first commit

README.md

@@ -0,0 +1,22 @@
+# geekoops-pureftpd
+
+Install and configure the secure `PureFTPd` server.
+
+## Role Variables
+
+
+## Example Playbook
+
+    - hosts: jellyfish
+      roles:
+         - { role: geekoops-pureftp }
+
+## License
+
+MIT
+
+## Author Information
+
+phoenix
+
+Have a lot of fun!

defaults/main.yml

@@ -0,0 +1,28 @@
+---
+# defaults file for geekoops-pureftpd
+
+config_firewall: false
+firewall_zone: "public"
+
+
+
+MaxClientsNumber: 10
+MaxClientsPerIP: 3
+AnonymousOnly: "yes"
+PAMAuthentication: "no"
+NoAnonymous: "no"
+MaxIdleTime: "5"
+MaxLoad: "4"
+# PassivePortRange
+PassivePortMin: 30000
+PassivePortMax: 30100
+ForcePassiveIP: ""
+# Bind Address,Port (e.g. 127.0.0.1,21)
+Bind: ""
+# Max Bandwidth for all users in KB/s
+Bandwidth: ""
+TrustedIP: ""
+MaxUserSessions: 3
+MaxAnonSessions: 20
+IPV4Only: "no"
+IPV6Only: "no"

handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# handlers file for geekoops-pureftpd
+
+
+- name: restart pureftpd
+  service:
+    name: "{{pureftpd_service}}"
+    state: restarted
+
+- name: reload firewalld
+  shell: firewall-cmd --reload

meta/main.yml

@@ -0,0 +1,18 @@
+galaxy_info:
+  author: Felix Niederwanger
+  description: Install and configure PureFTPd
+  company: SUSE
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: MIT
+
+  min_ansible_version: 2.9
+
+  platforms:
+    - name: opensuse
+      versions:
+        - 15.2
+
+  galaxy_tags: ['ftp']
+
+dependencies: []

tasks/firewall.yml

@@ -0,0 +1,21 @@
+---
+# Configure firewall
+
+- name: Ensure ftp service is enabled
+  firewalld:
+    zone: "{{firewall_zone}}"
+    service: ftp
+    permanent: true
+    state: enabled
+  notify: reload firewalld
+  tags: ['ftp', 'firewall']
+
+- name: Enable passive ftp range
+  firewalld:
+    zone: "{{firewall_zone}}"
+    port: "{{PassivePortMin}}-{{PassivePortMax}}/tcp"
+    permanent: true
+    state: enabled
+  notify: reload firewalld
+  tags: ['ftp', 'firewall']
+  when: PassivePortMin > 0 and PassivePortMax > 0

tasks/main.yml

@@ -0,0 +1,31 @@
+---
+# tasks file for geekoops-pureftpd
+
+# Distribution specific vars are ALWAYS needed, so don't forget the tags here
+- name: include distribution specific vars
+  include_vars: "{{ansible_distribution}}_{{ansible_distribution_version}}.yml"
+  tags: ['ftp']
+
+
+- name: Ensure PureFTPd is installed
+  package:
+    name: "{{ packages }}"
+    state: present
+  tags: ['ftp']
+- name: Configure PureFTPd
+  template:
+    src: pure-ftpd.conf.j2
+    dest: /etc/pure-ftpd/pure-ftpd.conf
+    owner: root
+    group: root
+    mode: 0744
+  notify: restart pureftpd
+- name: Ensure PureFTPd service is enabled
+  systemd:
+    name: "{{pureftpd_service}}"
+    state: started
+    enabled: true
+  tags: ['ftp', 'systemd']
+
+- include: firewall.yml
+  when: config_firewall == true

