From b6131534f68b8a237a9a8ae281bc7f57ffbf3115 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 24 Jan 2025 12:47:18 +0000
Subject: [PATCH] nginx_logsync: Initial version of role
---
roles/nginx_logsync/tasks/main.yml | 34 ++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 roles/nginx_logsync/tasks/main.yml
diff --git a/roles/nginx_logsync/tasks/main.yml b/roles/nginx_logsync/tasks/main.yml
new file mode 100644
index 0000000..0d7c9ff
--- /dev/null
+++ b/roles/nginx_logsync/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: logsync
+ system: true
+
+- name: Create user
+ ansible.builtin.user:
+ name: logsync
+ comment: Service logsync
+ create_home: false
+ group: logsync
+ home: /var/empty
+ shell: /sbin/nologin
+
+- name: Create authorized_keys
+ ansible.builtin.copy:
+ dest: /etc/ssh/authorized_keys.logsync
+ src: ../files/ssh/logsync.pub
+ mode: "0640"
+ owner: root
+ group: logsync
+
+- name: Configure sshd chroot
+ ansible.builtin.blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User logsync
+ ChrootDirectory /var/www/logs
+ ForceCommand internal-sftp
+ AuthorizedKeysFile /etc/ssh/authorized_keys.logsync
+ marker: "# {mark} ANSIBLE MANAGED BLOCK (user logsync)"
+ validate: "sshd -t -f %s"
+ notify: Restart sshd
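Review bot: The `Match User logsync` block in the "Configure sshd chroot" task pins the session command but leaves forwarding at whatever the global sshd_config allows, because `ForceCommand internal-sftp` and the `/sbin/nologin` shell do not by themselves disable port forwarding or tunnelling for this key. I would add `AllowTcpForwarding no`, `X11Forwarding no` and `PermitTunnel no` inside the block. If the account only ever pulls logs (an assumption from the role name), the forced command could also be `internal-sftp -R` so the session is read-only. Separately, sshd rejects a `ChrootDirectory` whose path components are not root-owned or are writable by group/other, and nothing in this file sets that for `/var/www/logs`; an `ansible.builtin.file` task asserting root ownership and no group/other write ahead of the sshd task would keep the login from failing at runtime.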