convert to pureftpd role

defaults/main.yml

@@ -1,13 +1,8 @@
 ---
-# defaults file for ansible-role-vsftpd
+# defaults file for ansible-role-pureftpd
-vsftpd_service_state: "started"
+pureftpd_service_state: "started"
-vsftpd_service_enabled: true
+pureftpd_service_enabled: true
 
 
-vsftpd_enable_ssl: false
-vsftpd_cert_file: ssl-cert.pem
-vsftpd_key_file: ssl-cert.key
 # config variables
-vsftpd_config: {}
+pureftpd_sssd: true
-
-vsftpd_sssd: true

handlers/main.yml

@@ -1,10 +1,10 @@
 ---
-# handlers file for ansible-role-vsftpd
+# handlers file for ansible-role-pureftpd
-- name: restart vsftpd
+- name: Restart pureftpd
   ansible.builtin.service:
-    name: vsftpd
+    name: pure-ftpd
     state: restarted
-  when: vsftpd_service_state != 'stopped'
+  when: pureftpd_service_state != 'stopped'
   become: true
   # Ignore errors due to: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754762;msg=9
-  ignore_errors: yes
+  ignore_errors: true

tasks/main.yml

@@ -2,34 +2,35 @@
 # tasks file for ansible-role-vsftpd
 
 - name: Installing packages
-  ansible.builtin.package:
+  aur:
-    name: "{{ vsftpd_package }}"
+    name: "{{ pureftpd_package }}"
     state: present
   become: true
+  become_user: aur_builder
 
-- name: Configuring vsftp
+- name: Configuring pureftpd
   ansible.builtin.template:
-    src: "vsftpd.j2"
+    src: "pure-ftpd.j2"
     dest: "{{ vsftpd_config_template_path }}"
     owner: root
     group: root
     mode: "0644"
   become: true
-  notify: restart vsftpd  
+  notify: Restart pureftpd  
 
 - name: Configuring service
   ansible.builtin.service:
-    name: vsftpd
+    name: pure-ftpd
-    state: "{{ vsftpd_service_state }}"
+    state: "{{ pureftpd_service_state }}"
-    enabled: "{{ vsftpd_service_enabled }}"
+    enabled: "{{ pureftpd_service_enabled }}"
   become: true
 
 - name: Configure pam for sssd
   ansible.builtin.template:
-    src: "pam.d/vsftpd.j2"
+    src: "pam.d/pure-ftpd.j2"
-    dest: "/etc/pam.d/vsftpd"
+    dest: "/etc/pam.d/pure-ftpd"
     owner: root
     group: root
     mode: "0644"
   become: true 
-  when: vsftpd_sssd == true
+  when: pureftpd_sssd is true

