diff --git a/deployment/ansible/inventory/production.yml b/deployment/ansible/inventory/production.yml
index 5288443a..c3d53deb 100644
--- a/deployment/ansible/inventory/production.yml
+++ b/deployment/ansible/inventory/production.yml
@@ -12,8 +12,9 @@ all:
     docker_registry: git.michaelschiemer.de:5000
     docker_registry_url: git.michaelschiemer.de:5000
     # Registry credentials (can be overridden via -e or vault)
-    docker_registry_username: "{{ docker_registry_username | default('admin') }}"
-    docker_registry_password: "{{ docker_registry_password | default('registry-secure-password-2025') }}"
+    # Defaults are set here, can be overridden by extra vars or vault
+    docker_registry_username_default: 'admin'
+    docker_registry_password_default: 'registry-secure-password-2025'
 
     # Application Configuration
     app_name: framework
diff --git a/deployment/ansible/playbooks/deploy-update.yml b/deployment/ansible/playbooks/deploy-update.yml
index ace0659b..342e6c98 100644
--- a/deployment/ansible/playbooks/deploy-update.yml
+++ b/deployment/ansible/playbooks/deploy-update.yml
@@ -22,8 +22,8 @@
 
     - name: Derive docker registry credentials from vault when not provided
       set_fact:
-        docker_registry_username: "{{ docker_registry_username | default(vault_docker_registry_username | default(omit)) }}"
-        docker_registry_password: "{{ docker_registry_password | default(vault_docker_registry_password | default(omit)) }}"
+        docker_registry_username: "{{ docker_registry_username | default(vault_docker_registry_username | default(docker_registry_username_default | default('admin'))) }}"
+        docker_registry_password: "{{ docker_registry_password | default(vault_docker_registry_password | default(docker_registry_password_default | default('registry-secure-password-2025'))) }}"
 
     - name: Verify Docker is running
       systemd:
@@ -102,9 +102,13 @@
         username: "{{ docker_registry_username }}"
         password: "{{ docker_registry_password }}"
       no_log: yes
+      ignore_errors: yes
       when:
         - docker_registry_username is defined
         - docker_registry_password is defined
+        - docker_registry_username | length > 0
+        - docker_registry_password | length > 0
+      register: registry_login
 
     - name: Pull new Docker image
       community.docker.docker_image:
diff --git a/deployment/ansible/playbooks/rollback.yml b/deployment/ansible/playbooks/rollback.yml
index 7dd2bad8..09eba3de 100644
--- a/deployment/ansible/playbooks/rollback.yml
+++ b/deployment/ansible/playbooks/rollback.yml
@@ -19,8 +19,8 @@
 
     - name: Derive docker registry credentials from vault when not provided
       set_fact:
-        docker_registry_username: "{{ docker_registry_username | default(vault_docker_registry_username | default(omit)) }}"
-        docker_registry_password: "{{ docker_registry_password | default(vault_docker_registry_password | default(omit)) }}"
+        docker_registry_username: "{{ docker_registry_username | default(vault_docker_registry_username | default(docker_registry_username_default | default('admin'))) }}"
+        docker_registry_password: "{{ docker_registry_password | default(vault_docker_registry_password | default(docker_registry_password_default | default('registry-secure-password-2025'))) }}"
 
     - name: Check Docker service
       systemd: