diff --git a/docs/roles/authentik.md b/docs/roles/authentik.md new file mode 100644 index 0000000..b4ee629 --- /dev/null +++ b/docs/roles/authentik.md @@ -0,0 +1,46 @@ +# Authentik role +SSO server + +## Notes +- Requires the podman and postgres roles to be enabled on the same host. +- The server will be mostly unconfigured. + +## Options +### `authentik.domain` +The domain used by authentik. + +## Secrets +### `authentik/db_pass` +The password for the authentik postgres database. This should be the same as +`postgres/authentik` on the same host. + +### `authentik/secret_key` +The secret key used by authentik. This value can not be changed without data +loss and has to be kept secret at all times. + +### `authentik/email_host` +The SMTP host for email. This is not necessarily secret, but here to keep all +email settings collocated. + +Example: `mail.example.com` + +### `authentik/email_port` +The SMTP port for email. This is not necessarily secret, but here to keep all +email settings collocated. **Make sure to quote this value!** + +Example: `587` + +### `authentik/email_from` +The from address used by authentik. This is not necessarily secret, but here to keep all +email settings collocated. + +Example: `git@example.com` + +### `authentik/email_username` +The user used by authentik to authenticate to the SMTP server. + +Example: `git@example.com` + +### `authentik/email_password` +The password used by authentik to authenticate to the SMTP server. + diff --git a/docs/roles/forgejo.md b/docs/roles/forgejo.md index 70f3a57..3fd5a7c 100644 --- a/docs/roles/forgejo.md +++ b/docs/roles/forgejo.md 
@@ -1,13 +1,47 @@ # Forgejo role +Git server -By default the forgejo server is installed without any users and without an +## Notes +- Requires the postgres role to be enabled on the same host. +- By default the forgejo server is installed without any users and without an external authentication provider. To create the first (admin) user ssh into the -host and run -```bash -forgejo-cli admin user create --username $username --email $email --admin -``` - -After this, you can log in with this new user and set up SSO through the -[admin panel](https://$DOMAIN/admin/auths). After this is set up (and verified) -you can change the initial user to use the new authentication source in the +host and run `forgejo-cli admin user create --username $username --email $email --admin` +- To set up SSO go to the [admin panel](https://$DOMAIN/admin/auths). +- To change the initial user to use the new authentication source, go to the [admin panel](https://$DOMAIN/admin/users). + +## Options +### `forgejo.domain` +The domain used by forgejo. + +## Secrets +### `forgejo/db_pass` +The password for the forgejo postgres database. This should be the same as +`postgres/forgejo` on the same host. + +### `forgejo/email_host` +The SMTP host for email. This is not necessarily secret, but here to keep all +email settings collocated. + +Example: `mail.example.com` + +### `forgejo/email_port` +The SMTP port for email. This is not necessarily secret, but here to keep all +email settings collocated. **Make sure to quote this value!** + +Example: `587` + +### `forgejo/email_from` +The from address used by forgejo. This is not necessarily secret, but here to keep all +email settings collocated. + +Example: `git@example.com` + +### `forgejo/email_username` +The user used by forgejo to authenticate to the SMTP server. + +Example: `git@example.com` + +### `forgejo/email_password` +The password used by forgejo to authenticate to the SMTP server. + 
diff --git a/docs/roles/podman.md b/docs/roles/podman.md new file mode 100644 index 0000000..1a82f97 --- /dev/null +++ b/docs/roles/podman.md @@ -0,0 +1,24 @@ +# Podman role +Allows the server to run podman/docker containers. Required for some services. + +## Options +### `podman.containers` +A set with all the same options as `virtualisation.oci-containers.containers` +with the addition of a `imageMetadata` option on each container which can be +used instead of the `image` option to cache an exact image into the nix store +at build time. + +Example: +```nix +{ + "example-container" = { + imageMetadata = { + imageName = "ghcr.io/goauthentik/server"; + imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3 + sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5"; + }; + # Other container options + }; +} +``` + diff --git a/docs/roles/postgres.md b/docs/roles/postgres.md new file mode 100644 index 0000000..147271f --- /dev/null +++ b/docs/roles/postgres.md @@ -0,0 +1,14 @@ +# Postgres role +PostgreSQL database server. + +## Notes +- Database user passwords are updated on every service restart through a script. + +## Options +### `postgres.databases` +A list of all databases to be created. Each database also gets a user by the +same name with a password in the secret `postgres/$DB_NAME`. + +## Secrets +### `postgres/$DB_NAME` +The password for the user corresponding to the database $DB_NAME. diff --git a/docs/roles/sonarr.md b/docs/roles/sonarr.md new file mode 100644 index 0000000..ce3059b --- /dev/null +++ b/docs/roles/sonarr.md @@ -0,0 +1,8 @@ +# Sonarr role + +## Notes +- The server is completely unconfigured. + +## Options +### `sonarr.domain` +The domain used by sonarr. diff --git a/docs/roles/traefik.md b/docs/roles/traefik.md new file mode 100644 index 0000000..a478b1e --- /dev/null +++ b/docs/roles/traefik.md 
@@ -0,0 +1,30 @@ +# Traefik role +Reverse proxy for HTTP traffic. + +## Notes +- Adds the `infra` tag to hosts that use it. +- Routes are collected from all hosts in the entire configuration automatically. +- To acquire wildcard certificates for a domain, its DNS must be at the +cloudflare user specified in the secrets. + +## Options +### `traefik.wildcardDomains` +A list of all domains to acquire wildcard certificates for. + +## Secrets +### `traefik/acmeEmail` +Email given to Let's Encrypt for notification emails. + +Example: `email@example.com` + +### `traefik/CLOUDFLARE_EMAIL` +Email used to authenticate to CloudFlare to set DNS for wildcard domain +certificate challenge. + +Example: `email@example.com` + +### `traefik/CLOUDFLARE_DNS_API_TOKEN` +API key used to authenticate to CloudFlare to set DNS for wildcard domain +certificate challenge. + +Example: AVeryLongAPIKeyHere
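Review bot: in docs/roles/authentik.md the example for `authentik/email_from` is `git@example.com`, copied from the forgejo role; use an authentik-specific sender (e.g. `sso@example.com`) so the doc does not suggest the two services share a mailbox. Since `authentik/db_pass` has to equal `postgres/authentik` and the postgres role rewrites user passwords on every service restart, add one sentence on what drift means: a stale `authentik/db_pass` silently breaks authentik's database login at the next restart, so the two secrets must be rotated together. Minor wording under `authentik/secret_key`: `can not be changed` should be `cannot be changed`.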
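Review bot: the rewritten Notes list in docs/roles/forgejo.md drops the ordering caveat that the removed paragraph carried ("After this is set up (and verified) you can change the initial user to use the new authentication source"). That caveat is the important part: the initial admin is the only account, and switching it to an untested auth source can lock you out of the admin panel, so keep "verify a login through the new source first" in the third bullet. Consider also keeping `forgejo-cli admin user create --username $username --email $email --admin` in a fenced block as before, so `$username` and `$email` read unambiguously as shell placeholders rather than literal text.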
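Review bot: the `imageMetadata` example in docs/roles/podman.md pins by `imageDigest`, which is the right default, but the page never says where the separate `sha256` value comes from or how to refresh both fields when bumping the version recorded in the `# 2024.12.3` comment. State the tool used to produce them (for nixpkgs-style image fetching, `nix-prefetch-docker` prints `imageName`, `imageDigest` and `sha256` together) so the next person does not paste a digest into the wrong field. Also "A set with all the same options as" should read "An attribute set with all the same options as".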
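Review bot: "Database user passwords are updated on every service restart through a script" in docs/roles/postgres.md is the key operational fact of this role and should spell out its consequence: the `postgres/$DB_NAME` secret is authoritative, and the dependent secrets (`authentik/db_pass`, `forgejo/db_pass`) must be changed in lockstep or those services fail at the next postgres restart. The `postgres.databases` entry should also show the expected shape, e.g. `[ "forgejo" "authentik" ]`, since both the user name and the secret name `postgres/$DB_NAME` are derived from each entry.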
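Review bot: docs/roles/sonarr.md lists `sonarr.domain` and says the server is completely unconfigured, but unlike the authentik and forgejo pages it has no Notes on dependencies. If `sonarr.domain` is picked up by the traefik role's automatic route collection, say so, and say whether anything authenticates requests before the unconfigured server is reachable under that domain.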
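Review bot: in docs/roles/traefik.md the secret is named `traefik/CLOUDFLARE_DNS_API_TOKEN` but described as an "API key"; these are different Cloudflare credentials. Document that it should be a scoped API token with only Zone:DNS:Edit on the zones listed in `traefik.wildcardDomains`, not the account-wide global API key, and clarify whether `traefik/CLOUDFLARE_EMAIL` is needed at all: in lego, which Traefik uses for ACME, the email is only required together with the global key, while a DNS API token is used on its own. "Routes are collected from all hosts in the entire configuration automatically" also deserves a warning that any host in the configuration can publish a route under a wildcard domain. Finally, put the example `AVeryLongAPIKeyHere` in backticks like the other examples.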