templates/pure-ftpd.j2

@@ -0,0 +1,474 @@
+# {{ ansible_managed }}
+
+
+############################################################
+#                                                          #
+#             Configuration file for pure-ftpd             #
+#                                                          #
+############################################################
+
+# If you want to run Pure-FTPd with this configuration
+# instead of command-line options, please run the
+# following command :
+#
+# @sbindir@/sbin/pure-ftpd @sysconfdir@/pure-ftpd.conf
+#
+# Online documentation:
+# https://www.pureftpd.org/project/pure-ftpd/doc
+
+
+# Restrict users to their home directory
+
+ChrootEveryone               no
+
+
+
+# If the previous option is set to "no", members of the following group
+# won't be restricted. Others will be. If you don't want chroot()ing anyone,
+# just comment out ChrootEveryone and TrustedGID.
+
+# TrustedGID                   100
+
+
+
+# Turn on compatibility hacks for broken clients
+
+BrokenClientsCompatibility   no
+
+
+
+# Maximum number of simultaneous users
+
+MaxClientsNumber             50
+
+
+
+# Run as a background process
+
+Daemonize                    yes
+
+
+
+# Maximum number of simultaneous clients with the same IP address
+
+MaxClientsPerIP              8
+
+
+
+# If you want to log all client commands, set this to "yes".
+# This directive can be specified twice to also log server responses.
+
+VerboseLog                   no
+
+
+
+# List dot-files even when the client doesn't send "-a".
+
+DisplayDotFiles              yes
+
+
+
+# Disallow authenticated users - Act only as a public FTP server.
+
+AnonymousOnly                no
+
+
+
+# Disallow anonymous connections. Only accept authenticated users.
+
+NoAnonymous                  no
+
+
+
+# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
+# The default facility is "ftp". "none" disables logging.
+
+SyslogFacility               ftp
+
+
+
+# Display fortune cookies
+
+# FortunesFile                 /usr/share/fortune/zippy
+
+
+
+# Don't resolve host names in log files. Recommended unless you trust
+# reverse host names, and don't care about DNS resolution being possibly slow.
+
+DontResolve                  yes
+
+
+
+# Maximum idle time in minutes (default = 15 minutes)
+
+MaxIdleTime                  15
+
+
+
+# LDAP configuration file (see README.LDAP)
+
+# LDAPConfigFile               /etc/pureftpd-ldap.conf
+
+
+
+# MySQL configuration file (see README.MySQL)
+
+# MySQLConfigFile              /etc/pureftpd-mysql.conf
+
+
+# PostgreSQL configuration file (see README.PGSQL)
+
+# PGSQLConfigFile              /etc/pureftpd-pgsql.conf
+
+
+# PureDB user database (see README.Virtual-Users)
+
+# PureDB                       /etc/pureftpd.pdb
+
+
+# Path to pure-authd socket (see README.Authentication-Modules)
+
+# ExtAuth                      /var/run/ftpd.sock
+
+
+
+# If you want to enable PAM authentication, uncomment the following line
+
+# PAMAuthentication            yes
+
+
+
+# If you want simple Unix (/etc/passwd) authentication, uncomment this
+
+# UnixAuthentication           yes
+
+
+
+# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
+# UnixAuthentication can be used specified once, but can be combined
+# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
+# the SQL server will be used first. If the SQL authentication fails because the
+# user wasn't found, a new attempt will be done using system authentication.
+# If the SQL authentication fails because the password didn't match, the
+# authentication chain stops here. Authentication methods are chained in
+# the order they are given.
+
+
+
+# 'ls' recursion limits. The first argument is the maximum number of
+# files to be displayed. The second one is the max subdirectories depth.
+
+LimitRecursion               10000 8
+
+
+
+# Are anonymous users allowed to create new directories?
+
+AnonymousCanCreateDirs       no
+
+
+
+# If the system load is greater than the given value, anonymous users
