diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000000000000000000000000000000000000..5f1bb03f5d7e6736afe240895bfc09473536d894
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,9 @@
+parseable: true
+quiet: true
+use_default_rules: true
+skip_list:
+  - '204'  # line length is checked by yamllint
+  - '401'  # git checkout must contain explicit version
+  - '701'  # 7xx is about ansible galaxy guidelines
+  - '702'
+  - '703'
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3f69d9404ecee38bb9494572d2ac4e1f52dee3c
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,27 @@
+---
+
+image: registry.git.fsmpi.rwth-aachen.de/infra/ci-containers/fsmpi-ansible:buster
+
+variables:
+  GIT_SUBMODULE_STRATEGY: recursive
+
+before_script:
+  - export LANG=en_US.UTF-8
+  - chmod o-w .
+  - apt-get -qq update && apt-get -qq install -y ansible-lint ripgrep
+  - ansible --version
+  - ansible-lint --version
+  - yamllint --version
+
+stages:
+  - test
+
+test:
+  stage: test
+  script:
+    - yamllint .
+    # TODO remove exclude, remove skip list entry 206
+    # yamllint disable-line rule:line-length
+    - ansible-lint --exclude webserver/tasks/zabbix.yml -x 206 ./*/
+    # yamllint disable-line rule:line-length
+    - "! rg --fixed-strings 'passwordstore' ./*/templates"
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000000000000000000000000000000000000..734b455b7699514d0588d4806d83d5abefca95d8
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,23 @@
+---
+
+extends: default
+
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+    allow-non-breakable-inline-mappings: true
+  octal-values:
+    forbid-implicit-octal: true
+    level: error
+  # quoted-strings: enable
+  truthy:
+    level: error
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..8fa06708c3480db97a634cdbd2afad3c44377463
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    webservices
+    Copyright (C) 2021  infra / ansible-shared
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    webservices  Copyright (C) 2021  infra / ansible-shared
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..6e4672e17595a2f4dc7af2a6e4f2e0e6d3809c80
--- /dev/null
+++ b/README.md
@@ -0,0 +1,257 @@
+# Webservices 
+
+
+## Roles
+
+- `acmetool`, manages let's encrypt certificates via acmetool
+- `debian-repository`, installs the software reprepro (very basic)
+- `mediawiki`, setups mediawiki with php-fpm
+- `php-fpm`, setups php-fpm pools
+- `sentry`, error collection api and web app
+- `shibboleth`, configures a shibboleth-authenticated nginx resource
+- `uwsgi-python`, unified web app deployment role for python-based web apps 
+- `webserver`, configures nginx 
+- `wordpress`, setups wordpresses via an overlayfs technology 
+
+*Note:* Some roles are still undocumented. Some previously available roles have been merged into `uwsgi-python`.
+
+## uwsgi-python
+
+The idea of this role is to have only one role for all the python-based web apps. Instead of a role (and group) for every single app. 
+We distinguish between apps and instances. An app is the actual program, which can be instaciated more than once, which we call the instance.
+
+The role iterates over the list `webapps` (in the host vars) and imports app and instance specific variable files.
+An app specific task snippet is imported if it is configured in the variable files (see below). 
+
+We place the instance specific variable file under `<inventory_dir>/vars/<instance>.yml`. The app specific variable file is `<role_dir>/vars/<app>.yml`. 
+In the latter file there should be sensible defaults for _every_ variable used within the role. 
+Before the app specific variable file the file `<role_dir>/vars/default.yml` is included.
+
+This role needs the patch from this [pull-request](https://github.com/ansible/ansible/pull/39762) or ansible 2.6 or later.
+
+### Variables
+
+- `app_name`: the name of the app
+- `app_user`: the user which runs the app---will be created
+- `app_group`: the user's group which runs the app---will be created
+- `app_home`: home directory of the user, usually `/var/www/<app_user>`
+- `app_path`: the path where the program can be found, usually same as `app_home`
+- `app_python_version`: the app's python version as number (2|3)
+- `app_venv`: the absolut path to the virtualenv, which shall be used for the app
+- `app_program`: the python executable, which lies in `app_path`
+- `app_callable`: uwsgi variable <callable>, mostly app
+- `app_command`: commandline arguments for the app
+- `app_mountpoint`: the path in the URI, if the app shall be reachable under https://www.example.com/app, usually /
+- `app_db_name`: name of the db for the app, can be `""` if not any database is needed, usally same as `app_user`
+- `app_db_type`: db type: (postgres|mysql|sqlite) 
+- `app_additional_software`: list of software, which is additionally needed by the app e.g. LaTeX. If no additional software is needed it is `[]`
+- `app_deploy_key`: path to a ssh-key which is needed to get the software usually, `{{ inventory_dir }}/files/deploy-keys/<app_name>`.
+- `app_git_url`: git url of the project 
+- `app_git_version`: git version usually `HEAD`
+- `app_config_file`: config file, usally `config.py`
+- `app_secret_config`: it might be useful to have the cookie's key in seperate config (true|false)
+
+*Note:* Due to the heterogenous nature of our supported web apps, there are additional variables available for fine tuning. See `<role_dir>/vars/default.yml` for details.
+
+### How to create a new app
+
+Create `<role_dir>/vars/<app_name>.yml`. Define the variables from above in it and the variables that you need for you config file.
+We recommend to define them as defaults (and as documentation).
+
+Next, if you need to deploy a config file, create `<role_dir>/templates/apps/<app_name>.j2`. Note, that you can enable `app_secret_config` and import generated secrets from there.
+If you need some additional tasks, you can define them in `uwsgi-python/tasks/apps/<app_name>.j2`.
+
+If you have done this, you can create an instance of the app. Note, that you have to define an instance for every app you use, even if you only want to deploy it once.
+
+### How to create a new app's instance
+
+Create for every instance `<inventory_dir>/vars/<instance_name>.yml`, in which you can override the defaults from `uwsgi-python/vars/<app_name>.yml`.
+Define in your `<host_vars>/<host>` the dictionary `webapps` as follows:
+
+```
+webapps:
+  - instance: <instance_name>
+    app: <app_name>
+    app_vars: <instance_name>.yml
+```
+
+It is very important to add an handler to `<role_dir>/handlers/main.yml` to allow the role to restart the uwsgi instance.
+
+```
+- name: restart uwsgi instance <instance_name>
+  service: name="uwsgi@<instance_name>" state=restarted
+```
+
+## webserver
+
+This role manages the nginx configuration for a host based on the variable `webservers`.
+
+### Structure
+
+Every host (e.g. `web`) has a list of servers, corresponding to a configuration file which can be enabled or disabled.
+Each server has a list of sites, corresponding to a `server` block in the configuration file.
+Each site has a `type`, general information about the proxy and how to link it to the internal application, and depending on the site type a list of `locations`.
+
+Configuration files are generated in `/etc/nginx/(proxy-)?sites-available/` and - if enabled - linked in `/etc/nginx/(proxy-)?sites-enabled/`.
+Two nginx configuration files (`/etc/nginx/nginx.conf` and `/etc/nginx/nginx-proxy.conf`) are generated with their corresponding systemd units.
+
+If no servers are configured (i.e. the `webservers` variables missing), example config files are deployed and all files in the `-enabled` directories are included.
+If servers are configured, the generated configuration files end with `.conf` and only those are included.
+
+### Variables
+
+#### General
+
+Those variables are not part of the `webservers` variable, but rather single, per-host variables.
+
+* `webserver_resolver`: list of nameservers, defaults to global configuration
+* `webserver_enable_ipv6`: enables ipv6 for internal resolver requests, default `true`
+* `webserver_enable_acme_default`: adds a separate default server serving only acme requests for unconfigured sites, default `true`
+* `cipher_strength`: selects available tls ciphers and protocol versions, `modern` (default) or `intermediate`
+
+#### Server
+
+* `name`: an identifier, unique
+* `enabled`: `yes` or `no`
+* `servers`: list of `sites`
+
+#### Site
+
+* `type`: `webapp` or special, e.g. `mediawiki`, determines template in `webserver/templates/sites/`
+* one of (used for nginx-proxy-communication):
+  - `port`: ip port (e.g. 62000)
+  - `socket`: path to unix socket
+* one of:
+  - `server_name`: domain name of the website
+  - `server_names`: list of domain names of the website
+* `root`: path to website root directory
+* `indices`: list of index file names
+* `forward_http`: if `yes`, the proxy redirects HTTP requests to HTTPS (cf. `sites/httprewrite.conf`, optional), default `true`
+* `forward_ip`: if `yes`, the proxy redirects requests to the hosts IP to the hosts domain name (cf. `sites/iprewrite.conf`, optional)
+  - only useful on one server per host
+* `forward_hostnames`: one of (optional)
+  - list of hostnames to redirect to this servers domain
+  - dict:
+    - `path`: path under this domain to redirect the hostnames to
+    - `hostnames`: list of hostnames to redirect to this domain
+* `no_ssl`: if `yes`, the proxy listens to HTTP, not HTTPS
+* `certificate`: path to the TLS certificate file (defaults to acmetool path)
+* `private_key`: path to the TLS private key file (defaults to acmetool path)
+* `cipher_strength`: `modern` or `intermediate` (cf. `vars/main.yml`, optional)
+* `xss_protect`: if `true`, enables browser-side XSS mitigation, default `true`
+* `no_sniff`: if `true`, disallows browser-side MIME type sniffing, default `true`
+* `referrer_policy`: if `true`, only sends HTTP Referrer header for same origin requests, default `true`, alternativly you may pass any policy string yourself (e.g. `strict-origin-when-cross-origin`, `no-referrer`, `strict-origin`)
+* `expect_ct`: if `true`, tells the browser to check the certificate via public CertificateTransparency logs, alternatively you may pass a policy string directly, default `true`
+* `cors`: for APIs only, sets allowed request origin, `true` == `*`, default `false`, enforces API-compatible restrictions for MIME sniffing, framing and CSP
+* `csp`: set to `true` for a lax default Content Security Policy, `self` for a stricter version without inline code, default `true`, set to a dict containing directives as keys for a custom policy
+* `use_sso`: include single sign on for this server
+* `sso_protect_all`: if `no`, proxy locations do not automatically require single sign on auth if `use_sso` is set (default `yes`, optional)
+* `include_acme`: if `no`, the acmetool snippet is not included (optional, default `true`)
+* `include_snippets`: list of snippets files (in `/etc/nginx/snippets/`) to include (optional)
+* `internal_locations`: list of internal locations
+  - *required* to generate internal config (empty list != omitted)
+  - used by site type `webapp`
+* `public_locations`:
+  - list of public locations
+  - required to generate proxy config
+
+#### Location
+
+* `type`: location block type (cf. `templates/locations/`)
+* `path`: which path this location maps to
+* `exact`: if `yes`, the path matches exactly, without matching subdirectories (cf. `location =`, optional)
+* `prefer_to_regex`: if `yes`, if this location is the longest prefix match, regexes are not matched (cf. `location ^~`, optional)
+* `regex`: if yes, the path specification is a regular expression (cf. `location ~`, optional)
+* `case_insensitive`: if `yes`, the path regex is case insensitive (cf. `location ~*`, optional)
+  - only with `regex: yes`
+* `locations`: list of locations, nested in this location (optional)
+* `root`: the root directory of this location (optional)
+* `indices`: the index pages of this location (optional)
+* `expires`: expiry time for the content (optional)
+* `error_page`: the error page of this location (optional)
+* `params`: dictionary of parameters passed through to the nginx config (optional)
+* `conditions`: list of condition dictionaries passed for this location (optional)
+  - `condition`: the part inbetween `if` and `{`
+  - `actions`: list of lines inbetween `{` and `}`
+* `pam_auth`: if set, this location requires PAM authentication
+  - `name`: the name to show the user (default `FSMPI`, optional)
+  - `service`: the PAM service required (default `nginx`, optional)
+* `basic_auth`: if set, this location requires basic auth
+  - `name` the name to show to the user (default `FSMPI`, optional)
+  - `file`: the file to get users and passwords from
+* `allow_only_networks`: list of dictionaries this location is limited to (optional)
+  - `network`: IP/CIDR notation allowed to access this site
+  - `comment`: comment explaining this location (for config readability, required)
+
+##### fastcgi
+
+To be used with a fastcgi application, e.g. `php-fpm`.
+
+* `socket`: fastcgi socket (either host:port or unix:path)
+* `script_name`: `SCRIPT_FILENAME` without `$document_root` (optional)
+* `pass_real_ip`: if `yes`, `$http_x_real_ip` is passed as `REMOTE_ADDR` (optional, usually not needed for passing the correct IP)
+* `index`: filename appended to paths ending with `/` (optional, defaults to standard index setting)
+* `pass_user`: `$remote_user` is passed as `REMOTE_USER` (optional, default `true`)
+
+##### proxy
+
+Passes this request to a HTTP(S) proxy, used e.g. in the nginx-proxy.
+
+* `sso_protect`: if `yes`, this location requires single sign on authentication
+  - by default `sso_protect_all` is `yes`, therefore this is only required if only some locations should be protected
+* ony of (optional):
+  - `proxy_host`: domain to pass the request to
+  - `proxy_port`: port (on localhost) to pass this request to
+  - `proxy_unix`: path to unix socket to pass this request to
+  - if none of these, `server.port` or `server.socket` is used
+* `proxy_relative`: if `yes`, the request path is passed to the proxy (default: `no`, optional), otherwise all requests are passed to `/`
+* `proxy_cookie`: if `true`, proxies cookies at path `/` and adds the options `secure`, `httponly` and `SameSite=lax`, set to `strict` for the corresponding `SameSite` option, default `false`
+* `proxy_headers`: list of headers to pass along the request (optional)
+  - `key`: header name
+  - `value`: header value
+
+##### uwsgi
+
+Passes requests to an uwsgi socket.
+
+* `socket`: unix (with `unix:` prefix) or ip socket uwsgi listens on
+* `pass_real_ip`: if `yes`, remote address from `real_ip` are passed (optional, usually not needed for passing the correct IP)
+
+##### static
+
+Server static files from a directory.
+
+* `alias`: filesstem directory equivalent to this location (optional)
+  - otherwise, `root` from the location of server is used
+* `try_uri`: which URIs should be searched by `try_files`, default `$uri $uri/`
+* `try_default`: which location to select if `try_files` did not find the URI, default `=404`
+
+##### redirect
+
+Redirects the request to another location.
+
+* `target`: URL (with or without host) to redirect to
+* `temporary`: if `yes`, a temporary redirect (302) is used, otherwise a permanent (301) (optional, default `no`)
+
+##### rewrite
+
+* `rewrites`: list of rewrites to apply (cf. nginx rewrite syntax)
+
+##### named
+
+Passes this request to a hidden `@location` if the file is not found.
+
+* `name`: the name of the named location to pass this request to (without `@`)
+
+##### param-only
+
+Sets parameters (c.f. `params` above) for this location, does nothing special.
+
+##### deny
+
+Disallows to see this page (cf. `deny all`).
+
+##### gone
+
+Tells the user that the content has disappeared, i.e. HTTP 410.
+
diff --git a/acmebot/defaults/main.yml b/acmebot/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5a3661320bd4ac87e1b2324c123d1106569028e0
--- /dev/null
+++ b/acmebot/defaults/main.yml
@@ -0,0 +1,196 @@
+---
+
+acmebot_account_mail: "{{ adminaddr }}"
+acmebot_version: "v2.7.0"
+acmebot_enable_update_check: true
+
+acmebot_settings: {}
+acmebot_default_settings:
+  log_level: "detail"
+  color_output: true
+
+  acme_directory_url: "https://acme-v02.api.letsencrypt.org/directory"
+  public_suffix_list_url: "https://publicsuffix.org/list/public_suffix_list.dat"
+  ocsp_responder_urls:
+    - "http://ocsp.int-x3.letsencrypt.org"
+  reload_zone_command: null
+  nsupdate_command: null
+  hpkp_report_uri: null
+  ct_submit_logs:
+    - "google_argon"
+    - "google_xenon"
+
+  file_user: root
+  file_group: root
+
+  key_size: 4096  # null to turn off RSA certificates
+  key_curve: "secp384r1"  # null to turn off ECDSA certificates
+  key_cipher: null
+  key_passphrase: null  # null to turn off private key encryption
+  dhparam_size: 2048  # null to turn off custom dhparams
+  ecparam_curve: "secp384r1"  # null to turn off custom EC params
+
+  follower_mode: false
+  ocsp_must_staple: false  # application support isn't good enough
+  auto_rollover: true  # must be false on followers
+  pin_subdomains: false
+  verify: null  # e.g. [443]
+  services: null  # e.g. [nginx-proxy]
+
+  hpkp_days: 60
+  renewal_days: 30
+  expiration_days: 730
+  max_dns_lookup_attempts: 60
+  dns_lookup_delay: 10
+  max_domains_per_order: 100
+  max_authorization_attempts: 30
+  authorization_delay: 10
+  cert_poll_time: 30
+  max_ocsp_verify_attempts: 10
+  ocsp_verify_retry_delay: 5
+  min_run_delay: 300
+  max_run_delay: 3600
+
+# can be empty string, e.g. when using only one key type
+acmebot_key_suffixes: {}
+acmebot_default_key_suffixes:
+  rsa: ".rsa"
+  ecdsa: ".ecdsa"
+
+# format strings with: name (of privkey or cert), key_type, suffix, server
+# http_challenge uses: zone, host (without zone, "." if fqdn == zone), fqdn
+# if http_challenge is set, defaults to http-01
+#   set to null for specified certs to use dns-01 for those
+acmebot_directories: {}
+acmebot_default_directories:
+  pid: "/run/acmebot"
+  log: "/var/log/acmebot"
+  resource: "/var/lib/acmebot"
+  temp: null
+
+  private_key: /etc/ssl/acmebot/privkey
+  backup_key: /etc/ssl/acmebot/backup_privkey
+  previous_key: null
+  full_key: /etc/ssl/acmebot/full_privkey  # maybe null to turn off
+  certificate: /etc/ssl/acmebot/cert
+  full_certificate: /etc/ssl/acmebot/full_cert  # maybe null
+  chain: /etc/ssl/acmebot/chain  # maybe null
+  param: /etc/ssl/acmebot/params  # maybe null
+  challenge: /etc/ssl/acmebot/challenges  # for dns-01 only
+  http_challenge: "/var/run/acme/acme-challenge"  # maybe null
+  hpkp: /etc/ssl/acmebot/hpkp  # maybe null
+  ocsp: /etc/ssl/acmebot/ocsp  # maybe null
+  sct: "/etc/ssl/acmebot/scts/{name}/{key_type}"  # maybe null
+  update_key: /etc/ssl/acmebot/update_keys
+  archive: /etc/ssl/acmebot/archive
+
+# format strings with: name (of privkey or cert), key_type, suffix, server
+acmebot_file_names: {}
+acmebot_default_file_names:
+  log: "acmebot.log"
+
+  private_key: "{name}{suffix}.pem"
+  backup_key: "{name}_backup{suffix}.pem"
+  previous_key: "{name}_previous{suffix}.pem"
+  full_key: "{name}_full{suffix}.pem"
+  certificate: "{name}{suffix}.pem"
+  full_certificate: "{name}{suffix}.pem"
+  chain: "{name}_chain{suffix}.pem"
+  param: "{name}_param.pem"
+  challenge: "{name}"
+  hpkp: "{name}.{server}"
+  ocsp: "{name}{suffix}.ocsp"
+  sct: "{ct_log_name}.sct"
+
+# override with null
+acmebot_hpkp_headers: {}
+acmebot_default_hpkp_headers:
+  apache: "Header always set Public-Key-Pins \"{header}\"\n"
+  nginx: "add_header Public-Key-Pins \"{header}\" always;\n"
+
+acmebot_services: {}
+acmebot_default_services:
+  dovecot: "systemctl restart dovecot"
+  mysql: "systemctl reload mysql"
+  nginx: "systemctl reload nginx"
+  nginx-proxy: "systemctl reload nginx-proxy"
+  postfix: "systemctl reload postfix"
+  postgresql: "systemctl reload postgresql"
+  prosody: "systemctl restart prosody"
+
+# authorizations to maintain without certficates (e.g. for master/follower)
+acmebot_authorizations: {}
+#   <zone-name>:
+#     - <host-name>
+#     - <host-name>
+
+# when global http_challenges directory set: use null to revert back to dns-01
+# else: override dns-01 default with http-01 per domain
+acmebot_http_challenges: {}
+#   <domain-name>: <challenge-directory>
+
+# for doing DNSSEC manually, specify TSIG keys
+acmebot_zone_update_keys: {}
+
+# when using HPKP it may be beneficial to share private keys between certs
+# this dict contains multiple certificate sections per private key,
+#   all key-specific config moved up
+acmebot_private_keys: {}
+
+acmebot_certificates: {}
+#   <certificate-name>:
+#     common_name: <common-name>
+#     alt_names:
+#       <zone-name>:
+#         - "@",
+#         - <host-name>
+#     services:
+#       - <service-name>
+#     tlsa_records:
+#       <zone-name>:
+#         - <host-name>
+#         - host: <host-name>
+#           port: <port-number>
+#           usage: pkix-ee
+#           selector: spki
+#           protocol: tcp
+#           ttl: 300
+#     dhparam_size: 2048
+#     ecparam_curve: secp384r1
+#     key_types:
+#       - rsa
+#       - ecdsa
+#     key_size: 4096
+#     key_curve: secp384r1
+#     key_cipher: blowfish
+#     key_passphrase:
+#     expiration_days: 730
+#     auto_rollover: false
+#     hpkp_days: 30
+#     pin_subdomains: true
+#     hpkp_report_uri:
+#     ocsp_must_staple: false
+#     ocsp_responder_urls:
+#       - "http://ocsp.int-x3.letsencrypt.org"
+#     ct_submit_logs:
+#       - google_icarus
+#       - google_pilot
+#     verify:
+#       - 443,
+#       - port: 25
+#         hosts:
+#           - <domain-name>
+#           - <domain-name>
+#         starttls: smtp
+#         key_types:
+#           - rsa
+# 					- ecdsa
+
+# all empty per default, see README for possible hook names
+acmebot_hooks: {}
+
+# This variable will override the built-in defaults. If you need to set it,
+# you can grab an up-to-date copy of those defaults from the official
+# repository to merge them manually.
+# see also: https://www.certificate-transparency.org/known-logs
+acmebot_ct_logs: {}
diff --git a/acmebot/files/acmebot.service b/acmebot/files/acmebot.service
new file mode 100644
index 0000000000000000000000000000000000000000..8ba466a125cd0a880db8176db4235146dc5da4a4
--- /dev/null
+++ b/acmebot/files/acmebot.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Reconcile Let's Encrypt certificates
+Documentation=file:/usr/share/doc/acmebot/README.rst.gz
+After=nss-lookup.target
+After=apache2.service nginx.service bind9.service nginx-proxy.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/acmebot --accept
+TimeoutStartSec=5min
+CapabilityBoundingSet=CAP_CHOWN
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/ssl
+ConfigurationDirectory=acmebot
+RuntimeDirectory=acmebot acme/acme-challenge
+StateDirectory=acmebot
+LogsDirectory=acmebot
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
diff --git a/acmebot/files/acmebot.timer b/acmebot/files/acmebot.timer
new file mode 100644
index 0000000000000000000000000000000000000000..02c80b10717fd691b3ac907e02a27482122e2ad1
--- /dev/null
+++ b/acmebot/files/acmebot.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Reconcile Let's Encrypt certificates twice daily
+
+[Timer]
+OnCalendar=*-*-* 00,12:00:00
+RandomizedDelaySec=1h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
+
diff --git a/acmebot/handlers/main.yml b/acmebot/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..109aa69fe24fa659bfe116cdc86cc8a5b0ed44fb
--- /dev/null
+++ b/acmebot/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+
+- name: update certificates
+  systemd: name=acmebot.service state=restarted
diff --git a/acmebot/tasks/main.yml b/acmebot/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3ff71781c7dde05e576402569893d7b4af53d577
--- /dev/null
+++ b/acmebot/tasks/main.yml
@@ -0,0 +1,97 @@
+---
+
+- name: ensure requirements for acmebot are installed
+  apt:
+    name:
+      - python3-appdirs
+      - python3-pyparsing
+      - python3-packaging
+      - python3-openssl
+      - python3-dns
+      - python3-cryptography
+      - python3-asn1crypto
+      - python3-acme
+      - python3-yaml
+    state: present
+
+- name: get the acmebot repository
+  git:
+    repo: https://github.com/plinss/acmebot.git
+    dest: /opt/acmebot
+    version: "{{acmebot_version}}"
+  environment:
+    TMPDIR: /root/.ansible/tmp
+
+- name: add acmebot to path
+  file:
+    src: /opt/acmebot/acmebot
+    dest: /usr/local/sbin/acmebot
+    state: link
+
+- name: install systemd units
+  copy:
+    src: "{{item}}"
+    dest: /etc/systemd/system/
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - "acmebot.service"
+    - "acmebot.timer"
+  notify:
+    - reload systemd service files
+
+- name: create the acmebot config directory
+  file:
+    path: /etc/acmebot
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: ensure the acmebot is configured
+  template:
+    src: acmebot.yaml.j2
+    dest: /etc/acmebot/acmebot.yaml
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - update certificates
+
+- name: ensure the LE root certificates are linked
+  file:
+    # yamllint disable-line rule:line-length
+    path: "/etc/acmebot/root_cert{{ (acmebot_default_key_suffixes|combine(acmebot_key_suffixes))[item] }}.pem"
+    src: /etc/ssl/certs/ISRG_Root_X1.pem
+    state: link
+  with_items:
+    - rsa
+    - ecdsa
+  notify:
+    - update certificates
+
+- name: ensure certificates are updated regularly
+  systemd:
+    name: acmebot.timer
+    enabled: true
+    state: started
+
+- name: check for updates daily
+  file:
+    src: /opt/acmebot/update-check.sh
+    dest: /etc/cron.daily/acmebot-update-check.sh
+    state: link
+  when: acmebot_enable_update_check
+
+- name: don't check for updates daily
+  file:
+    path: /etc/cron.daily/acmebot-update-check.sh
+    state: absent
+  when: not acmebot_enable_update_check
+
+- name: rotate acmebot logs
+  file:
+    src: /opt/acmebot/logrotate.d/acmebot
+    dest: /etc/logrotate.d/acmebot
+    state: link
diff --git a/acmebot/templates/acmebot.yaml.j2 b/acmebot/templates/acmebot.yaml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cbd6d5d130329695a013d6a30a5c6d1f179b15fa
--- /dev/null
+++ b/acmebot/templates/acmebot.yaml.j2
@@ -0,0 +1,45 @@
+---
+
+{% set certificates = dict(certificates=acmebot_certificates) %}
+{{ certificates|to_nice_yaml }}
+
+{% set private_keys = dict(private_keys=acmebot_private_keys) %}
+{{ private_keys|to_nice_yaml }}
+
+account:
+  email: "{{ acmebot_account_mail }}"
+
+{% set settings = dict(settings=acmebot_default_settings|combine(acmebot_settings, recursive=True)) %}
+{{ settings|to_nice_yaml }}
+
+{% set directories = dict(directories=acmebot_default_directories|combine(acmebot_directories)) %}
+{{ directories|to_nice_yaml }}
+
+{% set key_type_suffixes = dict(key_type_suffixes=acmebot_default_key_suffixes|combine(acmebot_key_suffixes)) %}
+{{ key_type_suffixes|to_nice_yaml }}
+
+{% set file_names = dict(file_names=acmebot_default_file_names|combine(acmebot_file_names)) %}
+{{ file_names|to_nice_yaml }}
+
+{% set hpkp_headers = dict(hpkp_headers=acmebot_default_hpkp_headers|combine(acmebot_hpkp_headers)) %}
+{{ hpkp_headers|to_nice_yaml }}
+
+{% set services = dict(services=acmebot_default_services|combine(acmebot_services)) %}
+{{ services|to_nice_yaml }}
+
+{% set authorizations = dict(authorizations=acmebot_authorizations) %}
+{{ authorizations|to_nice_yaml }}
+
+{% set http_challenges = dict(http_challenges=acmebot_http_challenges) %}
+{{ http_challenges|to_nice_yaml }}
+
+{% set zone_update_keys = dict(zone_update_keys=acmebot_zone_update_keys) %}
+{{ zone_update_keys|to_nice_yaml }}
+
+{% set hooks = dict(hooks=acmebot_hooks) %}
+{{ hooks|to_nice_yaml }}
+
+{% if acmebot_ct_logs|length > 0 %}
+{% set ct_logs = dict(ct_logs=acmebot_ct_logs) %}
+{{ ct_logs|to_nice_yaml }}
+{% endif %}
diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..30bd4da898cb362f11d61cdb3e61c86c5192c362
--- /dev/null
+++ b/acmetool/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# file: acmetool/defaults/main.yml
+
+acmetool_endpoint: "https://acme-v01.api.letsencrypt.org/directory"
+acmetool_key_type: rsa
+acmetool_rsa_key_size: 4096
+
+acmetool_mail: "{{ adminaddr }}"
+acmetool_services: ["nginx-proxy"]
diff --git a/acmetool/files/service-after.conf b/acmetool/files/service-after.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a54ec72b702a5b82200d813310d1f8f5fc2fe5e0
--- /dev/null
+++ b/acmetool/files/service-after.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=nginx-proxy.service
diff --git a/acmetool/handlers/main.yml b/acmetool/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..77446560d0582e1529f59e0aa4ce58cac8e721eb
--- /dev/null
+++ b/acmetool/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# file: acmetool/handlers/main.yml
+
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+
+- name: update certificates
+  systemd: name=acmetool.service state=started
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8f67244ea93caabb12cb819f839e7d78ff592c25
--- /dev/null
+++ b/acmetool/tasks/main.yml
@@ -0,0 +1,135 @@
+---
+# file: acmetool/tasks/main.yml
+
+- name: ensure acmetool is installed
+  apt:
+    name: acmetool
+    state: present
+  tags:
+    - acmetool
+    - packages
+
+- name: ensure we have our response file
+  template:
+    src: response-file.yml.j2
+    dest: /var/lib/acme/quickstart-reponses.yml
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - acmetool
+    - config
+
+- name: check if acmetool is configured
+  command: acmetool status
+  register: acmetool_status
+  changed_when: false
+  tags:
+    - acmetool
+    - config
+
+- name: initially configure acmetool
+  # yamllint disable-line rule:line-length
+  command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
+  when: not acmetool_status.stdout is search(acmetool_endpoint)
+  tags:
+    - acmetool
+    - config
+
+- name: ensure acmetool reloads the right service
+  template:
+    src: reload-config.j2
+    dest: /etc/default/acme-reload
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - acmetool
+    - config
+
+- name: ensure we can modify the systemd unit
+  file:
+    path: /etc/systemd/system/acmetool.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  notify:
+    - reload systemd service files
+  when: "'nginx-proxy' in acmetool_services"
+  tags:
+    - acmetool
+    - services
+
+- name: ensure systemd waits for the right service
+  copy:
+    src: service-after.conf
+    dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+  when: "'nginx-proxy' in acmetool_services"
+  tags:
+    - acmetool
+    - services
+
+- name: ensure the desired certificates are configured
+  template:
+    src: desired.conf
+    dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items: "{{acmetool_certificates}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: get activated certificates
+  find:
+    paths: /var/lib/acme/desired
+    pattern: "*"
+    file_type: file
+  register: active_certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: deactivate unconfigured certificates
+  file:
+    path: "/var/lib/acme/desired/{{item}}"
+    state: absent
+  # yamllint disable-line rule:line-length
+  loop: "{{active_certificates.files|map(attribute='path')|map('basename')|difference(acmetool_certificates|map(attribute='hostnames')|map('first'))|list}}"
+  loop_control:
+    label: "{{item}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: test if the desired certificates are present
+  stat:
+    path: "/var/lib/acme/live/{{item.hostnames[0]}}"
+  register: live_stat
+  changed_when: not live_stat.stat.exists
+  with_items: "{{acmetool_certificates}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: ensure certificates are updated regularly
+  systemd:
+    name: acmetool.timer
+    enabled: true
+    state: started
+  tags:
+    - acmetool
+    - services
diff --git a/acmetool/templates/desired.conf b/acmetool/templates/desired.conf
new file mode 100644
index 0000000000000000000000000000000000000000..eae3c4032c524081e03e7ca5b2491882d6fbd120
--- /dev/null
+++ b/acmetool/templates/desired.conf
@@ -0,0 +1,6 @@
+satisfy:
+  names:
+{% for hostname in item.hostnames %}
+    - {{hostname}}
+{% endfor %}
+    
diff --git a/acmetool/templates/reload-config.j2 b/acmetool/templates/reload-config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3271bdf82b976ae73f453c1d843e1d334e891c5d
--- /dev/null
+++ b/acmetool/templates/reload-config.j2
@@ -0,0 +1 @@
+SERVICES="{{acmetool_services|join(" ")}}"
diff --git a/acmetool/templates/response-file.yml.j2 b/acmetool/templates/response-file.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..914708fd2a79f85e8fb29fb68f884ad8bd7882d9
--- /dev/null
+++ b/acmetool/templates/response-file.yml.j2
@@ -0,0 +1,14 @@
+"acme-enter-email": "{{acmetool_mail}}"
+"acme-agreement:{{(lookup('url', acmetool_endpoint, split_lines=False)|from_json)['meta']['terms-of-service']}}": true
+"acmetool-quickstart-choose-server": "{{acmetool_endpoint}}"
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-key-type": {{acmetool_key_type}}
+{% if acmetool_key_type == "rsa" %}
+"acmetool-quickstart-rsa-key-size": {{acmetool_rsa_key_size}}
+{% endif %}
+"acmetool-quickstart-install-haproxy-script": false
+# systemd does that
+"acmetool-quickstart-install-cronjob": false
+# we use webroot
+"acmetool-quickstart-install-redirector-systemd": false
diff --git a/cdn/tasks/main.yml b/cdn/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9a91efb9e2c3b0353b6276b18bcfc7760bb40fde
--- /dev/null
+++ b/cdn/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: include debian version specific vars
+  include_vars:
+    file: "{{debian_version|default('fallback')}}.yml"
+
+- name: install commonly used web libraries
+  apt:
+    name: "{{cdn_packages}}"
+    state: present
diff --git a/cdn/vars/buster.yml b/cdn/vars/buster.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a32ea8ee35e9eb6999c3f446591021a36615af05
--- /dev/null
+++ b/cdn/vars/buster.yml
@@ -0,0 +1,9 @@
+---
+
+cdn_packages:
+  - libjs-bootstrap
+  - libjs-bootstrap4
+  - libjs-chart.js
+  - libjs-jquery
+  - libjs-jquery-datatables
+  - libjs-jquery-ui
diff --git a/cdn/vars/fallback.yml b/cdn/vars/fallback.yml
new file mode 100644
index 0000000000000000000000000000000000000000..92dcc4750c8061a756b3e2a626e596a108104b7d
--- /dev/null
+++ b/cdn/vars/fallback.yml
@@ -0,0 +1,7 @@
+---
+
+cdn_packages:
+  - libjs-jquery
+  - libjs-bootstrap
+  - libjs-jquery-datatables
+  - libjs-jquery-ui
diff --git a/debian-repository/tasks/main.yml b/debian-repository/tasks/main.yml
index 35bd3ff2a0e1c4fd885bf0c27241bb7d9f6435e6..2c0d9bcfd05138ee41292333d7f343eab3d17f59 100644
--- a/debian-repository/tasks/main.yml
+++ b/debian-repository/tasks/main.yml
@@ -1,25 +1,24 @@
 ---
-# file: roles/repository/tasks/main.yml
-
-- name: ensure we have a group
-  group: name=repo system=yes state=present
-  tags:
-    - group
-    - config
-    - repository
-
-- name: ensure we have a user
-  user: name=repo group=repo system=yes home=/srv/repo shell=/usr/bin/nologin createhome=no state=present
-  tags:
-    - user
-    - config
-    - repository
 
 - name: ensure we have the packaging software installed
-  apt: name={{item}} state=present
-  with_items:
-    - mini-dinstall
-  tags:
-    - packages
-    - repository
+  apt:
+    name:
+      - reprepro
+      - unzip
+    state: present
+
+- name: ensure we have a repo group
+  group:
+    name: repo
+    system: true
+    state: present
 
+- name: ensure we have a repo user
+  user:
+    name: repo
+    group: repo
+    system: true
+    home: /srv/repo
+    shell: /usr/bin/nologin
+    createhome: false
+    state: present
diff --git a/deployable-website/defaults/main.yml b/deployable-website/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c23af32ed334066e969ff39750192610cb949aae
--- /dev/null
+++ b/deployable-website/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+
+deployable_websites: []
+# - name: "name"
+#   pubkey: "ssh-…"
+#   subdirs: []
diff --git a/deployable-website/tasks/main.yml b/deployable-website/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f734f684f841d68fb126cbedb71f27f785085ddb
--- /dev/null
+++ b/deployable-website/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include_tasks: website.yml
+  with_items: "{{deployable_websites}}"
+  loop_control:
+    loop_var: website
+    label: "{{website.name}}"
diff --git a/deployable-website/tasks/website.yml b/deployable-website/tasks/website.yml
new file mode 100644
index 0000000000000000000000000000000000000000..43b641c73ca194f6fe516c682e30ae7dadb82c31
--- /dev/null
+++ b/deployable-website/tasks/website.yml
@@ -0,0 +1,60 @@
+---
+
+- name: create a group
+  group:
+    name: "{{website.name}}"
+    system: true
+    state: present
+
+- name: create a user
+  user:
+    name: "{{website.name}}"
+    group: "{{website.name}}"
+    system: true
+    home: "/var/www/{{website.name}}"
+    shell: /bin/bash
+    createhome: false
+    state: present
+
+- name: create a home directory
+  file:
+    path: "/var/www/{{website.name}}"
+    state: "directory"
+    owner: "{{website.name}}"
+    group: "{{website.group|default(website.name)}}"
+    mode: "0775"
+
+- name: create an ssh directory
+  file:
+    path: "/var/www/{{website.name}}/.ssh"
+    state: "directory"
+    owner: "{{website.name}}"
+    group: "{{website.name}}"
+    mode: "0755"
+  when: website.pubkey is defined
+
+- name: create a deploy directory
+  file:
+    path: "/var/www/{{website.name}}/deploy"
+    state: "directory"
+    owner: "{{website.name}}"
+    group: "{{website.group|default(website.name)}}"
+    mode: "0775"
+
+- name: authorize the deploy key
+  template:
+    src: "authorized_keys"
+    dest: "/var/www/{{website.name}}/.ssh/authorized_keys"
+    owner: "{{website.name}}"
+    group: "{{website.name}}"
+    mode: "0644"
+  when: website.pubkey is defined
+
+- name: create deploy subdirectories
+  file:
+    path: "/var/www/{{website.name}}/deploy/{{item}}"
+    state: "directory"
+    owner: "{{website.name}}"
+    group: "{{website.group|default(website.name)}}"
+    mode: "0775"
+  with_items: "{{website.subdirs|default([])}}"
diff --git a/deployable-website/templates/authorized_keys b/deployable-website/templates/authorized_keys
new file mode 100644
index 0000000000000000000000000000000000000000..090be19b98ff9202d05e19e9e5edbcf6ede5cd3d
--- /dev/null
+++ b/deployable-website/templates/authorized_keys
@@ -0,0 +1 @@
+{{website.pubkey}}
diff --git a/dokuwiki/defaults/main.yml b/dokuwiki/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ccfca50a80da004a1535a0f6fc86caadd24c73e7
--- /dev/null
+++ b/dokuwiki/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+
+dokuwiki:
+  - path: /var/www/dokuwiki
+    user: dokuwiki
+    group: dokuwiki
+    version: 2018-04-22a
+    ad: false
+    ad_domain: example.com
+    ad_basedn: dc=example,dc=com
+    ad_controller: ad.example.com
+    ad_user: user
+    ad_password: password
+    ad_superuser: '@admins'
+    ad_manager: '@admins'
+    mail: 'it@example.com'
diff --git a/dokuwiki/handlers/main.yml b/dokuwiki/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8e0d7fdea6659ac33b8a9c91e5e68d6d6fc21416
--- /dev/null
+++ b/dokuwiki/handlers/main.yml
@@ -0,0 +1,31 @@
+---
+
+- name: delete unused files
+  command: "{{ item.path }}/bin/delete_old_files.py"
+  args:
+    chdir: "{{ item.path }}"
+  become: true
+  become_user: "{{ item.user }}"
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+
+- name: drop caches
+  file:
+    path: "{{ item.path }}/conf/local.php"
+    state: touch
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+
+- name: reindex search
+  command: /usr/local/sbin/dokuwiki-indexer.sh
+
+- name: update blacklist
+  command: /usr/local/sbin/dokuwiki-blacklist.sh
+
+- name: backup on update
+  command: rsnapshot -c /etc/rsnapshot-dokuwiki.conf daily
diff --git a/dokuwiki/tasks/main.yml b/dokuwiki/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f2a81a77ab487a40fd4d51cb5166d3d261d365e4
--- /dev/null
+++ b/dokuwiki/tasks/main.yml
@@ -0,0 +1,232 @@
+---
+
+- name: ensure php packages are installed
+  apt:
+    name:
+      - php
+      - php-mbstring
+      - php-gd
+      - php-zip
+      - php-xml
+      - php-ldap
+    state: present
+
+- name: ensure groups for dokuwiki exist
+  group:
+    name: "{{ item.group }}"
+    state: present
+    system: true
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure users for dokuwiki exist
+  user:
+    name: "{{ item.user }}"
+    group: "{{ item.group }}"
+    state: present
+    system: true
+    shell: /usr/bin/nologin
+    home: "{{ item.path }}"
+    createhome: false
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure directories for dokuwiki exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0755'
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure a backup configuration is present
+  template:
+    src: rsnapshot.conf.j2
+    dest: /etc/rsnapshot-dokuwiki.conf
+    owner: root
+    group: root
+    mode: '0664'
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: check if dokuwiki is installed
+  stat:
+    path: "{{item.path}}/VERSION"
+  register: version_file
+  with_items: "{{dokuwiki}}"
+  loop_control:
+    label: "{{item.path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: gather installed versions
+  command: "cat {{ item.path }}/VERSION"
+  ignore_errors: true
+  changed_when: false
+  register: versions
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: backup dokuwiki data on update
+  command: /bin/true
+  # yamllint disable-line rule:line-length
+  changed_when: item.2.stat.exists and (item.1 is failed or item.1 is skipped or item.0.version != item.1.stdout|regex_replace(' .*'))
+  with_together:
+    - "{{ dokuwiki }}"
+    - "{{ versions.results }}"
+    - "{{ version_file.results }}"
+  loop_control:
+    label: "{{item.0.path}}"
+  notify:
+    - backup on update
+  tags:
+    - dokuwiki
+    - webservices
+
+- meta: flush_handlers
+
+- name: ensure dokuwiki files are in place
+  unarchive:
+    # yamllint disable-line rule:line-length
+    src: "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-{{ item.0.version }}.tgz"
+    remote_src: true
+    dest: "{{ item.0.path }}"
+    owner: "{{ item.0.user }}"
+    group: "{{ item.0.group }}"
+    extra_opts:
+      - --strip-components=1
+      - --overwrite
+      - -p
+  # yamllint disable-line rule:line-length
+  when: item.1 is failed or item.1 is skipped or item.0.version != item.1.stdout|regex_replace(' .*')
+  with_together:
+    - "{{ dokuwiki }}"
+    - "{{ versions.results }}"
+  loop_control:
+    label: "{{item.0.path}}"
+  notify:
+    - delete unused files
+    - update blacklist
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure the unused file deletion utility is available
+  template:
+    src: delete_old_files.py.j2
+    dest: "{{ item.path }}/bin/delete_old_files.py"
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0774'
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  notify:
+    - delete unused files
+  tags:
+    - dokuwiki
+    - webservices
+
+# TODO this needs sendfile disabled as nginx cannot access the data
+- name: ensure correct permissions on config and data directories
+  file:
+    path: "{{ item[0].path }}/{{ item[1] }}"
+    state: directory
+    owner: "{{ item[0].user }}"
+    group: "{{ item[0].group }}"
+    mode: '0750'
+  with_nested:
+    - "{{ dokuwiki }}"
+    - ['conf', 'data']
+  loop_control:
+    label: "{{item[0].path}}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some protected config is present
+  template:
+    src: local.protected.php.j2
+    dest: "{{ item.path }}/conf/local.protected.php"
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  notify:
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some plugin config is present
+  template:
+    src: plugins.local.php.j2
+    dest: "{{ item.path }}/conf/plugins.local.php"
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+    force: false
+  with_items: "{{ dokuwiki }}"
+  loop_control:
+    label: "{{item.path}}"
+  notify:
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some maintenance scripts are available
+  template:
+    src: "{{ item }}.sh.j2"
+    dest: "/usr/local/sbin/dokuwiki-{{ item }}.sh"
+    owner: root
+    group: root
+    mode: '0775'
+  with_items:
+    - update
+    - indexer
+    - cleanup
+    - blacklist
+    - update_extensions
+  notify:
+    - update blacklist
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure we have cronjobs for the maintenance
+  template:
+    src: crontab.j2
+    dest: /etc/cron.d/dokuwiki
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - dokuwiki
+    - webservices
diff --git a/dokuwiki/templates/blacklist.sh.j2 b/dokuwiki/templates/blacklist.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cd571bd2686b700a4e5a1974fde3c7ed71c86e62
--- /dev/null
+++ b/dokuwiki/templates/blacklist.sh.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# taken from https://www.dokuwiki.org/blacklist
+# under CC BY-SA 4.0 International https://creativecommons.org/licenses/by-sa/4.0/deed.en
+# for authors see https://www.dokuwiki.org/blacklist?do=revisions
+
+blacklist="https://meta.wikimedia.org/wiki/Spam_blacklist?action=raw"
+
+{% for dw in dokuwiki %}
+curl --silent ${blacklist} | grep -E -v '<?pre>' > {{ dw.path }}/conf/wordblock.local.conf
+{% endfor %}
diff --git a/dokuwiki/templates/cleanup.sh.j2 b/dokuwiki/templates/cleanup.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ef2ec1c734314226ce2919bf5b413e99a6fa8015
--- /dev/null
+++ b/dokuwiki/templates/cleanup.sh.j2
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# taken from https://www.dokuwiki.org/tips:maintenance#automatic_cleanup_script
+# under CC BY-SA 4.0 International https://creativecommons.org/licenses/by-sa/4.0/deed.en
+# for authors see https://www.dokuwiki.org/tips:maintenance#automatic_cleanup_script?do=revisions
+
+function cleanup()
+{
+    local data_path="$1"        # full path to data directory of wiki
+    local retention_days="$2"   # number of days after which old files are to be removed
+
+    # purge files older than ${retention_days} days from attic and media_attic (old revisions)
+    find "${data_path}"/{media_,}attic/ -type f -mtime +${retention_days} -delete
+
+    # remove stale lock files (files which are 1-2 days old)
+    find "${data_path}"/locks/ -name '*.lock' -type f -mtime +1 -delete
+
+    # remove empty directories
+    find "${data_path}"/{attic,cache,index,locks,media,media_attic,media_meta,meta,pages,tmp}/ \
+        -mindepth 1 -type d -empty -delete
+
+    # remove files older than ${retention_days} days from the cache
+    if [ -e "${data_path}/cache/?/" ]
+    then
+        find "${data_path}"/cache/?/ -type f -mtime +${retention_days} -delete
+    fi
+}
+
+# Cleanup DokuWiki installations (path to datadir, number of days)
+{% for dw in dokuwiki %}
+cleanup {{ dw.path }}/data 180
+{% endfor %}
diff --git a/dokuwiki/templates/crontab.j2 b/dokuwiki/templates/crontab.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2a7d7c7f5731b228be6b9f49d1c125749b984b8d
--- /dev/null
+++ b/dokuwiki/templates/crontab.j2
@@ -0,0 +1,6 @@
+27 0 * * * root rsnapshot -c /etc/rsnapshot-dokuwiki.conf daily
+39 2 * * * root /usr/local/sbin/dokuwiki-update.sh
+39 3 * * * root /usr/local/sbin/dokuwiki-cleanup.sh
+39 4 * * * root /usr/local/sbin/dokuwiki-blacklist.sh
+39 5 * * * root /usr/local/sbin/dokuwiki-indexer.sh
+39 5 * * * root /usr/local/sbin/dokuwiki-update_extensions.sh
diff --git a/dokuwiki/templates/delete_old_files.py.j2 b/dokuwiki/templates/delete_old_files.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e24867a559988b6c24a6e50bfabf6d80f5e62cff
--- /dev/null
+++ b/dokuwiki/templates/delete_old_files.py.j2
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+# taken from https://www.dokuwiki.org/install:unused_files
+# under CC BY-SA 4.0 International https://creativecommons.org/licenses/by-sa/4.0/deed.en
+# for authors see https://www.dokuwiki.org/install:unused_files?do=revisions
+
+import os
+import os.path
+import shutil
+
+def exists_casesensitive(path):
+    if not os.path.exists(path):
+        return False
+    directory, filename = os.path.split(path)
+    return filename in os.listdir(directory)
+
+cwd = os.getcwd()
+os.chdir("{{ item.path }}")
+with open("{{ item.path }}/data/deleted.files") as file:
+    for line in file:
+        line = line.strip()
+        if line and not line.startswith('#'):
+            path = line.rstrip(os.linesep)
+            if exists_casesensitive(path):
+                if os.path.isdir(path):
+                    shutil.rmtree(path)
+                    print('Directory removed =>  ' + path)
+                else:
+                    os.remove(path)
+                    print('File removed =>  ' + path)
+os.chdir(cwd)
diff --git a/dokuwiki/templates/indexer.sh.j2 b/dokuwiki/templates/indexer.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4afaaf027e9609b57a31703a5f2a8d86b6e80666
--- /dev/null
+++ b/dokuwiki/templates/indexer.sh.j2
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+cwd=$PWD
+
+{% for dw in dokuwiki %}
+cd {{ dw.path }}
+sudo -u {{ dw.user }} php {{ dw.path }}/bin/indexer.php -c -q
+{% endfor %}
+
+cd ${cwd}
diff --git a/dokuwiki/templates/local.protected.php.j2 b/dokuwiki/templates/local.protected.php.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c86bce04dc96818b19692ac266b1fa77a8ecce6b
--- /dev/null
+++ b/dokuwiki/templates/local.protected.php.j2
@@ -0,0 +1,32 @@
+<?php
+
+{% if item.ad %}
+$conf['authtype'] = 'authad';
+$conf['plugin']['authad']['account_suffix'] = '@{{ item.ad_domain }}';
+$conf['plugin']['authad']['base_dn'] = '{{ item.ad_basedn }}';
+$conf['plugin']['authad']['domain_controllers'] = '{{ item.ad_controller }}';
+$conf['plugin']['authad']['admin_username'] = '{{ item.ad_user }}';
+$conf['plugin']['authad']['admin_password'] = '{{ item.ad_password }}';
+$conf['plugin']['authad']['use_tls'] = 1;
+$conf['plugin']['authad']['recursive_groups'] = '1';
+$conf['plugin']['authad']['update_mail'] = 0;
+$conf['disableactions'] = 'register,profile_delete,resendpwd';
+$conf['superuser'] = '{{ item.ad_superuser }}';
+$conf['manager'] = '{{ item.ad_manager }}';
+$conf['passcrypt'] = 'ssha';
+{% else %}
+$conf['passcrypt'] = 'bcrypt';
+{% endif %}
+
+$conf['mailfrom'] = '{{ item.mail }}';
+$conf['htmlmail'] = 0;
+$conf['userewrite'] = '1';
+$conf['gzip_output'] = 1;
+$conf['xsendfile'] = 0;
+$conf['updatecheck'] = 0;
+$conf['useacl'] = 1;
+$conf['phpok'] = 0;
+{% if item.mail_host is defined %}
+$conf['plugin']['smtp']['smtp_host'] = '{{item.mail_host}}';
+$conf['plugin']['smtp']['smtp_ssl'] = 'tls';
+{% endif %}
diff --git a/dokuwiki/templates/plugins.local.php.j2 b/dokuwiki/templates/plugins.local.php.j2
new file mode 100644
index 0000000000000000000000000000000000000000..48cf056e220153447af24744b49e2b663802a401
--- /dev/null
+++ b/dokuwiki/templates/plugins.local.php.j2
@@ -0,0 +1,7 @@
+<?php
+
+$plugins['authldap'] = 0;
+$plugins['authmysql'] = 0;
+$plugins['authpdo'] = 0;
+$plugins['authpgsql'] = 0;
+$plugins['popularity'] = 0;
diff --git a/dokuwiki/templates/rsnapshot.conf.j2 b/dokuwiki/templates/rsnapshot.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4c32b51312f5db7f81c744f8dced919346311505
--- /dev/null
+++ b/dokuwiki/templates/rsnapshot.conf.j2
@@ -0,0 +1,231 @@
+#################################################
+# rsnapshot.conf - rsnapshot configuration file #
+#################################################
+#                                               #
+# PLEASE BE AWARE OF THE FOLLOWING RULE:        #
+#                                               #
+# This file requires tabs between elements      #
+#                                               #
+#################################################
+
+#######################
+# CONFIG FILE VERSION #
+#######################
+
+config_version	1.2
+
+###########################
+# SNAPSHOT ROOT DIRECTORY #
+###########################
+
+# All snapshots will be stored under this root directory.
+#
+snapshot_root	/var/backups/
+
+# If no_create_root is enabled, rsnapshot will not automatically create the
+# snapshot_root directory. This is particularly useful if you are backing
+# up to removable media, such as a FireWire or USB drive.
+#
+#no_create_root	1
+
+#################################
+# EXTERNAL PROGRAM DEPENDENCIES #
+#################################
+
+# LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
+# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
+#
+# See the README file or the man page for more details.
+#
+cmd_cp		/bin/cp
+
+# uncomment this to use the rm program instead of the built-in perl routine.
+#
+cmd_rm		/bin/rm
+
+# rsync must be enabled for anything to work. This is the only command that
+# must be enabled.
+#
+cmd_rsync	/usr/bin/rsync
+
+# Uncomment this to enable remote ssh backups over rsync.
+#
+#cmd_ssh	/usr/bin/ssh
+
+# Comment this out to disable syslog support.
+#
+cmd_logger	/usr/bin/logger
+
+# Uncomment this to specify the path to "du" for disk usage checks.
+# If you have an older version of "du", you may also want to check the
+# "du_args" parameter below.
+#
+#cmd_du		/usr/bin/du
+
+# Uncomment this to specify the path to rsnapshot-diff.
+#
+#cmd_rsnapshot_diff	/usr/bin/rsnapshot-diff
+
+# Specify the path to a script (and any optional arguments) to run right
+# before rsnapshot syncs files
+#
+#cmd_preexec	/path/to/preexec/script
+
+# Specify the path to a script (and any optional arguments) to run right
+# after rsnapshot syncs files
+#
+#cmd_postexec	/path/to/postexec/script
+
+# Paths to lvcreate, lvremove, mount and umount commands, for use with
+# Linux LVMs.
+#
+#linux_lvm_cmd_lvcreate	/sbin/lvcreate
+#linux_lvm_cmd_lvremove	/sbin/lvremove
+#linux_lvm_cmd_mount	/bin/mount
+#linux_lvm_cmd_umount	/bin/umount
+
+#########################################
+#     BACKUP LEVELS / INTERVALS         #
+# Must be unique and in ascending order #
+# e.g. alpha, beta, gamma, etc.         #
+#########################################
+
+retain	daily	7
+
+############################################
+#              GLOBAL OPTIONS              #
+# All are optional, with sensible defaults #
+############################################
+
+# Verbose level, 1 through 5.
+# 1     Quiet           Print fatal errors only
+# 2     Default         Print errors and warnings only
+# 3     Verbose         Show equivalent shell commands being executed
+# 4     Extra Verbose   Show extra verbose information
+# 5     Debug mode      Everything
+#
+verbose		2
+
+# Same as "verbose" above, but controls the amount of data sent to the
+# logfile, if one is being used. The default is 3.
+# If you want the rsync output, you have to set it to 4
+#
+loglevel	3
+
+# If you enable this, data will be written to the file you specify. The
+# amount of data written is controlled by the "loglevel" parameter.
+#
+#logfile	/var/log/rsnapshot.log
+
+# If enabled, rsnapshot will write a lockfile to prevent two instances
+# from running simultaneously (and messing up the snapshot_root).
+# If you enable this, make sure the lockfile directory is not world
+# writable. Otherwise anyone can prevent the program from running.
+#
+lockfile	/var/run/rsnapshot.pid
+
+# By default, rsnapshot check lockfile, check if PID is running
+# and if not, consider lockfile as stale, then start
+# Enabling this stop rsnapshot if PID in lockfile is not running
+#
+#stop_on_stale_lockfile		0
+
+# Default rsync args. All rsync commands have at least these options set.
+#
+#rsync_short_args	-a
+#rsync_long_args	--delete --numeric-ids --relative --delete-excluded
+
+# ssh has no args passed by default, but you can specify some here.
+#
+#ssh_args	-p 22
+
+# Default arguments for the "du" program (for disk space reporting).
+# The GNU version of "du" is preferred. See the man page for more details.
+# If your version of "du" doesn't support the -h flag, try -k flag instead.
+#
+#du_args	-csh
+
+# If this is enabled, rsync won't span filesystem partitions within a
+# backup point. This essentially passes the -x option to rsync.
+# The default is 0 (off).
+#
+#one_fs		0
+
+# The include and exclude parameters, if enabled, simply get passed directly
+# to rsync. If you have multiple include/exclude patterns, put each one on a
+# separate line. Please look up the --include and --exclude options in the
+# rsync man page for more details on how to specify file name patterns. 
+# 
+#include	???
+#include	???
+#exclude	???
+#exclude	???
+
+# The include_file and exclude_file parameters, if enabled, simply get
+# passed directly to rsync. Please look up the --include-from and
+# --exclude-from options in the rsync man page for more details.
+#
+#include_file	/path/to/include/file
+#exclude_file	/path/to/exclude/file
+
+# If your version of rsync supports --link-dest, consider enabling this.
+# This is the best way to support special files (FIFOs, etc) cross-platform.
+# The default is 0 (off).
+#
+#link_dest	0
+
+# When sync_first is enabled, it changes the default behaviour of rsnapshot.
+# Normally, when rsnapshot is called with its lowest interval
+# (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
+# intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
+# and all interval calls simply rotate files. See the man page for more
+# details. The default is 0 (off).
+#
+#sync_first	0
+
+# If enabled, rsnapshot will move the oldest directory for each interval
+# to [interval_name].delete, then it will remove the lockfile and delete
+# that directory just before it exits. The default is 0 (off).
+#
+#use_lazy_deletes	0
+
+# Number of rsync re-tries. If you experience any network problems or
+# network card issues that tend to cause ssh to fail with errors like
+# "Corrupted MAC on input", for example, set this to a non-zero value
+# to have the rsync operation re-tried.
+#
+#rsync_numtries 0
+
+# LVM parameters. Used to backup with creating lvm snapshot before backup
+# and removing it after. This should ensure consistency of data in some special
+# cases
+#
+# LVM snapshot(s) size (lvcreate --size option).
+#
+#linux_lvm_snapshotsize	100M
+
+# Name to be used when creating the LVM logical volume snapshot(s).
+#
+#linux_lvm_snapshotname	rsnapshot
+
+# Path to the LVM Volume Groups.
+#
+#linux_lvm_vgpath	/dev
+
+# Mount point to use to temporarily mount the snapshot(s).
+#
+#linux_lvm_mountpath	/path/to/mount/lvm/snapshot/during/backup
+
+###############################
+### BACKUP POINTS / SCRIPTS ###
+###############################
+
+{% for dw in dokuwiki %}
+backup	{{ dw.path }}/conf		dokuwiki/
+backup	{{ dw.path }}/data/pages	dokuwiki/
+backup	{{ dw.path }}/data/meta		dokuwiki/
+backup	{{ dw.path }}/data/media	dokuwiki/
+backup	{{ dw.path }}/data/media_meta	dokuwiki/
+backup	{{ dw.path }}/data/attic	dokuwiki/
+backup	{{ dw.path }}/data/media_attic	dokuwiki/
+{% endfor %}
diff --git a/dokuwiki/templates/update.sh.j2 b/dokuwiki/templates/update.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f0844a3dc4a303433e356fc5b0e506f206863acc
--- /dev/null
+++ b/dokuwiki/templates/update.sh.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+{% for dw in dokuwiki %}
+curl -s https://update.dokuwiki.org/check/"$(sed -n -E '/updateVersion/ { s/\$updateVersion = "(.*)";/\1/g; p; q }' "{{ dw.path }}"/doku.php)"
+{% endfor %}
diff --git a/dokuwiki/templates/update_extensions.sh.j2 b/dokuwiki/templates/update_extensions.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ee00c80373d10eaa4bb66ef8c43e0231f0c8bf0e
--- /dev/null
+++ b/dokuwiki/templates/update_extensions.sh.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+{% for dw in dokuwiki %}
+sudo -u {{ dw.user }} php {{ dw.path }}/bin/plugin.php extension upgrade
+{% endfor %}
diff --git a/etherpad/defaults/main.yml b/etherpad/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bc8f5b041605529c98c7cd941493ee86dcf59359
--- /dev/null
+++ b/etherpad/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+
+etherpad_web_root: "/opt/etherpad"
+etherpad_version: "HEAD"
+
+etherpads: []
+
+# etherpads:
+#   - name: identifier
+#     db_type: mysql
+#     db_name: etherpad
+#     db_user: etherpad
+#     db_password: {{…}}
+#     apikey: {{…}}
+#     edit_only: false
+#     require_auth: false
+#
diff --git a/etherpad/handlers/main.yml b/etherpad/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..968e986a3b040a1fabbf0feb98be378ffe3d718a
--- /dev/null
+++ b/etherpad/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd daemons
+  systemd:
+    daemon_reload: true
+
+- name: restart etherpad
+  debug:
+    var: item
+  when: item.value.changed
+  with_items: "{{ etherpad_config.results }}"
diff --git a/etherpad/tasks/main.yml b/etherpad/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d23bdf640088584412452f1b0e42e903025dd42b
--- /dev/null
+++ b/etherpad/tasks/main.yml
@@ -0,0 +1,121 @@
+---
+
+- name: ensure nodejs is installed
+  apt:
+    name:
+      - nodejs
+      - npm
+    state: present
+
+- name: ensure we have a group for etherpads
+  group:
+    name: etherpad
+    state: present
+    system: true
+
+- name: ensure we have a user for etherpads
+  user:
+    name: etherpad
+    group: etherpad
+    state: present
+    system: true
+    shell: /usr/bin/nologin
+    home: "{{etherpad_web_root}}"
+    createhome: false
+
+- name: ensure we have a directory for the etherpad software
+  file:
+    path: "{{etherpad_web_root}}/repository"
+    state: directory
+    owner: etherpad
+    group: etherpad
+    mode: '0755'
+
+- name: ensure we have the etherpad software
+  git:
+    repo: https://github.com/ether/etherpad-lite.git
+    dest: "{{etherpad_web_root}}/repository"
+    version: "{{etherpad_version|default('HEAD')}}"
+  become: true
+  become_user: etherpad
+
+- name: ensure we have a directory for etherpad configuration files
+  file:
+    path: /etc/etherpad
+    state: directory
+    owner: root
+    group: etherpad
+    mode: '0750'
+
+- name: ensure we have a mysql database for the etherpad
+  mysql_db:
+    name: "{{item.db_name}}"
+    state: present
+    login_user: root
+    login_password: "{{mysql_root_password}}"
+  with_items: "{{etherpads}}"
+  when: item.db_type == 'mysql'
+  no_log: true
+
+- name: ensure we have a mysql database user for the etherpad
+  mysql_user:
+    name: "{{item.db_user}}"
+    password: "{{item.db_password}}"
+    state: present
+    login_user: root
+    login_password: "{{mysql_root_password}}"
+    priv: "{{item.db_name}}.*:ALL"
+  with_items: "{{etherpads}}"
+  when: item.db_type == 'mysql'
+  no_log: true
+
+- name: ensure we have a settings file
+  template:
+    src: settings.json.j2
+    dest: "/etc/etherpad/{{item.name}}-settings.json"
+    owner: root
+    group: etherpad
+    mode: '0640'
+  register: etherpad_config
+  with_items: "{{etherpads}}"
+  notify: restart etherpad
+  no_log: true
+
+- name: ensure we have a directory for the socket
+  template:
+    src: tmpfiles.conf.j2
+    dest: /etc/tmpfiles.d/10-etherpad.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: create tmpfiles
+
+- name: ensure we have an apikey file
+  template:
+    src: apikey.txt.j2
+    dest: /etc/etherpad/{{item.name}}-apikey.txt
+    owner: root
+    group: etherpad
+    mode: '0640'
+    force: false
+  with_items: "{{etherpads}}"
+  no_log: true
+
+- name: ensure we have a systemd unit
+  template:
+    src: etherpad@.service.j2
+    dest: /etc/systemd/system/etherpad@.service
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload systemd daemons
+
+- meta: flush_handlers
+
+- name: make sure the unit is running
+  systemd:
+    name: "etherpad@{{item.name}}"
+    state: started
+    enabled: true
+  with_items: "{{etherpads}}"
+  no_log: true
diff --git a/etherpad/templates/apikey.txt.j2 b/etherpad/templates/apikey.txt.j2
new file mode 100644
index 0000000000000000000000000000000000000000..557d7ad400646826477df22ff35471abc106990f
--- /dev/null
+++ b/etherpad/templates/apikey.txt.j2
@@ -0,0 +1 @@
+{{item.apikey}}
diff --git a/etherpad/templates/etherpad@.service.j2 b/etherpad/templates/etherpad@.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..daca6b1ac26315f1edd020d3b91dd658eeb1dbcc
--- /dev/null
+++ b/etherpad/templates/etherpad@.service.j2
@@ -0,0 +1,28 @@
+[Unit]
+Description=Etherpad Lite
+After=syslog.target network.target
+After=network-online.target mysql.service
+Wants=network-online.target mysql.service
+
+[Service]
+Type=simple
+User=etherpad
+Group=etherpad
+UMask=0002
+ExecStartPre={{etherpad_web_root}}/repository/bin/installDeps.sh
+ExecStart={{etherpad_web_root}}/repository/node_modules/ep_etherpad-lite/node/server.js --settings /etc/etherpad/%i-settings.json --apikey /etc/etherpad/%i-apikey.txt
+ExecStopPost=rm -f /run/etherpad/%i.socket
+WorkingDirectory={{etherpad_web_root}}/repository
+Restart=always
+RestartSec=3
+Environment="NODE_ENV=production"
+StandardError=syslog
+KillSignal=SIGINT
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etherpad/templates/settings.json.j2 b/etherpad/templates/settings.json.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7df90387fe2b9fa78e69d709cc0987160eb7daef
--- /dev/null
+++ b/etherpad/templates/settings.json.j2
@@ -0,0 +1,154 @@
+{
+  "title": "{{item.name}}",
+
+  "favicon": "favicon.ico",
+
+  "skinName": "colibris",
+
+  "skinVariants": "super-light-toolbar super-light-editor light-background",
+
+  "ip": "",
+  "port": "/run/etherpad/{{item.name}}.socket",
+
+  "showSettingsInAdminPage": true,
+
+  "dbType": "{{item.db_type}}",
+  "dbSettings": {
+    "user": "{{item.db_user}}",
+    "host": "localhost",
+    "port": 3306,
+    "password": "{{item.db_password}}",
+    "database": "{{item.name}}",
+    "charset": "utf8mb4"
+  },
+
+  "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at https:\/\/etherpad.org\n",
+
+  "padOptions": {
+    "noColors":         false,
+    "showControls":     true,
+    "showChat":         true,
+    "showLineNumbers":  true,
+    "useMonospaceFont": false,
+    "userName":         false,
+    "userColor":        false,
+    "rtl":              false,
+    "alwaysShowChat":   false,
+    "chatAndUsers":     false,
+    "lang":             "en-gb"
+  },
+
+  "padShortcutEnabled" : {
+    "altF9":     true, /* focus on the File Menu and/or editbar */
+    "altC":      true, /* focus on the Chat window */
+    "cmdShift2": true, /* shows a gritter popup showing a line author */
+    "delete":    true,
+    "return":    true,
+    "esc":       true, /* in mozilla versions 14-19 avoid reconnecting pad */
+    "cmdS":      true, /* save a revision */
+    "tab":       true, /* indent */
+    "cmdZ":      true, /* undo/redo */
+    "cmdY":      true, /* redo */
+    "cmdI":      true, /* italic */
+    "cmdB":      true, /* bold */
+    "cmdU":      true, /* underline */
+    "cmd5":      true, /* strike through */
+    "cmdShiftL": true, /* unordered list */
+    "cmdShiftN": true, /* ordered list */
+    "cmdShift1": true, /* ordered list */
+    "cmdShiftC": true, /* clear authorship */
+    "cmdH":      true, /* backspace */
+    "ctrlHome":  true, /* scroll to top of pad */
+    "pageUp":    true,
+    "pageDown":  true
+  },
+
+  "suppressErrorsInPadText": false,
+
+  "requireSession": false,
+
+  "editOnly": {{item.edit_only|default(false)|lower}},
+
+  "sessionNoPassword": false,
+
+  "minify": true,
+
+  "maxAge": 21600, // 60 * 60 * 6 = 6 hours
+
+  "abiword": null,
+
+  "soffice": null,
+
+  "tidyHtml": null,
+
+  "allowUnknownFileEnds": true,
+
+  "requireAuthentication": {{item.require_auth|default(false)|lower}},
+
+  "requireAuthorization": false,
+
+  "trustProxy": true,
+
+  "disableIPlogging": false,
+
+  "automaticReconnectionTimeout": 0,
+
+  "scrollWhenFocusLineIsOutOfViewport": {
+
+    "percentage": {
+      "editionAboveViewport": 0,
+      "editionBelowViewport": 0
+    },
+
+    "duration": 0,
+
+    "scrollWhenCaretIsInTheLastLineOfViewport": false,
+
+    "percentageToScrollWhenUserPressesArrowUp": 0
+  },
+
+  "loadTest": false,
+
+  "importExportRateLimiting": {
+    // duration of the rate limit window (milliseconds)
+    "windowMs": 900,
+
+    // maximum number of requests per IP to allow during the rate limit window
+    "max": 100
+  },
+
+  "importMaxFileSize": 52428800, // 50 * 1024 * 1024
+
+  "exposeVersion": false,
+
+  /*
+   * The log level we are using.
+   *
+   * Valid values: DEBUG, INFO, WARN, ERROR
+   */
+  "loglevel": "INFO",
+
+  /*
+   * Logging configuration. See log4js documentation for further information:
+   * https://github.com/nomiddlename/log4js-node
+   *
+   * You can add as many appenders as you want here.
+   */
+  "logconfig" :
+    { "appenders": [
+        { "type": "console"
+        //, "category": "access"// only logs pad access
+        }
+
+      /*
+      , { "type": "file"
+      , "filename": "your-log-file-here.log"
+      , "maxLogSize": 1024
+      , "backups": 3 // how many log files there're gonna be at max
+      //, "category": "test" // only log a specific category
+        }
+      */
+
+      ]
+    } // logconfig
+}
diff --git a/etherpad/templates/tmpfiles.conf.j2 b/etherpad/templates/tmpfiles.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2dce14b7a620d88704d83d65614c1a386edababa
--- /dev/null
+++ b/etherpad/templates/tmpfiles.conf.j2
@@ -0,0 +1 @@
+d /run/etherpad 2775 etherpad nginx-proxy - -
diff --git a/mediawiki/defaults/main.yml b/mediawiki/defaults/main.yml
index 9c04cacfb90edae6130d401b2a1ad1c5ff878fce..d479b3c24a64d2db20b626d80f0469ab59d3a483 100644
--- a/mediawiki/defaults/main.yml
+++ b/mediawiki/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/mediawiki/defaults/main.yml
+# file: mediawiki/defaults/main.yml
 
