinen <tmakinen@foo.sh>
Date: Fri, 7 Feb 2025 07:25:45 +0000
Subject: [PATCH] routeros_firmware: Use dedicated user for download

---
 roles/routeros_firmware/tasks/main.yml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml
index 248abde..024b37d 100644
--- a/roles/routeros_firmware/tasks/main.yml
+++ b/roles/routeros_firmware/tasks/main.yml
@@ -1,11 +1,26 @@
 ---
+- name: Create group
+  ansible.builtin.group:
+    name: routeros
+    system: true
+
+- name: Create user
+  ansible.builtin.user:
+    name: routeros
+    comment: RouterOS Downloader
+    group: routeros
+    create_home: false
+    home: /var/empty
+    shell: /sbin/nologin
+    system: true
+
 - name: Create download directory
   ansible.builtin.file:
     path: /srv/web/oob.foo.sh/routeros
     state: directory
-    mode: "0755"
+    mode: "0775"
     owner: root
-    group: "{{ ansible_wheel }}"
+    group: routeros
 
 - name: Install README.md
   ansible.builtin.copy:
@@ -27,5 +42,6 @@
   ansible.builtin.cron:
     name: download-routeros-firmware
     job: /usr/local/bin/download-routeros-firmware
+    user: routeros
     hour: "05"
     minute: "25"