templates/pure-ftpd.conf.j2

@@ -0,0 +1,395 @@
+
+############################################################
+#                                                          #
+#             Configuration file for pure-ftpd             #
+# Managed by the geekoops-pureftp ansible role.            #
+# Please don't edit manually, as your changes will be      #
+# overwritten                                              #
+#                                                          #
+############################################################
+
+# Online documentation:
+# https://www.pureftpd.org/project/pure-ftpd/doc
+
+
+# Restrict users to their home directory
+ChrootEveryone               yes
+
+# If the previous option is set to "no", members of the following group
+# won't be restricted. Others will be. If you don't want chroot()ing anyone,
+# just comment out ChrootEveryone and TrustedGID.
+
+# TrustedGID                   100
+
+# Turn on compatibility hacks for broken clients
+
+BrokenClientsCompatibility   no
+
+# Maximum number of simultaneous users
+
+MaxClientsNumber             {{MaxClientsNumber}}
+
+# Run as a background process, do not change as systemd needs this to be
+# foreground
+
+Daemonize                    no
+
+
+
+# Maximum number of simultaneous clients with the same IP address
+
+MaxClientsPerIP              {{MaxClientsPerIP}}
+
+
+
+# If you want to log all client commands, set this to "yes".
+# This directive can be specified twice to also log server responses.
+
+VerboseLog                   no
+
+
+# Allow dot-files
+AllowDotFiles               yes
+
+
+# List dot-files even when the client doesn't send "-a".
+
+DisplayDotFiles              yes
+
+
+
+# Disallow authenticated users - Act only as a public FTP server.
+
+AnonymousOnly                {{AnonymousOnly}}
+
+
+
+# Disallow anonymous connections. Only accept authenticated users.
+
+NoAnonymous                  {{NoAnonymous}}
+
+
+
+# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
+# The default facility is "ftp". "none" disables logging.
+
+SyslogFacility               ftp
+
+
+
+# Display fortune cookies
+
+# FortunesFile                 /usr/share/fortune/zippy
+
+
+
+# Don't resolve host names in log files. Recommended unless you trust
+# reverse host names, and don't care about DNS resolution being possibly slow.
+
+DontResolve                  yes
+
+
+
+# Maximum idle time in minutes (default = 15 minutes)
+
+MaxIdleTime                  {{MaxIdleTime}}
+
+
+# If you want to enable PAM authentication, uncomment the following line
+
+PAMAuthentication            {{PAMAuthentication}}
+
+
+
+# If you want simple Unix (/etc/passwd) authentication, uncomment this
+
+UnixAuthentication           no
+
+
+# 'ls' recursion limits. The first argument is the maximum number of
+# files to be displayed. The second one is the max subdirectories depth.
+
+LimitRecursion               1000 8
+
+
+
+# Are anonymous users allowed to create new directories?
+
+AnonymousCanCreateDirs       no
+
+
+
+# If the system load is greater than the given value, anonymous users
+# aren't allowed to download.
+
+MaxLoad                      {{MaxLoad}}
+
+
+
+# Port range for passive connections - keep it as broad as possible.
+
+PassivePortRange             {{PassivePortMin}} {{PassivePortMax}}
+
+
+
+# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
+# Symbolic host names are also accepted for gateways with dynamic IP
+# addresses.
+{% if ForcePassiveIP != "" %}
+ForcePassiveIP               {{ForcePassiveIP}}
+{% endif %}
+
+
+
+# Disallow downloads of files owned by the "ftp" system user;
+# files that were uploaded but not validated by a local admin.
+
+AntiWarez                    no
+
+
+
+# IP address/port to listen to (default=all IP addresses, port 21).
+
+{% if Bind != "" %}
+Bind                         {{Bind}}
+{% endif %}
+
+
+
+# Maximum bandwidth for all users in KB/s
+
+{% if Bandwidth != "" %}
+UserBandwidth           {{Bandwidth}}
+{% endif %}
+
+
+# File creation mask. <umask for files>:<umask for dirs> .
+# 177:077 if you feel paranoid.
+
+Umask                        177:077
+
+
+
+# Minimum UID for an authenticated user to log in.
+
+MinUID                       1000
+
+
+
+# Allow FXP transfers for authenticated users.
+
+AllowUserFXP                 no
+
+
+
+# Allow anonymous FXP for anonymous and non-anonymous users.
+
+AllowAnonymousFXP            no
+
+
+
+# Users can't delete/write files starting with a dot ('.')
+# even if they own them. But if TrustedGID is enabled, that group
+# will exceptionally have access to dot-files.
+
+ProhibitDotFilesWrite        no
+
+
+
+# Prohibit *reading* of files starting with a dot (.history, .ssh...)
+
+ProhibitDotFilesRead         no
+
+
+
+# Don't overwrite files. When a file whose name already exist is uploaded,
+# it gets automatically renamed to file.1, file.2, file.3, ...
+
+AutoRename                   no
+
+
+
+# Prevent anonymous users from uploading new files (no = upload is allowed)
+
+AnonymousCantUpload          yes
+
+
+
+# Only connections to this specific IP address are allowed to be
+# non-anonymous. You can use this directive to open several public IPs for
+# anonymous FTP, and keep a private firewalled IP for remote administration.
+# You can also only allow a non-routable local IP (such as 10.x.x.x) for
