---
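# Accounts without an explicit password are handed to accounts_password.yml,
# once per such account (`item` is the account mapping).
- name: Handle accounts that carry no password
  # `ansible.builtin.include` has been deprecated since 2.4 in favour of
  # include_tasks; with a loop the include was already dynamic, so the
  # execution model is unchanged. Tags on a dynamic include do not propagate
  # to the included tasks — confirm accounts_password.yml tags its own tasks.
  ansible.builtin.include_tasks: accounts_password.yml
  when: item.password is undefined
  loop: "{{ proftpd_accounts }}"
  tags:
    - proftpd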
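# Accounts that already carry a password are appended as-is to
# proftpd_accounts_final, the list every task below iterates over.
# NOTE(review): proftpd_accounts_final must already exist (as a list) before
# this runs — presumably initialised in the role defaults; verify.
# NOTE(review): each loop item, password included, is echoed in task output;
# consider `no_log: true` if item.password is a sensitive value.
- name: Collect accounts that already have a password
  ansible.builtin.set_fact:
    proftpd_accounts_final: "{{ proftpd_accounts_final + [ item ] }}"
  when: item.password is defined
  loop: "{{ proftpd_accounts }}"
  tags:
    - proftpd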
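# Writes one vpasswd entry per final account
# (name:password:uid:gid::home:shell). The file holds credentials, hence the
# restrictive 0440 mode applied on creation.
- name: Create FTP account
  ansible.builtin.lineinfile:
    path: /etc/proftpd/vpasswd
    state: present
    create: true  # `yes` is a YAML 1.1 truthy spelling; use the canonical boolean
    mode: "0440"
    line: "{{ item.name | mandatory }}:{{ item.password }}:{{ item.uid }}:{{ item.gid }}::{{ item.home | mandatory }}:/bin/false"
    # regex_escape stops a name containing regex metacharacters (e.g. '.')
    # from matching — and replacing — another account's line.
    regexp: "^{{ item.name | regex_escape }}:.*"
  loop: "{{ proftpd_accounts_final }}"
  # NOTE(review): each loop item, including item.password, is echoed in the
  # task output; consider `no_log: true` if that value is sensitive.
  notify: restart proftpd
  tags:
    - proftpd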
# Grants every final account plain-FTP access by placing an AllowUser
# directive ahead of the DenyAll in the Evolinux ProFTPD config.
# Without a regexp, lineinfile only inserts the line when it is absent;
# insertbefore positions it before the last DenyAll match.
- name: Allow FTP account (FTP)
  ansible.builtin.lineinfile:
    path: /etc/proftpd/conf.d/z-evolinux.conf
    state: present
    line: "\tAllowUser {{ item.name }}"
    insertbefore: 'DenyAll'
  when: proftpd_ftp_enable | bool
  loop: "{{ proftpd_accounts_final }}"
  notify: restart proftpd
  tags:
    - proftpd
# Same as the FTP task, for the FTPS vhost: one AllowUser per final account,
# inserted before the last DenyAll in ftps.conf, only when FTPS is enabled.
- name: Allow FTP account (FTPS)
  ansible.builtin.lineinfile:
    path: /etc/proftpd/conf.d/ftps.conf
    state: present
    line: "\tAllowUser {{ item.name }}"
    insertbefore: 'DenyAll'
  when: proftpd_ftps_enable | bool
  loop: "{{ proftpd_accounts_final }}"
  notify: restart proftpd
  tags:
    - proftpd
# Same as the FTP task, for the SFTP vhost: one AllowUser per final account,
# inserted before the last DenyAll in sftp.conf, only when SFTP is enabled.
# NOTE(review): insertbefore matches the *last* DenyAll in the file. The
# "IP Whitelists for SFTP users" task below writes per-user DenyAll lines
# into this same file, so an account added later may get its AllowUser placed
# inside that managed block instead of before the global DenyAll — consider
# `firstmatch: true` or a more specific regexp; confirm against the sftp.conf
# layout.
- name: Allow FTP account (SFTP)
  ansible.builtin.lineinfile:
    path: /etc/proftpd/conf.d/sftp.conf
    state: present
    line: "\tAllowUser {{ item.name }}"
    insertbefore: 'DenyAll'
  when: proftpd_sftp_enable | bool
  loop: "{{ proftpd_accounts_final }}"
  notify: restart proftpd
  tags:
    - proftpd
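# Per-account login IP whitelist for SFTP: every final account that has a
# `group` gets an <IfUser> block allowing only that group's addresses and
# denying every other source. Rendered as one managed block in sftp.conf.
- name: IP Whitelists for SFTP users are present
  ansible.builtin.blockinfile:
    path: /etc/proftpd/conf.d/sftp.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK - Whitelist ip for users"
    # NOTE(review): a user.group absent from proftpd_sftp_ips_whitelist
    # presumably makes the template (and the play) fail, which is fail-closed;
    # do not default it to an empty list silently — confirm this is intended.
    block: |
      {% for user in proftpd_accounts_final %}
      {% if user.group is defined %}
      <IfUser {{ user.name }}>
      <Limit LOGIN>
      {% for ip in proftpd_sftp_ips_whitelist[user.group] %}
      Allow from {{ ip }}
      {% endfor %}
      DenyAll
      </Limit>
      </IfUser>
      {% endif %}
      {% endfor %}
    insertbefore: "</IfModule>"
  notify: restart proftpd
  when: proftpd_sftp_enable_user_whitelist | bool
  # Tagged like every other task in this file so `--tags proftpd` runs it too.
  tags:
    - proftpd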
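# Counterpart of the task above: when the whitelist feature is turned off,
# remove the managed block (matched by the same marker) from sftp.conf.
- name: IP Whitelists for SFTP users are absent
  ansible.builtin.blockinfile:
    path: /etc/proftpd/conf.d/sftp.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK - Whitelist ip for users"
    state: absent
  notify: restart proftpd
  when: not (proftpd_sftp_enable_user_whitelist | bool)
  # Tagged like every other task in this file so `--tags proftpd` runs it too.
  tags:
    - proftpd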
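# Renders one authorized_keys file per final account that declares
# `sshkeys`, under /etc/proftpd/sftp.authorized_keys/<name>. Only when SFTP
# and public-key authentication are both enabled.
- name: Allow keys for SFTP account
  ansible.builtin.template:
    dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}"
    src: authorized_keys.j2
    # Quoted like the vpasswd task's mode: an unquoted 0644 is parsed as an
    # octal integer by YAML, which Ansible cannot reliably interpret.
    mode: "0644"
  loop: "{{ proftpd_accounts_final }}"
  loop_control:
    loop_var: _proftpd_account
  notify: restart proftpd
  when:
    - proftpd_sftp_enable | bool
    - proftpd_sftp_use_publickeys | bool
    - _proftpd_account.sshkeys is defined
  tags:
    - proftpd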