diff --git a/README.md b/README.md index 8750d29..bd91ea2 100644 --- a/README.md +++ b/README.md @@ -33,80 +33,7 @@ ansible-galaxy install ansibleguy.infra_apache --roles-path ./roles ansible-galaxy install -r requirements.yml ``` -## Functionality - -* **Package installation** - * Ansible dependencies (_minimal_) - * Apache2 - - -* **Configuration** - * Support for multiple sites/servers - * Two **config-modes**: - * serve (_default_) - * redirect - * Support for specific configurations using the 'config' and 'config_additions' parameters - - - * **Default config**: - * Disabled: Generate self-signed ones - * **ca** => Generate a minimal Certificate Authority and certificate signed by it - * **letsencrypt** => Uses the LetsEncrypt certbot - * **existing** => Copy certificate files or use existing ones - - - * **Default opt-ins**: - * restricting methods to POST/GET/HEAD - * status-page listener on localhost - * Logging to syslog - * http2 - - - * **Default opt-outs**: - * Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage - - -Options to provide module config will be added in the future!
-Also some basic mods will get a pre-config added. (_prefork, evasive_) - -## Info - -* **Note:** Most of the role's functionality can be opted in or out. - - For all available options - see the default-config located in the main/site defaults-file! - - -* **Note:** this role currently only supports debian-based systems - - -* **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection. - - -* **Note:** If you want any requested domain to get handled by a site/server you need to add a **wildcard** '*' as alias!
- - BUT: You still have to provide a main domain! - - -* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role! - - -* **Info:** To disable default settings and headers => just set their value to: '' - - -* **Info:** For LetsEncrypt renewal to work, you must allow outgoing connections to: - - 80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (_debug mode_) and r3.o.lencr.org - +---- ## Usage @@ -172,3 +99,81 @@ To debug errors - you can set the 'debug' variable at runtime: ```bash ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes ``` + +---- + +## Functionality + +* **Package installation** + * Ansible dependencies (_minimal_) + * Apache2 + + +* **Configuration** + * Support for multiple sites/servers + * Two **config-modes**: + * serve (_default_) + * redirect + * Support for specific configurations using the 'config' and 'config_additions' parameters + + + * **Default config**: + * Disabled: Generate self-signed ones + * **ca** => Generate a minimal Certificate Authority and certificate signed by it + * **letsencrypt** => Uses the LetsEncrypt certbot + * **existing** => Copy certificate files or use existing ones + + + * **Default opt-ins**: + * restricting methods to POST/GET/HEAD + * status-page listener on localhost + * Logging to syslog + * http2 + + + * **Default opt-outs**: + * Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage + + +Options to provide module config will be added in the future!
+Also some basic mods will get a pre-config added. (_prefork, evasive_) + +---- + +## Info + +* **Note:** Most of the role's functionality can be opted in or out. + + For all available options - see the default-config located in the main/site defaults-file! + + +* **Note:** this role currently only supports debian-based systems + + +* **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection. + + +* **Note:** If you want any requested domain to get handled by a site/server you need to add a **wildcard** '*' as alias!
+ + BUT: You still have to provide a main domain! + + +* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role! + + +* **Info:** To disable default settings and headers => just set their value to: '' + + +* **Info:** For LetsEncrypt renewal to work, you must allow outgoing connections to: + + 80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (_debug mode_) and r3.o.lencr.org
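Review bot: In the first hunk (README.md, around line 33), removing the Functionality and Info sections leaves only `----` between the install commands and `## Usage`, so a reader working top-down reaches the playbook commands before the prerequisites that now sit at the end of the file: the Debian-only note, the expectation that the unencrypted server only redirects, the warning that settings are not all validated, and the outbound 80/tcp and 443/tcp+udp access that LetsEncrypt renewal needs. Consider keeping a one-line pointer above `## Usage` that links to the Functionality and Info sections, or leaving the Warning and the firewall note above Usage and moving only the feature list.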
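Review bot: In the second hunk (the block appended after the debug command), the `**Default config**:` list is carried over unchanged. Its items (`Disabled: Generate self-signed ones`, `ca`, `letsencrypt`, `existing`) describe certificate modes, but the heading does not say so, and "Disabled" next to "Generate self-signed ones" reads as a contradiction. Since the block is being moved anyway, name the setting these modes belong to and reword the first item so it is clear what a user gets by default. The LetsEncrypt note in the same hunk lists `80/tcp, 443/tcp+udp` against three hostnames without saying which port applies to which host, which makes it hard to translate into a tight egress rule; one host with its ports per line would be clearer.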