diff --git a/README.md b/README.md index cad224a..b5e2cb0 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Set up infrastructure for all things e-mail -## Prep +# Prep On your Ansible controller make sure the `sshpass` binary exists if Ansible has to connect to target machines via SSH username-password authentication instead of SSH key authentication. The binary usually comes with a package of the same name. @@ -16,7 +16,7 @@ We're also assuming that secrets are stored in a HashiCorp Vault instance to whi pip install hvac ``` -## Vars +# Vars * For default variables copy [ansible/roles/20-common-20-ssh/defaults/main.yml.example](ansible/roles/20-common-20-ssh/defaults/main.yml.example) to a proper `ansible/roles/20-common-20-ssh/defaults/main.yml`, adjust as needed. @@ -26,7 +26,7 @@ pip install hvac * In [ansible/roles/20-common-20-ssh/files/root/.ssh](ansible/roles/20-common-20-ssh/files/root/.ssh) copy both [authorized_keys.example](ansible/roles/20-common-20-ssh/files/root/.ssh/authorized_keys.example) and [known_hosts.example](ansible/roles/20-common-20-ssh/files/root/.ssh/known_hosts.example) to proper files. They contain SSH authorized_keys and public SSH host keys you want installed on target machines. -## Vault structure +# Vault structure In Vault we're assuming that every host in your inventory has a secret stored that contains at least the following keys: @@ -36,7 +36,7 @@ In Vault we're assuming that every host in your inventory has a secret stored th For an example server `fully.qualified.domain.name` and example user `root` Vault secrets are located at `name/domain/qualified/fully/os/root/creds`. Per [ansible/group_vars/all/vars.yml.example](ansible/group_vars/all/vars.yml.example) the default secrets engine mount point is `kv` where this playbook expects a kv secrets engine. -## Run it +# Run it On first run execute it like so: ```
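Review bot: The `## Prep` to `# Prep` change in the first hunk, repeated for `Vars`, `Vault structure` and `Run it` in the other three, puts every section at the top heading level. The first hunk starts at line 2, so line 1 of README.md is not visible here; if it holds a `# ` title, the file ends up with several H1 headings, the sections stop nesting under the title in the rendered outline, and markdownlint's single-H1 rule (MD025) will flag it. Suggest keeping `##` for the sections, or recording the reason for flattening the hierarchy in the commit message. Anchors such as `#vault-structure` are derived from the heading text, not its level, so existing links to these sections are not affected either way.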