diff --git a/.gitignore b/.gitignore
index 6b8d42e..623fede 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 # Ansible run reports (generated per-run)
 reports/*.txt
+
+# Per-host credentials — contains passwords, never commit
+host_credentials.yml
diff --git a/host_credentials.yml.example b/host_credentials.yml.example
new file mode 100644
index 0000000..72e5a15
--- /dev/null
+++ b/host_credentials.yml.example
@@ -0,0 +1,46 @@
+# host_credentials.yml — per-host SSH credentials
+#
+# Copy this file to host_credentials.yml and fill in your credentials.
+# This file is gitignored — never commit the real version.
+#
+# Match by IP address (most reliable) or by NetBox/UniFi hostname slug.
+# Entries are checked in order; first match wins.
+#
+# Fields (all optional — omit to fall back to the Semaphore template key):
+# user : SSH username
+# password : SSH password
+# port : SSH port (default 22)
+# become : true/false — sudo after login (default true)
+
+# --- Default fallback for all hosts (lowest priority) ---
+defaults:
+ user: ubuntu
+ password: changeme
+ become: true
+
+# --- Per-subnet defaults ---
+subnets:
+ - cidr: 10.40.40.0/24
+ user: ubuntu
+ password: changeme
+
+ - cidr: 192.168.1.0/24
+ user: admin
+ password: changeme
+
+ - cidr: 10.10.20.0/24
+ user: cisco
+ password: changeme
+
+# --- Per-host overrides (highest priority) ---
+# Keyed by IP address
+hosts:
+ 10.40.40.2:
+ user: ubuntu
+ password: changeme
+ 192.168.1.190:
+ user: root
+ password: changeme
+ 10.40.40.119:
+ user: semaphore
+ password: changeme
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 905da95..b61ed9e 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -1,5 +1,5 @@
 # Auto-generated by semaphore/generate_inventory.py
-# Generated: 2026-03-01 05:09 UTC
+# Generated: 2026-03-01 05:34 UTC
 # NetBox: http://172.19.77.160:8000 (31 hosts)
 # UniFi unmanaged supplement: 135 hosts
 #
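Review bot: The new ignore entry in the `.gitignore` hunk covers only the exact name `host_credentials.yml`, so an editor backup or a dated copy of the filled-in file (for example `host_credentials.yml.bak`) would still be picked up by `git add .`. A wider pattern with an explicit exception for the template would close that gap: `host_credentials.yml*` followed by `!host_credentials.yml.example`. An ignore rule also does nothing for a file that is force-added or already tracked, so a pre-commit secret scan is worth pairing with it.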
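Review bot: The header comment of `host_credentials.yml.example` tells the user to put SSH passwords into the copied file in cleartext and names `.gitignore` as the only safeguard; it says nothing about protecting the file on disk. I would add a header line such as `# Keep the real file readable only by the automation user (chmod 600); prefer SSH keys or an ansible-vault-encrypted file where the loader supports it.` Whether the code that reads this file can decrypt vault content is not visible in this diff, so that part needs confirming. The `hosts:` sample also shows a `root` password login, and the addresses and usernames look like real internal hosts (inferred), so replacing them with documentation ranges such as `192.0.2.0/24` would keep network layout out of the committed template.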