system-config/playbooks/roles/backup-server/tasks/user.yaml

# note bup_user is the parent loop variable name; this works on each
# element from the bup_users global.
- name: Set variables
  set_fact:
    user_name: '{{ bup_user[0] }}'
    user_key: '{{ bup_user[1] }}'

- name: Create bup user
  user:
    name: '{{ user_name }}'
    comment: 'Backup user'
    shell: /bin/bash
    home: '/opt/backups/{{ user_name }}'
    create_home: yes
  register: homedir

- name: Create bup user authorized key
  authorized_key:
    user: '{{ user_name }}'
    state: present
    key: '{{ user_key }}'
    key_options: 'command="BUP_DEBUG=0 BUP_FORCE_TTY=3 bup server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# ansible-lint wants this in a handler, it should be done here and
# now; this isn't like a service restart where multiple things might
# call it.
- name: Initalise bup  # noqa 503
  shell: |
    BUP_DIR=/opt/backups/{{ user_name }}/.bup bup init    
  become: yes
  become_user: '{{ user_name }}'
  when: homedir.changed