Replace incron with inotify script
This commit is contained in:
parent
b183ddb51c
commit
ade6e4ce3e
@ -1,5 +1,6 @@
---
sftp_root: "/var/sftp" # no trailing /
software_package_root: "/opt"
# temporary fix for https://github.com/ansible/ansible/issues/8603
_lizmap_version: 3.7.6
@ -1,8 +1,6 @@
---
- name: Setup QGIS-Server and Lizmap
hosts: testing
vars_files:
- variables/public.yaml
handlers:
- name: Ensure nginx is restarted
become: true
@ -22,12 +20,13 @@
name: "php{{ php['version'] }}-fpm"
state: restarted
- name: Ensure incron is restarted and enabled
- name: Ensure sftp-permissions is restarted and enabled
become: true
ansible.builtin.systemd:
name: incron
name: sftp-permissions
state: restarted
enabled: true
daemon_reload: true
tasks:
- name: Ensure valid apt cache and required tools are present
@ -43,7 +42,7 @@
- software-properties-common
- postgresql
- acl # bug: https://github.com/ansible/ansible/issues/74830
- incron
- inotify-tools
state: present
- name: Ensure qgis-server is valid
@ -442,29 +441,35 @@
group: sftp
mode: u=rwX,g=rwXs,o=
- name: Ensure incron is latest
- name: Ensure sftp-permissions is latest
notify:
- Ensure incron is restarted and enabled
- Ensure sftp-permissions is restarted and enabled
become: true
block:
- name: Ensure incron for root is enabled
ansible.builtin.blockinfile:
path: /etc/incron.allow
block: "root"
create: true
- name: Ensure sftp-permissions dir exists
ansible.builtin.file:
dest: "{{ software_package_root }}/sftp-permissions"
state: directory
owner: root
group: incron
mode: u=rw,g=r,o=
group: root
mode: u=rwX,g=rX,o=rX
- name: Ensure sftp-permissions script is latest
ansible.builtin.template:
src: ./templates/sftp-inotify.sh.j2
dest: "{{ software_package_root }}/sftp-permissions/sftp-inotify.sh"
owner: root
group: root
mode: u=rwx,g=r,o=
backup: true
- name: Ensure incron task for root is latest
ansible.builtin.blockinfile:
path: /var/spool/incron/root
block: "{{ lizmap['root_repositories'] }} IN_ATTRIB,IN_CREATE,IN_MOVED_TO chmod g+rw $@/$#"
create: true
- name: Ensure sftp-permissions service is latest
ansible.builtin.template:
src: ./templates/sftp-permissions.service.j2
dest: /etc/systemd/system/sftp-permissions.service
owner: root
group: incron
mode: u=rw,g=,o=
group: root
mode: u=rw,g=r,o=r
- name: Ensure sshd config is latest
notify:
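Review bot: The hunk at @ -442 removes the tasks that wrote `/etc/incron.allow` and `/var/spool/incron/root`, but no task removes those entries or the `incron` package, so a host provisioned before this commit keeps the old root incrontab firing next to the new sftp-permissions service; the package-list hunk at @ -43 has the same gap, since `- incron` is only dropped from the `state: present` list. A cleanup step such as the one below, kept for at least one release, makes the migration idempotent on existing hosts. The removed incron rule watched `{{ lizmap['root_repositories'] }}` while the new template appears to watch `{{ sftp_root }}`; if those paths differ, a comment on the `Ensure sftp-permissions is latest` block stating which tree is now covered would prevent a silent scope change. The play's `tasks:` list continues outside the hunk.

```yaml
# … unchanged: "Ensure sftp-permissions is latest" block and its notify …

- name: Ensure legacy incron watcher is removed
  become: true
  block:
    - name: Ensure incron package is absent
      ansible.builtin.apt:
        name: incron
        state: absent
    - name: Ensure leftover incron root table is absent
      ansible.builtin.file:
        path: /var/spool/incron/root
        state: absent
```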
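--- /dev/null
+++ b/templates/sftp-inotify.sh.j2
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+inotifywait -m -r -e attrib -e create -e moved_to --format '%w%f' {{ sftp_root }} | while read file
+do
+current_permissions=$(stat -c %A "$file")
+if ! [[ "$current_permissions" =~ ^[^\ ](rw[^\ ]){2}[^\ ]{3}$ ]]; then # long: ^[^\ ]rw[^\ ]rw[^\ ][^\ ][^\ ][^\ ]$ matches "?rw?rw????"
+echo "Attribute change detected on $file"
+chmod u+rw,g+rw "$file"
+else
+echo "Skipped change for $file"
+fi
+done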
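Review bot: `while read file` on the inotifywait line strips leading and trailing whitespace and interprets backslashes before the path reaches `stat` and `chmod`, so a file whose name contains either is checked and modified under the wrong name; use `| while IFS= read -r file` and quote the watch root as `"{{ sftp_root }}"` so a root path with spaces is not split into several arguments. The script also skips symbolic links only by accident: `stat -c %A` on the link itself reports `lrwxrwxrwx`, which happens to match the regex and lands in the else branch, whereas `chmod` would follow the link. Since the watcher runs as root over a tree written by SFTP users, an explicit `[[ -L "$file" ]] && continue` before the stat makes that intent visible and keeps it independent of the regex shape; a comment saying that the regex is what stops the attrib event raised by the script's own chmod from re-triggering it would help the next reader too.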
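--- /dev/null
+++ b/templates/sftp-permissions.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Inotify Monitoring Service
+
+[Service]
+ExecStart={{ software_package_root }}/sftp-permissions/sftp-inotify.sh
+;;Restart=always
+
+[Install]
+WantedBy=multi-user.target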
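Review bot: `;;Restart=always` leaves the unit without any restart policy, so when `inotifywait` exits (for example after hitting the inotify watch limit on a large tree) the permission fixer silently stays down and new uploads keep the wrong mode until someone notices. Re-enable it as `Restart=always` with `RestartSec=5`; `on-failure` would not be enough here, because the script's pipeline ends with the `while` loop and exits 0 when inotifywait stops. A short comment that the service intentionally runs as root because it must chmod files owned by other users would document the missing `User=` rather than leaving it to look like an oversight.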