+# aren't allowed to download.
+
+MaxLoad                      4
+
+
+
+# Port range for passive connections - keep it as broad as possible.
+
+# PassivePortRange             30000 50000
+
+
+
+# Force an IP address in PASV/EPSV replies. - for NAT.
+# Symbolic host names are also accepted for gateways with dynamic IP
+# addresses.
+
+# ForcePassiveIP               192.168.0.1
+
+
+
+# Upload/download ratio for anonymous users.
+
+# AnonymousRatio               1 10
+
+
+
+# Upload/download ratio for all users.
+# This directive supersedes the previous one.
+
+# UserRatio                    1 10
+
+
+
+# Disallow downloads of files owned by the "ftp" system user;
+# files that were uploaded but not validated by a local admin.
+
+AntiWarez                    yes
+
+
+
+# IP address/port to listen to (default=all IP addresses, port 21).
+
+# Bind                         127.0.0.1,21
+
+
+
+# Maximum bandwidth for anonymous users in KB/s
+
+# AnonymousBandwidth           8
+
+
+
+# Maximum bandwidth for *all* users (including anonymous) in KB/s
+# Use AnonymousBandwidth *or* UserBandwidth, not both.
+
+# UserBandwidth                8
+
+
+
+# File creation mask. <umask for files>:<umask for dirs> .
+# 177:077 if you feel paranoid.
+
+Umask                        133:022
+
+
+
+# Minimum UID for an authenticated user to log in.
+# For example, a value of 100 prevents all users whose user id is below
+# 100 from logging in. If you want "root" to be able to log in, use 0.
+
+MinUID                       100
+
+
+
+# Allow FXP transfers for authenticated users.
+
+AllowUserFXP                 no
+
+
+
+# Allow anonymous FXP for anonymous and non-anonymous users.
+
+AllowAnonymousFXP            no
+
+
+
+# Users can't delete/write files starting with a dot ('.')
+# even if they own them. But if TrustedGID is enabled, that group
+# will exceptionally have access to dot-files.
+
+ProhibitDotFilesWrite        no
+
+
+
+# Prohibit *reading* of files starting with a dot (.history, .ssh...)
+
+ProhibitDotFilesRead         no
+
+
+
+# Don't overwrite files. When a file whose name already exist is uploaded,
+# it gets automatically renamed to file.1, file.2, file.3, ...
+
+AutoRename                   no
+
+
+
+# Prevent anonymous users from uploading new files (no = upload is allowed)
+
+AnonymousCantUpload          no
+
+
+
+# Only connections to this specific IP address are allowed to be
+# non-anonymous. You can use this directive to open several public IPs for
+# anonymous FTP, and keep a private firewalled IP for remote administration.
+# You can also only allow a non-routable local IP (such as 10.x.x.x) for
+# authenticated users, and run a public anon-only FTP server on another IP.
+
+# TrustedIP                    10.1.1.1
+
+
+
+# To add the PID to log entries, uncomment the following line.
+
+# LogPID                       yes
+
+
+
+# Create an additional log file with transfers logged in a Apache-like format :
+# fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
+# This log file can then be processed by common HTTP traffic analyzers.
+
+# AltLog                       clf:/var/log/pureftpd.log
+
+
+
+# Create an additional log file with transfers logged in a format optimized
+# for statistic reports.
+
+# AltLog                       stats:/var/log/pureftpd.log
+
+
+
+# Create an additional log file with transfers logged in the standard W3C
+# format (compatible with many HTTP log analyzers)
+
+# AltLog                       w3c:/var/log/pureftpd.log
+
+
+
+# Disallow the CHMOD command. Users cannot change perms of their own files.
+
+# NoChmod                      yes
+
+
+
+# Allow users to resume/upload files, but *NOT* to delete them.
+
+# KeepAllFiles                 yes
+
+
+
+# Automatically create home directories if they are missing
+
+# CreateHomeDir                yes
+
+
+
+# Enable virtual quotas. The first value is the max number of files.
+# The second value is the maximum size, in megabytes.
+# So 1000:10 limits every user to 1000 files and 10 MB.
