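---
# Expires one user account on the target host: locks the account and its
# password, removes the user's authorized_keys file, deletes the matching
# entry from the local password store and drops the user from the sshd
# AllowUsers list. `username` is not set in this file; it is expected to be
# supplied by the caller.

- name: Ensure mandatory variables are configured
  assert:
    that: "{{ item }} is defined"
    fail_msg: "You must define the '{{ item }}' variable"
  with_items:
    - add_users_user_accounts

- name: Include resource variables
  include_vars: "{{ add_users_user_accounts }}"
  tags:
    # Note(d1): we already load in converge.yml so skip here
    - molecule-notest

# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
- name: "Expire an existing user account"
  block:
    # `username` ends up in a file path, a regular expression applied to
    # sshd_config and a command line, so reject values that would make any
    # of those act on something other than one account.
    - name: Ensure the username is usable
      assert:
        that:
          - username is defined
          - username | string | length > 0
          - "'/' not in (username | string)"
        fail_msg: "You must define a non-empty 'username' without '/' characters"

    - name: Show which user account is being handled
      debug:
        msg: "Attempting to expire account for {{ username }}..."

    # A failed lookup is tolerated on purpose: the result only gates the
    # tasks below that need an existing account.
    - name: Check if the user accounts already exists
      getent:
        database: passwd
        key: "{{ username }}"
      register: user_exists
      ignore_errors: true

    # expires: 0 sets the expiry to the epoch, '!' is not a valid password
    # hash, so password logins are locked as well.
    - name: Expire the account and blank the password
      user:
        name: "{{ username }}"
        expires: 0
        password: '!'
      when: user_exists is succeeded

    # Runs even when the account lookup failed, so leftover keys are removed.
    # NOTE(review): assumes the home directory is /home/<username> and that
    # sshd reads keys from the default location; an account with a different
    # home or AuthorizedKeysFile setting keeps its keys - confirm.
    - name: Remove user's .ssh/authorized_keys file
      file:
        path: "/home/{{ username }}/.ssh/authorized_keys"
        state: absent

    # argv passes the store path as one argument, so whitespace or quotes in
    # a variable cannot be split into extra `pass` arguments.
    - name: Remove password store entry
      become: false
      delegate_to: localhost
      command:
        argv:
          - pass
          - rm
          - '-r'
          - "users/{{ username }}/sudo/{{ inventory_hostname }}"
      when: user_exists is succeeded

    # The pattern is anchored to AllowUsers lines and matches the username
    # only as a whole, regex-escaped entry (optionally in USER@HOST form).
    # The previous pattern removed the bare username text anywhere after the
    # first "AllowUsers", which also cut it out of longer names (expiring
    # "ann" turned "joanne" into "joe") and out of later directives.
    # NOTE(review): removing the only entry leaves a bare "AllowUsers" line;
    # consider a `validate:` command (sshd test mode) so a broken config is
    # never written - confirm sshd path and host keys on the targets first.
    - name: "Remove username from the SSH AllowUsers configuration"
      replace:
        backup: true
        dest: /etc/ssh/sshd_config
        regexp: '^(\s*AllowUsers\b.*?)[ \t]+{{ username | regex_escape }}(?:@\S+)?(?=[ \t]|$)'
        replace: '\1'
      notify: Restart SSH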