diff --git a/docs/30_Usage.md b/docs/30_Usage.md
index 716e49d589505d2e9376a3485e458855423f9296..e998df73f32eb3eb9d25c9a85a96c14588dc955d 100644
--- a/docs/30_Usage.md
+++ b/docs/30_Usage.md
@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
 
 creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
 
+This ensure action handles the logic if a certificate must be
+
+* created (if it does not exist) or
+* renewed (it already exists) or
+* re-created (the list of dns names in the certificate was changed)
+
+It detects if a domain in the certificate can use a txt record or needs dns auth mode.
+
 ## Show certificate data
 
 Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`
diff --git a/docs/50_Automation_with_Ansible.md b/docs/50_Automation_with_Ansible.md
new file mode 100644
index 0000000000000000000000000000000000000000..1eaa50768df382cef015788be3e037756ac9ff11
--- /dev/null
+++ b/docs/50_Automation_with_Ansible.md
@@ -0,0 +1,67 @@
+# Automation with Ansible
+
+This is an example how our own installation works.
+
+Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
+"central server" that manages and holds all certifiactes.
+
+In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
+calls of cm.sh - from multiple machines or becaus of parallel tasks in your
+playbook are no problem.
+
+![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
+
+The following snippets give you an idea how it is done. Even if it is not
+a comlete source with all values of the variables.
+
+## 1. Execute cm.sh
+
+The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
+renew of a certificate - whatever is needed.
+
+```yaml
+- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
+  shell: | 
+    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 2. Rsync certs locally
+
+With rsync it syncs the certificate folder locally to the Ansible machine.
+
+```yaml
+- name: "sync certs locally"
+  shell: | 
+    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 3. Deploy files
+
+Now we can use normal Ansible copy mechanisms to brin these files to the target system.
+
+```yaml
+- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
+  copy:
+    src:  '{{ item[0] }}'
+    dest: '{{ item[1] }}'
+    mode: '{{ item[2] }}'
+    backup: true
+  notify: "{{ ssl_change_notify | default([]) }}"
+  loop:
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer'      , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer',  '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem'       , '0400']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',    '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem'   , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',         '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer'        , '0444']
+    #                              ^
+    #                              |
+    #                              filestructure after ACME.SH dump
+```
diff --git a/docs/_index.md b/docs/_index.md
index e348829dc7cbb1d9d2c577187f595052dc3ed5d3..2547f634d00af4afbc3410068b4a03cee678669a 100644
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
 Automation is wonderful. You create systems and certificates for them on the fly.
 And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
 anymore and are older 90 days.
+
+## Overview
+
+This is an overview of the components for issuing a certificate that take part:
+
+![Components](images/cert-manager-components.png)
\ No newline at end of file
diff --git a/docs/images/cert-manager-components.png b/docs/images/cert-manager-components.png
new file mode 100644
index 0000000000000000000000000000000000000000..f5e94ab958a0d5f1f01cab9c8ca3a1b8c45162bc
Binary files /dev/null and b/docs/images/cert-manager-components.png differ
diff --git a/docs/images/lets-encrypt-workflow-ansible.png b/docs/images/lets-encrypt-workflow-ansible.png
new file mode 100644
index 0000000000000000000000000000000000000000..9456d3652b24c3768401f7b5ccdf7b763bdd529e
Binary files /dev/null and b/docs/images/lets-encrypt-workflow-ansible.png differ
diff --git a/docs/style.css b/docs/style.css
index 02b2415b02181d56d377762e0cac369c011c03d4..769d8afc46240d8134626cab1fbe010b62f85569 100644
--- a/docs/style.css
+++ b/docs/style.css
@@ -34,7 +34,17 @@
 
 /* ---------- tags ---------- */
 
-body, *{color: var(--color); }
+a.Brand::before {
+	background: rgb(255,0,51);
+	color: #fff;
+    font-family: arial;
+	font-weight: bold;
+	padding: 0.5em 0.3em;
+	content: 'IML';
+    margin-right: 0.4em;
+}
+
+body, *{color: var(--color);}
 body{background: var(--bg-body);}