diff --git a/ansible/roles/devpi/defaults/main.yml b/ansible/roles/devpi/defaults/main.yml
index 358a6bc..0fc0569 100644
--- a/ansible/roles/devpi/defaults/main.yml
+++ b/ansible/roles/devpi/defaults/main.yml
@@ -3,3 +3,5 @@ devpi_port: 3141
 devpi_serverdir: /Users/erichblume/devpi
 devpi_log_dir: /Users/erichblume/Library/Logs
 devpi_host: 0.0.0.0  # Listen on all interfaces for Tailscale
+devpi_outside_url: https://pypi.tail8d86e.ts.net  # URL for Tailscale proxy
+devpi_secretfile: /Users/erichblume/devpi/.secret  # Persistent auth secret
diff --git a/ansible/roles/devpi/tasks/main.yml b/ansible/roles/devpi/tasks/main.yml
index cb25e0e..b35989c 100644
--- a/ansible/roles/devpi/tasks/main.yml
+++ b/ansible/roles/devpi/tasks/main.yml
@@ -1,13 +1,22 @@
 ---
 # Note: devpi is installed via mise (pipx/uvx), not managed here.
-# Add to ~/.config/mise/config.toml on indri:
 #
-#   [tools]
-#   "pipx:devpi-server" = { version = "latest", uvx = "true", uvx_args = "--with devpi-web" }
-#   "pipx:devpi-client" = { version = "latest", uvx = "true" }
+# ONE-TIME SETUP (before running ansible):
 #
-# Then run: mise install
-# Initialize: mise x -- devpi-init --serverdir {{ devpi_serverdir }}
+# 1. Add to ~/.config/mise/config.toml on indri:
+#
+#    [tools]
+#    "pipx:devpi-server" = { version = "latest", uvx = "true", uvx_args = "--with devpi-web" }
+#    "pipx:devpi-client" = { version = "latest", uvx = "true" }
+#
+# 2. Install: mise install
+#
+# 3. Initialize with root password (generate password in 1password):
+#    mise x -- devpi-init --serverdir {{ devpi_serverdir }} --root-passwd YOUR_PASSWORD
+#
+# 4. Run ansible to deploy LaunchAgent
+#
+# 5. Set up Tailscale service (see management log)
 
 - name: Ensure devpi data directory exists
   ansible.builtin.file:
@@ -15,6 +24,17 @@
     state: directory
     mode: '0755'
 
+- name: Generate devpi secret file if not exists
+  ansible.builtin.shell: |
+    openssl rand -hex 32 > "{{ devpi_secretfile }}"
+  args:
+    creates: "{{ devpi_secretfile }}"
+
+- name: Ensure devpi secret file has secure permissions
+  ansible.builtin.file:
+    path: "{{ devpi_secretfile }}"
+    mode: '0600'
+
 - name: Deploy devpi LaunchAgent plist
   ansible.builtin.template:
     src: devpi.plist.j2
diff --git a/ansible/roles/devpi/templates/devpi.plist.j2 b/ansible/roles/devpi/templates/devpi.plist.j2
index 3ab572f..b2ed6aa 100644
--- a/ansible/roles/devpi/templates/devpi.plist.j2
+++ b/ansible/roles/devpi/templates/devpi.plist.j2
@@ -24,6 +24,10 @@
 		<string>{{ devpi_host }}</string>
 		<string>--port</string>
 		<string>{{ devpi_port }}</string>
+		<string>--outside-url</string>
+		<string>{{ devpi_outside_url }}</string>
+		<string>--secretfile</string>
+		<string>{{ devpi_secretfile }}</string>
 	</array>
 	<key>RunAtLoad</key>
 	<true/>