-All secrets are stored inside encrypted ansible vault files which live
-inside the secrets directory. Access to the vault files is controlled via
-GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+All secrets are stored inside encrypted ansible vault files which live in
+`host_vars`, `group_vars` or inside the `secrets` directory.
+Access to the vault files is controlled via GPG keys. Anybody who uses this
+ansible repository needs to have a GPG key.
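Review bot: The added sentence listing `host_vars` and `group_vars` does not say how to tell an encrypted vault file from an ordinary variables file in those directories, which in Ansible usually hold plaintext variables as well. Consider stating the convention this repository uses for vault files there (a filename pattern or subdirectory, if one exists), so contributors know where secrets belong and reviewers can spot one committed unencrypted. Minor: "ansible" could be capitalised as "Ansible" while this paragraph is being touched.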