diff --git a/group_vars/vsftpd.yml b/group_vars/vsftpd.yml deleted file mode 100644 index e77bfa3f1cf6371586c47184cca63923da6076ab..0000000000000000000000000000000000000000 --- a/group_vars/vsftpd.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -glob_vsftpd: - root: /pool/memorial - cert: /etc/letsencrypt/live/crans.org/cert.pem - private_key: /etc/letsencrypt/live/crans.org/privkey.pem diff --git a/group_vars/vsftpd_cameras.yml b/group_vars/vsftpd_cameras.yml new file mode 100644 index 0000000000000000000000000000000000000000..abbad98ed322fba2e1429d812bcd6425d99db139 --- /dev/null +++ b/group_vars/vsftpd_cameras.yml @@ -0,0 +1,6 @@ +--- +glob_vsftpd_cameras: + local: yes + write: yes + userlist: + - cameras diff --git a/group_vars/vsftpd_mirror.yml b/group_vars/vsftpd_mirror.yml new file mode 100644 index 0000000000000000000000000000000000000000..892dbecb4f6acf892a649f72d79e7e9d8b73f752 --- /dev/null +++ b/group_vars/vsftpd_mirror.yml @@ -0,0 +1,7 @@ +--- +glob_vsftpd_mirror: + ssl: + cert: /etc/letsencrypt/live/crans.org/cert.pem + private_key: /etc/letsencrypt/live/crans.org/privkey.pem + anonymous: {} + passive: yes diff --git a/host_vars/charybde.cachan-adm.crans.org.yml b/host_vars/charybde.cachan-adm.crans.org.yml index e6d3a88b0c0e5b8ad1ca05fa3041d1ffca964dd5..da91159e521694d1a7007b6941e228a2f039b5bd 100644 --- a/host_vars/charybde.cachan-adm.crans.org.yml +++ b/host_vars/charybde.cachan-adm.crans.org.yml @@ -12,7 +12,8 @@ loc_ntp_server: - 172.16.32.0/22 loc_vsftpd: - root: /pool/mirror/pub + anonymous: + root: /pool/mirror/pub loc_ftpsync: root: /pool/mirror/pub diff --git a/host_vars/eclat.adm.crans.org.yml b/host_vars/eclat.adm.crans.org.yml index a08fc386079061e7c37c3d58224bbfe938bb6528..cc342837e8fd161f4a7f8188ee6dc26121291699 100644 --- a/host_vars/eclat.adm.crans.org.yml +++ b/host_vars/eclat.adm.crans.org.yml @@ -51,4 +51,5 @@ loc_nginx: - "add_after_body /.html/FOOTER.html" loc_vsftpd: - root: /mirror/pub + anonymous: + root: /mirror/pub 
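Review bot: `local: yes` and `write: yes` in glob_vsftpd_cameras enable password logins with upload rights, and because no `ssl` key is set in this group the template emits no certificate or `ssl_enable` lines, so the camera credentials would cross the network as cleartext FTP unless that segment is otherwise isolated. The matching play also leaves out the certbot role, so this looks deliberate but it is nowhere recorded; a comment such as `# no ssl on purpose: <reason, e.g. cameras cannot do FTPS>` above `local:` would make the trade-off explicit for the next reader. Separately, `yes` is a YAML 1.1 boolean spelling; `local: true` / `write: true` is the portable form and still satisfies the template's `is defined and vsftpd.local` test.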
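Review bot: `anonymous: {}` in glob_vsftpd_mirror is a placeholder whose role is not visible from this file: the template reads `vsftpd.anonymous.root`, and the value only works because plays/vsftpd.yml merges it with `combine(loc_vsftpd)`, which by default replaces the whole `anonymous` mapping rather than merging into it. A host that lacks `loc_vsftpd.anonymous.root` fails at template time, and any key added under `anonymous` here would be silently dropped on every host that sets its own `anonymous` mapping. A comment such as `# anonymous.root is set per host in loc_vsftpd; combine() is shallow, keep this mapping empty` would make that contract explicit. `passive: yes` should be `passive: true` for the same YAML 1.1 reason as the other boolean-looking values in this commit.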
diff --git a/host_vars/ptf.adm.crans.org.yml b/host_vars/ptf.adm.crans.org.yml index c14432ac4dafd6d38352d8e8b5374b0cd8dcec4b..c0e5bbb1f075d086ed964675be121ce8479155c7 100644 --- a/host_vars/ptf.adm.crans.org.yml +++ b/host_vars/ptf.adm.crans.org.yml @@ -70,4 +70,5 @@ loc_nginx: - "mp4_max_buffer_size 5m" loc_vsftpd: - root: /ftp + anonymous: + root: /ftp diff --git a/hosts b/hosts index 9d4dbc1d1d6eb1260e3b0719b385c024f19e2133..db9f35bbac7f996fd13d7440e9df946e08cbf589 100644 --- a/hosts +++ b/hosts @@ -43,7 +43,7 @@ postfix radius # We use certbot to manage LE certificates reverseproxy thelounge -vsftpd +vsftpd_mirror [constellation:children] constellation_front @@ -269,11 +269,14 @@ virtu_cachan [virtu_cachan] gulp.cachan-adm.crans.org -[vsftpd] +[vsftpd_mirror] charybde.cachan-adm.crans.org eclat.adm.crans.org ptf.adm.crans.org +[vsftpd_cameras] +zephir.cachan-adm.crans.org + [wiki] kiwi.adm.crans.org sputnik.adm.crans.org diff --git a/plays/vsftpd.yml b/plays/vsftpd.yml index 34cc967586d21476164894fc74f328722320afce..efc6e691c0bfbf8ee56d7a1b946deed6a663c9da 100755 --- a/plays/vsftpd.yml +++ b/plays/vsftpd.yml @@ -1,10 +1,17 @@ #!/usr/bin/env ansible-playbook --- -# Deploy vsftpd server -- hosts: vsftpd +# Deploy vsftpd server on the mirrors +- hosts: vsftpd_mirror vars: certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' - vsftpd: '{{ glob_vsftpd | default({}) | combine(loc_vsftpd | default({})) }}' + vsftpd: '{{ glob_vsftpd_mirror | default({}) | combine(loc_vsftpd | default({})) }}' roles: - certbot - vsftpd + +# Deploy vstfpd on the camera serveur +- hosts: vsftpd_cameras + vars: + vsftpd: '{{ glob_vsftpd_cameras | default({}) | combine(loc_vsftpd | default({})) }}' + roles: + - vsftpd diff --git a/roles/vsftpd/handlers/main.yml b/roles/vsftpd/handlers/main.yml index 8bb22f76d850f8f6741a870b079acce788b91f0b..061d4f21be414e977a9e44c2ff4e68bdafeb87e5 100644 --- a/roles/vsftpd/handlers/main.yml +++ b/roles/vsftpd/handlers/main.yml 
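Review bot: The comment on the new play reads `# Deploy vstfpd on the camera serveur`; it should be `# Deploy vsftpd on the camera server` to match the English comment on the first play and the service name. Both plays build `vsftpd` with `combine(loc_vsftpd | default({}))`, which is a shallow merge, so a host-level `anonymous:` or `ssl:` mapping replaces the group-level one entirely rather than overriding single keys; if nested overrides are expected, `combine(loc_vsftpd | default({}), recursive=True)` is the form that provides them, otherwise a short comment stating that host vars replace whole sub-mappings avoids surprises.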
@@ -1,5 +1,5 @@ --- -- name: reload vsftpd +- name: systemctl restart vsftpd service: name: vsftpd - state: reloaded + state: restarted diff --git a/roles/vsftpd/tasks/main.yml b/roles/vsftpd/tasks/main.yml index c1925f52b8595fba8716b12ee29e27d98a9e5ced..dcda24a1211336f988beba739cc68f53d9fa14fd 100644 --- a/roles/vsftpd/tasks/main.yml +++ b/roles/vsftpd/tasks/main.yml @@ -12,9 +12,16 @@ src: vsftpd.conf.j2 dest: /etc/vsftpd.conf mode: 0644 - notify: reload vsftpd + notify: systemctl restart vsftpd -- name: Start vsftpd service +- name: Deploy userlist + template: + src: vsftpd.user_list.j2 + dest: /etc/vsftpd.user_list + notify: systemctl restart vsftpd + when: vsftpd.userlist is defined + +- name: systemctl enable --now service systemd: name: vsftpd enabled: true diff --git a/roles/vsftpd/templates/vsftpd.conf.j2 b/roles/vsftpd/templates/vsftpd.conf.j2 index 2ef3aa6127820616d09210ffc5778ea9a42bdea9..27850c9bbf75b173d6e08dc9176319b0ec1f70df 100644 --- a/roles/vsftpd/templates/vsftpd.conf.j2 +++ b/roles/vsftpd/templates/vsftpd.conf.j2 @@ -20,17 +20,33 @@ listen_ipv6=YES # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). +{% if vsftpd.anonymous is defined%} anonymous_enable=YES +{% if vsftpd.ssl is defined and vsftpd.ssl %} allow_anon_ssl=YES -anon_root={{ vsftpd.root }} +{% endif %} +anon_root={{ vsftpd.anonymous.root }} +{% endif %} #banner_file=/etc/ftp.banner # # Uncomment this to allow local users to log in. +{% if vsftpd.local is defined and vsftpd.local %} +local_enable=YES +{% else %} #local_enable=YES +{% endif %} # # Uncomment this to enable any form of FTP write command. +{% if vsftpd.write is defined and vsftpd.write %} +write_enable=YES +{% else %} #write_enable=YES +{% endif %} +{% if vsftpd.userlist is defined %} +userlist_deny=NO +userlist_enable=YES +{% endif %} # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) 
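Review bot: The new `Deploy userlist` task sets no `mode:`, unlike the vsftpd.conf task directly above it which sets `mode: 0644`, so /etc/vsftpd.user_list ends up with whatever the remote umask yields and can differ between hosts. Adding `mode: "0644"` (quoted, so YAML does not reinterpret the octal literal) keeps the two templated files consistent; the file only holds user names, so it needs no tighter permission than the main config. Note also that once `vsftpd.userlist` is removed from a host the task is skipped and the old file stays on disk; this is harmless because the template then no longer emits `userlist_enable=YES`, but a comment such as `# a stale /etc/vsftpd.user_list is ignored once userlist_enable is no longer rendered` on the task would save the next reader that check.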
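Review bot: When `vsftpd.anonymous` is not defined, the new `{% if vsftpd.anonymous is defined%}` block emits no `anonymous_enable` line at all, and the comment right above it warns that anonymous access is allowed by default when the directive is absent; the cameras group (local, write-enabled, no `anonymous` key) would therefore render a config that still accepts anonymous logins. Closing the block with `{% else %}` / `anonymous_enable=NO` / `{% endif %}` states the intent for every host instead of relying on the daemon default. Minor: the opening tag lacks the space before `%}`, and the SSL guard here uses `is defined and vsftpd.ssl` while the certificate block later in the template uses `is defined` only, so a group with `ssl: {}` or `ssl: false` would be handled differently in the two places; one form for both is safer.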
@@ -47,13 +63,13 @@ anon_root={{ vsftpd.root }} # # Activate directory messages - messages given to remote users when they # go into a certain directory. -dirmessage_enable=YES +#dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). -connect_from_port_20=YES +#connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not @@ -63,10 +79,10 @@ connect_from_port_20=YES # # You may override where the log file goes if you like. The default is shown # below. -xferlog_file=/var/log/xferlog +#xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format -xferlog_std_format=YES +#xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 @@ -106,7 +122,11 @@ xferlog_std_format=YES # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. +{% if vsftpd.local is defined and vsftpd.local %} +chroot_local_user=YES +{% else %} #chroot_local_user=YES +{%endif%} # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of 
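Review bot: Commenting out `xferlog_file=/var/log/xferlog` and `xferlog_std_format=YES` while keeping `xferlog_enable=YES` changes where and in what format transfers are logged, so anything that consumes the old standard-format xferlog (log shipping, fail2ban-style parsing, mirror statistics) may see a different file or format after this deploy, and nothing in the hunk says that is intended. If the aim is only to drop redundant defaults, a comment above the two lines such as `# defaults in effect: vsftpd native log format in its default log file; update any parser of the old std xferlog` records the decision; otherwise restoring the two lines keeps existing log consumers working.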
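Review bot: `chroot_local_user=YES` is now emitted whenever `vsftpd.local` is true, and the only group using it (cameras) also sets `write: yes`; recent vsftpd releases (to be confirmed against the installed version) refuse a login whose chroot root directory is writable, so a camera account whose home is writable for uploads would get an OOPS at login rather than a chroot. The usual layout is a non-writable home with a writable upload subdirectory (or an explicit `local_root`), and that expectation belongs in a comment here, e.g. `# chroot requires the user's home to be non-writable; uploads go to a writable subdirectory`. Also `{%endif%}` is the only tag in this template written without inner spaces; `{% endif %}` matches the rest.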
@@ -131,19 +151,23 @@ xferlog_std_format=YES # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. -secure_chroot_dir=/var/run/vsftpd/empty +#secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. -pam_service_name=vsftpd +#pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. -rsa_cert_file= {{ vsftpd.cert }} -rsa_private_key_file= {{ vsftpd.private_key }} +{% if vsftpd.ssl is defined %} +rsa_cert_file= {{ vsftpd.ssl.cert }} +rsa_private_key_file= {{ vsftpd.ssl.private_key }} ssl_enable=YES +{% endif %} # Limitation à 5Mo pour les connexions anonymes #anon_max_rate=5242880 -pasv_enable=Yes +{% if vsftpd.passive is defined and vsftpd.passive %} +pasv_enable=YES pasv_min_port=45000 pasv_max_port=48000 +{% endif %} diff --git a/roles/vsftpd/templates/vsftpd.user_list.j2 b/roles/vsftpd/templates/vsftpd.user_list.j2 new file mode 100644 index 0000000000000000000000000000000000000000..b9953aa6ac6159f14931cce1e2e2e68d26386932 --- /dev/null +++ b/roles/vsftpd/templates/vsftpd.user_list.j2 @@ -0,0 +1,3 @@ +{% for user in vsftpd.userlist %} +{{ user }} +{% endfor %}
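Review bot: Commenting out `pam_service_name=vsftpd` changes which PAM stack authenticates local users, because the directive's built-in default per vsftpd.conf(5) is `ftp`, not `vsftpd`, and this matters now that the cameras group relies on local logins: unless an `ftp` PAM service exists on that host, local authentication would fail or fall through to the catch-all PAM policy. Keeping `pam_service_name=vsftpd` (the value the distribution package is expected to ship a PAM file for — verify on the target) is the safe choice. Separately, the new `passive` guard does not turn passive mode off when the key is absent: `pasv_enable` defaults to YES in vsftpd, so hosts without `passive: true` still serve passive transfers, just on an unpinned port range that a firewall cannot target; if that is not wanted, add `{% else %}` / `pasv_enable=NO` before the `{% endif %}`, otherwise document it with `# passive mode is always on; this key only pins the port range`.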