diff --git a/roles/sftp_conf/README.md b/roles/sftp_conf/README.md
new file mode 100644
index 0000000..192157d
--- /dev/null
+++ b/roles/sftp_conf/README.md
@@ -0,0 +1,2 @@
+# sftp
+disables password auth for ssh, then creates a user for infuse and allows it to use sftp with password anyway
\ No newline at end of file
diff --git a/roles/sftp_conf/files/10-nopassword.conf b/roles/sftp_conf/files/10-nopassword.conf
new file mode 100644
index 0000000..5c936a3
--- /dev/null
+++ b/roles/sftp_conf/files/10-nopassword.conf
@@ -0,0 +1,3 @@
+# disable password auth
+PasswordAuthentication no
+ChallengeResponseAuthentication no
diff --git a/roles/sftp_conf/files/11-sftpaccess.conf b/roles/sftp_conf/files/11-sftpaccess.conf
new file mode 100644
index 0000000..70acd1f
--- /dev/null
+++ b/roles/sftp_conf/files/11-sftpaccess.conf
@@ -0,0 +1,4 @@
+# allow password only for infuse
+Match User infuse
+PasswordAuthentication yes
+ForceCommand internal-sftp
diff --git a/roles/sftp_conf/files/99-dropmatch.conf b/roles/sftp_conf/files/99-dropmatch.conf
new file mode 100644
index 0000000..d08aacb
--- /dev/null
+++ b/roles/sftp_conf/files/99-dropmatch.conf
@@ -0,0 +1,2 @@
+# drop user matches again
+Match all
diff --git a/roles/sftp_conf/tasks/main.yml b/roles/sftp_conf/tasks/main.yml
new file mode 100644
index 0000000..46b3763
--- /dev/null
+++ b/roles/sftp_conf/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Add infuse user
+ become: true
+ ansible.builtin.user:
+ name: infuse
+ uid: 1001
+ shell: /usr/sbin/nologin
+ password: $6$PsOR1shOjC3iPF17$RiSD0NjSHNbnfN.cf5xqeLfzR9M4ySq3fnBPQ6Ng/zznALcMdwLbZ.OBft6gXn2F6qf.HxTvo.i4NxwmVdIQE/
+
+- name: Add sftp-config
+ become: true
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: /etc/ssh/sshd_config.d/{{ item.src }}
+ mode: "0644"
+ loop:
+ - src: 10-nopassword.conf
+ - src: 11-sftpaccess.conf
+ - src: 99-dropmatch.conf
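Review bot: `ChallengeResponseAuthentication no` on the last line of 10-nopassword.conf uses a name that OpenSSH 8.7 turned into a deprecated alias for `KbdInteractiveAuthentication`; the old spelling is still accepted today but is not guaranteed to stay, so add `KbdInteractiveAuthentication no` next to it so both spellings are covered. Note also that sshd takes the first value it reads for each option, so this file disables passwords globally only when it is parsed before any other `PasswordAuthentication yes` — the `10-` prefix wins over later drop-ins (distro-supplied ones typically sort at `50-`), but not over a directive placed in sshd_config itself above the `Include` line, which is worth stating in the header comment.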
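Review bot: `ForceCommand internal-sftp` in the `Match User infuse` block pins the command but does not prevent the same session from requesting TCP, agent or X11 forwarding, so a password-reachable account should also have those switched off inside the block. No `ChrootDirectory` is set either, so the sftp session sees the whole filesystem subject to normal permissions; if confinement is intended, a root-owned chroot path is needed, which this commit does not set up. The lines below add the forwarding restrictions; they sit inside the Match block and therefore apply only to infuse.
```conf
Match User infuse
# … unchanged: PasswordAuthentication yes / ForceCommand internal-sftp …
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
```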
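Review bot: Closing the Match block from a separate `99-` file means any other drop-in that sorts between `11-` and `99-` — including distro-supplied ones such as a `50-` cloud-init file — is parsed inside `Match User infuse`, so its directives become conditional on that user, and sshd rejects those that are not permitted inside a Match block. The scheme only works while this role owns every file in that range. Ending the block in 11-sftpaccess.conf itself (`Match all` as its last line) or naming this file `12-dropmatch.conf` keeps the scope tight; the `Match all` directive itself is correct.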
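Review bot: Nothing in tasks/main.yml reloads sshd after the drop-ins are copied, so the password-auth change and the sftp Match block take effect only on some later unrelated restart; the copy task should `notify` a handler (in roles/sftp_conf/handlers/main.yml, not part of this commit) and an `sshd -t` task should run first, since `validate:` on a single drop-in cannot see the combined configuration. The SHA-512 crypt hash on the `password:` line is committed in clear and is crackable offline; keep it in an Ansible Vault variable (`password: "{{ infuse_password_hash }}"`) rather than inline. The `loop` of single-key dicts can be a plain list used as `{{ item }}`, and `owner`/`group` root are worth stating explicitly for files under /etc/ssh. The rewrite below covers the copy task and the validation step.
```yaml
# … unchanged: Add infuse user task …

- name: Add sftp-config
  become: true
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/ssh/sshd_config.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - 10-nopassword.conf
    - 11-sftpaccess.conf
    - 99-dropmatch.conf
  notify: Restart sshd

- name: Check combined sshd configuration
  become: true
  ansible.builtin.command: sshd -t
  changed_when: false
```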