diff --git a/roles/pve_auth/defaults/main.yml b/roles/pve_auth/defaults/main.yml
new file mode 100644
index 0000000..c0fa651
--- /dev/null
+++ b/roles/pve_auth/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+pve_auth__groups: {}
+pve_auth__users: {}
+...
diff --git a/roles/pve_auth/tasks/main.yml b/roles/pve_auth/tasks/main.yml
new file mode 100644
index 0000000..68c23c0
--- /dev/null
+++ b/roles/pve_auth/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Configure PVE users
+  template:
+    src: user.cfg.j2
+    dest: /etc/pve/user.cfg
+    owner: root
+    group: www-data
+    mode: u=rw,g=r,o=
+
+- name: Configure PVE passwords
+  template:
+    src: shadow.cfg.j2
+    dest: /etc/pve/priv/shadow.cfg
+    owner: root
+    group: www-data
+    mode: u=rw,g=,o=
+...
diff --git a/roles/pve_auth/templates/shadow.cfg.j2 b/roles/pve_auth/templates/shadow.cfg.j2
new file mode 100644
index 0000000..b45c40d
--- /dev/null
+++ b/roles/pve_auth/templates/shadow.cfg.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+{% for name, user in pve_auth__users.items() %}
+{% if user.enabled | default(True) %}
+{{ name }}:{{ user.password }}:
+{% endif %}
+{% endfor %}
diff --git a/roles/pve_auth/templates/user.cfg.j2 b/roles/pve_auth/templates/user.cfg.j2
new file mode 100644
index 0000000..5bb9da7
--- /dev/null
+++ b/roles/pve_auth/templates/user.cfg.j2
@@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+{% for name, user in pve_auth__users.items() %}
+{% if user.enabled | default(True) %}
+user:{{ name }}@pve:1:0::::::
+{% endif %}
+{% endfor %}
+
+{% for group in pve_auth__groups.keys() %}
+{% set users = pve_auth__users
+ | selectattr("groups", "defined")
+ | selectattr("groups", "contains", group) %}
+group:{{ group }}:{{ users | join(",") }}::
+{% endfor %}
+
+{% for group, roles in pve_auth__groups.items() %}
+acl:1:/:@{{ group }}:{{ roles | join(",") }}:
+{% endfor %}
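Review bot: The "Configure PVE passwords" task renders `/etc/pve/priv/shadow.cfg`, so every run with `--diff` (and every change) prints the password hashes into the Ansible output and any log collector behind it; add `diff: false` to that task (or `no_log: true` if the task name alone is enough in the log). The `owner`/`group`/`mode` arguments on both tasks are probably moot, since `/etc/pve` is the pmxcfs mount which fixes ownership and permissions itself — worth verifying that the module does not fail on the chmod/chown and, if it does not, dropping those keys so the task does not suggest they are enforced here. A `validate:` step is not available for these files, so consider a comment on the task noting that PVE re-reads `user.cfg` on every access and a malformed render locks out all `@pve` logins.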
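Review bot: `{{ user.password }}` is written verbatim into the hash field of `shadow.cfg`, so the variable must already be a crypt(3) hash; nothing in the role documents or checks that, and a cleartext value would simply be stored as-is (and then fail to authenticate). Name the key `password_hash` (or document `password` as a hash), keep the values in Ansible Vault, and add a header comment in the template: `{# value must be a crypt(3) hash (e.g. from the password_hash filter), never cleartext #}`. A user with `enabled: false` is omitted from this file entirely, which is consistent with `user.cfg.j2` but means re-enabling requires the hash to still be in inventory — fine, just worth stating in the role README.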
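Review bot: The `{% set users = … %}` block always yields an empty list, because `selectattr` over the `pve_auth__users` mapping iterates its keys (strings), so `selectattr("groups", "defined")` drops every entry and each `group:` line is rendered with no members. Use `dict2items` and select on the value, then map back to the key with the realm appended, e.g. `{% set users = pve_auth__users | dict2items | selectattr("value.groups", "defined") | selectattr("value.groups", "contains", group) | map(attribute="key") | map("regex_replace", "$", "@pve") | list %}` — the member field in `user.cfg` takes full user ids, not bare names. Users with `enabled: false` should probably be filtered here too, otherwise the group line references a user the `user:` section above omits. Separately, the `acl:1:/:@{{ group }}:…` line grants every group's roles at `/` with propagation, i.e. on every node, storage and guest; if that is intended, say so in a template comment, otherwise make the path a per-group variable so roles can be scoped to a pool or path.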