diff --git a/.gitea/workflows/dag-config-check.yml b/.gitea/workflows/dag-config-check.yml index 48980ae..7c7f991 100644 --- a/.gitea/workflows/dag-config-check.yml +++ b/.gitea/workflows/dag-config-check.yml @@ -1,4 +1,3 @@ -# .github/workflows/validate-dags.yml name: Validate DAGs on: @@ -38,19 +37,7 @@ jobs: directory: . vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} requirements: collections/requirements.yml - playbook: | - - hosts: localhost - gather_facts: false - vars: - vault_addr: ${{ env.VAULT_ADDR }} - vault_token: ${{ env.VAULT_TOKEN }} - dags_path: ${{ env.DAGS_PATH }} - tasks: - - name: Render DAG templates - template: - src: "{{ item }}" - dest: "{{ item | regex_replace('\\.j2$', '') }}" - loop: "{{ lookup('fileglob', dags_path ~ '/*.yaml.j2', wantlist=True) }}" + playbook: playbooks/rinoa-render-dags.yml - name: Install dagu uses: jaxxstorm/action-install-gh-release@v1 diff --git a/.gitea/workflows/gitea_tar-valon_ansible_deploy.yml b/.gitea/workflows/gitea_tar-valon_ansible_deploy.yml index 05e3b58..e574e12 100644 --- a/.gitea/workflows/gitea_tar-valon_ansible_deploy.yml +++ b/.gitea/workflows/gitea_tar-valon_ansible_deploy.yml @@ -3,7 +3,7 @@ name: Gitea Branch PR & Ansible Deployment on: workflow_dispatch: workflow_run: - workflows: [Home Assistant Config Check, Validate DAs] + workflows: [Home Assistant Config Check, Validate DAGs] types: - completed branches: main @@ -11,13 +11,9 @@ on: branches-ignore: - 'main' paths: - - 'app-configs/**' - - 'inventory/hosts.yml' - - 'host_vars/**' - - 'group_vars/**' - - '**/tar-valon_config_deploy.yml' - - '**/gitea_tar-valon_ansible_deploy.yml' - '!app-configs/rikku/homeassistant/**' + - '!app-configs/rinoa/dagu/dags/**' + - 'app-configs/**' env: VAULT_ADDR: ${{ secrets.VAULT_ADDR }} 
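Review bot: The step no longer hands `vault_addr`, `vault_token` and `dags_path` to the play — the removed inline playbook forwarded them as `${{ env.* }}` vars, while `playbooks/rinoa-render-dags.yml` (added in this commit) reads `DAGS_PATH`, `VAULT_ADDR` and `VAULT_TOKEN` with `lookup('env', ...)`, so the step only works if those names are present in the process environment of the ansible-playbook invocation. The `env:` block for this job is outside the hunk, so I cannot tell whether `VAULT_TOKEN` is a workflow- or job-level entry or is written to `GITHUB_ENV` by an earlier step; please confirm, since a step-local `env:` on another step would not reach this one. A comment on the `playbook:` line would make the contract visible: `# the play reads DAGS_PATH, VAULT_ADDR and VAULT_TOKEN from the step environment via lookup('env')`.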
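Review bot: The `paths:` filter now lists the two `'!app-configs/...'` negations before `'app-configs/**'`, and under GitHub Actions filter semantics — which Gitea Actions appears to follow — a later positive pattern re-includes paths that an earlier negative pattern excluded, so the rikku/homeassistant and rinoa/dagu/dags exclusions would silently stop taking effect. The removed version had the negation last, which is the order that works; the block should read `- 'app-configs/**'`, `- '!app-configs/rikku/homeassistant/**'`, `- '!app-configs/rinoa/dagu/dags/**'`. The hunk also drops `inventory/hosts.yml`, `host_vars/**`, `group_vars/**` and the two workflow files from the trigger, so branch pushes that change only inventory or variables will no longer run this deployment; if that is intended, a line in the commit message would save the next reader a search.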
@@ -120,7 +116,7 @@ jobs:
 uses: dawidd6/action-ansible-playbook@v3
 with:
 directory: .
- playbook: tar-valon_config_deploy.yml
+ playbook: playbooks/tar-valon_config_deploy.yml
 vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
 key: ${{ secrets.ANSIBLE_PRIVATE_KEY }}
 requirements: collections/requirements.yml
diff --git a/playbooks/rinoa-render-dags.yml b/playbooks/rinoa-render-dags.yml
new file mode 100644
index 0000000..82fdb32
--- /dev/null
+++ b/playbooks/rinoa-render-dags.yml
@@ -0,0 +1,51 @@
+---
+- name: Render DAG .yaml.j2 templates safely
+ hosts: localhost
+ connection: local
+ gather_facts: false
+
+ vars:
+ dags_path: "{{ lookup('env', 'DAGS_PATH') }}"
+ vault_addr: "{{ lookup('env', 'VAULT_ADDR') }}"
+ vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
+
+ tasks:
+ - name: Build list of DAG template files
+ ansible.builtin.set_fact:
+ dag_templates: "{{ lookup('fileglob', dags_path ~ '/*.yaml.j2', wantlist=True) }}"
+
+ - name: Pre-check Vault secrets in templates
+ when: dag_templates | length > 0
+ block:
+ - name: Find all Vault lookup expressions in templates
+ ansible.builtin.set_fact:
+ vault_keys: >-
+ {{
+ dag_templates
+ | map('lookup', 'file', wantlist=True)
+ | map('regex_findall',
+ "lookup\\('community.hashi_vault.vault_kv2_get',\\s*'[^']+',\\s*engine_mount_point='[^']+',\\s*url=[^,]+,\\s*token=[^\\)]+\\)\\['secret'\\]\\['([^']+)'\\]")
+ | sum(start=[])
+ }}
+
+ - name: Warn if any Vault keys might be missing
+ loop: "{{ vault_keys }}"
+ ansible.builtin.debug:
+ msg: "Vault key '{{ item }}' will be required by templates"
+
+ - name: Render DAG templates in-place (guarded)
+ when: dag_templates | length > 0
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ item | regex_replace('\\.j2$', '') }}"
+ mode: '0644'
+ loop: "{{ dag_templates }}"
+ vars:
+ ansible_jinja2_native: true
+ ignore_errors: false
+
+ - name: Log rendered files
+ when: dag_templates | length > 0
+ loop: "{{ dag_templates }}"
+ ansible.builtin.debug:
+ msg: "Rendered {{ item }} -> {{ item | regex_replace('\\.j2$', '') }}"
diff --git a/tar-valon_config_deploy.yml b/playbooks/tar-valon_config_deploy.yml
similarity index 92%
rename from tar-valon_config_deploy.yml
rename to playbooks/tar-valon_config_deploy.yml
index 986e9ef..b7eb516 100644
--- a/tar-valon_config_deploy.yml
+++ b/playbooks/tar-valon_config_deploy.yml
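Review bot: Nothing fails when `DAGS_PATH`, `VAULT_ADDR` or `VAULT_TOKEN` is unset — `lookup('env', ...)` returns an empty string, the fileglob in `Build list of DAG template files` then degenerates to `/*.yaml.j2` and the play silently renders nothing, while an empty token would reach the templates' Vault lookups unnoticed. An assert task at the top of `tasks:` turns the missing-environment case into a hard failure (below). The `Warn if any Vault keys might be missing` task only prints key names with `debug`, so the "Pre-check" block verifies nothing against Vault; either rename it to say it lists the keys the templates require, or make it an actual lookup followed by an assert. I also doubt `map('lookup', 'file', wantlist=True)` runs at all — as far as I know `lookup` is a template global in Ansible rather than a filter — so the block needs a dry run before relying on it. Since the regex shows the templates embed `vault_kv2_get` results, the rendered `.yaml` files carry secret values on the runner, and `mode: '0600'` on the template task would be the tighter default.
```yaml
  tasks:
    - name: Require the environment the templates depend on
      ansible.builtin.assert:
        that:
          - dags_path | length > 0
          - vault_addr | length > 0
          - vault_token | length > 0
        fail_msg: "DAGS_PATH, VAULT_ADDR and VAULT_TOKEN must be set in the step environment"
        quiet: true

    # … unchanged: Build list of DAG template files, Pre-check block, Render, Log rendered files …
```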
@@ -6,10 +6,6 @@ - benedikta gather_facts: false - vars: - # template_base_path and vault_addr from group_vars/all.yml - # appdata_base_path, secrets_path, vault_token_cleaned from host_vars/.yml - pre_tasks: - name: Find all files for this host ansible.builtin.find: