diff --git a/README.rst b/README.rst index 7ef1620e845324433bd31e6184192f856e9b9a0c..23f8510047f35d9a788edbe70a80ca1d1368e6fc 100644 --- a/README.rst +++ b/README.rst @@ -5,17 +5,17 @@ Users :target: https://travis-ci.org/adarnimrod/users An Ansible role to create users, groups, email aliases, configure sudo and lock -down root account. The intended use case is to replace setting up an LDAP or -NIS server. The role also installs sudo and creates a sudoers group that can use -sudo with a password. A password is also set if provided. For generating the -password hash needed, under Debian run: :code:`echo MyPassword | mkpasswd -m -sha-512 -s` and under OpenBSD run: :code:`echo MyPassword | encrypt`. If -provided, email alias and SSH authorized keys are set. If -:code:`users_lock_root` is set to :code:`True` (by default it is) then local and -SSH root login is disabled. Another use case is to manage system users, for -example to disable the local root login add root to the :code:`users` variable -with the password :code:`*************`, setting an email address will also -set mail forwarding. +down root account SSH access. The intended use case is to replace setting up +an LDAP or NIS server. The role also installs sudo and creates a sudoers group +that can use sudo with a password. A password is also set if provided. For +generating the password hash needed, under Debian run: :code:`echo MyPassword +| mkpasswd -m sha-512 -s` and under OpenBSD run: :code:`echo MyPassword | +encrypt`. If provided, email alias and SSH authorized keys are set. If +:code:`users_lock_root_ssh` is set to :code:`True` (by default it is) then SSH +root login is disabled. Another use case is to manage system users, for example +to disable the local root login add root to the :code:`users` variable with the +password :code:`*************`, setting an email address will also set mail +forwarding. Requirements ------------ 
diff --git a/defaults/main.yml b/defaults/main.yml
index f064fa29682ad9c21b5d2d72248d0fcde980004d..297d863d06c44adf281199958330f23c68c0d41f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # defaults file for users
-users_lock_root: True
-
+users_lock_root_ssh: True
+users_use_sudo: True
 users:
   - name: root
     password: '*************'
diff --git a/tasks/lock_root_ssh.yml b/tasks/lock_root_ssh.yml
new file mode 100644
index 0000000000000000000000000000000000000000..095d4802c32e8c4fb53b4c42e080cc51f7278b8f
--- /dev/null
+++ b/tasks/lock_root_ssh.yml
@@ -0,0 +1,18 @@
+---
+# tasks file for locking root ssh
+- name: Create ssh directory in case SSH isn't installed
+  file:
+    path: /etc/ssh
+    owner: root
+    group: 0
+    mode: 0o0755
+    state: directory
+
+- name: Disable root login via SSH
+  lineinfile:
+    create: yes
+    dest: /etc/ssh/sshd_config
+    line: 'PermitRootLogin no'
+    regexp: '^PermitRootLogin '
+  notify:
+    - Restart ssh
diff --git a/tasks/main.yml b/tasks/main.yml
index b92c3a6e3b8b965af367ee8e9a0e63f7c11c7fc1..5a378a989c696a991dc5a262bb012377fb4e46a2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
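Review bot: The `Disable root login via SSH` task in `tasks/lock_root_ssh.yml` appends `PermitRootLogin no` at end of file whenever `/etc/ssh/sshd_config` has no uncommented `PermitRootLogin` line (a commented-out default, which distributions typically ship, is not matched by `regexp: '^PermitRootLogin '`), and sshd scopes any directive placed after a `Match` block to that block only, so on a config that ends with a `Match` section the root lockout does not apply globally. Adding `insertbefore: BOF` to the `lineinfile` task keeps the directive in the global section whatever the existing file contains, while an existing uncommented line is still replaced in place. The `Restart ssh` handler is outside this diff, so whether a changed line reaches the running daemon cannot be checked here.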
@@ -4,53 +4,25 @@
   assert:
     that:
       - ansible_os_family in [ 'OpenBSD', 'Debian' ]
-      - users is defined
-
-- name: APT install sudo
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: sudo
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: Pkg install sudo
-  when: ansible_pkg_mgr == 'openbsd_pkg' and ansible_distribution_release | version_compare('5.8', '>=')
-  openbsd_pkg:
-    name: '{{ users_sudo_pkg[ansible_distribution_release] }}'
-    state: present
+      - users is iterable
+      - users_lock_root_ssh in [ True, False ]
+      - users_use_sudo in [ True, False ]
+      # OpenBSD 5.7 was the last version that came with sudo installed.
+      - >
+        ansible_os_family != 'OpenBSD' or
+        ansible_distribution_release|version_compare('5.7', '<=') or
+        ansible_distribution_release in users_sudo_pkg or
+        not users_use_sudo
+
+- include: sudo.yml
+  when: users_use_sudo
 
 - name: Create groups
-  with_items: '{{ users_unique_groups|union(["sudoers"]) }}'
+  with_items: '{{ users_unique_groups }}'
   group:
     name: '{{ item }}'
     state: present
 
-- name: Create sudoers.d directory
-  file:
-    path: /etc/sudoers.d
-    state: directory
-    owner: root
-    group: 0
-    mode: '0755'
-
-- name: Include sudoers.d/*
-  lineinfile:
-    dest: /etc/sudoers
-    line: '#includedir /etc/sudoers.d'
-    state: present
-
-- name: Allow sudo without password to sudoers
-  lineinfile:
-    dest: '/etc/sudoers.d/50_sudoers'
-    line: '%sudoers ALL=(ALL) NOPASSWD: ALL'
-    regexp: '^%sudoers'
-    state: present
-    create: yes
-    owner: root
-    group: 0
-    mode: 0o0440
-
 - name: Create users
   with_items: '{{ users }}'
   user:
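Review bot: The assert gains checks for `users_lock_root_ssh` and `users_use_sudo` but nothing catches a playbook that still sets the old `users_lock_root` variable, which `defaults/main.yml` no longer defines; such a caller silently gets the new default rather than the value it set, and one that set it to `False` now has root SSH login disabled without any warning. Adding `- users_lock_root is not defined  # renamed to users_lock_root_ssh` to the `that:` list turns the rename into a visible failure on the first run. Separately, `users is iterable` admits a plain string, since Jinja strings are iterable, so `users: root` passes the assert and presumably fails later in the `Create users` loop (that task continues past the hunk); `- users is not string` alongside it would reject that shape up front.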
@@ -82,21 +54,5 @@
   notify:
     - Update SMTPd database
 
-- name: Create ssh directory in case SSH isn't installed
-  when: users_lock_root
-  file:
-    path: /etc/ssh
-    owner: root
-    group: 0
-    mode: 0o0755
-    state: directory
-
-- name: Disable root login via SSH
-  when: users_lock_root
-  lineinfile:
-    create: yes
-    dest: /etc/ssh/sshd_config
-    line: 'PermitRootLogin no'
-    regexp: '^PermitRootLogin '
-  notify:
-    - Restart ssh
+- include: lock_root_ssh.yml
+  when: users_lock_root_ssh
diff --git a/tasks/sudo.yml b/tasks/sudo.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d0539aedbd58e1db05f6c555185900109cf790c1
--- /dev/null
+++ b/tasks/sudo.yml
@@ -0,0 +1,45 @@
+---
+# tasks file for sudoers
+- name: APT install sudo
+  when: ansible_pkg_mgr == 'apt'
+  apt:
+    name: sudo
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: pkg install sudo
+  when: ansible_pkg_mgr == 'openbsd_pkg' and ansible_distribution_release|version_compare('5.7', '>')
+  openbsd_pkg:
+    name: '{{ users_sudo_pkg[ansible_distribution_release] }}'
+    state: present
+
+- name: Create sudoers.d directory
+  file:
+    path: /etc/sudoers.d
+    state: directory
+    owner: root
+    group: 0
+    mode: 0o0755
+
+- name: Include sudoers.d/*
+  lineinfile:
+    dest: /etc/sudoers
+    line: '#includedir /etc/sudoers.d'
+    state: present
+
+- name: Allow sudo without password to the sudoers group
+  lineinfile:
+    dest: '/etc/sudoers.d/50_sudoers'
+    line: '%sudoers ALL=(ALL) NOPASSWD: ALL'
+    regexp: '^%sudoers'
+    state: present
+    create: yes
+    owner: root
+    group: 0
+    mode: 0o0440
+
+- name: Create sudoers group
+  group:
+    name: sudoers
+    state: present
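Review bot: Both `lineinfile` tasks in `tasks/sudo.yml` edit sudo policy files (`/etc/sudoers` and `/etc/sudoers.d/50_sudoers`) without `validate`, so a malformed line is written in place and sudo refuses to run on the host until the file is repaired by another route; adding `validate: 'visudo -cf %s'` to each task has sudo check the candidate file first and leaves the original untouched when the check fails. The rule written, `%sudoers ALL=(ALL) NOPASSWD: ALL`, also disagrees with the README text this same commit revises, which still says the group "can use sudo with a password"; either the README sentence or the rule (dropping `NOPASSWD:`) should change so the documented privilege model matches what the role configures. The `Create sudoers group` task runs after the rule that names the group; sudo tolerates a rule for a not-yet-existing group, so that is only an ordering nit.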