r/fileserver: Restrict non-administrators to SFTP

Normal users do not need shell access to the file server, and certainly
should not be allowed to e.g. forward ports through it.  Using a `Match`
block, we can apply restrictions to users who do not need administrative
functionality.  In this case, we restrict everyone who is not a member
of the *Server Admins* group in the PYROCUFFLINK AD domain.

roles/fileserver/defaults/main.yml

@@ -1,2 +1,4 @@
 file_shares: []
 samba_use_smbd: true
+
+fileserver_sftp_only_match: 'User !root,*'