 mediawiki_web_root: /var/www
 
@@ -12,6 +12,6 @@ mediawiki_dbtype: postgres
 mediawiki_dbhost: localhost
 mediawiki_dbname: "{{ mediawiki_name }}"
 mediawiki_dbuser: "{{ mediawiki_name }}"
-mediawiki_dbpassword: 
+mediawiki_dbpassword: ""
 
-mediawiki_use_ldap: yes
+mediawiki_use_ldap: true
diff --git a/mediawiki/handlers/main.yml b/mediawiki/handlers/main.yml
index 0de5dcd788a2759ebedff7197a6df1eef31c304f..59ad80809e7fbad7b7080c49ec84cace9ad1a090 100644
--- a/mediawiki/handlers/main.yml
+++ b/mediawiki/handlers/main.yml
@@ -1,11 +1,15 @@
 ---
-# file: roles/mediawiki/handlers/main.yml
+# file: mediawiki/handlers/main.yml
 
 - name: reload systemd service files
-  command: systemctl daemon-reload
+  systemd:
+    daemon_reload: true
 
 - name: "restart uwsgi for {{ mediawiki_name }}"
-  service: "name=mediawiki-{{ mediawiki_name }} state=restarted enabled=yes"
+  service:
+    name: "mediawiki-{{ mediawiki_name }}"
+    state: restarted
+    enabled: true
 
 - name: create tmpfiles
-  shell: systemd-tmpfiles --create
+  command: systemd-tmpfiles --create
diff --git a/mediawiki/meta/main.yml b/mediawiki/meta/main.yml
deleted file mode 100644
index 8c99dfce25159796ead9633182a9326f9238bb19..0000000000000000000000000000000000000000
--- a/mediawiki/meta/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# file: roles/mediawiki/meta/main.yml
-dependencies:
-  - { role: php-fpm, fpm_pool: "{{mediawiki_name}}", fpm_user: "{{mediawiki_user}}", fpm_group: "{{mediawiki_group}}", fpm_socket_user: "{{mediawiki_user}}", fpm_socket_group: www-data }
-  - { role: postgres }
diff --git a/mediawiki/tasks/ldap.yml b/mediawiki/tasks/ldap.yml
index f1998a474068c168e77ec34e84615441c6eac53b..501c3096aba92a38e83ee3c5c5b558b5c9b3e207 100644
--- a/mediawiki/tasks/ldap.yml
+++ b/mediawiki/tasks/ldap.yml
@@ -1,11 +1,11 @@
 ---
-# file: roles/mediawiki/tasks/ldap.yml
+# file: mediawiki/tasks/ldap.yml
 
 - name: ensure we have the auth extension
   git:
     repo: https://git.fsmpi.rwth-aachen.de/robin/mediawiki-remoteuser.git
     dest: "/var/lib/mediawiki/extensions/AuthRemoteuser"
+    version: HEAD
   tags:
-    - git
-    - packages
     - mediawiki
+    - webservices
diff --git a/mediawiki/tasks/main.yml b/mediawiki/tasks/main.yml
index 670f897c4c4ee9ba06fd8310aa4b472f045c4e2e..d1f5d410484584d826a5f8085ff919b86eb64091 100644
--- a/mediawiki/tasks/main.yml
+++ b/mediawiki/tasks/main.yml
@@ -1,48 +1,35 @@
 ---
-# file: roles/mediawiki/tasks/main.yml
+# file: mediawiki/tasks/main.yml
 
-- name: ensure packages for mediawiki are installed on jessie
-  apt: name={{ item }} state=latest install_recommends=no
-  with_items:
-    - mediawiki
-    - mediawiki-extensions
-  when: debian_version == "jessie"
-  tags:
-    - packages
-    - mediawiki
-
-- name: ensure packages for mediawiki are installed on stretch
-  apt: name={{ item }} state=present
-  with_items:
-    - mediawiki
-  when: debian_version == "stretch"
+- name: ensure packages for mediawiki are installed
+  apt:
+    name: mediawiki
+    state: present
   tags:
-    - packages
     - mediawiki
+    - webservices
 
 - name: "ensure group for {{ mediawiki_name }} exists"
   group:
     name: "{{ mediawiki_group }}"
     state: present
-    system: yes
+    system: true
   tags:
-    - users
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure user for {{ mediawiki_name }} exists"
   user:
     name: "{{ mediawiki_user }}"
     group: "{{ mediawiki_group }}"
     state: present
-    system: yes
+    system: true
     shell: /usr/bin/nologin
     home: "{{ mediawiki_web_root }}"
-    createhome: no
+    createhome: false
   tags:
-    - users
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the wiki folder for {{ mediawiki_name }} exists"
   file:
@@ -52,8 +39,8 @@
     group: "{{ mediawiki_group }}"
     path: "{{ mediawiki_web_root }}/{{ mediawiki_name }}"
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the wiki uploads folder for {{ mediawiki_name }} exists"
   file:
@@ -63,63 +50,56 @@
     group: "{{ mediawiki_group }}"
     path: "{{ mediawiki_web_root }}/{{ mediawiki_name }}/images"
   tags:
-    - config
     - mediawiki
+    - webservices
 
-- name: "get other mediawiki files for {{ mediawiki_name }}"
-  shell: ls --hide=LocalSettings.php --hide=images /usr/share/mediawiki
+- name: "get other mediawiki files for {{ mediawiki_name }}"  # noqa 301
+  command: ls --hide=LocalSettings.php --hide=images /usr/share/mediawiki
   register: mediawiki_other_files
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure other mediawiki files for {{ mediawiki_name }} are linked"
   file:
     state: link
     src: "/usr/share/mediawiki/{{ item }}"
     dest: "{{ mediawiki_web_root }}/{{ mediawiki_name }}/{{ item }}"
-    force: yes
-  with_items: "{{mediawiki_other_files.stdout_lines}}"
+    force: true
+  with_items: "{{ mediawiki_other_files.stdout_lines }}"
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: ensure we have a unique temporary cache directory
-  lineinfile:
-    dest: /etc/tmpfiles.d/10-mediawiki.conf
-    line: "d /tmp/{{mediawiki_name}} 0775 {{mediawiki_user}} {{mediawiki_group}} - -"
-    create: yes
+  template:
+    src: tmpfiles.j2
+    dest: "/etc/tmpfiles.d/10-mediawiki-{{ mediawiki_name }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - create tmpfiles
   tags:
-    - config
     - mediawiki
-
-#- name: "ensure the library mediawiki uses for diffs is enabled"
-#  file:
-#    state: link
-#    src: "../../mods-available/wikidiff2.ini"
-#    dest: "/etc/php5/embed/conf.d/wikidiff2.ini"
-#  tags:
-#    - config
-#    - mediawiki
-#    - php
+    - webservices
 
 - include: postgres.yml
   when: mediawiki_dbtype == "postgres"
 
+- include: mysql.yml
+  when: mediawiki_dbtype == "mysql"
+
 - include: ldap.yml
   when: mediawiki_use_ldap
 
 - name: ensure we are running maintenance regularly
-  cron: 
-    name: "mediawiki maintenance"
-    hour: "0"
-    minute: "0"
-    job: "/usr/bin/php {{mediawiki_web_root}}/{{mediawiki_name}}/maintenance/runJobs.php --conf {{mediawiki_web_root}}/{{mediawiki_name}}/LocalSettings.php"
-  become: yes
-  become_user: "{{mediawiki_user}}"
+  template:
+    src: crontab.j2
+    dest: "/etc/cron.d/mediawiki-{{ mediawiki_name }}-maint"
+    owner: root
+    group: root
+    mode: '0644'
   tags:
-    - cron
-    - config
     - mediawiki
+    - webservices
diff --git a/mediawiki/tasks/mysql.yml b/mediawiki/tasks/mysql.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8f788d6c8083b5cd8d36c22d05f092e0e65b4d1d
--- /dev/null
+++ b/mediawiki/tasks/mysql.yml
@@ -0,0 +1,10 @@
+---
+# file: mediawiki/tasks/mysql.yml
+
+- name: ensure php can talk with mysql
+  apt:
+    name: php-mysql
+    state: present
+  tags:
+    - mediawiki
+    - webservices
diff --git a/mediawiki/tasks/postgres.yml b/mediawiki/tasks/postgres.yml
index af5775e813ac510f16a62da791354026c432e129..f4fd6d685f92b76e05016a0d51208a643fa32a09 100644
--- a/mediawiki/tasks/postgres.yml
+++ b/mediawiki/tasks/postgres.yml
@@ -1,46 +1,37 @@
 ---
-# file: roles/mediawiki/tasks/postgres.yml
+# file: mediawiki/tasks/postgres.yml
 
-- name: "ensure php can talk with postgres on jessie"
-  apt: name=php5-pgsql state=latest
-  when: debian_version == "jessie"
-  tags:
-    - packages
-    - postgresql
-    - mediawiki
-
-- name: "ensure php can talk with postgres on stretch"
-  apt: name=php-pgsql state=present
-  when: debian_version == "stretch"
+- name: ensure php can talk with postgres
+  apt:
+    name: php-pgsql
+    state: present
   tags:
-    - packages
-    - postgresql
     - mediawiki
+    - webservices
 
 - name: "ensure the database user for {{ mediawiki_name }} exists"
   postgresql_user:
     name: "{{ mediawiki_dbuser }}"
     password: "{{ mediawiki_dbpassword }}"
     state: present
-  become: yes
+  no_log: true
+  become: true
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the database for {{ mediawiki_name }} exists"
-  postgresql_db: 
+  postgresql_db:
     name: "{{ mediawiki_dbname }}"
     owner: "{{ mediawiki_dbuser }}"
     state: present
-  become: yes
+  become: true
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
-  
+    - webservices
+
 - name: "ensure the database user has priviliges for {{ mediawiki_name }}"
   postgresql_privs:
     database: "{{ mediawiki_dbname }}"
@@ -48,9 +39,8 @@
     privs: ALL
     state: present
     type: database
-  become: yes
+  become: true
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
+    - webservices
diff --git a/mediawiki/templates/crontab.j2 b/mediawiki/templates/crontab.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d3a63cfe9e32781547745e759762db42cfd061cd
--- /dev/null
+++ b/mediawiki/templates/crontab.j2
@@ -0,0 +1 @@
+0 0 * * * {{ mediawiki_user }} /usr/bin/php {{ mediawiki_web_root }}/{{ mediawiki_name }}/maintenance/runJobs.php --conf {{ mediawiki_web_root }}/{{ mediawiki_name }}/LocalSettings.php
diff --git a/mediawiki/templates/mediawiki.ini.j2 b/mediawiki/templates/mediawiki.ini.j2
deleted file mode 100644
index 6684a59defbf81100fab9350cd0002deec024894..0000000000000000000000000000000000000000
--- a/mediawiki/templates/mediawiki.ini.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-[uwsgi]
-uwsgi-socket = /run/uwsgi/app/mediawiki-{{ mediawiki_name }}/mediawiki-{{ mediawiki_name }}.sock
-chmod-socket = 660
-chown-socket = {{ mediawiki_user }}:www-data
-autoload = 
-master = 
-processes = 4
-workers = 4
-prio = -5
-harakiri = 5
-chdir = {{ mediawiki_web_root }}/{{ mediawiki_name }}
-uid = {{ mediawiki_user }}
-gid = {{ mediawiki_group }}
-logto = /var/log/uwsgi-mediawiki-{{ mediawiki_name }}.log
-logfile-chown = {{ mediawiki_user }}:{{ mediawiki_group }}
-logfile-chmod = 664
-log-date = 
-log-4xx = 
-log-5xx = 
-log-x-forwarded-for = 
-plugin = php
-php-index = index.php
-env = MW_INSTALL_PATH={{ mediawiki_web_root }}/{{ mediawiki_name }}
diff --git a/mediawiki/templates/mediawiki.service.j2 b/mediawiki/templates/mediawiki.service.j2
deleted file mode 100644
index 1dd799174a823a50bedd7cd4514e8d3c12643d93..0000000000000000000000000000000000000000
--- a/mediawiki/templates/mediawiki.service.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=MediaWiki {{ mediawiki_name }} forwarded by uwsgi
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/mediawiki-{{ mediawiki_name }}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mediawiki/templates/tmpfiles.j2 b/mediawiki/templates/tmpfiles.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cd6225d2b1e2cdcb8c0cbe88ed91db317e00be4c
--- /dev/null
+++ b/mediawiki/templates/tmpfiles.j2
@@ -0,0 +1 @@
+d /tmp/{{ mediawiki_name }} 0775 {{ mediawiki_user }} {{ mediawiki_group }} - -
diff --git a/php-fpm/defaults/main.yml b/php-fpm/defaults/main.yml
index ad1acfff87a8e19e6f17457dc59230a169ff86a0..8108f3e2e5541aa5c4f93dda6fac8d21e38f8359 100644
--- a/php-fpm/defaults/main.yml
+++ b/php-fpm/defaults/main.yml
@@ -1,8 +1,11 @@
 ---
-# file: roles/php-fpm/defaults/mail.yml
 
-fpm_pool: www
-fpm_user: www-data
-fpm_group: www-data
-fpm_socket_user: www-data
-fpm_socket_group: www-data
+fpm_pools: []
+
+fpm_default_params:
+  intl.default_locale: en_US
+  date.timezone: "Europe/Berlin"
+fpm_default_flags:
+  session.cookie_secure: true
+  session.cookie_httponly: true
+fpm_default_env: {}
diff --git a/php-fpm/handlers/main.yml b/php-fpm/handlers/main.yml
index 6beae431516b9650ce55e0f93764bf61884a26a6..b580a0a0bed124fe56e451279f1b9ab63252836c 100644
--- a/php-fpm/handlers/main.yml
+++ b/php-fpm/handlers/main.yml
@@ -1,5 +1,11 @@
 ---
-# file: roles/php-fpm/handlers/main.yml
 
 - name: restart php-fpm
-  service: name=php7.0-fpm.service state=restart
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    state: restarted
+  with_items: "{{ fpm_pools|default([]) }}"
+
+- name: reload systemd service files
+  systemd:
+    daemon_reload: true
diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml
index 50f5bf47aed9ab13e46aadc9fda39289c0dd9a16..94d2c0db013ede0c3b0b42a578478eb67260ad12 100644
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
@@ -1,42 +1,102 @@
 ---
-# file: roles/php-fpm/tasks/main.yml
 
-- name: ensure php-fpm is installed on stretch
-  apt: name="{{item}}" state=present
-  with_items:
-    - php
-    - php-fpm
-  when: debian_version == "stretch"
+- name: include debian version specific vars
+  include_vars: "{{ debian_version }}.yml"
+
+- name: ensure php-fpm is installed
+  apt:
+    name: "{{ php_fpm_pkgs }}"
+    state: present
   notify:
     - restart php-fpm
-  tags:
-    - packages
-    - php
-    - php-fpm
 
-- name: ensure php-fpm is installed on jessie
-  apt: name="{{item}}" state=present
-  with_items:
-    - php5
-    - php5-fpm
-  when: debian_version == "jessie"
-  tags:
-    - packages
-    - php
-    - php-fpm
-  
-- name: ensure we have the pool we want
+- name: ensure php-fpm is configured
+  template:
+    src: php-fpm.conf.j2
+    dest: "/etc/php/{{ php_version }}/fpm/php-fpm.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - restart php-fpm
+
+- name: create groups
+  group:
+    name: "{{ item.name }}"
+    system: true
+    state: present
+  with_items: "{{ fpm_pools|default([]) }}"
+
+- name: create users
+  user:
+    name: "{{ item.name }}"
+    group: "{{ item.name }}"
+    groups: "{{ item.groups|default([]) }}"
+    system: true
+    home: "{{ item.home|default('/var/www/' ~ item.name) }}"
+    shell: /usr/bin/nologin
+    createhome: false
+    state: present
+  with_items: "{{ fpm_pools|default([]) }}"
+  notify:
+    - restart php-fpm
+
+- name: ensure we have all the pools we want
+  template:
+    src: pool.conf.j2
+    dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items: "{{ fpm_pools|default([]) }}"
+  notify:
+    - restart php-fpm
+
+- name: ensure systemd can start php instances
   template:
-    src: pool.conf
-    dest: "/etc/php/7.0/fpm/pool.d/{{fpm_pool}}.conf"
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
     owner: root
     group: root
-    mode: 0644
-  when: debian_version == "stretch"
+    mode: '0644'
+  with_items:
+    - php-fpm@.socket
+    - php-fpm@.service
   notify:
+    - reload systemd service files
     - restart php-fpm
-  tags:
-   - config
-   - php
-   - php-fpm
 
