diff --git a/infrastructure/ansible/deploy_logic_push.yml b/infrastructure/ansible/deploy_logic_push.yml
index e9d5705..6d12e7b 100644
--- a/infrastructure/ansible/deploy_logic_push.yml
+++ b/infrastructure/ansible/deploy_logic_push.yml
@@ -25,6 +25,22 @@
 path: "{{ target_dir }}"
 state: directory
 mode: '0755'
+ owner: root
+ group: root
+
+- name: "Erstelle Unterverzeichnisse (falls nötig)"
+ file:
+ path: "{{ target_dir }}/{{ item }}"
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+ loop:
+ - config
+ - file
+ - logs
+ - certs
+ when: app_item.name == 'vault' # Nur für Vault
 # 3. Secrets aus Vault (Lokal lookup)
 - name: "Lade Secrets aus Vault (Lokal lookup)"
@@ -99,8 +115,13 @@
 compress: yes
 rsync_opts:
 - "--chmod=Du=rwx,Dgo=rx,Fu=rw,Fgo=r" # directory_mode='0755', mode='0644'
+ # Für Vault: Exkludiere Container-verwaltete Verzeichnisse
+ - "--exclude=file/" # Vault-Daten (werden vom Container verwaltet)
+ - "--exclude=logs/" # Vault-Logs (werden vom Container verwaltet)
+ - "--exclude=certs/" # Vault-Zertifikate (werden vom Container generiert)
 delegate_to: localhost # rsync läuft von localhost (Source) zu remote (Destination)
- become: false # Kein sudo für rsync
+ become: true # Benötigt sudo für Schreibrechte in /opt/vault/
+ become_user: root
 register: file_sync_result
 # 7. Docker Compose Deployment
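Review bot: The new subdirectory task creates `file` and `certs` with `mode: '0755'`, so every local account on the host can enter and list the directories that this commit's own comments describe as holding Vault data and certificates. Those two entries would be safer with a tighter mode, for example by looping over items that carry their own mode and using `mode: "{{ item.mode }}"` with `'0700'` for `file` and `certs`. The owner should match the uid the Vault container runs as, which is not visible here, otherwise root-owned directories may be unwritable for it. The task also uses the short module name `file`; `ansible.builtin.file` is the unambiguous form. The enclosing play and the definition of `app_item` lie outside the hunk.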
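Review bot: The three `--exclude` options are added to `rsync_opts` unconditionally, although the comment says they are meant for Vault, and the patterns have no leading slash, so rsync matches a directory named `file`, `logs` or `certs` at any depth of the transfer. Any other application deployed through this task would silently lose such directories; anchoring the patterns as `- "--exclude=/file/"` (likewise `/logs/` and `/certs/`) and adding them only when `app_item.name == 'vault'` keeps the exclusion to the intended paths. With `become: true` the destination side now writes as root while `--chmod` still sets `Fgo=r`, so every synced file ends up world-readable; it is worth confirming that nothing under `config` carries secrets. The task's module name and its `src`/`dest` arguments are outside the hunk.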