diff --git a/README.md b/README.md
index b5e2cb0..ef92914 100644
--- a/README.md
+++ b/README.md
@@ -49,3 +49,24 @@ On subsequent runs like so:
 ```
 ansible-playbook --inventory hosts.yml playbook.yml
 ```
+
+## first_run
+
+To make sure a `first_run` correctly runs all regular tasks plus `first_run`-specific tasks [ansible/roles/20-common-20-ssh/tasks/main.yml](ansible/roles/20-common-20-ssh/tasks/main.yml) has its `import_tasks` tagged as `first_run`.
+
+```
+- import_tasks: '20-ssh.yml'
+  tags:
+    - 'first_run'
+```
+
+As a result all tasks in that import inherit `first_run`. Two of them, however, must only run during `first_run` and never during normal operation. They get:
+
+```
+- name: '...'
+  tags:
+    - 'first_run'
+    - 'never'
+```
+
+This overrides the single `first_run` inherited tag. Ansible special tag `never` ensures that these particular tasks are _**never**_ executed unless `first_run` is called. Tasks outside of `20-common-20-ssh` role are not tagged with `first_run` at all so are ignored during a `first_run`.