diff --git a/roles/sftpuser/meta/main.yml b/roles/sftpuser/meta/main.yml
new file mode 100644
index 0000000..bc03e65
--- /dev/null
+++ b/roles/sftpuser/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: sshd}
diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml
new file mode 100644
index 0000000..06d4625
--- /dev/null
+++ b/roles/sftpuser/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: "create group {{ user }}"
+  group:
+    name: "{{ user }}"
+    system: true
+
+- name: "create user {{ user }}"
+  user:
+    name: "{{ user }}"
+    comment: "Service {{ user }}"
+    createhome: false
+    group: "{{ user }}"
+    home: /var/empty
+    shell: /sbin/nologin
+    system: true
+
+- name: "create authorized_keys for {{ user }}"
+  copy:
+    dest: "/etc/ssh/authorized_keys.{{ user }}"
+    content: "{{ publickeys | join('\n') + '\n'}}"
+    mode: 0640
+    owner: root
+    group: "{{ user }}"
+
+- name: configure sshd chroot
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User {{ user }}
+        ChrootDirectory {{ chroot }}
+        ForceCommand internal-sftp
+        AuthorizedKeysFile /etc/ssh/authorized_keys.{{ user }}
+    validate: "sshd -t -f %s"
+    notify: restart sshd
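Review bot: The blockinfile task at the end of the tasks hunk uses the default marker, so applying this role for a second `user` replaces the first user's `Match` block instead of adding another one; give the marker a per-user value, `marker: "# {mark} ANSIBLE MANAGED BLOCK sftpuser {{ user }}"`. The Match block also leaves forwarding at the global default; for a chrooted sftp-only account it is usual to add `AllowTcpForwarding no` and `X11Forwarding no` next to `ForceCommand internal-sftp`. Nothing in the hunk creates or checks `{{ chroot }}`, and `sshd -t` does not verify it either, so the role should document (or assert before the blockinfile task) that the chroot directory is root-owned and not group/world-writable, which sshd requires before it accepts the login. `mode: 0640` on the copy task should be quoted as `mode: "0640"` so the YAML parser cannot reinterpret the leading-zero literal.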