diff --git a/ansible/roles/deploy/files/lard_ingestion.service b/ansible/roles/deploy/files/lard_ingestion.service
index 1589b2bb..275b8180 100644
--- a/ansible/roles/deploy/files/lard_ingestion.service
+++ b/ansible/roles/deploy/files/lard_ingestion.service
@@ -5,9 +5,7 @@ Description=lard ingestion service
 User=lard
 Group=lard
 WorkingDirectory=/usr/local/bin
-ExecStart=/usr/local/bin/lard_ingestion ${DBHOST} lard_user lard ${DBPASS}
-; Maybe not the safest option
-EnvironmentFile=/etc/default/lard
+ExecStart=/usr/local/bin/lard_ingestion lard
 
 [Install]
 WantedBy=multi-user.target
diff --git a/ansible/roles/deploy/tasks/main.yml b/ansible/roles/deploy/tasks/main.yml
index cc6c3072..71695b0d 100644
--- a/ansible/roles/deploy/tasks/main.yml
+++ b/ansible/roles/deploy/tasks/main.yml
@@ -33,19 +33,25 @@
         dest: /usr/local/bin
         mode: "0755"
 
-      # TODO: encrypt? And probably wrong permissions
-      - src: .env
-        dest: /etc/default/lard
-        mode: preserve
+  # - name: Clean logs
+  #   ansible.builtin.command: journalctl {{ item }}
+  #   with_items:
+  #     - "--rotate"
+  #     - "--vacuum-time=1s"
+  # become: yes
 
-  # notify:
-  #   - Start LARD ingestion service
+- name: Import environment variables
+  ansible.builtin.command: systemctl import-environment LARD_STRING STINFO_STRING
+  environment: "{{ envars }}"
+  become: yes
 
-# handlers:
-# TODO: Do we need to reload first and then restart?
 - name: Start LARD ingestion service
   ansible.builtin.systemd:
     daemon_reload: true
     name: lard_ingestion
     state: restarted
     enabled: yes
+
+- name: Unset environment variables
+  ansible.builtin.command: systemctl unset-environment LARD_STRING STINFO_STRING
+  become: yes
diff --git a/ansible/roles/deploy/vars/main.yml b/ansible/roles/deploy/vars/main.yml
new file mode 100644
index 00000000..00e55fec
--- /dev/null
+++ b/ansible/roles/deploy/vars/main.yml
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+61333466376333396639343730393564613264363833373037396236343863303930333130373132
+3730343739363230643539363066643364383766666233310a616537323535386561616365633239
+65353638373465653865373935356638623562383264663934336466623232363234383763303230
+3462366337373131330a666266323661383837376163396661383161643063663966616239626431
+35356534343665656638363166613364326565386565353165646536666630333635376531303930
+39646431373637363336643930316632623461633038323937646635303931623932356338633534
+61656166623337643266663631653939636334306234613465346165616632383936376439383134
+39653833636130663564356637663662386430363364393231626235313039333433616232376433
+36373964373462396530353230386166643937353637323534643337356236366566373237303439
+39363564376238303632313539373537646232313439393539633862633266363730386439373465
+64386430383963313035393732633139363135646162616162386166613862363437376136343161
+65616461303632333335663366633662633265333035393934643964323865656562616663313766
+3235
diff --git a/deploy.sh b/deploy.sh
index c07510dd..31eb548e 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -9,6 +9,6 @@ pushd ansible || exit
 cp ../target/release/lard_ingestion roles/deploy/files/.
 cp -r ../ingestion/resources roles/deploy/files/.
 
-ansible-playbook -i inventory.yml deploy.yml
+ansible-playbook -i inventory.yml deploy.yml --ask-vault-pass
 
 popd || exit