+- name: disable standard service file
+  systemd:
+    name: "php{{ php_version }}-fpm"
+    enabled: false
+    state: stopped
+    masked: true
+
+- name: get remote active php pools
+  # yamllint disable rule:line-length
+  shell: |
+    set -o pipefail
+    systemctl show --state=loaded --type=service --property=Id --value php-fpm@\* | sed '/^$/d' | cut -d@ -f2 | cut -d. -f1
+  args:
+    executable: /bin/bash
+  # yamllint enable rule:line-length
+  changed_when: false
+  register: running_pools
+
+- name: deactivate inactive pools via systemd
+  systemd:
+    name: "php-fpm@{{ item }}"
+    enabled: false
+    state: stopped
+  # yamllint disable-line rule:line-length
+  with_items: "{{ running_pools.stdout_lines|difference(fpm_pools|map(attribute='name')|list) }}"
+
+- meta: flush_handlers
+
+- name: ensure active pools are enabled in systemd
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    enabled: true
+    state: started
+  with_items: "{{ fpm_pools|default([]) }}"
diff --git a/php-fpm/templates/php-fpm.conf.j2 b/php-fpm/templates/php-fpm.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4697c8a5f6f8b664afcf134eb322a17084591f8b
--- /dev/null
+++ b/php-fpm/templates/php-fpm.conf.j2
@@ -0,0 +1,146 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix (/usr). This prefix can be dynamically changed by using the
+; '-p' argument from the command line.
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Note: the default prefix is /var
+; Default Value: none
+;pid = /run/php/php{{ php_version }}-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; into a local file.
+; Note: the default prefix is /var
+; Default Value: log/php-fpm.log
+;error_log = /var/log/php{{ php_version }}-fpm.log
+error_log = syslog
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+;log_level = notice
+
+; Log limit on number of characters in the single line (log entry). If the
+; line is over the limit, it is wrapped on multiple lines. The limit is for
+; all logged characters including message prefix and suffix if present. However
+; the new line character does not count into it as it is present only when
+; logging to a file descriptor. It means the new line character is not present
+; when logging to syslog.
+; Default Value: 1024
+;log_limit = 4096
+
+; Log buffering specifies if the log line is buffered which means that the
+; line is written in a single write operation. If the value is false, then the
+; data is written directly into the file descriptor. It is an experimental
+; option that can potentionaly improve logging performance and memory usage
+; for some heavy logging scenarios. This option is ignored if logging to syslog
+; as it has to be always buffered.
+; Default value: yes
+;log_buffering = no
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+;emergency_restart_threshold = 0
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated.  This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;emergency_restart_interval = 0
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;process_control_timeout = 0
+
+; The maximum number of processes FPM will fork. This has been designed to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+; process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lowest priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool process will inherit the master process priority
+;         unless specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+daemonize = no
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select     (any POSIX os)
+; - poll       (any POSIX os)
+; - epoll      (linux >= 2.5.44)
+; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
+; - /dev/poll  (Solaris >= 7)
+; - port       (Solaris >= 10)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is built with systemd integration, specify the interval,
+; in seconds, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options.  The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+; Relative path can also be used. They will be prefixed by:
+;  - the global prefix if it's been set (-p argument)
+;  - /usr otherwise
+
+; We do it the other way round.
+;include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf
diff --git a/php-fpm/templates/php-fpm@.service.j2 b/php-fpm/templates/php-fpm@.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..94569de0f29080b81b75f3834cb6c2d8b1ef3f25
--- /dev/null
+++ b/php-fpm/templates/php-fpm@.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=PHP-FPM service for %i
+After=syslog.target network.target
+After=mysqld.service postfix.service
+Requires=php-fpm@.socket
+
+[Service]
+Type=notify
+
+PrivateTmp=true
+NoNewPrivileges=true
+;PrivateNetwork=true
+PrivateDevices=true
+
+ProtectHome=true
+ProtectSystem=full
+InaccessiblePaths=-/var/lib/mysql
+
+MemoryAccounting=yes
+CPUAccounting=yes
+IOAccounting=yes
+
+User=%i
+Group=%i
+Environment="FPM_SOCKETS=/run/php/%i-fpm.sock=3"
+ExecStart=/usr/sbin/php-fpm{{ php_version }} --nodaemonize --fpm-config /etc/php/{{ php_version }}/fpm/pool.d/%i.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/php-fpm/templates/php-fpm@.socket.j2 b/php-fpm/templates/php-fpm@.socket.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c3ab1c31f4bbfb6ed51a3c487b9e16530d020a56
--- /dev/null
+++ b/php-fpm/templates/php-fpm@.socket.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=PHP-FPM socket for %i
+
+[Socket]
+ListenStream=/run/php/%i-fpm.sock
+SocketMode=0660
+SocketUser=%i
+SocketGroup=www-data
+
+[Install] 
+WantedBy=sockets.target
diff --git a/php-fpm/templates/pool.conf b/php-fpm/templates/pool.conf
deleted file mode 100644
index f7f846fdf4ee68aa43bf7d6a24b97fb951bba3bd..0000000000000000000000000000000000000000
--- a/php-fpm/templates/pool.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-[{{fpm_pool}}]
-user = {{fpm_user}}
-group = {{fpm_group}}
-
-listen = /run/php/{{fpm_pool}}-fpm.sock
-
-listen.owner = {{fpm_socket_user}}
-listen.group = {{fpm_socket_group}}
-
-pm = dynamic
-pm.max_children = 5
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 3
diff --git a/php-fpm/templates/pool.conf.j2 b/php-fpm/templates/pool.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..372e9387457d916bd2834417b2f5666bd5c70082
--- /dev/null
+++ b/php-fpm/templates/pool.conf.j2
@@ -0,0 +1,40 @@
+include=/etc/php/{{ php_version }}/fpm/php-fpm.conf
+
+{% if item is not defined %}
+{% set item = {"name": fpm_pool, "params": fpm_params|default({})} %}
+{% endif %}
+[{{item.name}}]
+;user = {{item.name}}
+;group = {{item.name}}
+
+listen = /run/php/{{item.name}}-fpm.sock
+
+listen.owner = {{item.name}}
+listen.group = www-data
+
+pm = {{ item.pm|default('ondemand') }}
+{% if item.pm|default('ondemand') == 'static' %}
+pm.max_children = {{ item.pm_max_children|default(5) }}
+{% elif item.pm|default('ondemand') == 'dynamic' %}
+pm.max_children = {{ item.pm_max_children|default(5) }}
+{# start_servers = min_spare_servers + (max_spare_servers - min_spare_servers) / 2 #}
+pm.start_servers = {{ item.pm_start_servers|default(2) }}
+pm.min_spare_servers = {{ item.pm_min_spare_servers|default(1) }}
+pm.max_spare_servers = {{ item.pm_max_spare_servers|default(3) }}
+{% else %}
+pm.max_children = {{ item.pm_max_children|default(10) }}
+pm.process_idle_timeout = {{ item.pm_process_idle_timeout|default(15) }}s
+{% endif %}
+pm.max_requests = {{ item.pm_max_requests|default(500) }}
+
+{% for key, value in (fpm_default_params|combine(item.params|default({}))).items() %}
+php_admin_value[{{key}}] = {{value}}
+{% endfor %}
+
+{% for key, value in (fpm_default_flags|combine(item.flags|default({}))).items() %}
+php_admin_flag[{{key}}] = {{'on' if value else 'off'}}
+{% endfor %}
+
+{% for key, value in (fpm_default_env|combine(item.env|default({}))).items() %}
+env[{{key}}] = {{ value }}
+{% endfor %}
diff --git a/php-fpm/vars/buster.yml b/php-fpm/vars/buster.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab784a0a0db25b5501c072d070bbd25f4c7b624e
--- /dev/null
+++ b/php-fpm/vars/buster.yml
@@ -0,0 +1,3 @@
+---
+php_fpm_pkgs: ["php-fpm"]
+php_version: "7.3"
diff --git a/php-fpm/vars/jessie.yml b/php-fpm/vars/jessie.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a1918259000478eee9cecc793ab40c44b1a85677
--- /dev/null
+++ b/php-fpm/vars/jessie.yml
@@ -0,0 +1,2 @@
+---
+php_fpm_pkgs: ["php-fpm5", "php5"]
diff --git a/php-fpm/vars/stretch.yml b/php-fpm/vars/stretch.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f072d5e6a68d135ae8ee6e71e8f32e930a462fa0
--- /dev/null
+++ b/php-fpm/vars/stretch.yml
@@ -0,0 +1,3 @@
+---
+php_fpm_pkgs: ["php-fpm"]
+php_version: "7.0"
diff --git a/phpwebapps/defaults/main.yml b/phpwebapps/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..63881e77bcdb6cc1484ae75c04a3716b804a2ff9
--- /dev/null
+++ b/phpwebapps/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+
+phpwebapps: []
+# yamllint disable-line rule:line-length
+mysql_root_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
+
+# phpwebapps:
+#   - name: termine
+#     directory: /var/www/termine (default)
+#     packages: ["php-mbstring", "php-intl"]
+# yamllint disable-line rule:line-length
+#     mysql_password: "{{lookup('passwordstore', 'db/{{ansible_hostname}}-mysql-termine create=true length=20')}}"
+#     url: "https://example.com/download/genericphpsoftware.zip
+#     checksum: "sha256:abc123…"
diff --git a/phpwebapps/files/check-phpwebapp-update.sh b/phpwebapps/files/check-phpwebapp-update.sh
new file mode 100644
index 0000000000000000000000000000000000000000..eb49d8e465981aa3e73923e5789f8aa653b3618f
--- /dev/null
+++ b/phpwebapps/files/check-phpwebapp-update.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ "$#" -ne 4 ]; then
+    echo "Usage: $0 Name URL pattern version" >&2
+    exit 1
+fi
+
+software=$1
+url=$2
+pattern=$3
+version=$4
+
+page=$(curl "$url" 2>/dev/null)
+if [[ $? -ne 0 ]]; then
+	echo "Querying ${url} (for ${software}) failed."
+	exit 1
+fi
+match=$(echo $page | grep -Po "${pattern}")
+if [[ $? -ne 0 ]]; then
+	echo "Version pattern '${pattern}' not found in ${url} (for ${software})."
+	exit 1
+fi
+echo $match | grep -qF $version
+if [[ $? -ne 0 ]]; then
+	echo "${software} requires update: \"${version}\" does not match \"${match}\"."
+	exit 0
+fi
+exit 0
diff --git a/phpwebapps/tasks/main.yml b/phpwebapps/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..71ebd6cdc4bf5a286bbbd9d902bc74fe9d7cccf2
--- /dev/null
+++ b/phpwebapps/tasks/main.yml
@@ -0,0 +1,126 @@
+---
+
+- name: install packages
+  apt:
+    name:
+      - php
+      - php-mbstring
+      - php-mysql
+      - php-intl
+      - composer
+
+- name: install additional packages for the php sites
+  apt:
+    name: "{{item.packages}}"
+  loop: "{{phpwebapps}}"
+  when: item.packages is defined
+  loop_control:
+    label: "{{item.name}}"
+
+- name: ensure groups for the php sites exist
+  group:
+    name: "{{item.name}}"
+    state: present
+    system: true
+  loop: "{{phpwebapps}}"
+  loop_control:
+    label: "{{item.name}}"
+
+- name: ensure groups for the php sites exist
+  user:
+    name: "{{item.name}}"
+    group: "{{item.name}}"
+    state: present
+    system: true
+    shell: /usr/bin/nologin
+    home: "{{item.directory|default('/var/www/' + item.name)}}"
+    createhome: false
+  loop: "{{phpwebapps}}"
+
+- name: ensure directories for the php sites exist
+  file:
+    path: "{{item.directory|default('/var/www/' + item.name)}}"
+    state: directory
+    owner: "{{item.directory_owner|default(item.name)}}"
+    group: "{{item.directory_group|default(item.name)}}"
+    mode: "{{item.directory_mode|default('0755')}}"
+  loop: "{{phpwebapps}}"
+  loop_control:
+    label: "{{item.name}}"
+
+- name: create the mysql database
+  mysql_db:
+    name: "{{item.name}}"
+    state: present
+    login_user: root
+    login_password: "{{mysql_root_password}}"
+  no_log: true
+  when:
+    - mysql_root_password is defined
+    - item.mysql_password is defined
+  loop: "{{phpwebapps}}"
+  loop_control:
+    label: "{{item.name}}"
+
+- name: create mysql db user
+  mysql_user:
+    name: "{{item.name}}"
+    password: "{{item.mysql_password}}"
+    state: present
+    login_user: root
+    login_password: "{{mysql_root_password}}"
+    priv: "{{item.name}}.*:ALL"
+  no_log: true
+  when:
+    - mysql_root_password is defined
+    - item.mysql_password is defined
+  loop: "{{phpwebapps}}"
+  loop_control:
+    label: "{{item.name}}"
+
+- name: download the software
+  get_url:
+    url: "{{item.url}}"
+    dest: "/tmp/{{item.name}}{{item.url|splitext|last}}"
+    checksum: "{{item.checksum}}"
+  loop: "{{phpwebapps}}"
+  when: item.url is defined and item.checksum is defined
+  loop_control:
+    label: "{{item.name}}"
+
+- name: unpack the software
+  unarchive:
+    src: "/tmp/{{item.name}}{{item.url|splitext|last}}"
+    dest: "{{item.directory|default('/var/www/' + item.name)}}"
+    remote_src: true
+    owner: "{{item.name}}"
+    group: "www-data"
+    mode: '0755'
+  loop: "{{phpwebapps}}"
+  when: item.url is defined and item.checksum is defined
+  loop_control:
+    label: "{{item.name}}"
+
+- name: install update-check-script
+  copy:
+    src: check-phpwebapp-update.sh
+    dest: /usr/local/bin/
+    owner: root
+    group: root
+    mode: '0755'
+  loop: "{{phpwebapps}}"
+  when: item.update_check is defined
+  loop_control:
+    label: "{{item.name}}"
+
+- name: regularly check for updates
+  template:
+    src: crontab.j2
+    dest: "/etc/cron.daily/phpwebapp-{{item.name}}"
+    owner: root
+    group: root
+    mode: '0755'
+  loop: "{{phpwebapps}}"
+  when: item.update_check is defined
+  loop_control:
+    label: "{{item.name}}"
diff --git a/phpwebapps/templates/crontab.j2 b/phpwebapps/templates/crontab.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f266bf1b7bde4465235889c6174ab3e2d9c0079d
--- /dev/null
+++ b/phpwebapps/templates/crontab.j2
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/bin/check-phpwebapp-update.sh '{{item.name}}' '{{item.update_check.url}}' '{{item.update_check.pattern}}' '{{item.update_check.current_version}}'
diff --git a/protokollsystem/defaults/main.yml b/protokollsystem/defaults/main.yml
deleted file mode 100644
index 4f5aec1ee5c4b97741c7bdd7efa053041f7b288e..0000000000000000000000000000000000000000
--- a/protokollsystem/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# file: roles/protokollsystem/defaults/main.yml
-
-protokolle_web_root: /var/www/protokollsystem
-protokolle_name: protokollsystem
-protokolle_user: protokolle
-protokolle_group: protokolle
-protokolle_celery_concurrency: 4
diff --git a/protokollsystem/handlers/main.yml b/protokollsystem/handlers/main.yml
deleted file mode 100644
index a2a8db7cdb40321c7c44092bf3cc11b324e87b52..0000000000000000000000000000000000000000
--- a/protokollsystem/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# file: roles/protokollsystem/handlers/main.yml
-
-- name: reload systemd service files
-  command: systemctl daemon-reload
-
-- name: restart uwsgi for protokollsystem
-  service: name="{{item}}" state=restarted enabled=yes
-  with_items:
-    - "{{protokolle_name}}"
-    - "{{protokolle_name}}-celery"
-
-- name: create tmpfiles
-  command: systemd-tmpfiles --create
diff --git a/protokollsystem/meta/main.yml b/protokollsystem/meta/main.yml
deleted file mode 100644
index 561292b67b6826174e507d8591fb9928bf64dc0c..0000000000000000000000000000000000000000
--- a/protokollsystem/meta/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# file:roles/protokollsystem/meta/main.yml
-dependencies:
-  - { role: webserver }
-  - { role: redis-server }
-  - { role: postgres }
-  - { role: texlive }
-  - { role: cups-client }
-  - { role: uwsgi-python, uwsgi_name: "{{protokolle_name}}", uwsgi_user: "{{protokolle_user}}", uwsgi_group: "{{protokolle_group}}", uwsgi_path: "{{protokolle_web_root}}/program", uwsgi_home: "{{protokolle_web_root}}", uwsgi_program: "server.py", uwsgi_callable: "app", uwsgi_command: "runserver", uwsgi_db: "postgres", uwsgi_python: 3, uwsgi_mules: 1 }
diff --git a/protokollsystem/tasks/main.yml b/protokollsystem/tasks/main.yml
deleted file mode 100644
index 3ff8f512dfb35b86391b188af63c956f245ca3b4..0000000000000000000000000000000000000000
--- a/protokollsystem/tasks/main.yml
+++ /dev/null
@@ -1,119 +0,0 @@
----
-# file: roles/protokollsystem/tasks/main.yml
-
-- name: ensure we have the fonts
-  apt: name="{{item}}" state=present
-  with_items:
-    - fontconfig
-    - tex-gyre
-  tags:
-    - packages
-    - protokollsystem
-
-- name: ensure we have a folder for the program
-  file: path="{{protokolle_web_root}}" state=directory owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0755
-  tags:
-    - directory
-    - protokollsystem
-
-- name: ensure we have a .ssh directory
-  file: path="{{protokolle_web_root}}/.ssh" state=directory owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0755
-  tags:
-    - directory
-    - protokollsystem
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{protokolle_web_root}}/.ssh/" owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
-  tags:
-    - ssh
-    - protokollsystem
-
-- name: ensure we have our .ssh config
-  template: src=config dest="{{protokolle_web_root}}/.ssh/config" owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0644
-  tags:
-    - ssh
-    - protokollsystem
-
-- name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:protokollsystem/proto3.git dest="{{protokolle_web_root}}/program"
-  become: yes
-  become_user: "{{protokolle_user}}"
-  notify:
-    - restart uwsgi for protokollsystem
-  tags:
-    - git
-    - protokollsystem
-
-- name: ensure we have a virtualenv
-  pip:
-    requirements: "{{protokolle_web_root}}/program/requirements.txt"
-    virtualenv: "{{protokolle_web_root}}/program"
-    virtualenv_python: python3
-  become: yes
-  become_user: "{{protokolle_user}}"
-  notify:
-    - restart uwsgi for protokollsystem
-  tags:
-    - pip
-    - python
-    - protokollsystem
-
-- name: ensure we have our config
-  template:
-    src: config.py
-    dest: "{{protokolle_web_root}}/program/config.py"
-    owner: "{{protokolle_user}}"
-    group: "{{protokolle_group}}"
-    mode: 0644
-  notify:
-    - restart uwsgi for protokollsystem
-  tags:
-    - config
-    - python
-    - protokollsystem
-
-- name: ensure the unit file exists
-  template:
-    src: protokollsystem.service
-    dest: "/etc/systemd/system/{{protokolle_name}}.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for protokollsystem
-  tags:
-    - config
-    - systemd
-    - protokollsystem
-
-- name: ensure the celery unit file exists
-  template:
-    src: celery.service
-    dest: "/etc/systemd/system/{{protokolle_name}}-celery.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for protokollsystem
-  tags:
-    - config
-    - systemd
-    - celery
-    - protokollsystem
-
-- meta: flush_handlers
-
-- name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
-  with_items:
-    - "{{protokolle_name}}"
-    - "{{protokolle_name}}-celery"
-  tags:
-    - config
-    - systemd
-    - protokollsystem
diff --git a/protokollsystem/templates/celery.service b/protokollsystem/templates/celery.service
deleted file mode 100644
index 360a975cf4fdf51d83d665ac76c8a1df9fc9d4af..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/celery.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Protokollsystem-Celery
-After=network.target
-
-[Service]
-User={{protokolle_user}}
-Group={{protokolle_group}}
-WorkingDirectory={{protokolle_web_root}}/program
-Environment=VIRTUAL_ENV="{{protokolle_web_root}}/program"
-ExecStart={{protokolle_web_root}}/program/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{protokolle_celery_concurrency}}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/protokollsystem/templates/config b/protokollsystem/templates/config
deleted file mode 100644
index 0998e43d453f18d9fef362788acc1e9682a2e783..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{protokolle_web_root}}/.ssh/deploy-key
diff --git a/protokollsystem/templates/config.py b/protokollsystem/templates/config.py
deleted file mode 100644
index 5c9efabb2e1e5240b3426320da53e7f963ef2c8a..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/config.py
+++ /dev/null
@@ -1,122 +0,0 @@
-SQLALCHEMY_DATABASE_URI = "postgresql://{{protokolle_user}}:@/{{protokolle_name}}"
-SQLALCHEMY_TRACK_MODIFICATIONS = False
-
-SECRET_KEY = "{{protokolle_secret}}"
-
-DEBUG = False
-
-MAIL_ACTIVE = True
-MAIL_FROM = "Gustav Geier <protokolle@fsmpi.rwth-aachen.de>"
-MAIL_HOST = "mail.fsmpi.rwth-aachen.de:25"
-MAIL_USER = ""
-MAIL_PASSWORD = ""
-MAIL_USE_TLS = False
-
-CELERY_BROKER_URL = "redis://localhost:6379/0"
-CELERY_TASK_SERIALIZER = "pickle"
-CELERY_ACCEPT_CONTENT = ["pickle"]
-
-URL_ROOT = "protokolle.fsmpi.rwth-aachen.de"
-URL_PROTO = "https"
-URL_PATH = "/"
-URL_PARAMS = ""
-
-#LDAP_PROVIDER_URL = "ldap://rumo.fsmpi.rwth-aachen.de:389"
-LDAP_PROVIDER_URL = "ldaps://rumo.fsmpi.rwth-aachen.de:636" # needs LDAPTLS_CACERT env
-LDAP_BASE = "dc=fsmpi,dc=rwth-aachen,dc=de"
-LDAP_PROTOCOL_VERSION = 3
-
-PRINTING_ACTIVE = True
-PRINTING_SERVER = "printsrv.fsmpi.rwth-aachen.de:631"
-PRINTING_USER = "protokolle"
-PRINTING_PRINTERS = {
-    "kopierer": ["ColorModel=Gray", "KCStaple=Center", "KCPunch=2HoleEUR", "Duplex=DuplexNoTumble"],
