ansible-role-sftpd/tasks/main.yml

- docker_container:
    name: '{{ sftpd_container_name }}'
    image: '{{ sftpd_container_image }}'
    env:
      SSH_CLIENT_PUBLIC_KEYS: "{{ sftpd_client_public_keys }}"
    read_only: yes
    mounts:
    - type: volume
      source: '{{ sftpd_container_name }}_host_keys'
      target: /etc/ssh/host_keys
      read_only: no
    - type: volume
      source: '{{ sftpd_data_volume_name }}'
      target: /data
      read_only: yes
    - type: tmpfs
      target: /home/nonroot/.ssh # authorized_keys
      tmpfs_size: 16k
      tmpfs_mode: '1777'
    published_ports: ['0.0.0.0:{{ sftpd_published_port }}:2200']
    cap_drop: [ALL]
    # ChrootDirectory
    capabilities: [SETUID, SETGID, SYS_CHROOT]
    security_opts: [no-new-privileges]
    cpus: 0.8
    memory: 64M
    restart_policy: unless-stopped
    state: started
  register:  _container
- name: wait for host keys
  wait_for:
    path: >-
      {{ (_container.container.Mounts
          | items2dict(key_name='Destination', value_name='Source'))
         ['/etc/ssh/host_keys'] }}/{{ item }}.pub
  loop: [rsa, ed25519]
  register: _host_keys_files
- name: read host keys
  slurp:
    src: '{{ item }}'
  loop: "{{ _host_keys_files.results | map(attribute='path') | list }}"
  register: _host_keys_base64
- name: decode host keys
  set_fact:
    sftpd_host_keys: >-
      {{ _host_keys_base64.results | map(attribute='content')
         | map('b64decode') | map('trim') | list }}