I am not a lawyer, and I am not licensed to practice law in your jurisdiction. This post contains my personal layman’s interpretation of the laws based on my own experience and knowledge. I am not going to warrant that this information is correct enough to create a legal obligatoin; if you need that assurance level, pay someone to give you advice (aka the job description of a lawyer).
Correct - in my view, 90% of GDPR compliance is writing things down: such as your procedures of what to do when receiving such a request.
You can keep around minimal records to prevent them from ban-evading / creating new accounts, as that is an overriding legitimate interest [over their right to privacy].
Posts are not inherently personal data, and must be considered on a case-by-case basis. Tell the requester that either they must identify specific posts with personal information to be removed or pay you to do the search. (Or live with the idea that there might be trace identifiers on the forum, which were going to exist anyways.)
Once the posts have been identified, edit them to remove the personal information and purge the revisions.
Those are not public records and have an overriding legitimate interest of keeping a complete and accurate log of moderator activity & posts that other people, who have not requested anonymization, made. The user ID references on flags will be stripped of their name. Post excerpts are not necessarily subject to deletion (see above; posts are licensed CC-BY-SA with the amendment that the author has requested that attribution be removed).
IPs get deleted when you anonymize a user.
You can’t erase memories. The fact that the official warning is no longer tied in the database to the natural person’s chosen alias is enough.
You can keep minimal records about the person that requested deletion to ensure you don’t collect more records in the future about them.
In this case, I would recommend placing their IP address on a list of “If you ever see an account get created from this IP, delete their account immediately as requested.”
I see that you d the post I made about this: