Add systemd backed vsftpd service
authorBastian Blank <waldi@debian.org>
Fri, 31 Mar 2017 13:38:32 +0000 (15:38 +0200)
committerBastian Blank <waldi@debian.org>
Fri, 31 Mar 2017 13:48:09 +0000 (15:48 +0200)
modules/vsftpd/manifests/site_systemd.pp [new file with mode: 0644]
modules/vsftpd/templates/systemd-vsftpd.service.erb [new file with mode: 0644]
modules/vsftpd/templates/systemd-vsftpd.socket.erb [new file with mode: 0644]

diff --git a/modules/vsftpd/manifests/site_systemd.pp b/modules/vsftpd/manifests/site_systemd.pp
new file mode 100644 (file)
index 0000000..ced51d4
--- /dev/null
@@ -0,0 +1,93 @@
+define vsftpd::site_systemd (
+       $root,
+       $binds=['[::]'],
+       $chown_user='',
+       $writable=false,
+       $writable_other=false,
+       $banner="${name} FTP Server",
+       $max_clients=100,
+       $logfile="/var/log/ftp/vsftpd-${name}.debian.org.log",
+       $ensure=present,
+) {
+       include vsftpd
+
+       case $ensure {
+               present,absent: {}
+               default: { fail ( "Invald ensure `$ensure' for $name" ) }
+       }
+
+       $ensure_service = $ensure ? {
+               present => running,
+               absent  => stopped,
+       }
+
+       $ensure_enable = $ensure ? {
+               present => true,
+               absent  => false,
+       }
+
+       $fname = "/etc/vsftpd-${name}.conf"
+
+       file { $fname:
+               ensure  => $ensure,
+               content => template('vsftpd/vsftpd.conf.erb'),
+               owner   => 'root',
+               group   => 'root',
+               mode    => '0444',
+       }
+
+       file { "/etc/logrotate.d/vsftpd-${name}":
+               ensure => absent
+       }
+
+       file { "/etc/systemd/system/vsftpd-${name}@.service":
+               ensure  => $ensure,
+               content => template('vsftpd/systemd-vsftpd.service.erb'),
+               owner   => 'root',
+               group   => 'root',
+               mode    => '0444',
+               require => File[$fname],
+               notify  => Exec['systemctl daemon-reload'],
+       }
+
+       file { "/etc/systemd/system/vsftpd-${name}.socket":
+               ensure  => $ensure,
+               content => template('vsftpd/systemd-vsftpd.socket.erb'),
+               owner   => 'root',
+               group   => 'root',
+               mode    => '0444',
+               notify  => [
+                       Exec['systemctl daemon-reload'],
+                       Service["vsftpd-${name}.socket"],
+               ],
+       }
+
+       service { "vsftpd-${name}.socket":
+               ensure   => $ensure_service,
+               enable   => $ensure_enable,
+               require  => [
+                       Exec['systemctl daemon-reload'],
+                       File["/etc/systemd/system/vsftpd-${name}@.service"],
+                       File["/etc/systemd/system/vsftpd-${name}.socket"],
+               ],
+               provider => systemd,
+       }
+
+       xinetd::service { [ "vsftpd-${name}", "vsftpd-${name}6", "vsftpd-${name}-v6" ]:
+               ensure  => absent,
+               id      => 'unused',
+               server  => 'unused',
+               service => 'unused',
+               ferm    => false,
+               before  => Service["vsftpd-${name}.socket"],
+       }
+
+       munin::check { "vsftpd-${name}":
+               ensure => $ensure,
+               script => 'vsftpd'
+       }
+       munin::conf { "vsftpd-${name}":
+               ensure  => $ensure,
+               content => template('vsftpd/munin.erb')
+       }
+}
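Review bot: The `file { "/etc/logrotate.d/vsftpd-${name}": ensure => absent }` resource removes the per-site logrotate snippet unconditionally, while the define still takes a `$logfile` parameter defaulting to a path under `/var/log/ftp`. Nothing in this hunk shows what rotates that file afterwards, and `vsftpd/vsftpd.conf.erb` is not part of the diff, so whether it still writes to `$logfile` is an assumption. If rotation is handled elsewhere, a comment above the resource such as `# obsolete per-site snippet; $logfile is rotated by <rotation mechanism>` would record that; otherwise the transfer log grows without bound and its retention is undefined. Separately, the `fail` message spells `Invalid` as `Invald`.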
diff --git a/modules/vsftpd/templates/systemd-vsftpd.service.erb b/modules/vsftpd/templates/systemd-vsftpd.service.erb
new file mode 100644 (file)
index 0000000..16060e2
--- /dev/null
@@ -0,0 +1,11 @@
+[Unit]
+Description=vsftpd <%= @name %>
+
+[Service]
+ExecStart=-/usr/sbin/vsftpd <%= @fname %>
+StandardInput=socket
+StandardError=journal
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
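Review bot: `CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID` may be narrower than the features the define exposes require. vsftpd's privileged process keeps CAP_CHOWN when `chown_uploads` is enabled and CAP_NET_BIND_SERVICE when `connect_from_port_20` is enabled; `site_systemd.pp` accepts `$chown_user`, so if `vsftpd.conf.erb` (not in this diff) turns either option on, those operations would presumably fail under this bounding set. Either add the extra capabilities conditionally in the template, e.g. `CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_CHOWN` when `@chown_user` is non-empty, or add a comment stating that both options are unsupported with the systemd variant. `NoNewPrivileges=true` and `PrivateTmp=true` would fit alongside the existing hardening lines, after checking them against a test login.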
diff --git a/modules/vsftpd/templates/systemd-vsftpd.socket.erb b/modules/vsftpd/templates/systemd-vsftpd.socket.erb
new file mode 100644 (file)
index 0000000..ea4cdc5
--- /dev/null
@@ -0,0 +1,13 @@
+[Unit]
+Description=vsftpd <%= @name %> (socket)
+
+[Socket]
+<% @binds.each do |bind| -%>
+ListenStream=<%= bind %>:21
+<% end -%>
+Accept=true
+FreeBind=true
+MaxConnections=<%= @max_clients %>
+
+[Install]
+WantedBy=sockets.target
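Review bot: `MaxConnections=<%= @max_clients %>` caps the total number of sessions, but nothing limits connections per client address, so a single source can occupy every `$max_clients` slot. vsftpd's own `max_per_ip` is applied only in standalone (listen) mode, which `Accept=true` with `StandardInput=socket` does not use. Where the deployed systemd supports it (v232 or later), a line such as `MaxConnectionsPerSource=<per-source limit>` in `[Socket]` restores that control; the value would need a new parameter on the define. A comment that IPv6 entries in `$binds` must be bracketed, as in the default `[::]`, would also help, since `ListenStream=<%= bind %>:21` appends the port directly.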