From 89b4408e0b91ee670bda0c6ea5a1f9d183e2504a Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Thu, 30 Sep 2021 18:06:45 +0200
Subject: ftp: add role
---
 roles/ftp/Readme.md | 25 +++++++++++++++++
 roles/ftp/defaults/main.yml | 15 ++++++++++
 roles/ftp/files/pure-ftpd-custom.service | 12 ++++++++
 roles/ftp/handlers/main.yml | 7 +++++
 roles/ftp/tasks/main.yml | 36 ++++++++++++++++++++++++
 roles/ftp/templates/ldap.conf.j2 | 15 ++++++++++
 roles/ftp/templates/pure-ftpd.conf.j2 | 48 ++++++++++++++++++++++++++++++++
 7 files changed, 158 insertions(+)
 create mode 100644 roles/ftp/Readme.md
 create mode 100644 roles/ftp/defaults/main.yml
 create mode 100644 roles/ftp/files/pure-ftpd-custom.service
 create mode 100644 roles/ftp/handlers/main.yml
 create mode 100644 roles/ftp/tasks/main.yml
 create mode 100644 roles/ftp/templates/ldap.conf.j2
 create mode 100644 roles/ftp/templates/pure-ftpd.conf.j2
(limited to 'roles/ftp')
diff --git a/roles/ftp/Readme.md b/roles/ftp/Readme.md
new file mode 100644
index 0000000..e68df3a
--- /dev/null
+++ b/roles/ftp/Readme.md
@@ -0,0 +1,25 @@
+# FTP
+
+Simple PB for pure-ftpd FTP server.
+
+LDAP mode is untested.
+
+Creates a new unit, the Debian wrapper for pure-ftpd is stupid to automate.
+
+```
+---
+ftp:
+ ldap:
+ enable: false
+ host: 'ldap.example.com'
+ port: 636
+ bind_dn: ''
+ bind_pw: ''
+ base: ''
+ filter: '(&(objectClass=posixAccount)(uid=\L))'
+ enable_pam: false
+ tls:
+ enable: false
+ cert: ''
+ key: ''
+```
diff --git a/roles/ftp/defaults/main.yml b/roles/ftp/defaults/main.yml
new file mode 100644
index 0000000..e5142ba
--- /dev/null
+++ b/roles/ftp/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+ftp:
+ ldap:
+ enable: false
+ host: 'ldap.example.com'
+ port: 636
+ bind_dn: ''
+ bind_pw: ''
+ base: ''
+ filter: '(&(objectClass=posixAccount)(uid=\L))'
+ enable_pam: false
+ tls:
+ enable: false
+ cert: ''
+ key: ''
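Review bot: `bind_pw: ''` in defaults/main.yml sits among ordinary tunables with nothing marking it as a credential, although `ldap.conf.j2` writes it verbatim into `LDAPBindPW`; an operator who fills it in from plain inventory ends up with the bind password in cleartext in the repository. A comment on that line would make the expectation explicit, e.g. `bind_pw: ''  # secret: supply from an ansible-vault encrypted variable, not plain inventory`. The Readme snippet above repeats the same key and could carry the same remark.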
diff --git a/roles/ftp/files/pure-ftpd-custom.service b/roles/ftp/files/pure-ftpd-custom.service
new file mode 100644
index 0000000..da5b712
--- /dev/null
+++ b/roles/ftp/files/pure-ftpd-custom.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Pure FTPd
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=/usr/sbin/pure-ftpd-ldap /etc/pure-ftpd/pure-ftpd.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ftp/handlers/main.yml b/roles/ftp/handlers/main.yml
new file mode 100644
index 0000000..256b7b0
--- /dev/null
+++ b/roles/ftp/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart
+ systemd:
+ name: pure-ftpd-custom.service
+ enabled: yes
+ state: restarted
+ become: yes
diff --git a/roles/ftp/tasks/main.yml b/roles/ftp/tasks/main.yml
new file mode 100644
index 0000000..c3135ee
--- /dev/null
+++ b/roles/ftp/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Install FTP
+ apt:
+ name:
+ - pure-ftpd-ldap
+ become: yes
+
+- name: Install Config
+ template:
+ src: pure-ftpd.conf.j2
+ dest: /etc/pure-ftpd/pure-ftpd.conf
+ become: yes
+ notify: restart
+
+- name: Install Config
+ template:
+ src: ldap.conf.j2
+ dest: /etc/pure-ftpd/db/ldap.conf
+ mode: '0600'
+ when: ftp.ldap.enable
+ become: yes
+ notify: restart
+
+- name: Remove original systemd unit
+ systemd:
+ name: pure-ftpd-ldap.service
+ state: stopped
+ enabled: no
+ become: yes
+
+- name: Install custom unit file
+ copy:
+ src: pure-ftpd-custom.service
+ dest: /etc/systemd/system/pure-ftpd-custom.service
+ become: yes
+ notify: restart
diff --git a/roles/ftp/templates/ldap.conf.j2 b/roles/ftp/templates/ldap.conf.j2
new file mode 100644
index 0000000..33b663f
--- /dev/null
+++ b/roles/ftp/templates/ldap.conf.j2
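Review bot: `After=syslog.target` in the [Unit] section names a target that has been obsolete in systemd for years, so the line is a no-op and can be dropped; `After=network.target` is the ordering that matters here. `Restart=no` together with `Type=simple` means a crashed daemon stays down until someone notices the failed unit. If that is deliberate, a comment such as `# Restart=no: a crash should surface as a failed unit, not a silent restart loop` would record the intent; otherwise `Restart=on-failure` is the usual choice for a network service.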
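Review bot: The `restart` handler drives the `systemd:` module without `daemon_reload: yes`, yet it is notified by the task that copies `pure-ftpd-custom.service` into /etc/systemd/system; when that unit file changes on a host that has already loaded it, systemd restarts the stale definition and only warns that the unit changed on disk. Adding `daemon_reload: yes` next to `enabled: yes` makes the handler pick up the copied unit before restarting. A more specific handler name than `restart` (for example `restart pure-ftpd`) would also avoid colliding with same-named handlers from other roles in the same play.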
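Review bot: The task that renders `ldap.conf.j2` has no `no_log: true`, so with `--diff` or in check mode Ansible prints the rendered file, `LDAPBindPW` included, to the controller output and to any log collection that ships it; `mode: '0600'` protects the file on disk but not the run output. Add `no_log: true` (or at minimum `diff: false`) to that task. The two template tasks both carry the name `Install Config`, which makes play output and `--start-at-task` ambiguous; naming them after what they install, e.g. `Install pure-ftpd config` and `Install LDAP config`, costs nothing.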
@@ -0,0 +1,15 @@
+# Managed by Ansible. Do NOT change.
+
+LDAPScheme ldaps
+LDAPServer {{ ftp.ldap.host }}
+LDAPPort {{ ftp.ldap.port }}
+LDAPVersion 3
+
+LDAPBaseDN {{ ftp.ldap.base }}
+
+LDAPBindDN {{ ftp.ldap.bind_dn }}
+LDAPBindPW {{ ftp.ldap.bind_pw }}
+
+LDAPAuthMethod BIND
+
+LDAPFilter {{ ftp.ldap.filter }}
diff --git a/roles/ftp/templates/pure-ftpd.conf.j2 b/roles/ftp/templates/pure-ftpd.conf.j2
new file mode 100644
index 0000000..9faccf5
--- /dev/null
+++ b/roles/ftp/templates/pure-ftpd.conf.j2
@@ -0,0 +1,48 @@
+# Managed by Ansible. Do NOT change.
+
+ChrootEveryone yes
+BrokenClientsCompatibility no
+MaxClientsNumber 50
+Daemonize no
+MaxClientsPerIP 8
+VerboseLog yes
+DisplayDotFiles yes
+AnonymousOnly no
+NoAnonymous yes
+#SyslogFacility ftp
+DontResolve yes
+MaxIdleTime 15
+
+{% if ftp.ldap.enable %}
+LDAPConfigFile /etc/pure-ftpd/db/ldap.conf
+{% endif %}
+
+{% if ftp.enable_pam %}
+PAMAuthentication yes
+{% endif %}
+
+{% if ftp.tls.enable %}
+TLS 2
+TLSCipherSuite HIGH
+CertFileAndKey "{{ ftp.tls.cert }}" "{{ ftp.tls.key }}"
+{% endif %}
+
+LimitRecursion 10000 8
+AnonymousCanCreateDirs no
+MaxLoad 4
+AntiWarez yes
+
+# File creation mask. : .
+# 177:077 if you feel paranoid.
+Umask 177:077
+
+MinUID 100
+AllowUserFXP no
+AllowAnonymousFXP no
+ProhibitDotFilesWrite no
+ProhibitDotFilesRead no
+AutoRename no
+AnonymousCantUpload yes
+CreateHomeDir yes
+MaxDiskUsage 99
+CustomerProof yes
-- 
cgit v1.2.3
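Review bot: `LDAPScheme ldaps` is hard-coded while `LDAPPort` is taken from `ftp.ldap.port`, so setting `port: 389` does not switch the role to plain LDAP, the connection is still configured as LDAPS; that is the safe direction, but the coupling is invisible from the defaults file. A comment above the two lines would settle it, e.g. `# Scheme is fixed to ldaps; ftp.ldap.port must be the server's LDAPS port (636 by default).` The template also writes `LDAPBindPW` in cleartext, which is acceptable only because the installing task sets `mode: '0600'`; a one-line note next to it naming that dependency would keep a later edit of tasks/main.yml from dropping the mode unnoticed.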
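Review bot: With the default `ftp.tls.enable: false` the `{% if ftp.tls.enable %}` block is skipped and no `TLS` directive is written at all, so the server as shipped accepts logins and transfers in cleartext; `ChrootEveryone yes` and `NoAnonymous yes` do not change that. A comment above the block such as `# Without ftp.tls.enable pure-ftpd runs without TLS: credentials and file data cross the network unencrypted.` would make the default visible, and the Readme could say the same. When both `ftp.ldap.enable` and `ftp.enable_pam` are false the rendered file names no authentication backend, so it is also worth documenting which backend pure-ftpd falls back to in that configuration rather than leaving it implicit.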