From 2b28c91c760c50ddb666f1d563ae9c6b2ef8b487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Bed=C5=99ich?=
Date: Tue, 27 Dec 2016 11:13:06 +0100
Subject: [PATCH 1/2] Disable SSH login for SFTP users
---
tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index d0f4cb5..b1235fa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -50,6 +50,7 @@
name: "{{ item.name }}"
groups: "{{ sftp_group_name }}"
home: "{{ sftp_home_partition }}/{{ item.name }}"
+ shell: "/sbin/nologin"
state: present
with_items: "{{ sftp_users }}"
From 09c21f9c02e89ed481443451a58d066ac37640ab Mon Sep 17 00:00:00 2001
From: Tomas Bedrich
Date: Wed, 1 Mar 2017 00:24:18 +0100
Subject: [PATCH 2/2] Change nologin shell to per-user option + optional SSH keys array
---
README.md | 5 +++--
tasks/main.yml | 5 ++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 74eba64..74602ef 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,8 @@ The following role variables are relevant:
* `sftp_users`: A list of users, in map form, containing the following elements:
* `name`: The Unix name of the user that requires SFTP access.
* `password`: A password hash for the user to login with. Blank passwords can be set with `password: ""`. NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally.
- * `authorized`: A list of files placed in `files/` which contain valid public keys for the SFTP user.
+ * `shell`: Boolean indicating if the user should have a shell access (default to `True`).
+ * `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user.
## Example Playbook
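Review bot: The added `shell: "/sbin/nologin"` disables interactive login but does not by itself confine the account to SFTP, and it can break SFTP for these users if sshd runs the subsystem through the login shell — OpenSSH executes an external `sftp-server` binary via the user's shell, whereas `internal-sftp` runs in-process. The hunk does not show how this role writes `sshd_config`, so confirm the SFTP group is matched with `ForceCommand internal-sftp` (or `Subsystem sftp internal-sftp`) before relying on this. The path is also distro-specific (Debian/Ubuntu ship `/usr/sbin/nologin`); a role default such as `shell: "{{ sftp_nologin_shell | default('/sbin/nologin') }}"` avoids pointing accounts at a shell that does not exist on the host. The `user` task this line belongs to begins before the hunk.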
@@ -44,7 +45,7 @@ The following role variables are relevant:
- sftp_users:
- name: peter
password: "$1$salty$li5TXAa2G6oxHTDkqx3Dz/" # passpass
- authorized: []
+ shell: False
- name: sally
password: ""
authorized: [sally.pub]
diff --git a/tasks/main.yml b/tasks/main.yml
index b1235fa..d990b86 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -50,7 +50,8 @@
name: "{{ item.name }}"
groups: "{{ sftp_group_name }}"
home: "{{ sftp_home_partition }}/{{ item.name }}"
- shell: "/sbin/nologin"
+ # `None` means default value -> default is to have a shell
+ shell: "{{ None if (item.shell | default(True)) else '/sbin/nologin' }}"
state: present
with_items: "{{ sftp_users }}"
@@ -71,6 +72,8 @@
with_subelements:
- "{{ sftp_users }}"
- authorized
+ - flags:
+ skip_missing: True
# Update user passwords, if they were specified.
- name: SFTP-Server | Update user passwords
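Review bot: The `None` in the new `shell:` expression does not leave the module argument unset, which is what the comment above it claims: Ansible's templater renders a `None` result inside a quoted string as an empty string (or, on some versions, the literal text `None`), so every user without `shell: False` is handed that value as their shell rather than keeping the system default. The documented way to drop an argument conditionally is the `omit` placeholder: `shell: "{{ omit if (item.shell | default(True)) else '/sbin/nologin' }}"`. Separately, for an SFTP-only role the safer default is no shell — the previous patch in this series made `/sbin/nologin` unconditional and this one flips the default back to shell access — so consider `default(False)` with a matching README line, or at minimum spell out that trade-off in the comment. The `user` task this line belongs to begins before the hunk.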
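Review bot: `skip_missing: True` only tolerates entries that have no `authorized` key at all; an entry with a bare `authorized:` (null) still makes `with_subelements` fail with its "should point to a list" error, so the README's "optional" should say the key must be omitted or be a list (`authorized: []` is fine). As a consequence of making the key optional, if the key-installation task — whose head is above the hunk — does not set `exclusive: yes`, removing a user's `authorized` entry skips the task and leaves previously installed keys authorized; that is worth a sentence in the README. Style: prefer the canonical YAML boolean, `skip_missing: true`.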