udate..

roles/common/tasks/sshd.yml

@@ -20,7 +20,7 @@
     owner: root
     group: root
     mode: 0644
-    validate: 'sshd -f %s -T'
+    validate: 'sshd -f %s -T -C user=sftp_users'
     #backup: yes
   notify: "Restart ssh"
   tags:

roles/common/tasks/users.yml

@@ -95,6 +95,38 @@
   tags:
     - authorized_key
 
+# ---
+# - extra system user
+# ---
+
+- name: (users.yml) extra system user exists?
+  user:
+    name: '{{ item.name }}'
+    state: present
+    system: yes
+    home: '{{ item.home }}'
+    shell: '{{ item.shell|d("/usr/sbin/nologin") }}'
+  loop: "{{ extra_system_user }}"
+  loop_control:
+    label: '{{ item.name }}'
+  when: extra_system_user is defined and extra_system_user|length > 0
+  tags:
+    - user-exists
+
+# ---
+# - extra system groups
+# ---
+
+- name: (users.yml) Extra system group sftp_users
+  group:
+    name: 'sftp_users'
+    state: present
+    system: yes
+  when: 
+    - create_sftp_group is defined and create_sftp_group > 0
+  tags:
+    - groups-exists
+
 
 # ---
 # - Take care backup host has rsa key to connect via ssh to the other hosts

roles/common/templates/etc/ssh/sshd_config.j2

@@ -343,7 +343,16 @@ PrintLastLog yes
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
+{% if ( create_sftp_group is defined) and create_sftp_group %}
 
+#-----------------------------
+# Match Blocks
+#-----------------------------
 
+Match group sftp_users
+  X11Forwarding no
+  AllowTcpForwarding no
+  ChrootDirectory %h
+  ForceCommand internal-sftp
 
-
+{% endif -%}