first working version

molecule/default/converge.yml

@@ -0,0 +1,8 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    add_users_user_accounts: files/members.yml
+    - name: Include resource variables
+      include_vars: "{{ add_users_user_accounts }}"
+

tasks/main.yml

@@ -13,6 +13,43 @@
     - molecule-notest
 
 # Note(d1): Done in this way because https://stackoverflow.com/a/39041069
-- name: Include user addition tasks
+- name: "Expire an existing user account"
-  include: users.yml user={{ item }}
+  block:
-  with_items: "{{ members }}"
+    - name: Show which user account is being handled
+      debug:
+        msg: "Attempting to expire account for {{ username }}..."
+
+    - name: Check if the user accounts already exists
+      getent:
+        database: passwd
+        key: "{{ username }}"
+      register: user_exists
+      ignore_errors: true
+
+
+    - name: Expire the account and blank the password
+      user:
+        name: "{{ username }}"
+        expires: 0
+        password: '!'
+      when: user_exists is succeeded
+
+    - name: Remove user's .ssh/authorized_keys file
+      file:
+        path: "/home/{{ username }}/.ssh/authorized_keys"
+        state: absent
+
+    - name: Remove password store entry
+      become: false
+      delegate_to: localhost
+      command: "pass rm -r users/{{ username }}/sudo/{{ inventory_hostname }}"
+      when: user_exists is succeeded
+
+    - name: "Remove username from the SSH AllowUsers configuration"
+      replace:
+        backup: true
+        dest: /etc/ssh/sshd_config
+        regexp: '{{ username }}' 
+        after: 'AllowUsers'
+        replace: '' 
+      notify: Restart SSH

tasks/users.yml

@@ -1,40 +0,0 @@
----
-- name: "Expire an existing user account"
-  block:
-    - name: Show which user account is being handled
-      debug:
-        msg: "Attempting to expire account for {{ user.username }}..."
-
-    - name: Check if the user accounts already exists
-      getent:
-        database: passwd
-        key: "{{ user.username }}"
-      register: user_exists
-      ignore_errors: true
-
-
-    - name: Expire the account and blank the password
-      user:
-        name: "{{ user.username }}"
-        expires: 0
-        password: '!'
-      when: user_exists is succeeded
-
-    - name: Remove user's .ssh/authorized_keys file
-      file:
-        path: "/home/{{ user.username }}/.ssh/authorized_keys"
-        state: absent
-
-    - name: Remove password store entry
-       become: false
-       delegate_to: localhost
-       command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
-       when: user_exists is succeeded
-
-          #TODO:    - name: "Remove username from the SSH AllowUsers configuration"
-          #      replace:
-          #        backup: true
-          #        dest: /etc/ssh/sshd_config
-          #        regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
-          #        replace: '\1 {{ user.username }}' # this is also in need of change
-          #      notify: Restart SSH