From 2c874afb3ccec884105718b4946bee8791fb6622 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Thu, 24 Jan 2019 11:47:03 +0100
Subject: [PATCH] proftpd: add FTPS and SFTP support

---
 CHANGELOG.md | 1 +
 proftpd/defaults/main.yml | 9 ++++++++-
 proftpd/tasks/accounts.yml | 27 ++++++++++++++++++++++++++-
 proftpd/tasks/main.yml | 25 ++++++++++++++++++++++++-
 proftpd/templates/ftps.conf.j2 | 33 +++++++++++++++++++++++++++++++++
 proftpd/templates/sftp.conf.j2 | 28 ++++++++++++++++++++++++++++
 6 files changed, 120 insertions(+), 3 deletions(-)
 create mode 100644 proftpd/templates/ftps.conf.j2
 create mode 100644 proftpd/templates/sftp.conf.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99ffac3f..9b05512b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
 * redis: add a variable for renamed/disabled commands
 * redis: add a variable to disable the restart handler
 * redis: add a variable to force a restart (even with no change)
+* proftpd: add FTPS and SFTP support
 
 ### Changed
 * redis: distinction between main and master password
diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml
index 8bba4c29..f955cd39 100644
--- a/proftpd/defaults/main.yml
+++ b/proftpd/defaults/main.yml
@@ -2,6 +2,13 @@
 proftpd_hostname: "{{ ansible_hostname }}"
 proftpd_fqdn: "{{ ansible_fqdn }}"
 proftpd_default_address: []
-proftpd_port: "21"
+proftpd_ftp_enable: True
+proftpd_port: 21
+proftpd_ftps_enable: False
+proftpd_ftps_port: 990
+proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+proftpd_sftp_enable: False
+proftpd_sftp_port: 2222
 proftpd_accounts: []
 proftpd_accounts_final: []
diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml
index b1563eaf..95098df2 100644
--- a/proftpd/tasks/accounts.yml
+++ b/proftpd/tasks/accounts.yml
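Review bot: The new enable flags are written `True`/`False` while every other scalar in this file is lowercase; yamllint's truthy rule and YAML 1.2 parsers expect the canonical form, so `proftpd_ftp_enable: true`, `proftpd_ftps_enable: false` and `proftpd_sftp_enable: false` would be the consistent spelling. `proftpd_port` also changes type from the string `"21"` to the integer `21`, which any template or comparison that expected a string will notice — if this is intentional it deserves a line in the CHANGELOG entry. `proftpd_ftps_cert`/`proftpd_ftps_key` default to the Debian snakeoil self-signed certificate, which is fine as a placeholder but easy to forget; a comment such as `# self-signed placeholder — override proftpd_ftps_cert/proftpd_ftps_key with a real certificate` above `proftpd_ftps_cert` would make the expectation explicit.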
@@ -25,7 +25,7 @@ tags: - proftpd -- name: Allow FTP account +- name: Allow FTP account (FTP) lineinfile: dest: /etc/proftpd/conf.d/z-evolinux.conf state: present @@ -33,5 +33,30 @@ insertbefore: "DenyAll" with_items: "{{ proftpd_accounts_final }}" notify: restart proftpd + when: proftpd_ftp_enable + tags: + - proftpd + +- name: Allow FTP account (FTPS) + lineinfile: + dest: /etc/proftpd/conf.d/ftps.conf + state: present + line: "\tAllowUser {{ item.name }}" + insertbefore: "DenyAll" + with_items: "{{ proftpd_accounts_final }}" + notify: restart proftpd + when: proftpd_ftps_enable + tags: + - proftpd + +- name: Allow FTP account (SFTP) + lineinfile: + dest: /etc/proftpd/conf.d/sftp.conf + state: present + line: "\tAllowUser {{ item.name }}" + insertbefore: "DenyAll" + with_items: "{{ proftpd_accounts_final }}" + notify: restart proftpd + when: proftpd_sftp_enable tags: - proftpd diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 5fe33dbb..71b95e9b 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -15,13 +15,36 @@ tags: - proftpd -- name: local jail is installed +- name: FTP jail is installed template: src: evolinux.conf.j2 dest: /etc/proftpd/conf.d/z-evolinux.conf mode: "0644" force: no notify: restart proftpd + when: proftpd_ftp_enable + tags: + - proftpd + +- name: FTPS jail is installed + template: + src: ftps.conf.j2 + dest: /etc/proftpd/conf.d/ftps.conf + mode: "0644" + force: no + notify: restart proftpd + when: proftpd_ftps_enable + tags: + - proftpd + +- name: SFTP jail is installed + template: + src: sftp.conf.j2 + dest: /etc/proftpd/conf.d/sftp.conf + mode: "0644" + force: no + notify: restart proftpd + when: proftpd_sftp_enable tags: - proftpd diff --git a/proftpd/templates/ftps.conf.j2 b/proftpd/templates/ftps.conf.j2 new file mode 100644 index 00000000..ceec0631 --- /dev/null +++ b/proftpd/templates/ftps.conf.j2 
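Review bot: The three `Allow FTP account (…)` tasks only ever add `AllowUser` lines; when `proftpd_ftps_enable` or `proftpd_sftp_enable` is later set to false the task is simply skipped, so any `AllowUser` entries already written to `ftps.conf`/`sftp.conf` remain in place and, as far as this hunk shows, nothing revokes them. The same applies to an account dropped from `proftpd_accounts_final`, which matches the pre-existing behaviour of the plain-FTP task but now spans three files. The tasks are otherwise identical except for `dest` and `when`; a single task looping over a list of `{dest, enabled}` pairs would keep the per-jail `insertbefore: "DenyAll"` logic in one place, and a comment such as `# adds only — disabling a jail or removing an account does not remove its AllowUser line` above the first task would at least document the gap until it is closed.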
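Review bot: `FTPS jail is installed` and `SFTP jail is installed` are skipped when their flag is false, but there is no counterpart removing `/etc/proftpd/conf.d/ftps.conf` or `sftp.conf`, so a jail that was enabled once stays loaded by ProFTPD after `proftpd_ftps_enable`/`proftpd_sftp_enable` is switched back to false. A `file: state: absent` task per jail under `when: not proftpd_ftps_enable` (likewise for SFTP) with `notify: restart proftpd` would close that gap. All three template tasks also keep `force: no`, which means a jail file is rendered once and later changes to `ftps.conf.j2`/`sftp.conf.j2` (a tightened `TLSProtocol`, for example) never reach hosts that already have the file; a comment such as `# force: no — local edits win; template changes are not re-applied to existing hosts` would make that trade-off visible to the next maintainer.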
@@ -0,0 +1,33 @@ + + LoadModule mod_tls.c + + + + TLSEngine on + TLSLog /var/log/proftpd/ftps.log + TLSProtocol TLSv1 + + TLSRSACertificateFile {{ proftpd_ftps_cert }} + TLSRSACertificateKeyFile {{ proftpd_ftps_key }} + + #TLSOptions AllowClientRenegotiations + + TLSOptions AllowPerUser + TLSVerifyClient off + TLSRequired off + + TLSRenegotiate required off + TLSOptions NoSessionReuseRequired + + RequireValidShell off + Port {{ proftpd_ftps_port }} + AuthUserFile /etc/proftpd/vpasswd + DefaultRoot ~ + + PassivePorts 60000 61000 + + + AllowGroup ftpusers + DenyAll + + diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 new file mode 100644 index 00000000..5f12ca9c --- /dev/null +++ b/proftpd/templates/sftp.conf.j2 @@ -0,0 +1,28 @@ + + LoadModule mod_tls.c + + + + LoadModule mod_sftp.c + + + + SFTPEngine on + Port {{ proftpd_sftp_port }} + DefaultRoot ~ + + SFTPLog /var/log/proftpd/sftp.log + + SFTPAuthMethods password + SFTPHostKey /etc/ssh/ssh_host_ecdsa_key + SFTPHostKey /etc/ssh/ssh_host_rsa_key + + RequireValidShell off + + AuthUserFile /etc/proftpd/vpasswd + + + AllowGroup ftpusers + DenyAll + +
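Review bot: `TLSRequired off` in the FTPS vhost lets a client log in on this port without ever negotiating TLS, so the `AuthUserFile /etc/proftpd/vpasswd` credentials can still travel in cleartext on what is presented as the encrypted service; `TLSRequired on` is the setting that makes the jail actually require it. Port 990 is conventionally implicit FTPS, yet nothing here sets `TLSOptions UseImplicitSSL`, so clients that expect an immediate TLS handshake on `proftpd_ftps_port` will fail while explicit-mode clients may skip TLS entirely — one of the two behaviours should be chosen deliberately and commented. `TLSProtocol TLSv1` is also narrow: on recent ProFTPD releases the bare `TLSv1` keyword selects TLS 1.0 only (confirm against the version the role targets), so `TLSProtocol TLSv1.2` or newer is the expected value for a new deployment. `PassivePorts 60000 61000` is hard-coded while the listening port is a variable; exposing it as a default (e.g. a `proftpd_ftps_passive_ports` variable) or noting the range in `defaults/main.yml` would help whoever has to open the matching firewall range. The `IfModule`/`VirtualHost` container tags appear to have been stripped in this rendering of the hunk, so the vhost boundaries cannot be verified here.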
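Review bot: `SFTPHostKey /etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_rsa_key` reuse the OpenSSH server's identity for the ProFTPD SFTP service; anyone who has pinned the SSH host key implicitly trusts this service too, and rotating one rotates both, so dedicated keys (generated by the role under `/etc/proftpd/`, or at least a `proftpd_sftp_host_keys` variable) would keep the two services independent. Reading those root-only key files also depends on ProFTPD opening them while still privileged, and on both files existing on every target image — worth confirming rather than assuming. `SFTPAuthMethods password` limits the jail to password logins, which fits the `AuthUserFile /etc/proftpd/vpasswd` model but rules out key-based auth; a comment such as `# password-only: accounts come from AuthUserFile, no SFTPAuthorizedUserKeys` above it would state that choice. `LoadModule mod_tls.c` is loaded here although nothing in this file uses TLS; only `mod_sftp.c` is needed for SFTP. As with the FTPS template, the container tags appear stripped in this rendering, so the `IfModule`/`VirtualHost` structure cannot be checked.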