diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 673595d..8c36234 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -9,6 +9,12 @@ hdd_mount_point: /opt/{{ hdd_name }}
 ssd_name: pi-ssd
 ssd_mount_point: /opt/{{ ssd_name }}
 
-ssh_keys:
-  - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
-  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
+users:
+  - name: ubuntu
+    comment: System Administration
+    password: $6$YitakVLuUxjnPfDd$aFnEDcc98y6MlRYxLPAhb.eHsKqSIz385i4VrHW1Q8b986IqUhtu62gaOIALzM4FAU3dnWaHNUTGxY0zgA6jC0
+    groups:
+      - sudo
+    ssh_keys:
+      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
diff --git a/provision.sh b/provision.sh
index 9801e78..7ad4caf 100755
--- a/provision.sh
+++ b/provision.sh
@@ -1,14 +1,15 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 set -e
 
 usage() {
   printf '%s\n' "Usage:"
   printf '$ %s\n' "$0 [-h|--help]"
-  printf '$ %s\n' "$0 os"
-  printf '$ %s\n' "$0 docker"
-  printf '$ %s\n' "$0 reboot [-f|--force]"
-  printf '$ %s\n' "$0 services [SINGLE_SERVICE]"
+  printf '$ %s\n' "$0 [--dry] os"
+  printf '$ %s\n' "$0 [--dry] docker"
+  printf '$ %s\n' "$0 [--dry] users [-i|--init]"
+  printf '$ %s\n' "$0 [--dry] reboot [-f|--force]"
+  printf '$ %s\n' "$0 [--dry] services [-d|--down] [SINGLE_SERVICE]"
 }
 
 install_modules() {
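Review bot: The new `password:` entry under `users` commits a crypt(3) SHA-512 hash to group_vars/all/vars.yml in clear text, for an account that the same entry places in `sudo`; anyone with read access to the repository can crack it offline at leisure, and the hash is now in git history regardless of what happens to this file. provision.sh already passes `--ask-vault-pass`, so the hash belongs in the vault — either an inline `!vault` scalar here or `password: "{{ vault_ubuntu_password }}"` with the hash in a vaulted vars file — and the password itself should be rotated since it has been committed. It would also help to record what the password is for, e.g. `# crypt(3) hash applied by roles/os_config/tasks/users.yml on every run (update_password: always); intended for sudo/console, not SSH` — whether sshd actually refuses password logins is not visible in this diff, so that part should be confirmed against ssh.yml before being written down. If the hash stays in plain YAML for now, quoting it (`password: '$6$...'`) keeps it a string even if a later edit moves it next to Jinja.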
@@ -18,28 +19,57 @@ install_modules() {
 }
 
 cd "$(dirname "$0")" || exit 255
-BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass --ask-become-pass"
+if [ "$1" = "--dry" ]; then
+  EXEC="echo"
+  shift
+else
+  EXEC="eval"
+fi
 
-case $1 in
+BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass --ask-become-pass"
+TAG="$1"
+shift
+
+case $TAG in
   "")
     install_modules; $BASE_CMD ;;
   os|docker)
-    install_modules; $BASE_CMD --tags "$1" ;;
+    install_modules; $BASE_CMD --tags "$TAG" ;;
+  users)
+    install_modules
+
+    if [ "$1" = "-i" ] || [ "$1" = "--init" ]; then
+      $EXEC "$BASE_CMD --user root --tags '$TAG'"
+    else
+      $EXEC "$BASE_CMD --tags '$TAG'"
+    fi
+    ;;
   reboot)
     install_modules
-    if [ "$2" = "-f" ] || [ "$2" = "--force" ]; then
-      $BASE_CMD --tags "$1" --extra-vars "force_reboot=true"
+
+    if [ "$1" = "-f" ] || [ "$1" = "--force" ]; then
+      $EXEC "$BASE_CMD --tags '$TAG' --extra-vars 'force_reboot=true'"
     else
-      $BASE_CMD --tags "$1" --extra-vars "reboot=true"
+      $EXEC "$BASE_CMD --tags '$TAG' --extra-vars 'reboot=true'"
     fi
     ;;
   services)
     install_modules
-    if [ -z "$2" ]; then
-      $BASE_CMD --tags "$1"
-    else
-      $BASE_CMD --tags "$1" --extra-vars "single_service=$2"
+
+    if [ "$1" = "-d" ] || [ "$1" = "--down" ]; then
+      DOWN=1
+      shift
     fi
+
+    if [ -z "$DOWN" ] && [ -n "$1" ]; then
+      VARS="single_service=$1"
+    elif [ -n "$DOWN" ] && [ -z "$1" ]; then
+      VARS="stop=true"
+    elif [ -n "$DOWN" ] && [ -n "$1" ]; then
+      VARS='{"stop": true, "single_service": "'$1'"}'
+    fi
+
+    $EXEC "$BASE_CMD --tags '$TAG' $(test -z "$VARS" || echo "--extra-vars '$VARS'")"
     ;;
   -h|--help)
     usage ;;
diff --git a/roles/os_config/tasks/main.yml b/roles/os_config/tasks/main.yml
index d2b82d7..43d76a0 100644
--- a/roles/os_config/tasks/main.yml
+++ b/roles/os_config/tasks/main.yml
@@ -1,5 +1,10 @@
 # vim: ft=yaml.ansible
 ---
+- name: Configure user accounts
+  ansible.builtin.import_tasks: users.yml
+  tags:
+    - users
+
 - name: Configure system base
   ansible.builtin.import_tasks: base.yml
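Review bot: The unconditional `shift` right after `TAG="$1"` breaks the no-argument invocation: with `$#` = 0, `shift` fails — dash aborts outright because it is a special builtin, bash returns status 1 which `set -e` turns into an exit — so the `"")` branch that runs the whole playbook can no longer be reached. The `"")` and `os|docker` branches also still invoke `$BASE_CMD` directly instead of via `$EXEC`, so `./provision.sh --dry os` parses and discards the flag and then runs the playbook for real. A smaller point in the `services` branch: `VARS='{"stop": true, "single_service": "'$1'"}'` is later expanded through `eval`, so a service name containing a quote, `$` or backtick is executed as shell rather than handed to Ansible — tolerable for an operator-only script, but it deserves a comment or a reject such as `case "$1" in *[\'\"\$\`]*) usage; exit 2 ;; esac` before it is used. The rewritten lines below guard the shift and route the two direct calls through `$EXEC`.

```sh
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass --ask-become-pass"
TAG="$1"
# No-argument run: shift on an empty $# is fatal in dash and exits under set -e in bash.
if [ $# -gt 0 ]; then shift; fi

case $TAG in
  "")
    install_modules; $EXEC "$BASE_CMD" ;;
  os|docker)
    install_modules; $EXEC "$BASE_CMD --tags '$TAG'" ;;
  # … unchanged: users, reboot, services and -h|--help branches …
```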
diff --git a/roles/os_config/tasks/ssh.yml b/roles/os_config/tasks/ssh.yml
index 0e08b33..236d04a 100644
--- a/roles/os_config/tasks/ssh.yml
+++ b/roles/os_config/tasks/ssh.yml
@@ -1,11 +1,5 @@
 # vim: ft=yaml.ansible
 ---
-- name: Add public SSH key to default user
-  ansible.posix.authorized_key:
-    user: "{{ ansible_user }}"
-    key: "{{ ssh_keys | join('\n') }}"
-    exclusive: true
-
 - name: Allow SSH login with public keys
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
diff --git a/roles/os_config/tasks/users.yml b/roles/os_config/tasks/users.yml
new file mode 100644
index 0000000..d6eb208
--- /dev/null
+++ b/roles/os_config/tasks/users.yml
@@ -0,0 +1,18 @@
+# vim: ft=yaml.ansible
+---
+- name: Add users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    comment: "{{ item.comment }}"
+    password: "{{ item.password }}"
+    groups: "{{ item.groups }}"
+    shell: /bin/bash
+    update_password: always
+  loop: "{{ users }}"
+
+- name: Add ssh authorized_keys
+  ansible.posix.authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.ssh_keys | join('\n') }}"
+    exclusive: true
+  loop: "{{ users }}"
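Review bot: `groups: "{{ item.groups }}"` in the Add users task is used without `append: true`, and the module default (`append: false`) makes the supplementary-group list exactly the one given in vars — for the pre-existing `ubuntu` account this silently removes every other group it was in (presumably including `docker`, if the docker tag adds it; that role is not in this diff), every time the `users` tag runs. If the intent is "ensure membership" rather than "own the group list", add `append: true` under `groups:`. Separately, looping over `users` prints each whole item in the task output, which includes the crypt hash from `password:`; adding `loop_control:` with `  label: "{{ item.name }}"` to both tasks keeps the hash (and the long key blobs) out of logs. Note also that `update_password: always` makes the hash in group_vars the source of truth on every run, so a password changed by hand on the host is reverted — worth a one-line comment above the task, e.g. `# Re-applies the committed hash on every run; change the password in vars/vault, not on the host.`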