diff --git a/bundles/sudo/files/bwusers b/bundles/sudo/files/bwusers
index 36a9248..6c47ecd 100644
--- a/bundles/sudo/files/bwusers
+++ b/bundles/sudo/files/bwusers
@@ -1,5 +1,9 @@
 % for user, config in sorted(node.metadata['users'].items()):
+% if config.get('is_admin', False):
+${user} ALL=(ALL) NOPASSWD:ALL
+% else:
 % for p in sorted(config.get('sudo_commands', [])):
 ${user} ALL=(ALL) NOPASSWD:${p}
 % endfor
+% endif
 % endfor
diff --git a/bundles/users/items.py b/bundles/users/items.py
index 4d6a381..40e57ce 100644
--- a/bundles/users/items.py
+++ b/bundles/users/items.py
@@ -30,7 +30,11 @@ for username, attrs in node.metadata['users'].items():
 user['home'] = home
 user['shell'] = '/bin/bash'
- user['password_hash'] = 'x'
+
+ if 'password' in attrs:
+ user['password'] = attrs['password']
+ else:
+ user['password_hash'] = 'x' if node.use_shadow_passwords else '*'
 if 'groups' in attrs:
 user['groups'] = attrs['groups']
diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py
index 384ff39..8640121 100644
--- a/bundles/users/metadata.py
+++ b/bundles/users/metadata.py
@@ -1,3 +1,6 @@
+from json import loads
+from os.path import join
+
 defaults = {
 'apt': {
 'packages': {
@@ -13,3 +16,29 @@ defaults = {
 },
 },
 }
+
+
+@metadata_reactor
+def add_users_from_json(metadata):
+ with open(join(repo.path, 'users.json'), 'r') as f:
+ json = loads(f.read())
+
+ users = {}
+ # First, add all admin users
+ for uname, config in json.items():
+ if config.get('is_admin', False):
+ users[uname] = {
+ 'ssh_pubkey': set(config['ssh_pubkey']),
+ 'is_admin': True,
+ }
+
+ # Then, run again to get all 'to be deleted' users
+ for uname, config in json.items():
+ if uname not in metadata.get('users', {}):
+ users.setdefault(uname, {
+ 'delete': True,
+ })
+
+ return {
+ 'users': users,
+ }
diff --git a/groups/all.py b/groups/all.py
index aff1bf1..51eb6b9 100644
--- a/groups/all.py
+++ b/groups/all.py
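Review bot: The new admin branch emits `${user} ALL=(ALL) NOPASSWD:ALL` for any truthy `is_admin`, so a metadata value such as the string `'false'` or `1` yields unrestricted passwordless root; test the flag strictly with `% if config.get('is_admin') is True:`. The same truthiness test appears in `add_users_from_json` in bundles/users/metadata.py, where it decides who is promoted from users.json. A template comment such as `## is_admin overrides sudo_commands: full passwordless sudo` would also record that the per-command list is ignored for admins.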
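Review bot: `user['password'] = attrs['password']` takes a cleartext password from node metadata, so the secret sits wherever that metadata is defined unless it is produced by the repo vault, which this hunk cannot show. A precomputed hash in `attrs` is still ignored, because the `else` branch always writes the locked placeholder; adding `elif 'password_hash' in attrs:` with `user['password_hash'] = attrs['password_hash']` would let metadata carry a hash instead of the cleartext. The enclosing `for username, attrs in …` loop starts and ends outside the hunk.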
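Review bot: `set(config['ssh_pubkey'])` in `add_users_from_json` trusts the shape of users.json: a bare string is split into single characters and a missing key raises `KeyError` while metadata is being built, in the file that decides which keys receive admin access on nodes using this bundle. Check the value before use, e.g. `keys = config.get('ssh_pubkey')` followed by `if not isinstance(keys, list) or not keys: raise ValueError(f'{uname}: ssh_pubkey must be a non-empty list')`. The local name `json` also reads like the module it was loaded with, and the function has no docstring; one line stating that admins are taken from users.json and every other listed user absent from node metadata is marked `delete` would help.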
@@ -19,24 +19,6 @@ groups['all'] = {
 'mail': 'hostmaster@kunsmann.eu',
 },
 },
- 'users': {
- 'kunsi': {
- 'ssh_pubkey': [
- 'ssh-rsa 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 cardno:000609506971',
- ],
- 'sudo_commands': {
- 'ALL',
- },
- },
- 'sophie': {
- 'ssh_pubkey': [
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile',
- ],
- 'sudo_commands': {
- 'ALL',
- },
- },
- },
 },
 'pip_command': 'pip3',
 }
diff --git a/users.json b/users.json
new file mode 100644
index 0000000..08ffcf5
--- /dev/null
+++ b/users.json
@@ -0,0 +1,14 @@
+{
+ "kunsi": {
+ "ssh_pubkey": [
+ "ssh-rsa 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 cardno:000609506971"
+ ],
+ "is_admin": true
+ },
+ "sophie": {
+ "ssh_pubkey": [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile"
+ ],
+ "is_admin": true
+ }
+}