Add TLS support to the CentOS vsftpd role.
This commit is contained in:
parent
0d5bf23f5e
commit
f64f5ca21c
@ -22,3 +22,13 @@ vsftpd_chroot_list_enable: 'YES'
|
|||
vsftpd_text_userdb_names: 'YES'
|
||||
vsftpd_pasv_min_port: 19000
|
||||
vsftpd_pasv_max_port: 19999
|
||||
|
||||
# The first listens on ipv4 only. The second on both, despite the name
|
||||
vsftpd_listen: "NO"
|
||||
vsftpd_listen_ipv6: "YES"
|
||||
vsftpd_tls_enabled: True
|
||||
vsftpd_force_tls: True
|
||||
vsftpd_tls_letsencrypt: True
|
||||
vsftpd_ssl_ca_certificate: '{{ letsencrypt_acme_certs_dir }}/fullchain'
|
||||
vsftpd_ssl_certificate: '{{ letsencrypt_acme_certs_dir }}/cert'
|
||||
vsftpd_ssl_certificate_key: '{{ letsencrypt_acme_certs_dir }}/privkey'
|
||||
|
|
|
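Review bot: `vsftpd_ssl_ca_certificate` is pointed at Let's Encrypt's `fullchain`, but in the template hunk that value feeds `ca_certs_file`, which vsftpd uses to validate client certificates rather than to serve its own chain; with `vsftpd_ssl_certificate` set to `cert` the server presents only the leaf certificate, and clients that do not already hold the intermediate will fail verification. If vsftpd loads `rsa_cert_file` as a chain file (I believe it does), the fix is `vsftpd_ssl_certificate: '{{ letsencrypt_acme_certs_dir }}/fullchain'`, with `vsftpd_ssl_ca_certificate` either dropped or reserved for a genuine client-certificate CA. Separately, `vsftpd_tls_enabled: True`, `vsftpd_force_tls: True` and `vsftpd_tls_letsencrypt: True` use Python-style capitalised booleans; yamllint's truthy rule and the lowercase `true`/`false` convention are preferable. Note also that with TLS and the letsencrypt hook on by default, every host using this role must define `letsencrypt_acme_certs_dir`, otherwise the template render fails on an undefined variable.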
@ -1,13 +1,6 @@
|
|||
---
|
||||
- name: Install the ftp server packages
|
||||
yum: pkg={{ item }} state={{ pkg_state }}
|
||||
with_items: vsftpd_pkgs
|
||||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
|
||||
- name: Ensure that the vsftpd service is enabled
|
||||
service: name=vsftpd enabled=yes
|
||||
yum: pkg={{ vsftpd_pkgs }} state={{ pkg_state }}
|
||||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
|
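Review bot: `yum: pkg={{ vsftpd_pkgs }} state={{ pkg_state }}` keeps the key=value module-argument string form, which ansible-lint flags and which hides the quoting of the Jinja expressions. The native mapping form reads and diffs better: `yum:` / `  name: "{{ vsftpd_pkgs }}"` / `  state: "{{ pkg_state }}"`. The same applies to the new `file` and `template` tasks added further down in this commit.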
@ -26,13 +19,14 @@
|
|||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
- vsftpd_config
|
||||
|
||||
- name: Set the needed SELinux booleans when local users are enabled
|
||||
seboolean: name={{ item }} state=yes persistent=yes
|
||||
with_items:
|
||||
- ftp_home_dir
|
||||
- ftpd_full_access
|
||||
when: vsftpd_local
|
||||
when: vsftpd_local | bool
|
||||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
|
@ -42,7 +36,24 @@
|
|||
with_items:
|
||||
- allow_ftpd_full_access
|
||||
- allow_ftpd_anon_write
|
||||
when: vsftpd_anonymous_upload
|
||||
when: vsftpd_anonymous_upload | bool
|
||||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
|
||||
- name: Ensure that the vsftpd service is started and enabled
|
||||
service: name=vsftpd enabled=yes
|
||||
tags:
|
||||
- ftp
|
||||
- vsftpd
|
||||
|
||||
- name: Manage the letsencrypt hook
|
||||
block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install the vsftp hook for letsencrypt
|
||||
template: src=vsftpd-letsencrypt-hook.sh.j2 dest=/usr/lib/acme/hooks/vsftpd owner=root group=root mode=0550
|
||||
|
||||
when: vsftpd_tls_letsencrypt | bool
|
||||
tags: [ 'ftp', 'vsftpd', 'vsftpd_config', 'letsencrypt' ]
|
||||
|
|
|
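Review bot: The hook directory task creates `{{ letsencrypt_acme_sh_services_scripts_dir }}`, but the template task right after it writes to the hard-coded `dest=/usr/lib/acme/hooks/vsftpd`; if the variable resolves to any other path the hook lands outside the directory just created and, presumably, outside where the acme hook runner looks. Use `dest={{ letsencrypt_acme_sh_services_scripts_dir }}/vsftpd` so the two tasks agree. In the same hunk, the task named "Ensure that the vsftpd service is started and enabled" only passes `enabled=yes`; add `state=started`, since the old enable-only task was removed from the top of the file and this is now the only place the service is managed.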
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
systemctl restart vsftpd
|
||||
|
||||
exit 0
|
|
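Review bot: The unconditional `exit 0` reports success to the renewal hook runner even when `systemctl restart vsftpd` fails, so a renewed certificate that vsftpd refuses to load (wrong path, unreadable key) goes unnoticed until clients start failing. Replace the two lines with `exec systemctl restart vsftpd`, or keep the restart and follow it with `exit $?`, so the failure propagates and shows up in the renewal job's log. The file is installed as a `.j2` template but contains no Jinja expressions; either ship it with `copy` as a plain `.sh` file or template the service name, so the choice of module reflects intent.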
@ -10,6 +10,13 @@
|
|||
#
|
||||
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
|
||||
anonymous_enable={{ vsftpd_anonymous_enable }}
|
||||
{% if vsftpd_anonymous and vsftpd_tls_enabled %}
|
||||
allow_anon_ssl=YES
|
||||
{% if vsftpd_force_tls %}
|
||||
force_anon_data_ssl=YES
|
||||
force_anon_logins_ssl=YES
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
#
|
||||
# Uncomment this to allow local users to log in.
|
||||
local_enable={{ vsftpd_local_enable }}
|
||||
|
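Review bot: The new guard tests `vsftpd_anonymous`, while the line it wraps is driven by `vsftpd_anonymous_enable`; neither variable appears in the defaults hunk of this commit, so I cannot confirm they are kept in sync. If they can diverge, a host rendering `anonymous_enable=YES` with `vsftpd_anonymous` unset or false gets anonymous logins without `allow_anon_ssl` and the `force_anon_*_ssl` lines, leaving anonymous sessions plaintext-only while local users are forced onto TLS. Suggest keying both on one variable, e.g. `{% if vsftpd_anonymous_enable == 'YES' and vsftpd_tls_enabled %}`, or deriving `vsftpd_anonymous_enable` from `vsftpd_anonymous` in the defaults.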
@ -112,9 +119,9 @@ chroot_list_file=/etc/vsftpd/chroot_list
|
|||
pam_service_name=vsftpd
|
||||
userlist_enable=YES
|
||||
#enable for standalone mode
|
||||
listen=NO
|
||||
listen={{ vsftpd_listen }}
|
||||
# This one listens on both ipv4 and ipv6 sockets
|
||||
listen_ipv6=YES
|
||||
listen_ipv6={{ vsftpd_listen_ipv6 }}
|
||||
# maximum number of clients which may be connected.
|
||||
max_clients=50
|
||||
max_per_ip=10
|
||||
|
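Review bot: `listen={{ vsftpd_listen }}` and `listen_ipv6={{ vsftpd_listen_ipv6 }}` are now independently settable, but vsftpd refuses to start when both are YES (to my recollection it demands a separate instance per address family), and nothing in the role validates the pair, so a bad combination surfaces only as a failed service start. A short `assert` task before the template, e.g. `that: not (vsftpd_listen | upper == 'YES' and vsftpd_listen_ipv6 | upper == 'YES')` with a `fail_msg`, would catch it at play time with a readable message. The comment `# This one listens on both ipv4 and ipv6 sockets` now describes only the YES setting; consider `# listen_ipv6=YES binds both address families; never set both listen and listen_ipv6 to YES`.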
@ -131,3 +138,20 @@ pasv_min_port={{ vsftpd_pasv_min_port }}
|
|||
pasv_max_port={{ vsftpd_pasv_max_port }}
|
||||
#
|
||||
use_localtime=YES
|
||||
|
||||
{% if vsftpd_tls_enabled %}
|
||||
# SSL/TLS
|
||||
ssl_enable=YES
|
||||
ssl_sslv2=NO
|
||||
ssl_sslv3=NO
|
||||
ssl_tlsv1=NO
|
||||
ssl_tlsv1_1=NO
|
||||
ssl_tlsv1_2=YES
|
||||
ca_certs_file={{ vsftpd_ssl_ca_certificate }}
|
||||
rsa_cert_file={{ vsftpd_ssl_certificate }}
|
||||
rsa_private_key_file={{ vsftpd_ssl_certificate_key }}
|
||||
{% if vsftpd_force_tls %}
|
||||
force_local_logins_ssl=YES
|
||||
force_local_data_ssl=YES
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
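Review bot: The TLS block pins the protocol versions but leaves `ssl_ciphers` at vsftpd's built-in default, which the vsftpd.conf manual lists as `DES-CBC3-SHA` (3DES) to my recollection; with no explicit list the TLSv1.2-only setting can still negotiate a weak suite. Add `ssl_ciphers=HIGH` after `ssl_tlsv1_2=YES`, ideally exposed as a `vsftpd_ssl_ciphers` default so operators can tighten it. Also, `ca_certs_file` only has an effect together with `require_cert`/`validate_cert`, neither of which is rendered here, so the line is inert as written; either add those options when client-certificate validation is wanted or guard the line with its own variable and a comment saying what it is for.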