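---
# Provisions a dedicated "backup" account and its storage directory. On hosts
# in the "sftpbackup" inventory group it also installs the account's public
# key and an sshd Match block that confines the account to chrooted SFTP.

- name: Create backup group
  ansible.builtin.group:
    name: backup
    gid: 306

- name: Create backup user
  ansible.builtin.user:
    name: backup
    comment: Backup Service
    create_home: false
    group: backup
    home: /var/empty
    # NOTE(review): the account keeps a login shell. internal-sftp runs inside
    # sshd and does not need one, and hosts outside "sftpbackup" get no Match
    # block at all. Confirm nothing else relies on /bin/sh before changing it
    # to a nologin shell.
    shell: /bin/sh
    uid: 306

# sshd refuses to chroot into a path unless every component is owned by root
# and not writable by group or others, so this directory stays root-owned and
# 0750. The backup user can therefore read it but not write at the top level.
# NOTE(review): no writable upload subdirectory is created in this file;
# confirm one is provisioned elsewhere.
- name: Create backup directory
  ansible.builtin.file:
    path: /export/backup
    state: directory
    mode: "0750"
    owner: root
    group: backup

- name: Link backup directory
  ansible.builtin.file:
    dest: /srv/backup
    src: /export/backup
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    # Apply ownership to the link itself, not to the directory it points at.
    follow: false

# The key file lives outside the account's home, is owned by root and is only
# group-readable, so the backup user can read it but cannot add or replace
# keys.
- name: Create authorized_keys
  ansible.builtin.copy:
    dest: /etc/ssh/authorized_keys.backup
    src: ../files/ssh/backup.pub
    mode: "0640"
    owner: root
    group: backup
  when: "'sftpbackup' in group_names"

# ForceCommand only replaces the session command. Forwarding requests are
# handled separately by sshd, so they are switched off explicitly here to keep
# the chrooted account from being used as a relay.
# NOTE(review): where the installed OpenSSH supports it, also consider
# disabling stream-local (Unix socket) forwarding for this account.
#
# blockinfile appends at end of file by default, and a Match block runs until
# the next Match line or EOF: any directive appended after this block by other
# tooling would apply to the backup user only.
- name: Configure sshd chroot
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    block: |
      Match User backup
        ChrootDirectory /srv/backup
        ForceCommand internal-sftp
        AuthorizedKeysFile /etc/ssh/authorized_keys.backup
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
    marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)"
    # Syntax-check the candidate file so a broken config is never installed.
    validate: "sshd -t -f %s"
  when: "'sftpbackup' in group_names"
  notify: Restart sshd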