--- /dev/null
+#
+# Cookbook Name:: FTP
+# Recipe:: default
+#
+# Copyright 2018, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "vsftpd"
+
+template "/etc/vsftpd.conf" do
+ source "vsftpd.conf.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+end
+
+service "vsftpd" do
+ action [:enable] # Do not start the service as config may be broken from failed chef run
+ supports :status => true, :restart => true, :reload => true
+ subscribes :restart, "template[/etc/vsftpd.conf]"
+end
+
+firewall_rule "accept-ftp-tcp" do
+ action :helper
+ source "net"
+ dest "fw"
+ proto "tcp"
+ dest_ports "ftp"
+ source_ports "-"
+end
--- /dev/null
+# Run standalone? vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=NO
+
+# This directive enables listening on IPv6 sockets. By default, listening
+# on the IPv6 "any" address (::) will accept connections from both IPv6
+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
+# sockets. If you want that (perhaps because you want to listen on specific
+# addresses) then you must run two copies of vsftpd with two configuration
+# files.
+listen_ipv6=YES
+
+# Allow anonymous FTP? (Disabled by default).
+anonymous_enable=NO
+
+# Uncomment this to allow local users to log in.
+local_enable=YES
+
+# Uncomment this to enable any form of FTP write command.
+write_enable=YES
+
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+local_umask=022
+
+anon_upload_enable=NO
+anon_mkdir_write_enable=NO
+anon_other_write_enable=NO
+
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+
+# If enabled, vsftpd will display directory listings with the time
+# in your local time zone. The default is to display GMT. The
+# times returned by the MDTM FTP command are also affected by this
+# option.
+use_localtime=YES
+
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+
+
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+
+# You may restrict local users to their home directories. See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+chroot_local_user=YES
+
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
+# the user does not have write access to the top level directory within the
+# chroot)
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+ssl_enable=NO
+
+guest_enable=YES
+guest_username=ftp
+
+pasv_min_port=30000
+pasv_max_port=30999