-    "hoern_kopierer": ["Duplex=DuplexNoTumble"]
-}
-
-ETHERPAD_ACTIVE = True
-ETHERPAD_URL = "https://fachschaften.rwth-aachen.de/etherpad"
-EMPTY_ETHERPAD = """Welcome to Etherpad!
-
-This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
-
-Get involved with Etherpad at http://etherpad.org
-
-"""
-
-WIKI_ACTIVE = True
-WIKI_API_URL = "https://www.fsmpi.rwth-aachen.de/wiki/api.php"
-WIKI_ANONYMOUS = False
-WIKI_USER = "protocolpusher"
-WIKI_PASSWORD = "0h3CjGju"
-WIKI_DOMAIN = "fsmpi"
-
-CALENDAR_ACTIVE = True
-CALENDAR_URL = ""
-CALENDAR_DEFAULT_DURATION = 3
-CALENDAR_MAX_REQUESTS = 10
-
-SESSION_PROTECTION = "strong"
-
-SECURITY_KEY = "{{protokolle_security_key}}"
-
-ERROR_CONTEXT_LINES = 3
-
-PAGE_LENGTH = 20
-PAGE_DIFF = 3
-
-MAX_INDEX_DAYS = 14
-
-ADMIN_MAIL = "admin@fsmpi.rwth-aachen.de"
-ADMIN_GROUP = "protokolladmin"
-
-PARSER_LAZY = False
-
-FUZZY_MIN_SCORE = 90
-
-FONTS = {
-    "main": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n019003l",
-        "bold": "n019004l",
-        "italic": "n019023l",
-        "bolditalic": "n019024l"
-    },
-    "roman": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n021003l",
-        "bold": "n021004l",
-        "italic": "n021023l",
-        "bolditalic": "n021024l"
-    },
-    "sans": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n019003l",
-        "bold": "n019004l",
-        "italic": "n019023l",
-        "bolditalic": "n019024l"
-    },
-    "mono": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n022003l",
-        "bold": "n022004l",
-        "italic": "n022023l",
-        "bolditalic": "n022024l"
-    }
-}
-
-
-DOCUMENTS_PATH = "documents"
-
-PRIVATE_KEYWORDS = ["private", "internal", "privat", "intern"]
-
-LATEX_BULLETPOINTS = [
-    r"\textbullet",
-    r"\normalfont \bfseries \textendash",
-    r"$\circ$",
-    r"\textperiodcentered"
-]
diff --git a/protokollsystem/templates/protokollsystem.service b/protokollsystem/templates/protokollsystem.service
deleted file mode 100644
index 3f5061807502b34fe6afd2c23884b9820030680a..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/protokollsystem.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Protokollsystem
-After=network.target
-Wants=protokollsystem-celery.service
-
-[Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{protokolle_name}}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/schildergenerator/defaults/main.yml b/schildergenerator/defaults/main.yml
deleted file mode 100644
index 71b5b4161fa82337a6bd2e274f5411d6af7d90a0..0000000000000000000000000000000000000000
--- a/schildergenerator/defaults/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-# file: roles/schildergenerator/defaults/main.yml
-
-schilder_web_root: /var/www/schilder
-schilder_name: schilder
-schilder_user: schilder
-schilder_group: schilder
-schilder_printsrv: printsrv.fsmpi.rwth-aachen.de
-schilder_printers:
-  - description: "1 - Kopierer"
-    name: "Kopierer"
-schilder_lproptions:
-  - "-Fa4g"
-  - "-N1"
-  - "-o fitplot"
-schilder_templates_url: https://git.fsmpi.rwth-aachen.de/schilder/templates-fsmpi-schilder.git
diff --git a/schildergenerator/files/requirements.txt b/schildergenerator/files/requirements.txt
deleted file mode 100644
index 93aaf2a934547cd0236a8071ebd4ad1dce5a3c4f..0000000000000000000000000000000000000000
--- a/schildergenerator/files/requirements.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Flask
-Flask-Genshi
-Genshi
-docutils
diff --git a/schildergenerator/handlers/main.yml b/schildergenerator/handlers/main.yml
deleted file mode 100644
index 297692941bc67e0cd709d05dce0f96fd0014c8fc..0000000000000000000000000000000000000000
--- a/schildergenerator/handlers/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# file: roles/schilder/handlers/main.yml
-
-- name: reload systemd service files
-  command: systemctl daemon-reload
-
-- name: restart uwsgi for schilder
-  service: name="{{schilder_name}}" state=restarted enabled=yes
-
-- name: create tmpfiles
-  command: systemd-tmpfiles --create
diff --git a/schildergenerator/meta/main.yml b/schildergenerator/meta/main.yml
deleted file mode 100644
index 891398649ba33ddeeb08c6b808f320402aede046..0000000000000000000000000000000000000000
--- a/schildergenerator/meta/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# file: roles/schildergenerator/meta/main.yml
-
-dependencies:
-  - { role: webserver }
-  - { role: texlive }
-  - { role: cups-client }
-  - { role: uwsgi-python, uwsgi_name: "{{schilder_name}}", uwsgi_user: "{{schilder_user}}", uwsgi_group: "{{schilder_group}}", uwsgi_path: "{{schilder_web_root}}/program", uwsgi_home: "{{schilder_web_root}}", uwsgi_program: "schilder.py", uwsgi_callable: "app", uwsgi_command: "", uwsgi_db: "", uwsgi_python: 2, uwsgi_mules: 0 }
diff --git a/schildergenerator/tasks/main.yml b/schildergenerator/tasks/main.yml
deleted file mode 100644
index 3078080f479f8ac0ef3be00d84c1149c061e3509..0000000000000000000000000000000000000000
--- a/schildergenerator/tasks/main.yml
+++ /dev/null
@@ -1,116 +0,0 @@
----
-# file: roles/schildergenerator/tasks/main.yml
-
-- debug: var=schilder_web_root
-
-- name: ensure we have necessary software installed
-  apt: name="{{item}}" state=present
-  with_items:
-    - graphicsmagick
-    - python-pythonmagick
-  tags:
-    - packages
-    - schildergenerator
-
-- name: ensure we have the folders for the program
-  file:
-    path: "{{item}}"
-    state: directory
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
-    mode: 0755
-  with_items:
-    - "{{schilder_web_root}}"
-    - "{{schilder_web_root}}/program"
-  tags:
-    - directory
-    - schildergenerator
-
-- name: ensure we have the program
-  git:
-    repo: "https://git.fsmpi.rwth-aachen.de/schilder/schildergenerator.git"
-    dest: "{{schilder_web_root}}/program"
-  become: yes
-  become_user: "{{schilder_user}}"
-  notify:
-    - restart uwsgi for schilder
-  tags:
-    - git
-    - schildergenerator
-
-- name: ensure we have our requirements
-  copy:
-    src: requirements.txt
-    dest: "{{schilder_web_root}}/requirements.txt"
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
-    mode: 0644
-  tags:
-    - pip
-    - python
-    - schildergenerator
-
-- name: ensure we have a virtualenv
-  pip:
-    requirements: "{{schilder_web_root}}/requirements.txt"
-    virtualenv: "{{schilder_web_root}}/program"
-    virtualenv_python: python2
-    virtualenv_site_packages: yes
-  become: yes
-  become_user: "{{schilder_user}}"
-  notify:
-    - restart uwsgi for schilder
-  tags:
-    - pip
-    - python
-    - schildergenerator
-
-- name: ensure we have our config
-  template:
-    src: config.py
-    dest: "{{schilder_web_root}}/program/config.py"
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
-    mode: 0644
-  notify:
-    - restart uwsgi for schilder
-  tags:
-    - config
-    - python
-    - schildergenerator
-
-- name: ensure we have out templates
-  git:
-    repo: "{{schilder_templates_url}}"
-    dest: "{{schilder_web_root}}/tex"
-  become: yes
-  become_user: "{{schilder_user}}"
-  notify:
-    - restart uwsgi for schilder
-  tags:
-    - git
-    - schildergenerator
-
-- name: ensure the unit file exists
-  template:
-    src: schilder.service
-    dest: "/etc/systemd/system/{{schilder_name}}.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for schilder
-  tags:
-    - config
-    - systemd
-    - schildergenerator
-
-- meta: flush_handlers
-
-- name: ensure the service is enabled
-  service: name="{{schilder_name}}.service" enabled=yes
-  tags:
-    - config
-    - systemd
-    - schildergenerator
diff --git a/schildergenerator/templates/schilder.service b/schildergenerator/templates/schilder.service
deleted file mode 100644
index 7921cb7a5d4baa7a96052ff96306f3e06e46b1e2..0000000000000000000000000000000000000000
--- a/schildergenerator/templates/schilder.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Protokollsystem
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{schilder_name}}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sentry/defaults/main.yml b/sentry/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..63d3c9203c4c845850c1ff9b1c9322de045d0860
--- /dev/null
+++ b/sentry/defaults/main.yml
@@ -0,0 +1,33 @@
+---
+# file: sentry/defaults/main.yml
+
+sentry_root_dir: /var/www/sentry
+sentry_user: sentry
+sentry_group: sentry
+sentry_db_name: sentry
+sentry_db_user: sentry
+# sentry_db_password: null
+# yamllint disable-line rule:line-length
+sentry_db_password: "{{ lookup('passwordstore', 'db/{{sentry_db_host}}-pgsql-sentry create=true length=20') }}"
+sentry_db_host: null
+sentry_redis_url: redis://localhost:6379/0
+sentry_web_host: localhost
+sentry_web_port: 9000
+sentry_mail_active: false
+sentry_mail_host: mail.example.com
+sentry_mail_user: null
+sentry_mail_password: null
+sentry_mail_use_tls: false
+sentry_mail_from: "sentry@example.com"
+sentry_storage_dir: "/tmp/sentry-files"
+sentry_default_user_mail: sentry@example.com
+sentry_default_user_password: null
+sentry_use_ldap: true
+sentry_ldap_uri: "ldaps://auth.example.com"
+sentry_ldap_distinguished_name: "dc=example,dc=com"
+sentry_ldap_deny_group: null
+sentry_ldap_require_group: null
+sentry_ldap_bind_dn: "cn=admin,cn=Users,dc=example,dc=com"
+sentry_ldap_bind_password_lookup: ""
+# yamllint disable-line rule:line-length
+sentry_ldap_bind_password: "{{ lookup('passwordstore', sentry_ldap_bind_password_lookup) }}"
diff --git a/sentry/handlers/main.yml b/sentry/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c28a48d9222c7b0cb69dbc01045368846ec5cb84
--- /dev/null
+++ b/sentry/handlers/main.yml
@@ -0,0 +1,32 @@
+---
+# sentry/handlers/main.yml
+
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+
+- name: restart postgres
+  service: name=postgresql state=restarted
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+
+- name: restart sentry
+  service: name="{{item}}" state=restarted
+  with_items:
+    - sentry-web
+    - sentry-worker
+    - sentry-cron
+
+- name: enable postgres citext extension
+  command: "psql {{sentry_db_name}} -c 'CREATE EXTENSION IF NOT EXISTS citext'"
+  become: true
+  become_user: postgres
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+
+# if this fails with 137/kill -9, this might be OOM
+- name: upgrade sentry database
+  command: "{{sentry_root_dir}}/bin/sentry upgrade"
+  args:
+    stdin: n
+  environment:
+    SENTRY_CONF: "{{sentry_root_dir}}"
+  become: true
+  become_user: "{{sentry_user}}"
diff --git a/sentry/tasks/main.yml b/sentry/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..89b2b0d518b7b78c504d8552ae0c8ec1a8304c5d
--- /dev/null
+++ b/sentry/tasks/main.yml
@@ -0,0 +1,225 @@
+---
+# file: sentry/tasks/main.yml
+
+- name: ensure we have the necessary software
+  apt:
+    name:
+      - python-virtualenv
+      - libpq-dev
+      - python-dev
+      - python-psycopg2
+      - uwsgi
+      - uwsgi-core
+      - uwsgi-plugin-python
+      - libsasl2-dev
+      - libldap2-dev
+      - libssl-dev
+      - python-ldap
+      - libxmlsec1-dev
+      - pkg-config
+    state: present
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure we have the sentry group
+  group:
+    name: "{{sentry_group}}"
+    state: present
+    system: true
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure we have the sentry user
+  user:
+    name: "{{sentry_user}}"
+    group: "{{sentry_group}}"
+    state: present
+    system: true
+    shell: /usr/bin/nologin
+    home: "{{sentry_root_dir}}"
+    createhome: false
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure the sentry directory exists
+  file:
+    path: "{{sentry_root_dir}}"
+    state: directory
+    mode: '0750'
+    owner: root
+    group: sentry
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure we have a postgres database user
+  postgresql_user:
+    name: "{{sentry_db_user}}"
+    state: present
+    password: "{{ sentry_db_password }}"
+    role_attr_flags: NOSUPERUSER,NOCREATEDB
+  become: true
+  become_user: postgres
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - postgres
+
+- name: ensure we have a postgres database
+  postgresql_db:
+    name: "{{sentry_db_name}}"
+    owner: "{{sentry_db_user}}"
+    state: present
+  become: true
+  become_user: postgres
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+  notify:
+    - enable postgres citext extension
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - postgres
+
+- name: ensure the database user has privileges
+  postgresql_privs:
+    database: "{{sentry_db_name}}"
+    roles: "{{sentry_db_user}}"
+    privs: ALL
+    state: present
+    type: database
+  become: true
+  become_user: postgres
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - postgres
+
+- name: ensure the user may login
+  lineinfile:
+    dest: /etc/postgresql/11/main/pg_hba.conf
+    # yamllint disable-line rule:line-length
+    insertafter: "host    all             all             127.0.0.1/32            md5"
+    # yamllint disable-line rule:line-length
+    line: "host    {{sentry_db_name}}          {{sentry_db_user}}          monitoring.fsmpi.rwth-aachen.de md5"
+  delegate_to: "{{sentry_db_host|default(omit)}}"
+  notify:
+    - restart postgres
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - postgres
+
+- meta: flush_handlers
+
+- name: ensure we have a virtualenv and all the packages  # noqa 403
+  pip:
+    name:
+      - sentry
+      - sentry-ldap-auth
+      - sentry-plugins
+    virtualenv: "{{sentry_root_dir}}"
+    virtualenv_python: python2
+    state: latest
+  notify:
+    - upgrade sentry database
+    - restart sentry
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure uwsgi is executable
+  file:
+    path: "{{sentry_root_dir}}/bin/uwsgi"
+    mode: "o+rx"
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure sentry has a config dir
+  file:
+    path: "{{sentry_root_dir}}/.sentry"
+    state: directory
+    owner: sentry
+    group: sentry
+    mode: '0640'
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure one can see that conf dir
+  file:
+    src: "{{sentry_root_dir}}/.sentry"
+    dest: "{{sentry_root_dir}}/conf"
+    state: link
+    owner: sentry
+    group: sentry
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+
+- name: ensure sentry is configured
+  template:
+    src: "{{item}}.j2"
+    dest: "{{sentry_root_dir}}/.sentry/{{item}}"
+    owner: root
+    group: "{{sentry_group}}"
+    mode: '0640'
+  with_items:
+    - config.yml
+    - sentry.conf.py
+  notify:
+    - upgrade sentry database
+    - restart sentry
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - config
+
+- name: ensure we have the sentry services
+  template:
+    src: "{{item}}"
+    dest: /etc/systemd/system
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - sentry-web.service
+    - sentry-cron.service
+    - sentry-worker.service
+  notify:
+    - reload systemd service files
+    - restart sentry
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - service
+
+- name: ensure sentry is activated
+  systemd:
+    name: sentry-web
+    state: started
+    enabled: true
+  tags:
+    - sentry
+    - webservices
+    - monitoring
+    - service
diff --git a/sentry/templates/config.yml.j2 b/sentry/templates/config.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..17fad2cde1acbebf1ccfc8748b54dd71270cc60f
--- /dev/null
+++ b/sentry/templates/config.yml.j2
@@ -0,0 +1,74 @@
+# While a lot of configuration in Sentry can be changed via the UI, for all
+# new-style config (as of 8.0) you can also declare values here in this file
+# to enforce defaults or to ensure they cannot be changed via the UI. For more
+# information see the Sentry documentation.
+
+###############
+# Mail Server #
+###############
+
+{% if sentry_mail_active %}
+mail.backend: 'smtp'  # Use dummy if you want to disable email entirely
+mail.host: '{{sentry_mail_host}}'
+mail.port: 25
+mail.username: '{{sentry_mail_user|default("", true)}}'
+mail.password: '{{sentry_mail_password|default("", true)}}'
+mail.use-tls: {{sentry_mail_use_tls|bool}}
+# The email address to send on behalf of
+mail.from: '{{sentry_mail_from}}'
+{% else %}
+mail.backend: 'dummy'
+{% endif %}
+
+# If you'd like to configure email replies, enable this.
+# mail.enable-replies: false
+
+# When email-replies are enabled, this value is used in the Reply-To header
+# mail.reply-hostname: ''
+
+# If you're using mailgun for inbound mail, set your API key and configure a
+# route to forward to /api/hooks/mailgun/inbound/
+# mail.mailgun-api-key: ''
+
+###################
+# System Settings #
+###################
+
+# If this file ever becomes compromised, it's important to regenerate your a new key
+# Changing this value will result in all current sessions being invalidated.
+# A new key can be generated with `$ sentry config generate-secret-key`
+system.secret-key: '{{ (2**2048)|random|hash("sha256") }}'
+
+# The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
+# clusters. These clusters can be then referred to by name when configuring
+# backends such as the cache, digests, or TSDB backend.
+#
+# Two types of clusters are currently supported:
+#
+#   rb.Cluster
+#   A redis blaster cluster is the traditional cluster used by most services
+#   within sentry. This is the default type cluster type.
+#
+#   rediscluster.StrictRedisCluster
+#   An official Redis Cluster can be configured by marking the named group with
+#   the ``is_redis_cluster: True`` flag. In future versions of Sentry more
+#   services will require this type of cluster.
+#
+#redis.clusters:
+#  default:
+#    hosts:
+#      0:
+#        host: 127.0.0.1
+#        port: 6379
+
+################
+# File storage #
+################
+
+# Uploaded media uses these `filestore` settings. The available
+# backends are either `filesystem` or `s3`.
+
+filestore.backend: 'filesystem'
+filestore.options:
+  location: '{{sentry_storage_dir}}'
+
diff --git a/sentry/templates/sentry-cron.service b/sentry/templates/sentry-cron.service
new file mode 100644
index 0000000000000000000000000000000000000000..05bd2da71467deba29a782197b40faca652ebca7
--- /dev/null
+++ b/sentry/templates/sentry-cron.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Sentry Beat Service
+After=network.target
+
+[Service]
+Type=simple
+User={{sentry_user}}
+Group={{sentry_group}}
+WorkingDirectory={{sentry_root_dir}}
+Environment=SENTRY_CONF={{sentry_root_dir}}
+Environment=VIRTUAL_ENV={{sentry_root_dir}}
+ExecStart={{sentry_root_dir}}/bin/sentry run cron
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sentry/templates/sentry-web.service b/sentry/templates/sentry-web.service
new file mode 100644
index 0000000000000000000000000000000000000000..0910125d665ea1227f48e2c614adeca3bde35f2e
--- /dev/null
+++ b/sentry/templates/sentry-web.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Sentry Main Service
+After=network.target
+Requires=sentry-worker.service
+Requires=sentry-cron.service
+
+[Service]
+Type=simple
+User={{sentry_user}}
+Group={{sentry_group}}
+WorkingDirectory={{sentry_root_dir}}
+Environment=SENTRY_CONF={{sentry_root_dir}}
+Environment=VIRTUAL_ENV={{sentry_root_dir}}
+ExecStart={{sentry_root_dir}}/bin/sentry run web
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sentry/templates/sentry-worker.service b/sentry/templates/sentry-worker.service
new file mode 100644
index 0000000000000000000000000000000000000000..7eab4f83f9f0fd739ac0b290f056874bd31d327d
--- /dev/null
+++ b/sentry/templates/sentry-worker.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Sentry Background Worker
+After=network.target
+
+[Service]
+Type=simple
+User={{sentry_user}}
+Group={{sentry_group}}
+WorkingDirectory={{sentry_root_dir}}
+Environment=SENTRY_CONF={{sentry_root_dir}}
+Environment=VIRTUAL_ENV={{sentry_root_dir}}
+ExecStart={{sentry_root_dir}}/bin/sentry run worker
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sentry/templates/sentry.conf.py.j2 b/sentry/templates/sentry.conf.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..abee60dc41b7fdaab276a94defa53ad3f5ce1120
--- /dev/null
+++ b/sentry/templates/sentry.conf.py.j2
@@ -0,0 +1,190 @@
+# This file is just Python, with a touch of Django which means
+# you can inherit and tweak settings to your hearts content.
+from sentry.conf.server import *
+
+import os.path
+
+CONF_ROOT = os.path.dirname(__file__)
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'sentry.db.postgres',
+        'NAME': '{{sentry_db_name}}',
+        'USER': '{{sentry_db_user}}',
+        'PASSWORD': '{{sentry_db_password.password|default(sentry_db_password)|default("", true)}}',
+        'HOST': '{{sentry_db_host|default("", true)}}',
+        'PORT': '',
+        'AUTOCOMMIT': True,
+        'ATOMIC_REQUESTS': False,
+    }
+}
+
+# You should not change this setting after your database has been created
+# unless you have altered all schemas first
+SENTRY_USE_BIG_INTS = True
+
+# If you're expecting any kind of real traffic on Sentry, we highly recommend
+# configuring the CACHES and Redis settings
+
+###########
+# General #
+###########
+
+# Instruct Sentry that this install intends to be run by a single organization
+# and thus various UI optimizations should be enabled.
+SENTRY_SINGLE_ORGANIZATION = False
+DEBUG = False
+
+# Do not send data to the Sentry Devs
+SENTRY_BEACON = False
+
+#########
+# Cache #
+#########
+
