diff --git a/bundles/users/items.py b/bundles/users/items.py
new file mode 100644
index 0000000..3557a34
--- /dev/null
+++ b/bundles/users/items.py
@@ -0,0 +1,36 @@
+directories = {}
+users = {}
+files = {}
+groups = {}
+
+pkg_apt = {
+ 'fish': {},
+ 'tmux': {},
+}
+
+for username, attrs in node.metadata['users'].items():
+ home = attrs.get('home', '/home/{}'.format(username))
+
+ if attrs.get('delete', False):
+ users[username] = {'delete': True}
+ directories[home] = {'delete': True}
+
+ else:
+ user = users.setdefault(username, {})
+
+ user['home'] = home
+ user['shell'] = attrs.get('shell', '/usr/bin/fish')
+ user['password'] = repo.vault.human_password_for('user {} on {}'.format(username, node.name))
+
+ directories[home] = {
+ 'owner': username,
+ 'mode': '0700',
+ }
+
+ if 'ssh_pubkey' in attrs:
+ files[home + '/.ssh/authorized_keys'] = {
+ 'content': "\n".join(attrs['ssh_pubkey']),
+ 'owner': username,
+ 'mode': '0600',
+ }
+
diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py
new file mode 100644
index 0000000..3dd424f
--- /dev/null
+++ b/bundles/users/metadata.py
@@ -0,0 +1,11 @@
+@metadata_processor
+def root_user(metadata):
+ return {
+ 'users': {
+ 'root': {
+ 'home': '/root',
+ 'ssh_pubkey': [],
+ 'shell': '/bin/bash',
+ },
+ },
+ }, DEFAULTS, DONE
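Review bot: Every non-deleted account gets a login password in the `else` branch through `user['password'] = repo.vault.human_password_for(...)`, including accounts that supply `ssh_pubkey`, so key-only users stay exposed to password guessing wherever password login is permitted (whether sshd allows it is not visible here). I would make the password opt-in from metadata and lock it otherwise, e.g. `user['password_hash'] = '!'` unless a flag such as `attrs.get('password_login')` (the name is only a suggestion) is set. Separately, the `delete` branch removes whatever `home` resolves to, so a check that refuses `/` or other shared paths before `directories[home] = {'delete': True}` would limit the damage of a bad metadata entry.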
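Review bot: The empty default `'ssh_pubkey': []` makes the `'ssh_pubkey' in attrs` test in bundles/users/items.py true for root on every node, so `/root/.ssh/authorized_keys` is managed with empty content unless node or group metadata supplies keys. Assuming `DEFAULTS` lets other metadata take precedence, nodes with no configured keys would have any existing root keys replaced by an empty file, while the same loop still sets a vault-derived root password. If that enforcement is intended, say so with a comment such as `# empty on purpose: root's authorized_keys is always managed, keys must come from metadata`. Otherwise drop the default here, or change the check in items.py to `if attrs.get('ssh_pubkey'):`.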