Puppet Class: vsftpd

Defined in:
manifests/init.pp

Overview

This class configures a vsftpd server. It ensures that the appropriate files are in the appropriate places and synchronizes the external materials.

Note that local users are forced to use SSL for security reasons.

Parameters:

  • trusted_nets (Simplib::Netlist) (defaults to: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] }))

    A whitelist of subnets (in CIDR notation) permitted access.

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false }))

    If true, use SIMP’s ‘iptables’ to manage firewall rules to accommodate vsftpd.

  • pki (Variant[Enum['simp'],Boolean]) (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))
    • If ‘simp’, include SIMP’s pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/vsftpd/x509

    • If true, do not include SIMP’s pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/vsftpd/x509

    • If false, do not include SIMP’s pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:

      • app_pki_dir

      • app_pki_key

      • app_pki_cert

      • app_pki_ca

      • app_pki_ca_dir

  • tcpwrappers (Boolean) (defaults to: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }))

    If true, use SIMP’s ::tcpwrappers to configure TCP Wrappers to accommodate vsftpd and set the ‘tcp_wrappers’ value in vsftpd.conf to true.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    If true, include ::haveged to assist with entropy generation.

  • cipher_suite (Array[String]) (defaults to: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT','!MEDIUM'] }))

    OpenSSL cipher suite to use. If you are not using this with ::simp_options and the server is in FIPS mode, you need to set this to a FIPS-compliant cipher suite (e.g., [‘FIPS’, ‘!LOW’]). Corresponds to ssl_ciphers in vsftpd.conf.

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The ensure status of the vsftpd package

  • vsftpd_user

    Set the user for the vsftpd service.

  • vsftpd_group (String) (defaults to: 'ftp')

    Set the group for the vsftpd service and files.

  • manage_user (Boolean) (defaults to: true)

    Manage vsftpd user.

  • vsftpd_uid (Integer) (defaults to: 14)

    Integer. UID of the vsftpd user.

  • vsftpd_gid (Integer) (defaults to: 50)

    Integer. GID of the vsftpd group.

  • manage_group (Boolean) (defaults to: true)

    Manage vsftpd group.

  • ftp_data_port (Simplib::Port) (defaults to: 20)
  • listen_address (Optional[Simplib::IP::V4]) (defaults to: undef)
  • listen_ipv4 (Boolean) (defaults to: true)
  • listen_port (Simplib::Port) (defaults to: 21)
  • local_enable (Boolean) (defaults to: true)
  • pasv_enable (Boolean) (defaults to: true)
  • pasv_max_port (Optional[Simplib::Port]) (defaults to: undef)
  • pasv_min_port (Optional[Simplib::Port]) (defaults to: undef)
  • ssl_enable (Boolean) (defaults to: true)
  • require_ssl_reuse (Boolean) (defaults to: true)
  • userlist_deny (Boolean) (defaults to: true)
  • userlist_enable (Boolean) (defaults to: true)
  • user_list (Array[String]) (defaults to: ['root','bin','daemon','adm','lp','sync','shutdown','halt','mail','news','uucp','operator','games','nobody'])
  • pam_service_name (String) (defaults to: 'vsftpd')
  • validate_cert (Boolean) (defaults to: true)
  • vsftpd_user (String) (defaults to: 'ftp')

# File 'manifests/init.pp', line 65

class vsftpd (
  # SIMP options
  Boolean                       $firewall          = simplib::lookup('simp_options::firewall', { 'default_value' => false }),
  Variant[Enum['simp'],Boolean] $pki               = simplib::lookup('simp_options::pki', { 'default_value' => false }),
  Boolean                       $tcpwrappers       = simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }),
  Simplib::Netlist              $trusted_nets      = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] }),
  Boolean                       $haveged           = simplib::lookup('simp_options::haveged', { 'default_value' => false }),
  Array[String]                 $cipher_suite      = simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT','!MEDIUM'] }),
  String                        $package_ensure    = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),

  # vsftpd.conf options
  Boolean                       $manage_user       = true,
  Boolean                       $manage_group      = true,
  Simplib::Port                 $ftp_data_port     = 20,
  Optional[Simplib::IP::V4]     $listen_address    = undef,
  Boolean                       $listen_ipv4       = true, # listen config item in vsftpd.conf
  Simplib::Port                 $listen_port       = 21,
  Boolean                       $local_enable      = true,
  Boolean                       $pasv_enable       = true,
  Optional[Simplib::Port]       $pasv_max_port     = undef,
  Optional[Simplib::Port]       $pasv_min_port     = undef,
  Boolean                       $ssl_enable        = true,
  Boolean                       $require_ssl_reuse = true,
  Boolean                       $userlist_deny     = true,
  Boolean                       $userlist_enable   = true,
  Array[String]                 $user_list         = ['root','bin','daemon','adm','lp','sync','shutdown','halt','mail','news','uucp','operator','games','nobody'],
  String                        $pam_service_name  = 'vsftpd',
  Boolean                       $validate_cert     = true,
  Integer                       $vsftpd_gid        = 50,
  String                        $vsftpd_group      = 'ftp',
  Integer                       $vsftpd_uid        = 14,
  String                        $vsftpd_user       = 'ftp',
) {

  if $haveged and $ssl_enable {
    simplib::assert_optional_dependency($module_name, 'simp/haveged')

    include 'haveged'
  }

  include 'vsftpd::users'
  include 'vsftpd::install'
  include 'vsftpd::config'
  include 'vsftpd::service'

  Class['vsftpd::users']
  -> Class['vsftpd::install']
  -> Class['vsftpd::config']
  ~> Class['vsftpd::service']
  -> Class['vsftpd']

  if $firewall {
    include 'vsftpd::config::firewall'
  }
  if $tcpwrappers {
    include 'vsftpd::config::tcpwrappers'
  }
}
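
The lookups in the signature above fall back to false for firewall, pki and tcpwrappers and to loopback-only trusted_nets when simp_options is not set, so a bare include leaves those controls unmanaged. The declaration below is an added example, not part of the module's own code, that sets them explicitly using only the parameters documented on this page. The subnet and passive port numbers are constructed sample values, and it assumes SIMP's iptables, tcpwrappers and pki modules are available.

```puppet
# Added example: explicit, hardened declaration of the vsftpd class.
# The subnet and port numbers are constructed sample values.
class { 'vsftpd':
  # Access control: without simp_options these fall back to
  # ['127.0.0.1','::1'], false and false respectively.
  trusted_nets      => ['10.10.0.0/24'],
  firewall          => true,
  tcpwrappers       => true,

  # TLS: 'simp' includes SIMP's pki module and uses pki::copy to
  # place certs in /etc/pki/simp_apps/vsftpd/x509.
  pki               => 'simp',
  ssl_enable        => true,
  require_ssl_reuse => true,
  validate_cert     => true,

  # FIPS-mode hosts that do not use simp_options need a
  # FIPS-compliant suite; this becomes ssl_ciphers in vsftpd.conf.
  cipher_suite      => ['FIPS', '!LOW'],

  # Bound the passive-mode data port range so it can be covered
  # by a narrow firewall rule instead of all ephemeral ports.
  pasv_enable       => true,
  pasv_min_port     => 50000,
  pasv_max_port     => 50100,

  # Keep the deny list active: accounts in user_list (root, bin,
  # daemon, ... by default) are refused FTP logins.
  userlist_enable   => true,
  userlist_deny     => true,
}
```

With pki set to false instead, certificates are not managed, and the app_pki_* settings listed under the pki parameter have to be assigned to existing key, certificate and CA paths.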