diff --git a/deploy.yml b/deploy.yml
index eef58ea..6c3d4fc 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -4,6 +4,7 @@ become_method: doas roles: - basic + - users - sshd post_tasks: - name: lbu commit
diff --git a/roles/basic/tasks/main.yml b/roles/basic/tasks/main.yml
index 2dd327c..78a68b9 100644
--- a/roles/basic/tasks/main.yml
+++ b/roles/basic/tasks/main.yml
@@ -1,59 +1,3 @@ - name: install python3 apk: name: python3 - -- name: create group 'rilla' - group: - name: rilla - gid: 1000 - -- name: create user 'rilla' - user: - name: rilla - uid: 1000 - group: rilla - home: /home/rilla - groups: - - rilla - - wheel - -- name: commit ansible's home to lbu - lbu: - include: - - /home/rilla - exclude: - - /home/rilla/.ash_history - when: ansible_distribution == "Alpine" - -- name: create group 'ansible' - group: - name: ansible - gid: 501 - -- name: create user 'ansible' - user: - name: ansible - uid: 501 - group: ansible - home: /var/lib/ansible - password: "*" # disabled password but can be accessed with SSH - groups: - - ansible - - wheel - -- name: make sure ansible owns its home - file: - state: directory - path: /var/lib/ansible - owner: ansible - group: ansible - mode: '2755' - -- name: commit ansible's home to lbu - lbu: - include: - - /var/lib/ansible - exclude: - - /var/lib/ansible/.ansible - - /var/lib/ansible/.ash_history - when: ansible_distribution == "Alpine"
diff --git a/roles/sshd/tasks/alpine.yml b/roles/sshd/tasks/alpine.yml
index 9568518..2305ea8 100644
--- a/roles/sshd/tasks/alpine.yml
+++ b/roles/sshd/tasks/alpine.yml
@@ -1,15 +1,3 @@ -- name: commit rilla's authorized ssh keys - lbu: - include: - - /home/rilla/.ssh/authorized_keys - when: rilla_keys.changed - -- name: commit ansible's authorized ssh keys - lbu: - include: - - /var/lib/ansible/.ssh/authorized_keys - when: ansible_keys.changed - - name: install openssh apk: name: openssh
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 075ca81..57eb65c 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,22 +1,3 @@ -- name: set rilla's authorized key - authorized_key: - user: rilla - key: '{{ item }}' - path: /home/rilla/.ssh/authorized_keys - with_file: - - public_keys/yubikey - register: rilla_keys - -- name: set ansible's authorized keys - authorized_key: - user: ansible - key: '{{ item }}' - path: /var/lib/ansible/.ssh/authorized_keys - with_file: - - public_keys/yubikey - - public_keys/ansible - register: ansible_keys - - name: set sshd config template: src: sshd_config.j2
diff --git a/roles/sshd/files/public_keys/ansible b/roles/users/files/public_keys/ansible
similarity index 100%
rename from roles/sshd/files/public_keys/ansible
rename to roles/users/files/public_keys/ansible
diff --git a/roles/sshd/files/public_keys/yubikey b/roles/users/files/public_keys/yubikey
similarity index 100%
rename from roles/sshd/files/public_keys/yubikey
rename to roles/users/files/public_keys/yubikey
diff --git a/roles/basic/meta/main.yml b/roles/users/meta/main.yml
similarity index 100%
rename from roles/basic/meta/main.yml
rename to roles/users/meta/main.yml
diff --git a/roles/users/tasks/alpine.yml b/roles/users/tasks/alpine.yml
new file mode 100644
index 0000000..da0643e
--- /dev/null
+++ b/roles/users/tasks/alpine.yml
@@ -0,0 +1,16 @@ +- name: commit ansible's home to lbu + lbu: + include: + - /home/rilla + - /home/rilla/.ssh/authorized_keys + exclude: + - /home/rilla/.ash_history + +- name: commit ansible's home to lbu + lbu: + include: + - /var/lib/ansible + - /var/lib/ansible/.ssh/authorized_keys + exclude: + - /var/lib/ansible/.ansible + - /var/lib/ansible/.ash_history
diff --git a/roles/users/tasks/ansible.yml b/roles/users/tasks/ansible.yml
new file mode 100644
index 0000000..e4ad76d
--- /dev/null
+++ b/roles/users/tasks/ansible.yml
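Review bot: Both tasks in the new roles/users/tasks/alpine.yml carry the same name, `commit ansible's home to lbu`, although the first one handles /home/rilla; rename it `- name: commit rilla's home to lbu` so play output tells the two commits apart. The `/home/rilla/.ssh/authorized_keys` and `/var/lib/ansible/.ssh/authorized_keys` entries sit under directories that are already in the same `include` list, so if the lbu module behaves like `lbu include` and records a directory with its contents, those two entries are redundant and can go. The old per-task guards (`when: rilla_keys.changed`, `when: ansible_keys.changed`) are not carried over, so with this file both home directories are committed to the overlay on every Alpine run with only `.ash_history` and `.ansible` excluded, and anything else that ends up in those homes is committed with them; if that is intended, a one-line comment above the tasks saying so would save the next reader from re-adding the conditions.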
@@ -0,0 +1,33 @@ +- name: create group 'ansible' + group: + name: ansible + gid: 501 + +- name: create user 'ansible' + user: + name: ansible + uid: 501 + group: ansible + home: /var/lib/ansible + password: "*" # disabled password but can be accessed with SSH + groups: + - ansible + - wheel + +- name: make sure ansible owns its home + file: + state: directory + path: /var/lib/ansible + owner: ansible + group: ansible + mode: '2755' + +- name: set ansible's authorized keys + authorized_key: + user: ansible + key: '{{ item }}' + path: /var/lib/ansible/.ssh/authorized_keys + with_file: + - public_keys/yubikey + - public_keys/ansible + register: ansible_keys
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..018496e
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,9 @@ +- name: setup user 'rilla' + include_tasks: rilla.yml + +- name: setup user 'ansible' + include_tasks: ansible.yml + +- name: commit user's home to alpine lbu + include_tasks: alpine.yml + when: ansible_distribution == "Alpine"
diff --git a/roles/users/tasks/rilla.yml b/roles/users/tasks/rilla.yml
new file mode 100644
index 0000000..af05c8c
--- /dev/null
+++ b/roles/users/tasks/rilla.yml
@@ -0,0 +1,31 @@ +- name: create group 'rilla' + group: + name: rilla + gid: 1000 + +- name: create user 'rilla' + user: + name: rilla + uid: 1000 + group: rilla + home: /home/rilla + groups: + - rilla + - wheel + +- name: make sure rilla owns its home + file: + state: directory + path: /home/rilla + owner: rilla + group: rilla + mode: '2755' + +- name: set rilla's authorized key + authorized_key: + user: rilla + key: '{{ item }}' + path: /home/rilla/.ssh/authorized_keys + with_file: + - public_keys/yubikey + register: rilla_keys
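Review bot: `mode: '2755'` in the `make sure ansible owns its home` task leaves /var/lib/ansible readable and traversable by every local user and sets the setgid bit on a home directory; `mode: '0750'` (or `'0700'`) is the least-privilege choice unless something else on the host has to read these homes — confirm before changing. The same mode appears on /home/rilla in the new rilla.yml, where that `file` task is new rather than moved, so it deserves the same look. `register: ansible_keys` (and `register: rilla_keys` in rilla.yml) is kept even though this commit deletes their only visible consumers, the `when: ...changed` guards in roles/sshd/tasks/alpine.yml, and the new alpine.yml has no conditions; unless something outside this diff reads those variables, the `register:` lines are dead and can be dropped.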