diff --git a/setup/modules/FreeipaAnsible/ansible/deploy-baseuser-sync.yml b/setup/modules/FreeipaAnsible/ansible/deploy-baseuser-sync.yml
new file mode 100644
index 0000000..19ddb09
--- /dev/null
+++ b/setup/modules/FreeipaAnsible/ansible/deploy-baseuser-sync.yml
@@ -0,0 +1,48 @@
+---
+- name: Deploy BaseUser auto-group sync
+ hosts: all
+ become: yes
+
+ tasks:
+
+ - name: Install script
+ copy:
+ src: auto-add-baseuser.sh
+ dest: /usr/local/bin/auto-add-baseuser.sh
+ mode: '0755'
+
+ - name: Install systemd service
+ copy:
+ dest: /etc/systemd/system/baseuser-sync.service
+ mode: '0644'
+ content: |
+ [Unit]
+ Description=Sync FreeIPA BaseUser membership to local group
+ After=sssd.service
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/local/bin/auto-add-baseuser.sh
+
+ - name: Install systemd path unit
+ copy:
+ dest: /etc/systemd/system/baseuser-sync.path
+ mode: '0644'
+ content: |
+ [Unit]
+ Description=Trigger BaseUser sync on login
+
+ [Path]
+ PathExistsGlob=/run/user/*
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - name: Reload systemd
+ command: systemctl daemon-reload
+
+ - name: Enable and start path unit
+ systemd:
+ name: baseuser-sync.path
+ enabled: yes
+ state: started
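Review bot: `PathExistsGlob=/run/user/*` in baseuser-sync.path is a level trigger, not a per-login event. As systemd.path describes it, the unit activates whenever a match exists, so while any session directory is present the oneshot service can be started again each time it finishes, and a second user logging in produces no new event. If the intent is the one stated in `Description=Trigger BaseUser sync on login`, an edge trigger such as `PathChanged=/run/user` looks closer; confirm the behaviour on the target systemd version. The service sets no `User=`, so auto-add-baseuser.sh runs as root and is not part of this diff; pinning `owner: root` and `group: root` on the "Install script" copy task would make the 0755 file's ownership explicit. Separately, `command: systemctl daemon-reload` reports changed on every run, and `daemon_reload: true` on the final systemd task would replace it.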