+
+# Quota                        1000:10
+
+
+
+# If your pure-ftpd has been compiled with standalone support, you can change
+# the location of the pid file. The default is /var/run/pure-ftpd.pid
+
+# PIDFile                      /var/run/pure-ftpd.pid
+
+
+
+# If your pure-ftpd has been compiled with pure-uploadscript support,
+# this will make pure-ftpd write info about new uploads to
+# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
+# spawn a script to handle the upload.
+# Don't enable this option if you don't actually use pure-uploadscript.
+
+# CallUploadScript             yes
+
+
+
+# This option is useful on servers where anonymous upload is
+# allowed. When the partition is more that percententage full,
+# new uploads are disallowed.
+
+MaxDiskUsage                   99
+
+
+
+# Set to 'yes' to prevent users from renaming files.
+
+# NoRename                     yes
+
+
+
+# Be 'customer proof': forbids common customer mistakes such as
+# 'chmod 0 public_html', that are valid, but can cause customers to
+# unintentionally shoot themselves in the foot.
+
+CustomerProof                yes
+
+
+
+# Per-user concurrency limits. Will only work if the FTP server has
+# been compiled with --with-peruserlimits.
+# Format is: <max sessions per user>:<max anonymous sessions>
+# For example, 3:20 means that an authenticated user can have up to 3 active
+# sessions, and that up to 20 anonymous sessions are allowed.
+
+# PerUserLimits                3:20
+
+
+
+# When a file is uploaded and there was already a previous version of the file
+# with the same name, the old file will neither get removed nor truncated.
+# The file will be stored under a temporary name and once the upload is
+# complete, it will be atomically renamed. For example, when a large PHP
+# script is being uploaded, the web server will keep serving the old version and
+# later switch to the new one as soon as the full file will have been
+# transferred. This option is incompatible with virtual quotas.
+
+# NoTruncate                   yes
+
+
+
+# This option accepts three values:
+# 0: disable SSL/TLS encryption layer (default).
+# 1: accept both cleartext and encrypted sessions.
+# 2: refuse connections that don't use the TLS security mechanism,
+#    including anonymous sessions.
+# Do _not_ uncomment this blindly. Double check that:
+# 1) The server has been compiled with TLS support (--with-tls),
+# 2) A valid certificate is in place,
+# 3) Only compatible clients will log in.
+
+# TLS                          1
+
+
+# Cipher suite for TLS sessions.
+# The default suite is secure and setting this property is usually
+# only required to *lower* the security to cope with legacy clients.
+# Prefix with -C: in order to require valid client certificates.
+# If -C: is used, make sure that clients' public keys are present on
+# the server.
+
+# TLSCipherSuite               HIGH
+
+
+
+# Certificate file, for TLS
+# The certificate itself and the keys can be bundled into the same
+# file or split into two files.
+# CertFile is for a cert+key bundle, CertFileAndKey for separate files.
+# Use only one of these.
+
+# CertFile                     /etc/ssl/private/pure-ftpd.pem
+# CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"
+
+
+
+# Unix socket of the external certificate handler, for TLS
+
+# ExtCert                      /var/run/ftpd-certs.sock
+
+
+# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
+# By default, both IPv4 and IPv6 are enabled.
+
+# IPV4Only                     yes
+
+
+
+# Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
+# By default, both IPv4 and IPv6 are enabled.
+
+# IPV6Only                     yes
+
+
+
+# Append the content of another file, if the file exists.
+# If the file doesn't exist, the directive is ignored.
+# More files can be recursively included.
+
+# Include                      additional_configuration.conf
+
+
+{% for key, value in vsftpd_config.items() %}
+{{ key }}     {{ {true: "yes", false: "no"}[value] | default(value) }}
+{% endfor %}

