100 lines
2.7 KiB
YAML
100 lines
2.7 KiB
YAML
---
|
|
- ansible.builtin.include: accounts_password.yml
|
|
when: item.password is undefined
|
|
loop: "{{ proftpd_accounts }}"
|
|
tags:
|
|
- proftpd
|
|
|
|
- ansible.builtin.set_fact:
|
|
proftpd_accounts_final: "{{ proftpd_accounts_final + [ item ] }}"
|
|
when: item.password is defined
|
|
loop: "{{ proftpd_accounts }}"
|
|
tags:
|
|
- proftpd
|
|
|
|
- name: Create FTP account
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/proftpd/vpasswd
|
|
state: present
|
|
create: yes
|
|
mode: "0440"
|
|
line: "{{ item.name | mandatory }}:{{ item.password }}:{{ item.uid }}:{{ item.gid }}::{{ item.home | mandatory }}:/bin/false"
|
|
regexp: "^{{ item.name }}:.*"
|
|
loop: "{{ proftpd_accounts_final }}"
|
|
notify: restart proftpd
|
|
tags:
|
|
- proftpd
|
|
|
|
- name: Allow FTP account (FTP)
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
|
state: present
|
|
line: "\tAllowUser {{ item.name }}"
|
|
insertbefore: "DenyAll"
|
|
loop: "{{ proftpd_accounts_final }}"
|
|
notify: restart proftpd
|
|
when: proftpd_ftp_enable | bool
|
|
tags:
|
|
- proftpd
|
|
|
|
- name: Allow FTP account (FTPS)
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/proftpd/conf.d/ftps.conf
|
|
state: present
|
|
line: "\tAllowUser {{ item.name }}"
|
|
insertbefore: "DenyAll"
|
|
loop: "{{ proftpd_accounts_final }}"
|
|
notify: restart proftpd
|
|
when: proftpd_ftps_enable | bool
|
|
tags:
|
|
- proftpd
|
|
|
|
- name: Allow FTP account (SFTP)
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/proftpd/conf.d/sftp.conf
|
|
state: present
|
|
line: "\tAllowUser {{ item.name }}"
|
|
insertbefore: "DenyAll"
|
|
loop: "{{ proftpd_accounts_final }}"
|
|
notify: restart proftpd
|
|
when: proftpd_sftp_enable | bool
|
|
tags:
|
|
- proftpd
|
|
|
|
- name: Whitelist ip for users (SFTP)
|
|
ansible.builtin.blockinfile:
|
|
dest: /etc/proftpd/conf.d/sftp.conf
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK - Whitelist ip for users"
|
|
block: |
|
|
{% for user in proftpd_accounts_final %}
|
|
{% if user.group is defined %}
|
|
<IfUser {{ user.name }}>
|
|
<Limit LOGIN>
|
|
{% for ip in proftpd_sftp_ips_whitelist[user.group] %}
|
|
Allow from {{ ip }}
|
|
{% endfor %}
|
|
DenyAll
|
|
</Limit>
|
|
</IfUser>
|
|
{% endif %}
|
|
{% endfor %}
|
|
insertbefore: "</IfModule>"
|
|
notify: restart proftpd
|
|
when: proftpd_sftp_enable_user_whitelist | bool
|
|
|
|
- name: Allow keys for SFTP account
|
|
ansible.builtin.template:
|
|
dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}"
|
|
src: authorized_keys.j2
|
|
mode: 0644
|
|
loop: "{{ proftpd_accounts_final }}"
|
|
loop_control:
|
|
loop_var: _proftpd_account
|
|
notify: restart proftpd
|
|
when:
|
|
- proftpd_sftp_enable | bool
|
|
- proftpd_sftp_use_publickeys | bool
|
|
- _proftpd_account.sshkeys is defined
|
|
tags:
|
|
- proftpd
|