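---
# Provision a key-only, chrooted SFTP service account named {{ user }}.
# Expected vars from the caller: user, publickeys (list of key lines), chroot.
# Relies on a "Restart sshd" handler defined elsewhere in the play or role.

- name: "Create group {{ user }}"
  ansible.builtin.group:
    name: "{{ user }}"
    system: true

- name: "Create user {{ user }}"
  ansible.builtin.user:
    name: "{{ user }}"
    comment: "Service {{ user }}"
    # No home directory is created; /var/empty plus nologin leaves the
    # account usable only through the sshd ForceCommand configured below.
    create_home: false
    group: "{{ user }}"
    home: /var/empty
    shell: /sbin/nologin
    system: true

- name: "Create authorized_keys for {{ user }}"
  ansible.builtin.copy:
    dest: "/etc/ssh/authorized_keys.{{ user }}"
    # YAML double quotes turn each \n into a real newline inside the Jinja
    # expression, so keys are written one per line with a trailing newline.
    content: "{{ publickeys | join('\n') + '\n'}}"
    # Quoted: YAML 1.1 parsers read a bare 0640 as int 416 and yamllint
    # flags it; the string form is unambiguous. root:{{ user }} 0640 lets
    # sshd read the file while the account itself cannot add keys to it.
    mode: "0640"
    owner: root
    group: "{{ user }}"

- name: Configure sshd chroot
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    # Appended at EOF (blockinfile default), which is where a Match block
    # belongs: every directive after it applies only to that match.
    # sshd requires {{ chroot }} and all of its parent directories to be
    # root-owned and not group/world writable; `sshd -t` does not check
    # this, so a bad chroot fails only at login time.
    block: |
      Match User {{ user }}
      ChrootDirectory {{ chroot }}
      ForceCommand internal-sftp
      AuthorizedKeysFile /etc/ssh/authorized_keys.{{ user }}
    marker: "# {mark} ANSIBLE MANAGED BLOCK (user {{ user }})"
    # Syntax-check the rewritten config before it replaces the live file.
    validate: "sshd -t -f %s"
  notify: Restart sshd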