Update to 2022-03-04 18:00

2025-10-30 18:31:28 +01:00 · 2022-03-04 18:00:06 +01:00
parent f8eb615f1a
commit 6918bfc1ce
17 changed files with 190 additions and 22 deletions
--- a/roles/sftpgo/tasks/conf.yml
+++ b/roles/sftpgo/tasks/conf.yml
@@ -1,10 +1,81 @@
 ---

+# When you configure Let's Encrypt certificate, sftpgo can't directly read the cert and key from /var/lib/dehydrated
+# so a deploy_cert hook will copy them under {{ sftpgo_root_dir }}/etc/ssl
+# But we still need to know the Let's Encrypt cert to use so the deploy hook will know which one to copy
+# We do so by configuring certificate_file: letsencrypt:foo.example.org in SFTPGo configuration
+- name: Handle Let's Encrypt cert
+  set_fact:
+    sftpgo_conf: "{{ sftpgo_conf | combine({ item: {'certificate_file': sftpgo_root_dir ~ '/etc/ssl/' ~ item ~ '.crt', 'certificate_key_file': sftpgo_root_dir ~ '/etc/ssl/' ~ item ~ '.key'}}, recursive=True) }}"
+  loop:
+    - ftpd
+    - webdavd
+    - httpd
+    - telemetry
+  when:
+    - sftpgo_conf[item].certificate_file is defined
+    - sftpgo_conf[item].certificate_file is search('^letsencrypt:')
+  tags: sftpgo
+
 - name: Deploy sftpgo config
  template: src=sftpgo.yml.j2 dest={{ sftpgo_root_dir }}/etc/sftpgo.yml group={{ sftpgo_user }} mode=640
  notify: restart sftpgo
  tags: sftpgo

+- name: Generate self-signed certificate for ftpd
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.crt"
+    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.key"
+    cert_group: "{{ sftpgo_user }}"
+    cert_mode: 640
+  tags: sftpgo
+
+- name: Generate self-signed certificate for webdavd
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.crt"
+    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.key"
+    cert_group: "{{ sftpgo_user }}"
+    cert_mode: 640
+  tags: sftpgo
+
+- name: Generate self-signed certificate for httpd
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.crt"
+    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.key"
+    cert_group: "{{ sftpgo_user }}"
+    cert_mode: 640
+  tags: sftpgo
+
+- name: Generate self-signed certificate for telemetry
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.crt"
+    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.key"
+    cert_group: "{{ sftpgo_user }}"
+    cert_mode: 640
+  tags: sftpgo
+
+- name: Set permissions on certificates
+  file: path={{ sftpgo_root_dir }}/etc/ssl/{{ item }}.crt owner=root group={{ sftpgo_user }} mode=644
+  loop:
+    - ftpd
+    - webdavd
+    - httpd
+    - telemetry
+  tags: sftpgo
+
+- name: Set permissions on private keys
+  file: path={{ sftpgo_root_dir }}/etc/ssl/{{ item }}.key owner=root group={{ sftpgo_user }} mode=640
+  loop:
+    - ftpd
+    - webdavd
+    - httpd
+    - telemetry
+  tags: sftpgo
+
 - name: Init or upgrade the database
  command: "{{ sftpgo_root_dir }}/app/sftpgo --config-file {{ sftpgo_root_dir }}/etc/sftpgo.yml initprovider"
  become_user: "{{ sftpgo_user }}"
--- a/roles/sftpgo/tasks/directories.yml
+++ b/roles/sftpgo/tasks/directories.yml
@@ -16,6 +16,9 @@
    - dir: etc
      owner: "{{ sftpgo_user }}"
      mode: 700
+    - dir: etc/ssl
+      owner: "{{ sftpgo_user }}"
+      mode: 700
    - dir: bin
    - dir: data
      owner: "{{ sftpgo_user }}"
--- a/roles/sftpgo/tasks/install.yml
+++ b/roles/sftpgo/tasks/install.yml
@@ -62,6 +62,7 @@
    - db_server: "{{ sftpgo_db_server }}"
    - db_port: "{{ sftpgo_db_port }}"
    - db_pass: "{{ sftpgo_db_pass }}"
+  when: sftpgo_db_engine == 'mysql'
  tags: sftpgo

 - name: Install backups hooks
@@ -70,3 +71,11 @@
    - pre
    - post
  tags: sftpgo
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/sftpgo mode=755
+  tags: sftpgo
+
+- name: Install SFTPGo hooks
+  copy: src=hooks/ dest={{ sftpgo_root_dir }}/bin/ mode=755
+  tags: sftpgo
--- a/roles/sftpgo/tasks/iptables.yml
+++ b/roles/sftpgo/tasks/iptables.yml
@@ -3,19 +3,22 @@
 - name:  Handle sftpgo ports in the firewall
  iptables_raw:
    name: "{{ item.name }}"
-    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    state: "{{ (item.src_ip | length > 0 and (item.port is not string or item.port != '0')) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state NEW -p tcp {{ item.port is string | ternary('--dport ' ~ item.port, '-m multiport --dports ' ~ item.port | join(',')) }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
  with_items:
    - port: "{{ sftpgo_conf.sftpd.bindings.port }}"
      name: sftpgo_sftp_port
-      src_ip: "{{ sftpgo_sftp_src_ip }}"
+      src_ip: "{{ sftpgo_sftpd_src_ip }}"
    - port: "{{ [sftpgo_conf.ftpd.bindings.port,sftpgo_conf.ftpd.passive_port_range.start ~ ':' ~ sftpgo_conf.ftpd.passive_port_range.end] }}"
      name: sftpgo_ftp_port
-      src_ip: "{{ sftpgo_ftp_src_ip }}"
+      src_ip: "{{ sftpgo_ftpd_src_ip }}"
    - port: "{{ sftpgo_conf.webdavd.bindings.port }}"
      name: sftpgo_webdav_port
-      src_ip: "{{ sftpgo_webdav_src_ip }}"
+      src_ip: "{{ sftpgo_webdavd_src_ip }}"
    - port: "{{ sftpgo_conf.httpd.bindings.port }}"
      name: sftpgo_http_port
-      src_ip: "{{ sftpgo_http_src_ip }}"
+      src_ip: "{{ sftpgo_httpd_src_ip }}"
+    - port: "{{ sftpgo_conf.telemetry.bind_port }}"
+      name: sftpgo_metrics_port
+      src_ip: "{{ sftpgo_telemetry_src_ip }}"
  tags: firewall,sftpgo