puppet-proftpd

Table of Contents

1. Overview
2. Requirements
3. Usage
   • Beginning with proftpd
   • Using Hiera
4. Reference
   • Syntax
   • Classes and Parameters
5. Limitations
   • OS Compatibility
   • Template Issues
6. Development
7. Contributors

Overview

A Puppet module for ProFTPD, hiera-friendly, highly configurable and well-tested.

Requirements

• Puppet 5 or 6
• puppetlabs/concat
• puppetlabs/stdlib

Usage

Beginning with proftpd

This example will install packages, setup a minimal configuration and activate the service for you:

class { 'proftpd': }

Loading additional modules is easy too:

class { 'proftpd':
  load_modules => {
    ban => {},
    tls => {},
    sql => {},
  }
}

It is simple to add new options or overwrite the defaults in the configuration root or any (sub) section:

class { 'proftpd':
  options => {
    'ROOT'  => {
      'ServerName'   => 'FTP server',
      'MaxInstances' => '10',
    },
    'IfModule mod_vroot.c' => {
      'VRootEngine' => 'on',
    },
  },
}

NOTE: You don't need to take care for section brackets or closing tags. The module will add this automatically.

Enabling anonymous login and customizing it's default options works the same way:

class { 'proftpd':
  anonymous_enable => true,
  options          => {
    'Anonymous ~ftp'        => {
      'Directory uploads/*' => {
        'Limit STOR'        => {
          'AllowAll'        => true,
          'DenyAll'         => false,
        },
      },
    },
  },

You may opt to disable the default configuration and do everything from scratch:

class { 'proftpd':
  default_config => false,
  options => {...}
}

(Here the options hash must contain all options required to run ProFTPD.)

Using Hiera

You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:

proftpd::default_config: false
# load modules in a specific order if necessary
proftpd::load_modules:
  sql:
    order: 1
  sql_mysql:
    order: 2
  quotatab:
    order: 3
  quotatab_sql:
    order: 4
  rewrite:
    order: 5
  ban: {}
  tls: {}

proftpd::options:
  ROOT:
    ServerType: 'standalone'
    DefaultServer: 'on'
    ScoreboardFile: '/var/run/proftpd.scoreboard'
    DelayTable: '/var/run/proftpd.delay'
    ControlsSocket: '/var/run/proftpd.socket'
    User: 'www'
    Group: 'www'
    Umask: '006'
    UseReverseDNS: 'off'
    DefaultRoot: '~ !'
    DefaultChdir: '/var/ftp'
    ServerName: '%{::fqdn}'
    Port: '21'
    PassivePorts: '49152 65534'
    TransferLog: 'NONE'
    LogFormat:
      - 'default "%h %l %u %t \"%r\" %s %b"'
      - 'auth "%t %v [%P] %h \"%r\" %s"'
      - 'access "%h %l %u %t \"%r\" %s %b"'
    ExtendedLog:
      - '/var/log/proftpd/access.log INFO,DIRS,MISC,READ,WRITE access'
      - '/var/log/proftpd/auth.log AUTH auth'
    MaxClients: '20 "Connection limit reached (%m)."'
    MaxInstances: '20'
    MaxClientsPerHost: '15 "Connection limit reached (%m)."'
    MaxClientsPerUser: '10 "Connection limit reached (%m)."'
    TLSEngine: 'on'
    TLSProtocol: 'SSLv23'
    TLSRequired: 'off'
    TLSOptions: 'NoCertRequest'
    TLSCipherSuite: 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
    TLSVerifyClient: 'off'
    TLSRSACertificateFile: '/etc/ssl/%{::fqdn}.crt'
    TLSRSACertificateKeyFile: '/etc/ssl/%{::fqdn}.key'
    TLSLog: '/var/log/proftpd/tls.log'
  Global:
    RequireValidShell: 'off'
    UseFtpUsers: 'on'
    AllowRetrieveRestart: 'on'
    AllowStoreRestart: 'on'
    AllowOverwrite: 'yes'
    AccessGrantMsg: '"Login OK"'
    IdentLookups: 'off'
    ServerIdent: 'on "FTP Service"'
    AllowForeignAddress: 'on'
    DirFakeUser: 'on www'
    DirFakeGroup: 'on www'
    PathDenyFilter: '"(\.ftpaccess)$"'
    ListOptions: '"-a"'
    MaxLoginAttempts: '2'
    AuthUserFile: '/etc/proftpd/proftpd.passwd'
    AuthGroupFile: '/etc/proftpd/proftpd.group'
    TimeoutLogin: '1800'
    TimeoutIdle: '1800'
    TimeoutStalled: '1800'
    TimeoutNoTransfer: '1800'
  'Directory /':
    AllowOverwrite: 'on'
  'VirtualHost 127.0.1.1':
    ServerName: '"FTP Server 1"'
    PassivePorts: '60000 65534'
  'IfModule mod_rewrite.c':
    RewriteEngine: 'on'
    RewriteLog: '/var/log/proftpd/rewrite.log'
    RewriteMap:
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/ /_}"
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/\?/_}"
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/Ü/UE}"
  'Directory /mnt/exchange/user1/*':
    RewriteCondition:
      - |-
        '%f "^[[:cntrl:] ]+"
            RewriteRule "^[[:cntrl:] ]+([^[:cntrl:]]+)" $1'
      - |-
        '%f "[[:cntrl:] ]+$"
            RewriteRule "([^[:cntrl:]]+)[[:cntrl:] ]+$" $1'
      - |-
        '%f "[[:cntrl:]]"
            RewriteRule "([^[:cntrl:]]+)[[:cntrl:]]*([^[:cntrl:]]*)[[:cntrl:]]*([^[:cntrl:]]*)" $1$2$3'  

Reference

Syntax

You may want to use the $options parameter to overwrite default configuration options or build a ProFTPD configuration from scratch. There are few things you need to know:

• sections: ProFTPD's configuration uses a number of <sections>. You create a new section by specifying a hash, the module's erb template will do the rest for you. This works for special cases like <IfDefine X> too.
• ROOT: To add items to the root of the ProFTPD configuration, use this namespace.
• false: Setting a value to 'false' will remove the item from the configuration.
• multiple values: If you want to specify multiple values for the same configuration item (i.e. LogFormat or ExtendedLog), you need to specify these values as an array.

Classes and Parameters

Classes and parameters are documented in REFERENCE.md.

Limitations

No Ruby 1.8 support

Some users reported issues when running this module on Ruby 1.8. The config file may change on every puppet run. Please upgrade to Ruby 1.9 to fix this issue. (See PUP-1755 for more details and a description of the root cause.)

OS Compatibility

This module was tested on FreeBSD, CentOS and Debian. Please open a new issue if your operating system is not supported yet, and provide information about problems or missing features.

Template Issues

The proftpd.conf.erb template... sucks. It suffers from code repetition. Furthermore it is limited to only four nested configuration sections (which should still be enough, even for rather complex configurations). If you come up with a better idea please let me know.

Development

Please use the github issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.

Contributors

This module is heavily inspired by and in part based on the following modules:

• arioch/puppet-proftpd
• takumin/puppet-proftpd
• cegeka/puppet-proftpd

See the LICENSE file for further information.

Reference

Table of Contents

Classes

Public Classes

• proftpd: Install and configure ProFTPD

Private Classes

• proftpd::config: Setup ProFTPD configuration
• proftpd::install: Install ProFTPD packages
• proftpd::service: Manage the ProFTPD service

Defined types

Public Defined types

• proftpd::ftpasswd_user: Add a user to ftpasswd

Private Defined types

• proftpd::module: Load a ProFTPD module

Classes

proftpd

Install and configure ProFTPD

Parameters

The following parameters are available in the proftpd class.

config_template

Data type: String[1]

Specify which erb template to use.

default_config

Data type: Boolean

Set to false to disable loading of the default configuration. Defaults to true.

manage_config_file

Data type: Boolean

Set to false to disable managing of the ProFTPD configuration file(s).

manage_ftpasswd_file

Data type: Boolean

Set to false to disable managing of the ProFTPD ftpasswd file.

package_ensure

Data type: String

Overwrite the package ensure parameter.

package_manage

Data type: Boolean

Set to false to disable package management. Defaults to true.

service_manage

Data type: Boolean

Set to false to disable service management. Defaults to true.

service_enable

Data type: Boolean

Set to false to disable the ProFTPD system service. Defaults to true.

service_ensure

Data type: String

Overwrite the service ensure parameter.

prefix

Data type: Optional[Stdlib::Absolutepath]

Prefix to be added to all paths. Only required on certain operating systems or special installations.

Default value: undef

config_mode

Data type: Stdlib::Filemode

File mode to be used for config files. Defaults to 0644.

prefix_bin

Data type: Stdlib::Absolutepath

Path to the ProFTPD binary.

config

Data type: Stdlib::Absolutepath

Path to the ProFTPD configuration file.

base_dir

Data type: Stdlib::Absolutepath

Directory for additional configuration files.

log_dir

Data type: Stdlib::Absolutepath

Directory for log files.

run_dir

Data type: Stdlib::Absolutepath

Directory for runtime files (except PIDfile).

packages

Data type: Array[String[1]]

An array of packages which should be installed.

service_name

Data type: String[1]

The name of the ProFTPD service.

user

Data type: String[1]

Set the user under which the server will run.

group

Data type: String[1]

Set the group under which the server will run.

config_user

Data type: String[1]

Set the user that should own all configuration files.

config_group

Data type: String[1]

Set the user that should own all configuration files.

pidfile

Data type: Stdlib::Absolutepath

Path and name of the PID file for the ProFTPD service.

scoreboardfile

Data type: Stdlib::Absolutepath

Path and name of the ScoreboardFile for the ProFTPD service.

ftpasswd_file

Data type: Stdlib::Absolutepath

Path and name of the ftpasswd file.

anonymous_options

Data type: Hash

An optional hash containing the default options to configure ProFTPD for anonymous FTP access. Use this to overwrite these defaults.

anonymous_enable

Data type: Boolean

Set to true to enable loading of the $anonymous_options hash.

default_options

Data type: Hash

A hash containing a set of working default options for ProFTPD. This should make it easy to get a running service and to overwrite a few settings.

load_modules

Data type: Hash

A hash of optional ProFTPD modules to load. It is possible to load modules in a specific order by using the order attribute.

options

Data type: Hash

Specify a hash containing options to either overwrite the default options or configure ProFTPD from scratch. Will be merged with $default_options hash (as long as $default_config is not set to false).

authuserfile_source

Data type: Optional[Stdlib::Filesource]

Inject the AuthUserFile by defining a Puppet source (e.g. puppet:///modules/mymodule/ftpd.passwd)

Default value: undef

authgroupfile_source

Data type: Optional[Stdlib::Filesource]

Inject the AuthGroupFile by defining a Puppet source (e.g. puppet:///modules/mymodule/ftpd.group)

Default value: undef

Defined types

proftpd::ftpasswd_user

Add a user to ftpasswd

Parameters

The following parameters are available in the proftpd::ftpasswd_user defined type.

hashed_passwd

Data type: Any

A hashed password.

uid

Data type: Any

The UID of the user.

gid

Data type: Any

The GID of the user.

homedir

Data type: Any

The home directory of the user.

Default value: "/home/${name}"

shell

Data type: Any

The shell of the user.

Default value: '/bin/false'

username

Data type: Any

(Namevar) The user's login name.

Default value: $name

gecos

Data type: Any

The GECOS field with additional (optional) information about the user.

Default value: $name

ftpasswd_file

Data type: Any

The target ftpasswd file.

Default value: $proftpd::ftpasswd_file

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

2.1.0 - 2022-08-02

Changed

• Update OS version, Puppet version and dependencies
• Update PDK from 1.18.0 to 2.5.0
• Fix puppet-lint offenses

2.0.0 - 2020-06-17

This is a new major release that may contain (unexpected) breaking changes. Please test in non-production environment and report any issues on GitHub.

Changed

• Migrate default values from params.pp to module data
• Declare officially compatible with Puppet 6 (#35)
• Convert to PDK (#33)
• Replace deprecated functions (#31)
• Convert documentation to Puppet Strings

Fixed

• Fix rubocop offenses

1.4.9 - 2019-08-26

Added

• Introduce Puppet 4 parameter validation (#28)
• Add new parameter $config_mode to set file mode for config files (#32)

Changed

• Allow stdlib and concat deps < 6.0.0 (#29)
• Require Puppet >= 5.0.0

Fixed

• Fix "Unknown variable: 'authuser_require'" (#26)

1.4.8 - 2018-05-03

• Breaking: Drop Puppet 3.x support
• Feature: Allow to manage an ftpasswd file using resource declaration
• Bugfix: Remove deprecated concat::fragment parameter
• Bugfix: Fix AuthGroupFile support
• Documentation: Add example for using yaml blocks with multiple hash keys
• Contributors: cedef, crispygoth, AlessandroLorenzi, bc-bjoern

1.4.7 - 2017-04-11

• Bugfix: Fix for AuthUserFile with additional arguments
• Contributor: derkgort

1.4.6 - 2017-04-10

• Feature: Allow additional arguments to AuthUserFile and AuthGroupFile
• Contributor: derkgort

1.4.5 - 2017-03-22

• Feature: Allow injection of AuthUserFile and AuthGroupFile
• Bugfix: Fix permissions of AuthUserFile and AuthGroupFile
• Contributor: adepretis

1.4.4 - 2016-12-19

• Bugfix: Fix service notifies for config changes
• Contributor: rendhalver

1.4.3 - 2016-09-29

• Bugfix: Fix requirements and silence a warning
• Documentation: Known issues when running on Ruby 1.8
• Contributor: franzs

1.4.2 2016-05-03

• Bugfix: Fix puppet-lint issues

1.4.1 - 2016-05-02

• Bugfix: Do not fail if an expected config section does not exist

1.4.0 2016-03-02

• Bugfix: Several fixes to make the validate_cmd more robust
• Feature: Add parameter for ordering modules
• Contributor: cdenneen

1.3.0 - 2015-10-24

• Feature: Create empty AuthUserFile/AuthGroupFile to allow the configtest to succeed
• Bugfix: Fix ERB template to be ready for Puppet 4
• Bugfix: Fix syntax errors in non-hiera example configuration
• Contributors: yarikdot, trlinkin, lmorfitt

1.2.0 . 2015-04-17

• Feature: Add hiera lookup for $::proftpd::options to merge values from multiple hierarchy levels
• Contributor: cdenneen

1.1.1 - 2015-04-12

• Bugfix: Fix LogFormat and ExtendedLog in default configuration

1.1.0 - 2015-03-26

• Feature: Setting an option to 'false' will remove it from the configuration.
• Security: Change insecure default value in $anonymous_options to disable write access.

1.0.0 - 2015-03-23

• Initial release