diff --git a/initial_install/roles/users/tasks/main.yml b/initial_install/roles/users/tasks/main.yml
new file mode 100644
index 0000000..5df013d
--- /dev/null
+++ b/initial_install/roles/users/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Define users
+ ansible.builtin.set_fact:
+ users:
+ - name: automation
+ shell: /bin/bash
+ sudo_nopasswd: true
+ ssh_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@internet-master.cz"
+
+ - name: hellsos
+ shell: /bin/bash
+ sudo_nopasswd: true
+ ssh_keys:
+ - "ssh-ed25519 AAAAC3..."
+
+ - name: jim
+ shell: /bin/bash
+ sudo_nopasswd: true
+ ssh_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
+
+- name: Pick sudo group per distro
+ ansible.builtin.set_fact:
+ sudo_group: >-
+ {{ 'wheel'
+ if ansible_facts.os_family in
+ ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+ else 'sudo' }}
+
+- name: Ensure users exist
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ shell: "{{ item.shell }}"
+ groups: "{{ sudo_group }}"
+ append: true
+ create_home: true
+ loop: "{{ users }}"
+
+- name: Install authorized SSH keys
+ ansible.builtin.authorized_key:
+ user: "{{ item.name }}"
+ key: "{{ item.ssh_keys | join('\n') }}"
+ exclusive: true
+ loop: "{{ users }}"
+
+- name: Configure passwordless sudo
+ ansible.builtin.copy:
+ dest: "/etc/sudoers.d/{{ item.name }}"
+ mode: '0440'
+ content: "{{ item.name }} ALL=(ALL:ALL) NOPASSWD:ALL\n"
+ validate: 'visudo -cf %s'
+ loop: "{{ users }}"
+ when: item.sudo_nopasswd
\ No newline at end of file
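Review bot: The `when: item.sudo_nopasswd` gate on the "Configure passwordless sudo" task only ever creates `/etc/sudoers.d/{{ item.name }}`; nothing removes the drop-in once a user's `sudo_nopasswd` is flipped to false, and the "Ensure users exist" task adds every user to `{{ sudo_group }}` regardless of the flag, so the flag grants privilege but can never revoke it. A companion removal task (below) plus gating the group with `groups: "{{ sudo_group if item.sudo_nopasswd else omit }}"` makes the flag authoritative in both directions; the list of `os_family` values is not affected by this. Separately, the `hellsos` entry carries the truncated placeholder `"ssh-ed25519 AAAAC3..."` — with `exclusive: true` it is likely written as that account's only authorized key, leaving an account with NOPASSWD sudo and no usable login, so either supply the real key or drop the entry before this role runs.

```yaml
- name: Revoke passwordless sudo where disabled
  ansible.builtin.file:
    path: "/etc/sudoers.d/{{ item.name }}"
    state: absent
  loop: "{{ users }}"
  when: not (item.sudo_nopasswd | bool)
```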