diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6822007289663535881abe6596eb83ed4066a019
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,12 @@
+# Use python3 on cluster nodes for ansible
+ansible_python_interpreter: "/usr/bin/env python3"
+
+# Nextcloud administrator password. If you do not change this value, it gets
+# generated and stored in `secrets/nextcloud_admin_password`. You can also choose
+# your own password and fill it in here instead.
+nextcloud_password: "{{ lookup('password', './secrets/nextcloud_admin_password chars=ascii_letters') }}"
+
+# git repo versions
+git_helmfiles_version: 'dbf2283b61fdb0009d64829d17692fb8a88e2176'
+git_charts_version: 'HEAD'
+git_local_storage_version: 'HEAD'
diff --git a/ansible/group_vars/cluster/settings.yml.example b/ansible/group_vars/cluster/settings.yml.example
index 6fce66e6983d29a9def8249681984d176a1e2e8f..c4a99652afd434d1b95f2cb9fa83447d2cee5fbb 100644
--- a/ansible/group_vars/cluster/settings.yml.example
+++ b/ansible/group_vars/cluster/settings.yml.example
@@ -1,5 +1,3 @@
-# Use python3 on cluster nodes for ansible
-ansible_python_interpreter: "/usr/bin/env python3"
 # External ip address of the cluster.
 ip_address: "203.0.113.6"
 # Main domain name of the cluster services.
@@ -8,10 +6,6 @@ domain: "example.com"
 admin_email: "admin@example.com"
 # Label of this deployment.
 release_name: "test"
-# Nextcloud administrator password. If you do not change this value, it gets
-# generated and stored in `secrets/nextcloud_admin_password`. You can also choose
-# your own password and fill it in here instead.
-nextcloud_password: "{{ lookup('password', './secrets/nextcloud_admin_password chars=ascii_letters') }}"
 # If this is "true" TLS certificates will be requested at the Let's Encrypt
 # staging server. If this is "false", you use Let's Encrypt's production server.
 # Note that LE's production server has stricter rate limits, so set this to
diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
index a4dabb93848b01f682dd153f65ba230224d555fa..e267e2b70b2ae22c87c5ae934ddfae6db240be2d 100644
--- a/ansible/roles/setup/tasks/main.yml
+++ b/ansible/roles/setup/tasks/main.yml
@@ -156,7 +156,7 @@
   git:
     repo: 'https://code.greenhost.net/openappstack/helmfiles'
     dest: '/oas/source/repos/helmfiles'
-    version: "master"
+    version: '{{ git_helmfiles_version }}'
 
 - name: Clone charts repo
   tags:
@@ -164,6 +164,7 @@
   git:
     repo: 'https://code.greenhost.net/openappstack/charts'
     dest: '/oas/source/repos/charts'
+    version: '{{ git_charts_version }}'
 
 - name: Clone local-storage repo
   tags:
@@ -171,6 +172,7 @@
   git:
     repo: 'https://code.greenhost.net/openappstack/local-storage'
     dest: '/oas/source/repos/local-storage'
+    version: '{{ git_local_storage_version }}'
 
 - name: Create OAS namespaces
   tags: