diff --git a/Makefile b/Makefile
index a5011d6..6cc2944 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,12 @@
+export BAO_ADDR=https://bao.digitalboard.ch
+
 install:
 	ansible-galaxy collection install -r requirements.yml -p collections
+bao:
+	bao login -method=oidc -path=Digitalboard role=default
+	$(eval export VAULT_TOKEN=$(shell bao print token))
+
 ping_demo:
 	echo "# pinging demo-gymburgdorf"
 	ansible all -i inventories/demo-gymburgdorf/hosts.yml -m ping || true
diff --git a/README.md b/README.md
index 346be0c..4bfdb6d 100644
--- a/README.md
+++ b/README.md
@@ -4,14 +4,11 @@
 ### Secrets
 Secrets are managed using [OpenBao](https://bao.digitalboard.ch).
-Download the CLI binary once (not checked in):
-```bash
-curl -L https://github.com/openbao/openbao/releases/latest/download/bao_linux_amd64 -o ./bao && chmod +x ./bao
-```
+The bao CLI needs to be installed. e.g `sudo pacman -S openbao python-hvac`
 Authenticate and export token before running playbooks:
 ```bash
 export BAO_ADDR=https://bao.digitalboard.ch
-./bao login -method=oidc -path=Digitalboard
-export VAULT_TOKEN=$(./bao print token)
+bao login -method=oidc -path=Digitalboard
+export VAULT_TOKEN=$(bao print token)
 ```
\ No newline at end of file
diff --git a/inventories/demo-gymburgdorf/group_vars/all/docker.yml b/inventories/demo-gymburgdorf/group_vars/all/docker.yml
new file mode 100644
index 0000000..e8e8350
--- /dev/null
+++ b/inventories/demo-gymburgdorf/group_vars/all/docker.yml
@@ -0,0 +1 @@
+docker_registry_mirrors: ["https://registry-mirror.wksbern.ch"]
\ No newline at end of file
diff --git a/inventories/demo-gymburgdorf/group_vars/all/vault.yml b/inventories/demo-gymburgdorf/group_vars/all/vault.yml
new file mode 100644
index 0000000..5575957
--- /dev/null
+++ b/inventories/demo-gymburgdorf/group_vars/all/vault.yml
@@ -0,0 +1,2 @@
+vault_addr: "https://bao.digitalboard.ch"
+vault_mount: "demo-gymburgdorf"
\ No newline at end of file
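Review bot: The `$(eval export VAULT_TOKEN=$(shell bao print token))` line in the new `bao` recipe is expanded by make rather than by the shell, and GNU make appears to expand a target's recipe lines before it starts executing them, so `bao print token` runs before `bao login` has completed and picks up whatever token existed beforehand. Even where that works, the exported variable only reaches child processes of this make invocation, never the developer's shell that the README expects to hold `VAULT_TOKEN`, so `make bao` silently leaves later `ansible` runs from the shell unauthenticated. The target is also not declared phony, and the previous README told users to download the binary to `./bao` in this directory, so a leftover file of that name would make `make bao` report it is up to date and skip the login entirely. I would add `.PHONY: bao` and replace the eval line with `@echo 'now run: export VAULT_TOKEN=$$(bao print token)'`, or have the playbook targets depend on `bao` and obtain the token inside their own recipe lines.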
diff --git a/inventories/demo-gymburgdorf/group_vars/backend_servers/traefik.yml b/inventories/demo-gymburgdorf/group_vars/backend_servers/traefik.yml
new file mode 100644
index 0000000..42f49a8
--- /dev/null
+++ b/inventories/demo-gymburgdorf/group_vars/backend_servers/traefik.yml
@@ -0,0 +1 @@
+traefik_mode: backend
\ No newline at end of file
diff --git a/inventories/demo-gymburgdorf/group_vars/traefik_servers/traefik.yml b/inventories/demo-gymburgdorf/group_vars/traefik_servers/traefik.yml
new file mode 100644
index 0000000..a0f587e
--- /dev/null
+++ b/inventories/demo-gymburgdorf/group_vars/traefik_servers/traefik.yml
@@ -0,0 +1,13 @@
+_acme_tsig: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/acme-tsig', url=vault_addr ) }}"
+
+traefik_use_ssl: true
+traefik_cert_mode: "acme"
+traefik_log_level: DEBUG
+traefik_network: proxy
+
+traefik_acme_dns_zone: "gymb._acme.digitalboard.ch"
+traefik_acme_dns_nameserver: "{{ _acme_tsig.server }}"
+traefik_acme_tsig_algorithm: "hmac-sha256"
+traefik_acme_tsig_key: "{{ _acme_tsig.tsig_key }}"
+traefik_acme_tsig_secret: "{{ _acme_tsig.tsig_secret }}"
+
diff --git a/inventories/demo-gymburgdorf/host_vars/reverseproxy/traefik.yml b/inventories/demo-gymburgdorf/host_vars/reverseproxy/traefik.yml
new file mode 100644
index 0000000..35f8874
--- /dev/null
+++ b/inventories/demo-gymburgdorf/host_vars/reverseproxy/traefik.yml
@@ -0,0 +1 @@
+traefik_mode: dmz
\ No newline at end of file
diff --git a/inventories/demo-gymburgdorf/hosts.yml b/inventories/demo-gymburgdorf/hosts.yml
index 28fab11..648b2cf 100644
--- a/inventories/demo-gymburgdorf/hosts.yml
+++ b/inventories/demo-gymburgdorf/hosts.yml
@@ -22,6 +22,7 @@ all:
 backend_servers:
 hosts:
 application:
+storage:
 garage_servers:
 hosts:
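Review bot: `traefik_log_level: DEBUG` is committed as a permanent group_vars value for the proxy hosts in traefik_servers/traefik.yml, which keeps the reverse proxy logging request-level detail for every client indefinitely; if it is only wanted while bringing up the ACME DNS challenge, set `traefik_log_level: INFO` here and pass `-e traefik_log_level=DEBUG` when debugging. As far as I can tell Ansible re-runs the `_acme_tsig` lookup every time a variable referencing it is templated, and three variables reference it, so expect several Vault reads per host per play rather than one — harmless, but a comment such as `# KV v2 secret acme-tsig; expected keys: server, tsig_key, tsig_secret` above the lookup would document the secret layout the three consumers depend on. The lookup also relies on `VAULT_TOKEN` being present in the environment, which matches the README, but that dependency is not visible from this file and is worth one line of comment next to `vault_addr`.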