diff --git a/roles/facts/tasks/main.yml b/roles/facts/tasks/main.yml
index 89fece7..914e128 100644
--- a/roles/facts/tasks/main.yml
+++ b/roles/facts/tasks/main.yml
@@ -19,3 +19,7 @@
 set_fact:
 cluster_services: '{{ (cluster_services|default([])) + query("netbox.netbox.nb_lookup", "services", raw_data=true, api_filter="id="+item) }}'
 loop: '{{ cluster.custom_fields.services | map(attribute="id") | map("string") }}'
+
+- name: Fetch passwords
+ set_fact:
+ password: '{{ lookup("passwordstore", ("vm/" if is_virtual else "host/")~inventory_hostname, returnall=true) | from_yaml }}'
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
index 77f23c5..f5c4fd9 100644
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@@ -61,10 +61,6 @@
 become: yes
 become_user: forgejo
 block:
- - name: Get passwords
- set_fact:
- password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
-
 - name: Create admin user
 command: |
 forgejo admin user create --admin
diff --git a/roles/friwall/tasks/main.yml b/roles/friwall/tasks/main.yml
index f8ef199..8ae3f8a 100644
--- a/roles/friwall/tasks/main.yml
+++ b/roles/friwall/tasks/main.yml
@@ -23,7 +23,7 @@
 become_method: su
 become_flags: "-s /bin/sh"
 git:
- repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}'
+ repo: '{{ password.friwall_repo }}'
 dest: /srv/friwall/app
 force: yes
 notify: reload uwsgi
diff --git a/roles/friwall/templates/settings.json.j2 b/roles/friwall/templates/settings.json.j2
index 8d1be7b..3086ff3 100644
--- a/roles/friwall/templates/settings.json.j2
+++ b/roles/friwall/templates/settings.json.j2
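Review bot: The new `password` fact in roles/facts holds every entry of the host's pass record (`returnall=true`) and the task has no `no_log`, so the whole secret bundle is printed by `set_fact` under `-v` and then sits in hostvars for every play that includes this role; add `no_log: true` to the task. The task also fails at templating time for any host where `is_virtual` is undefined, because the inline `if` has no `default`; if some hosts legitimately lack the variable, decide deliberately between `is_virtual | default(false)` and a preceding `assert`, since the value selects between the `vm/` and `host/` pass paths. The enclosing task list starts above the hunk.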
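Review bot: `repo: '{{ password.friwall_repo }}'` now depends on the `password` fact from roles/facts having been set earlier in the play, but nothing in this role declares or checks that, so a play that does not include roles/facts first fails here with an undefined-variable error instead of a clear message. Either list `facts` under `dependencies` in the role's meta/main.yml or precede the task with an `assert` on `password is defined`. The same implicit dependency applies to roles/friwall/templates/settings.json.j2 and to both roles/netbox hunks. The git task itself starts above the hunk; given that the repository URL is kept in the password store it presumably embeds a credential, in which case `no_log: true` on this task keeps it out of verbose output.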
@@ -1,10 +1,10 @@
 {
 "ldap_host": "{{ domain }}",
- "ldap_user": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}",
- "ldap_pass": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}",
+ "ldap_user": "{{ password.ldap_user }}",
+ "ldap_pass": "{{ password.ldap_pass }}",
 "ldap_base_dn": "{{ ldap_base_dn }}",
- "oidc_server": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_server") }}",
- "oidc_client_id": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_id") }}",
- "oidc_client_secret": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_secret") }}",
+ "oidc_server": "{{ password.oidc_server }}",
+ "oidc_client_id": "{{ password.oidc_client_id }}",
+ "oidc_client_secret": "{{ password.oidc_client_secret }}",
 "wg_net": "{{ wg_net }}"
 }
diff --git a/roles/netbox/tasks/main.yml b/roles/netbox/tasks/main.yml
index 275a77d..cc8e41a 100644
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
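Review bot: The substituted values in `"ldap_pass": "{{ password.ldap_pass }}"` and `"oidc_client_secret": "{{ password.oidc_client_secret }}"` are dropped inside JSON string literals with no escaping, so a secret containing `"` or `\` produces an invalid settings.json; this was already true of the lookup form, but the commit rewrites every one of these lines. Render them through the JSON encoder instead, e.g. `"ldap_pass": {{ password.ldap_pass | to_json }},` — `to_json` emits the surrounding quotes and the escapes — and do the same for `ldap_user`, `oidc_server`, `oidc_client_id` and `oidc_client_secret`. A `validate` argument on the template task that parses the rendered file would catch a broken value at deploy time; that task is outside this diff.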
@@ -84,11 +84,11 @@
 - key: "^REMOTE_AUTH_BACKEND ="
 line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
 - key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
- line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_endpoint') }}'"
+ line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ password.oidc_endpoint }}'"
 - key: "^SOCIAL_AUTH_OIDC_KEY ="
- line: "SOCIAL_AUTH_OIDC_KEY = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_id') }}'"
+ line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
 - key: "^SOCIAL_AUTH_OIDC_SECRET ="
- line: "SOCIAL_AUTH_OIDC_SECRET = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_secret') }}'"
+ line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
 # TODO the key should really be upn but it doesn’t seem to work
 - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
 line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
@@ -113,10 +113,10 @@
 import sys
 from users.models import User
 #from django.contrib.auth.models import User
- username = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') }}'
+ username = '{{ password.admin_user }}'
 if not User.objects.filter(username=username):
 User.objects.create_superuser(username, '', # TODO email
- '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') }}')
+ '{{ password.admin_pass }}')
 sys.exit(1)
 register: result
 changed_when: result.rc != 0
diff --git a/roles/proxmox/templates/sync-ldap.py.j2 b/roles/proxmox/templates/sync-ldap.py.j2
index c653a8f..4448d90 100644
--- a/roles/proxmox/templates/sync-ldap.py.j2
+++ b/roles/proxmox/templates/sync-ldap.py.j2
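Review bot: `line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"` and the two `line:` entries above it paste the value into a Python single-quoted literal with no escaping, so a secret containing `'` or `\` yields a broken configuration line; rendering with `{{ password.oidc_client_secret | to_json }}` and dropping the hand-written quotes gives an escaped double-quoted literal that Python accepts for the usual cases. The same applies to `username = '{{ password.admin_user }}'` and the `'{{ password.admin_pass }}'` argument in the second hunk at line 113. Both hunks belong to tasks whose headers are above the hunk; the rendered `line` values and the rendered script (which the `register: result` also records, e.g. in the command field) contain secrets, so both tasks should carry `no_log: true` if they do not already.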
@@ -6,11 +6,11 @@ import re import ldap3 -{% set password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %} +{% set cluster_password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %} realm = '{{ hostvars[inventory_hostname]["sync-ldap"] }}' ldap_host = '{{ domain }}' -ldap_user = '{{ password.ldap_user }}' -ldap_pass = '{{ password.ldap_pass }}' +ldap_user = '{{ cluster_password.ldap_user }}' +ldap_pass = '{{ cluster_password.ldap_pass }}' ldap_base = '{{ domain | split(".") | map("regex_replace", "^", "dc=") | join(",") }}' # build LDAP query for users diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml index bda2a97..b96add5 100644 --- a/roles/synapse/tasks/main.yml +++ b/roles/synapse/tasks/main.yml @@ -1,6 +1,3 @@ -- set_fact: - password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}' - - name: Install packages package: name: synapse
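Review bot: The rename to `cluster_password` is presumably there so the template's local variable no longer shadows the per-host `password` fact that roles/facts now sets, but nothing in the file says so, and a reader seeing two differently named secret bundles will have to dig for the reason. A one-line comment on the `{% set %}` line would settle it, e.g. `{# cluster-wide secrets from pass; per-host entries live in the `password` fact set by roles/facts #}`. The rest of the script continues below the hunk.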