diff --git a/.gitea/workflows/write-new-template.yml b/.gitea/workflows/write-new-template.yml
new file mode 100644
index 0000000..844457e
--- /dev/null
+++ b/.gitea/workflows/write-new-template.yml
@@ -0,0 +1,33 @@
+name: Create New Secrets Template
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "host_vars/**"
+ workflow_dispatch:
+
+jobs:
+ create-pr:
+ name: Extract updated template
+ runs-on: runner
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run extraction script
+ run: |
+ echo "${{ secrets.VAULT_PASS }}" > ~/.vault_pass.txt
+ rm host_vars/all.template.yml
+ python3 scripts/extract_to_template.py
+
+ - name: Create PR
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.TOKEN }}
+ commit-message: "Extract new template"
+ branch: "template-extraction"
+ title: "Automated Template Extraction"
+ body: "PR to update the template as new secrets were added"
+ base: main
diff --git a/group_vars/all.template.yml b/group_vars/all.template.yml
deleted file mode 100644
index 2a0fcfb..0000000
--- a/group_vars/all.template.yml
+++ /dev/null
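Review bot: The `Run extraction script` step writes the vault password to `~/.vault_pass.txt` with the runner's default umask and never deletes it, so on the self-hosted `runs-on: runner` it outlives the job and stays readable to whatever runs there next; create it under `umask 077` and remove it in an `if: always()` cleanup step. The secret is also interpolated straight into the shell script through `${{ secrets.VAULT_PASS }}`; passing it via `env:` keeps it out of the generated script text. `rm host_vars/all.template.yml` fails the step on the first run because that file does not exist yet (the old template lived under `group_vars/`), and it is redundant anyway since the script opens the file with `'w'`. Separately, `actions/checkout@v4` and `peter-evans/create-pull-request@v6` are pinned to mutable tags; pinning to a full commit SHA protects a job that holds both `VAULT_PASS` and `TOKEN` from a moved tag.
```yaml
      - name: Run extraction script
        env:
          VAULT_PASS: ${{ secrets.VAULT_PASS }}
        run: |
          umask 077
          printf '%s\n' "$VAULT_PASS" > ~/.vault_pass.txt
          python3 scripts/extract_to_template.py

      - name: Remove vault password file
        if: always()
        run: rm -f ~/.vault_pass.txt
      # … unchanged: Create PR step …
```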
@@ -1,112 +0,0 @@
-# global
-data_dir:
-docker_network_name:
-PUID:
-PGID:
-TZ:
-
-# glance
-GLANCE_PIHOLE_TOKEN:
-GLANCE_VIDEO_MACHINE:
-GLANCE_JELLYFIN_URL:
-GLANCE_JELLYFIN_TOKEN:
-
-# tinyauth
-TINYAUTH_USERS:
-TINYAUTH_SECRET:
-TINYAUTH_APP_URL:
-TINYAUTH_GENERIC_CLIENT_ID:
-TINYAUTH_GENERIC_CLIENT_SECRET:
-TINYAUTH_GENERIC_AUTH_URL:
-TINYAUTH_GENERIC_TOKEN_URL:
-TINYAUTH_GENERIC_USER_URL:
-TINYAUTH_GENERIC_SCOPES:
-TINYAUTH_GENERIC_NAME:
-TINYAUTH_OAUTH_WHITELIST:
-TINYAUTH_APP_TITLE:
-TINYAUTH_BACKGROUND_IMAGE:
-
-# code-server
-CODE_PROXY_DOMAIN:
-CODE_DEFAULT_WORKSPACE:
-
-# dozzle
-DOZZLE_ACTIONS:
-DOZZLE_SHELL:
-
-# gluetun
-GLUETUN_VPN_SERVICE_PROVIDER:
-GLUETUN_VPN_TYPE:
-GLUETUN_WIREGUARD_PRIVATE_KEY:
-GLUETUN_WIREGUARD_ADDRESSES:
-GLUETUN_SERVER_COUNTRIES:
-GLUETUN_SERVER_CITIES:
-GLUETUN_SERVER_HOSTNAMES:
-
-# immich
-IMMICH_UPLOAD_LOCATION:
-IMMICH_DB_DATA_LOCATION: /postgres
-IMMICH_VERSION: release
-IMMICH_DB_PASSWORD: postgres
-IMMICH_DB_USERNAME: postgres
-IMMICH_DB_DATABASE_NAME: postgres
-
-# jellyfin
-JELLYFIN_TV_PATH:
-JELLYFIN_MOVIE_PATH:
-JELLYFIN_MUSIC_PATH:
-
-# navidrome
-NAVIDROME_MUSIC_PATH:
-
-# nextcloud
-NEXTCLOUD_POSTGRES_PASSWORD:
-NEXTCLOUD_POSTGRES_DATABASE:
-NEXTCLOUD_POSTGRES_USER:
-NEXTCLOUD_POSTGRES_HOST:
-
-# ntfy
-NTFY_UPSTREAM_BASE_URL: https://ntfy.sh
-NTFY_BASE_URL:
-
-# nzbget
-NZBGET_USER:
-NZBGET_PASS:
-NZBGET_DOWNLOADS_PATH:
-
-# pihole
-PIHOLE_FTLCONF_WEBSERVER_API_PASSWORD:
-
-# pocketid
-POCKETID_APP_URL:
-POCKETID_TRUST_PROXY:
-
-# romm
-ROMM_AUTH_SECRET_KEY:
-ROMM_LIBRARY_PATH:
-ROMM_IGDB_CLIENT_ID:
-ROMM_IGDB_CLIENT_SECRET:
-ROMM_OIDC_ENABLED:
-ROMM_OIDC_PROVIDER:
-ROMM_OIDC_CLIENT_ID:
-ROMM_OIDC_CLIENT_SECRET:
-ROMM_OIDC_REDIRECT_URL:
-ROMM_SERVER_APPLICATION_URL:
-
-# servarr
-SERVARR_MEDIA_PATH:
-
-# syncthing
-SYNCTHING_DATA_PATH:
-
-# vaultwarden
-VAULTWARDEN_DOMAIN:
-
-# gitea runner
-GITEA_INSTANCE_URL:
-GITEA_RUNNER_REGISTRATION_TOKEN:
-GITEA_RUNNER_NAME:
-GITEA_RUNNER_LABELS:
-
-# grafana
-GRAFANA_AUTH_ANONYMOUS_ENABLED:
diff --git a/scripts/extract_to_template.py b/scripts/extract_to_template.py
new file mode 100644
index 0000000..d8e3009
--- /dev/null
+++ b/scripts/extract_to_template.py
@@ -0,0 +1,29 @@
+import os
+import subprocess
+
+host_vars_path = os.path.abspath('host_vars')
+file_contents = ""
+
+if os.path.exists(host_vars_path):
+ vaults = os.listdir(host_vars_path)
+
+ print(vaults)
+ for vault in vaults:
+ vault_path = os.path.join(host_vars_path, vault)
+ print(f'ansible-vault decrypt "{vault_path}" --vault-password-file ~/.vault_pass.txt')
+ vault_contents = subprocess.run(f'ansible-vault decrypt "{vault_path}" --vault-password-file ~/.vault_pass.txt --output -', shell=True, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+ stdout = vault_contents.stdout.strip().splitlines()
+
+ for line in stdout:
+ if line.startswith("#") and line not in file_contents:
+ file_contents += f"\n{line}\n"
+
+ if ":" in line:
+ if line.split(":")[0] not in file_contents:
+ file_contents += f'{line.split(":")[0]}:\n'
+
+ with open(os.path.join(host_vars_path, 'all.template.yml'), 'w', encoding="utf8") as template_file:
+ template_file.write(file_contents)
+ template_file.close()
+
+ print("Written to disk!")
\ No newline at end of file
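Review bot: The `subprocess.run` call on the decrypt line uses `shell=True` with the file name from `os.listdir` spliced into the command string, so a `host_vars` entry whose name contains a quote or `$` is interpreted by the shell instead of being handed to `ansible-vault`; build an argv list and drop `shell=True` (expand `~` with `os.path.expanduser` since the shell no longer does it). The return code is never checked and stderr goes to `DEVNULL`, so a wrong vault password or a non-vault file — including the script's own `all.template.yml`, which `os.listdir` picks up on later runs — produces empty stdout and a silently truncated template that the workflow then opens a PR for. The `not in file_contents` tests are substring matches, so a key such as `PUID` is dropped whenever it already occurs inside another key or a comment; tracking seen keys in a set avoids that. `os.listdir` order is not stable, so `sorted(vaults)` keeps the generated template deterministic across runs. Inside the `with` block `template_file.close()` is redundant, and `universal_newlines=True` is spelled `text=True` on Python 3.7+.
```python
vault_pass = os.path.expanduser("~/.vault_pass.txt")
seen_keys = set()
# … unchanged: host_vars_path / file_contents setup and the os.path.exists guard …
    for vault in sorted(vaults):
        vault_path = os.path.join(host_vars_path, vault)
        if vault == "all.template.yml":
            continue  # the script's own output, not a vault
        result = subprocess.run(
            ["ansible-vault", "decrypt", vault_path,
             "--vault-password-file", vault_pass, "--output", "-"],
            text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
        if result.returncode != 0:
            raise SystemExit(f"decrypt failed for {vault}: {result.stderr.strip()}")
        for line in result.stdout.strip().splitlines():
            if line.startswith("#") and line not in file_contents:
                file_contents += f"\n{line}\n"
            elif ":" in line:
                key = line.split(":", 1)[0]
                if key not in seen_keys:
                    seen_keys.add(key)
                    file_contents += f"{key}:\n"
    # … unchanged: write all.template.yml …
```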