diff --git a/tasks/deploy-ssh-keys.yml b/tasks/deploy-ssh-keys.yml
new file mode 100644
index 0000000..b1f23de
--- /dev/null
+++ b/tasks/deploy-ssh-keys.yml
@@ -0,0 +1,19 @@
+---
+- name: Create SSH directory
+  become: true
+  file:
+    path: /home/{{ item.name }}/.ssh
+    state: directory
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: 0644
+  loop: "{{ _users_local }}"
+
+- name: Update authorized keys
+  become: true
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.sshkeys | join('\n') }}"
+    state: present
+    exclusive: true
+  loop: "{{ _users_local }}"
diff --git a/tasks/preprocess-users.yml b/tasks/preprocess-users.yml
index fbe3bb6..74a6f69 100644
--- a/tasks/preprocess-users.yml
+++ b/tasks/preprocess-users.yml
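Review bot: `mode: 0644` in the Create SSH directory task gives the `.ssh` directory no execute (search) bit, so the owning user cannot enter it, and sshd, which typically opens `authorized_keys` with the user's own privileges, will reject key authentication even though the keys were written as root via `become`. Change it to `mode: "0700"`, which is also the layout sshd's StrictModes expects, and quoting it sidesteps the YAML octal-integer ambiguity of a bare `0644`. Separately, `exclusive: true` in the Update authorized keys task removes every key not listed in `item.sshkeys`, so a user entry whose `sshkeys` is empty leaves that user with no keys; an undefined `sshkeys` fails the template instead. If that lockout is not intended, guard the task with `when: item.sshkeys | default([]) | length > 0`.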
@@ -5,35 +5,35 @@
 - name: Reconcile user targets with host targets to get host users
   set_fact:
-    users_local: >-
+    _users_local: >-
       {{
-        users_local | default([]) + ([item] if item.targets | intersect(local_targets) else [])
+        _users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else [])
       }}
   loop: "{{ omni_users }}"
 
 - name: Determine local user names
   set_fact:
-    users_local_names: "{{ users_local_names | default([]) + [item.name] }}"
-  loop: "{{ users_local }}"
+    _users_local_names: "{{ _users_local_names | default([]) + [item.name] }}"
+  loop: "{{ _users_local }}"
 
 - name: Determine administrative users
   set_fact:
-    users_local_admin: >-
+    _users_local_admin: >-
       {{
-        users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
+        _users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
       }}
-  loop: "{{ users_local }}"
+  loop: "{{ _users_local }}"
 
 - name: Determine existing users
   shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
   changed_when: false
-  register: users_local_existing
+  register: _users_local_existing
 
 - name: Determine removed users
   set_fact:
-    users_local_removed: >-
+    _users_local_removed: >-
       {{
-        users_local_removed | default([]) +
-        ([item] if item not in users_local_names else [])
+        _users_local_removed | default([]) +
+        ([item] if item not in _users_local_names else [])
       }}
-  loop: "{{ users_local_existing.stdout_lines }}"
+  loop: "{{ _users_local_existing.stdout_lines }}"
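Review bot: The renamed `_users_local*` facts are still created with `set_fact`, so the leading underscore marks them as private only by convention; they remain host facts visible to every later play and role, and because each task appends to `_users_local | default([])` (and likewise for `_users_local_names`, `_users_local_admin` and `_users_local_removed`), including this task file a second time for the same host appends the same users again. If the role can be included more than once, reset the lists before the loops, e.g. `_users_local: []` in a preceding `set_fact`, or derive the non-accumulating ones in a single expression such as `_users_local_names: "{{ _users_local | map(attribute='name') | list }}"`. The first task also switches the intersect operand to `omni_local_targets`; it is worth stating in a comment whether a host without that variable should fail the play (current behaviour) or yield no users via `omni_local_targets | default([])`.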