proftpd: add whitelist ip in virtualhost sftp

CHANGELOG.md

@@ -35,6 +35,7 @@ The **patch** part is incremented if multiple releases happen the same month
 * autosysadmin-restart_nrpe: add role
 * certbot: Renewal hook for NRPE
 * kvm-host: add minifirewall rules if DRBD interface is configured
+* proftpd: add whitelist ip
 
 ### Changed
 

proftpd/tasks/accounts.yml

@@ -61,6 +61,27 @@
   tags:
     - proftpd
 
+- name: Whitelist ip for users (SFTP)
+  ansible.builtin.blockinfile:
+    dest: /etc/proftpd/conf.d/sftp.conf
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - Whitelist ip for users"
+    block: |
+      {% for user in proftpd_accounts_final %}
+      {% if user.group is defined %}
+      <IfUser {{ user.name }}>
+          <Limit LOGIN>
+      {% for ip in proftpd_sftp_ips_whitelist[user.group] %}
+              Allow from {{ ip }}
+      {% endfor %}
+              DenyAll
+          </Limit>
+      </IfUser>
+      {% endif %}
+      {% endfor %}
+    insertbefore: "</IfModule>"
+  notify: restart proftpd
+  when: proftpd_sftp_enable_user_whitelist | bool  
+
 - name: Allow keys for SFTP account
   ansible.builtin.template:
     dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}"