diff --git a/playbooks/group_vars/locals/main.yml.example b/playbooks/group_vars/locals/main.yml.example
new file mode 100644
index 0000000..4677dd1
--- /dev/null
+++ b/playbooks/group_vars/locals/main.yml.example
@@ -0,0 +1,6 @@
+---
+passwords:
+  - username: admin
+    password: "{{ vaulted_passwords.admin.password }}"
+local_ssh_private_key_files: [] # @NOTE list paths to SSH private keys
+chosen_local_ssh_private_key_file: "{{ local_ssh_private_key_files | random }}"
diff --git a/playbooks/group_vars/locals/vault.yml.example b/playbooks/group_vars/locals/vault.yml.example
new file mode 100644
index 0000000..8946153
--- /dev/null
+++ b/playbooks/group_vars/locals/vault.yml.example
@@ -0,0 +1,7 @@
+---
+# @TODO encrypt as vault
+# @NOTE see https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module
+# Specifically, section for hashing using python passlib library
+vaulted_passwords:
+  admin:
+    password: ~
\ No newline at end of file