diff --git a/roles/bitwarden_rs/defaults/main.yml b/roles/bitwarden_rs/defaults/main.yml
index fa1226a..9980dc1 100644
--- a/roles/bitwarden_rs/defaults/main.yml
+++ b/roles/bitwarden_rs/defaults/main.yml
@@ -43,3 +43,7 @@ bitwarden_domains_whitelist:
 
 # Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
 bitwarden_disable_admin_token: False
+
+# YubiKey settings
+# bitwarden_yubico_client_id: XXXX
+# bitwarden_yubico_secret_key: XXXX
diff --git a/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2 b/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2
index 698df67..d162e77 100644
--- a/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2
+++ b/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2
@@ -22,4 +22,7 @@ ENABLE_DB_WAL=false
 {% else %}
 DATABASE_URL=data/db.sqlite3
 {% endif %}
-# vim: syntax=ini
+{% if bitwarden_yubico_client_id is defined and bitwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ bitwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ bitwarden_yubico_secret_key }}
+{% endif %}
diff --git a/roles/gitea/tasks/directories.yml b/roles/gitea/tasks/directories.yml
index ab75b7b..2ef5297 100644
--- a/roles/gitea/tasks/directories.yml
+++ b/roles/gitea/tasks/directories.yml
@@ -7,6 +7,9 @@
     group: "{{ item.group | default('gitea') }}"
     mode: "{{ item.mode | default('750') }}"
   loop:
+    - dir: /
+      owner: gitea
+      group: gitea
     - dir: data
     - dir: data/repositories
     - dir: custom
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 2f8b4c6..3479657 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 
-- include: facts.yml
 - include: user.yml
 - include: directories.yml
+- include: facts.yml
 - include: archive_pre.yml
   when: gitea_install_mode == 'upgrade'
 - include: install.yml