readonly binds

Author: baszoetekouw

roles/manage/tasks/main.yml

@@ -40,14 +40,14 @@
 - name: Place the serverapplication configfiles
   ansible.builtin.template:
     src: "{{ item }}.j2"
-    dest: /opt/openconext/manage/{{ item }}
-    owner: root
-    group: root
+    dest: "/opt/openconext/manage/{{ item }}"
+    owner: "root"
+    group: "root"
     mode: "0644"
   with_items:
-    - application.yml
-    - logback.xml
-    - manage-api-users.yml
+    - "application.yml"
+    - "logback.xml"
+    - "manage-api-users.yml"
   notify: restart manageserver
 
 - name: Place old __cacert_entrypoint.sh script
@@ -62,8 +62,8 @@
   ansible.builtin.template:
     src: "metadata_configuration/{{ item }}.schema.json.j2"
     dest: "/opt/openconext/manage/metadata_configuration/{{ item }}.schema.json"
-    owner: root
-    group: root
+    owner: "root"
+    group: "root"
     mode: "0640"
   with_items:
     - "{{ manage_tabs_enabled }}"
@@ -90,17 +90,17 @@
     group: root
     mode: "0640"
   with_items:
-    - allowed_attributes.json
-    - extra_saml_attributes.json
+    - "allowed_attributes.json"
+    - "extra_saml_attributes.json"
   notify:
     - "restart manageserver"
 
 - name: Add the mongodb and mariadb  docker network to the list of networks when MongoDB runs in Docker
   ansible.builtin.set_fact:
     manage_docker_networks:
-      - name: loadbalancer
-      - name: openconext_mongodb
-      - name: openconext_mariadb
+      - name: "loadbalancer"
+      - name: "openconext_mongodb"
+      - name: "openconext_mariadb"
   when: mongodb_in_docker | default(false) | bool
 
 - name: Create and start the server container
@@ -114,19 +114,22 @@
     state: started
     networks: "{{ manage_docker_networks }}"
     mounts:
-      - source: /opt/openconext/manage/
-        target: /config/
-        type: bind
-      - source: /opt/openconext/manage/mongoca.pem
-        target: /certificates/mongoca.crt
-        type: bind
-      - source: /opt/openconext/manage/__cacert_entrypoint.sh
-        target: /__cacert_entrypoint.sh
-        type: bind
-      - source: /opt/openconext/manage/stepup_config.json
-        target: /stepup_config.json
-        type: bind
-
+      - source: "/opt/openconext/manage/"
+        target: "/config/"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/mongoca.pem"
+        target: "/certificates/mongoca.crt"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/__cacert_entrypoint.sh"
+        target: "/__cacert_entrypoint.sh"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/stepup_config.json"
+        target: "/stepup_config.json"
+        type: "bind"
+        read_only: true
     command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
     etc_hosts:
       host.docker.internal: host-gateway
@@ -183,6 +186,8 @@
       - source: /etc/localtime
         target: /etc/localtime
         type: bind
+        read_only: true
       - source: /opt/openconext/common/favicon.ico
         target: /var/www/favicon.ico
         type: bind
+        read_only: true