proftpd: add FTPS and SFTP support

This commit is contained in:
Victor LABORIE 2019-01-24 11:47:03 +01:00
parent af896fe1fc
commit 2c874afb3c
6 changed files with 120 additions and 3 deletions


@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
* redis: add a variable for renamed/disabled commands
* redis: add a variable to disable the restart handler
* redis: add a variable to force a restart (even with no change)
* proftpd: add FTPS and SFTP support
### Changed
* redis: distinction between main and master password


@ -2,6 +2,13 @@
proftpd_hostname: "{{ ansible_hostname }}"
proftpd_fqdn: "{{ ansible_fqdn }}"
proftpd_default_address: []
proftpd_port: "21"
proftpd_ftp_enable: True
proftpd_port: 21
proftpd_ftps_enable: False
proftpd_ftps_port: 990
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
proftpd_sftp_enable: False
proftpd_sftp_port: 2222
proftpd_accounts: []
proftpd_accounts_final: []
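Review bot: `proftpd_ftp_enable: True`, `proftpd_ftps_enable: False` and `proftpd_sftp_enable: False` use capitalised booleans; Ansible's loader accepts them, but yamllint's `truthy` rule and YAML 1.2 tooling expect lowercase, so `proftpd_ftp_enable: true`, `proftpd_ftps_enable: false`, `proftpd_sftp_enable: false`. The new `proftpd_ftps_cert` / `proftpd_ftps_key` defaults point at the Debian snakeoil self-signed pair, which works as a placeholder but gives clients nothing to verify; a comment above them would make that explicit, e.g. `# self-signed placeholder; override with a real certificate/key before enabling FTPS`.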


@ -25,7 +25,7 @@
tags:
- proftpd
- name: Allow FTP account
- name: Allow FTP account (FTP)
lineinfile:
dest: /etc/proftpd/conf.d/z-evolinux.conf
state: present
@ -33,5 +33,30 @@
insertbefore: "DenyAll"
with_items: "{{ proftpd_accounts_final }}"
notify: restart proftpd
when: proftpd_ftp_enable
tags:
- proftpd
- name: Allow FTP account (FTPS)
lineinfile:
dest: /etc/proftpd/conf.d/ftps.conf
state: present
line: "\tAllowUser {{ item.name }}"
insertbefore: "DenyAll"
with_items: "{{ proftpd_accounts_final }}"
notify: restart proftpd
when: proftpd_ftps_enable
tags:
- proftpd
- name: Allow FTP account (SFTP)
lineinfile:
dest: /etc/proftpd/conf.d/sftp.conf
state: present
line: "\tAllowUser {{ item.name }}"
insertbefore: "DenyAll"
with_items: "{{ proftpd_accounts_final }}"
notify: restart proftpd
when: proftpd_sftp_enable
tags:
- proftpd
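Review bot: The two new lineinfile tasks ("Allow FTP account (FTPS)" and "(SFTP)") only ever add `AllowUser` lines (`state: present`), so an account removed from `proftpd_accounts_final` keeps its entry in ftps.conf and sftp.conf; this mirrors the existing FTP task in the same hunk, but the commit now replicates that gap across three files. If revocation is deliberately out of scope, a comment above the tasks should say so, e.g. `# accounts are only added here; revoking access means removing the AllowUser line by hand`. Otherwise a companion task with `state: absent` for names no longer in the list would close it.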


@ -15,13 +15,36 @@
tags:
- proftpd
- name: local jail is installed
- name: FTP jail is installed
template:
src: evolinux.conf.j2
dest: /etc/proftpd/conf.d/z-evolinux.conf
mode: "0644"
force: no
notify: restart proftpd
when: proftpd_ftp_enable
tags:
- proftpd
- name: FTPS jail is installed
template:
src: ftps.conf.j2
dest: /etc/proftpd/conf.d/ftps.conf
mode: "0644"
force: no
notify: restart proftpd
when: proftpd_ftps_enable
tags:
- proftpd
- name: SFTP jail is installed
template:
src: sftp.conf.j2
dest: /etc/proftpd/conf.d/sftp.conf
mode: "0644"
force: no
notify: restart proftpd
when: proftpd_sftp_enable
tags:
- proftpd
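Review bot: `force: no` on the new "FTPS jail is installed" and "SFTP jail is installed" tasks means ftps.conf and sftp.conf are written once and never refreshed, so later changes to `proftpd_ftps_cert`, `proftpd_ftps_key`, `proftpd_ftps_port` or `proftpd_sftp_port` are silently not applied on a host that already has the file. This looks intentional, since the account tasks edit those files in place with lineinfile, but nothing states it; suggest a comment above each task such as `# force: false — the file is edited in place by the "Allow FTP account" tasks; variable changes require removing it first`. Writing `force: false` instead of `no` would also satisfy yamllint's truthy rule; the pre-existing FTP jail task in this hunk has the same pattern.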


@ -0,0 +1,33 @@
<IfModule !mod_tls.c>
LoadModule mod_tls.c
</IfModule>
<VirtualHost 0.0.0.0>
TLSEngine on
TLSLog /var/log/proftpd/ftps.log
TLSProtocol TLSv1
TLSRSACertificateFile {{ proftpd_ftps_cert }}
TLSRSACertificateKeyFile {{ proftpd_ftps_key }}
#TLSOptions AllowClientRenegotiations
TLSOptions AllowPerUser
TLSVerifyClient off
TLSRequired off
TLSRenegotiate required off
TLSOptions NoSessionReuseRequired
RequireValidShell off
Port {{ proftpd_ftps_port }}
AuthUserFile /etc/proftpd/vpasswd
DefaultRoot ~
PassivePorts 60000 61000
<Limit LOGIN>
AllowGroup ftpusers
DenyAll
</Limit>
</VirtualHost>
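Review bot: `TLSProtocol TLSv1` inside the new `<VirtualHost>` limits mod_tls to TLS 1.0 only, a deprecated protocol that current clients refuse, and `TLSRequired off` on the same vhost lets a client authenticate against `AuthUserFile` in clear text on the FTPS port. Suggest `TLSProtocol TLSv1.2` (adding `TLSv1.3` where the ProFTPD/OpenSSL build supports it) and `TLSRequired on` so credentials and data are never sent unencrypted on port `{{ proftpd_ftps_port }}`; if plain-text fallback was intended for legacy clients, a comment next to `TLSRequired` should say so. A short comment above `TLSRSACertificateFile` noting that the default variable value is a self-signed placeholder would also help whoever deploys this.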


@ -0,0 +1,28 @@
<IfModule !mod_tls.c>
LoadModule mod_tls.c
</IfModule>
<IfModule !mod_sftp.c>
LoadModule mod_sftp.c
</IfModule>
<VirtualHost 0.0.0.0>
SFTPEngine on
Port {{ proftpd_sftp_port }}
DefaultRoot ~
SFTPLog /var/log/proftpd/sftp.log
SFTPAuthMethods password
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
SFTPHostKey /etc/ssh/ssh_host_rsa_key
RequireValidShell off
AuthUserFile /etc/proftpd/vpasswd
<Limit LOGIN>
AllowGroup ftpusers
DenyAll
</Limit>
</VirtualHost>
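Review bot: The `<IfModule !mod_tls.c>` / `LoadModule mod_tls.c` block at the top of sftp.conf is not used by anything in this file (only mod_sftp directives follow) and appears copied from ftps.conf; it can be dropped to keep the two templates independent. The two `SFTPHostKey` lines reuse the system sshd host keys, so this vhost presents the same host identity as OpenSSH on port 22 and depends on those root-owned files staying readable by ProFTPD at startup; a comment stating that the sharing is deliberate would avoid a later "fix", e.g. `# reuse sshd host keys on purpose: one host identity for port 22 and {{ proftpd_sftp_port }}`. `SFTPAuthMethods password` with `RequireValidShell off` is consistent with the FTPS vhost, but worth a comment that key-based logins are intentionally not offered.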