---
# Off-boards one account: expires it, locks its password, deletes its
# authorized_keys file under /home and removes its password-store entry.
# Every task reads `user.username`; `user` is supplied by the caller and is
# not defined in this file.
- name: Expire an existing user account
  block:
    - name: Show which user account is being handled
      debug:
        msg: 'Attempting to expire account for {{ user.username }}...'

    # Look the account up in the passwd database and keep the result.
    # ignore_errors lets the play continue when the lookup fails; the guarded
    # tasks below test `user_exists is succeeded`.
    # NOTE(review): any failure of this lookup, not only "no such account",
    # makes the guarded tasks skip - confirm that is acceptable.
    - name: Check if the user accounts already exists
      register: user_exists
      ignore_errors: true
      getent:
        key: '{{ user.username }}'
        database: passwd

    # expires: 0 is epoch 0, an expiry date in the past. password '!' is not
    # a valid hash, so no password can match it.
    # NOTE(review): neither setting ends sessions or processes the account
    # already has running - confirm whether that is handled elsewhere.
    - name: Expire the account and blank the password
      when: user_exists is succeeded
      user:
        name: '{{ user.username }}'
        password: "!"
        expires: 0

    # No `when` here: the file is removed whether or not the lookup succeeded.
    # The path is built from a fixed /home prefix.
    # NOTE(review): a home directory outside /home, or an sshd
    # AuthorizedKeysFile setting pointing elsewhere, would leave keys in
    # place - confirm against the target hosts' configuration.
    - name: "Remove user's .ssh/authorized_keys file"
      file:
        state: absent
        path: '/home/{{ user.username }}/.ssh/authorized_keys'

    # Runs on the control node (delegate_to: localhost) without privilege
    # escalation. The command module executes the program directly, not
    # through a shell.
    # NOTE(review): `item` is not defined anywhere in this block, which
    # otherwise uses `user`. Confirm that a surrounding loop provides it, or
    # whether a different variable was meant.
    - name: Remove password store entry
      when: user_exists is succeeded
      delegate_to: localhost
      become: false
      command: >-
        pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}

    # TODO: remove the username from the sshd AllowUsers list. The task below
    # stays commented out: its regexp was copied from autonomic.add-users and
    # is not correct here, and the replace expression also needs changing.
    # NOTE(review): until this exists the username presumably stays listed in
    # AllowUsers; only the expiry and the locked password block logins.
    # - name: "Remove username from the SSH AllowUsers configuration"
    #   replace:
    #     backup: true
    #     dest: /etc/ssh/sshd_config
    #     regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$'  # copied from autonomic.add-users, not correct
    #     replace: '\1 {{ user.username }}'  # this is also in need of change
    #   notify: Restart SSH