From e6d942db67fd560cb11df049bd355bbd664784f6 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Fri, 14 Dec 2018 16:14:58 +0000
Subject: [PATCH] Add basic FTP daemon to angor

---
 cookbooks/ftp/.foodcritic | 5 +
 cookbooks/ftp/README.md | 3 +
 cookbooks/ftp/metadata.rb | 9 ++
 cookbooks/ftp/recipes/default.rb | 42 ++++++++
 .../ftp/templates/default/vsftpd.conf.erb | 95 +++++++++++++++++++
 roles/angor.rb | 3 +-
 roles/ftp.rb | 6 ++
 7 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 cookbooks/ftp/.foodcritic
 create mode 100644 cookbooks/ftp/README.md
 create mode 100644 cookbooks/ftp/metadata.rb
 create mode 100644 cookbooks/ftp/recipes/default.rb
 create mode 100644 cookbooks/ftp/templates/default/vsftpd.conf.erb
 create mode 100644 roles/ftp.rb

diff --git a/cookbooks/ftp/.foodcritic b/cookbooks/ftp/.foodcritic
new file mode 100644
index 000000000..0c118ec61
--- /dev/null
+++ b/cookbooks/ftp/.foodcritic
@@ -0,0 +1,5 @@
+~FC001
+~FC064
+~FC065
+~FC066
+~FC071
diff --git a/cookbooks/ftp/README.md b/cookbooks/ftp/README.md
new file mode 100644
index 000000000..f5da71853
--- /dev/null
+++ b/cookbooks/ftp/README.md
@@ -0,0 +1,3 @@
+# FTP Cookbook
+
+Installs and configures a ftp server.
diff --git a/cookbooks/ftp/metadata.rb b/cookbooks/ftp/metadata.rb
new file mode 100644
index 000000000..cb7987ada
--- /dev/null
+++ b/cookbooks/ftp/metadata.rb
@@ -0,0 +1,9 @@
+name "ftp"
+maintainer "Grant Slater"
+maintainer_email "chef@firefishy.com"
+license "Apache-2.0"
+description "Installs/Configures ftp daemon"
+long_description IO.read(File.join(File.dirname(__FILE__), "README.md"))
+version "0.1"
+supports "ubuntu"
+depends "networking"
diff --git a/cookbooks/ftp/recipes/default.rb b/cookbooks/ftp/recipes/default.rb
new file mode 100644
index 000000000..58fc9c80b
--- /dev/null
+++ b/cookbooks/ftp/recipes/default.rb
@@ -0,0 +1,42 @@
+#
+# Cookbook Name:: FTP
+# Recipe:: default
+#
+# Copyright 2018, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "vsftpd"
+
+template "/etc/vsftpd.conf" do
+  source "vsftpd.conf.erb"
+  owner "root"
+  group "root"
+  mode 0o644
+end
+
+service "vsftpd" do
+  action [:enable] # Do not start the service as config may be broken from failed chef run
+  supports :status => true, :restart => true, :reload => true
+  subscribes :restart, "template[/etc/vsftpd.conf]"
+end
+
+firewall_rule "accept-ftp-tcp" do
+  action :helper
+  source "net"
+  dest "fw"
+  proto "tcp"
+  dest_ports "ftp"
+  source_ports "-"
+end
diff --git a/cookbooks/ftp/templates/default/vsftpd.conf.erb b/cookbooks/ftp/templates/default/vsftpd.conf.erb
new file mode 100644
index 000000000..b51879401
--- /dev/null
+++ b/cookbooks/ftp/templates/default/vsftpd.conf.erb
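Review bot: The only firewall rule added here opens `dest_ports "ftp"` with `action :helper`, while the vsftpd.conf template in this same patch pins passive transfers to `pasv_min_port=30000`/`pasv_max_port=30999` and no rule admits that range. What `:helper` expands to lives in the networking cookbook, which is not in view; if it only attaches the FTP conntrack helper, passive data connections work solely because the helper parses the PASV reply, and that stops working the moment the control channel is wrapped in TLS. An explicit accept rule for the passive range (in whatever port-range syntax the cookbook's `firewall_rule` accepts; Shorewall's is `30000:30999`) makes the exposure visible and independent of conntrack. Separately, `subscribes :restart` fires on the first converge when the template is created, so the service is started anyway despite the `action [:enable]` comment; if that is acceptable the comment should say so, otherwise the subscription should be `:reload` or dropped.

```ruby
# … unchanged: package, template, service and accept-ftp-tcp resources …

firewall_rule "accept-ftp-passive-tcp" do
  action :accept
  source "net"
  dest "fw"
  proto "tcp"
  dest_ports "30000:30999"
  source_ports "-"
end
```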
@@ -0,0 +1,95 @@
+# Run standalone? vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=NO
+
+# This directive enables listening on IPv6 sockets. By default, listening
+# on the IPv6 "any" address (::) will accept connections from both IPv6
+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
+# sockets. If you want that (perhaps because you want to listen on specific
+# addresses) then you must run two copies of vsftpd with two configuration
+# files.
+listen_ipv6=YES
+
+# Allow anonymous FTP? (Disabled by default).
+anonymous_enable=NO
+
+# Uncomment this to allow local users to log in.
+local_enable=YES
+
+# Uncomment this to enable any form of FTP write command.
+write_enable=YES
+
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+local_umask=022
+
+anon_upload_enable=NO
+anon_mkdir_write_enable=NO
+anon_other_write_enable=NO
+
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+
+# If enabled, vsftpd will display directory listings with the time
+# in your local time zone. The default is to display GMT. The
+# times returned by the MDTM FTP command are also affected by this
+# option.
+use_localtime=YES
+
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+
+
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+
+# You may restrict local users to their home directories. See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+chroot_local_user=YES
+
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
+# the user does not have write access to the top level directory within the
+# chroot)
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+ssl_enable=NO
+
+guest_enable=YES
+guest_username=ftp
+
+pasv_min_port=30000
+pasv_max_port=30999
diff --git a/roles/angor.rb b/roles/angor.rb
index ff735add6..1b392ae9d 100644
--- a/roles/angor.rb
+++ b/roles/angor.rb
@@ -40,5 +40,6 @@ default_attributes(
 run_list(
   "role[inxza]",
-  "role[tilecache]"
+  "role[tilecache]",
+  "role[ftp]"
 )
diff --git a/roles/ftp.rb b/roles/ftp.rb
new file mode 100644
index 000000000..002929866
--- /dev/null
+++ b/roles/ftp.rb
@@ -0,0 +1,6 @@
+name "ftp"
+description "Role applied to all ftp servers"
+
+run_list(
+  "recipe[ftp]"
+)
-- 
2.39.5
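Review bot: `ssl_enable=NO` near the end of the hunk, together with `local_enable=YES` and `pam_service_name=vsftpd` earlier in it, means real system-account passwords cross the control connection in cleartext, and the recipe in this patch exposes that port to `net`. `guest_enable=YES`/`guest_username=ftp` only changes which account the session runs as after PAM has already checked the caller's real credentials, so it does not reduce that exposure. The `rsa_cert_file`/`rsa_private_key_file` snakeoil paths are a self-signed placeholder; with a real certificate the minimum would be `ssl_enable=YES`, `force_local_logins_ssl=YES` and `force_local_data_ssl=YES` (passive data connections then also need an explicit firewall rule for 30000–30999, since a conntrack helper cannot read PASV inside TLS). If plaintext is deliberate for this host's clients, a comment above `ssl_enable` should say so rather than leaving unused certificate settings that suggest otherwise. Also, `chroot_local_user=YES` with `write_enable=YES` puts every guest session in the `ftp` user's home; vsftpd 3.x refuses a chroot whose root is writable unless `allow_writeable_chroot=YES`, so that directory needs to be root-owned with writable subdirectories or logins will fail with a 500 OOPS.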