+# Sentry currently utilizes two separate mechanisms. While CACHES is not a
+# requirement, it will optimize several high throughput patterns.
+
+# If you wish to use memcached, install the dependencies and adjust the config
+# as shown:
+#
+#   pip install python-memcached
+#
+# CACHES = {
+#     'default': {
+#         'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+#         'LOCATION': ['127.0.0.1:11211'],
+#     }
+# }
+
+# A primary cache is required for things such as processing events
+SENTRY_CACHE = 'sentry.cache.redis.RedisCache'
+
+#########
+# Queue #
+#########
+
+# See https://docs.sentry.io/on-premise/server/queue/ for more
+# information on configuring your queue broker and workers. Sentry relies
+# on a Python framework called Celery to manage queues.
+
+BROKER_URL = '{{sentry_redis_url}}'
+
+###############
+# Rate Limits #
+###############
+
+# Rate limits apply to notification handlers and are enforced per-project
+# automatically.
+
+SENTRY_RATELIMITER = 'sentry.ratelimits.redis.RedisRateLimiter'
+
+##################
+# Update Buffers #
+##################
+
+# Buffers (combined with queueing) act as an intermediate layer between the
+# database and the storage API. They will greatly improve efficiency on large
+# numbers of the same events being sent to the API in a short amount of time.
+# (read: if you send any kind of real data to Sentry, you should enable buffers)
+
+SENTRY_BUFFER = 'sentry.buffer.redis.RedisBuffer'
+
+##########
+# Quotas #
+##########
+
+# Quotas allow you to rate limit individual projects or the Sentry install as
+# a whole.
+
+SENTRY_QUOTAS = 'sentry.quotas.redis.RedisQuota'
+
+########
+# TSDB #
+########
+
+# The TSDB is used for building charts as well as making things like per-rate
+# alerts possible.
+
+SENTRY_TSDB = 'sentry.tsdb.redis.RedisTSDB'
+
+###########
+# Digests #
+###########
+
+# The digest backend powers notification summaries.
+
+SENTRY_DIGESTS = 'sentry.digests.backends.redis.RedisBackend'
+
+##############
+# Web Server #
+##############
+
+# If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
+# header and uncomment the following settings
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+SENTRY_WEB_HOST = '{{sentry_web_host}}'
+SENTRY_WEB_PORT = {{sentry_web_port}}
+SENTRY_WEB_OPTIONS = {
+    'workers': 3,  # the number of web workers
+#    'protocol': 'uwsgi',  # Enable uwsgi protocol instead of http
+}
+
+{% if sentry_use_ldap %}
+##################
+# AUTHENTICATION #
+##################
+import ldap
+from django_auth_ldap.config import LDAPSearch#, NestedActiveDirectoryGroupType
+
+AUTH_LDAP_SERVER_URI = "{{sentry_ldap_uri}}"
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
+AUTH_LDAP_BIND_DN = "{{sentry_ldap_bind_dn}}"
+AUTH_LDAP_BIND_PASSWORD = "{{ sentry_ldap_bind_password }}"
+#AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    "{{sentry_ldap_distinguished_name}}",
+    ldap.SCOPE_SUBTREE,
+    '(cn:=%(user)s)',
+)
+
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    "{{sentry_ldap_distinguished_name}}",
+    ldap.SCOPE_SUBTREE,
+    '(objectClass=group)',
+)
+
+{% if sentry_ldap_require_group is not none %}
+AUTH_LDAP_REQUIRE_GROUP = "{{sentry_ldap_require_group}}"
+{% endif %}
+{% if sentry_ldap_deny_group is not none %}
+AUTH_LDAP_DENY_GROUP = "{{sentry_ldap_deny_group}}"
+{% endif %}
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "name": "displayName",
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+}
+
+AUTH_LDAP_FIND_GROUP_PERMS = False
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
+
+AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
+    "sentry_ldap_auth.backend.SentryLdapBackend",
+)
+
+AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u"Sentry"
+AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = u'member'
+AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = False
+AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
+AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = u"{{domain}}"
+SENTRY_MANAGED_USER_FIELDS = ("email", "first_name", "last_name", "password")
+
+{% endif %}
diff --git a/shibboleth/defaults/main.yml b/shibboleth/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..55385badd610359b080e7ba37f4626f2a13b91fd
--- /dev/null
+++ b/shibboleth/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# file: webservices/shibboleth/defaults/main.yml
+
+shibboleth_hostname: "www.example.com"
+shibboleth_url: "/shib/login"
+shibboleth_entity_id: "https://www.example.com/shibboleth"
+shibboleth_home_url: "https://www.example.com/"
+shibboleth_support_contact: "admin@example.com"
+shibboleth_key: "/etc/ssl/private/private-example.pem"
+shibboleth_certificate: "/etc/ssl/private/cert-example.pem"
diff --git a/shibboleth/files/attribute-map.xml b/shibboleth/files/attribute-map.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d80c6b328f9e8aace18ec0807565a3ce369ca6fd
--- /dev/null
+++ b/shibboleth/files/attribute-map.xml
@@ -0,0 +1,175 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+    
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+    
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+    
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- https://doc.itc.rwth-aachen.de/display/SHI/RWTH+-+OID -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.1" id="ikz" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.4" id="rwthGender" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.5" id="rwthMatrikelnummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.39" id="rwthStudienfach" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.49" id="rwthDateOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.50" id="rwthLocalityOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.52" id="rwthCountry" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.64" id="rwthID" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.68" id="rwthPersonalNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.89" id="rwthFachInfo2" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.94" id="rwthAssociate" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.96" id="rwthRufname" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.97" id="rwthSVAPersonStatus" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.113" id="rwthCampusAddress" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.114" id="rwthSystemIDs" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.100" id="rwthDienstEmail" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.99" id="rwthTelefonNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.117" id="rwthStudienInfo" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.118" id="rwthEmploymentStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.119" id="rwthEmploymentEnd" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.120" id="rwthRetirementStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.121" id="rwthEntryDate" />
+    
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- SCHAC attributes, uncomment to use... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+    -->
+    
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+</Attributes>
diff --git a/shibboleth/files/nginx-snippet.conf b/shibboleth/files/nginx-snippet.conf
new file mode 100644
index 0000000000000000000000000000000000000000..df30d14ad0a4a19b3c6b8daff0cb8b1f573bb096
--- /dev/null
+++ b/shibboleth/files/nginx-snippet.conf
@@ -0,0 +1,24 @@
+more_clear_input_headers Rwthmatrikelnummer Shib-Session-Index Shib-Session-Id Shib-Identity-Provider Shib-Handler Shib-Application-Id Affiliation Shib-Authentication-Instant Shib-Authncontext-Class Entitlement; # add other headers here against spoofing
+
+location  / {
+    shib_request /shibauthorizer;
+    shib_request_use_headers on;
+    shib_request_set $shib_matrikelnr $upstream_http_Rwthmatrikelnummer;
+    proxy_set_header Host $host;
+    proxy_pass http://unix:/run/nginx/wahlsystem; # change this
+}
+
+location = /shibauthorizer {
+    internal;
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
+}
+
+location /Shibboleth.sso {
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
+}
+
+location /shibboleth-sp {
+    alias /etc/shibboleth/;
+}
diff --git a/shibboleth/files/shibauthorizer.conf b/shibboleth/files/shibauthorizer.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e7eef3a23ca5e72b0260d48e6033762a458b8dbc
--- /dev/null
+++ b/shibboleth/files/shibauthorizer.conf
@@ -0,0 +1,8 @@
+[fcgi-program:shibauthorizer]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibauthorizer
+socket=unix:///run/shibboleth/shibauthorizer.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibauthorizer.log
+stderr_logfile=/var/log/shibboleth/shibauthorizer.error.log
diff --git a/shibboleth/files/shibresponder.conf b/shibboleth/files/shibresponder.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c35f1f10a726ff3c43e4ab9a3ab1868a0e142c28
--- /dev/null
+++ b/shibboleth/files/shibresponder.conf
@@ -0,0 +1,8 @@
+[fcgi-program:shibresponder]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibresponder
+socket=unix:///run/shibboleth/shibresponder.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibresponder.log
+stderr_logfile=/var/log/shibboleth/shibresponder.error.log
diff --git a/shibboleth/handlers/main.yml b/shibboleth/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..43308bb7925031e9392249816ef4dddfd40ff1ac
--- /dev/null
+++ b/shibboleth/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: update apt cache
+  apt: update_cache=yes
+
+- name: reload supervisor
+  systemd: name=supervisor state=reloaded
+
+- name: reload shibd
+  systemd: name=shibd state=restarted
diff --git a/shibboleth/tasks/main.yml b/shibboleth/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e5ae3781329b3fbfa82ef6b0da39bf4496acae17
--- /dev/null
+++ b/shibboleth/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+
+- name: install the required packages for shibboleth
+  apt:
+    name:
+      - nginx-full
+      - libnginx-mod-http-shibboleth
+      - libnginx-mod-http-headers-more-filter
+      - supervisor
+      - shibboleth-sp2-utils
+      - shibboleth-sp2-common
+    state: present
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - supervisor
+    - packages
+
+- name: install our configuration
+  template:
+    src: shibboleth2.xml
+    dest: /etc/shibboleth/shibboleth2.xml
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the known attributes
+  copy:
+    src: attribute-map.xml
+    dest: /etc/shibboleth/attribute-map.xml
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the supervisor tasks for authorizer/responder
+  copy:
+    src: "{{item}}"
+    dest: /etc/supervisor/conf.d/
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - shibauthorizer.conf
+    - shibresponder.conf
+  notify:
+    - reload supervisor
+  tags:
+    - shibboleth
+    - supervisor
+    - config
+
+- name: put the nginx example snippet there
+  copy:
+    src: nginx-snippet.conf
+    dest: /etc/nginx/snippets/shibd.conf
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - shibboleth
+    - nginx
+    - config
+
+- name: ensure the services are running
+  systemd:
+    name: "{{item}}"
+    enabled: true
+    state: started
+  with_items:
+    - supervisor
+    - shibd
+  tags:
+    - shibboleth
+    - services
diff --git a/shibboleth/templates/shibboleth2.xml b/shibboleth/templates/shibboleth2.xml
new file mode 100644
index 0000000000000000000000000000000000000000..c7443588f4860c9eecbe6779b08e354252c231f5
--- /dev/null
+++ b/shibboleth/templates/shibboleth2.xml
@@ -0,0 +1,193 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+
+   <OutOfProcess logger="shibd.logger">
+   </OutOfProcess>
+
+   <InProcess logger="native.logger">
+      <ISAPI normalizeRequest="true" safeHeaderNames="true">
+         <Site id="1" name="{{shibboleth_hostname}}"/>
+      </ISAPI>
+   </InProcess>
+  
+   <UnixListener address="shibd.sock"/>
+  
+   <RequestMapper type="Native">
+    <RequestMap applicationId="default" target="{{shibboleth_url}}">
+          <Host name="{{shibboleth_hostname}}">
+            <Path name="{{shibboleth_url}}" authType="shibboleth" requireSession="true" />
+          </Host>
+       </RequestMap>
+    </RequestMapper>
+  
+   <ApplicationDefaults entityID="{{shibboleth_entity_id}}"
+                        REMOTE_USER="eppn persistent-id targeted-id"
+                        homeURL="{{shibboleth_home_url}}"
+                        signing="false"
+                        encryption="false"
+                        id="default"
+                        policyId="default">
+  
+                          
+      <Sessions lifetime="28800"
+                timeout="3600"
+                checkAddress="false"
+                handlerURL="/Shibboleth.sso"
+                handlerSSL="true"
+                cookieProps="; path=/; secure; HttpOnly"
+                exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+                exportACL="127.0.0.1"
+                idpHistory="false"
+                idpHistoryDays="7">
+  
+  
+         <SessionInitiator type="Chaining"
+                           Location="/Login"
+                           id="Intranet"
+                           relayState="cookie"
+                           entityID="https://login.rz.rwth-aachen.de/shibboleth"
+                           target="https://{{shibboleth_hostname}}/Shibboleth.sso/Session">
+        
+            <SessionInitiator type="SAML2"
+                              acsIndex="1"
+                              template="bindingTemplate.html"/>
+                             
+            <SessionInitiator type="Shib1"
+                              acsIndex="5"/>
+         </SessionInitiator>
+  
+         <md:AssertionConsumerService
+             Location="/SAML2/POST"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/POST-SimpleSign"
+             index="2"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/Artifact"
+             index="3"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/ECP"
+             index="4"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+         <md:AssertionConsumerService
+             Location="/SAML/POST"
+             index="5"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+         <md:AssertionConsumerService
+             Location="/SAML/Artifact"
+             index="6"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+  
+         <LogoutInitiator type="Chaining"
+                          Location="/Logout"
+                          relayState="cookie">
+            <LogoutInitiator type="SAML2"
+                             template="bindingTemplate.html"/>
+            <LogoutInitiator type="Local"/>
+         </LogoutInitiator>
+  
+         <md:SingleLogoutService
+             Location="/SLO/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:SingleLogoutService
+             Location="/SLO/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:SingleLogoutService
+             Location="/SLO/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:SingleLogoutService
+             Location="/SLO/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+  
+         <md:ManageNameIDService
+             Location="/NIM/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:ManageNameIDService
+             Location="/NIM/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:ManageNameIDService
+             Location="/NIM/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:ManageNameIDService
+             Location="/NIM/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:ArtifactResolutionService
+             Location="/Artifact/SOAP"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+  
+         <Handler type="MetadataGenerator"
+                  Location="/Metadata"
+                  signing="false"/>
+  
+         <Handler type="Status"
+                  Location="/Status"
+                  acl="127.0.0.1 134.130.3.70"/>
+  
+         <Handler type="Session"
+                  Location="/Session"
+                  showAttributeValues="false"/>
+  
+         <Handler type="DiscoveryFeed"
+                  Location="/DiscoFeed"/>
+      </Sessions>
+
+  
+
+      <Errors supportContact="{{shibboleth_support_contact}}"
+              helpLocation="/about.html"
+              styleSheet="/shibboleth-sp/main.css"/>
+          
+      <MetadataProvider type="XML"
+                        uri="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml"
+                        backingFilePath="rwth.metadata.xml"
+                        reloadInterval="7200">
+            <!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
+         <MetadataFilter type="Signature"
+                         certificate="sso.rwth-aachen.de.pem"/>
+      </MetadataProvider>
+
+      <TrustEngine type="Chaining">
+         <TrustEngine type="ExplicitKey"/>
+         <TrustEngine type="PKIX"/>
+      </TrustEngine>
+
+      <AttributeExtractor type="XML"
+                          reloadChanges="false"
+                          path="attribute-map.xml"/>
+          
+      <AttributeResolver type="Query"/>
+
+      <AttributeFilter type="XML"
+                       path="attribute-policy.xml"/>
+  
+      <CredentialResolver type="File"
+          key="{{shibboleth_key}}"
+          certificate="{{shibboleth_cert}}"/>
+  
+   </ApplicationDefaults>
+
+   <SecurityPolicyProvider type="XML"
+                           validate="true"
+                           path="security-policy.xml"/>
+  
+   <ProtocolProvider type="XML"
+                     validate="true"
+                     reloadChanges="false"
+                     path="protocols.xml"/>
+  
+</SPConfig>
diff --git a/static-website/defaults/main.yml b/static-website/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..42802b683bf6b1919895f05dfd4f61dc482c3e12
--- /dev/null
+++ b/static-website/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+
+static_websites: []
+#  - path: /var/www/website
+#    git_url: ''
+#    umask: 022
+#    git_version: HEAD
+#    deploy_key: "{{ inventory_dir }}/files/deploy-keys/website"
+#    deploy_key_name: website
+#    cron_interval: '@daily'  # only without deploy_key!
diff --git a/static-website/tasks/main.yml b/static-website/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3769a1ba73816dd26ab407ecb5c00cff8819ce49
--- /dev/null
+++ b/static-website/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+
+- name: ensure the deploy keys are available
+  copy:
+    src: "{{ item.deploy_key }}"
+    dest: "/root/.ssh/{{ item.deploy_key_name }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when:
+    - item.deploy_key is defined
+    - item.deploy_key|string != ''  # noqa 602
+    - item.deploy_key_name is defined
+    - item.deploy_key_name|string != ''  # noqa 602
+  with_items: "{{ static_websites }}"
+  tags:
+    - static-website
+
+# https://github.com/ansible/ansible/issues/27699
+# https://github.com/ansible/ansible/issues/30064#issuecomment-487149251
+- name: ensure we have up-to-date websites
+  git:
+    repo: "{{ item.git_url }}"
+    dest: "{{ item.path }}"
+    # yamllint disable-line rule:line-length
+    key_file: "/root/.ssh/{{ item.deploy_key_name|default(None, true) or omit }}"
+    version: "{{ item.git_version|default('HEAD') }}"
+    umask: "{{ item.umask|default('022') }}"
+  with_items: "{{ static_websites }}"
+  environment:
+    TMPDIR: /root/.ansible/tmp
+  tags:
+    - static-website
+
+- name: ensure we have self-updating websites
+  template:
+    src: cronjob.j2
+    dest: /etc/cron.d/static-websites
+    mode: '0644'
+  tags:
+    - static-website
diff --git a/static-website/templates/cronjob.j2 b/static-website/templates/cronjob.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2bc555037749b116c3ffe7e45180f7c686f5be49
--- /dev/null
+++ b/static-website/templates/cronjob.j2
@@ -0,0 +1,5 @@
+{% for website in static_websites %}
+{% if website.cron_interval|default('@daily') is not none and website.deploy_key is undefined %}
+{{ website.cron_interval|default('@daily') }} root git -C {{ website.path }} pull --ff-only --quiet
+{% endif %}
+{% endfor %}
diff --git a/uwsgi-php/meta/main.yml b/uwsgi-php/meta/main.yml
deleted file mode 100644
index 8a60ee77f32aa542f09e0d29224c262ec96e45ce..0000000000000000000000000000000000000000
--- a/uwsgi-php/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# file: roles/uwsgi-php/meta/main.yml
-dependencies:
-  - { role: uwsgi }
diff --git a/uwsgi-php/tasks/main.yml b/uwsgi-php/tasks/main.yml
deleted file mode 100644
index a6e06db7f60e51e4d3a07b372233fb89c740153b..0000000000000000000000000000000000000000
--- a/uwsgi-php/tasks/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-# file: roles/uwsgi-php/tasks/main.yml
-
-- name: ensure packages for uwsgi-php are installed
-  apt: name={{ item }} state=latest
-  with_items:
-    - php5
-    - php5-curl
-    - uwsgi-plugin-php
-  tags:
-    - uwsgi
-    - packages
diff --git a/uwsgi-python/defaults/main.yml b/uwsgi-python/defaults/main.yml
index 0cb68289bb51500f2ad32a771893bc8eca84f63b..d1f89d21100f65c11fdf8433b69fb946f7200ed6 100644
--- a/uwsgi-python/defaults/main.yml
+++ b/uwsgi-python/defaults/main.yml
@@ -1,14 +1,9 @@
 ---
-# files: roles/uwsgi-python/defaults/main.yml
 
