diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index cd95abf..9cd24c3 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -96,6 +96,31 @@ jobs: - name: Check out code uses: actions/checkout@v4 + - name: Configure CI Ansible (no vault, localhost inventory) + run: | + set -e + cat > /tmp/ci-inventory.ini <<'EOF' + [all] + localhost ansible_connection=local + EOF + + cat > /tmp/ci-ansible.cfg <<'EOF' + [defaults] + inventory = /tmp/ci-inventory.ini + roles_path = roles + host_key_checking = False + stdout_callback = yaml + bin_ansible_callbacks = True + retry_files_enabled = False + interpreter_python = auto_silent + forks = 10 + pipelining = True + EOF + + echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" + echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" + echo "ANSIBLE_VAULT_PASSWORD_FILE=/dev/null" >> "$GITHUB_ENV" + - name: Install Python and dependencies run: | apt-get update && apt-get install -y python3 python3-pip @@ -304,21 +329,9 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Install Python and dependencies - run: | - apt-get update && apt-get install -y python3 python3-pip - - - name: Install Ansible - run: pip3 install --no-cache-dir ansible - - - name: Install Ansible collections - run: | - ansible-galaxy collection install -r collections/requirements.yml - - - name: Validate playbooks (CI inventory, no vault) + - name: Configure CI Ansible (no vault, localhost inventory) run: | set -e - echo "Validating playbooks against a CI-only localhost inventory (no vault required)..." cat > /tmp/ci-inventory.ini <<'EOF' [dev] localhost ansible_connection=local 
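Review bot: The added step writes `/tmp/ci-inventory.ini` and `/tmp/ci-ansible.cfg` at fixed paths in a world-writable directory, and `cat >` follows a symlink or overwrites a file that is already there. On a runner whose /tmp is shared or persists between jobs, another job could therefore influence the configuration Ansible loads. Create a private directory first with `ci_dir="$(mktemp -d)"`, write both files under `"$ci_dir"` and export those paths to `$GITHUB_ENV`; the `inventory =` line inside the quoted heredoc can then be dropped, since `ANSIBLE_INVENTORY` is already exported. `host_key_checking = False` has no effect with `ansible_connection=local` and is better removed, so the file cannot be reused against remote hosts with host key verification off. The same block is repeated in the hunk at `@@ -342,6 +355,38 @@`, and the job this step belongs to starts outside the hunk.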
@@ -342,6 +355,38 @@ jobs: localhost ansible_connection=local EOF + cat > /tmp/ci-ansible.cfg <<'EOF' + [defaults] + inventory = /tmp/ci-inventory.ini + roles_path = roles + host_key_checking = False + stdout_callback = yaml + bin_ansible_callbacks = True + retry_files_enabled = False + interpreter_python = auto_silent + forks = 10 + pipelining = True + EOF + + echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" + echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" + echo "ANSIBLE_VAULT_PASSWORD_FILE=/dev/null" >> "$GITHUB_ENV" + + - name: Install Python and dependencies + run: | + apt-get update && apt-get install -y python3 python3-pip + + - name: Install Ansible + run: pip3 install --no-cache-dir ansible + + - name: Install Ansible collections + run: | + ansible-galaxy collection install -r collections/requirements.yml + + - name: Validate playbooks (CI inventory, no vault) + run: | + set -e + echo "Validating playbooks against a CI-only localhost inventory (no vault required)..." failed=0 for playbook in playbooks/*.yml site.yml configure_app.yml provision_vms.yml; do [ -f "$playbook" ] || continue
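Review bot: `pip3 install --no-cache-dir ansible` in the re-added "Install Ansible" step resolves to whatever release is newest when the job runs, so the code executed in CI can change without any change to the repository. Pin the version, for example `pip3 install --no-cache-dir "ansible==<PINNED_VERSION>"`, or install from a requirements file with `--require-hashes`. Whether `collections/requirements.yml` pins collection versions is not visible here and is worth checking for the same reason. The validation loop that follows continues past the end of the hunk.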