ansible-roles/roles/ssh/tasks/cleanup.yml


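---
# Remove entries under /etc/ssh/authorized_keys/ that do not belong to a user
# managed through `ssh_users`.
#
# Expects:
#   ssh_users - list of dicts with at least a `name` key. Entries that carry a
#               `keys_file` attribute are left out of the "managed" set, exactly
#               as in the original condition (presumably their keys live
#               elsewhere — confirm against the rest of the role).
#
# Registers:
#   existing_ssh_keys - result of `find`; the entries are in
#                       `existing_ssh_keys.files` (each with a `path`), not in
#                       `stdout_lines` as with the former `ls` pipeline.
#
# Uses the `find` module instead of parsing `ls` output: no shell, no
# whitespace/quoting issues in names, and a missing directory yields an empty
# `files` list instead of a swallowed failure (the former `failed_when: False`
# also hid unrelated errors such as permission problems, which would have
# silently skipped the cleanup).
- name: List all authorized keys entries
  ansible.builtin.find:
    paths: /etc/ssh/authorized_keys
    file_type: any    # per-user entries may be files or directories
    recurse: false    # one level only, like `ls -1`
    hidden: false     # `ls -1` did not list dot-entries either
  register: existing_ssh_keys
  tags: ssh

# Delete every entry whose basename is not a managed user name. Keys of users
# dropped from `ssh_users` therefore stop working on the next run.
- name: Remove unmanaged ssh keys
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ existing_ssh_keys.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  # `map` yields a generator; `| list` makes the membership test explicit.
  when: >-
    (item.path | basename) not in
    (ssh_users | rejectattr('keys_file', 'defined') | map(attribute='name') | list)
  tags: ssh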