From cbbf3d951acc209b7db47940b2b49f205f3e5650 Mon Sep 17 00:00:00 2001
From: Bastian Blank
Date: Fri, 31 Mar 2017 15:38:32 +0200
Subject: [PATCH] Add systemd backed vsftpd service
---
modules/vsftpd/manifests/site_systemd.pp | 93 +++++++++++++++++++
.../templates/systemd-vsftpd.service.erb | 11 +++
.../templates/systemd-vsftpd.socket.erb | 13 +++
3 files changed, 117 insertions(+)
create mode 100644 modules/vsftpd/manifests/site_systemd.pp
create mode 100644 modules/vsftpd/templates/systemd-vsftpd.service.erb
create mode 100644 modules/vsftpd/templates/systemd-vsftpd.socket.erb
diff --git a/modules/vsftpd/manifests/site_systemd.pp b/modules/vsftpd/manifests/site_systemd.pp
new file mode 100644
index 000000000..ced51d49f
--- /dev/null
+++ b/modules/vsftpd/manifests/site_systemd.pp
@@ -0,0 +1,93 @@
+define vsftpd::site_systemd (
+ $root,
+ $binds=['[::]'],
+ $chown_user='',
+ $writable=false,
+ $writable_other=false,
+ $banner="${name} FTP Server",
+ $max_clients=100,
+ $logfile="/var/log/ftp/vsftpd-${name}.debian.org.log",
+ $ensure=present,
+) {
+ include vsftpd
+
+ case $ensure {
+ present,absent: {}
+ default: { fail ( "Invald ensure `$ensure' for $name" ) }
+ }
+
+ $ensure_service = $ensure ? {
+ present => running,
+ absent => stopped,
+ }
+
+ $ensure_enable = $ensure ? {
+ present => true,
+ absent => false,
+ }
+
+ $fname = "/etc/vsftpd-${name}.conf"
+
+ file { $fname:
+ ensure => $ensure,
+ content => template('vsftpd/vsftpd.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ file { "/etc/logrotate.d/vsftpd-${name}":
+ ensure => absent
+ }
+
+ file { "/etc/systemd/system/vsftpd-${name}@.service":
+ ensure => $ensure,
+ content => template('vsftpd/systemd-vsftpd.service.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$fname],
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { "/etc/systemd/system/vsftpd-${name}.socket":
+ ensure => $ensure,
+ content => template('vsftpd/systemd-vsftpd.socket.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => [
+ Exec['systemctl daemon-reload'],
+ Service["vsftpd-${name}.socket"],
+ ],
+ }
+
+ service { "vsftpd-${name}.socket":
+ ensure => $ensure_service,
+ enable => $ensure_enable,
+ require => [
+ Exec['systemctl daemon-reload'],
+ File["/etc/systemd/system/vsftpd-${name}@.service"],
+ File["/etc/systemd/system/vsftpd-${name}.socket"],
+ ],
+ provider => systemd,
+ }
+
+ xinetd::service { [ "vsftpd-${name}", "vsftpd-${name}6", "vsftpd-${name}-v6" ]:
+ ensure => absent,
+ id => 'unused',
+ server => 'unused',
+ service => 'unused',
+ ferm => false,
+ before => Service["vsftpd-${name}.socket"],
+ }
+
+ munin::check { "vsftpd-${name}":
+ ensure => $ensure,
+ script => 'vsftpd'
+ }
+ munin::conf { "vsftpd-${name}":
+ ensure => $ensure,
+ content => template('vsftpd/munin.erb')
+ }
+}
diff --git a/modules/vsftpd/templates/systemd-vsftpd.service.erb b/modules/vsftpd/templates/systemd-vsftpd.service.erb
new file mode 100644
index 000000000..16060e26b
--- /dev/null
+++ b/modules/vsftpd/templates/systemd-vsftpd.service.erb
@@ -0,0 +1,11 @@
+[Unit]
+Description=vsftpd <%= @name %>
+
+[Service]
+ExecStart=-/usr/sbin/vsftpd <%= @fname %>
+StandardInput=socket
+StandardError=journal
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
diff --git a/modules/vsftpd/templates/systemd-vsftpd.socket.erb b/modules/vsftpd/templates/systemd-vsftpd.socket.erb
new file mode 100644
index 000000000..ea4cdc52c
--- /dev/null
+++ b/modules/vsftpd/templates/systemd-vsftpd.socket.erb
@@ -0,0 +1,13 @@
+[Unit]
+Description=vsftpd <%= @name %> (socket)
+
+[Socket]
+<% @binds.each do |bind| -%>
+ListenStream=<%= bind %>:21
+<% end -%>
+Accept=true
+FreeBind=true
+MaxConnections=<%= @max_clients %>
+
+[Install]
+WantedBy=sockets.target
-- 
2.20.1
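Review bot: In site_systemd.pp the `service { "vsftpd-${name}.socket": }` resource `require`s both unit files and the daemon-reload even when `$ensure` is `absent`, so Puppet deletes the unit files first and only then tries to stop and disable a socket unit that is no longer on disk. That ordering may leave the enablement symlink under `sockets.target.wants` behind or the stop/disable step failing; it is worth confirming on a test host and, if it does, reversing the dependency for the absent case so the socket is stopped before its files are removed. Separately, the `fail` message is misspelled and uses unbraced interpolation; `fail("Invalid ensure '${ensure}' for ${name}")` reads better. The define also has no header comment, and a short one describing `$root`, `$binds`, `$max_clients` and `$logfile` would help callers.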
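Review bot: In systemd-vsftpd.service.erb, `CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID` leaves out CAP_CHOWN and CAP_NET_BIND_SERVICE, which vsftpd uses for `chown_uploads` and for active-mode data connections originating from port 20. The define exposes `$chown_user` and `$writable`, so if vsftpd.conf.erb (not shown here) turns either feature on, those operations would presumably fail inside this sandbox; either extend the set for such sites or add a comment stating that both features are unsupported under socket activation. If vsftpd tolerates them, `NoNewPrivileges=true` and `PrivateTmp=true` would tighten the unit further. Note also that `ProtectHome=true` hides /home from the service, so a `$root` below /home would appear empty.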
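Review bot: In systemd-vsftpd.socket.erb, `MaxConnections=<%= @max_clients %>` is the only connection limit, so a single remote address can occupy every slot and lock other clients out. vsftpd's own `max_per_ip` is documented as applying only in standalone mode, which this `Accept=true` setup is not, so a per-source cap has to come from systemd: `MaxConnectionsPerSource=<PER_SOURCE_LIMIT>` (placeholder value; it needs a new define parameter and a systemd version that supports the directive). A comment above `FreeBind=true` explaining that it lets the socket bind addresses from `$binds` that are not yet configured on the host would also help the next reader.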