Add TLS support to the CentOS vsftpd role.

This commit is contained in:
Andrea Dell'Amico 2020-03-14 16:08:22 +01:00
parent 0d5bf23f5e
commit f64f5ca21c
4 changed files with 62 additions and 12 deletions

View File

@ -22,3 +22,13 @@ vsftpd_chroot_list_enable: 'YES'
vsftpd_text_userdb_names: 'YES'
vsftpd_pasv_min_port: 19000
vsftpd_pasv_max_port: 19999
# The first listens on ipv4 only. The second on both, despite the name
vsftpd_listen: "NO"
vsftpd_listen_ipv6: "YES"
vsftpd_tls_enabled: True
vsftpd_force_tls: True
vsftpd_tls_letsencrypt: True
vsftpd_ssl_ca_certificate: '{{ letsencrypt_acme_certs_dir }}/fullchain'
vsftpd_ssl_certificate: '{{ letsencrypt_acme_certs_dir }}/cert'
vsftpd_ssl_certificate_key: '{{ letsencrypt_acme_certs_dir }}/privkey'

View File

@ -1,17 +1,10 @@
---
- name: Install the ftp server packages
yum: pkg={{ item }} state={{ pkg_state }}
with_items: vsftpd_pkgs
yum: pkg={{ vsftpd_pkgs }} state={{ pkg_state }}
tags:
- ftp
- vsftpd
- name: Ensure that the vsftpd service is enabled
service: name=vsftpd enabled=yes
tags:
- ftp
- vsftpd
- name: Install the vsftpd blacklist files
copy: src={{ item }} dest=/etc/vsftpd/{{ item }} owner=root group=root mode=0400
with_items: vsftpd_blacklist_files
@ -26,13 +19,14 @@
tags:
- ftp
- vsftpd
- vsftpd_config
- name: Set the needed SELinux booleans when local users are enabled
seboolean: name={{ item }} state=yes persistent=yes
with_items:
- ftp_home_dir
- ftpd_full_access
when: vsftpd_local
when: vsftpd_local | bool
tags:
- ftp
- vsftpd
@ -42,7 +36,24 @@
with_items:
- allow_ftpd_full_access
- allow_ftpd_anon_write
when: vsftpd_anonymous_upload
when: vsftpd_anonymous_upload | bool
tags:
- ftp
- vsftpd
- name: Ensure that the vsftpd service is started and enabled
service: name=vsftpd enabled=yes
tags:
- ftp
- vsftpd
- name: Manage the letsencrypt hook
block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
- name: Install the vsftp hook for letsencrypt
template: src=vsftpd-letsencrypt-hook.sh.j2 dest=/usr/lib/acme/hooks/vsftpd owner=root group=root mode=0550
when: vsftpd_tls_letsencrypt | bool
tags: [ 'ftp', 'vsftpd', 'vsftpd_config', 'letsencrypt' ]

View File

@ -0,0 +1,5 @@
#!/bin/bash
systemctl restart vsftpd
exit 0

View File

@ -10,6 +10,13 @@
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable={{ vsftpd_anonymous_enable }}
{% if vsftpd_anonymous and vsftpd_tls_enabled %}
allow_anon_ssl=YES
{% if vsftpd_force_tls %}
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
{% endif %}
{% endif %}
#
# Uncomment this to allow local users to log in.
local_enable={{ vsftpd_local_enable }}
@ -112,9 +119,9 @@ chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=NO
listen={{ vsftpd_listen }}
# This one listens on both ipv4 and ipv6 sockets
listen_ipv6=YES
listen_ipv6={{ vsftpd_listen_ipv6 }}
# maximum number of clients which may be connected.
max_clients=50
max_per_ip=10
@ -131,3 +138,20 @@ pasv_min_port={{ vsftpd_pasv_min_port }}
pasv_max_port={{ vsftpd_pasv_max_port }}
#
use_localtime=YES
{% if vsftpd_tls_enabled %}
# SSL/TLS
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ca_certs_file={{ vsftpd_ssl_ca_certificate }}
rsa_cert_file={{ vsftpd_ssl_certificate }}
rsa_private_key_file={{ vsftpd_ssl_certificate_key }}
{% if vsftpd_force_tls %}
force_local_logins_ssl=YES
force_local_data_ssl=YES
{% endif %}
{% endif %}