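---
# Provisions an SFTP-only service account: a system group and user with no
# login shell, a root-owned authorized_keys file kept outside any home
# directory, and an sshd Match block that chroots the account and forces the
# in-process SFTP server.
#
# Variables read by these tasks:
#   user       - account and group name
#   publickeys - list of public key lines, joined one per line
#   chroot     - directory handed to ChrootDirectory

- name: "create group {{ user }}"
  group:
    name: "{{ user }}"
    system: true

- name: "create user {{ user }}"
  user:
    name: "{{ user }}"
    comment: "Service {{ user }}"
    createhome: false
    group: "{{ user }}"
    # No usable home and no login shell: the account exists only for SFTP.
    home: /var/empty
    shell: /sbin/nologin
    system: true

- name: "create authorized_keys for {{ user }}"
  copy:
    dest: "/etc/ssh/authorized_keys.{{ user }}"
    content: "{{ publickeys | join('\n') + '\n'}}"
    # Quoted so the mode stays an octal string whatever the YAML parser's
    # integer rules are. root owns the file and the account's group can only
    # read it, so the account cannot alter its own keys.
    mode: "0640"
    owner: root
    group: "{{ user }}"

- name: configure sshd chroot
  blockinfile:
    path: /etc/ssh/sshd_config
    # ForceCommand replaces any requested command but does not by itself
    # disable forwarding, so TCP and X11 forwarding are switched off
    # explicitly for this account.
    # NOTE(review): sshd refuses the session unless every component of the
    # ChrootDirectory path is root-owned and not group/other writable; these
    # tasks do not create or check {{ chroot }} - confirm it is managed
    # elsewhere.
    # NOTE(review): a Match block runs until the next Match line or end of
    # file, so global directives added below this block later would apply
    # only to this user.
    block: |
      Match User {{ user }}
        ChrootDirectory {{ chroot }}
        ForceCommand internal-sftp
        AuthorizedKeysFile /etc/ssh/authorized_keys.{{ user }}
        AllowTcpForwarding no
        X11Forwarding no
    # Per-user marker, so each account gets its own managed block.
    marker: "# {mark} ANSIBLE MANAGED BLOCK (user {{ user }})"
    # Syntax-check the candidate file before it replaces the live config.
    validate: "sshd -t -f %s"
  notify: restart sshd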