diff --git a/.gitignore b/.gitignore
index b891b16..adbcad1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,7 @@ serguzim.net.png
 diagram_assets/
+
+# services already handled by ansible
+acme-dns/
+umami/
diff --git a/_ansible/inventory/group_vars/all/compose_defaults.yml b/_ansible/inventory/group_vars/all/compose_defaults.yml
index 1dd72b7..ef2157d 100644
--- a/_ansible/inventory/group_vars/all/compose_defaults.yml
+++ b/_ansible/inventory/group_vars/all/compose_defaults.yml
@@ -8,7 +8,13 @@ compose_default_file:
 networks:
 apps:
 aliases:
- - "{{ service.name }}"
+ - "{{ svc.name }}"
 networks:
 apps:
 external: true
+
+compose_env_file:
+ services:
+ app:
+ env_file:
+ - service.env
diff --git a/_ansible/local-dev.yml b/_ansible/local-dev.yml
index 299e2bb..c69e82b 100644
--- a/_ansible/local-dev.yml
+++ b/_ansible/local-dev.yml
@@ -8,3 +8,4 @@
 hosts: local-dev
 roles:
 - acme-dns
+ - umami
diff --git a/_ansible/main.yml b/_ansible/main.yml
deleted file mode 100644
index e69de29..0000000
diff --git a/_ansible/node002.yml b/_ansible/node002.yml
index 553088c..8dc321f 100644
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
@@ -3,3 +3,4 @@
 hosts: node002
 roles:
 - acme-dns
+ - umami
diff --git a/_ansible/roles/acme-dns/tasks/main.yml b/_ansible/roles/acme-dns/tasks/main.yml
index ed055a2..a14feef 100644
--- a/_ansible/roles/acme-dns/tasks/main.yml
+++ b/_ansible/roles/acme-dns/tasks/main.yml
@@ -2,31 +2,31 @@
 - name: Deploy acme-dns
 tags: acme-dns
 vars:
- service_path: "{{ (services_path, 'acme-dns') | path_join }}"
+ service_path: "{{ (services_path, svc.name) | path_join }}"
 config_path: "{{ (service_path, 'config') | path_join }}"
 block:
- - name: Create a service directory
+ - name: Create a service directory for {{ svc.name }}
 ansible.builtin.file:
 path: "{{ service_path }}"
 state: directory
 mode: "0755"
- - name: Create a service-config directory
+ - name: Create a service-config directory for {{ svc.name }}
 ansible.builtin.file:
 path: "{{ config_path }}"
 state: directory
 mode: "0755"
- - name: Template acme-dns docker-compose
+ - name: Template {{ svc.name }} docker-compose
 ansible.builtin.template:
 src: docker-compose.yml.j2
 dest: "{{ (service_path, 'docker-compose.yml') | path_join }}"
- - name: Template acme-dns config
+ - name: Template {{ svc.name }} config
 ansible.builtin.template:
 src: config.cfg.j2
 dest: "{{ (config_path, 'config.cfg') | path_join }}"
- - name: Template acme-dns caddy config
+ - name: Template {{ svc.name }} caddy config
 ansible.builtin.template:
 src: caddy_site.conf.j2
- dest: "{{ (caddy_config_path, service.domain + '.conf') | path_join }}"
+ dest: "{{ (caddy_config_path, svc.domain + '.conf') | path_join }}"
diff --git a/_ansible/roles/acme-dns/templates/config.cfg.j2 b/_ansible/roles/acme-dns/templates/config.cfg.j2
index 7c4767f..31dbf10 100644
--- a/_ansible/roles/acme-dns/templates/config.cfg.j2
+++ b/_ansible/roles/acme-dns/templates/config.cfg.j2
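Review bot: The `Template {{ svc.name }} config` task still has no `mode:`, yet the file it writes, config.cfg, is filled with `svc.db.pass` by config.cfg.j2, so the database password lands on disk with the template module's default umask-derived permissions inside a directory this block creates as `0755`; add `mode: "0600"` under that task's `dest:` line. The docker-compose and Caddy outputs carry no secret, so leaving their tasks as they are is fine. The `Deploy acme-dns` block begins in this hunk and whether anything follows its last `dest:` line is outside it.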
@@ -1,23 +1,23 @@
 [general]
 listen = "0.0.0.0:53"
 protocol = "both"
-domain = "{{ acme_dns.domain }}"
-nsname = "{{ acme_dns.domain }}"
-nsadmin = "{{ acme_dns.nsadmin }}"
+domain = "{{ svc.domain }}"
+nsname = "{{ svc.domain }}"
+nsadmin = "{{ svc.nsadmin }}"
 records = [
- "{{ acme_dns.domain }}. A {{ acme_dns.records.a }}",
- "{{ acme_dns.domain }}. NS {{ acme_dns.domain }}.",
+ "{{ svc.domain }}. A {{ svc.records.a }}",
+ "{{ svc.domain }}. NS {{ svc.domain }}.",
 ]
 debug = false
 [database]
 engine = "postgres"
-connection = "postgres://{{ acme_dns.db.user }}:{{ acme_dns.db.pass }}@{{ acme_dns.db.host }}/{{ acme_dns.db.db }}"
+connection = "postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}/{{ svc.db.db }}"
 [api]
 ip = "0.0.0.0"
 disable_registration = false
-port = "80"
+port = "{{ svc.port }}"
 tls = "none"
 corsorigins = [
 "*"
diff --git a/_ansible/roles/acme-dns/vars/main.yml b/_ansible/roles/acme-dns/vars/main.yml
index 4873f28..dee3738 100644
--- a/_ansible/roles/acme-dns/vars/main.yml
+++ b/_ansible/roles/acme-dns/vars/main.yml
@@ -1,6 +1,8 @@
-acme_dns:
- nsadmin: "{{ admin_email | regex_replace('@', '.') }}"
+svc:
 domain: "acme.serguzim.me"
+ name: acme-dns
+ port: 80
+ nsadmin: "{{ admin_email | regex_replace('@', '.') }}"
 records:
 a: "{{ ansible_facts.default_ipv4.address }}"
 db:
@@ -9,13 +11,7 @@ acme_dns:
 user: "{{ vault_acmedns.db.user }}"
 pass: "{{ vault_acmedns.db.pass }}"
 db: acme_dns
- api:
- port: 80
-service:
- domain: "{{ acme_dns.domain }}"
- name: acme-dns
- port: "{{ acme_dns.api.port }}"
 compose:
 watchtower: true
diff --git a/_ansible/roles/umami/tasks/main.yml b/_ansible/roles/umami/tasks/main.yml
new file mode 100644
index 0000000..d35baa3
--- /dev/null
+++ b/_ansible/roles/umami/tasks/main.yml
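Review bot: The new `connection` line interpolates `svc.db.user` and `svc.db.pass` verbatim into the URL, so a vault password containing `@`, `:` or `%` yields a wrong host or an unparsable DSN instead of an obvious error; change it to `connection = "postgres://{{ svc.db.user | urlencode }}:{{ svc.db.pass | urlencode }}@{{ svc.db.host }}/{{ svc.db.db }}"` (Jinja's `urlencode` leaves `/` unescaped, so that character still has to stay out of the value). The `DATABASE_URL` entry in the new umami vars/main.yml has the same gap. `port = "{{ svc.port }}"` renders the integer `80` from vars/main.yml as `"80"`, identical to the removed literal, so that line is fine.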
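Review bot: `svc:` is now a generic top-level role var that the umami role defines under the same name, and the shared templates in _ansible/templates depend on it; Ansible exports each role's vars/main.yml to play scope by default, so with `acme-dns` and `umami` in one play a play-level or post-role reference to `svc` would presumably see whichever role loaded last. Within each role's own tasks its own vars take precedence, so the roles themselves should be unaffected, but a comment on the `svc:` line such as `# shared name consumed by _ansible/templates/*.j2; role-scoped, do not reference at play level`, or `private_role_vars = true` in ansible.cfg, would make that boundary explicit. `port: 80` is now an unquoted integer where the removed `service.port` was a templated string; both render as `80` in caddy_site.conf.j2 and config.cfg.j2.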
@@ -0,0 +1,28 @@
+---
+- name: Deploy umami
+ tags:
+ - analytics
+ - umami
+ vars:
+ service_path: "{{ (services_path, svc.name) | path_join }}"
+ block:
+ - name: Create a service directory for {{ svc.name }}
+ ansible.builtin.file:
+ path: "{{ service_path }}"
+ state: directory
+ mode: "0755"
+
+ - name: Template {{ svc.name }} docker-compose
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: "{{ (service_path, 'docker-compose.yml') | path_join }}"
+
+ - name: Template {{ svc.name }} service.env file
+ ansible.builtin.template:
+ src: service.env.j2
+ dest: "{{ (service_path, 'service.env') | path_join }}"
+
+ - name: Template {{ svc.name }} caddy config
+ ansible.builtin.template:
+ src: caddy_site.conf.j2
+ dest: "{{ (caddy_config_path, svc.domain + '.conf') | path_join }}"
diff --git a/_ansible/roles/umami/vars/main.yml b/_ansible/roles/umami/vars/main.yml
new file mode 100644
index 0000000..abbb01c
--- /dev/null
+++ b/_ansible/roles/umami/vars/main.yml
@@ -0,0 +1,21 @@
+svc:
+ domain: "analytics.serguzim.me"
+ name: umami
+ port: 3000
+ db:
+ host: "{{ postgres.host }}"
+ user: "{{ vault_umami.db.user }}"
+ pass: "{{ vault_umami.db.pass }}"
+ db: umami
+
+svc_env:
+ DATABASE_URL: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}/{{ svc.db.db }}
+ DATABASE_TYPE: postgresql
+ FORCE_SSL: 1
+ HOSTNAME: "{{ svc.domain }}"
+ HASH_SALT: "{{ vault_umami.hash_salt }}"
+
+compose:
+ watchtower: true
+ image: docker.umami.dev/umami-software/umami:postgresql-latest
+ env: true
diff --git a/_ansible/templates/caddy_site.conf.j2 b/_ansible/templates/caddy_site.conf.j2
index ac90d24..782eddd 100644
--- a/_ansible/templates/caddy_site.conf.j2
+++ b/_ansible/templates/caddy_site.conf.j2
@@ -1,4 +1,4 @@
-{{ service.domain }} {
+{{ svc.domain }} {
 import default
- reverse_proxy {{ service.name }}:{{ service.port }}
+ reverse_proxy {{ svc.name }}:{{ svc.port }}
 }
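Review bot: The `Template {{ svc.name }} service.env file` task writes `vault_umami.db.pass` and `vault_umami.hash_salt` (through `svc_env` in vars/main.yml) to `service.env` with no `mode:`, so the secrets get the template module's default umask-derived permissions in a directory this block creates as `0755`; add `mode: "0600"` after that task's `dest:` line. The docker-compose.yml task needs no such change, since the compose file only names `service.env` rather than containing its values. The acme-dns role's config task has the same omission.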
diff --git a/_ansible/templates/docker-compose.yml.j2 b/_ansible/templates/docker-compose.yml.j2
index a56f24d..f81226b 100644
--- a/_ansible/templates/docker-compose.yml.j2
+++ b/_ansible/templates/docker-compose.yml.j2
@@ -1 +1,6 @@
-{{ compose_default_file | combine(compose_file, recursive=True) | to_nice_yaml }}
+{% set compose_file = compose_file | default({}) %}
+{% set compose_file = compose_default_file | combine(compose_file, recursive=True) %}
+{% if compose.env | default(False) %}
+ {% set compose_file = compose_file | combine(compose_env_file, recursive=True) %}
+{% endif %}
+{{ compose_file | to_nice_yaml }}
diff --git a/_ansible/templates/service.env.j2 b/_ansible/templates/service.env.j2
new file mode 100644
index 0000000..2a594f4
--- /dev/null
+++ b/_ansible/templates/service.env.j2
@@ -0,0 +1,3 @@
+{% for key, value in svc_env.items() %}
+{{ key }}={{ value }}
+{% endfor %}
diff --git a/umami/.env b/umami/.env
deleted file mode 100644
index 53bfcca..0000000
--- a/umami/.env
+++ /dev/null
@@ -1,5 +0,0 @@
-DATABASE_URL=""
-DATABASE_TYPE="postgresql"
-HASH_SALT=""
-FORCE_SSL="1"
-HOSTNAME="analytics.serguzim.me"
diff --git a/umami/docker-compose.yml b/umami/docker-compose.yml
deleted file mode 100644
index 83b4bba..0000000
--- a/umami/docker-compose.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-version: '3'
-services:
- app:
- image: docker.umami.dev/umami-software/umami:postgresql-latest
- restart: always
- labels:
- com.centurylinklabs.watchtower.enable: true
- env_file:
- - .env
- - .secret.env
- networks:
- apps:
- aliases:
- - umami
-
-networks:
- apps:
- external: true
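Review bot: Both `combine(..., recursive=True)` calls merge mappings but replace lists wholesale (the filter's `list_merge` default is `replace`), so a role whose `compose_file` already sets `services.app.env_file` or `networks.apps.aliases` has that list silently overwritten by the second merge, and vice versa; if the intent is additive, pass the option on both calls, e.g. `{% set compose_file = compose_file | combine(compose_env_file, recursive=True, list_merge='append') %}`. If replacement is intended, a one-line comment at the top of the template, `{# lists are replaced, not merged: a role-defined env_file list overrides compose_env_file #}`, would spare the next role author the surprise. The `{% set %}` inside `{% if %}` does rebind the outer `compose_file`, since `if` opens no new Jinja scope, so the structure itself is sound.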
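Review bot: `{{ key }}={{ value }}` emits every `svc_env` value raw, whereas the deleted umami/.env kept values double-quoted; under Compose's dotenv-style `env_file` parsing a vault secret containing a ` #` sequence or a newline would presumably be truncated or split into a second key, and surrounding whitespace becomes part of the value. Either state that constraint at the top of the template, `{# values are written unquoted: no newlines, no ' #' sequences, no surrounding quotes #}`, or emit `{{ key }}="{{ value }}"` and escape any embedded `"` in the value.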