From ddd56657608da3edbbaba7c4f9cfb4cdf980898e Mon Sep 17 00:00:00 2001 From: Niklas Seyfarth Date: Thu, 8 Jan 2026 10:52:34 +0100 Subject: [PATCH 1/3] Move python-github3py package installation into base role. --- roles/base/tasks/dependencies.yaml | 5 +++++ roles/base/tasks/main.yaml | 1 + roles/base/tasks/sudo.yaml | 1 - roles/reposilite/tasks/base.yaml | 5 ----- roles/reposilite/tasks/main.yaml | 1 - 5 files changed, 6 insertions(+), 7 deletions(-) create mode 100644 roles/base/tasks/dependencies.yaml diff --git a/roles/base/tasks/dependencies.yaml b/roles/base/tasks/dependencies.yaml new file mode 100644 index 0000000..77b5460 --- /dev/null +++ b/roles/base/tasks/dependencies.yaml @@ -0,0 +1,5 @@ +--- +- name: Install Ansible tasks dependencies + community.general.pacman: + name: python-github3py + state: present diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml index bef1395..22b70ee 100644 --- a/roles/base/tasks/main.yaml +++ b/roles/base/tasks/main.yaml @@ -2,3 +2,4 @@ - ansible.builtin.import_tasks: groups.yaml - ansible.builtin.import_tasks: sudo.yaml - ansible.builtin.import_tasks: directories.yaml +- ansible.builtin.import_tasks: dependencies.yaml diff --git a/roles/base/tasks/sudo.yaml b/roles/base/tasks/sudo.yaml index aece388..c53614d 100644 --- a/roles/base/tasks/sudo.yaml +++ b/roles/base/tasks/sudo.yaml @@ -3,4 +3,3 @@ ansible.builtin.template: src: admin.j2 dest: /etc/sudoers.d/admin - diff --git a/roles/reposilite/tasks/base.yaml b/roles/reposilite/tasks/base.yaml index afcc824..4810104 100644 --- a/roles/reposilite/tasks/base.yaml +++ b/roles/reposilite/tasks/base.yaml @@ -1,9 +1,4 @@ --- -- name: Install required packages - community.general.pacman: - name: python-github3py - state: present - - name: Create reposilite user ansible.builtin.user: name: reposilite diff --git a/roles/reposilite/tasks/main.yaml b/roles/reposilite/tasks/main.yaml index f6a1fb3..90385cb 100644 --- a/roles/reposilite/tasks/main.yaml 
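Review bot: The new task in roles/base/tasks/dependencies.yaml installs `python-github3py` on every host that runs the base role, but nothing in the file says which task or module needs it. That widens the installed package set beyond the hosts that use it, and the reposilite role now silently relies on the base role having run first. A comment above the task such as `# needed on the managed host by modules that import github3.py (presumably community.general.github_release in roles/reposilite — confirm)` would record the reason. If only reposilite hosts need the package, gating the task with a `when:` condition or a role dependency would keep the base footprint minimal.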
+++ b/roles/reposilite/tasks/main.yaml @@ -2,4 +2,3 @@ - ansible.builtin.import_tasks: base.yaml - ansible.builtin.import_tasks: service.yaml - ansible.builtin.import_tasks: nginx.yaml - From 3b2af2e5ea1907125574fa8d595b5302dde72439 Mon Sep 17 00:00:00 2001 From: Niklas Seyfarth Date: Thu, 8 Jan 2026 20:38:21 +0100 Subject: [PATCH 2/3] Show diff by default. --- README.md | 2 +- ansible.cfg | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9c82a88..438591f 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,6 @@ It is implemented via [Ansible](https://docs.ansible.com/projects/ansible/latest To set up the server just run: ```shell -ansible-playbook playbooks/setup.yaml --diff --check # to verify what would be changed +ansible-playbook playbooks/setup.yaml --check # to verify what would be changed ansible-playbook playbooks/setup.yaml # to apply the changes ``` diff --git a/ansible.cfg b/ansible.cfg index b0a369a..e99458f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,8 @@ [defaults] inventory = inventory roles_path = roles +playbook_dir = playbooks interpreter_python = auto_silent + +[diff] +always = true From c74f1978f3dae8682f17c580a5a3bb1ee1557d7b Mon Sep 17 00:00:00 2001 From: Niklas Seyfarth Date: Sun, 11 Jan 2026 12:25:54 +0100 Subject: [PATCH 3/3] Document how secrets are to be provided. --- README.md | 14 ++++++++++++++ inventory/group_vars/.gitignore | 3 +++ 2 files changed, 17 insertions(+) create mode 100644 inventory/group_vars/.gitignore diff --git a/README.md b/README.md index 438591f..c5a4e85 100644 --- a/README.md +++ b/README.md 
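Review bot: With `always = true` under `[diff]` in ansible.cfg, every run prints the before/after content of changed files to the terminal and to any captured log, and that includes templated or copied files that embed secret values. Nothing in this hunk exempts such tasks. Tasks that write secrets should set `diff: false` (or `no_log: true`), and a comment above the setting such as `# diff output can reveal secret values; set diff: false on tasks that handle them` would make the trade-off visible. Whether any current task writes secrets to a file cannot be seen from this patch.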
@@ -9,3 +9,17 @@ To set up the server just run:
 ansible-playbook playbooks/setup.yaml --check # to verify what would be changed
 ansible-playbook playbooks/setup.yaml # to apply the changes
 ```
+
+## Secrets
+
+There are some secrets that need to be configured, but they must not be commited.
+
+To provide these secrets you can choose one of multiple options:
+
+* set them via `-e` / `--extra-vars`
+* put them into `inventory/group_vars/all/secrets.yaml`
+* put them in a secure file outside the project directory and provide the file via `-e @path/to/file.yaml`
+
+For the file-based variants you can use [Ansible vault](https://docs.ansible.com/projects/ansible/latest/vault_guide/index.html) to encrypt the secrets locally.
+
+To skip all tasks that require secrets you can use `--skip-tags secret-required`
diff --git a/inventory/group_vars/.gitignore b/inventory/group_vars/.gitignore
new file mode 100644
index 0000000..a55e57b
--- /dev/null
+++ b/inventory/group_vars/.gitignore
@@ -0,0 +1,3 @@
+# protect some file names for usage with secrets
+secret*.yaml
+*.local.*
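Review bot: The pattern `secret*.yaml` in inventory/group_vars/.gitignore covers only the `.yaml` extension, while Ansible also loads group_vars files ending in `.yml` and `.json`. A file named `secrets.yml` or `secrets.json` under `group_vars/all/` would therefore still be tracked and could be committed by accident. Adding `secret*.yml` and `secret*.json`, or widening the pattern to `secret*`, closes that gap. Note that files already tracked by git are not affected by ignore rules.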