Chrooted SFTP in CentOS
No need to go into depth about this because it's all in the Ansible repo.
I prefer this method over other methods because it uses pam_exec to bootstrap directories with a script, avoiding the need for a large and complex /etc/fstab file with many bind mounts.
As far as I could tell, bind mounting a user's home directory under a new root was necessary. So ChrootDirectory is set to /var/sftp/%u and the user's home directory remains under /home/%u.
That means users who log in have $HOME set to /home/sftpuser and will attempt to cd into it automatically. So I mount their actual home under /var/sftp/sftpuser/home/sftpuser to simulate this path in the chroot.
This was a vast improvement over my previous setup, which of course had a previous VsFTPD server I had to work around.
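
The approach described above, as an added example (this is not the script from the Ansible repo): a pam_exec session hook that creates the root-owned chroot under /var/sftp/<user> and bind-mounts the real home onto the mirrored path inside it. The script path, the sftpusers group, the PAM and sshd_config lines in the comments, and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: pam_exec session hook (hypothetical path /usr/local/sbin/sftp-chroot.sh).
# Assumed wiring, not taken from the original post:
#   /etc/pam.d/sshd:      session required pam_exec.so /usr/local/sbin/sftp-chroot.sh
#   /etc/ssh/sshd_config: Match Group sftpusers      (group name is an assumption)
#                           ChrootDirectory /var/sftp/%u
#                           ForceCommand internal-sftp
SFTP_ROOT="${SFTP_ROOT:-/var/sftp}"   # parent of each per-user chroot
HOME_BASE="${HOME_BASE:-/home}"       # where the real home directories live
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the privileged commands only

# Accept only plain account names so PAM_USER can never alter the path.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Path inside the chroot that mirrors the user's real $HOME.
chroot_home() { printf '%s/%s%s/%s\n' "$SFTP_ROOT" "$1" "$HOME_BASE" "$1"; }

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

bootstrap_chroot() {
    user=$1
    valid_user "$user" || { echo "rejecting user name: $user" >&2; return 1; }
    [ -d "$HOME_BASE/$user" ] || return 0   # no home directory, nothing to mount
    target=$(chroot_home "$user")
    # sshd refuses a ChrootDirectory unless every path component is
    # root-owned and not writable by group or others.
    run install -d -o root -g root -m 0755 "$SFTP_ROOT/$user" "$target"
    # Skip when already mounted (the user has another session open).
    if [ "$DRY_RUN" != 1 ] && mountpoint -q "$target"; then return 0; fi
    run mount --bind "$HOME_BASE/$user" "$target"
}

# pam_exec exports PAM_USER and PAM_TYPE; act only when a session opens.
if [ "${PAM_TYPE:-}" = "open_session" ]; then
    bootstrap_chroot "${PAM_USER:-}"
fi
```
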