From 30faa849acd830d0a01a33bd7742e7608b638627 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 28 Sep 2020 00:03:50 +0200
Subject: [PATCH] update..
---
group_vars/all/main.yml | 3 +-
roles/common/tasks/pure-ftpd-install.yml | 193 +-----------------
.../common/tasks/pure-ftpd/authentication.yml | 66 ++++++
roles/common/tasks/pure-ftpd/configure.yml | 45 ++++
.../pure-ftpd/create-virtual-ftp-user.yml | 8 +-
.../tasks/pure-ftpd/remove-virtual-user.yml | 19 ++
roles/common/tasks/pure-ftpd/setup.yml | 21 ++
.../tasks/pure-ftpd/tls-certificate.yml | 40 ++++
.../common/tasks/pure-ftpd/virtual-users.yml | 57 ++++++
9 files changed, 260 insertions(+), 192 deletions(-)
create mode 100644 roles/common/tasks/pure-ftpd/authentication.yml
create mode 100644 roles/common/tasks/pure-ftpd/configure.yml
create mode 100644 roles/common/tasks/pure-ftpd/remove-virtual-user.yml
create mode 100644 roles/common/tasks/pure-ftpd/setup.yml
create mode 100644 roles/common/tasks/pure-ftpd/tls-certificate.yml
create mode 100644 roles/common/tasks/pure-ftpd/virtual-users.yml
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 3b5405a..0894b83 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -888,7 +888,8 @@ pureftpd_virtual_users:
 # ratio_ul: 10
 # ratio_dl: 1
-pureftpd_virtual_deleted_users: []
+pureftpd_virtual_deleted_users:
+ - name: maica_scan # Available properties # - name: vuser2
diff --git a/roles/common/tasks/pure-ftpd-install.yml b/roles/common/tasks/pure-ftpd-install.yml
index d21f410..07f2d94 100644
--- a/roles/common/tasks/pure-ftpd-install.yml
+++ b/roles/common/tasks/pure-ftpd-install.yml
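Review bot: The new `- name: maica_scan` entry turns a one-off account removal into permanent configuration for every host that reads `group_vars/all`; once the removal has converged the entry stays in the list and remove-virtual-user.yml keeps running `pure-pw show` for it on every play. If a host-wide list is intended, a comment beside the entry recording why the account is removed and when the entry can be dropped would help the next maintainer, e.g. `# removed <DATE>: <REASON>; drop this entry once all hosts have converged`. Otherwise a host- or group-specific vars file is the better home for a removal that only concerns the hosts that ever had the account.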
@@ -4,213 +4,36 @@ # Install PureFTP Daemon # --- -- name: (pure-ftpd-install.yml) Ensure Pure-FTPd is installed. - apt: - name: "{{ pureftpd_packages }}" - state: present - cache_valid_time: 3600 - update_cache: yes - -- name: (pure-ftpd-install.yml) Upload Pure-FTPd global configuration file. - template: - src: etc/default/pure-ftpd-common.j2 - dest: "{{ pureftpd_global_config_file }}" - owner: root - group: root - mode: '0644' - notify: restart Pure-FTPd +- include: pure-ftpd/setup.yml # --- # Configure PureFTP Daemon # --- -# Remove old current configurations if exists +- include: pure-ftpd/configure.yml -- name: (pure-ftpd-install.yml) Compile Pure-FTPd configurations (set fact..). - set_fact: - pureftpd_config_compiled: "{{ pureftpd_config }}" - -- name: (pure-ftpd-install.yml) Get current configuration. - command: ls -1 {{ pureftpd_config_conf_dir }} - register: pureftpd_current_config - changed_when: false - -- name: (pure-ftpd-install.yml) Delete old configuration. - file: - path: "{{ pureftpd_config_conf_dir }}/{{ item }}" - state: absent - when: pureftpd_config_compiled[item] is not defined - with_items: "{{ pureftpd_current_config.stdout_lines }}" - notify: restart Pure-FTPd - -# write new configuration - -- name: (pure-ftpd-install.yml) Write configuration. - template: - src: etc/pure-ftpd/conf/config.j2 - dest: "{{ pureftpd_config_conf_dir }}/{{ item.key }}" - owner: root - group: root - mode: '0644' - with_dict: '{{ pureftpd_config_compiled }}' - notify: restart Pure-FTPd +# --- # Authentication Configuration - -- name: (pure-ftpd-install.yml) Get current authentications. - command: ls -1 {{ pureftpd_config_auth_dir }} - register: pureftpd_current_auth - changed_when: false - -- name: (pure-ftpd-install.yml) Define empty pureftpd_authentications variable. - set_fact: - pureftpd_authentications: [] - -- name: (pure-ftpd-install.yml) Enable PureDB authentication. 
- file: - src: "{{ pureftpd_config_conf_dir }}/PureDB" - dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_puredb }}pure" - state: link - when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined - notify: restart Pure-FTPd - -- name: (pure-ftpd-install.yml) Add PureDB to Pure-FTPd authentications. - set_fact: - pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']" - when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined - -- name: (pure-ftpd-install.yml) Add PAM to Pure-FTPd authentications. - set_fact: - pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_pam }}pam']" - when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined - - -- name: (pure-ftpd-install.yml) Enable UNIX authentication. - file: - src: "{{ pureftpd_config_conf_dir }}/UnixAuthentication" - dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_unix }}unix" - state: link - when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined - notify: restart Pure-FTPd - -- name: (pure-ftpd-install.yml) Add UnixAuthentication to Pure-FTPd authentications. - set_fact: - pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_unix }}unix']" - when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined - - -- name: (pure-ftpd-install.yml) Enable PAM authentication. - file: - src: "{{ pureftpd_config_conf_dir }}/PAMAuthentication" - dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_pam }}pam" - state: link - when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined - notify: restart Pure-FTPd - -# --- -# Delete unused authentification if exists # --- -- name: (pure-ftpd-install.yml) Delete old authentications. 
- file: - path: "{{ pureftpd_config_auth_dir }}/{{ item }}" - state: absent - when: item not in pureftpd_authentications - with_items: "{{ pureftpd_current_auth.stdout_lines }}" - notify: restart Pure-FTPd +- include: pure-ftpd/authentication.yml # --- -# Defaults +# Virtual user # --- -- name: (pure-ftpd-install.yml) Ensure Pure-FTPd group exists. - group: - name: "{{ pureftpd_virtual_users_group }}" - gid: "{{ pureftpd_virtual_users_gid | default(omit) }}" - system: no - state: present - when: pureftpd_virtual_users | length > 0 - -- name: (pure-ftpd-install.yml) Ensure Pure-FTPd user exists. - user: - name: "{{ pureftpd_virtual_users_user }}" - uid: "{{ pureftpd_virtual_users_uid | default(omit) }}" - group: "{{ pureftpd_virtual_users_group }}" - home: /dev/null - shell: /usr/sbin/nologin - system: no - state: present - when: pureftpd_virtual_users | length > 0 - -- name: (pure-ftpd-install.yml) Verify virtual users database existence. - stat: - path: "{{ pureftpd_config_dir }}/pureftpd.passwd" - register: pureftpd_virtual_users_database - -- name: (pure-ftpd-install.yml) Ensure virtual users database exists. - file: - path: "{{ pureftpd_config_dir }}/pureftpd.passwd" - owner: root - group: root - mode: '0600' - state: touch - when: (pureftpd_virtual_users | length > 0) and not pureftpd_virtual_users_database.stat.exists | default(False) - - -# --- -# virtual users -# --- - -- include_tasks: pure-ftpd/create-virtual-ftp-user.yml - vars: - user: "{{ item }}" - with_items: "{{ pureftpd_virtual_users }}" - when: pureftpd_virtual_users | length > 0 - no_log: true - +- include: pure-ftpd/virtual-users.yml + # --- # TLS Certificate # --- -# - method 'generate' +- include: pure-ftpd/tls-certificate.yml -- name: Generate Pure-FTPd TLS certificate. 
- command: openssl req -x509 -nodes -newkey rsa:{{ pureftpd_tls_certificate_openssl.size | default(4096) }} -sha256 -days {{ pureftpd_tls_certificate_openssl.days | default(365) }} -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }} -subj "/C={{ pureftpd_tls_certificate_openssl.country | default('') }}/ST={{ pureftpd_tls_certificate_openssl.state | default('') }}/L={{ pureftpd_tls_certificate_openssl.locality | default('') }}/O={{ pureftpd_tls_certificate_openssl.organization | default('') }}/OU={{ pureftpd_tls_certificate_openssl.unit | default('') }}/CN={{ pureftpd_tls_certificate_openssl.fqdn }}" - args: - creates: "{{ pureftpd_tls_certificate_pem }}" - when: - - pureftpd_tls_certificate_method == 'generate' - - pureftpd_tls_certificate_openssl | length > 0 - notify: restart Pure-FTPd - -- name: Ensure Pure-FTPd TLS certificate permissions. - file: - path: "{{ pureftpd_tls_certificate_pem }}" - owner: root - group: root - mode: '0600' - state: file - when: - - pureftpd_tls_certificate_method == 'generate' - - pureftpd_tls_certificate_openssl | length > 0 - -# - final checks - -- name: (pure-ftpd-install.yml) Verify TLS certificate exists. - stat: - path: "{{ pureftpd_tls_certificate_pem }}" - register: pureftpd_tls_certificate - -- name: (pure-ftpd-install.yml) Fail when no certificate is found. - fail: - msg: | - The certificate file was not found at {{ pureftpd_tls_certificate_pem }} - when: not pureftpd_tls_certificate.stat.exists | default(False) - -# --- - name: (pure-ftpd-install.yml) Ensure Pure-FTPd service is started enabled on startup. service: diff --git a/roles/common/tasks/pure-ftpd/authentication.yml b/roles/common/tasks/pure-ftpd/authentication.yml new file mode 100644 index 0000000..f5686e3 --- /dev/null +++ b/roles/common/tasks/pure-ftpd/authentication.yml 
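Review bot: The five new `- include:` statements use the bare `include` keyword, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks`, while the rest of this role already uses `include_tasks` for the virtual-user loop, so the file now mixes both generations of the syntax. None of the five includes has a loop or a variable path, so the static form is the natural replacement, e.g. `- import_tasks: pure-ftpd/setup.yml`, and likewise for configure, authentication, virtual-users and tls-certificate. With `import_tasks` the handler notifications and any `when:` on the imported tasks behave exactly as they did when the tasks were inlined here. The trailing `service:` task continues past the end of the hunk.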
@@ -0,0 +1,66 @@ +--- + +# --- +# Authentication Configuration +# --- + +- name: (pure-ftpd-install.yml) Get current authentications. + command: ls -1 {{ pureftpd_config_auth_dir }} + register: pureftpd_current_auth + changed_when: false + +- name: (pure-ftpd-install.yml) Define empty pureftpd_authentications variable. + set_fact: + pureftpd_authentications: [] + +- name: (pure-ftpd-install.yml) Enable PureDB authentication. + file: + src: "{{ pureftpd_config_conf_dir }}/PureDB" + dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_puredb }}pure" + state: link + when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined + notify: restart Pure-FTPd + +- name: (pure-ftpd-install.yml) Add PureDB to Pure-FTPd authentications. + set_fact: + pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']" + when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined + +- name: (pure-ftpd-install.yml) Add PAM to Pure-FTPd authentications. + set_fact: + pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_pam }}pam']" + when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined + + +- name: (pure-ftpd-install.yml) Enable UNIX authentication. + file: + src: "{{ pureftpd_config_conf_dir }}/UnixAuthentication" + dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_unix }}unix" + state: link + when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined + notify: restart Pure-FTPd + +- name: (pure-ftpd-install.yml) Add UnixAuthentication to Pure-FTPd authentications. + set_fact: + pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_unix }}unix']" + when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined + + +- name: (pure-ftpd-install.yml) Enable PAM authentication. 
+ file: + src: "{{ pureftpd_config_conf_dir }}/PAMAuthentication" + dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_pam }}pam" + state: link + when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined + notify: restart Pure-FTPd + + +# Delete unused authentification if exists + +- name: (pure-ftpd-install.yml) Delete old authentications. + file: + path: "{{ pureftpd_config_auth_dir }}/{{ item }}" + state: absent + when: item not in pureftpd_authentications + with_items: "{{ pureftpd_current_auth.stdout_lines }}" + notify: restart Pure-FTPd diff --git a/roles/common/tasks/pure-ftpd/configure.yml b/roles/common/tasks/pure-ftpd/configure.yml new file mode 100644 index 0000000..d45efa9 --- /dev/null +++ b/roles/common/tasks/pure-ftpd/configure.yml 
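Review bot: Every task name in this new file still carries the `(pure-ftpd-install.yml)` prefix although the tasks now live in `pure-ftpd/authentication.yml`, so play output points at a file that no longer contains them; the same stale prefix is copied into configure.yml, setup.yml, tls-certificate.yml and virtual-users.yml. The list-append idiom `pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']"` renders a string and relies on Ansible turning that string back into a list; the explicit form `pureftpd_authentications: "{{ pureftpd_authentications + [pureftpd_auth_puredb ~ 'pure'] }}"` keeps the value a list without that round trip (same for the PAM and UNIX variants). The final 'Delete old authentications' task removes every entry of `{{ pureftpd_config_auth_dir }}` that is not in that list, which makes the directory fully managed by this role; a one-line comment above it saying so would warn anyone who adds an auth method by hand that it will be pruned on the next run.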
@@ -0,0 +1,45 @@ +--- + +# --- +# Configure PureFTP Daemon +# --- + +# Remove old current configurations if exists + +- name: Upload Pure-FTPd global configuration file. + template: + src: etc/default/pure-ftpd-common.j2 + dest: "{{ pureftpd_global_config_file }}" + owner: root + group: root + mode: '0644' + notify: restart Pure-FTPd + +- name: (pure-ftpd-install.yml) Compile Pure-FTPd configurations (set fact..). + set_fact: + pureftpd_config_compiled: "{{ pureftpd_config }}" + +- name: (pure-ftpd-install.yml) Get current configuration. + command: ls -1 {{ pureftpd_config_conf_dir }} + register: pureftpd_current_config + changed_when: false + +- name: (pure-ftpd-install.yml) Delete old configuration. + file: + path: "{{ pureftpd_config_conf_dir }}/{{ item }}" + state: absent + when: pureftpd_config_compiled[item] is not defined + with_items: "{{ pureftpd_current_config.stdout_lines }}" + notify: restart Pure-FTPd + +# write new configuration + +- name: (pure-ftpd-install.yml) Write configuration. + template: + src: etc/pure-ftpd/conf/config.j2 + dest: "{{ pureftpd_config_conf_dir }}/{{ item.key }}" + owner: root + group: root + mode: '0644' + with_dict: '{{ pureftpd_config_compiled }}' + notify: restart Pure-FTPd diff --git a/roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml b/roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml index 0654722..989a3d2 100644 --- a/roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml +++ b/roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml @@ -1,10 +1,10 @@ --- # --- -# virtual ftp users +# Add virtual ftp users # --- -- name: "(create-virtual-ftp-user.yml) Verify if virtual ftp it user {{ user.name }} exists" +- name: "(create-virtual-ftp-user.yml) Verify if virtual ftp user {{ user.name }} exists" command: pure-pw show {{ user.name }} register: pureftpd_virtual_user_exists changed_when: "pureftpd_virtual_user_exists.rc != 0" 
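Review bot: The 'Upload Pure-FTPd global configuration file' task in this new file duplicates the same task in setup.yml (same `src`, `dest` and `notify`), so `{{ pureftpd_global_config_file }}` is templated twice per run and the restart handler is notified twice; keep it in one place, most naturally setup.yml next to the package install. The comment `# Remove old current configurations if exists` now sits above that template task rather than above the `ls`/delete pair it describes; move it down to the 'Get current configuration' task. The delete task's `pureftpd_config_compiled[item] is not defined` prunes anything in `{{ pureftpd_config_conf_dir }}` that is not a key of `pureftpd_config`, which matches the `with_dict` write below; a short comment stating that the conf directory is fully managed by `pureftpd_config` would make that contract explicit.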
@@ -15,10 +15,6 @@ loop_control: label: '{{ user.name }}' -#- name: "Debug Verify if virtual ftp it user {{ user.name }} exists" -# debug: -# msg: "{{ pureftpd_virtual_user_exists }}" - - name: "(create-virtual-ftp-user.yml) Create virtual ftp user {{ user.name }} ." shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw useradd {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}" #when: pureftpd_virtual_user_exists.failed is defined and pureftpd_virtual_user_exists.failed diff --git a/roles/common/tasks/pure-ftpd/remove-virtual-user.yml b/roles/common/tasks/pure-ftpd/remove-virtual-user.yml new file mode 100644 index 0000000..9d24c13 --- /dev/null +++ b/roles/common/tasks/pure-ftpd/remove-virtual-user.yml @@ -0,0 +1,19 @@ +--- + +# --- +# Remove virtual ftp users +# --- + +- name: "User {{ user.name }}: Verify if it exists" + command: pure-pw show {{ user.name }} + register: pureftpd_virtual_user_exists + changed_when: "pureftpd_virtual_user_exists.rc == 0" + failed_when: + - "pureftpd_virtual_user_exists.rc != 0" + - "pureftpd_virtual_user_exists.rc != 16" + ignore_errors: true + +- name: "User {{ user.name }}: Remove virtual user" + shell: "pure-pw userdel {{ user.name }}" + when: pureftpd_virtual_user_exists.changed + notify: reload Pure-FTPd users diff --git a/roles/common/tasks/pure-ftpd/setup.yml b/roles/common/tasks/pure-ftpd/setup.yml new file mode 100644 index 0000000..e23c56a --- /dev/null +++ b/roles/common/tasks/pure-ftpd/setup.yml 
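Review bot: `shell: "pure-pw userdel {{ user.name }}"` interpolates the user name into a shell line unquoted although no shell feature (pipe, redirect) is used; the `command` module with the `quote` filter is the safer form, `command: pure-pw userdel {{ user.name | quote }}`, and the same applies to the `pure-pw show {{ user.name }}` check above it. `ignore_errors: true` on the 'Verify' task masks every failure that `failed_when` lets through (a missing `pure-pw` binary, an unreadable database), after which `.changed` is false and the removal is skipped silently; dropping `ignore_errors` while keeping `failed_when` lets real errors stop the play and still accepts exit codes 0 and 16. Using `changed_when: rc == 0` as the existence signal also reports a change on every run for a user that exists before anything is modified; `when: pureftpd_virtual_user_exists.rc == 0` on the userdel task says what is meant and lets the check keep `changed_when: false`. Whether the `reload Pure-FTPd users` handler runs `pure-pw mkdb` is not visible here; `pure-pw userdel` alone edits only `pureftpd.passwd`, so without that step the daemon's PureDB keeps the account.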
@@ -0,0 +1,21 @@ +--- + +# --- +# Install PureFTP Daemon +# --- + +- name: (pure-ftpd-install.yml) Ensure Pure-FTPd is installed. + apt: + name: "{{ pureftpd_packages }}" + state: present + cache_valid_time: 3600 + update_cache: yes + +- name: (pure-ftpd-install.yml) Upload Pure-FTPd global configuration file. + template: + src: etc/default/pure-ftpd-common.j2 + dest: "{{ pureftpd_global_config_file }}" + owner: root + group: root + mode: '0644' + notify: restart Pure-FTPd diff --git a/roles/common/tasks/pure-ftpd/tls-certificate.yml b/roles/common/tasks/pure-ftpd/tls-certificate.yml new file mode 100644 index 0000000..ea14750 --- /dev/null +++ b/roles/common/tasks/pure-ftpd/tls-certificate.yml 
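Review bot: `update_cache: yes` uses a YAML 1.1 truthy word where the rest of the role writes real booleans (`changed_when: false`, `no_log: true`); write `update_cache: true` so yamllint's truthy rule and a YAML 1.2 loader agree with the intent, and the same for `system: no` in virtual-users.yml. The header comment is the only documentation in the file; a line stating what the two variables are expected to hold, e.g. `# pureftpd_packages: list of apt packages; pureftpd_global_config_file: path of the rendered pure-ftpd-common file`, would make it readable without opening the defaults.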
@@ -0,0 +1,40 @@ +--- + +# --- +# TLS Certificate +# --- + +# - method 'generate' + +- name: Generate Pure-FTPd TLS certificate. + command: openssl req -x509 -nodes -newkey rsa:{{ pureftpd_tls_certificate_openssl.size | default(4096) }} -sha256 -days {{ pureftpd_tls_certificate_openssl.days | default(365) }} -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }} -subj "/C={{ pureftpd_tls_certificate_openssl.country | default('') }}/ST={{ pureftpd_tls_certificate_openssl.state | default('') }}/L={{ pureftpd_tls_certificate_openssl.locality | default('') }}/O={{ pureftpd_tls_certificate_openssl.organization | default('') }}/OU={{ pureftpd_tls_certificate_openssl.unit | default('') }}/CN={{ pureftpd_tls_certificate_openssl.fqdn }}" + args: + creates: "{{ pureftpd_tls_certificate_pem }}" + when: + - pureftpd_tls_certificate_method == 'generate' + - pureftpd_tls_certificate_openssl | length > 0 + notify: restart Pure-FTPd + +- name: Ensure Pure-FTPd TLS certificate permissions. + file: + path: "{{ pureftpd_tls_certificate_pem }}" + owner: root + group: root + mode: '0600' + state: file + when: + - pureftpd_tls_certificate_method == 'generate' + - pureftpd_tls_certificate_openssl | length > 0 + +# - final checks + +- name: (pure-ftpd-install.yml) Verify TLS certificate exists. + stat: + path: "{{ pureftpd_tls_certificate_pem }}" + register: pureftpd_tls_certificate + +- name: (pure-ftpd-install.yml) Fail when no certificate is found. + fail: + msg: | + The certificate file was not found at {{ pureftpd_tls_certificate_pem }} + when: not pureftpd_tls_certificate.stat.exists | default(False) diff --git a/roles/common/tasks/pure-ftpd/virtual-users.yml b/roles/common/tasks/pure-ftpd/virtual-users.yml new file mode 100644 index 0000000..9514f94 --- /dev/null +++ b/roles/common/tasks/pure-ftpd/virtual-users.yml 
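Review bot: The `openssl req ... -nodes -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }}` command writes the unencrypted private key into the PEM under openssl's default umask, and only the following task tightens it to `0600`, so the key can be readable by other local users between the two tasks and stays so if the play is interrupted in between. Running the generation under a restrictive umask closes that window, `shell: umask 077 && openssl req ...` with the same `args: creates:` guard, while the permissions task remains as the steady-state check. `creates:` also means a certificate that has passed its `-days` (default 365) is never regenerated, and the `fail` task at the end tests only existence, not validity; a `command: openssl x509 -checkend 0 -noout -in {{ pureftpd_tls_certificate_pem }}` check, or at least a comment on the `creates:` line stating that renewal is manual, would make the renewal story explicit.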
@@ -0,0 +1,57 @@ +--- + +# Default virtual users/group + +- name: (pure-ftpd-install.yml) Ensure Pure-FTPd group exists. + group: + name: "{{ pureftpd_virtual_users_group }}" + gid: "{{ pureftpd_virtual_users_gid | default(omit) }}" + system: no + state: present + when: pureftpd_virtual_users | length > 0 + +- name: (pure-ftpd-install.yml) Ensure Pure-FTPd user exists. + user: + name: "{{ pureftpd_virtual_users_user }}" + uid: "{{ pureftpd_virtual_users_uid | default(omit) }}" + group: "{{ pureftpd_virtual_users_group }}" + home: /dev/null + shell: /usr/sbin/nologin + system: no + state: present + when: pureftpd_virtual_users | length > 0 + +# user databas + +- name: (pure-ftpd-install.yml) Verify virtual users database existence. + stat: + path: "{{ pureftpd_config_dir }}/pureftpd.passwd" + register: pureftpd_virtual_users_database + +- name: (pure-ftpd-install.yml) Ensure virtual users database exists. + file: + path: "{{ pureftpd_config_dir }}/pureftpd.passwd" + owner: root + group: root + mode: '0600' + state: touch + when: (pureftpd_virtual_users | length > 0) and not pureftpd_virtual_users_database.stat.exists | default(False) + + +# - Cretate virtual user + +- include_tasks: create-virtual-ftp-user.yml + vars: + user: "{{ item }}" + with_items: "{{ pureftpd_virtual_users }}" + when: pureftpd_virtual_users | length > 0 + no_log: true + + +# Remove virtual user +# - +- include_tasks: remove-virtual-user.yml + vars: + user: "{{ item }}" + with_items: "{{ pureftpd_virtual_deleted_users }}" + when: pureftpd_virtual_deleted_users | length > 0
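Review bot: `no_log: true` on the `include_tasks: create-virtual-ftp-user.yml` loop hides the loop items (which carry `user.password`) from the include's own output, but attributes placed on `include_tasks` apply to the include statement itself and, as far as I can tell, are not inherited by the tasks inside the included file, so the `pure-pw useradd` shell task that echoes the password needs its own `no_log: true` unless it already has one (that task's tail is outside this diff). The database task touches `{{ pureftpd_config_dir }}/pureftpd.passwd` with `mode: '0600'` only when the file does not exist; an existing file keeps whatever mode it has, so a second `file:` task with `state: file` and `mode: '0600'`, run unconditionally after it, would keep the credential file locked down on every run. A user listed in both `pureftpd_virtual_users` and `pureftpd_virtual_deleted_users` is created and then removed in the same play; a comment on the removal loop stating that deletion wins would document that ordering. Comment typos: `# user databas` → `# user database`, `# - Cretate virtual user` → `# - Create virtual user`.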