diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d4547ca
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+emails.txt
diff --git a/add-users-keycloak.py b/add-users-keycloak.py
new file mode 100755
index 0000000..d64dc51
--- /dev/null
+++ b/add-users-keycloak.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+
+# See https://www.keycloak.org/docs/latest/server_admin/#user-operations
+# The following command must be run beforehand to log into the keycloak:
+# /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
+
+from os.path import exists
+from pathlib import Path
+from shlex import split
+from subprocess import run
+from sys import exit
+
+KCADM = "/opt/jboss/keycloak/bin/kcadm.sh"
+REALM = "lumbung-space"
+
+
+def confirm():
+    answer = ""
+    while answer not in ["y", "n"]:
+        answer = input("OK to create account [Y/N]? ").lower()
+    return answer == "y"
+
+
+if not exists(Path("emails.txt").absolute()):
+    print("Missing emails.txt!")
+    exit(1)
+
+with open("emails.txt") as handle:
+    emails = handle.readlines()
+
+for email in emails:
+    username = email.split("@")[0].strip()
+
+    print(f"processing {email} now...")
+    print(f"deriving {username} from {email} for account creation...")
+
+    create_command = split(
+        f"""
+        {KCADM} create users 
+        -r {REALM}
+        -s enabled=true
+        -s username={username}
+        -s 'requiredActions=["VERIFY_EMAIL","UPDATE_PROFILE","UPDATE_PASSWORD"]'
+    """
+    )
+
+    password_command = split(
+        f"""
+        {KCADM} set-password \
+        -r {REALM} \
+        --username {username}
+        --new-password lumbung
+        --temporary
+    """
+    )
+
+    print(f"Intending to run {create_command}...")
+    print(f"And then {password_command}...")
+
+    if not confirm():
+        print("Bailing out on request...")
+        exit(1)
+
+    run(create_command)
+    run(password_command)