diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml
index e87400a..9a28a8f 100644
--- a/roles/backup_base/tasks/main.yml
+++ b/roles/backup_base/tasks/main.yml
@@ -30,3 +30,25 @@
 owner: root
 group: "{{ ansible_wheel }}"
 follow: false
+
+- name: Create authorized_keys
+ ansible.builtin.copy:
+ dest: /etc/ssh/authorized_keys.backup
+ src: ../files/ssh/backup.pub
+ mode: "0640"
+ owner: root
+ group: backup
+ when: "'sftpbackup' in group_names"
+
+- name: Configure sshd chroot
+ ansible.builtin.blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User backup
+ ChrootDirectory /srv/backup
+ ForceCommand internal-sftp
+ AuthorizedKeysFile /etc/ssh/authorized_keys.backup
+ marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)"
+ validate: "sshd -t -f %s"
+ when: "'sftpbackup' in group_names"
+ notify: Restart sshd
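Review bot: The `Match User backup` block in the "Configure sshd chroot" task forces internal-sftp inside a chroot but leaves the connection's other channels at their global defaults, so a holder of backup.pub can still request TCP forwarding, agent forwarding, X11 or tunnel channels through this account; the block should also carry `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no` (rewritten below). Because blockinfile appends at end of file, any later edit to sshd_config that lands after the managed block is scoped under this Match section instead of applying globally, which is worth a comment on the task such as `# Match blocks must stay last in sshd_config; keep all global settings above this block`. Whitespace is collapsed in this hunk, so it cannot be confirmed that `when` and `notify` sit at task level rather than among the module arguments, where blockinfile would reject them as unknown parameters. `src: ../files/ssh/backup.pub` resolves but the role-relative form `src: ssh/backup.pub` is the conventional files/ lookup.
```yaml
    block: |
      Match User backup
        # … unchanged: ChrootDirectory, ForceCommand, AuthorizedKeysFile …
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
    # … unchanged: marker, validate, when, notify …
```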