An Ansible role for installing and managing proftpd servers. This role is designed to facilitate the installation of ProFTPD for Galaxy servers, and can configure ProFTPD to authenticate users against the Galaxy PostgreSQL database. It can also configure TLS for FTPS (note: NOT SFTP).
This role installs ProFTPD from APT on Debian systems, EPEL on Enterprise Linux systems. Other systems and installation methods are not supported.
Variables required if proftpd_galaxy_auth
is set:
proftpd_sql_db
: Database name to connect to for authentication info. Can include host information, see the ProFTPD SQLConnectInfo documentation for the "connection-info" parameter for details.galaxy_user
: The name of the user running the Galaxy server.galaxy_ftp_upload_dir
: Path to the Galaxy FTP upload directory, should matchftp_upload_dir
in your Galaxy config.proftpd_create_ftp_upload_dir
can be used to allow the role to create this with ownergalaxy_user
- Additionally, you should set
User
andGroup
inproftpd_options
to the user and group names of your Galaxy user.
Configuration
proftpd_options
: Set arbitrary options in the server config context ofproftpd.conf
(they will actually be set in an included config file). This is a list of hashes (dictionaries) where keys are ProFTPD config options and values are the option's value. Block tags such as<IfModule>
are not supported. Options set inproftpd_options
will cause matching options in the baseproftpd.conf
file to be commented out.proftpd_global_options
: Set arbitrary options in the<Global>
context, same format asproftpd_options
. Options set inproftpd_global_options
will NOT cause matching options in the baseproftpd.conf
file to be commented out.
Enabling/disabling optional features
proftpd_galaxy_auth
: Attempt to authenticate users against a Galaxy database.proftpd_conf_ssl_certificate
andproftpd_conf_ssl_certificate_key
: If set, enables TLS autoconfiguration. See FTP over SSL/TLS below.
Display-on-connect message
proftpd_display_connect
: Message to display when users connect to the FTP server. This should be the message, not the path to a file (this role will create the file and set DisplayConnect accordingly.proftpd_display_connect_context
(default:server
): If set toglobal
, place theServerConnect
directive into a<Global>
block. If set toserver
, it is placed in the server context.
FTP over SSL/TLS
These variables control the use of TLS. If unset, TLS will not be enabled. See mod_tls documentation and Example Playbook for usage.
proftpd_deploy_ssl
: Enable/disable copying local SSL keys to the remote hostproftpd_ssl_src_dir
: Where to copy SSL certificates from.proftpd_conf_ssl_certificate
: Path on the remote host where the SSL certificate file should be placed.proftpd_conf_ssl_certificate_key
: Path on the remote host where the SSL private key file should be placed.proftpd_conf_ssl_ca_certificate
: Path on the remote host where the SSL CA certificate chain should be placed. See the TLSCertificateChainFile documentation for the format of this file.sslkeys
: A hash (dictionary) containing private keys. Keys are the filenames (without leading path elements) matchingproftpd_conf_ssl_certificate_key
.proftpd_tls_protocol
(default:TLSv1.1 TLSv1.2
): SetTlSProtocol
.proftpd_tls_cipher_suite
(default:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
): SetTLSCipherSuite
proftpd_tls_context
(default:server
): If set toglobal
, place TLS configuration directives that are valid in the<Global>
context into a<Global>
block. If set toserver
, they are placed in the server context.proftpd_tls_sesscache_path
(default:/run/proftpd/sesscache
): Path to ProFTPD shm TLS session cache.proftpd_tls_sesscache_timeout
(default:300
): TLS session cache timeout (in seconds).proftpd_tls_renegotiate
: (default: unset): TLS renegotation time (in seconds).
Galaxy authentication options
These options are used if proftpd_galaxy_auth
is set.
proftpd_galaxy_options
: Additional options to set in the Galaxy authentication include file. Options set inproftpd_galaxy_options
will cause matching options in the baseproftpd.conf
file to be commented out.proftpd_galaxy_default_options
: Default options set in the Galaxy authentication include file, you should only need to explicitly set this if you need to remove items from the defaults. Matching options set inproftpd_galaxy_options
override the defaults. The defaults can be found indefaults/main.yml
.proftpd_sql_user
(default: the value ofgalaxy_user
): Value of theusername
parameter to SQLConnectInfo.proftpd_sql_password
(default: empty): Value of thepassword
parameter to SQLConnectInfo.galaxy_user_uid
(default: looked up automatically): UID of the user running the Galaxy server.galaxy_user_gid
(default: looked up automatically): GID of the user running the Galaxy server.proftpd_galaxy_modules
: Default list of modules that will be loaded (uncommented in the baseproftpd.conf
) to support Galaxy authentication, you should only need to explicitly set this if you need to change the default list. The defaults can be found indefaults/main.yml
.proftpd_galaxy_auth_context
(default:server
): If set toglobal
, place Galaxy authentication directives into a<Global>
block. If set toserver
, they are placed in the server context.
Virtual servers/hosts
proftpd_virtualhosts
: Defines ProFTPD virtual servers/hosts. If set, this should be a list where each item is a hash (dict) with keysid
(used in the vhost config file name),address
(used in<VirtualHost ADDRESS>
) andoptions
, a list in the same format asproftpd_options
below. Block tags such as<IfModule>
are not supported.
It may be helpful to set Port: 0
in proftpd_options
to disable the server context when using virtual servers.
Although not a requirement, geerlingguy.repo-epel can be used to enable EPEL with Ansible.
Install ProFTPD for Galaxy with TLS:
- name: Install and configure ProFTPD
hosts: ftpservers
remote_user: root
vars:
galaxy_user: galaxy
galaxy_ftp_upload: /srv/galaxy/ftp
proftpd_display_connect: |
example.org FTP server
Unauthorized access is prohibited
proftpd_galaxy_auth: yes
proftpd_options:
- User: galaxy
- Group: galaxy
proftpd_sql_db: galaxy@/var/run/postgresql
proftpd_sql_user: galaxy
sslkeys:
'snakeoil_privatekey.pem': |
-----BEGIN PRIVATE KEY-----
MIIE...
-----END PRIVATE KEY-----
proftpd_conf_ssl_certificate: snakeoil_cert.pem
proftpd_conf_ssl_certificate_key: snakeoil_privatekey.pem
proftpd_ssl_src_dir: files/ssl
roles:
- galaxyprojectdotorg.proftpd
If using virtual servers in conjunction with Galaxy authentication, DefaultRoot's chroot(2)
will fail when used inside of a <VirtualHost>
. In this case, mod_vroot should be used (you may
find that it's already enabled for the server config context anyway). The following variables accomplish this:
proftpd_galaxy_auth_context: global
proftpd_galaxy_modules:
- mod_sql.c
- mod_sql_passwd.c
- mod_sql_postgres.c
- mod_vroot.c
proftpd_galaxy_options:
- VRootEngine: 'on'