From 84d7268a5cba61494dc9a749d5a49dddfff94bcb Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Thu, 29 Jul 2021 13:22:29 +0200
Subject: [PATCH] [vsftpd] Update role and for cameras

---
 group_vars/vsftpd.yml                       |  5 ---
 group_vars/vsftpd_cameras.yml               |  6 +++
 group_vars/vsftpd_mirror.yml                |  7 ++++
 host_vars/charybde.cachan-adm.crans.org.yml |  3 +-
 host_vars/eclat.adm.crans.org.yml           |  3 +-
 host_vars/ptf.adm.crans.org.yml             |  3 +-
 hosts                                       |  7 +++-
 plays/vsftpd.yml                            | 13 ++++--
 roles/vsftpd/handlers/main.yml              |  4 +-
 roles/vsftpd/tasks/main.yml                 | 11 +++++-
 roles/vsftpd/templates/vsftpd.conf.j2       | 44 ++++++++++++++++-----
 roles/vsftpd/templates/vsftpd.user_list.j2  |  3 ++
 12 files changed, 82 insertions(+), 27 deletions(-)
 delete mode 100644 group_vars/vsftpd.yml
 create mode 100644 group_vars/vsftpd_cameras.yml
 create mode 100644 group_vars/vsftpd_mirror.yml
 create mode 100644 roles/vsftpd/templates/vsftpd.user_list.j2

diff --git a/group_vars/vsftpd.yml b/group_vars/vsftpd.yml
deleted file mode 100644
index e77bfa3f..00000000
--- a/group_vars/vsftpd.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-glob_vsftpd:
-  root: /pool/memorial
-  cert: /etc/letsencrypt/live/crans.org/cert.pem
-  private_key: /etc/letsencrypt/live/crans.org/privkey.pem
diff --git a/group_vars/vsftpd_cameras.yml b/group_vars/vsftpd_cameras.yml
new file mode 100644
index 00000000..abbad98e
--- /dev/null
+++ b/group_vars/vsftpd_cameras.yml
@@ -0,0 +1,6 @@
+---
+glob_vsftpd_cameras:
+  local: yes
+  write: yes
+  userlist:
+    - cameras
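Review bot: `local: yes` and `write: yes` should be written as `true` — Ansible's YAML 1.1 loader does read `yes` as a boolean, so the template's `is defined and vsftpd.local` tests work, but yamllint's truthy rule flags it and the rest of the role's YAML (`enabled: true` in tasks) already uses the canonical form. Note also that this group defines no `ssl:` key, so the templated vsftpd.conf emits no `ssl_enable`/`rsa_cert_file` lines for the camera host and the local-user password set up here will be sent in cleartext on the wire; if that is accepted because the cameras sit on an isolated network, say so: `# no ssl: key on purpose — cameras talk plain FTP on the cachan-adm segment` (wording to be confirmed by the author).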
diff --git a/group_vars/vsftpd_mirror.yml b/group_vars/vsftpd_mirror.yml
new file mode 100644
index 00000000..892dbecb
--- /dev/null
+++ b/group_vars/vsftpd_mirror.yml
@@ -0,0 +1,7 @@
+---
+glob_vsftpd_mirror:
+  ssl:
+    cert: /etc/letsencrypt/live/crans.org/cert.pem
+    private_key: /etc/letsencrypt/live/crans.org/privkey.pem
+  anonymous: {}
+  passive: yes
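Review bot: `anonymous: {}` is only a placeholder here — the play merges it with `combine` without `recursive=True`, so the whole `anonymous` mapping is replaced by the host's `loc_vsftpd.anonymous`, and on a mirror host with no `loc_vsftpd` the template's `{{ vsftpd.anonymous.root }}` would fail on an undefined attribute rather than fall back to anything. A comment makes that contract visible: `# root is supplied per host via loc_vsftpd.anonymous.root`. `passive: yes` should be `passive: true`, as in the cameras group vars.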
diff --git a/host_vars/charybde.cachan-adm.crans.org.yml b/host_vars/charybde.cachan-adm.crans.org.yml
index e6d3a88b..da91159e 100644
--- a/host_vars/charybde.cachan-adm.crans.org.yml
+++ b/host_vars/charybde.cachan-adm.crans.org.yml
@@ -12,7 +12,8 @@ loc_ntp_server:
     - 172.16.32.0/22
 
 loc_vsftpd:
-  root: /pool/mirror/pub
+  anonymous:
+    root: /pool/mirror/pub
 
 loc_ftpsync:
   root: /pool/mirror/pub
diff --git a/host_vars/eclat.adm.crans.org.yml b/host_vars/eclat.adm.crans.org.yml
index a08fc386..cc342837 100644
--- a/host_vars/eclat.adm.crans.org.yml
+++ b/host_vars/eclat.adm.crans.org.yml
@@ -51,4 +51,5 @@ loc_nginx:
             - "add_after_body /.html/FOOTER.html"
 
 loc_vsftpd:
-  root: /mirror/pub
+  anonymous:
+    root: /mirror/pub
diff --git a/host_vars/ptf.adm.crans.org.yml b/host_vars/ptf.adm.crans.org.yml
index c14432ac..c0e5bbb1 100644
--- a/host_vars/ptf.adm.crans.org.yml
+++ b/host_vars/ptf.adm.crans.org.yml
@@ -70,4 +70,5 @@ loc_nginx:
             - "mp4_max_buffer_size 5m"
 
 loc_vsftpd:
-  root: /ftp
+  anonymous:
+    root: /ftp
diff --git a/hosts b/hosts
index 9d4dbc1d..db9f35bb 100644
--- a/hosts
+++ b/hosts
@@ -43,7 +43,7 @@ postfix
 radius  # We use certbot to manage LE certificates
 reverseproxy
 thelounge
-vsftpd
+vsftpd_mirror
 
 [constellation:children]
 constellation_front
@@ -269,11 +269,14 @@ virtu_cachan
 [virtu_cachan]
 gulp.cachan-adm.crans.org
 
-[vsftpd]
+[vsftpd_mirror]
 charybde.cachan-adm.crans.org
 eclat.adm.crans.org
 ptf.adm.crans.org
 
+[vsftpd_cameras]
+zephir.cachan-adm.crans.org
+
 [wiki]
 kiwi.adm.crans.org
 sputnik.adm.crans.org
diff --git a/plays/vsftpd.yml b/plays/vsftpd.yml
index 34cc9675..efc6e691 100755
--- a/plays/vsftpd.yml
+++ b/plays/vsftpd.yml
@@ -1,10 +1,17 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Deploy vsftpd server
-- hosts: vsftpd
+# Deploy vsftpd server on the mirrors
+- hosts: vsftpd_mirror
   vars:
     certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
-    vsftpd: '{{ glob_vsftpd | default({}) | combine(loc_vsftpd | default({})) }}'
+    vsftpd: '{{ glob_vsftpd_mirror | default({}) | combine(loc_vsftpd | default({})) }}'
   roles:
     - certbot
     - vsftpd
+
+# Deploy vstfpd on the camera serveur
+- hosts: vsftpd_cameras
+  vars:
+    vsftpd: '{{ glob_vsftpd_cameras | default({}) | combine(loc_vsftpd | default({})) }}'
+  roles:
+    - vsftpd
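Review bot: The comment on the new camera play has two typos and should read `# Deploy vsftpd on the camera server`. The absence of the certbot role and `certbot` var for this play is consistent with the cameras group vars carrying no `ssl:` key, but it is worth stating in the same comment that TLS is intentionally not configured there, so nobody later adds an `ssl:` block to `glob_vsftpd_cameras` without also adding the certbot role that provisions the referenced certificate.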
diff --git a/roles/vsftpd/handlers/main.yml b/roles/vsftpd/handlers/main.yml
index 8bb22f76..061d4f21 100644
--- a/roles/vsftpd/handlers/main.yml
+++ b/roles/vsftpd/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: reload vsftpd
+- name: systemctl restart vsftpd
   service:
     name: vsftpd
-    state: reloaded
+    state: restarted
diff --git a/roles/vsftpd/tasks/main.yml b/roles/vsftpd/tasks/main.yml
index c1925f52..dcda24a1 100644
--- a/roles/vsftpd/tasks/main.yml
+++ b/roles/vsftpd/tasks/main.yml
@@ -12,9 +12,16 @@
     src: vsftpd.conf.j2
     dest: /etc/vsftpd.conf
     mode: 0644
-  notify: reload vsftpd
+  notify: systemctl restart vsftpd
 
-- name: Start vsftpd service
+- name: Deploy userlist
+  template:
+    src: vsftpd.user_list.j2
+    dest: /etc/vsftpd.user_list
+  notify: systemctl restart vsftpd
+  when: vsftpd.userlist is defined
+
+- name: systemctl enable --now service
   systemd:
     name: vsftpd
     enabled: true
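Review bot: The new "Deploy userlist" task sets no `owner`/`group`/`mode`, unlike the config task above it, so `/etc/vsftpd.user_list` ends up with whatever the remote umask gives; add `mode: "0644"` (quoted — an unquoted `0644` is parsed as the octal integer 420, which Ansible tolerates but ansible-lint flags, and the existing `mode: 0644` on the config task would benefit from the same quoting). The file holds only usernames, not secrets, so world-readable is acceptable. Since the task is skipped when `vsftpd.userlist` becomes undefined, a stale user_list file is left behind on the host; that is harmless because the template then omits `userlist_enable=YES`, but a one-line comment on the `when:` saying so would save the next reader the check.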
diff --git a/roles/vsftpd/templates/vsftpd.conf.j2 b/roles/vsftpd/templates/vsftpd.conf.j2
index 2ef3aa61..27850c9b 100644
--- a/roles/vsftpd/templates/vsftpd.conf.j2
+++ b/roles/vsftpd/templates/vsftpd.conf.j2
@@ -20,17 +20,33 @@
 listen_ipv6=YES
 #
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+{% if vsftpd.anonymous is defined%}
 anonymous_enable=YES
+{% if vsftpd.ssl is defined and vsftpd.ssl %}
 allow_anon_ssl=YES
-anon_root={{ vsftpd.root }}
+{% endif %}
+anon_root={{ vsftpd.anonymous.root }}
+{% endif %}
 
 #banner_file=/etc/ftp.banner
 #
 # Uncomment this to allow local users to log in.
+{% if vsftpd.local is defined and vsftpd.local %}
+local_enable=YES
+{% else %}
 #local_enable=YES
+{% endif %}
 #
 # Uncomment this to enable any form of FTP write command.
+{% if vsftpd.write is defined and vsftpd.write %}
+write_enable=YES
+{% else %}
 #write_enable=YES
+{% endif %}
+{% if vsftpd.userlist is defined %}
+userlist_deny=NO
+userlist_enable=YES
+{% endif %}
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
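Review bot: When `vsftpd.anonymous` is undefined — which is exactly the cameras group — the template now emits no `anonymous_enable` line at all, and the stock comment kept just above the new block warns that anonymous access is allowed by default in that case; the block needs an explicit else branch, `{% else %}` / `anonymous_enable=NO`, before the `{% endif %}` so a local-user-only host does not silently accept anonymous logins. The `allow_anon_ssl` guard `vsftpd.ssl is defined and vsftpd.ssl` also differs from the `vsftpd.ssl is defined` test used for the `rsa_cert_file` block later in this file; use the same expression in both places so an empty `ssl: {}` cannot enable the certificate lines without `allow_anon_ssl`. The `userlist_deny=NO` + `userlist_enable=YES` pair makes the list an allow-list, which is the right default for the camera accounts; a short comment `# userlist_deny=NO: only listed users may log in` would make that intent explicit. Minor: `{% if vsftpd.anonymous is defined%}` is missing the space before `%}` that every other tag in the file has.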
@@ -47,13 +63,13 @@ anon_root={{ vsftpd.root }}
 #
 # Activate directory messages - messages given to remote users when they
 # go into a certain directory.
-dirmessage_enable=YES
+#dirmessage_enable=YES
 #
 # Activate logging of uploads/downloads.
 xferlog_enable=YES
 #
 # Make sure PORT transfer connections originate from port 20 (ftp-data).
-connect_from_port_20=YES
+#connect_from_port_20=YES
 #
 # If you want, you can arrange for uploaded anonymous files to be owned by
 # a different user. Note! Using "root" for uploaded files is not
@@ -63,10 +79,10 @@ connect_from_port_20=YES
 #
 # You may override where the log file goes if you like. The default is shown
 # below.
-xferlog_file=/var/log/xferlog
+#xferlog_file=/var/log/xferlog
 #
 # If you want, you can have your log file in standard ftpd xferlog format
-xferlog_std_format=YES
+#xferlog_std_format=YES
 #
 # You may change the default value for timing out an idle session.
 #idle_session_timeout=600
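Review bot: Commenting out `xferlog_file` and `xferlog_std_format` while `xferlog_enable=YES` stays in place changes where and in which format transfers are logged (vsftpd's own format in its default log location instead of wu-ftpd style in /var/log/xferlog); if anything on the mirrors parses those logs — a fail2ban filter or log shipper, which I cannot see from this patch — it will need updating. A comment next to the commented-out lines stating that the default vsftpd log format is now relied upon would document the decision.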
@@ -106,7 +122,11 @@ xferlog_std_format=YES
 # You may restrict local users to their home directories.  See the FAQ for
 # the possible risks in this before using chroot_local_user or
 # chroot_list_enable below.
+{% if vsftpd.local is defined and vsftpd.local %}
+chroot_local_user=YES
+{% else %}
 #chroot_local_user=YES
+{%endif%}
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
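Review bot: `chroot_local_user=YES` combined with `write_enable=YES` (the cameras case) can collide with vsftpd 3.x's refusal to run a local user whose chroot root directory is itself writable; whether that bites depends on how the camera account's home is laid out, which this patch does not show, so verify that the home is not writable and uploads go to a writable subdirectory rather than relaxing the check with `allow_writeable_chroot`. A comment such as `# chroot assumes the user's home is not writable; uploads go to a subdirectory` would record the expectation. Minor: `{%endif%}` lacks the inner spaces used by every other tag in this template.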
@@ -131,19 +151,23 @@ xferlog_std_format=YES
 # directory should not be writable by the ftp user. This directory is used
 # as a secure chroot() jail at times vsftpd does not require filesystem
 # access.
-secure_chroot_dir=/var/run/vsftpd/empty
+#secure_chroot_dir=/var/run/vsftpd/empty
 #
 # This string is the name of the PAM service vsftpd will use.
-pam_service_name=vsftpd
+#pam_service_name=vsftpd
 #
 # This option specifies the location of the RSA certificate to use for SSL
 # encrypted connections.
-rsa_cert_file= {{ vsftpd.cert }}
-rsa_private_key_file= {{ vsftpd.private_key }}
+{% if vsftpd.ssl is defined %}
+rsa_cert_file= {{ vsftpd.ssl.cert }}
+rsa_private_key_file= {{ vsftpd.ssl.private_key }}
 ssl_enable=YES
+{% endif %}
 
 # Limitation à 5Mo pour les connexions anonymes
 #anon_max_rate=5242880
-pasv_enable=Yes
+{% if vsftpd.passive is defined and vsftpd.passive %}
+pasv_enable=YES
 pasv_min_port=45000
 pasv_max_port=48000
+{% endif %}
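Review bot: Commenting out `pam_service_name=vsftpd` matters more now that local logins are enabled for the cameras group: vsftpd's documented default for that option is the `ftp` service name, while the Debian package ships its PAM file as /etc/pam.d/vsftpd, so local authentication would go through PAM's `other` fallback or fail unless that file exists under the default name — please confirm on the camera host before relying on the default, or keep the line explicit. The ssl guard here (`vsftpd.ssl is defined`) should match the `vsftpd.ssl is defined and vsftpd.ssl` form used for `allow_anon_ssl` earlier in the file. The `pasv_enable=Yes` → `YES` correction is good; the passive port range stays fixed at 45000–48000, which is fine as long as the firewall rule for the mirrors matches it.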
diff --git a/roles/vsftpd/templates/vsftpd.user_list.j2 b/roles/vsftpd/templates/vsftpd.user_list.j2
new file mode 100644
index 00000000..b9953aa6
--- /dev/null
+++ b/roles/vsftpd/templates/vsftpd.user_list.j2
@@ -0,0 +1,3 @@
+{% for user in vsftpd.userlist %}
+{{ user }}
+{% endfor %}
-- 
GitLab