fix: fixes for problems encountered during deployment

Twirre Meulenbelt
2026-04-22 18:29:36 +02:00
parent 4aa98b5514
commit d8f4307969
7 changed files with 131 additions and 123 deletions


@@ -2,7 +2,7 @@
Going for an Esperanto naming theme.
Portable Ansible provisioning for Twirre infrastructure. The current layout is built around Debian-family hosts, `/srv` for deployed services, `/etc` for config, and systemd-managed apps.
Portable Ansible provisioning for Twirre infrastructure. The current layout uses Ubuntu 24.04 package names, `/srv` for deployed services, `/etc` for config, and systemd-managed apps, so it will not work on Debian without adjustment.
## What this provisions
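Review bot: the rewritten description line says the layout will not work on Debian without adjustment, but in the visible lines that constraint exists only as README text. If the playbook does not already check it, add a preflight task at the top of `site.yml` that uses `ansible.builtin.assert` on `ansible_facts['distribution']` and `ansible_facts['distribution_version']`, so a run against a Debian host stops before any package task executes rather than failing partway and leaving a half-provisioned machine.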
@@ -55,7 +55,7 @@ ansible-playbook --syntax-check site.yml
Run the playbook:
```bash
ansible-playbook site.yml
ansible-playbook site.yml --ask-vault-pass
```
## Notes
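Review bot: the changed command `ansible-playbook site.yml --ask-vault-pass` implies vault-encrypted content, yet the visible README lines do not say which files are encrypted or how to edit them. Add a sentence naming the vaulted files and pointing to `ansible-vault edit`, and mention `--vault-password-file` for non-interactive runs. The `ansible-playbook --syntax-check site.yml` command shown in the hunk header is untouched by this change; check whether it now needs the vault flag as well.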
@@ -64,6 +64,11 @@ ansible-playbook site.yml
- If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
- ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.
## Manual post-provisioning steps
- Set up ACME DNS records for the domains and enable `certbot_manage_certificates: true` before the next playbook run.
- Restore backups for Gitea and Mailserver data.
## Future plans
- [ ] Encryption for non-boot files with LUKS (/home, /srv, /var/lib/<my-services>).
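Review bot: the first new bullet under `## Manual post-provisioning steps` says to enable `certbot_manage_certificates: true` before the next playbook run, while the existing note at the top of this hunk says a second run is needed after the first successful issuance before nginx switches to the live certificates. Say in the bullet that enabling the flag means two further runs, or point to that note. The backup bullet should also state whether the Gitea and Mailserver services must be stopped before restoring and which paths the data goes to.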