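---
# Provisions an SFTP-only, chrooted service account "logsync" that
# authenticates with a root-managed public key.

- name: Create group
  ansible.builtin.group:
    name: logsync
    system: true

# No home directory is created and the login shell is /sbin/nologin.
- name: Create user
  ansible.builtin.user:
    name: logsync
    comment: Service logsync
    create_home: false
    group: logsync
    home: /var/empty
    shell: /sbin/nologin

# The key file lives outside any user-writable location: root owns it and
# the logsync group may only read it, so the account cannot add or replace
# its own keys.
- name: Create authorized_keys
  ansible.builtin.copy:
    dest: /etc/ssh/authorized_keys.logsync
    src: ../files/ssh/logsync.pub
    mode: "0640"
    owner: root
    group: logsync

# NOTE(review): sshd refuses the session unless the ChrootDirectory and
# every parent directory are root-owned and not group/world-writable.
# Nothing in this task list creates or checks /var/www/logs; confirm that
# is handled elsewhere.
# NOTE(review): no insertafter/insertbefore is given, so blockinfile adds
# the block at end of file. A Match section runs until the next Match or
# EOF, so global directives appended below it later would silently become
# scoped to logsync only.
- name: Configure sshd chroot
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    # ForceCommand internal-sftp does not by itself turn off TCP, X11 or
    # agent forwarding, so they are disabled explicitly to keep the account
    # limited to SFTP inside the chroot.
    block: |
      Match User logsync
        ChrootDirectory /var/www/logs
        ForceCommand internal-sftp
        AuthorizedKeysFile /etc/ssh/authorized_keys.logsync
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
    marker: "# {mark} ANSIBLE MANAGED BLOCK (user logsync)"
    # Syntax-check the candidate file before it replaces the live config.
    validate: "sshd -t -f %s"
  notify: Restart sshd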