+# authenticated users, and run a public anon-only FTP server on another IP.
+
+{% if TrustedIP != "" %}
+TrustedIP                    {{TrustedIP}}
+{% endif %}
+
+
+
+# To add the PID to log entries, uncomment the following line.
+
+# LogPID                       yes
+
+
+
+# Create an additional log file with transfers logged in a Apache-like format :
+# fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
+# This log file can then be processed by common HTTP traffic analyzers.
+
+# AltLog                       clf:/var/log/pureftpd.log
+
+
+
+# Create an additional log file with transfers logged in a format optimized
+# for statistic reports.
+
+# AltLog                       stats:/var/log/pureftpd.log
+
+
+
+# Create an additional log file with transfers logged in the standard W3C
+# format (compatible with many HTTP log analyzers)
+
+# AltLog                       w3c:/var/log/pureftpd.log
+
+
+
+# Disallow the CHMOD command. Users cannot change perms of their own files.
+
+# NoChmod                      yes
+
+
+
+# Allow users to resume/upload files, but *NOT* to delete them.
+
+# KeepAllFiles                 yes
+
+
+
+# Automatically create home directories if they are missing
+
+CreateHomeDir                  no
+
+
+
+# Enable virtual quotas. The first value is the max number of files.
+# The second value is the maximum size, in megabytes.
+# So 1000:10 limits every user to 1000 files and 10 MB.
+
+# Quota                        1000:10
+
+
+
+# If your pure-ftpd has been compiled with standalone support, you can change
+# the location of the pid file. The default is /var/run/pure-ftpd.pid
+
+# PIDFile                      /var/run/pure-ftpd.pid
+
+
+
+# If your pure-ftpd has been compiled with pure-uploadscript support,
+# this will make pure-ftpd write info about new uploads to
+# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
+# spawn a script to handle the upload.
+# Don't enable this option if you don't actually use pure-uploadscript.
+
+# CallUploadScript             yes
+
+
+
+# This option is useful on servers where anonymous upload is
+# allowed. When the partition is more that percententage full,
+# new uploads are disallowed.
+
+MaxDiskUsage                   95
+
+
+
+# Set to 'yes' to prevent users from renaming files.
+
+# NoRename                     yes
+
+
+
+# Be 'customer proof': forbids common customer mistakes such as
+# 'chmod 0 public_html', that are valid, but can cause customers to
+# unintentionally shoot themselves in the foot.
+
+CustomerProof                yes
+
+
+
+# Per-user concurrency limits. Will only work if the FTP server has
+# been compiled with --with-peruserlimits.
+# Format is: <max sessions per user>:<max anonymous sessions>
+# For example, 3:20 means that an authenticated user can have up to 3 active
+# sessions, and that up to 20 anonymous sessions are allowed.
+
+PerUserLimits                {{MaxUserSessions}}:{{MaxAnonSessions}}
+
+
+
+# When a file is uploaded and there was already a previous version of the file
+# with the same name, the old file will neither get removed nor truncated.
+# The file will be stored under a temporary name and once the upload is
+# complete, it will be atomically renamed. For example, when a large PHP
+# script is being uploaded, the web server will keep serving the old version and
+# later switch to the new one as soon as the full file will have been
+# transferred. This option is incompatible with virtual quotas.
+
+# NoTruncate                   yes
+
+
+
+# This option accepts three values:
+# 0: disable SSL/TLS encryption layer (default).
+# 1: accept both cleartext and encrypted sessions.
+# 2: refuse connections that don't use the TLS security mechanism,
+#    including anonymous sessions.
+# Do _not_ uncomment this blindly. Double check that:
+# 1) The server has been compiled with TLS support (--with-tls),
+# 2) A valid certificate is in place,
+# 3) Only compatible clients will log in.
+
+# TLS                          1
+
+
+# Cipher suite for TLS sessions.
+# The default suite is secure and setting this property is usually
+# only required to *lower* the security to cope with legacy clients.
+# Prefix with -C: in order to require valid client certificates.
+# If -C: is used, make sure that clients' public keys are present on
+# the server.
+
+# TLSCipherSuite               HIGH
+
+
+
+# Certificate file, for TLS
+# The certificate itself and the keys can be bundled into the same
+# file or split into two files.
+# CertFile is for a cert+key bundle, CertFileAndKey for separate files.
+# Use only one of these.
+
+# CertFile                     /etc/ssl/private/pure-ftpd.pem
+# CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"
+
+
+
+# Unix socket of the external certificate handler, for TLS
+
+# ExtCert                      /var/run/ftpd-certs.sock
+
+
+# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
+# By default, both IPv4 and IPv6 are enabled.
+
+IPV4Only                       {{IPV4Only}}
+
+
+
+# Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
+# By default, both IPv4 and IPv6 are enabled.
+
+IPV6Only                       {{IPV6Only}}

vars/main.yml

@@ -0,0 +1,4 @@
+---
+# vars file for geekoops-pureftpd
+
+pureftpd_service: "pure-ftpd"

vars/openSUSE Leap_15.2.yml

@@ -0,0 +1,8 @@
+---
+# openSUSE Leap 15.2 specific variables
+
+## Software packages
+
+packages: ['pure-ftpd']
+
+