diff --git a/infrastructure/ansible/deploy.yml b/infrastructure/ansible/deploy.yml index 0417113..355483c 100644 --- a/infrastructure/ansible/deploy.yml +++ b/infrastructure/ansible/deploy.yml @@ -18,6 +18,8 @@ roles: # Stelle sicher, dass jeder Host Docker & Co hat - common + # User Management + - users tasks: # --- 1. Identifikation (Lokal prüfen, was der Host bekommen soll) --- diff --git a/infrastructure/ansible/group_vars/all/users.yml b/infrastructure/ansible/group_vars/all/users.yml new file mode 100644 index 0000000..4e054d2 --- /dev/null +++ b/infrastructure/ansible/group_vars/all/users.yml @@ -0,0 +1,12 @@ +users_list: + - username: nick + state: present + groups: [sudo, docker] + ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDNhzTnunFTn0aUL9BLdUFCrNreNBC6LmB0Vn/K4Jnv nick@pc" + shell: /bin/bash + +# - username: admin +# state: present +# ssh_key: "ssh-ed25519 BBBB..." # Weiterer Key +# groups: [sudo, docker] + diff --git a/infrastructure/ansible/pull_deploy.yml b/infrastructure/ansible/pull_deploy.yml index 5576cb2..e8a9007 100644 --- a/infrastructure/ansible/pull_deploy.yml +++ b/infrastructure/ansible/pull_deploy.yml @@ -72,7 +72,15 @@ # Sicherheitshalber: Lösche nichts, was 'vault' heißt, falls Config kaputt ist when: app_name_to_remove != 'vault' - # 5. Deploy Apps (Update/Install) + # 5. Rollen ausführen (Common & Users auch im Pull-Mode aktuell halten) + - name: "Führe Rollen aus" + include_role: + name: "{{ item }}" + loop: + - common + - users + + # 6. Deploy Apps (Update/Install) - name: "Deploy Apps Loop" include_tasks: deploy_logic_pull.yml loop: "{{ wanted_apps }}" diff --git a/infrastructure/ansible/roles/users/defaults/main.yml b/infrastructure/ansible/roles/users/defaults/main.yml new file mode 100644 index 0000000..d6f4858 --- /dev/null +++ b/infrastructure/ansible/roles/users/defaults/main.yml 
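Review bot: `groups: [sudo, docker]` in the new `group_vars/all/users.yml` grants two independent routes to root — membership in `docker` is root-equivalent through the Docker socket, not a lesser convenience privilege — and because the file sits under `group_vars/all`, this account and key are applied to every host in the inventory, presumably including the host that `pull_deploy.yml` singles out as `vault`. That may be exactly what is wanted for a sole administrator, but it should be stated so that later entries (like the commented-out `admin`) do not copy `docker` as a harmless default; I would add `# NOTE: docker group membership is root-equivalent (socket access) — treat it like sudo` above the list. If not every host needs this account, scope the variable to a narrower group or `host_vars` rather than `all`.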
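Review bot: Running the `users` role from the pull playbook means every host that pulls this repository will create the sudo/docker accounts and authorized keys from `group_vars/all/users.yml` on its next run, so the repository and the branch the pull side tracks become the root-credential distribution channel for the fleet; nothing in the hunk shows how that source is authenticated or who can push to it. A comment above the new task would make the trust boundary explicit for whoever edits `users_list`: `# NOTE: users role grants sudo/docker from repo vars — a commit to the tracked branch is root on every pulling host; protect that branch`. The task whose `when: app_name_to_remove != 'vault'` line opens the hunk begins outside it, so I cannot tell whether the same guard should also apply to account removal.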
@@ -0,0 +1,13 @@
+---
+# Default configuration for users role
+# Can be overridden in host_vars or group_vars
+
+users_list: []
+# Example structure:
+# users_list:
+# - username: nick
+# state: present # or absent
+# groups: [sudo, docker]
+# ssh_key: "ssh-ed25519 AAAA..."
+# shell: /bin/bash
+
diff --git a/infrastructure/ansible/roles/users/tasks/main.yml b/infrastructure/ansible/roles/users/tasks/main.yml
new file mode 100644
index 0000000..d0f48f0
--- /dev/null
+++ b/infrastructure/ansible/roles/users/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: "Erstelle Gruppen"
+ group:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ users_list | map(attribute='groups') | flatten | unique | default([]) }}"
+
+- name: "Verwalte Benutzer"
+ user:
+ name: "{{ item.username }}"
+ state: "{{ item.state | default('present') }}"
+ groups: "{{ item.groups | default([]) }}"
+ shell: "{{ item.shell | default('/bin/bash') }}"
+ append: true # Keep existing groups
+ create_home: true
+ loop: "{{ users_list }}"
+ when: item.state | default('present') == 'present'
+
+- name: "Setze SSH Authorized Keys"
+ authorized_key:
+ user: "{{ item.username }}"
+ state: present
+ key: "{{ item.ssh_key }}"
+ loop: "{{ users_list }}"
+ when: item.state | default('present') == 'present' and item.ssh_key is defined
+
+- name: "Entferne Benutzer (falls state=absent)"
+ user:
+ name: "{{ item.username }}"
+ state: absent
+ remove: true # Delete home directory
+ loop: "{{ users_list }}"
+ when: item.state | default('present') == 'absent'
+
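Review bot: The example structure in the defaults comment does not say which keys are required and does not warn that `state: absent` also deletes the home directory (the tasks file passes `remove: true`), which is the kind of thing someone editing `users_list` needs to know before they do it. From the tasks, `username` is always read, `shell` and `ssh_key` are optional, and `groups` is guarded with `default([])` in the `user` task but read unguarded by the group-creation loop, so an entry without `groups` most likely fails the play. I would annotate the example lines: `#     state: present           # 'absent' removes the account AND its home directory` and `#     groups: [sudo, docker]  # sudo and docker are both root-equivalent; currently required by the group task`.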
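Review bot: The role can grant privilege but never revoke it short of deleting the account: `append: true` on the "Verwalte Benutzer" task means that removing `sudo` or `docker` from an entry's `groups` leaves the membership on the host, and `authorized_key` without `exclusive` means that rotating `ssh_key` leaves the old key authorized. If `users_list` is meant to be the source of truth, change to `append: false` so the listed `groups` become authoritative (the `user` module then drops unlisted supplementary groups) and add `exclusive: true` to the authorized_key task — with the caveat that exclusive removes any out-of-band key, including a bootstrap key, so that key has to be in `users_list` first. A lesser point: the "Erstelle Gruppen" loop applies `map(attribute='groups')` to every entry, including `state: absent` ones and entries without a `groups` key that the later `item.groups | default([])` treats as optional, so it creates groups for accounts about to be removed and will likely error on a missing key; `loop: "{{ users_list | rejectattr('state', 'defined') | list + (users_list | selectattr('state', 'defined') | rejectattr('state', 'equalto', 'absent') | list) | map(attribute='groups', default=[]) | flatten | unique }}"` is ugly but correct, or simply document that `groups` is required and the trailing `| default([])` is a no-op once the defaults file sets `users_list: []`.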