diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index e0ca561..4b1f2da 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -81,3 +81,43 @@ proxmox_lxc_ct_ids:
 - 202
 - 203
 - 204
+
+# Only enable this if you have set up your own container registry to act as a mirror / pull-through cache
+# (harbor / nexus / docker's official registry / etc).
+# Can be beneficial for larger dev/test environments (for example if you're getting rate limited by docker hub),
+# or air-gapped environments where your nodes don't have internet access after the initial setup
+# (which is still needed for downloading the k3s binary and such).
+# k3s's documentation about private registries here: https://docs.k3s.io/installation/private-registry
+custom_registries: false
+# The registries can be authenticated or anonymous, depending on your registry server configuration.
+# If they allow anonymous access, simply remove the following bit from custom_registries_yaml
+# configs:
+# "registry.domain.com":
+# auth:
+# username: yourusername
+# password: yourpassword
+# The following is an example that pulls all images used in this playbook through your private registries.
+# It also allows you to pull your own images from your private registry, without having to use imagePullSecrets
+# in your deployments.
+# If all you need is your own images and you don't care about caching the docker/quay/ghcr.io images,
+# you can just remove those from the mirrors: section.
+custom_registries_yaml: |
+ mirrors:
+ docker.io:
+ endpoint:
+ - "https://registry.domain.com/v2/dockerhub"
+ quay.io:
+ endpoint:
+ - "https://registry.domain.com/v2/quayio"
+ ghcr.io:
+ endpoint:
+ - "https://registry.domain.com/v2/ghcrio"
+ registry.domain.com:
+ endpoint:
+ - "https://registry.domain.com"
+
+ configs:
+ "registry.domain.com":
+ auth:
+ username: yourusername
+ password: yourpassword
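Review bot: The `configs:` block inside `custom_registries_yaml` carries the registry `username` and `password` as plain text in a sample file that users are expected to copy into their own inventory and commit, and none of the surrounding comments point at a safer place for that value. I would extend the comment above `custom_registries_yaml` with one line such as `# Keep the auth credentials out of plain-text group_vars: store them in an ansible-vault encrypted variable and reference it from here.` so the secret does not end up in version control by default. It would also help readers to say in the same comment that this value is written verbatim to /etc/rancher/k3s/registries.yaml on every node, since that is where the credentials finally live.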
diff --git a/roles/k3s_custom_registries/defaults/main.yml b/roles/k3s_custom_registries/defaults/main.yml
new file mode 100644
index 0000000..704aec7
--- /dev/null
+++ b/roles/k3s_custom_registries/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# Indicates whether custom registries for k3s should be configured
+# Possible values:
+# - present
+# - absent
+state: present
diff --git a/roles/k3s_custom_registries/tasks/main.yml b/roles/k3s_custom_registries/tasks/main.yml
new file mode 100644
index 0000000..dfe48c2
--- /dev/null
+++ b/roles/k3s_custom_registries/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Create directory /etc/rancher/k3s
+ file:
+ path: "/etc/{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - rancher
+ - rancher/k3s
+
+- name: Insert registries into /etc/rancher/k3s/registries.yaml
+ blockinfile:
+ path: /etc/rancher/k3s/registries.yaml
+ block: "{{ custom_registries_yaml }}"
+ mode: '0600'
+ create: true
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index 0a8c4b5..a1796ac 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -17,6 +17,7 @@
 - name: Deploy metallb manifest
 include_tasks: metallb.yml
+ tags: metallb
 - name: Init cluster inside the transient k3s-init service
 command:
diff --git a/roles/k3s_server_post/tasks/main.yml b/roles/k3s_server_post/tasks/main.yml
index 84a79db..f88dc08 100644
--- a/roles/k3s_server_post/tasks/main.yml
+++ b/roles/k3s_server_post/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: Deploy metallb pool
 include_tasks: metallb.yml
+ tags: metallb
 - name: Remove tmp directory used for manifests
 file:
diff --git a/roles/prereq/defaults/main.yml b/roles/prereq/defaults/main.yml
new file mode 100644
index 0000000..e469b0b
--- /dev/null
+++ b/roles/prereq/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+secure_path:
+ RedHat: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+ Suse: '/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin'
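Review bot: `state: present` in roles/k3s_custom_registries/defaults/main.yml is not read by any task in roles/k3s_custom_registries/tasks/main.yml, so the documented `absent` value does nothing and the registries file is never removed (the `state: directory` in the `file` task is the module parameter, not this variable). Either drop the variable and its comment, or let the tasks honour it: `blockinfile` takes its own `state` parameter that removes the managed block when set to absent, so `state: "{{ state }}"` on that task would make the default meaningful with no other change. If the file itself should disappear on `absent`, a separate `file:` task with `state: absent` guarded by `when: state == 'absent'` is the cleaner way to express it.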
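Review bot: The `blockinfile` task in roles/k3s_custom_registries/tasks/main.yml rewrites /etc/rancher/k3s/registries.yaml but nothing restarts k3s afterwards; k3s reads that file at startup, so a first run is fine (site.yml lists the role before the server and agent roles), but a re-run that changes mirrors or credentials leaves an already running node on the old configuration. A `notify` to a handler that restarts the k3s service, or at least the comment `# registries.yaml is only read when k3s starts; re-runs that change it need a k3s restart` above the task, would make that visible. The two-item `loop` in the `file` task is also unnecessary: `state: directory` creates missing parent directories, so a single `path: /etc/rancher/k3s` does the same job. Keeping `mode: '0600'` on the registries file is right, since the block may contain registry credentials.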
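Review bot: `tags: metallb` on the `include_tasks: metallb.yml` task in roles/k3s_server/tasks/main.yml (and the identical addition in roles/k3s_server_post/tasks/main.yml) only tags the include itself; with a dynamic include the tasks inside metallb.yml do not inherit the tag, so `--tags metallb` runs the include and then skips everything it pulled in, while `--skip-tags metallb` is the only direction that behaves as intended. If the goal is to select or skip the whole metallb deployment by tag, apply the tag to the included tasks as well via `apply:`, or switch to `import_tasks`, which inherits tags statically. Both enclosing task lists continue outside the hunks.

```yaml
- name: Deploy metallb manifest
  include_tasks:
    file: metallb.yml
    apply:
      tags: metallb
  tags: metallb
# … unchanged: Init cluster task …
```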
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
index 2afb28c..2fffe06 100644
--- a/roles/prereq/tasks/main.yml
+++ b/roles/prereq/tasks/main.yml
@@ -60,10 +60,10 @@
 - name: Add /usr/local/bin to sudo secure_path
 lineinfile:
- line: 'Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+ line: 'Defaults secure_path = {{ secure_path[ansible_os_family] }}'
 regexp: "Defaults(\\s)*secure_path(\\s)*="
 state: present
 insertafter: EOF
 path: /etc/sudoers
 validate: 'visudo -cf %s'
- when: ansible_os_family == "RedHat"
+ when: ansible_os_family in [ "RedHat", "Suse" ]
diff --git a/site.yml b/site.yml
index 8f24982..33653a9 100644
--- a/site.yml
+++ b/site.yml
@@ -20,6 +20,9 @@
 become: true
 - role: raspberrypi
 become: true
+ - role: k3s_custom_registries
+ become: true
+ when: custom_registries
 - name: Setup k3s servers
 hosts: master
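Review bot: The `when: ansible_os_family in [ "RedHat", "Suse" ]` list in roles/prereq/tasks/main.yml duplicates the keys of the new `secure_path` mapping in roles/prereq/defaults/main.yml, so adding a third family to the defaults still requires editing this line, and any mismatch between the two surfaces as an undefined-key error inside the `{{ secure_path[ansible_os_family] }}` lookup rather than a skipped task. Deriving the condition from the mapping keeps them in one place: `when: ansible_os_family in secure_path`. The task still replaces the distro's existing `Defaults secure_path =` line wholesale, which is unchanged behaviour, but a one-line comment above the task saying that the configured value replaces rather than extends the packaged secure_path would save the next reader from checking.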
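Review bot: `when: custom_registries` on the new `k3s_custom_registries` role entry in site.yml evaluates an inventory variable that only the updated sample group_vars defines; an existing inventory without that key makes the play fail with an undefined-variable error instead of skipping the role. Guard it with `when: custom_registries | default(false)`, or add `custom_registries: false` to roles/k3s_custom_registries/defaults/main.yml so every host has a value. The play this entry belongs to starts outside the hunk.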