diff --git a/ansible/host_vars/infrahost/firewall.yml.example b/ansible/host_vars/infrahost/firewall.yml.example
new file mode 100644
index 0000000..d371b70
--- /dev/null
+++ b/ansible/host_vars/infrahost/firewall.yml.example
@@ -0,0 +1 @@
+firewall:
diff --git a/ansible/host_vars/infrahost/users.yml.example b/ansible/host_vars/infrahost/users.yml.example
new file mode 100644
index 0000000..cd28be2
--- /dev/null
+++ b/ansible/host_vars/infrahost/users.yml.example
@@ -0,0 +1,5 @@
+---
+
+users:
+  auth:
+  matrix:
diff --git a/ansible/roles/auth-server/tasks/keycloak.yml b/ansible/roles/auth-server/tasks/keycloak.yml
index 20cc722..8541d78 100644
--- a/ansible/roles/auth-server/tasks/keycloak.yml
+++ b/ansible/roles/auth-server/tasks/keycloak.yml
@@ -3,7 +3,7 @@
 - name: Check parameters
   ansible.builtin.assert:
     that:
-      - keycloak.podman.user is defined
+      - keycloak.podman_user is defined
       - keycloak.db.password is defined
 
 - name: Create PostgreSQL database
@@ -21,9 +21,7 @@
   ansible.builtin.include_role:
     name: container-user
   vars:
-    user: "{{ keycloak.podman.user }}"
-    home: "{{ keycloak.podman.home | default(omit) }}"
-    uid: "{{ keycloak.podman.uid | default(omit) }}"
+    user: "{{ keycloak.podman_user }}"
 
 - name: Create data directories
   ansible.builtin.file:
@@ -39,7 +37,7 @@
     dest: ~/.config/containers/systemd/sso-keycloak.container
     mode: "644"
   become: true
-  become_user: "{{ keycloak.podman.user }}"
+  become_user: "{{ keycloak.podman_user }}"
 
 - name: Set up podman secrets
   containers.podman.podman_secret:
@@ -60,7 +58,7 @@
   no_log: true
 
   become: true
-  become_user: "{{ keycloak.podman.user }}"
+  become_user: "{{ keycloak.podman_user }}"
 
 # Note: enabled in the unit file
 - name: Start Keycloak
@@ -70,7 +68,7 @@
     daemon_reload: true
     state: started
   become: true
-  become_user: "{{ keycloak.podman.user }}"
+  become_user: "{{ keycloak.podman_user }}"
 
 - name: Set up reverse proxy
   ansible.builtin.include_tasks: tasks/create_vhost.yml
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 9440094..28622b1 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -11,3 +11,13 @@
 - name: Setup firewall
   ansible.builtin.include_tasks: firewall.yml
   when: firewall is defined
+
+- name: Provision users
+  ansible.builtin.include_role:
+    name: user
+  vars:
+    user: "{{ user_item.key }}"  # noqa:var-naming[no-role-prefix]
+  loop_control:
+    loop_var: user_item
+  with_items:
+    - "{{ users | dict2items }}"
diff --git a/ansible/roles/container-user/tasks/main.yml b/ansible/roles/container-user/tasks/main.yml
index a9207a3..cd59e24 100644
--- a/ansible/roles/container-user/tasks/main.yml
+++ b/ansible/roles/container-user/tasks/main.yml
@@ -10,19 +10,8 @@
     name: container-host
 
 - name: Create user
-  ansible.builtin.user:
-    name: "{{ user }}"
-    home: "{{ home | default(omit) }}"
-    uid: "{{ uid | default(omit) }}"
-    state: present
-
-- name: Add public keys for user '{{ user }}'
-  ansible.posix.authorized_key:
-    user: "{{ user }}"
-    key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
-    state: present  # Note: we don't remove other/existing keys
-  with_items: "{{ global_ssh_keys + (ssh_keys[user] | default([])) + (ssh_keys['*'] | default([])) }}"
-
+  ansible.builtin.include_role:
+    name: user
 
 - name: Create unit files dir
   ansible.builtin.file:
diff --git a/ansible/roles/user/tasks/main.yml b/ansible/roles/user/tasks/main.yml
new file mode 100644
index 0000000..177a611
--- /dev/null
+++ b/ansible/roles/user/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Check if required parameters are set
+  ansible.builtin.assert:
+    that:
+      - user is defined
+
+- name: Create user
+  ansible.builtin.user:
+    name: "{{ user }}"
+    home: "{{ users[user].home | default(omit) }}"
+    uid: "{{ users[user].uid | default(omit) }}"
+    state: present
+
+- name: Add public keys for user '{{ user }}'
+  ansible.posix.authorized_key:
+    user: "{{ user }}"
+    key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
+    state: present  # Note: we don't remove other/existing keys
+  with_items: >-
+    {{ global_ssh_keys +
+        (ssh_keys[user] | default([])) +
+        (ssh_keys['*'] | default([])) }}