diff --git a/deployment/ansible/playbooks/deploy-image.yml b/deployment/ansible/playbooks/deploy-image.yml index 64ae45e2..4bca8b2e 100644 --- a/deployment/ansible/playbooks/deploy-image.yml +++ b/deployment/ansible/playbooks/deploy-image.yml @@ -21,6 +21,22 @@ deployment_environment: "{{ deployment_environment | default('production') }}" tasks: + - name: Check if vault file exists locally + stat: + path: "{{ playbook_dir }}/../secrets/{{ deployment_environment }}.vault.yml" + delegate_to: localhost + register: vault_file_stat + become: no + + - name: Load secrets from vault file if exists + include_vars: + file: "{{ playbook_dir }}/../secrets/{{ deployment_environment }}.vault.yml" + when: vault_file_stat.stat.exists + no_log: yes + ignore_errors: yes + delegate_to: localhost + become: no + - name: Set app_name from provided value or default ansible.builtin.set_fact: app_name: "{{ app_name if (app_name is defined and app_name != '') else app_name_default }}" @@ -29,6 +45,15 @@ ansible.builtin.set_fact: deploy_image: "{{ docker_registry }}/{{ app_name }}:{{ image_tag }}" + - name: Set database and MinIO variables from vault or defaults + ansible.builtin.set_fact: + db_username: "{{ db_username | default(vault_db_user | default('postgres')) }}" + db_password: "{{ db_password | default(vault_db_password | default('')) }}" + minio_root_user: "{{ minio_root_user | default(vault_minio_root_user | default('minioadmin')) }}" + minio_root_password: "{{ minio_root_password | default(vault_minio_root_password | default('')) }}" + secrets_dir: "{{ secrets_dir | default('./secrets') }}" + no_log: yes + - name: Determine Docker registry password from vault or extra vars ansible.builtin.set_fact: registry_password: >- @@ -79,7 +104,7 @@ name: "{{ deploy_image }}" source: pull pull: true - when: registry_accessible | bool + when: registry_accessible is defined and registry_accessible | bool register: image_pull_result ignore_errors: yes failed_when: false 
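Review bot: `ignore_errors: yes` on the `Load secrets from vault file if exists` task hides a failed vault decryption (no vault password supplied, wrong password, malformed file), and because `no_log: yes` also suppresses the error text, the play silently continues into the `set_fact` defaults of the next hunk with no sign that the vault was never loaded. Dropping `ignore_errors: yes` lets a decryption failure stop the deploy, which is the safer failure mode for a credentials file; if it must stay best-effort, `register: vault_load_result` and follow it with a task that fails when `vault_file_stat.stat.exists` is true but `vault_load_result is failed`. `delegate_to: localhost` and `become: no` appear to have no effect on `include_vars`, which runs on the controller regardless, and can be removed. The enclosing `tasks:` list continues beyond this hunk.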
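Review bot: In the `Set database and MinIO variables from vault or defaults` task, `db_password` and `minio_root_password` fall back to `''` when neither an extra var nor the vault supplied them, so a run on which the vault was absent or skipped deploys with empty credentials instead of failing. Add an explicit check right after the `set_fact`, e.g. `- name: Ensure database and MinIO credentials are set` / `ansible.builtin.assert:` / `that: ["db_password | length > 0", "minio_root_password | length > 0"]`, with `no_log: yes` so the failure message cannot echo the values. Keeping `no_log: yes` on the `set_fact` itself is right and should stay. The `tasks:` list continues past this hunk.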
@@ -118,12 +143,38 @@ - app-internal ignore_errors: yes + - name: Check if .env file exists + stat: + path: "{{ application_code_dest }}/.env" + register: env_file_exists + + - name: Create minimal .env file if it doesn't exist + copy: + dest: "{{ application_code_dest }}/.env" + content: | + # Minimal .env file for Docker Compose + # This file should be properly configured by the application setup playbook + DB_USERNAME={{ db_username | default('postgres') }} + DB_PASSWORD={{ db_password | default('') }} + MINIO_ROOT_USER={{ minio_root_user | default('minioadmin') }} + MINIO_ROOT_PASSWORD={{ minio_root_password | default('') }} + SECRETS_DIR={{ secrets_dir | default('./secrets') }} + mode: '0600' + when: not env_file_exists.stat.exists + become: yes + - name: Deploy application stack with new image shell: | cd {{ application_code_dest }} docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} up -d --pull missing --force-recreate --remove-orphans register: compose_deploy_result changed_when: true + environment: + DB_USERNAME: "{{ db_username | default('postgres') }}" + DB_PASSWORD: "{{ db_password | default('') }}" + MINIO_ROOT_USER: "{{ minio_root_user | default('minioadmin') }}" + MINIO_ROOT_PASSWORD: "{{ minio_root_password | default('') }}" + SECRETS_DIR: "{{ secrets_dir | default('./secrets') }}" - name: Wait for containers to start ansible.builtin.pause:
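Review bot: The `Create minimal .env file if it doesn't exist` task renders `DB_PASSWORD` and `MINIO_ROOT_PASSWORD` into `content:` with no `no_log`, so the values that `set_fact` guarded earlier show up in the task result and in `--diff`/verbose output; add `no_log: true` to it, and consider the same on the `Deploy application stack with new image` task whose `environment:` carries the passwords (noting that it will also hide compose's output on failure). The values are written unquoted into the .env, so a password containing `$`, `#` or spaces may be interpreted by Docker Compose's .env parser rather than taken literally — presumably quoting each value is the fix, but verify against the compose version in use. The file is created with `become: yes` and `mode: '0600'`, so it is root-owned and unreadable to an unprivileged user; if the compose command does not run as root, confirm the `owner:` matches. The `tasks:` list extends beyond this hunk.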