update..

group_vars/all/main.yml

@@ -554,10 +554,18 @@ apt_initial_install_bionic:
   - ifupdown
   - socat
 
-microcode_package: 
+microcode_intel_package: 
   - intel-microcode
+
+microcode_amd_package: 
   - amd64-microcode
 
+firmware_packages:
+  - firmware-linux
+
+firmware_non_free_packages:
+   - firmware-linux-nonfree
+
 apt_install_state: latest
 
 apt_remove:
@@ -727,6 +735,198 @@ apt_install_client_samba:
 samba_server: file-akb.akb.netz
 
 
+# ==========
+# vars used by roles/common/tasks/pure-ftpd-install.yml
+# ==========
+
+pureftpd_global_config_file: /etc/default/pure-ftpd-common
+
+pureftpd_config_dir: /etc/pure-ftpd
+pureftpd_config_conf_dir: "{{ pureftpd_config_dir }}/conf"
+pureftpd_config_auth_dir: "{{ pureftpd_config_dir }}/auth"
+pureftpd_config_db_dir: "{{ pureftpd_config_dir }}/db"
+
+pureftpd_config_fortune_file: "{{ pureftpd_config_dir }}/pureftpd-fortune.txt"
+
+pureftpd_tls_certificate_pem: /etc/ssl/private/pure-ftpd.pem
+
+pureftpd_packages:
+  - pure-ftpd-common
+  - pure-ftpd
+
+# pure-ftpd-common.j2
+pureftpd_global_config_mode: standalone
+pureftpd_global_config_virtualchroot: false
+pureftpd_global_config_uploadscript: '' 
+pureftpd_global_config_uploaduid: ''
+pureftpd_global_config_uploadgid: ''
+
+pureftpd_config:
+  AltLog: 'clf:/var/log/pure-ftpd/transfer.log'
+  AnonymousCantUpload: 'yes'
+  Bind: ',21'
+  CustomerProof: 'yes'
+  DisplayDotFiles: 'yes'
+  DontResolve: 'yes'
+  FSCharset: 'UTF-8'
+  ForcePassiveIP: ''
+  MaxDiskUsage: '80'
+  MinUID: '1000'
+  NoAnonymous: 'yes'
+  PAMAuthentication: 'no'
+  PassivePortRange: '50000 50400'
+  ProhibitDotFilesRead: 'no'
+  ProhibitDotFilesWrite:  'yes'
+  PureDB: '/etc/pure-ftpd/pureftpd.pdb'
+  SyslogFacility: 'ftp'
+  TLS: '1'
+  TLSCipherSuite: 'HIGH'
+  UnixAuthentication: 'no'
+  # 
+  # Available properties
+  #
+  # Available properties
+  # AllowAnonymousFXP: 'no'
+  # AllowUserFXP: 'no'
+  # AltLog: 'clf:/var/log/pure-ftpd/transfer.log'
+  # AnonymousBandwidth: '8'
+  # AnonymousCanCreateDirs: 'no'
+  # AnonymousCantUpload: 'yes'
+  # AnonymousOnly: 'no'
+  # AnonymousRatio: '1 10'
+  # AntiWarez: 'yes'
+  # AutoRename: 'no'
+  # Bind: '127.0.0.1,21'
+  # BrokenClientsCompatibility: 'no'
+  # CallUploadScript: 'yes'
+  # ChrootEveryone: 'yes'
+  # ClientCharset: 'UTF-8'
+  # CreateHomeDir: 'yes'
+  # CustomerProof: 'yes'
+  # Daemonize: 'yes'
+  # DisplayDotFiles: 'yes'
+  # DontResolve: 'yes'
+  # ExtAuth: /var/run/ftpd.sock
+  # ForcePassiveIP: '192.168.0.1'
+  # FortunesFile: '/etc/pure-ftpd/cookie'
+  # FSCharset: 'utf8'
+  # IPV4Only: 'yes'
+  # IPV6Only: 'yes'
+  # KeepAllFiles: 'yes'
+  # LDAPConfigFile: /etc/pureftpd-ldap.conf
+  # LimitRecursion: '10000 8'
+  # LogPID: 'yes'
+  # MaxClientsNumber: '10'
+  # MaxClientsPerIP: "{{ ansible_processor_cores }}"
+  # MaxDiskUsage: '80'
+  # MaxIdleTime: '15'
+  # MaxLoad: '4'
+  # MinUID: '1000'
+  # MySQLConfigFile: /etc/pure-ftpd/mysql.conf
+  # NoAnonymous: 'yes'
+  # NoChmod: 'yes'
+  # NoRename: 'yes'
+  # NoTruncate: 'yes'
+  # PAMAuthentication: 'no'
+  # PassivePortRange: '30000 50000'
+  # PerUserLimits: '3 20'
+  # PGSQLConfigFile: /etc/pureftpd-pgsql.conf
+  # PIDFile: '/var/run/pure-ftpd.pid'
+  # ProhibitDotFilesRead: 'yes'
+  # ProhibitDotFilesWrite: 'yes'
+  # PureDB: /etc/pure-ftpd/pureftpd.pdb
+  # Quota: '1000 10'
+  # SyslogFacility: 'ftp'
+  # TLS: '0'
+  # TLSCipherSuite: 'ALL:!aNULL:!SSLv3'
+  # TrustedIP: '10.1.1.1'
+  # Umask: '113 002'
+  # UnixAuthentication: 'no'
+  # UserBandwidth: '8'
+  # UserRatio: '1 10'
+  # VerboseLog: 'no'
+
+pureftpd_auth_puredb: 50
+pureftpd_auth_mysql: 0
+pureftpd_auth_postgresql: 0
+pureftpd_auth_ldap: 0
+pureftpd_auth_unix: 65
+pureftpd_auth_pam: 70
+
+# Default FTP user/group
+pureftpd_virtual_users_group: nobody
+pureftpd_virtual_users_user: nogroup
+# pureftpd_virtual_users_gid: '65534'
+# pureftpd_virtual_users_uid: '65534'
+
+pureftpd_virtual_users:
+  - name: maica_scan
+    password: maica_scan
+    homedir: /data/samba/Scans/Maica_scans
+    uid: maica
+    gid: users
+  - name: buero_scan
+    password: buero_scan
+    homedir: /data/samba/Scans/Buero_Scans
+    uid: buero
+    gid: users
+  - name: jibran_scan
+    password: jibran_scan
+    homedir: /data/samba/Scans/Jibran_scan_Scans
+    uid: jibran
+    gid: users
+  # Available properties
+  # - name: vuser1
+  #   password: p4ssW0rd
+  #   homedir: /var/ftp/vuser1
+  #   uid: 2000
+  #   gid: 2000
+  #   quota_files: 2000
+  #   quota_size: 500
+  #   bandwidth_ul: 5
+  #   bandwidth_dl: 5
+  #   ratio_ul: 10
+  #   ratio_dl: 1
+
+pureftpd_virtual_deleted_users: []
+  # Available properties
+  # - name: vuser2
+
+pureftpd_virtual_users_import: false
+
+# pureftpd_tls_certificate_method
+#
+# possible values:
+#   - generate
+#   - certbot - Not YET integrated
+#   - upload  - Not YET integrated
+#
+pureftpd_tls_certificate_method: 'generate'
+
+# for method 'generate'
+# 
+pureftpd_tls_certificate_openssl:
+  size: 4096
+  days: 3650
+  fqdn: file-akb.akb.netz
+  country: 'DE'
+  state: 'Brandenburg'
+  locality: 'Potsdam'
+  organization: 'O.OPEN'
+  unit: 'Network services'
+  # Available properties
+  # size: 4096
+  # days: 365
+  # fqdn: ftp.example.com
+  # country: ''
+  # state: ''
+  # locality: ''
+  # organization: ''
+  # unit: ''
+
+
+
+
 # ==========
 # vars used by roles/common/tasks/user.yml
 # ==========

hosts

@@ -53,4 +53,8 @@ file-akb.akb.netz ansible_user=root
 file-akb.akb.netz ansible_user=root
 192.168.82.20 ansible_user=root
 
+[ftp_server]
+file-akb.akb.netz ansible_user=root
+192.168.82.20 ansible_user=root
+
 [gateway_server]

roles/common/handlers/main.yml

@@ -59,3 +59,12 @@
     name: cups-browsed
     daemon_reload: yes
     state: restarted
+
+- name: reload Pure-FTPd users
+  command: pure-pw mkdb
+
+- name: restart Pure-FTPd
+  service:
+    name: pure-ftpd
+    state: restarted
+

roles/common/tasks/apt.yml

@@ -96,12 +96,17 @@
   tags:
     - apt-initial-install
 
-- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
+# ---
+# Microcode
+# ---
+
+- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch)
   apt:
-    name: "{{ microcode_package }}"
+    name: "{{ microcode_intel_package }}"
     state: present
     default_release: "{{ ansible_distribution_release }}-backports"
   when:
+    - apt_backports_enable
     - ansible_facts['distribution'] == "Debian"
     - ansible_facts['distribution_major_version'] == "9"
     - ansible_facts['processor']|string is search("Intel")
@@ -109,9 +114,24 @@
     - apt-initial-install
     - apt-microcode
 
-- name: (apt.yml) Install CPU microcode (debian buster)
+- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch)
   apt:
-    name: "{{ microcode_package }}"
+    name: "{{ microcode_amd_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}-backports"
+  when:
+    - apt_backports_enable
+    - apt_debian_contrib_nonfree_enable
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "9"
+    - ansible_facts['processor']|string is search("AMD")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster)
+  apt:
+    name: "{{ microcode_intel_package }}"
     state: present
     default_release: "{{ ansible_distribution_release }}"
   when:
@@ -122,9 +142,23 @@
     - apt-initial-install
     - apt-microcode
 
-- name: (apt.yml) Install CPU microcode (ubuntu bionic)
+- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster)
   apt:
-    name: "{{ microcode_package }}"
+    name: "{{ microcode_amd_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}"
+  when:
+    - apt_debian_contrib_nonfree_enable
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "10"
+    - ansible_facts['processor']|string is search("AMD")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic)
+  apt:
+    name: "{{ microcode_intel_package }}"
     state: present
     default_release: "{{ ansible_distribution_release }}"
   when:
@@ -135,9 +169,23 @@
     - apt-initial-install
     - apt-microcode
 
-- name: (apt.yml) Install CPU microcode (ubuntu xenial)
+- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic)
   apt:
-    name: "{{ microcode_package }}"
+    name: "{{ microcode_amd_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}"
+  when:
+    - apt_debian_contrib_nonfree_enable
+    - ansible_facts['distribution'] == "Ubuntu"
+    - ansible_facts['distribution_release'] == "bionic"
+    - ansible_facts['processor']|string is search("AMD")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial)
+  apt:
+    name: "{{ microcode_intel_package }}"
     state: present
     default_release: "{{ ansible_distribution_release }}"
   when:
@@ -148,6 +196,49 @@
     - apt-initial-install
     - apt-microcode
 
+- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)
+  apt:
+    name: "{{ microcode_amd_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}"
+  when:
+    - apt_debian_contrib_nonfree_enable
+    - ansible_facts['distribution'] == "Ubuntu"
+    - ansible_facts['distribution_release'] == "xenial"
+    - ansible_facts['processor']|string is search("AMD")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+# ---
+# Firmware
+# ---
+
+- name: (apt.yml) Install Firmware packages
+  apt:
+     name: "{{ firmware_non_free_packages }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}"
+  tags:
+    - apt-initial-install
+    - apt-firmware
+
+- name: (apt.yml) Install non-free Firmware packages
+  apt:
+     name: "{{ firmware_non_free_packages }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}"
+  when:
+    - apt_debian_contrib_nonfree_enable
+  tags:
+    - apt-initial-install
+    - apt-firmware
+
+
+# ---
+# unwanted packages
+# ---
+
 - name: (apt.yml) Remove unwanted packages
   apt:
     name: "{{ apt_remove }}"

roles/common/tasks/main.yml

@@ -55,6 +55,14 @@
   tags:
     - cups
 
+# tags supported inside cups-install.yml:
+#
+- import_tasks: pure-ftpd-install.yml
+  when: 
+    - groups['ftp_server']|string is search(inventory_hostname)
+  tags:
+    - pure-ftpd
+
 # tags supported inside nfs.yml:
 #
 #    nfs-server

roles/common/tasks/pure-ftpd-install.yml

@@ -0,0 +1,220 @@
+---
+
+# ---
+# Install PureFTP Daemon
+# ---
+
+- name: (pure-ftpd-install.yml) Ensure Pure-FTPd is installed.
+  apt:
+    name: "{{ pureftpd_packages }}"
+    state: present
+    cache_valid_time: 3600
+    update_cache: yes
+
+- name: (pure-ftpd-install.yml) Upload Pure-FTPd global configuration file.
+  template:
+    src: etc/default/pure-ftpd-common.j2
+    dest: "{{ pureftpd_global_config_file }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart Pure-FTPd
+
+
+# ---
+# Configure PureFTP Daemon
+# ---
+
+# Remove old current configurations if exists
+
+- name: (pure-ftpd-install.yml) Compile Pure-FTPd configurations (set fact..).
+  set_fact:
+    pureftpd_config_compiled: "{{ pureftpd_config }}"
+
+- name: (pure-ftpd-install.yml) Get current configuration.
+  command: ls -1 {{ pureftpd_config_conf_dir }}
+  register: pureftpd_current_config
+  changed_when: false
+
+- name: (pure-ftpd-install.yml) Delete old configuration.
+  file:
+    path: "{{ pureftpd_config_conf_dir }}/{{ item }}"
+    state: absent
+  when: pureftpd_config_compiled[item] is not defined
+  with_items: "{{ pureftpd_current_config.stdout_lines }}"
+  notify: restart Pure-FTPd
+
+# write new configuration
+
+- name: (pure-ftpd-install.yml) Write configuration.
+  template:
+    src: etc/pure-ftpd/conf/config.j2
+    dest: "{{ pureftpd_config_conf_dir }}/{{ item.key }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_dict: '{{ pureftpd_config_compiled }}'
+  notify: restart Pure-FTPd
+
+# Authentication Configuration
+
+- name: (pure-ftpd-install.yml) Get current authentications.
+  command: ls -1 {{ pureftpd_config_auth_dir }}
+  register: pureftpd_current_auth
+  changed_when: false
+
+- name: (pure-ftpd-install.yml) Define empty pureftpd_authentications variable.
+  set_fact:
+    pureftpd_authentications: []
+
+- name: (pure-ftpd-install.yml) Enable PureDB authentication.
+  file:
+    src: "{{ pureftpd_config_conf_dir }}/PureDB"
+    dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_puredb }}pure"
+    state: link
+  when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
+  notify: restart Pure-FTPd
+
+- name: (pure-ftpd-install.yml) Add PureDB to Pure-FTPd authentications.
+  set_fact:
+    pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']"
+  when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
+
+- name: (pure-ftpd-install.yml) Add PAM to Pure-FTPd authentications.
+  set_fact:
+    pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_pam }}pam']"
+  when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
+
+
+- name: (pure-ftpd-install.yml) Enable UNIX authentication.
+  file:
+    src: "{{ pureftpd_config_conf_dir }}/UnixAuthentication"
+    dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_unix }}unix"
+    state: link
+  when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
+  notify: restart Pure-FTPd
+
+- name: (pure-ftpd-install.yml) Add UnixAuthentication to Pure-FTPd authentications.
+  set_fact:
+    pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_unix }}unix']"
+  when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
+
+
+- name: (pure-ftpd-install.yml) Enable PAM authentication.
+  file:
+    src: "{{ pureftpd_config_conf_dir }}/PAMAuthentication"
+    dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_pam }}pam"
+    state: link
+  when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
+  notify: restart Pure-FTPd
+
+# ---
+# Delete unused authentification if exists
+# ---
+
+- name: (pure-ftpd-install.yml) Delete old authentications.
+  file:
+    path: "{{ pureftpd_config_auth_dir }}/{{ item }}"
+    state: absent
+  when: item not in pureftpd_authentications
+  with_items: "{{ pureftpd_current_auth.stdout_lines }}"
+  notify: restart Pure-FTPd
+
+
+# ---
+# Defaults
+# ---
+
+- name: (pure-ftpd-install.yml) Ensure Pure-FTPd group exists.
+  group:
+    name: "{{ pureftpd_virtual_users_group }}"
+    gid: "{{ pureftpd_virtual_users_gid | default(omit) }}"
+    system: no
+    state: present
+  when: pureftpd_virtual_users | length > 0
+
+- name: (pure-ftpd-install.yml) Ensure Pure-FTPd user exists.
+  user:
+    name: "{{ pureftpd_virtual_users_user }}"
+    uid: "{{ pureftpd_virtual_users_uid | default(omit) }}"
+    group: "{{ pureftpd_virtual_users_group }}"
+    home: /dev/null
+    shell: /usr/sbin/nologin
+    system: no
+    state: present
+  when: pureftpd_virtual_users | length > 0
+
+- name: (pure-ftpd-install.yml) Verify virtual users database existence.
+  stat:
+    path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
+  register: pureftpd_virtual_users_database
+
+- name: (pure-ftpd-install.yml) Ensure virtual users database exists.
+  file:
+    path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
+    owner: root
+    group: root
+    mode: '0600'
+    state: touch
+  when: (pureftpd_virtual_users | length > 0) and not pureftpd_virtual_users_database.stat.exists | default(False)
+
+
+# ---
+# virtual users 
+# ---
+
+- include_tasks: pure-ftpd/create-virtual-ftp-user.yml
+  vars:
+    user: "{{ item }}"
+  with_items: "{{ pureftpd_virtual_users }}"
+  when: pureftpd_virtual_users | length > 0
+  no_log: true
+
+
+# ---
+# TLS Certificate
+# ---
+
+# - method 'generate'
+
+- name: Generate Pure-FTPd TLS certificate.
+  command: openssl req -x509 -nodes -newkey rsa:{{ pureftpd_tls_certificate_openssl.size | default(4096) }} -sha256 -days {{ pureftpd_tls_certificate_openssl.days | default(365) }} -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }} -subj "/C={{ pureftpd_tls_certificate_openssl.country | default('') }}/ST={{ pureftpd_tls_certificate_openssl.state | default('') }}/L={{ pureftpd_tls_certificate_openssl.locality | default('') }}/O={{ pureftpd_tls_certificate_openssl.organization | default('') }}/OU={{ pureftpd_tls_certificate_openssl.unit | default('') }}/CN={{ pureftpd_tls_certificate_openssl.fqdn }}"
+  args:
+    creates: "{{ pureftpd_tls_certificate_pem }}"
+  when: 
+    - pureftpd_tls_certificate_method == 'generate'
+    - pureftpd_tls_certificate_openssl | length > 0
+  notify: restart Pure-FTPd
+
+- name: Ensure Pure-FTPd TLS certificate permissions.
+  file:
+    path: "{{ pureftpd_tls_certificate_pem }}"
+    owner: root
+    group: root
+    mode: '0600'
+    state: file
+  when: 
+    - pureftpd_tls_certificate_method == 'generate'
+    - pureftpd_tls_certificate_openssl | length > 0
+
+# - final checks
+
+- name: (pure-ftpd-install.yml) Verify TLS certificate exists.
+  stat:
+    path: "{{ pureftpd_tls_certificate_pem }}"
+  register: pureftpd_tls_certificate
+
+- name: (pure-ftpd-install.yml) Fail when no certificate is found.
+  fail:
+    msg: |
+        The certificate file was not found at {{ pureftpd_tls_certificate_pem }}
+  when: not pureftpd_tls_certificate.stat.exists | default(False)
+
+# ---
+
+- name: (pure-ftpd-install.yml) Ensure Pure-FTPd service is started enabled on startup.
+  service:
+    name: pure-ftpd
+    state: started
+    enabled: yes
+

roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml

@@ -0,0 +1,38 @@
+---
+
+# ---
+# virtual ftp users 
+# ---
+
+- name: "(create-virtual-ftp-user.yml) Verify if virtual ftp it user {{ user.name }} exists"
+  command: pure-pw show {{ user.name }}
+  register: pureftpd_virtual_user_exists
+  changed_when: "pureftpd_virtual_user_exists.rc != 0"
+  failed_when: 
+    - "pureftpd_virtual_user_exists.rc != 0"
+    - "pureftpd_virtual_user_exists.rc != 16"
+  ignore_errors: true
+  loop_control:
+    label: '{{ user.name }}'
+
+#- name: "Debug Verify if virtual ftp it user {{ user.name }} exists"
+#  debug:
+#    msg: "{{ pureftpd_virtual_user_exists }}"
+
+- name: "(create-virtual-ftp-user.yml) Create virtual ftp user {{ user.name }} ."
+  shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw useradd {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
+  #when: pureftpd_virtual_user_exists.failed is defined and pureftpd_virtual_user_exists.failed
+  when: pureftpd_virtual_user_exists.changed
+  notify: reload Pure-FTPd users
+
+- name: "User {{ user.name }}: Update virtual user"
+  command: "pure-pw usermod {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
+  #when: pureftpd_virtual_user_exists.failed is defined and not pureftpd_virtual_user_exists.failed
+  when: not pureftpd_virtual_user_exists.changed
+  notify: reload Pure-FTPd users
+
+- name: "User {{ user.name }}: Update virtual user password"
+  shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw passwd {{ user.name }}"
+  when: not pureftpd_virtual_user_exists.changed
+  notify: reload Pure-FTPd users
+

roles/common/templates/etc/default/pure-ftpd-common.j2

@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+# Configuration for pure-ftpd
+# (this file is sourced by /bin/sh, edit accordingly)
+
+# STANDALONE_OR_INETD
+# valid values are "standalone" and "inetd".
+# Any change here overrides the setting in debconf.
+STANDALONE_OR_INETD={{ pureftpd_global_config_mode }}
+
+# VIRTUALCHROOT:
+# whether to use binary with virtualchroot support
+# valid values are "true" or "false"
+# Any change here overrides the setting in debconf.
+VIRTUALCHROOT={{ pureftpd_global_config_virtualchroot }}
+
+# UPLOADSCRIPT: if this is set and the daemon is run in standalone mode,
+# pure-uploadscript will also be run to spawn the program given below
+# for handling uploads. see /usr/share/doc/pure-ftpd/README.gz or
+# pure-uploadscript(8)
+
+# example: UPLOADSCRIPT=/usr/local/sbin/uploadhandler.pl
+UPLOADSCRIPT={{ pureftpd_global_config_uploadscript }}
+
+# if set, pure-uploadscript will spawn  running as the
+# given uid and gid
+UPLOADUID={{ pureftpd_global_config_uploaduid }}
+UPLOADGID={{ pureftpd_global_config_uploadgid }}

roles/common/templates/etc/pure-ftpd/conf/config.j2

@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+{{ item.value }}

tatus

@@ -0,0 +1,394 @@
+diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
+index 7b325e6..603929a 100644
+--- a/group_vars/all/main.yml
++++ b/group_vars/all/main.yml
+@@ -554,10 +554,18 @@ apt_initial_install_bionic:
+   - ifupdown
+   - socat
+ 
+-microcode_package: 
++microcode_intel_package: 
+   - intel-microcode
++
++microcode_amd_package: 
+   - amd64-microcode
+ 
++firmware_packages:
++  - firmware-linux
++
++firmware_non_free_packages:
++   - firmware-linux-nonfree
++
+ apt_install_state: latest
+ 
+ apt_remove:
+@@ -727,6 +735,167 @@ apt_install_client_samba:
+ samba_server: file-akb.akb.netz
+ 
+ 
++# ==========
++# vars used by roles/common/tasks/pure-ftpd-install.yml
++# ==========
++
++pureftpd_global_config_file: /etc/default/pure-ftpd-common
++
++pureftpd_config_dir: /etc/pure-ftpd
++pureftpd_config_conf_dir: "{{ pureftpd_config_dir }}/conf"
++pureftpd_config_auth_dir: "{{ pureftpd_config_dir }}/auth"
++pureftpd_config_db_dir: "{{ pureftpd_config_dir }}/db"
++
++pureftpd_config_fortune_file: "{{ pureftpd_config_dir }}/pureftpd-fortune.txt"
++
++pureftpd_tls_certificate_pem: /etc/ssl/private/pure-ftpd.pem
++
++pureftpd_packages:
++  - pure-ftpd-common
++  - pure-ftpd
++
++# pure-ftpd-common.j2
++pureftpd_global_config_mode: standalone
++pureftpd_global_config_virtualchroot: false
++pureftpd_global_config_uploadscript: '' 
++pureftpd_global_config_uploaduid: ''
++pureftpd_global_config_uploadgid: ''
++
++pureftpd_config:
++  AltLog: 'clf:/var/log/pure-ftpd/transfer.log'
++  AnonymousCantUpload: 'yes'
++  Bind: ',21'
++  CustomerProof: 'yes'
++  DisplayDotFiles: 'yes'
++  DontResolve: 'yes'
++  FSCharset: 'UTF-8'
++  ForcePassiveIP: ''
++  MaxDiskUsage: '80'
++  MinUID: '1000'
++  NoAnonymous: 'yes'
++  PAMAuthentication: 'no'
++  PassivePortRange: '50000 50400'
++  ProhibitDotFilesRead: 'no'
++  ProhibitDotFilesWrite:  'yes'
++  PureDB: '/etc/pure-ftpd/pureftpd.pdb'
++  SyslogFacility: 'ftp'
++  TLS: '1'
++  TLSCipherSuite: 'HIGH'
++  UnixAuthentication: 'no'
++  # 
++  # Available properties
++  #
++  # Available properties
++  # AllowAnonymousFXP: 'no'
++  # AllowUserFXP: 'no'
++  # AltLog: 'clf:/var/log/pure-ftpd/transfer.log'
++  # AnonymousBandwidth: '8'
++  # AnonymousCanCreateDirs: 'no'
++  # AnonymousCantUpload: 'yes'
++  # AnonymousOnly: 'no'
++  # AnonymousRatio: '1 10'
++  # AntiWarez: 'yes'
++  # AutoRename: 'no'
++  # Bind: '127.0.0.1,21'
++  # BrokenClientsCompatibility: 'no'
++  # CallUploadScript: 'yes'
++  # ChrootEveryone: 'yes'
++  # ClientCharset: 'UTF-8'
++  # CreateHomeDir: 'yes'
++  # CustomerProof: 'yes'
++  # Daemonize: 'yes'
++  # DisplayDotFiles: 'yes'
++  # DontResolve: 'yes'
++  # ExtAuth: /var/run/ftpd.sock
++  # ForcePassiveIP: '192.168.0.1'
++  # FortunesFile: '/etc/pure-ftpd/cookie'
++  # FSCharset: 'utf8'
++  # IPV4Only: 'yes'
++  # IPV6Only: 'yes'
++  # KeepAllFiles: 'yes'
++  # LDAPConfigFile: /etc/pureftpd-ldap.conf
++  # LimitRecursion: '10000 8'
++  # LogPID: 'yes'
++  # MaxClientsNumber: '10'
++  # MaxClientsPerIP: "{{ ansible_processor_cores }}"
++  # MaxDiskUsage: '80'
++  # MaxIdleTime: '15'
++  # MaxLoad: '4'
++  # MinUID: '1000'
++  # MySQLConfigFile: /etc/pure-ftpd/mysql.conf
++  # NoAnonymous: 'yes'
++  # NoChmod: 'yes'
++  # NoRename: 'yes'
++  # NoTruncate: 'yes'
++  # PAMAuthentication: 'no'
++  # PassivePortRange: '30000 50000'
++  # PerUserLimits: '3 20'
++  # PGSQLConfigFile: /etc/pureftpd-pgsql.conf
++  # PIDFile: '/var/run/pure-ftpd.pid'
++  # ProhibitDotFilesRead: 'yes'
++  # ProhibitDotFilesWrite: 'yes'
++  # PureDB: /etc/pure-ftpd/pureftpd.pdb
++  # Quota: '1000 10'
++  # SyslogFacility: 'ftp'
++  # TLS: '0'
++  # TLSCipherSuite: 'ALL:!aNULL:!SSLv3'
++  # TrustedIP: '10.1.1.1'
++  # Umask: '113 002'
++  # UnixAuthentication: 'no'
++  # UserBandwidth: '8'
++  # UserRatio: '1 10'
++  # VerboseLog: 'no'
++
++pureftpd_auth_puredb: 50
++pureftpd_auth_mysql: 0
++pureftpd_auth_postgresql: 0
++pureftpd_auth_ldap: 0
++pureftpd_auth_unix: 65
++pureftpd_auth_pam: 70
++
++# Default FTP user/group
++pureftpd_virtual_users_group: nobody
++pureftpd_virtual_users_user: nogroup
++# pureftpd_virtual_users_gid: '65534'
++# pureftpd_virtual_users_uid: '65534'
++
++pureftpd_virtual_users:
++  - name: maica_scan
++    password: maica_scan
++    homedir: /data/samba/Scans/Maica_scans
++    uid: maica
++    gid: users
++  - name: buero_scan
++    password: buero_scan
++    homedir: /data/samba/Scans/Buero_Scans
++    uid: buero
++    gid: users
++  - name: jibran_scan
++    password: jibran_scan
++    homedir: /data/samba/Scans/Jibran_scan_Scans
++    uid: jibran
++    gid: users
++  # Available properties
++  # - name: vuser1
++  #   password: p4ssW0rd
++  #   homedir: /var/ftp/vuser1
++  #   uid: 2000
++  #   gid: 2000
++  #   quota_files: 2000
++  #   quota_size: 500
++  #   bandwidth_ul: 5
++  #   bandwidth_dl: 5
++  #   ratio_ul: 10
++  #   ratio_dl: 1
++
++pureftpd_virtual_deleted_users: []
++  # Available properties
++  # - name: vuser2
++
++pureftpd_virtual_users_import: false
++
++
++
+ # ==========
+ # vars used by roles/common/tasks/user.yml
+ # ==========
+diff --git a/hosts b/hosts
+index 98add24..e3079cd 100644
+--- a/hosts
++++ b/hosts
+@@ -53,4 +53,8 @@ file-akb.akb.netz ansible_user=root
+ file-akb.akb.netz ansible_user=root
+ 192.168.82.20 ansible_user=root
+ 
++[ftp_server]
++file-akb.akb.netz ansible_user=root
++192.168.82.20 ansible_user=root
++
+ [gateway_server]
+diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
+index f9391f6..be73450 100644
+--- a/roles/common/handlers/main.yml
++++ b/roles/common/handlers/main.yml
+@@ -59,3 +59,12 @@
+     name: cups-browsed
+     daemon_reload: yes
+     state: restarted
++
++- name: reload Pure-FTPd users
++  command: pure-pw mkdb
++
++- name: restart Pure-FTPd
++  service:
++    name: pure-ftpd
++    state: restarted
++
+diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
+index 466edd1..77fd1c4 100644
+--- a/roles/common/tasks/apt.yml
++++ b/roles/common/tasks/apt.yml
+@@ -96,12 +96,17 @@
+   tags:
+     - apt-initial-install
+ 
+-- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
++# ---
++# Microcode
++# ---
++
++- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch)
+   apt:
+-    name: "{{ microcode_package }}"
++    name: "{{ microcode_intel_package }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}-backports"
+   when:
++    - apt_backports_enable
+     - ansible_facts['distribution'] == "Debian"
+     - ansible_facts['distribution_major_version'] == "9"
+     - ansible_facts['processor']|string is search("Intel")
+@@ -109,9 +114,24 @@
+     - apt-initial-install
+     - apt-microcode
+ 
+-- name: (apt.yml) Install CPU microcode (debian buster)
++- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch)
++  apt:
++    name: "{{ microcode_amd_package }}"
++    state: present
++    default_release: "{{ ansible_distribution_release }}-backports"
++  when:
++    - apt_backports_enable
++    - apt_debian_contrib_nonfree_enable
++    - ansible_facts['distribution'] == "Debian"
++    - ansible_facts['distribution_major_version'] == "9"
++    - ansible_facts['processor']|string is search("AMD")
++  tags:
