diff --git a/roles/users/files/public_keys/woodpecker b/roles/users/files/public_keys/woodpecker new file mode 100644 index 0000000..4bbf350 --- /dev/null +++ b/roles/users/files/public_keys/woodpecker @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDl+gVOUm8Tiy8rZfYgNs/K5FCcc8euD07ZZjzv0HgDxbvsV8NkXg8L0yktLqJwN0xSfjpX3lratPBak4fC0O5DEnRfnQVoKI1pWAvfE1WQsl5+a5w1rhHseMb7iiTOwxiFTbChflo7TFLC5sH1brYzb4wsyoioBfd0u2EWITnCeg3PnEw71f6xyP0cCexXmWcAjPuNSyoEOSGfip0+rkyaTp+0uQle0QU6NWcxhDhl/sUGyAn1wK681tMeek3rG4ec5nK0i6Z61SBSp4rFLcLpIIfOYxf89J+s25ldfGPrWHxn5RrTmwQHYZtI9mR9EnDa+gZ7PFxtp5rg18gdBhY+9ZEBgVFCSOjJ9rbtVB/eA+8/Hc/8YlI+64yW8PJ8QSWzmd53EA/27pbred2MyqxAuu+w8LbrUAKaHEDmMjw5R+zcDTlOJuuOoaN7ivwi1HPHcur7LBiMUzfmXRPDXt6uqfsjM9bwYQt6VsOldr6ftkdVZomx4YH3jsGRogR42LE= woodpecker ci diff --git a/roles/users/tasks/alpine.yml b/roles/users/tasks/alpine.yml index da0643e..9a3f2d9 100644 --- a/roles/users/tasks/alpine.yml +++ b/roles/users/tasks/alpine.yml @@ -14,3 +14,11 @@ exclude: - /var/lib/ansible/.ansible - /var/lib/ansible/.ash_history + +- name: commit woodpecker's home to lbu + lbu: + include: + - /var/lib/woodpecker + - /var/lib/woodpecker/.ssh/authorized_keys + exclude: + - /var/lib/woodpecker/.ash_history diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 018496e..23fa275 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -4,6 +4,9 @@ - name: setup user 'ansible' include_tasks: ansible.yml +- name: setup user 'woodpecker' + include_tasks: ansible.yml + - name: commit user's home to alpine lbu include_tasks: alpine.yml when: ansible_distribution == "Alpine" diff --git a/roles/users/tasks/woodpecker.yml b/roles/users/tasks/woodpecker.yml new file mode 100644 index 0000000..f2ec5a4 --- /dev/null +++ b/roles/users/tasks/woodpecker.yml 
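Review bot: The committed public key carries no provenance beyond the trailing `woodpecker ci` comment, so nobody reading this file later can tell which CI instance holds the private half or when it was issued, which is what a rotation or revocation decision needs. Because the file is copied verbatim into authorized_keys by the woodpecker.yml task, the comment field is the natural place for that: something like `woodpecker-ci@<ci-host> issued <YYYY-MM> (placeholder)` costs nothing and changes no key material. Alternatively record it in the role's README next to the other public_keys entries.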
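Review bot: The new lbu stanza includes all of `/var/lib/woodpecker` but excludes only `.ash_history`, whereas the adjacent ansible stanza (whose task starts before this hunk) also excludes its `.ansible` state directory; if the Woodpecker agent keeps workspaces, caches or runtime state under its home, every lbu commit would capture that data into the overlay, which is both bulky and a place for pipeline secrets to persist. Listing `/var/lib/woodpecker/.ssh/authorized_keys` separately looks redundant once its parent directory is already included, unless the `lbu` module treats explicit file entries differently — worth a one-line comment either way. If only the SSH trust needs to survive a reboot, narrowing the include to `- /var/lib/woodpecker/.ssh` would be the safer default.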
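Review bot: The new "setup user 'woodpecker'" task includes `ansible.yml` instead of the `woodpecker.yml` file this commit adds, so the ansible user tasks run twice and the woodpecker group, user, home directory and authorized keys are never created. The later alpine lbu task then references a home directory that does not exist. The fix is the one line `include_tasks: woodpecker.yml`.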
@@ -0,0 +1,32 @@
+- name: create group 'woodpecker'
+ group:
+ name: woodpecker
+ gid: 502
+
+- name: create user 'woodpecker'
+ user:
+ name: woodpecker
+ uid: 501
+ group: woodpecker
+ home: /var/lib/woodpecker
+ password: "*" # disabled password but can be accessed with SSH
+ groups:
+ - woodpecker
+
+- name: make sure woodpecker owns its home
+ file:
+ state: directory
+ path: /var/lib/woodpecker
+ owner: woodpecker
+ group: woodpecker
+ mode: '2755'
+
+- name: set woodpecker's authorized keys
+ authorized_key:
+ user: woodpecker
+ key: '{{ item }}'
+ path: /var/lib/woodpecker/.ssh/authorized_keys
+ with_file:
+ - public_keys/yubikey
+ - public_keys/woodpecker
+ register: woodpecker_keys
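Review bot: The authorized_key task grants both the yubikey and the CI key an unrestricted login on the woodpecker account; if the CI side only needs to run a fixed deploy action, the module's `key_options` (for example `restrict` together with a `command=` set to that action) would bound what a leaked CI key can do, and since the loop has no `exclusive` or `state: absent` path, a key dropped from `with_file` later is not removed from the host — that should be noted in a comment or handled explicitly. `mode: '2755'` on the home directory sets the setgid bit without explanation; if it is deliberate, add a comment saying why, otherwise `'0750'` keeps the directory acceptable to sshd's StrictModes while not exposing the home world-readable. `register: woodpecker_keys` is not consumed anywhere in this file as far as the diff shows, and can be dropped if nothing outside the role reads it.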