diff --git a/ansible/roles/debops.apt/defaults/main.yml b/ansible/roles/debops.apt/defaults/main.yml
index 3e10a6a80f..e00ad3e923 100644
--- a/ansible/roles/debops.apt/defaults/main.yml
+++ b/ansible/roles/debops.apt/defaults/main.yml
@@ -355,6 +355,19 @@ apt__original_sources:
                              ansible_local.apt.original_mirrors_deb|d())
                          else "absent" }}'
 
+                                                                   # ]]]
+# .. envvar:: apt__default_sources_present [[[
+#
+# Define if the default APT package sources for specific distributions should
+# be used or not.
+# If package sources are defined in specific group, host or on all hosts in
+# Ansible inventory, the default sources will be disabled.
+apt__default_sources_present: '{{ "True"
+                                  if ( not apt__group_sources and
+                                       not apt__host_sources and
+                                       not apt__sources )
+                                    else "False" }}'
+
                                                                    # ]]]
 # .. envvar:: apt__default_sources [[[
 #
@@ -405,6 +418,32 @@ apt__default_sources:
     comment:      '{{ "Official " + apt__distribution + " repositories" }}'
     distribution: 'Devuan'
 
+                                                                   # ]]]
+# .. envvar:: apt__security_sources_state [[[
+#
+# Enable (if ``present``) or disable (if ``absent``) the default APT
+# repositories proving security updates.
+# If a local security mirror is defined in Ansible inventory group or host,
+# this will disable the default security repositories.
+apt__security_sources_state: '{{ "present"
+                                  if ( not apt__group_security_sources and
+                                       not apt__host_security_sources )
+                                  else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__group_security_sources [[[
+#
+# List of APT repositories that provide security updates for hosts in
+# specific Ansible inventory group.
+apt__group_security_sources: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_security_sources [[[
+#
+# List of APT repositories that provide security updates for hosts in
+# specific Ansible inventory host.
+apt__host_security_sources: []
+
                                                                    # ]]]
 # .. envvar:: apt__security_sources [[[
 #
@@ -419,7 +458,7 @@ apt__security_sources:
     suite:      '{{ apt__distribution_release + "/updates" }}'
     components: '{{ apt__distribution_components }}'
     distribution: 'Debian'
-    state:      '{{ "present"
+    state:      '{{ apt__security_sources_state
                     if (apt__distribution_release|d("unknown")
                         in apt__distribution_release_map[apt__distribution]|d([]))
                     else "absent" }}'
@@ -451,7 +490,7 @@ apt__security_sources:
     suite:      '{{ apt__distribution_release + "-security" }}'
     components: '{{ apt__distribution_components }}'
     distribution: 'Ubuntu'
-    state:      '{{ "present"
+    state:      '{{ apt__security_sources_state
                     if (apt__architecture in ["amd64", "i386"])
                     else "absent" }}'
 
@@ -461,7 +500,7 @@ apt__security_sources:
     suite:      '{{ apt__distribution_release + "-security" }}'
     components: '{{ apt__distribution_components }}'
     distribution: 'Ubuntu'
-    state:      '{{ "present"
+    state:      '{{ apt__security_sources_state
                     if (apt__architecture not in ["amd64", "i386"])
                     else "absent" }}'
 
@@ -471,7 +510,7 @@ apt__security_sources:
     suite:      '{{ apt__distribution_release + "-security" }}'
     components: '{{ apt__distribution_components }}'
     distribution: 'Devuan'
-    state:      '{{ "present"
+    state:      '{{ apt__security_sources_state
                     if (apt__distribution_release|d("unknown")
                         in apt__distribution_release_map[apt__distribution]|d([]))
                     else "absent" }}'
@@ -485,8 +524,10 @@ apt__security_sources:
 apt__combined_sources: '{{ apt__sources +
                            apt__group_sources +
                            apt__host_sources +
-                           apt__original_sources +
-                           apt__default_sources +
+                           apt__original_sources }} +
+                           {{ apt__default_sources if apt__default_sources_present else [] }} +
+                           {{ apt__host_security_sources +
+                           apt__group_security_sources +
                            apt__security_sources }}'
                                                                    # ]]]
                                                                    # ]]]
diff --git a/ansible/roles/debops.apt/templates/etc/ansible/facts.d/apt.fact.j2 b/ansible/roles/debops.apt/templates/etc/ansible/facts.d/apt.fact.j2
index e4b0bc4588..2234f43848 100644
--- a/ansible/roles/debops.apt/templates/etc/ansible/facts.d/apt.fact.j2
+++ b/ansible/roles/debops.apt/templates/etc/ansible/facts.d/apt.fact.j2
@@ -15,7 +15,7 @@ import os
 {% set apt__tpl_default_sources = [] %}
 {% set apt__tpl_default_sources_map = {} %}
 {% set apt__tpl_source_distributions = {} %}
-{% for repo in apt__security_sources %}
+{% for repo in ( apt__host_security_sources, apt__group_security_sources, apt__security_sources ) %}
 {%   set _ = apt__tpl_security_sources.extend(
                  debops__tpl_macros.flattened(
                      repo.uri, repo.uris) | from_json) %}