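---
# vsftpd chroot policy: only the users named in `vsftpd_allowed_users` are
# confined to their home directory on login. The `reload vsftpd` handler
# referenced below is expected to be defined elsewhere in the role.

- name: disable default chroot for local users
  # With chroot_local_user=NO the chroot list configured below names the
  # users that ARE jailed; with YES the meaning of the list inverts and it
  # names the users that are exempt from the jail.
  lineinfile:
    dest: /etc/vsftpd.conf
    line: 'chroot_local_user=NO'
    # Anchored to the start of the line so that a mention of the option
    # elsewhere in a line (e.g. inside a comment) is not rewritten.
    regexp: '^#? *chroot_local_user=.*'
  become: true
  notify: reload vsftpd

- name: enable chroot for explicitly listed users
  lineinfile:
    dest: /etc/vsftpd.conf
    # Meaning depends on chroot_local_user (set to NO above): here the
    # listed users are the ones placed in a chroot() jail.
    line: 'chroot_list_enable=YES'
    regexp: '^#? *chroot_list_enable=.*'
  become: true
  notify: reload vsftpd

- name: set path to chroot list
  lineinfile:
    dest: /etc/vsftpd.conf
    # vsftpd default: /etc/vsftpd.user_list
    line: 'chroot_list_file=/etc/vsftpd.chroot_list'
    regexp: '^#? *chroot_list_file=.*'
  become: true
  notify: reload vsftpd

- name: restrict write permissions on home of chrooted user
  # The chroot root must not be writable by the jailed user: vsftpd
  # (2.3.5 and later) refuses the login otherwise. Handing the directory
  # to root and stripping group/other write satisfies that check; users
  # need a writable subdirectory for uploads.
  # NOTE(review): `u=rw` also clears the owner's execute bit. Root is not
  # subject to DAC checks, so this is harmless for traversal, but `u=rwx`
  # is the conventional owner mode for a directory -- confirm intent.
  file:
    path: '~{{ item }}'
    owner: root
    mode: u=rw,g-w,o-w
  become: true
  with_items: '{{ vsftpd_allowed_users }}'

- name: create chroot list
  copy:
    # changes in chroot list do not require a reload of the vsftpd service
    dest: /etc/vsftpd.chroot_list
    content: |
      {% for user in vsftpd_allowed_users %}
      {{ user }}
      {% endfor %}
    # Readable by root only, so local users can neither inspect nor alter
    # which accounts are confined.
    mode: u=rw,g=,o=
  become: true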