diff --git a/.gitignore b/.gitignore
index 5533d98..8012542 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,8 @@
-# Ansible artifacts
-*.retry
+# Ansible caches
+.ansible
+.ansible_facts_cache
 
-# Sensitive group vars
+# Secrets
 playbook/group_vars/vault.yml
-
-# Local facts/cache
-.ansible/
-.ansible_facts_cache/
-
-# Editor/OS
-.DS_Store
-*.swp
+.env
+*.retry
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/playbook/group_vars/vault.example.yml b/playbook/group_vars/vault.example.yml
new file mode 100644
index 0000000..59914f3
--- /dev/null
+++ b/playbook/group_vars/vault.example.yml
@@ -0,0 +1,10 @@
+# Beispiel für geheime Variablen (nicht committen als vault.yml)
+# Kopiere diese Datei nach vault.yml und fülle Werte aus.
+# Empfohlen: Verschlüsselung (Ansible Vault oder sops/age).
+---
+upgrade_api_token: "<token>"
+notification_webhook: "<url>"
+ssh_private_key: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  <key>
+  -----END OPENSSH PRIVATE KEY-----