diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99ffac3f..9b05512b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
* redis: add a variable for renamed/disabled commands
* redis: add a variable to disable the restart handler
* redis: add a variable to force a restart (even with no change)
+* proftpd: add FTPS and SFTP support
### Changed
* redis: distinction between main and master password
diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml
index 8bba4c29..f955cd39 100644
--- a/proftpd/defaults/main.yml
+++ b/proftpd/defaults/main.yml
@@ -2,6 +2,13 @@
proftpd_hostname: "{{ ansible_hostname }}"
proftpd_fqdn: "{{ ansible_fqdn }}"
proftpd_default_address: []
-proftpd_port: "21"
+proftpd_ftp_enable: True
+proftpd_port: 21
+proftpd_ftps_enable: False
+proftpd_ftps_port: 990
+proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+proftpd_sftp_enable: False
+proftpd_sftp_port: 2222
proftpd_accounts: []
proftpd_accounts_final: []
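Review bot: The new flags are spelled `True`/`False`, which Ansible's YAML 1.1 loader accepts but yamllint's `truthy` rule flags; the canonical form is `proftpd_ftp_enable: true`, `proftpd_ftps_enable: false`, `proftpd_sftp_enable: false`. The FTPS certificate defaults point at Debian's self-signed snakeoil pair, so a deployment that only flips `proftpd_ftps_enable` on will serve a certificate no client can validate; a comment above `proftpd_ftps_cert` such as `# Debian self-signed placeholder: override with a CA-issued certificate before enabling FTPS` makes that explicit. Changing `proftpd_port` from the string `"21"` to the integer `21` also changes the variable's type for anyone comparing it in a template or override, which is worth a mention next to the changelog line.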
diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml
index b1563eaf..95098df2 100644
--- a/proftpd/tasks/accounts.yml
+++ b/proftpd/tasks/accounts.yml
@@ -25,7 +25,7 @@
tags:
- proftpd
-- name: Allow FTP account
+- name: Allow FTP account (FTP)
lineinfile:
dest: /etc/proftpd/conf.d/z-evolinux.conf
state: present
@@ -33,5 +33,30 @@
insertbefore: "DenyAll"
with_items: "{{ proftpd_accounts_final }}"
notify: restart proftpd
+ when: proftpd_ftp_enable
+ tags:
+ - proftpd
+
+- name: Allow FTP account (FTPS)
+ lineinfile:
+ dest: /etc/proftpd/conf.d/ftps.conf
+ state: present
+ line: "\tAllowUser {{ item.name }}"
+ insertbefore: "DenyAll"
+ with_items: "{{ proftpd_accounts_final }}"
+ notify: restart proftpd
+ when: proftpd_ftps_enable
+ tags:
+ - proftpd
+
+- name: Allow FTP account (SFTP)
+ lineinfile:
+ dest: /etc/proftpd/conf.d/sftp.conf
+ state: present
+ line: "\tAllowUser {{ item.name }}"
+ insertbefore: "DenyAll"
+ with_items: "{{ proftpd_accounts_final }}"
+ notify: restart proftpd
+ when: proftpd_sftp_enable
tags:
- proftpd
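Review bot: The three `Allow FTP account` tasks only ever add `AllowUser` lines (`state: present`), so an account dropped from `proftpd_accounts_final` keeps its access in `ftps.conf` and `sftp.conf` until someone edits the files by hand; unless the tasks above line 25 (outside this hunk) handle removal, revocation needs a companion task with `state: absent` or at least a comment stating that it is manual. The tasks differ only in `dest` and `when`, so the `line` and `insertbefore` values are now maintained in three places; folding them into one task that loops over the jail list, or a shared `vars:` block, would keep them from drifting apart.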
diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml
index 5fe33dbb..71b95e9b 100644
--- a/proftpd/tasks/main.yml
+++ b/proftpd/tasks/main.yml
@@ -15,13 +15,36 @@
tags:
- proftpd
-- name: local jail is installed
+- name: FTP jail is installed
template:
src: evolinux.conf.j2
dest: /etc/proftpd/conf.d/z-evolinux.conf
mode: "0644"
force: no
notify: restart proftpd
+ when: proftpd_ftp_enable
+ tags:
+ - proftpd
+
+- name: FTPS jail is installed
+ template:
+ src: ftps.conf.j2
+ dest: /etc/proftpd/conf.d/ftps.conf
+ mode: "0644"
+ force: no
+ notify: restart proftpd
+ when: proftpd_ftps_enable
+ tags:
+ - proftpd
+
+- name: SFTP jail is installed
+ template:
+ src: sftp.conf.j2
+ dest: /etc/proftpd/conf.d/sftp.conf
+ mode: "0644"
+ force: no
+ notify: restart proftpd
+ when: proftpd_sftp_enable
tags:
- proftpd
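Review bot: The FTPS and SFTP jail tasks copy `force: no` from the FTP task, so `ftps.conf` and `sftp.conf` are rendered once and never updated: later changes to `proftpd_ftps_port`, `proftpd_ftps_cert`, `proftpd_ftps_key` or `proftpd_sftp_port` never reach the running configuration, and `notify: restart proftpd` only fires on that first write. If that is intentional (site-local edits to the files are expected to survive), a comment on each task such as `# force: no — rendered once; local edits are kept, variable changes need a manual re-render` would save the next operator a debugging session. `no` is also a YAML 1.1 boolean spelling; `force: false` is the canonical form.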
diff --git a/proftpd/templates/ftps.conf.j2 b/proftpd/templates/ftps.conf.j2
new file mode 100644
index 00000000..ceec0631
--- /dev/null
+++ b/proftpd/templates/ftps.conf.j2
@@ -0,0 +1,33 @@
+
+ LoadModule mod_tls.c
+
+
+
+ TLSEngine on
+ TLSLog /var/log/proftpd/ftps.log
+ TLSProtocol TLSv1
+
+ TLSRSACertificateFile {{ proftpd_ftps_cert }}
+ TLSRSACertificateKeyFile {{ proftpd_ftps_key }}
+
+ #TLSOptions AllowClientRenegotiations
+
+ TLSOptions AllowPerUser
+ TLSVerifyClient off
+ TLSRequired off
+
+ TLSRenegotiate required off
+ TLSOptions NoSessionReuseRequired
+
+ RequireValidShell off
+ Port {{ proftpd_ftps_port }}
+ AuthUserFile /etc/proftpd/vpasswd
+ DefaultRoot ~
+
+ PassivePorts 60000 61000
+
+
+ AllowGroup ftpusers
+ DenyAll
+
+
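Review bot: `TLSProtocol TLSv1` restricts the FTPS vhost to TLS 1.0 only; current clients and OpenSSL builds refuse or disable that version, so the safer line is `TLSProtocol TLSv1.2` (adding `TLSv1.3` where the installed proftpd/OpenSSL supports it). `TLSRequired off` additionally allows a client on this port to log in without ever negotiating TLS, so credentials from `/etc/proftpd/vpasswd` can travel in clear on the vhost that is meant to be the encrypted one; `TLSRequired on` closes that, and for implicit FTPS on port 990 `TLSOptions UseImplicitSSL` is normally needed as well. The container directives (`<IfModule>`, `<VirtualHost>`, `<Limit LOGIN>`) that presumably wrap these lines are not visible in this view of the file, so they may have been stripped by rendering rather than be missing from the template.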
diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2
new file mode 100644
index 00000000..5f12ca9c
--- /dev/null
+++ b/proftpd/templates/sftp.conf.j2
@@ -0,0 +1,28 @@
+
+ LoadModule mod_tls.c
+
+
+
+ LoadModule mod_sftp.c
+
+
+
+ SFTPEngine on
+ Port {{ proftpd_sftp_port }}
+ DefaultRoot ~
+
+ SFTPLog /var/log/proftpd/sftp.log
+
+ SFTPAuthMethods password
+ SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
+ SFTPHostKey /etc/ssh/ssh_host_rsa_key
+
+ RequireValidShell off
+
+ AuthUserFile /etc/proftpd/vpasswd
+
+
+ AllowGroup ftpusers
+ DenyAll
+
+
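Review bot: `LoadModule mod_tls.c` at the top of sftp.conf.j2 looks carried over from ftps.conf.j2: mod_sftp does not depend on mod_tls, so the line is redundant when the FTPS jail is enabled and pointless when it is not, and can be dropped. `SFTPHostKey` reuses the OpenSSH host keys under `/etc/ssh`, which ties the SFTP service's identity to sshd's and requires proftpd to read those root-owned files at startup (mod_sftp, if I recall its check correctly, refuses key files readable by other users); a comment such as `# shares the sshd host identity; proftpd needs read access to these root-owned keys` would record that dependency. As with ftps.conf.j2, the `<IfModule>`/`<VirtualHost>`/`<Limit>` containers that presumably wrap this block are not visible here.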