++    - apt-initial-install
++    - apt-microcode
++
++- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster)
+   apt:
+-    name: "{{ microcode_package }}"
++    name: "{{ microcode_intel_package }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}"
+   when:
+@@ -122,9 +142,23 @@
+     - apt-initial-install
+     - apt-microcode
+ 
+-- name: (apt.yml) Install CPU microcode (ubuntu bionic)
++- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster)
+   apt:
+-    name: "{{ microcode_package }}"
++    name: "{{ microcode_amd_package }}"
++    state: present
++    default_release: "{{ ansible_distribution_release }}"
++  when:
++    - apt_debian_contrib_nonfree_enable
++    - ansible_facts['distribution'] == "Debian"
++    - ansible_facts['distribution_major_version'] == "10"
++    - ansible_facts['processor']|string is search("AMD")
++  tags:
++    - apt-initial-install
++    - apt-microcode
++
++- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic)
++  apt:
++    name: "{{ microcode_intel_package }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}"
+   when:
+@@ -135,9 +169,23 @@
+     - apt-initial-install
+     - apt-microcode
+ 
+-- name: (apt.yml) Install CPU microcode (ubuntu xenial)
++- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic)
+   apt:
+-    name: "{{ microcode_package }}"
++    name: "{{ microcode_amd_package }}"
++    state: present
++    default_release: "{{ ansible_distribution_release }}"
++  when:
++    - apt_debian_contrib_nonfree_enable
++    - ansible_facts['distribution'] == "Ubuntu"
++    - ansible_facts['distribution_release'] == "bionic"
++    - ansible_facts['processor']|string is search("AMD")
++  tags:
++    - apt-initial-install
++    - apt-microcode
++
++- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial)
++  apt:
++    name: "{{ microcode_intel_package }}"
+     state: present
+     default_release: "{{ ansible_distribution_release }}"
+   when:
+@@ -148,6 +196,49 @@
+     - apt-initial-install
+     - apt-microcode
+ 
++- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)
++  apt:
++    name: "{{ microcode_amd_package }}"
++    state: present
++    default_release: "{{ ansible_distribution_release }}"
++  when:
++    - apt_debian_contrib_nonfree_enable
++    - ansible_facts['distribution'] == "Ubuntu"
++    - ansible_facts['distribution_release'] == "xenial"
++    - ansible_facts['processor']|string is search("AMD")
++  tags:
++    - apt-initial-install
++    - apt-microcode
++
++# ---
++# Firmware
++# ---
++
++- name: (apt.yml) Install Firmware packages
++  apt:
++     name: "{{ firmware_non_free_packages }}"
++     state: present
++     default_release: "{{ ansible_distribution_release }}"
++  tags:
++    - apt-initial-install
++    - apt-firmware
++
++- name: (apt.yml) Install non-free Firmware packages
++  apt:
++     name: "{{ firmware_non_free_packages }}"
++     state: present
++     default_release: "{{ ansible_distribution_release }}"
++  when:
++    - apt_debian_contrib_nonfree_enable
++  tags:
++    - apt-initial-install
++    - apt-firmware
++
++
++# ---
++# unwanted packages
++# ---
++
+ - name: (apt.yml) Remove unwanted packages
+   apt:
+     name: "{{ apt_remove }}"
+diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
+index cba68be..b9802b6 100644
+--- a/roles/common/tasks/main.yml
++++ b/roles/common/tasks/main.yml
+@@ -55,6 +55,14 @@
+   tags:
+     - cups
+ 
++# tags supported inside cups-install.yml:
++#
++- import_tasks: pure-ftpd-install.yml
++  when: 
++    - groups['ftp_server']|string is search(inventory_hostname)
++  tags:
++    - pure-ftpd
++
+ # tags supported inside nfs.yml:
+ #
+ #    nfs-server