diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..5613d29
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Ensure group "admins" exists
+# include_tasks: create_groups.yml
+ ansible.builtin.group:
+ name: admins
+ state: present
+ tags: groups
+
+- name: Grant sudo without PW to admins group
+ ansible.builtin.file:
+ src: roles/users/files/sudo_group_admins
+ path: /etc/sudoers.d/admins
+ owner: root
+ group: root
+ mode: '0440'
+
+- name: Ensure user "rulrich" exists
+ ansible.builtin.user:
+ name: rulrich
+ shell: /bin/bash
+ groups: admins
+ append: yes
+ ssh_public_key: "'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEecPevXnWu9Rs7QhDFAdeKl/E6cBPwUno+nEd4qoUAK rulrich@rabbit'\n"
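Review bot: The sudoers task uses `ansible.builtin.file` with `src`, but that module only reads `src` for `state: link` or `state: hard` and never copies content, so `/etc/sudoers.d/admins` is not installed from the role file. Because this drop-in grants passwordless sudo, it should be installed with `ansible.builtin.copy` and checked with `validate: /usr/sbin/visudo -cf %s`, so a malformed file cannot land and break sudo on the host. In the last task, `ssh_public_key` is not a parameter of `ansible.builtin.user` (its `ssh_key_*` options generate a key pair for the account), so the task will most likely fail on an unsupported parameter. The login key belongs in a separate authorized-key task, for example `ansible.posix.authorized_key` if that collection is available. The key value also carries literal inner single quotes and a trailing `\n` that would become part of the key line, and `append: yes` is better written as `append: true`.

```yaml
- name: Grant sudo without PW to admins group
  ansible.builtin.copy:
    src: sudo_group_admins
    dest: /etc/sudoers.d/admins
    # … unchanged: owner, group, mode …
    validate: /usr/sbin/visudo -cf %s

- name: Ensure user "rulrich" exists
  ansible.builtin.user:
    # … unchanged: name, shell, groups …
    append: true

- name: Install SSH public key for "rulrich"
  ansible.posix.authorized_key:
    user: rulrich
    state: present
    key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEecPevXnWu9Rs7QhDFAdeKl/E6cBPwUno+nEd4qoUAK rulrich@rabbit'
```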