Add TLS support to the CentOS vsftpd role.

library/centos/roles/vsftpd/defaults/main.yml

@@ -22,3 +22,13 @@ vsftpd_chroot_list_enable: 'YES'
 vsftpd_text_userdb_names: 'YES'
 vsftpd_pasv_min_port: 19000
 vsftpd_pasv_max_port: 19999
+
+# The first listens on ipv4 only. The second on both, despite the name
+vsftpd_listen: "NO"
+vsftpd_listen_ipv6: "YES"
+vsftpd_tls_enabled: True
+vsftpd_force_tls: True
+vsftpd_tls_letsencrypt: True
+vsftpd_ssl_ca_certificate: '{{ letsencrypt_acme_certs_dir }}/fullchain'
+vsftpd_ssl_certificate: '{{ letsencrypt_acme_certs_dir }}/cert'
+vsftpd_ssl_certificate_key: '{{ letsencrypt_acme_certs_dir }}/privkey'

library/centos/roles/vsftpd/tasks/vsftpd.yml

@@ -1,17 +1,10 @@
 ---
 - name: Install the ftp server packages
-  yum: pkg={{ item }} state={{ pkg_state }}
-  with_items: vsftpd_pkgs
+  yum: pkg={{ vsftpd_pkgs }} state={{ pkg_state }}
   tags:
     - ftp
     - vsftpd
 
-- name: Ensure that the vsftpd service is enabled
-  service: name=vsftpd enabled=yes
-  tags:
-    - ftp
-    - vsftpd
-  
 - name: Install the vsftpd blacklist files
   copy: src={{ item }} dest=/etc/vsftpd/{{ item }} owner=root group=root mode=0400
   with_items: vsftpd_blacklist_files
@@ -26,13 +19,14 @@
   tags:
     - ftp
     - vsftpd
+    - vsftpd_config
 
 - name: Set the needed SELinux booleans when local users are enabled
   seboolean: name={{ item }} state=yes persistent=yes
   with_items:
     - ftp_home_dir
     - ftpd_full_access
-  when: vsftpd_local
+  when: vsftpd_local | bool
   tags:
     - ftp
     - vsftpd
@@ -42,7 +36,24 @@
   with_items:
     - allow_ftpd_full_access
     - allow_ftpd_anon_write
-  when: vsftpd_anonymous_upload
+  when: vsftpd_anonymous_upload | bool
   tags:
     - ftp
     - vsftpd
+
+- name: Ensure that the vsftpd service is started and enabled
+  service: name=vsftpd enabled=yes
+  tags:
+    - ftp
+    - vsftpd
+  
+- name: Manage the letsencrypt hook
+  block: 
+    - name: Create the acme hooks directory if it does not yet exist
+      file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+    - name: Install the vsftp hook for letsencrypt
+      template: src=vsftpd-letsencrypt-hook.sh.j2 dest=/usr/lib/acme/hooks/vsftpd owner=root group=root mode=0550
+
+  when: vsftpd_tls_letsencrypt | bool
+  tags: [ 'ftp', 'vsftpd', 'vsftpd_config', 'letsencrypt' ]

library/centos/roles/vsftpd/templates/vsftpd-letsencrypt-hook.sh.j2

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+systemctl restart vsftpd
+
+exit 0

library/centos/roles/vsftpd/templates/vsftpd.conf.j2

@@ -10,6 +10,13 @@
 #
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
 anonymous_enable={{ vsftpd_anonymous_enable }}
+{% if vsftpd_anonymous and vsftpd_tls_enabled %}
+allow_anon_ssl=YES
+{% if vsftpd_force_tls %}
+force_anon_data_ssl=YES
+force_anon_logins_ssl=YES
+{% endif %}
+{% endif %}
 #
 # Uncomment this to allow local users to log in.
 local_enable={{ vsftpd_local_enable }}
@@ -112,9 +119,9 @@ chroot_list_file=/etc/vsftpd/chroot_list
 pam_service_name=vsftpd
 userlist_enable=YES
 #enable for standalone mode
-listen=NO
+listen={{ vsftpd_listen }}
 # This one listens on both ipv4 and ipv6 sockets
-listen_ipv6=YES
+listen_ipv6={{ vsftpd_listen_ipv6 }}
 # maximum number of clients which may be connected.
 max_clients=50
 max_per_ip=10
@@ -131,3 +138,20 @@ pasv_min_port={{ vsftpd_pasv_min_port }}
 pasv_max_port={{ vsftpd_pasv_max_port }}
 #
 use_localtime=YES
+
+{% if vsftpd_tls_enabled %}
+# SSL/TLS
+ssl_enable=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+ssl_tlsv1=NO
+ssl_tlsv1_1=NO
+ssl_tlsv1_2=YES
+ca_certs_file={{ vsftpd_ssl_ca_certificate }}
+rsa_cert_file={{ vsftpd_ssl_certificate }}
+rsa_private_key_file={{ vsftpd_ssl_certificate_key }}
+{% if vsftpd_force_tls %}
+force_local_logins_ssl=YES
+force_local_data_ssl=YES
+{% endif %}
+{% endif %}