diff --git a/users-ssh.yml b/users-ssh.yml
index a1dd5a0..564aa05 100644
--- a/users-ssh.yml
+++ b/users-ssh.yml
@@ -1,15 +1,12 @@
-# users-ssh-nopasswd.yml
+---
 - name: Ensure users, SSH keys, and passwordless sudo
 hosts: all
 become: true
- become_user: root
- become_method: sudo
 vars:
 users:
 - name: automation
 shell: /bin/bash
- # optional extra groups besides sudo/wheel
 groups: []
 sudo_nopasswd: true
 keys:
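Review bot: Dropping the `# optional extra groups besides sudo/wheel` comment leaves `groups: []` in the sample `users` entry undocumented, and this entry is the template operators will copy when adding accounts. Keep a one-line comment above it, for example `# extra groups beyond the sudo/wheel group that sudo_nopasswd adds`, so the relationship between `groups` and `sudo_nopasswd` stays visible. Removing `become_user: root` and `become_method: sudo` is harmless since both are the module defaults. The hunk's old/new line counts are one higher than the visible lines, so the `keys:` list appears to be cut off at the end of this hunk.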
@@ -30,33 +27,43 @@ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu" tasks: + - name: Pick sudo group per distro ansible.builtin.set_fact: - sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}" + sudo_group: >- + {{ 'wheel' + if ansible_facts.os_family in + ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] + else 'sudo' }} - name: Ensure user exists (creates home) ansible.builtin.user: name: "{{ item.name }}" - shell: "{{ item.shell | default('/bin/bash') }}" + shell: "{{ item.shell | default(omit) }}" groups: >- {{ ( - (item.groups | default([])) - + ([sudo_group] if item.sudo_nopasswd | default(false) else []) - ) | unique | join(',') if - ((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false)) - else omit }} + (item.groups | default([])) + + ([sudo_group] if item.sudo_nopasswd | default(false) else []) + ) | unique | join(',') + if ( + (item.groups | default([]) | length > 0) + or item.sudo_nopasswd | default(false) + ) + else omit }} append: true create_home: true state: present loop: "{{ users }}" - - name: Install authorized SSH keys + - name: Enforce authorized SSH keys ansible.builtin.authorized_key: - user: "{{ item.0.name }}" - key: "{{ item.1 }}" + user: "{{ item.name }}" + key: "{{ item.keys | join('\n') }}" state: present manage_dir: true - loop: "{{ users | subelements('keys', skip_missing=True) }}" + exclusive: true + loop: "{{ users }}" + when: item.keys is defined - name: Grant passwordless sudo via sudoers.d ansible.builtin.copy: @@ -64,7 +71,9 @@ owner: root group: root mode: '0440' - content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL" + content: | + # Managed by Ansible + {{ item.name }} ALL=(ALL) NOPASSWD:ALL validate: 'visudo -cf %s' when: item.sudo_nopasswd | default(false) - loop: "{{ users }}" + loop: "{{ users }}" \ No newline at end of file
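Review bot: With `exclusive: true` in the rewritten authorized_key task, a user whose `keys` is present but empty (`keys: []`) still passes `when: item.keys is defined` and reaches the module with `key: ""`; if the module accepts an empty key string, the outcome is an authorized_keys file with every existing key removed for that user, which on a remotely administered host is a lockout. Guard on content rather than presence, e.g. `when: item.keys | default([]) | length > 0`, or add an assert task that fails early when a user is listed without keys. Users with no `keys` entry at all are also left unmanaged by this task, which is at odds with the "Enforce" wording, so a comment stating that only users with keys are exclusively managed would help. In the `sudo_group` fact, `Rocky`, `AlmaLinux`, `Fedora` and `OracleLinux` report `os_family` as `RedHat`, so those entries never match; the list can be reduced to `['RedHat', 'Suse']` or the intent noted in a comment. The copy task that begins at the end of this hunk continues in the next one.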
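Review bot: The replaced `loop: "{{ users }}"` line is now the last line of the file without a trailing newline (the `\ No newline at end of file` marker), a regression against the old side that yamllint's `new-line-at-end-of-file` rule will flag; re-add the newline. The `# Managed by Ansible` header inside the `|` block is fine, since sudoers treats `#` as a comment, and the literal block's kept trailing newline is what `visudo -cf` expects. The `dest` line sits above this hunk, so I cannot confirm whether it derives from `item.name`; if it does, a comment noting that sudo ignores `sudoers.d` entries whose file names contain `.` or end in `~` would save the next maintainer a silent no-op.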