diff --git a/authorized_keys/lub b/authorized_keys/lub
new file mode 100644
index 0000000..bfb7b05
--- /dev/null
+++ b/authorized_keys/lub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCoCfs2IBe/6bzJs7eD6+a6jLpWt3PtfLiwd/nqsN9h4fc15qws2LlTg3rPwjxNJfGdYXB2CJHSMMIzvsNK3HBEagt/iBc8hV9qRHT6jLZqBJ0B2tXTQkawHizC0LP0gKGbH9aXPFaY29W/Xa+igNxsjDv9rZh0QaSa/3Z2nxzjJT4kwIXdwonREULtthsY5PnfyV/Qwe8pgbMPrSxq+rlsriGtU9Yr5qck5myK9/O+q8gQBTkbjGstPLRlDX37DDgHh9haQJ4yvGEy8p0akSdloQ9SgbISsZx+tdq9cB0TzRDY+YB2hVUrtBVhdcZ0HpDDv8J1GtkrUTfClnI6GNrkoBiJ6p2VgB0dzNQBIeuhvvzJPVmEAsi84FjwktdMx3IrrUJ1xgWftTOcZ2rxX4+vDCdr4NH1sAn9jqEUE28D1ouRwvMkyyPSictJ22CWaG4fSPfDlzylKRWFLkEPcKi06CAF8B9cGsoFGjEyiQ08lhHPHqQc1Gi2SBSXYE509wFNi385om61JY94izXAXAPx+n4OcpksEQangkBIYl0ZLyBRplQgqgzF/pCl59uosdGXjtEmOXxsYrdDmGnXCLInkA8N/bx6jZ6svGiaSXtKI/P6hY3MALuF37KzsMSNhnX6fG/a3l3WV4QYGgTtEPuYoYPpLnElMzM/MqHGEqcE/Q== lub
diff --git a/authorized_keys/pandro b/authorized_keys/pandro
new file mode 100644
index 0000000..bb506a9
--- /dev/null
+++ b/authorized_keys/pandro
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrSVrM7EpI0u+mHBCbarl7S82H6gcXIvYpQkbtOYsw3IDDbNHmc+KIEDdBgG65D32jR7sLYudUEv3cPb33pOBjeqWAer9cKBp+c/nKU74qkcnqk9YTNGucXn6aFhNRNKMbs88KGFfKD2aHHPsq1fdJy9fou5Z3oyWFyy+AAbDtn9WxWfdCaNxWRhqJcKuIe9u2/cs/sYlB+Nj3q9d4kS7mLdwzVA0JjxnHwNYoKLEJ2JEhXeJXhxi99ydA1YUUAl+jneFLNq78FPNQYVElr/evn0lyvwAagpmyucCqS11v8rX40eiMoQ3rH7nHrfdi1vbauf9+jvYQb3XQ9Rca0kCL peery@N3WDAWN
diff --git a/post-debootstrap-installer.sh b/post-debootstrap-installer.sh
index 9311ce2..f505b32 100755
--- a/post-debootstrap-installer.sh
+++ b/post-debootstrap-installer.sh
@@ -15,11 +15,14 @@ apt-get -y install locales
 
 ### boot
 
-apt-get -y install mdadm cryptsetup btrfs-tools
+apt-get -y install mdadm cryptsetup btrfs-tools systemd systemd-sysv dropbear
 
-# replace rescue system hostname with real hostname
+# generate minimal mdadm.conf
 mdadm --examine --scan | perl -pe 's/.*\/dev\/md\/?([0-9]+) .*UUID\=(.+?) .*/ARRAY \/dev\/md$1 UUID=$2/' > /etc/mdadm/mdadm.conf
 
+# concat user keys for cryptsetup unlocking at boot
+cat /authorized_keys/* > /etc/dropbear/authorized_keys
+
 # after cryptsetup, mdadm, ... because of update-initramfs
 apt-get -y install linux-image-amd64
 
@@ -27,6 +30,21 @@ DEBIAN_FRONTEND=noninteractive apt-get -y install grub-pc
 /grub.sh
 update-grub
 
+### users
+
+apt-get -y install sudo
+
+for key in /authorized_keys/*; do
+    user=$(basename "$key")
+    
+    adduser --gecos '' --disabled-password "$user"
+    
+    mkdir -p /home/"$user"/.ssh
+    cp "$key" /home/"$user"/.ssh/authorized_keys
+    chown "$user": /home/"$user"/.ssh/authorized_keys
+    
+    adduser "$user" sudo
+done
 
 ### Docker
 
@@ -44,8 +62,5 @@ apt-get -y install docker-ce
 ### tbd
 
 apt-get -y install \
-    systemd \
-    systemd-sysv \
-    dropbear \
     man-db \
     vim
diff --git a/setup.sh b/setup.sh
index 72e90a6..9bcc4aa 100755
--- a/setup.sh
+++ b/setup.sh
@@ -53,6 +53,7 @@ cd ../..
 # copy a couple of other files
 cp -a docker.key \
       post-debootstrap-installer.sh \
+      authorized_keys
       "$chroot"
 
 # set hostname
@@ -60,5 +61,6 @@ echo "$2" > "$chroot/etc/hostname"
 
 chroot "$chroot" /post-debootstrap-installer.sh
 
-rm "$chroot/docker.key" \
-   "$chroot/post-debootstrap-installer.sh"
+rm -r "$chroot/docker.key" \
+      "$chroot/post-debootstrap-installer.sh" \
+      "$chroot/authorized_keys"