From eda69725d551c349b351a75244bfd6b03816c158 Mon Sep 17 00:00:00 2001
From: Eric Morino
Date: Fri, 15 Mar 2024 09:19:55 +0100
Subject: [PATCH] proftpd: add whitelist ip in virtualhost sftp

---
 CHANGELOG.md | 1 +
 proftpd/tasks/accounts.yml | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 908d890d..f305b5a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ The **patch** part is incremented if multiple releases happen the same month
 * autosysadmin-restart_nrpe: add role
 * certbot: Renewal hook for NRPE
 * kvm-host: add minifirewall rules if DRBD interface is configured
+* proftpd: add whitelist ip

 ### Changed

diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml
index fc97b55b..11b2f60d 100644
--- a/proftpd/tasks/accounts.yml
+++ b/proftpd/tasks/accounts.yml
@@ -61,6 +61,27 @@
 tags:
 - proftpd

+- name: Whitelist ip for users (SFTP)
+ ansible.builtin.blockinfile:
+ dest: /etc/proftpd/conf.d/sftp.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK - Whitelist ip for users"
+ block: |
+ {% for user in proftpd_accounts_final %}
+ {% if user.group is defined %}
+
+
+ {% for ip in proftpd_sftp_ips_whitelist[user.group] %}
+ Allow from {{ ip }}
+ {% endfor %}
+ DenyAll
+
+
+ {% endif %}
+ {% endfor %}
+ insertbefore: ""
+ notify: restart proftpd
+ when: proftpd_sftp_enable_user_whitelist | bool
+
 - name: Allow keys for SFTP account
 ansible.builtin.template:
 dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}"
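Review bot: The new blockinfile task in the accounts.yml hunk is guarded by `when: proftpd_sftp_enable_user_whitelist | bool`, so once the block has been written, setting the flag to false only skips the task and the Allow/DenyAll limits stay in /etc/proftpd/conf.d/sftp.conf; driving `state` from the flag removes them when the feature is turned off — replace the `when:` line with `state: "{{ 'present' if proftpd_sftp_enable_user_whitelist | bool else 'absent' }}"` under `ansible.builtin.blockinfile`. Neither `proftpd_sftp_enable_user_whitelist` nor `proftpd_sftp_ips_whitelist` is introduced by this commit (the diffstat lists only CHANGELOG.md and accounts.yml), so unless they already exist in the role defaults the task fails on an undefined variable, and `proftpd_sftp_ips_whitelist[user.group]` likewise fails for any group missing from the mapping — `{% for ip in proftpd_sftp_ips_whitelist[user.group] | default([]) %}` would instead render a deny-only limit for that group. Accounts without a `group` key get no limit at all because of the `{% if user.group is defined %}` guard; if that is intended, a comment such as `# accounts without a group are not restricted by the whitelist` above the task would make it explicit. The empty `+` lines and `insertbefore: ""` look like tags stripped by page extraction rather than the committed content, so the exact directives wrapping the Allow/DenyAll lines could not be checked here.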