
restrict access to explicitly listed users

Fabian Peter Hammerle 8 yıl önce
ebeveyn
işleme
7388dc42c6
3 değiştirilmiş dosya ile 35 ekleme ve 1 silme
  1. 1 0
      defaults/main.yml
  2. 2 1
      tasks/main.yml
  3. 32 0
      tasks/userlist.yml

+ 1 - 0
defaults/main.yml

@@ -0,0 +1 @@
+vsftpd_allowed_users: []
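Review bot: The new default carries no comment saying that an empty list is fail-closed. tasks/userlist.yml in this commit sets `userlist_enable=YES` and `userlist_deny=NO`, so with `[]` no local user can log in until the variable is populated. That is the safe default, but it changes behaviour for hosts that already apply the role. I would document it on the variable, e.g. `# Local users permitted to log in; an empty list denies every local user.`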

+ 2 - 1
tasks/main.yml

@@ -10,10 +10,11 @@
     regexp: '#? *anonymous_enable=.*'
   become: yes
   notify: reload vsftpd
-- name: enable access for local users
+- name: grant access to local users
   lineinfile:
     dest: /etc/vsftpd.conf
     line: 'local_enable=YES'
     regexp: '#? *local_enable=.*'
   become: yes
   notify: reload vsftpd
+- include: userlist.yml
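Review bot: The added `- include: userlist.yml` uses the bare `include` action, which later Ansible releases deprecated in favour of the explicit forms; `- import_tasks: userlist.yml` (or `include_tasks` if dynamic inclusion is wanted) states the intent. The include is also unconditional, so every host applying the role gets the allow-list restriction; if that should be opt-in, a `when:` condition on this line is the place for it. The hunk opens inside a task whose first lines are outside the hunk.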

+ 32 - 0
tasks/userlist.yml

@@ -0,0 +1,32 @@
+- name: activate userlist
+  lineinfile:
+    dest: /etc/vsftpd.conf
+    line: 'userlist_enable=YES'
+    regexp: '#? *userlist_enable=.*'
+  become: yes
+  notify: reload vsftpd
+- name: restrict access to explicitly listed users
+  lineinfile:
+    dest: /etc/vsftpd.conf
+    # option only examined if userlist_enable is activated
+    line: 'userlist_deny=NO'
+    regexp: '#? *userlist_deny=.*'
+  become: yes
+  notify: reload vsftpd
+- name: set path to userlist
+  lineinfile:
+    dest: /etc/vsftpd.conf
+    # vsftpd default: /etc/vsftpd.user_list
+    line: 'userlist_file=/etc/vsftpd.user_list'
+    regexp: '#? *userlist_file=.*'
+  become: yes
+  notify: reload vsftpd
+- name: create userlist
+  copy:
+    dest: /etc/vsftpd.user_list
+    content: |
+      {% for user in vsftpd_allowed_users %}
+      {{user}}
+      {% endfor %}
+    mode: u=rw,g=,o=
+  become: yes
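Review bot: `vsftpd_allowed_users` is rendered into the allow-list in the `create userlist` task without any type check. If a caller passes a plain string instead of a list, the Jinja `for` loop iterates over its characters and the file lists single-letter account names instead of the intended user. Because this file decides who may log in, I would fail early with an `assert` task ahead of the `copy`, as sketched below. Separately, the three `regexp` patterns are unanchored and can match the option name anywhere in a line; anchoring them, e.g. `regexp: '^#? *userlist_enable=.*'`, limits the edit to the actual setting line.

```yaml
# … unchanged: userlist_enable / userlist_deny / userlist_file tasks …
- name: validate vsftpd_allowed_users
  assert:
    that:
      - vsftpd_allowed_users is sequence
      - vsftpd_allowed_users is not string
      - vsftpd_allowed_users is not mapping
    msg: 'vsftpd_allowed_users must be a list of user names'
- name: create userlist
# … unchanged: copy task body …
```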