ansible-infra/roles/common/tasks/user.yml

---
# Create an user and add their SSH public keys
- name: Create user {{ user.name }} with no password
  user:
    name: "{{ user.name }}"
    shell: /bin/bash
    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
    password: '*'
    groups: 
    - sudo
    append: yes
    state: present
    update_password: on_create

- name: Add SSH public keys for user {{ user.name }}
  authorized_key:
    user: "{{ user.name }}"
    state: present
    # we can pass multiple SSH keys, but they must be separated by newlines
    key: "{{ user.ssh_keys | join('\n') }}"
    # remove obsolete keys
    exclusive: yes