diff --git a/pillar/role/web_static.sls b/pillar/role/web_static.sls
index 6b70551..aacaa38 100644
--- a/pillar/role/web_static.sls
+++ b/pillar/role/web_static.sls
@@ -53,3 +53,8 @@ nginx:
 - root: /srv/www/htdocs
 enabled: True
 {% endfor %}
+
+profile:
+ web_static:
+ ssh_pubkey: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIJnMpF8wUQ57rhnipQYisbRh8t34Y7HHLdJN5uCK3Y web_static@salt'
+ websites: {{ websites }}
diff --git a/salt/profile/static/docroot.sls b/salt/profile/static/docroot.sls
new file mode 100644
index 0000000..410239a
--- /dev/null
+++ b/salt/profile/static/docroot.sls
@@ -0,0 +1,10 @@
+{% set websites = salt['pillar.get']('profile:web_static:websites') %}
+
+/srv/www/vhosts/:
+ file.directory
+
+{% for website in websites %}
+/srv/www/vhosts/{{ website }}.opensuse.org:
+ file.directory:
+ - user: web_static
+{% endfor %}
diff --git a/salt/profile/static/user.sls b/salt/profile/static/user.sls
new file mode 100644
index 0000000..9c052f3
--- /dev/null
+++ b/salt/profile/static/user.sls
@@ -0,0 +1,26 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+web_static:
+ user.present:
+ - createhome: False
+ - home: /home/web_static
+ - shell: /bin/bash
+
+/home/web_static:
+ file.directory:
+ - user: root
+
+/home/web_static/.ssh:
+ file.directory:
+ - user: root
+
+{% if 'web_static' in roles %}
+/home/web_static/.ssh/authorized_keys:
+ file.managed:
+ - contents_pillar: profile:web_static:ssh_pubkey
+ - mode: 644
+ - user: root
+{% endif %}
+
+rsync:
+ pkg.installed
diff --git a/salt/role/web_static.sls b/salt/role/web_static.sls
index a5b1924..0b708d1 100644
--- a/salt/role/web_static.sls
+++ b/salt/role/web_static.sls
@@ -1,2 +1,4 @@
 include:
 - profile.web.server.nginx
+ - profile.static.user
+ - profile.static.docroot
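Review bot: `websites: {{ websites }}` in pillar/role/web_static.sls prints the Jinja variable with Python's repr, which is valid YAML only by coincidence and breaks on values that need quoting (or on `u'…'` prefixes under Python 2). Rendering it through a serializer, `websites: {{ websites | json }}`, keeps the pillar well-formed for any site name. `websites` is defined above the hunk, so this assumes it is a list of strings.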
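Review bot: salt/profile/static/docroot.sls sets `user: web_static` on each vhost directory, but nothing in the file requires the user state, so it only works when profile.static.user happens to be applied first. Adding `- require:` with `- user: web_static` under the per-site `file.directory` (or an `include` of profile.static.user) would make that ordering explicit. The parent `/srv/www/vhosts/` state also leaves owner and mode to whatever already exists on disk; pinning `- user: root` and `- mode: '0755'` there would help ensure web_static can write only inside its own site directories.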
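Review bot: In salt/profile/static/user.sls the authorized_keys content is written from the pillar value without any key options while the account has `shell: /bin/bash`, so whoever holds that key gets an unrestricted interactive login. If the key is only meant for rsync uploads (the state installs rsync, so presumably it is), the pillar value could carry options, e.g. `restrict,command="<rsync-wrapper> /srv/www/vhosts/" ssh-ed25519 …`, where the wrapper path is a placeholder for whatever the distribution ships (rrsync is the usual choice). Keeping the home, `.ssh` and the key file owned by root is a good pattern because the account cannot rewrite its own key, but neither directory pins `mode` or `group`. Adding `- mode: '0755'` and `- group: root` would keep sshd's StrictModes check from depending on the state of the directory at creation time, and the key file's mode is safer quoted as `'0644'`.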