diff --git a/defaults/main.yml b/defaults/main.yml
index 2595b94..dd1b14d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -16,9 +16,11 @@ mosquitto_password_auth_enabled: False
 mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
 # mosquitto_password_auth_users: (defaults to not set)
 # - admin:
-# password: mysecret
+# password: mysecret
+# state: present
 # - user1:
-# password: very_secure
+# password: very_secure
+# state: absent
 
 mosquitto_acl_enabled: False
 mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
diff --git a/tasks/config.yml b/tasks/config.yml
index 6624f8f..4cb4b53 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -15,7 +15,19 @@
 become_user: root
 when: not __mosquitto_passwd.stat.exists
 
+# TODO: ugly workaround, move this to a custom module
 - name: Add users to password file
- shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.value.password }}"
+ shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}"
 with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
 notify: __mosquitto_restart
+ become: True
+ become_user: root
+ when: item.value.state == "present"
+
+- name: Remove unnecessary users from password file
+ shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }}"
+ with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
+ notify: __mosquitto_restart
+ become: True
+ become_user: root
+ when: item.value.state == "absent"
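Review bot: The commented example in defaults/main.yml still writes each user as a sequence item (`- admin:`), while tasks/config.yml iterates the variable with `with_dict` and reads `item.key` and `item.value.password`, which needs a mapping keyed by user name. Indentation is not visible on this page, so this is inferred from the `- ` markers; if it holds, the example should drop the dashes, e.g. `#   admin:` followed by `#     password: mysecret` and `#     state: present`. The example should also say whether `state` is mandatory, and a line such as `# keep real passwords in Ansible Vault, not in plain-text vars` would point users away from committing the secret next to the role.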
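Review bot: The new "Remove unnecessary users from password file" task in tasks/config.yml calls `mosquitto_passwd -b` with a file and a user name but no password; `-b` is the batch add/update mode, and deleting an entry is done with `-D`, so as written the task will most likely exit with a usage error instead of removing the user. Both tasks also interpolate the user name and password into a `shell:` string unquoted, so a value containing spaces or shell metacharacters is split or interpreted by the shell running as root. Because the loop item carries the password, it is printed in the play output for both tasks unless `no_log` is set. `item.value.state` has no default, so an entry without `state` makes both `when:` tests fail on an undefined variable.

```yaml
- name: Add users to password file
  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file | quote }} {{ item.key | quote }} {{ item.value.password | quote }}"
  # … unchanged: with_dict, notify, become, become_user …
  no_log: True
  when: (item.value.state | default('present')) == "present"

- name: Remove unnecessary users from password file
  shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file | quote }} {{ item.key | quote }}"
  # … unchanged: with_dict, notify, become, become_user …
  no_log: True
  when: (item.value.state | default('present')) == "absent"
```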