Replace incron with inotify script

group_vars/all.yaml

@@ -1,5 +1,6 @@
 ---
 sftp_root: "/var/sftp" # no trailing /
+software_package_root: "/opt"
 
 # temporary fix for https://github.com/ansible/ansible/issues/8603
 _lizmap_version: 3.7.6

playbook.yaml

@@ -1,8 +1,6 @@
 ---
 - name: Setup QGIS-Server and Lizmap
   hosts: testing
-  vars_files:
-    - variables/public.yaml
   handlers:
     - name: Ensure nginx is restarted
       become: true
@@ -22,12 +20,13 @@
         name: "php{{ php['version'] }}-fpm"
         state: restarted
 
-    - name: Ensure incron is restarted and enabled
+    - name: Ensure sftp-permissions is restarted and enabled
       become: true
       ansible.builtin.systemd:
-        name: incron
+        name: sftp-permissions
         state: restarted
         enabled: true
+        daemon_reload: true
 
   tasks:
     - name: Ensure valid apt cache and required tools are present
@@ -43,7 +42,7 @@
           - software-properties-common
           - postgresql
           - acl # bug: https://github.com/ansible/ansible/issues/74830
-          - incron
+          - inotify-tools
         state: present
 
     - name: Ensure qgis-server is valid
@@ -442,29 +441,35 @@
         group: sftp
         mode: u=rwX,g=rwXs,o=
 
-    - name: Ensure incron is latest
+    - name: Ensure sftp-permissions is latest
       notify:
-        - Ensure incron is restarted and enabled
+        - Ensure sftp-permissions is restarted and enabled
       become: true
       block:
-        - name: Ensure incron for root is enabled
-          ansible.builtin.blockinfile:
-            path: /etc/incron.allow
-            block: "root"
-            create: true
+        - name: Ensure sftp-permissions dir exists
+          ansible.builtin.file:
+            dest: "{{ software_package_root }}/sftp-permissions"
+            state: directory
             owner: root
-            group: incron
-            mode: u=rw,g=r,o=
+            group: root
+            mode: u=rwX,g=rX,o=rX
+
+        - name: Ensure sftp-permissions script is latest
+          ansible.builtin.template:
+            src: ./templates/sftp-inotify.sh.j2
+            dest: "{{ software_package_root }}/sftp-permissions/sftp-inotify.sh"
+            owner: root
+            group: root
+            mode: u=rwx,g=r,o=
             backup: true
 
-        - name: Ensure incron task for root is latest
-          ansible.builtin.blockinfile:
-            path: /var/spool/incron/root
-            block: "{{ lizmap['root_repositories'] }}  IN_ATTRIB,IN_CREATE,IN_MOVED_TO chmod g+rw $@/$#"
-            create: true
+        - name: Ensure sftp-permissions service is latest
+          ansible.builtin.template:
+            src: ./templates/sftp-permissions.service.j2
+            dest: /etc/systemd/system/sftp-permissions.service
             owner: root
-            group: incron
-            mode: u=rw,g=,o=
+            group: root
+            mode: u=rw,g=r,o=r
 
     - name: Ensure sshd config is latest
       notify:

templates/sftp-inotify.sh.j2

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+inotifywait -m -r -e attrib -e create -e moved_to --format '%w%f' {{ sftp_root }} | while read file
+do
+    current_permissions=$(stat -c %A "$file")
+    if ! [[ "$current_permissions" =~ ^[^\ ](rw[^\ ]){2}[^\ ]{3}$ ]]; then # long: ^[^\ ]rw[^\ ]rw[^\ ][^\ ][^\ ][^\ ]$ matches "?rw?rw????"
+         echo "Attribute change detected on $file"
+         chmod u+rw,g+rw "$file"
+    else
+         echo "Skipped change for $file"
+    fi
+done

templates/sftp-permissions.service.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Inotify Monitoring Service
+
+[Service]
+ExecStart={{ software_package_root }}/sftp-permissions/sftp-inotify.sh
+;;Restart=always
+
+[Install]
+WantedBy=multi-user.target