templates/vsftpd.j2

@@ -1,156 +0,0 @@
-# {{ ansible_managed }}
-#
-# The default compiled in settings are fairly paranoid. This sample file
-# loosens things up a bit, to make the ftp daemon more usable.
-# Please see vsftpd.conf.5 for all compiled in defaults.
-#
-# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
-# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
-# capabilities.
-#
-#
-# Run standalone?  vsftpd can run either from an inetd or as a standalone
-# daemon started from an initscript.
-listen=YES
-#
-# Run standalone with IPv6?
-# Like the listen parameter, except vsftpd will listen on an IPv6 socket
-# instead of an IPv4 one. This parameter and the listen parameter are mutually
-# exclusive.
-#listen_ipv6=YES
-#
-# Allow anonymous FTP? (Disabled by default)
-anonymous_enable=NO
-#
-# Uncomment this to allow local users to log in.
-local_enable=YES
-#
-# Uncomment this to enable any form of FTP write command.
-write_enable=YES
-#
-# Default umask for local users is 077. You may wish to change this to 022,
-# if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
-#
-# Uncomment this to allow the anonymous FTP user to upload files. This only
-# has an effect if the above global write enable is activated. Also, you will
-# obviously need to create a directory writable by the FTP user.
-#anon_upload_enable=YES
-#
-# Uncomment this if you want the anonymous FTP user to be able to create
-# new directories.
-#anon_mkdir_write_enable=YES
-#
-# Activate directory messages - messages given to remote users when they
-# go into a certain directory.
-dirmessage_enable=YES
-#
-# If enabled, vsftpd will display directory listings with the time
-# in  your  local  time  zone.  The default is to display GMT. The
-# times returned by the MDTM FTP command are also affected by this
-# option.
-use_localtime=YES
-#
-# Activate logging of uploads/downloads.
-xferlog_enable=YES
-#
-# Make sure PORT transfer connections originate from port 20 (ftp-data).
-connect_from_port_20=YES
-#
-# If you want, you can arrange for uploaded anonymous files to be owned by
-# a different user. Note! Using "root" for uploaded files is not
-# recommended!
-#chown_uploads=YES
-#chown_username=whoever
-#
-# You may override where the log file goes if you like. The default is shown
-# below.
-#xferlog_file=/var/log/vsftpd.log
-#
-# If you want, you can have your log file in standard ftpd xferlog format.
-# Note that the default log file location is /var/log/xferlog in this case.
-#xferlog_std_format=YES
-#
-# You may change the default value for timing out an idle session.
-#idle_session_timeout=600
-#
-# You may change the default value for timing out a data connection.
-#data_connection_timeout=120
-#
-# It is recommended that you define on your system a unique user which the
-# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
-#
-# Enable this and the server will recognise asynchronous ABOR requests. Not
-# recommended for security (the code is non-trivial). Not enabling it,
-# however, may confuse older FTP clients.
-#async_abor_enable=YES
-#
-# By default the server will pretend to allow ASCII mode but in fact ignore
-# the request. Turn on the below options to have the server actually do ASCII
-# mangling on files when in ASCII mode.
-# Beware that on some FTP servers, ASCII support allows a denial of service
-# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
-# predicted this attack and has always been safe, reporting the size of the
-# raw file.
-# ASCII mangling is a horrible feature of the protocol.
-#ascii_upload_enable=YES
-#ascii_download_enable=YES
-#
-# You may fully customise the login banner string:
-#ftpd_banner=Welcome to blah FTP service.
-#
-# You may specify a file of disallowed anonymous e-mail addresses. Apparently
-# useful for combatting certain DoS attacks.
-#deny_email_enable=YES
-# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
-#
-# You may restrict local users to their home directories.  See the FAQ for
-# the possible risks in this before using chroot_local_user or
-# chroot_list_enable below.
-
-# You may specify an explicit list of local users to chroot() to their home
-# directory. If chroot_local_user is YES, then this list becomes a list of
-# users to NOT chroot().
-# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
-# the user does not have write access to the top level directory within the
-# chroot)
-#chroot_local_user=YES
-#chroot_list_enable=YES
-#allow_writeable_chroot=YES
-# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
-#
-# You may activate the "-R" option to the builtin ls. This is disabled by
-# default to avoid remote users being able to cause excessive I/O on large
-# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
-# the presence of the "-R" option, so there is a strong case for enabling it.
-#ls_recurse_enable=YES
-#
-# Customization
-#
-# Some of vsftpd's settings don't fit the filesystem layout by
-# default.
-#
-# This option should be the name of a directory which is empty.  Also, the
-# directory should not be writable by the ftp user. This directory is used
-# as a secure chroot() jail at times vsftpd does not require filesystem
-# access.
-# secure_chroot_dir=/var/run/vsftpd/empty
-#
-# This string is the name of the PAM service vsftpd will use.
-pam_service_name=vsftpd
-#
-{% if vsftpd_enable_ssl %}
-# This option specifies the location of the RSA certificate to use for SSL
-# encrypted connections.
-rsa_cert_file={{ openssl_certs_path }}/{{ vsftpd_cert_file }}
-# This option specifies the location of the RSA key to use for SSL
-# encrypted connections.
-rsa_private_key_file={{ openssl_keys_path }}/{{ vsftpd_key_file }}
-{% endif %}
-
-{% for key, value in vsftpd_config.items() %}
-{{ key }}={{ {true: "YES", false: "NO"}[value] | default(value) }}
-{% endfor %}

tests/test.yml

@@ -1,4 +1,4 @@
 ---
 - hosts: all
   roles:
-    - ansible-role-vsftpd
+    - ansible-role-pureftpd

vars/main.yml

@@ -1,4 +1,4 @@
 ---
 # vars file for ansible-role-vsftpd
-vsftpd_package: vsftpd
+pureftpd_package: pure-ftpd
-vsftpd_config_template_path: "/etc/vsftpd.conf"
+vsftpd_config_template_path: "/etc/pure-ftpd/pure-ftpd.conf"