Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
- FreeBSD , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'fraenki-proftpd', '2.0.0'
Learn more about managing modules with a Puppetfile
Documentation
puppet-proftpd
Overview
A Puppet module for ProFTPD, hiera-friendly, highly configurable and well-tested.
Requirements
- Puppet 5 or 6
- puppetlabs/concat
- puppetlabs/stdlib
Usage
Beginning with proftpd
This example will install packages, set up a minimal configuration and activate the service for you:
class { 'proftpd': }
Loading additional modules is easy too:
class { 'proftpd':
  load_modules => {
    ban => {},
    tls => {},
    sql => {},
  }
}
It is simple to add new options or overwrite the defaults in the configuration root or any (sub) section:
class { 'proftpd':
  options => {
    'ROOT' => {
      'ServerName'   => 'FTP server',
      'MaxInstances' => '10',
    },
    'IfModule mod_vroot.c' => {
      'VRootEngine' => 'on',
    },
  },
}
NOTE: You don't need to take care of section brackets or closing tags. The module will add these automatically.
Enabling anonymous login and customizing its default options works the same way:
class { 'proftpd':
  anonymous_enable => true,
  options          => {
    'Anonymous ~ftp' => {
      'Directory uploads/*' => {
        'Limit STOR' => {
          'AllowAll' => true,
          'DenyAll'  => false,
        },
      },
    },
  },
}
You may opt to disable the default configuration and do everything from scratch:
class { 'proftpd':
  default_config => false,
  options        => {...}
}
(Here the options hash must contain all options required to run ProFTPD.)
Using Hiera
You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:
proftpd::default_config: false
# load modules in a specific order if necessary
proftpd::load_modules:
  sql:
    order: 1
  sql_mysql:
    order: 2
  quotatab:
    order: 3
  quotatab_sql:
    order: 4
  rewrite:
    order: 5
  ban: {}
  tls: {}
proftpd::options:
  ROOT:
    ServerType: 'standalone'
    DefaultServer: 'on'
    ScoreboardFile: '/var/run/proftpd.scoreboard'
    DelayTable: '/var/run/proftpd.delay'
    ControlsSocket: '/var/run/proftpd.socket'
    User: 'www'
    Group: 'www'
    Umask: '006'
    UseReverseDNS: 'off'
    DefaultRoot: '~ !'
    DefaultChdir: '/var/ftp'
    ServerName: '%{::fqdn}'
    Port: '21'
    PassivePorts: '49152 65534'
    TransferLog: 'NONE'
    LogFormat:
      - 'default "%h %l %u %t \"%r\" %s %b"'
      - 'auth "%t %v [%P] %h \"%r\" %s"'
      - 'access "%h %l %u %t \"%r\" %s %b"'
    ExtendedLog:
      - '/var/log/proftpd/access.log INFO,DIRS,MISC,READ,WRITE access'
      - '/var/log/proftpd/auth.log AUTH auth'
    MaxClients: '20 "Connection limit reached (%m)."'
    MaxInstances: '20'
    MaxClientsPerHost: '15 "Connection limit reached (%m)."'
    MaxClientsPerUser: '10 "Connection limit reached (%m)."'
    TLSEngine: 'on'
    TLSProtocol: 'SSLv23'
    TLSRequired: 'off'
    TLSOptions: 'NoCertRequest'
    TLSCipherSuite: 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
    TLSVerifyClient: 'off'
    TLSRSACertificateFile: '/etc/ssl/%{::fqdn}.crt'
    TLSRSACertificateKeyFile: '/etc/ssl/%{::fqdn}.key'
    TLSLog: '/var/log/proftpd/tls.log'
  Global:
    RequireValidShell: 'off'
    UseFtpUsers: 'on'
    AllowRetrieveRestart: 'on'
    AllowStoreRestart: 'on'
    AllowOverwrite: 'yes'
    AccessGrantMsg: '"Login OK"'
    IdentLookups: 'off'
    ServerIdent: 'on "FTP Service"'
    AllowForeignAddress: 'on'
    DirFakeUser: 'on www'
    DirFakeGroup: 'on www'
    PathDenyFilter: '"(\.ftpaccess)$"'
    ListOptions: '"-a"'
    MaxLoginAttempts: '2'
    AuthUserFile: '/etc/proftpd/proftpd.passwd'
    AuthGroupFile: '/etc/proftpd/proftpd.group'
    TimeoutLogin: '1800'
    TimeoutIdle: '1800'
    TimeoutStalled: '1800'
    TimeoutNoTransfer: '1800'
    'Directory /':
      AllowOverwrite: 'on'
  'VirtualHost 127.0.1.1':
    ServerName: '"FTP Server 1"'
    PassivePorts: '60000 65534'
  'IfModule mod_rewrite.c':
    RewriteEngine: 'on'
    RewriteLog: '/var/log/proftpd/rewrite.log'
    RewriteMap:
      - |
        replace int:replaceall
        RewriteCondition %m ^(STOR)$
        RewriteRule ^(.*)$ "${replace:/$1/ /_}"
      - |
        replace int:replaceall
        RewriteCondition %m ^(STOR)$
        RewriteRule ^(.*)$ "${replace:/$1/\?/_}"
      - |
        replace int:replaceall
        RewriteCondition %m ^(STOR)$
        RewriteRule ^(.*)$ "${replace:/$1/Ü/UE}"
    'Directory /mnt/exchange/user1/*':
      RewriteCondition:
        - |-
          '%f "^[[:cntrl:] ]+"
          RewriteRule "^[[:cntrl:] ]+([^[:cntrl:]]+)" $1'
        - |-
          '%f "[[:cntrl:] ]+$"
          RewriteRule "([^[:cntrl:]]+)[[:cntrl:] ]+$" $1'
        - |-
          '%f "[[:cntrl:]]"
          RewriteRule "([^[:cntrl:]]+)[[:cntrl:]]*([^[:cntrl:]]*)[[:cntrl:]]*([^[:cntrl:]]*)" $1$2$3'
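The TLS values in the Hiera example above (TLSProtocol 'SSLv23', TLSRequired 'off', a cipher list that opens with ALL and adds RC4+RSA) are the kind a pre-deployment check over the options hash can flag. The following Ruby sketch is an added example, not part of the module; the function names, the word lists and the VirtualHost values in the constructed sample are assumptions.

```ruby
require 'yaml'
# Constructed sample: ROOT mirrors the Hiera example above; the VirtualHost values are hypothetical.
SAMPLE_HIERA = <<~YAML
  proftpd::options:
    ROOT:
      TLSProtocol: 'SSLv23'
      TLSRequired: 'off'
      TLSCipherSuite: 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
    'VirtualHost 127.0.1.1':
      TLSProtocol: 'TLSv1.2'
      TLSRequired: 'on'
YAML

LEGACY_PROTOCOLS = %w[SSLv23 SSLv3 TLSv1 TLSv1.1].freeze
WEAK_CIPHER_WORDS = %w[ALL LOW EXP EXPORT EXPORT40 EXPORT56 RC4 DES MD5 NULL aNULL eNULL].freeze

# OpenSSL cipher strings: '!' and '-' remove suites, a leading '+' only
# reorders, and '+' inside an element means AND (RC4+RSA).
def enabling_weak_words(cipher_string)
  cipher_string.split(/[:, ]+/)
               .reject { |el| el.start_with?('!', '-', '+') }
               .flat_map { |el| el.split('+') }
               .select { |word| WEAK_CIPHER_WORDS.include?(word) }
               .uniq
end

# Returns a finding for one directive value, or nil when it passes.
def check_directive(name, value)
  case name
  when 'TLSProtocol'
    bad = value.split & LEGACY_PROTOCOLS
    "allows #{bad.join(', ')}" unless bad.empty?
  when 'TLSRequired'
    'TLS is optional, cleartext logins are accepted' if value.casecmp?('off')
  when 'TLSCipherSuite'
    bad = enabling_weak_words(value)
    "enables #{bad.join(', ')}" unless bad.empty?
  end
end

# Sections are nested hashes; repeated directives are arrays.
def audit_tls(options, path = [])
  options.flat_map do |key, value|
    next audit_tls(value, path + [key]) if value.is_a?(Hash)
    Array(value).map { |v| (msg = check_directive(key, v.to_s)) && "#{(path + [key]).join(' > ')}: #{msg}" }
  end.compact
end

FINDINGS = audit_tls(YAML.safe_load(SAMPLE_HIERA)['proftpd::options'])
puts FINDINGS
```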
Reference
Syntax
You may want to use the $options parameter to overwrite default configuration options or build a ProFTPD configuration from scratch. There are a few things you need to know:
- sections: ProFTPD's configuration uses a number of <sections>. You create a new section by specifying a hash; the module's erb template will do the rest for you. This works for special cases like <IfDefine X> too.
- ROOT: To add items to the root of the ProFTPD configuration, use this namespace.
- false: Setting a value to 'false' will remove the item from the configuration.
- multiple values: If you want to specify multiple values for the same configuration item (e.g. LogFormat or ExtendedLog), you need to specify these values as an array.
Classes and Parameters
Classes and parameters are documented in REFERENCE.md.
Limitations
No Ruby 1.8 support
Some users reported issues when running this module on Ruby 1.8. The config file may change on every puppet run. Please upgrade to Ruby 1.9 to fix this issue. (See PUP-1755 for more details and a description of the root cause.)
OS Compatibility
This module was tested on FreeBSD, CentOS and Debian. Please open a new issue if your operating system is not supported yet, and provide information about problems or missing features.
Template Issues
The proftpd.conf.erb template... sucks. It suffers from code repetition. Furthermore it is limited to only four nested configuration sections (which should still be enough, even for rather complex configurations). If you come up with a better idea please let me know.
Development
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
Contributors
This module is heavily inspired by and in part based on the following modules:
See the LICENSE file for further information.
Reference
Table of Contents
Classes
Public Classes
- proftpd: Install and configure ProFTPD
Private Classes
- proftpd::config: Set up ProFTPD configuration
- proftpd::install: Install ProFTPD packages
- proftpd::service: Manage the ProFTPD service
Defined types
Public Defined types
- proftpd::ftpasswd_user: Add a user to ftpasswd
Private Defined types
- proftpd::module: Load a ProFTPD module
Classes
proftpd
Install and configure ProFTPD
Parameters
The following parameters are available in the proftpd class.
config_template
Data type: String[1]
Specify which erb template to use.
default_config
Data type: Boolean
Set to false to disable loading of the default configuration. Defaults to true.
manage_config_file
Data type: Boolean
Set to false to disable managing of the ProFTPD configuration file(s).
manage_ftpasswd_file
Data type: Boolean
Set to false to disable managing of the ProFTPD ftpasswd file.
package_ensure
Data type: String
Overwrite the package ensure parameter.
package_manage
Data type: Boolean
Set to false to disable package management. Defaults to true.
service_manage
Data type: Boolean
Set to false to disable service management. Defaults to true.
service_enable
Data type: Boolean
Set to false to disable the ProFTPD system service. Defaults to true.
service_ensure
Data type: String
Overwrite the service ensure parameter.
prefix
Data type: Optional[Stdlib::Absolutepath]
Prefix to be added to all paths. Only required on certain operating systems or special installations.
Default value: undef
config_mode
Data type: Stdlib::Filemode
File mode to be used for config files. Defaults to 0644.
prefix_bin
Data type: Stdlib::Absolutepath
Path to the ProFTPD binary.
config
Data type: Stdlib::Absolutepath
Path to the ProFTPD configuration file.
base_dir
Data type: Stdlib::Absolutepath
Directory for additional configuration files.
log_dir
Data type: Stdlib::Absolutepath
Directory for log files.
run_dir
Data type: Stdlib::Absolutepath
Directory for runtime files (except PIDfile).
packages
Data type: Array[String[1]]
An array of packages which should be installed.
service_name
Data type: String[1]
The name of the ProFTPD service.
user
Data type: String[1]
Set the user under which the server will run.
group
Data type: String[1]
Set the group under which the server will run.
config_user
Data type: String[1]
Set the user that should own all configuration files.
config_group
Data type: String[1]
Set the group that should own all configuration files.
pidfile
Data type: Stdlib::Absolutepath
Path and name of the PID file for the ProFTPD service.
scoreboardfile
Data type: Stdlib::Absolutepath
Path and name of the ScoreboardFile for the ProFTPD service.
ftpasswd_file
Data type: Stdlib::Absolutepath
Path and name of the ftpasswd file.
anonymous_options
Data type: Hash
An optional hash containing the default options to configure ProFTPD for anonymous FTP access. Use this to overwrite these defaults.
anonymous_enable
Data type: Boolean
Set to true to enable loading of the $anonymous_options hash.
default_options
Data type: Hash
A hash containing a set of working default options for ProFTPD. This should make it easy to get a running service and to overwrite a few settings.
load_modules
Data type: Hash
A hash of optional ProFTPD modules to load. It is possible to load modules in a specific order by using the order attribute.
options
Data type: Hash
Specify a hash containing options to either overwrite the default options or configure ProFTPD from scratch. Will be merged with $default_options hash (as long as $default_config is not set to false).
authuserfile_source
Data type: Optional[Stdlib::Filesource]
Inject the AuthUserFile by defining a Puppet source (e.g. puppet:///modules/mymodule/ftpd.passwd)
Default value: undef
authgroupfile_source
Data type: Optional[Stdlib::Filesource]
Inject the AuthGroupFile by defining a Puppet source (e.g. puppet:///modules/mymodule/ftpd.group)
Default value: undef
Defined types
proftpd::ftpasswd_user
Add a user to ftpasswd
Parameters
The following parameters are available in the proftpd::ftpasswd_user defined type.
hashed_passwd
Data type: Any
A hashed password.
uid
Data type: Any
The UID of the user.
gid
Data type: Any
The GID of the user.
homedir
Data type: Any
The home directory of the user.
Default value: "/home/${name}"
shell
Data type: Any
The shell of the user.
Default value: '/bin/false'
username
Data type: Any
(Namevar) The user's login name.
Default value: $name
gecos
Data type: Any
The GECOS field with additional (optional) information about the user.
Default value: $name
ftpasswd_file
Data type: Any
The target ftpasswd file.
Default value: $proftpd::ftpasswd_file
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
2.0.0 - 2020-06-17
This is a new major release that may contain (unexpected) breaking changes. Please test in a non-production environment and report any issues on GitHub.
Changed
- Migrate default values from params.pp to module data
- Declare officially compatible with Puppet 6 (#35)
- Convert to PDK (#33)
- Replace deprecated functions (#31)
- Convert documentation to Puppet Strings
Fixed
- Fix rubocop offenses
1.4.9 - 2019-08-26
Added
- Introduce Puppet 4 parameter validation (#28)
- Add new parameter $config_mode to set file mode for config files (#32)
Changed
- Allow stdlib and concat deps < 6.0.0 (#29)
- Require Puppet >= 5.0.0
Fixed
- Fix "Unknown variable: 'authuser_require'" (#26)
1.4.8 - 2018-05-03
- Breaking: Drop Puppet 3.x support
- Feature: Allow to manage an ftpasswd file using resource declaration
- Bugfix: Remove deprecated concat::fragment parameter
- Bugfix: Fix AuthGroupFile support
- Documentation: Add example for using yaml blocks with multiple hash keys
- Contributors: cedef, crispygoth, AlessandroLorenzi, bc-bjoern
1.4.7 - 2017-04-11
- Bugfix: Fix for AuthUserFile with additional arguments
- Contributor: derkgort
1.4.6 - 2017-04-10
- Feature: Allow additional arguments to AuthUserFile and AuthGroupFile
- Contributor: derkgort
1.4.5 - 2017-03-22
- Feature: Allow injection of AuthUserFile and AuthGroupFile
- Bugfix: Fix permissions of AuthUserFile and AuthGroupFile
- Contributor: adepretis
1.4.4 - 2016-12-19
- Bugfix: Fix service notifies for config changes
- Contributor: rendhalver
1.4.3 - 2016-09-29
- Bugfix: Fix requirements and silence a warning
- Documentation: Known issues when running on Ruby 1.8
- Contributor: franzs
1.4.2 - 2016-05-03
- Bugfix: Fix puppet-lint issues
1.4.1 - 2016-05-02
- Bugfix: Do not fail if an expected config section does not exist
1.4.0 - 2016-03-02
- Bugfix: Several fixes to make the validate_cmd more robust
- Feature: Add parameter for ordering modules
- Contributor: cdenneen
1.3.0 - 2015-10-24
- Feature: Create empty AuthUserFile/AuthGroupFile to allow the configtest to succeed
- Bugfix: Fix ERB template to be ready for Puppet 4
- Bugfix: Fix syntax errors in non-hiera example configuration
- Contributors: yarikdot, trlinkin, lmorfitt
1.2.0 - 2015-04-17
- Feature: Add hiera lookup for $::proftpd::options to merge values from multiple hierarchy levels
- Contributor: cdenneen
1.1.1 - 2015-04-12
- Bugfix: Fix LogFormat and ExtendedLog in default configuration
1.1.0 - 2015-03-26
- Feature: Setting an option to 'false' will remove it from the configuration.
- Security: Change insecure default value in $anonymous_options to disable write access.
1.0.0 - 2015-03-23
- Initial release
Dependencies
- puppetlabs/concat (>= 1.0.0 <7.0.0)
- puppetlabs/stdlib (>= 4.25.0 <7.0.0)
Copyright (C) 2015-2019 Frank Wall
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================================================
Based in part on arioch/puppet-proftpd:
Copyright (C) 2012 Tom De Vylder
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
================================================================================
Based in part on takumin/puppet-proftpd:
Copyright (C) 2014 Takumi Takahashi
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
================================================================================
Based in part on cegeka/puppet-proftpd:
Copyright (C) 2012 Fabian Dammekens