diff --git a/README.md b/README.md index 9c82a88..c5a4e85 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,20 @@ It is implemented via [Ansible](https://docs.ansible.com/projects/ansible/latest To set up the server just run: ```shell -ansible-playbook playbooks/setup.yaml --diff --check # to verify what would be changed +ansible-playbook playbooks/setup.yaml --check # to verify what would be changed ansible-playbook playbooks/setup.yaml # to apply the changes ``` + +## Secrets + +There are some secrets that need to be configured, but they must not be commited. + +To provide these secrets you can choose one of multiple options: + +* set them via `-e` / `--extra-vars` +* put them into `inventory/group_vars/all/secrets.yaml` +* put them in a secure file outside the project directory and provide the file via `-e @path/to/file.yaml` + +For the file-based variants you can use [Ansible vault](https://docs.ansible.com/projects/ansible/latest/vault_guide/index.html) to encrypt the secrets locally. + +To skip all tasks that require secrets you can use `--skip-tags secret-required` diff --git a/ansible.cfg b/ansible.cfg index b0a369a..e99458f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,8 @@ [defaults] inventory = inventory roles_path = roles +playbook_dir = playbooks interpreter_python = auto_silent + +[diff] +always = true diff --git a/inventory/group_vars/.gitignore b/inventory/group_vars/.gitignore new file mode 100644 index 0000000..a55e57b --- /dev/null +++ b/inventory/group_vars/.gitignore @@ -0,0 +1,3 @@ +# protect some file names for usage with secrets +secret*.yaml +*.local.* diff --git a/roles/base/tasks/dependencies.yaml b/roles/base/tasks/dependencies.yaml new file mode 100644 index 0000000..77b5460 --- /dev/null +++ b/roles/base/tasks/dependencies.yaml @@ -0,0 +1,5 @@ +--- +- name: Install Ansible tasks dependencies + community.general.pacman: + name: python-github3py + state: present 
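Review bot: `always = true` under `[diff]` turns on before/after output for every file-changing task on every run, and the README hunk in this same commit introduces secret-bearing variables, so any `template`/`copy` task that renders one of those secrets into a file will print it to the terminal and to any CI or job log that captures the output. Tasks that write secrets to disk should set `diff: false` (or `no_log: true`, which also censors the diff) so the global default cannot leak them; I cannot see the `secret-required` tasks in this diff, so whether any of them templates a secret is an inference. A comment above the option would make the trade-off visible to the next editor, e.g. `# prints file diffs on every run (not only with --check); tasks that render secrets must set diff: false or no_log: true`. As far as I recall `playbook_dir` only affects the non-playbook CLIs (`ansible`, `ansible-inventory`, `ansible-console`) and not `ansible-playbook`, so if it was meant to let `ansible-playbook setup.yaml` resolve without the `playbooks/` prefix it is worth verifying.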
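Review bot: `secret*.yaml` only covers the `.yaml` spelling, while group_vars also loads `.yml` and `.json` files, so a `secrets.yml` created by habit next to the README's `all/secrets.yaml` would be committed; `secret*.y*ml` (or a second `secret*.yml` line) closes that gap. Because the pattern has no slash it matches at any depth below `inventory/group_vars/`, so the `all/secrets.yaml` path the README recommends is covered. An ignore rule is a convenience rather than a control — `git add -f`, a differently named file, or a secret placed under `host_vars/` all bypass it — so it is worth pairing with a pre-commit secret scanner and saying so in the header comment: `# convenience only: files named otherwise or placed outside group_vars are not protected`.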
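Review bot: The task name does not say which module needs `python-github3py`, and nothing in this file records that it was moved here from the reposilite role, so a later cleanup could drop it without noticing the consumer; a one-line comment above the task naming the module that imports it (presumably a GitHub-release lookup in the reposilite role — that task is not visible here) would prevent that. Moving the install into the base role also makes the reposilite role silently depend on base having run first; declaring that in the reposilite role's `meta/main.yaml` `dependencies` would make the coupling explicit.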
diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml
index bef1395..22b70ee 100644
--- a/roles/base/tasks/main.yaml
+++ b/roles/base/tasks/main.yaml
@@ -2,3 +2,4 @@
 - ansible.builtin.import_tasks: groups.yaml
 - ansible.builtin.import_tasks: sudo.yaml
 - ansible.builtin.import_tasks: directories.yaml
+- ansible.builtin.import_tasks: dependencies.yaml
diff --git a/roles/base/tasks/sudo.yaml b/roles/base/tasks/sudo.yaml
index aece388..c53614d 100644
--- a/roles/base/tasks/sudo.yaml
+++ b/roles/base/tasks/sudo.yaml
@@ -3,4 +3,3 @@
 ansible.builtin.template:
 src: admin.j2
 dest: /etc/sudoers.d/admin
-
diff --git a/roles/reposilite/tasks/base.yaml b/roles/reposilite/tasks/base.yaml
index afcc824..4810104 100644
--- a/roles/reposilite/tasks/base.yaml
+++ b/roles/reposilite/tasks/base.yaml
@@ -1,9 +1,4 @@
 ---
-- name: Install required packages
- community.general.pacman:
- name: python-github3py
- state: present
-
 - name: Create reposilite user
 ansible.builtin.user:
 name: reposilite
diff --git a/roles/reposilite/tasks/main.yaml b/roles/reposilite/tasks/main.yaml
index f6a1fb3..90385cb 100644
--- a/roles/reposilite/tasks/main.yaml
+++ b/roles/reposilite/tasks/main.yaml
@@ -2,4 +2,3 @@
 - ansible.builtin.import_tasks: base.yaml
 - ansible.builtin.import_tasks: service.yaml
 - ansible.builtin.import_tasks: nginx.yaml
-