vsftpd: Support TLS in the Ubuntu role.

2020-03-19 13:31:38 +01:00 · 2020-03-19 13:31:38 +01:00 · 37d23844e3
parent 59717eae9c
commit 37d23844e3
2 changed files with 28 additions and 1 deletions
--- a/library/roles/vsftpd/defaults/main.yml
+++ b/library/roles/vsftpd/defaults/main.yml
@ -22,3 +22,10 @@ vsftpd_manage_user_acls: True
 vsftpd_manage_real_users: False
 vsftpd_manage_valid_shells: False

+vsftpd_tls_enabled: True
+vsftpd_force_tls: True
+vsftpd_tls_letsencrypt: True
+vsftpd_ssl_ca_certificate: '{{ letsencrypt_acme_certs_dir }}/fullchain'
+vsftpd_ssl_certificate: '{{ letsencrypt_acme_certs_dir }}/cert'
+vsftpd_ssl_certificate_key: '{{ letsencrypt_acme_certs_dir }}/privkey'
+
--- a/library/roles/vsftpd/templates/vsftpd.conf.j2
+++ b/library/roles/vsftpd/templates/vsftpd.conf.j2
@ -117,10 +117,30 @@ secure_chroot_dir=/var/run/vsftpd/empty
 # This string is the name of the PAM service vsftpd will use.
 pam_service_name=vsftpd
 #
+{% if vsftpd_tls_enabled %}
+# SSL/TLS
+ssl_enable=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+{% if ansible_distribution_version is version_compare('18.04', '>=') %}
+ssl_tlsv1=NO
+ssl_tlsv1_1=NO
+ssl_tlsv1_2=YES
+{% else %}
+ssl_tlsv1=YES
+{% endif %}
+ca_certs_file={{ vsftpd_ssl_ca_certificate }}
+rsa_cert_file={{ vsftpd_ssl_certificate }}
+rsa_private_key_file={{ vsftpd_ssl_certificate_key }}
+{% if vsftpd_force_tls %}
+force_local_logins_ssl=YES
+force_local_data_ssl=YES
+{% endif %}
+{% else %}
 # This option specifies the location of the RSA certificate to use for SSL
 # encrypted connections.
 rsa_cert_file=/etc/ssl/private/vsftpd.pem
-
+{% endif %}

 local_root={{ vsftpd_local_root }}
 pasv_min_port={{ vsftpd_pasv_min_port }}