diff --git a/ansible/playbooks/ipaclient.yml b/ansible/playbooks/ipaclient.yml
new file mode 100644
index 0000000..3ded04c
--- /dev/null
+++ b/ansible/playbooks/ipaclient.yml
@@ -0,0 +1,7 @@
+---
+
+ipaclient_domain = rockylinux.org
+ipaclient_realm = ROCKYLINUX.ORG
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true
diff --git a/ansible/playbooks/role-rocky-ipa-client.yml b/ansible/playbooks/role-rocky-ipa-client.yml
index 44b83f1..3307275 100644
--- a/ansible/playbooks/role-rocky-ipa-client.yml
+++ b/ansible/playbooks/role-rocky-ipa-client.yml
@@ -6,6 +6,7 @@
   become: true
   vars_files:
     - vars/encpass.yml
+    - vars/ipaclient.yml
   pre_tasks:
     - name: Check if ansible cannot be run here
diff --git a/ansible/playbooks/vars/encpass.yml b/ansible/playbooks/vars/encpass.yml
index fdceed4..b4e2d15 100644
--- a/ansible/playbooks/vars/encpass.yml
+++ b/ansible/playbooks/vars/encpass.yml
@@ -1,5 +1,9 @@
 ---
-# You must set this up using ansible-vault
+# You must set this up using ansible-vault. Note that each var of a particular
+# group (eg ipa) should have its own vault password separate from the rest. The
+# passwords here should not be unlockable by one single password. It may be
+# beneficial instead to split out the various passwords into separate vars
+# files.
 ipaadmin_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   REDACTED
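Review bot: The new vars file uses `key = value` lines instead of YAML mappings, so `ipaclient_domain = rockylinux.org` through `ipaclient_mkhomedir = true` parse as one folded plain scalar rather than five variables, and Ansible will reject the file because a vars file must be a dictionary; none of the ipaclient_* variables would ever be defined. Each line needs `key: value` form, and the `!vault`-style loader in the sibling vars files shows the project already expects mapping syntax here. The blank line after `---` can go as well.
```yaml
---
ipaclient_domain: rockylinux.org
ipaclient_realm: ROCKYLINUX.ORG
ipaadmin_principal: admin
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
```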
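Review bot: The added `- vars/ipaclient.yml` entry points at a file this commit does not create: the new file lands at `ansible/playbooks/ipaclient.yml`, while the entry, resolved the same way as the existing `vars/encpass.yml`, looks under `ansible/playbooks/vars/`. As far as I can tell from the visible paths the play will fail at load time with a missing vars file; either move the new file into `ansible/playbooks/vars/` or change the entry to `- ipaclient.yml`. The enclosing play definition starts before this hunk.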
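Review bot: The expanded comment prescribes a separate vault password per group but does not say how a single run is expected to supply several passwords, which is the part a future maintainer will need. Inline `!vault` blobs encrypted under different passwords are normally distinguished by vault-id labels (`--vault-id <label>@...` when encrypting and when running), and the existing blob's `$ANSIBLE_VAULT;1.1;AES256` header carries no label, so the comment could add a line such as `# Encrypt each group's secrets with its own vault-id label (e.g. ipa@prompt) so runs can pass several --vault-id options.` This is a documentation suggestion only; the comment text is otherwise fine.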