diff --git a/.gitignore b/.gitignore index 596e8ea..808ca97 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ *.html *.pdf group_vars/*/local.config.yml +password.txt # Created by https://www.toptal.com/developers/gitignore/api/vim,intellij # Edit at https://www.toptal.com/developers/gitignore?templates=vim,intellij diff --git a/README.adoc b/README.adoc index 1d17456..60d25b9 100644 --- a/README.adoc +++ b/README.adoc @@ -22,6 +22,13 @@ sudo apt install ansible git brew install ansible git ---- +=== password.txt +To execute the playbook we need a password for the vault. +This password has to be stored in a `password.txt` containing exactly one line with only the password as content. + +[NOTE] +Use a secure password and keep it in a password-manager. + == Setup Make sure to configure the local environment: This is done by copying `global_vars/localhost/local.config.yml.tpl` to `global_vars/localhost/local.config.yml` and adjust it to the local conditions. @@ -41,5 +48,7 @@ After the configuration the setup is very simple: ---- git clone git@gitea.nehrke.info:nemoinho/dev-machine.git ~/Development/nemoinho/dev-machine cd $_ +# make sure that we're on the latest requirements +ansible-galaxy install -r requirements.yml --upgrade ansible-playbook main.yml ---- diff --git a/ansible.cfg b/ansible.cfg index becf46c..41fb4f8 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -5,3 +5,4 @@ become = True ask-become-pass = True display_skipped_hosts = False error_on_undefined_vars = True +vault_password_file = password.txt diff --git a/group_vars/localhost/common.config.yml b/group_vars/localhost/common.config.yml index 234b291..4d67f42 100644 --- a/group_vars/localhost/common.config.yml +++ b/group_vars/localhost/common.config.yml 
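Review bot: The added `vault_password_file = password.txt` in ansible.cfg makes a plaintext file in the working tree the key to every secret in the vault, and neither this hunk nor the new README section says how that file must be protected. The .gitignore entry only keeps it out of commits; it does not stop other local accounts or backup tools from reading it, so the README step should create the file with owner-only permissions, e.g. `install -m 600 /dev/null password.txt` before the password is written into it. Ansible also accepts an executable script for this setting and uses its standard output as the password, which would let the password stay in the password manager the README already recommends instead of on disk.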
@@ -2,3 +2,6 @@
 fly_url_linux: https://ci.nehrke.info/api/v1/cli?arch=amd64&platform=linux
 fly_url_darwin: https://ci.nehrke.info/api/v1/cli?arch=amd64&platform=darwin
 fly_url: "{{ fly_url_darwin if ansible_os_family == 'Darwin' else fly_url_linux }}"
+gitea_token: "{{ vault_gitea_token }}"
+gitea_api_url: "https://gitea.nehrke.info/api/v1"
+github_token: "{{ vault_github_token }}"
diff --git a/group_vars/localhost/vault.yml b/group_vars/localhost/vault.yml
new file mode 100644
index 0000000..3b2a826
--- /dev/null
+++ b/group_vars/localhost/vault.yml
@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+36303961316363323737363930613137366635656164656466303862643236376434643736333933
+3934303637643266363561626265383065623835623062380a393962346661333165323762613535
+33386434643533646638383931306633636139356638333863306631333263353262613563613532
+3164383666303539310a396631313065633661626332316231346135643363306337303136373037
+63323937363233656463323135663461383361616331366164666633623435333732636636303135
+37373866613933313432393763636530333436333232383866313332356134666430383564376266
+33313036623634396463656666633531643061393932333062383734393632653463623636616664
+66653461373261303964393531396138356461623536643738303262393461643566313339303866
+33366365316131643435643236653262363363633438633265366266646530666238373131623361
+30626634613435323531636632306164346161363339396663323163333362373436373234666436
+62623336396633393930623437353136376138343861613833336530636237343033623839333064
+37313633366330646232366162336639383737663636306463663736323966613839343737613531
+39363033366539303537643834616436616231396138323330333338623839336530333432633230
+36313535356664633232633438376162613333653663356637323736363866373038353732386435
+663935633462666536336332356435323539
diff --git a/main.yml b/main.yml
index 194d5ae..f9cf29a 100644
--- a/main.yml
+++ b/main.yml
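Review bot: With group_vars/localhost/vault.yml committed, the ciphertext is readable by everyone who can read the repository, so the vault password is the only barrier against offline guessing of what it holds (presumably `vault_gitea_token` and `vault_github_token`, going by common.config.yml). The README should say that `ansible-vault rekey` does not protect earlier revisions: the old ciphertext stays in git history, so after a suspected password leak the Gitea and GitHub tokens themselves have to be revoked and reissued. The tokens should also be limited to the scope needed for managing SSH keys; the file is encrypted, so that cannot be checked from this diff.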
@@ -18,3 +18,25 @@
 url: "{{ fly_url }}"
 dest: "{{ lookup('env', 'HOME') }}/.local/bin/fly"
 mode: "u=rwx,g=rx,o=rx"
+
+ - name: Ensure ssh keypair
+ tags: [ssh]
+ openssh_keypair:
+ path: "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519"
+ type: ed25519
+ regenerate: full_idempotence
+
+ - name: Ensure ssh key on github
+ tags: [ssh,git]
+ github_key:
+ name: "{{ lookup('env', 'USER') }}@{{ hostname }}"
+ token: "{{ github_token }}"
+ pubkey: "{{ lookup('file', lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"
+
+ - name: Ensure ssh key on gitea
+ tags: [ssh, git]
+ github_key:
+ name: "{{ lookup('env', 'USER') }}@{{ hostname }}"
+ token: "{{ gitea_token }}"
+ pubkey: "{{ lookup('file', lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"
+ api_url: "{{ gitea_api_url }}"
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..dc56ccb
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,2 @@
+collections:
+- community.general
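Review bot: `regenerate: full_idempotence` on the `Ensure ssh keypair` task is risky on a machine that already has `~/.ssh/id_ed25519`: with that setting openssh_keypair also replaces a key it cannot read, which includes one protected by a passphrase the module was not given, so an existing personal key can be overwritten without a backup. `regenerate: fail` (or `never`) stops the play instead of replacing an existing key. The task sets no `passphrase` either, so the new private key is stored unencrypted and is then registered on both GitHub and Gitea by the two following tasks. `hostname` is not defined in any visible hunk (the gathered fact is `ansible_hostname`), and with `error_on_undefined_vars = True` the play fails unless it is set elsewhere; the task list itself starts outside this hunk.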
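Review bot: The collection list in requirements.yml is unpinned and looks incomplete for what main.yml now uses: `openssh_keypair` is part of community.crypto, which is not listed, and `community.general` carries no version constraint although the README now runs `ansible-galaxy install -r requirements.yml --upgrade` before the playbook. That playbook runs with `become = True` and with the vault unlocked, so whatever the newest published collection contains executes with root rights and with both tokens in reach. I would list both collections with a tested `version:` range and leave `--upgrade` out of the routine instructions; the `api_url` option used for Gitea presumably needs a recent community.general, which is one more reason to state a minimum.

```yaml
collections:
- name: community.general
  version: "<TESTED_VERSION_RANGE>"  # placeholder: fill in the range you verified
- name: community.crypto
  version: "<TESTED_VERSION_RANGE>"  # placeholder: fill in the range you verified
```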