diff --git a/.gitignore b/.gitignore
index c74bdfb..6d26e0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 cloudflare_token.ini
 .vscode/settings.json
 .vault_pass
+.ansible_facts.json
diff --git a/playbook.yml b/playbook.yml
index 6aad9c5..af84958 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -4,6 +4,8 @@
 # For a purely reproducible build this would be a good suggestion but I'm willing to take the risk with the Pi.
 - name: Install raspberry pi
 hosts: raspberry_pis
+ vars_files:
+ - vault.yml
 roles:
 # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
 # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
@@ -11,7 +13,8 @@
 # become: true
 # - role: devsec.hardening.ssh_hardening
 # become: true
- - role: zsh
+ # - role: zsh
+ - role: pi-hole
 vars:
 # devsec.hardening.os_hardening vars:
 os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
@@ -23,6 +26,13 @@
 ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
 ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
 tasks:
+ # This task can be handy for debugging gathered facts, uncomment it if necessary:
+ # - name: Store gathered facts in local file
+ # delegate_to: localhost
+ # ansible.builtin.copy:
+ # dest: './.ansible_facts.json'
+ # content: "{{ ansible_facts }}"
+ # mode: "0600"
 # TODO: Replace this with setup that sets up unnattended updates on the machine itself.
 - name: Update all packages to their latest version # noqa: package-latest
 become: true
diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml
new file mode 100644
index 0000000..311fbde
--- /dev/null
+++ b/roles/pi-hole/tasks/main.yml
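Review bot: The commented-out debug task in the third playbook.yml hunk (`@@ -23,6 +26,13 @@`) writes every host's facts to the same local `./.ansible_facts.json`, so if `raspberry_pis` ever holds more than one host, each host's copy overwrites the previous one and only the last host's facts survive. If the task is uncommented, per-host output is safer: `dest: "./.ansible_facts_{{ inventory_hostname }}.json"` with a matching `.ansible_facts_*.json` entry in .gitignore. Gathered facts typically include the remote environment (`ansible_facts.env`), so the dump can carry anything exported in the Pi's shell environment; the `mode: "0600"` and the new .gitignore entry are the right mitigation and should be kept together with the task, which a short comment on the task (`# facts include ansible_env; keep this file ignored and 0600`) would make explicit. The play's `tasks:` list continues past the end of the hunk.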
@@ -0,0 +1,9 @@
+---
+- name: Install Podman
+ become: true
+ ansible.builtin.apt:
+ name: podman
+ state: present
+# TODO: I'll have to come back to this configuration, it appears there's a problem.
+# We're going to need to reuse web ports in order to serve multiple websites from
+# the Raspberry Pi, this will probably necesitate installing Nginx or another reverse proxy.
diff --git a/vault.yml b/vault.yml
new file mode 100644
index 0000000..cdaa296
--- /dev/null
+++ b/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+62623739323861346233393436396635393933303232646636383335663033623863646637383762
+6466613363613136626237383830373535336138643539660a313731313738636133646236386237
+64346565353630393639653766386137386132633362336432633664383165663665363562626131
+3337646464383465330a666638373130353234353532333830353265643063313365616361333834
+37656661343561303564383963656532633364303863616234633437346338653563623030393065
+36336630636133393831363361396239353761653039316533613239633234326161616663636335
+323335343265396264356563373664643264
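Review bot: The `Install Podman` task calls `ansible.builtin.apt` with `state: present` but no `update_cache`, so on a freshly imaged Pi whose package index has never been refreshed the install can fail to find `podman` until something else runs `apt update`; adding `update_cache: true` and `cache_valid_time: 3600` under the module args makes the role self-contained while keeping reruns cheap. The role is named `pi-hole` yet the only task installs the container runtime, and the trailing TODO is the sole hint of the intended end state; a header comment above the first task such as `# Intended to run Pi-hole as a Podman container; currently only installs the runtime.` would tell a reader what "coming back to this" means. The TODO also has a typo (`necesitate` → `necessitate`).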
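Review bot: Nothing in the repository shows which variables the new `vault.yml` defines, because the whole file is encrypted and playbook.yml only lists it under `vars_files`. The usual convention is to name vaulted variables `vault_<name>` and map them from a plain-text vars file (`cloudflare_token: "{{ vault_cloudflare_token }}"`), or to encrypt individual values with `ansible-vault encrypt_string`, so that variable names and their usage stay greppable and reviewable without the vault password. Committing the encrypted file itself is fine given `.vault_pass` is already in .gitignore, but a comment next to `- vault.yml` in playbook.yml naming the variables it provides would help readers without access to the password.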