diff --git a/ansible/assets/basementpi/compose.yml.j2 b/ansible/assets/basementpi/compose.yml.j2
index 3343484..de9eead 100644
--- a/ansible/assets/basementpi/compose.yml.j2
+++ b/ansible/assets/basementpi/compose.yml.j2
@@ -13,7 +13,7 @@ services:
 ports:
 - '80:80'
 environment:
- - DEFAULT_HOST: "{{ pihole_hostname }}.{{ pihole_domain }}"
+ DEFAULT_HOST: "{{ pihole_hostname }}.{{ pihole_domain }}"
 volumes:
 - '/var/run/docker.sock:/tmp/docker.sock'
 restart: always
diff --git a/ansible/assets/docker-ext/compose.yml.j2 b/ansible/assets/docker-ext/compose.yml.j2
index a37ada6..018f62a 100644
--- a/ansible/assets/docker-ext/compose.yml.j2
+++ b/ansible/assets/docker-ext/compose.yml.j2
@@ -43,9 +43,9 @@ services:
 - backend
 - docker_default
 labels:
- - "traefik.http.middlewares.authtest.basicauth.users=user:$$apr1$$VKJibd3x$$SwY/BRH.QTeVEaRDnLKvv0"
+ - "traefik.http.middlewares.authtest.basicauth.users=user:{{ traefik_basicauth_password }}"
 - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
- - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdseclapikey=dTkMpqDs/ryjvw1tQaV3k0VtCFQUlh+hrdZMEWnxfXc"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdseclapikey={{ traefik_crowdsec_bouncer_lapi_key }}"
 - "traefik.http.middlewares.authchain.chain.middlewares=crowdsec@docker,authentik@docker"
 - "traefik.http.middlewares.internalOnly.ipallowlist.sourcerange=192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12"
 - "traefik.http.middlewares.internalOnlyWithAuth.chain.middlewares=internalOnly@docker,crowdsec@docker,authentik@docker"
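Review bot: The htpasswd hash and CrowdSec LAPI key removed in the `@@ -43` hunk of `docker-ext/compose.yml.j2` remain readable in the repository history, as do the database passwords removed in the `@@ -178`, `@@ -511`, `@@ -529` and `@@ -550` hunks and the Cloudflare key and WebDAV password removed in `docker-int/compose.yml.j2`, so each should be rotated and only the new values stored in the vault. The old basicauth value doubled every `$` so that Compose would not treat it as a variable reference; unless the vaulted hash is stored pre-escaped, the label needs `{{ traefik_basicauth_password | replace('$', '$$') }}`. Because the variable holds an htpasswd hash rather than a password, a name such as `traefik_basicauth_hash` would describe it better.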
@@ -178,13 +178,13 @@ services:
 environment:
 # - MYSQL_ROOT_PASSWORD=wallaroot
 - POSTGRES_USER=wallabag
- - POSTGRES_PASSWORD=Mo8ntF92q5oWNV6TbS7t
+ - POSTGRES_PASSWORD="{{ wallabag_postgres_password }}"
 - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
 - SYMFONY__ENV__DATABASE_HOST=postgres.injust.us
 - SYMFONY__ENV__DATABASE_PORT=5432
 - SYMFONY__ENV__DATABASE_NAME=wallabag
 - SYMFONY__ENV__DATABASE_USER=wallabag
- - SYMFONY__ENV__DATABASE_PASSWORD=Mo8ntF92q5oWNV6TbS7t
+ - SYMFONY__ENV__DATABASE_PASSWORD="{{ wallabag_postgres_password }}"
 - SYMFONY__ENV__DATABASE_TABLE_PREFIX="wallabag_"
 - SYMFONY__ENV__MAILER_DSN=smtp://127.0.0.1
 - SYMFONY__ENV__FROM_EMAIL=wallabag@example.com
@@ -511,7 +511,7 @@ services:
 - DB_HOST=bookstack_db
 - DB_PORT=3306
 - DB_USER=bookstack
- - DB_PASS=Chn8i#ExmX@J1C
+ - DB_PASS="{{ bookstack_db_password }}"
 - DB_DATABASE=bookstackapp
 env_file:
 - .env-bookstack
@@ -529,16 +529,16 @@ services:
 - "traefik.http.routers.bookstack.tls.certresolver=myresolver"
 - "traefik.http.routers.bookstack.tls=true"
 bookstack_db:
- image: lscr.io/linuxserver/mariadb:v24.10.1-ls173
+ image: lscr.io/linuxserver/mariadb:10.11.10-r0-ls161
 container_name: bookstack_db
 environment:
 - PUID=1000
 - PGID=1000
 - TZ=America/Thunder_Bay
- - MYSQL_ROOT_PASSWORD=cSoO1dcaS5sI&t
+ - MYSQL_ROOT_PASSWORD="{{ bookstack_db_root_password }}"
 - MYSQL_DATABASE=bookstackapp
 - MYSQL_USER=bookstack
- - MYSQL_PASSWORD=Chn8i#ExmX@J1C
+ - MYSQL_PASSWORD="{{ bookstack_db_password }}"
 volumes:
 - ./bookstack_db_data:/config
 restart: unless-stopped
@@ -550,7 +550,7 @@ services:
 DB_HOST: postgres.injust.us
 DB_PORT: 5432
 DB_USER: wikijs
- DB_PASS: 3Jfr7nmY4KBauR3nuHno
+ DB_PASS: "{{ wikijs_postgres_password }}"
 DB_NAME: wikijs
 restart: unless-stopped
 labels:
diff --git a/ansible/assets/docker-int/compose.yml.j2 b/ansible/assets/docker-int/compose.yml.j2
index f5092b6..2862869 100644
--- a/ansible/assets/docker-int/compose.yml.j2
+++ b/ansible/assets/docker-int/compose.yml.j2
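Review bot: In the `@@ -178` hunk the double quotes in `- POSTGRES_PASSWORD="{{ wallabag_postgres_password }}"` sit inside a plain YAML scalar, so in Compose's list-form `environment` everything after `=` is taken literally and the container receives the password wrapped in quote characters, unlike the unquoted literal it replaces. Quote the whole item instead, as the docker-int file already does for `CF_API_KEY`: `- "POSTGRES_PASSWORD={{ wallabag_postgres_password }}"`. The same applies to `SYMFONY__ENV__DATABASE_PASSWORD` in this hunk, `DB_PASS` in the `@@ -511` hunk and `MYSQL_ROOT_PASSWORD` / `MYSQL_PASSWORD` in the `@@ -529` hunk. A vaulted value that contains `$` would also need `$$` escaping to survive Compose interpolation.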
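Review bot: The `bookstack_db` image tag change from `v24.10.1-ls173` to `10.11.10-r0-ls161` in the `@@ -529` hunk is unrelated to moving secrets into the vault, and nothing visible in the diff explains it. Judging only from the tag names, this may move the container to a different or older MariaDB build than the one that last wrote `./bookstack_db_data`, which can stop the database from starting. It belongs in a separate commit with a stated reason, with a short comment above the `image:` line saying why this tag is pinned.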
@@ -29,7 +29,7 @@ services:
 - "./letsencrypt:/letsencrypt"
 - "./logsTraefik:/var/log/traefik"
 environment:
- - "CF_API_KEY=4fa4711ae24bd19c1c17a06ce2ec6b3fa7629"
+ - "CF_API_KEY={{ cf_api_key }}"
 - "CF_API_EMAIL=jg@justus.ws"
 # squid:
 # container_name: squid
@@ -97,22 +97,22 @@ services:
 - "8081:8080"
 environment:
 WEBDAV_USERNAME: alice
- WEBDAV_PASSWORD: secret1234
+ WEBDAV_PASSWORD: "{{ webdav_password }}"
 UID: 1001
 volumes:
 - ./consume:/media
- # webdav:
- # container_name: webdav
- # image: bytemark/webdav
- # restart: unless-stopped
- # ports:
- # - "8081:80"
- # environment:
- # AUTH_TYPE: Digest
- # USERNAME: alice
- # PASSWORD: secret1234
- # volumes:
- # - consume:/var/lib/dav/data/ScannerPro
+ # webdav:
+ # container_name: webdav
+ # image: bytemark/webdav
+ # restart: unless-stopped
+ # ports:
+ # - "8081:80"
+ # environment:
+ # AUTH_TYPE: Digest
+ # USERNAME: alice
+ # PASSWORD: secret1234
+ # volumes:
+ # - consume:/var/lib/dav/data/ScannerPro
 labels:
 - "traefik.http.routers.webdav.rule=Host(`webdav.injust.us`)"
 testweb:
diff --git a/ansible/inventory/host_vars/docker-ext/vars b/ansible/inventory/host_vars/docker-ext/vars
new file mode 100644
index 0000000..9428d86
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-ext/vars
@@ -0,0 +1,7 @@
+---
+traefik_basicauth_password: "{{ vault_traefik_basicauth_password }}"
+traefik_crowdsec_bouncer_lapi_key: "{{ vault_traefik_crowdsec_bouncer_lapi_key }}"
+wallabag_postgres_password: "{{ vault_wallabag_postgres_password }}"
+bookstack_db_password: "{{ vault_bookstack_db_password }}"
+bookstack_db_root_password: "{{ vault_bookstack_db_root_password }}"
+wikijs_postgres_password: "{{ vault_wikijs_postgres_password }}"
diff --git a/ansible/inventory/host_vars/docker-ext/vault b/ansible/inventory/host_vars/docker-ext/vault
new file mode 100644
index 0000000..6f2a699
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-ext/vault
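Review bot: `CF_API_KEY` paired with `CF_API_EMAIL` in the `@@ -29` hunk of `docker-int/compose.yml.j2` is Cloudflare's global account key, which grants far more than a DNS-01 challenge needs. Since the value now comes from the vault and has to be rotated anyway, this is the natural point to switch to a zone-scoped API token, for example `- "CF_DNS_API_TOKEN={{ cf_dns_api_token }}"`, and to drop `CF_API_EMAIL`. Whether the ACME client in this service reads that variable cannot be confirmed from the hunk, so check it against the deployed Traefik version first.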
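Review bot: The re-indented, commented-out `webdav` block in the `@@ -97` hunk still contains a `# PASSWORD:` line with the same literal value that this commit removes from the live `WEBDAV_PASSWORD` entry, so the template and every rendered copy on the host keep exposing it. Delete the dead block, or at least replace the value with a placeholder such as `# PASSWORD: <from vault>`. The block also sits between `volumes:` and `labels:` of the active service, which makes it easy to misread which service the labels belong to.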
@@ -0,0 +1,23 @@
+$ANSIBLE_VAULT;1.1;AES256
+32646563666534663266663566376431616161363333386234313761663134333734616233396133
+6563303763323332666264633964363366316136383332610a306365663331363737626664373234
+31346265613762636538353865613438386636643038303166303362616336323837323034333333
+6430646535656334360a633835343963623332633065323666346337396134316461376666363861
+33333465323366613837616134666139663162323035366162663466366261646661393262636133
+63663230353131363363313062323932643064386462646432613232643166386632626662336139
+66326238393733396337666430323265346635356562366432636635353938613033663562613934
+33376663623665323262396230313936343363333763393762373565303536666363326337316136
+31313262366538393362383762616166626561346339656466396331363338393663313361376163
+35386334623363353530373464663733616639313063386266626666663262616532373738386237
+32613136306463656433383035373737363735303538336462386461613664393635623463646434
+66366138333938646138643664643136663164613536626234663335643466396237373431393464
+63636132663436613465636239666533376666303235636235323838313830353936393563353235
+61336331356639623336643030393466336662383136386330636465613735633539636161323333
+39363932343235343838636265653830626161343032666331323362316533396366353131323736
+37663565343237613734353466343963363132306434306162346564303538623164613435623765
+32323062363833386364343939626535326562636465626131306534356165313566343237326632
+38393032656338313661333765326530353537366631653965303838393166393066653237323165
+38353538393536643361303665356631306166653162373763643137316362373536373162636364
+61646331326366363737663662656238393166366238636161343836376565346535653963663131
+33333539663330653663633033313832326334306634653833336133626234663739386632376630
+6230663035396165336139333439333461633534303766333934
diff --git a/ansible/inventory/host_vars/docker-int/vars b/ansible/inventory/host_vars/docker-int/vars
new file mode 100644
index 0000000..9039fb4
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-int/vars
@@ -0,0 +1,3 @@
+---
+cf_api_key: "{{ vault_cf_api_key }}"
+webdav_password: "{{ vault_webdav_password }}"
diff --git a/ansible/inventory/host_vars/docker-int/vault b/ansible/inventory/host_vars/docker-int/vault
new file mode 100644
index 0000000..82293cd
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-int/vault
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+35353935306336363466613765393230363230396162346665373961653631636464383737356331
+3835326264613564613034663166656333663464373835610a346239366162323935383362316263
+31346237376639376331616463306165643462633032366136626464313063373032646162336539
+3832653562376661610a386663313034326165336630333463333131343432613636613539643365
+39653238646535613962373234363732636539623262363361663038303930353965316535373262
+31306136336663643634376366396537653162376635303961643864613335653364316163386538
+37396531623265656431306635343230386365353364316264353431613138326264666561346439
+34373464653764303062353532333865666133373562313232613136383234306139633036386238
+30303430303334613735313534663935663266393036666262376635656536323230