diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 069bac4..70c930c 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -109,4 +109,17 @@
 system_rc_local_shutdown_base_cmd: []
 system_rc_local_shutdown_extra_cmd: []
 system_rc_local_shutdown_cmd: "{{ system_rc_local_shutdown_base_cmd + system_rc_local_shutdown_extra_cmd }}"
+# Optional : if system_ansible_ssh_keys is set (to a list of public SSH keys)
+# it'll configure the keys for the ansible user. If not set, you have to configure it manually
+# or with the ssh_users / ssh_extra_users
+# system_ansible_ssh_keys: []
+
+# if set, will add the following options to the ssh keys for ansible
+system_ansible_ssh_keys_options:
+  - no-X11-forwarding
+  - no-agent-forwarding
+  - no-pty
+# If set, will restrict the ansible ssh keys to the configured IP.
+# An empty list means no restriction
+system_ansible_src_ip: []
 ...
diff --git a/roles/common/tasks/ansible.yml b/roles/common/tasks/ansible.yml
new file mode 100644
index 0000000..389a0f7
--- /dev/null
+++ b/roles/common/tasks/ansible.yml
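Review bot: The default `system_ansible_ssh_keys_options` list disables X11 forwarding, agent forwarding and pty allocation but leaves TCP port forwarding (and tunnelling) enabled for the ansible key, which is the one option set most worth closing for an automation account; adding `- no-port-forwarding` to the list (or using the single `restrict` option where every managed host runs an OpenSSH that supports it) would close that gap. The comment above `system_ansible_src_ip` says "the configured IP", but the value is a list that the task joins into a `from=` pattern list, so the comment would be more accurate as `# If set, restricts the ansible ssh keys to these source address patterns (from= list); [] means no restriction`. The commented-out `# system_ansible_ssh_keys: []` line is fine as documentation, but note that the task file only deploys keys when the list is non-empty, so uncommenting it as-is does nothing.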
@@ -0,0 +1,26 @@
+---
+
+- name: Deploy SSH keys for the ansible account
+  authorized_key:
+    user: ansible
+    key: "{{ system_ansible_ssh_keys | join(\"\n\") }}"
+    key_options: "{{ system_ansible_ssh_keys_options | join(',') }}"
+    exclusive: True
+  when:
+    - system_ansible_ssh_keys is defined
+    - system_ansible_ssh_keys | length > 0
+    - system_ansible_src_ip is not defined or system_ansible_src_ip | length < 1
+  tags: system
+
+- name: Deploy SSH keys for the ansible account (with source IP restriction)
+  authorized_key:
+    user: ansible
+    key: "{{ system_ansible_ssh_keys | join(\"\n\") }}"
+    key_options: "from=\"{{ system_ansible_src_ip | join(',') }}\",{{ system_ansible_ssh_keys_options | join(',') }}"
+    exclusive: True
+  when:
+    - system_ansible_ssh_keys is defined
+    - system_ansible_ssh_keys | length > 0
+    - system_ansible_src_ip is defined
+    - system_ansible_src_ip | length > 0
+  tags: system
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7257859..63b1589 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -17,6 +17,7 @@
     - ansible_os_family == 'RedHat'
 - include_tasks: mail.yml
 - include_tasks: system.yml
+- include_tasks: ansible.yml
 - include_tasks: hardware.yml
   when: ansible_virtualization_role == 'host'
 - include_tasks: guest.yml
diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
index a8b00dd..9ae39c9 100644
--- a/roles/ssh/defaults/main.yml
+++ b/roles/ssh/defaults/main.yml
@@ -34,6 +34,7 @@
 sshd_password_auth: True
 #
 # User configuration
+ssh_users: []
 #ssh_users:
 #  - name: dani
 #    create_user: False
diff --git a/roles/ssh/tasks/conf.yml b/roles/ssh/tasks/conf.yml
index 5743f9f..13cad89 100644
--- a/roles/ssh/tasks/conf.yml
+++ b/roles/ssh/tasks/conf.yml
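Review bot: In the second task the `key_options` string hard-codes a comma after the `from="…"` part, so if an operator sets `system_ansible_ssh_keys_options` to an empty list the rendered options end in a dangling comma; OpenSSH's option parser rejects an options string that ends that way, the key is ignored, and because the task is `exclusive: True` the ansible account is locked out rather than just unrestricted. Building the options as one list and joining once avoids that: `key_options: "{{ (['from=\"' ~ (system_ansible_src_ip | join(',')) ~ '\"'] + system_ansible_ssh_keys_options) | join(',') }}"`. The same expression, with the `from=` element made conditional on `system_ansible_src_ip | default([]) | length > 0`, would also let the two near-identical tasks collapse into one. As a style point, `exclusive: True` in both tasks should be the canonical lowercase `true` (yamllint `truthy`).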
@@ -56,13 +56,12 @@
 - name: Deploy ssh user keys
   authorized_key:
     user: "{{ item.name }}"
-    key: "{{ item.ssh_keys| default([]) | join(\"\n\") }}"
+    key: "{{ item.ssh_keys | default([]) | flatten | join(\"\n\") }}"
     key_options: "{{ item.key_options | default([]) | join(',') }}"
     path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
     manage_dir: False
     exclusive: True
   ignore_errors: True # Needed eg, if LDAP isn't available on first run
-  #when: item.ssh_keys is defined
   loop: "{{ ssh_users }}"
   tags: ssh
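Review bot: The new `flatten` on the `key:` line is undocumented, and nothing in this hunk shows where nested key lists come from; a comment above the task such as `# ssh_keys may be a list of lists (e.g. keys merged from several sources); flatten before joining` would record the intent, assuming that is the reason. Note that `item.key_options` on the following line is not flattened the same way, so a nested option list there would be joined as the string form of the inner list rather than as options; if the inputs can be nested for keys they may be nested for options too, and `| default([]) | flatten | join(',')` would keep the two consistent. The hunk covers the whole task, so no surrounding context is hidden.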