-uwsgi_name: uwsgi
-uwsgi_user: uwsgi
-uwsgi_group: uwsgi
-uwsgi_home: /var/www
-uwsgi_path: /var/www
-uwsgi_program: server.py
-uwsgi_callable: app
-uwsgi_command: runserver
-uwsgi_db: none
-uwsgi_python: 3
-uwsgi_mules: 0
+uwsgi_lock_privileges: true
+uwsgi_protect_home: true
+
+# yamllint disable-line rule:line-length
+app_db_root_password: "{{ lookup('passwordstore', 'db/{{ansible_facts.hostname}}-mysql create=true length=20') }}"
+# yamllint disable-line rule:line-length
+app_db_password: "{{ lookup('passwordstore', 'db/{{ansible_facts.hostname}}-mysql-{{app_user}} create=true length=20') }}"
diff --git a/uwsgi-python/files/apps/pgdg.pref b/uwsgi-python/files/apps/pgdg.pref
new file mode 100644
index 0000000000000000000000000000000000000000..ac6889cc2ed340519f931372cffb62004c953486
--- /dev/null
+++ b/uwsgi-python/files/apps/pgdg.pref
@@ -0,0 +1,3 @@
+Package: *
+Pin: release o=apt.postgresql.org
+Pin-Priority: 200
diff --git a/uwsgi-python/files/uwsgi@.socket b/uwsgi-python/files/uwsgi@.socket
new file mode 100644
index 0000000000000000000000000000000000000000..641182e9ae065baad531f1ceac7d9f48fa81d1b4
--- /dev/null
+++ b/uwsgi-python/files/uwsgi@.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Socket for uWSGI %I
+
+[Socket]
+# Change this to your uwsgi application port or unix socket location
+ListenStream=/run/uwsgi/%I.sock
+
+[Install]
+WantedBy=sockets.target
diff --git a/uwsgi-python/handlers/main.yml b/uwsgi-python/handlers/main.yml
index 50114394bad956804d4748192bcf1136d60cb1ea..28c6b49e21c4b28e5777a20e6a72e553e58198da 100644
--- a/uwsgi-python/handlers/main.yml
+++ b/uwsgi-python/handlers/main.yml
@@ -1,5 +1,130 @@
 ---
-# file: roles/uwsgi-python/handlers/main.yml
+# file: uwsgi-python/handlers/main.yml
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
+
+- name: reload systemd service files
+  systemd:
+    daemon_reload: true
+
+- name: restart uwsgi instance shorturl
+  service: name="uwsgi@shorturl" state=restarted
+
+- name: restart uwsgi instance lehrpreis
+  service: name="uwsgi@lehrpreis" state=restarted
+
+- name: restart uwsgi instance schilder
+  service: name="uwsgi@schilder" state=restarted
+
+- name: restart uwsgi instance boxes
+  service: name="uwsgi@boxes" state=restarted
+
+- name: restart uwsgi instance sso
+  service: name="uwsgi@sso" state=restarted
+
+- name: restart uwsgi instance sso-vampir
+  service: name="uwsgi@sso-vampir" state=restarted
+
+- name: restart uwsgi instance migration-webapp
+  service: name="uwsgi@migration-webapp" state=restarted
+
+- name: restart uwsgi instance protokollsystem uwsgi
+  service: name="uwsgi@protokollsystem" state=restarted
+  listen: "restart uwsgi instance protokollsystem"
+
+- name: restart uwsgi instance protokollsystem celery
+  service: name="protokollsystem-celery" state=restarted
+  listen: "restart uwsgi instance protokollsystem"
+
+- name: restart uwsgi instance wahlsystem uwsgi
+  service: name="uwsgi@wahlsystem" state=restarted
+  listen: "restart uwsgi instance wahlsystem"
+
+- name: restart uwsgi instance wahlsystem celery
+  service: name="wahlsystem-celery" state=restarted
+  listen: "restart uwsgi instance wahlsystem"
+
+- name: restart uwsgi instance wahlsystem-2018
+  service: name="uwsgi@wahlsystem-2018" state=restarted
+
+- name: restart uwsgi instance meckerkasten
+  service: name="uwsgi@meckerkasten" state=restarted
+
+- name: restart uwsgi instance wahlhelfer
+  service: name="uwsgi@wahlhelfer" state=restarted
+
+- name: restart uwsgi instance nfs-api
+  service: name="uwsgi@nfs-api" state=restarted
+
+- name: restart uwsgi instance mail-api
+  service: name="uwsgi@mail-api" state=restarted
+
+- name: restart uwsgi instance mm2-api
+  service: name="uwsgi@mm2-api" state=restarted
+
+- name: restart uwsgi instance printercount
+  service: name="uwsgi@printercount" state=restarted
+
+- name: restart uwsgi instance gnt-web
+  service: name="uwsgi@gnt-web" state=restarted
+
+- name: restart uwsgi instance isic
+  service: name="uwsgi@isic" state=restarted
+
+- name: restart uwsgi instance repo-sync
+  service: name="uwsgi@repo-sync" state=restarted
+
+- name: restart uwsgi instance timer
+  service: name="uwsgi@timer" state=restarted
+
+- name: restart uwsgi instance redeleitsystem
+  service: name="uwsgi@redeleitsystem" state=restarted
+
+- name: restart uwsgi instance lipclms
+  service: name="uwsgi@lipclms" state=restarted
+
+- name: restart uwsgi instance schrank
+  service: name="uwsgi@schrank" state=restarted
+
+- name: restart uwsgi instance gitlab-connector
+  service: name="uwsgi@gitlab-connector" state=restarted
+
+- name: restart uwsgi instance vampir-mitglieder
+  service: name="uwsgi@vampir-mitglieder" state=restarted
+
+- name: restart uwsgi instance alumnigraph
+  service: name="uwsgi@alumnigraph" state=restarted
+
+- name: restart uwsgi instance ak-tracker
+  service: name="uwsgi@ak-tracker" state=restarted
+
+- name: restart uwsgi instance pretix uwsgi
+  service: name="uwsgi@pretix" state=restarted
+  listen: "restart uwsgi instance pretix"
+
+- name: restart uwsgi instance pretix celery
+  service: name="pretix-celery" state=restarted
+  listen: "restart uwsgi instance pretix"
+
+- name: restart uwsgi instance infoscreen
+  service: name="uwsgi@infoscreen" state=restarted
+
+- name: restart uwsgi instance netbox
+  service: name="uwsgi@netbox" state=restarted
+
+# - name: restart uwsgi instance netbox rqworker
+#   service: name="netbox-rqworker" state=restarted
+#   listen: "restart uwsgi instance netbox"
+
+- name: restart uwsgi instance gl-rt-bridge
+  service: name="uwsgi@gl-rt-bridge" state=restarted
+
+- name: restart uwsgi instance pgadmin4
+  service: name="uwsgi@pgadmin4" state=restarted
+
+- name: restart uwsgi instance darlehen
+  service: name="uwsgi@darlehen" state=restarted
+
+- name: restart uwsgi instance etherpad-api-proxy
+  service: name="uwsgi@etherpad-api-proxy" state=restarted
diff --git a/uwsgi-python/meta/main.yml b/uwsgi-python/meta/main.yml
deleted file mode 100644
index f6ade0b85330e157e139c8a5a20fa4a8ed350d94..0000000000000000000000000000000000000000
--- a/uwsgi-python/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# file: roles/uwsgi-python/meta/main.yml
-dependencies:
-  - { role: uwsgi }
diff --git a/uwsgi-python/tasks/app.yml b/uwsgi-python/tasks/app.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d5285dd3f205fcbc6d9df565be58dee6ec9f41c4
--- /dev/null
+++ b/uwsgi-python/tasks/app.yml
@@ -0,0 +1,346 @@
+---
+
+- name: include app specific variables
+  include_vars: "{{ item }}"
+  with_items:
+    - "../vars/default.yml"
+    - "../vars/{{ app.app }}.yml"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: include usage specific configuration
+  include_vars: "{{ inventory_dir }}/vars/{{ app.app_vars }}"
+  when: app.app_vars is defined
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have python 2
+  apt:
+    name:
+      - python
+      - python-dev
+      - python-virtualenv
+      - uwsgi-plugin-python
+      - virtualenv
+    state: present
+  when:
+    - app_python_version == 2
+    - app_lang == "python"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have python 3
+  apt:
+    name:
+      - python3
+      - python3-dev
+      - python3-virtualenv
+      - uwsgi-plugin-python3
+      - virtualenv
+    state: present
+  when:
+    - app_python_version == 3
+    - app_lang == "python"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: Install Ruby packages
+  apt:
+    name:
+      - "ruby{{ app_ruby_version }}"
+      - "uwsgi-plugin-rack-ruby{{ app_ruby_version }}"
+      - ruby-bundler
+    state: present
+  when: app_lang == "ruby"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- block:
+    - include: sqlite.yml
+      when: app_db_type == "sqlite"
+    - include: mysql.yml
+      when: app_db_type == "mysql"
+    - include: postgres.yml
+      when: app_db_type == "postgres"
+  when: app_db_type is defined
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have a group
+  group:
+    name: "{{ app_group }}"
+    system: true
+    state: present
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have a user
+  user:
+    name: "{{ app_user }}"
+    group: "{{ app_group }}"
+    system: true
+    home: "{{ app_home }}"
+    shell: /usr/bin/nologin
+    createhome: false
+    state: present
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure a temporary directory exists
+  template:
+    src: tmpfiles.conf.j2
+    dest: "/etc/tmpfiles.d/10-{{ app.instance }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - create tmpfiles
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- meta: flush_handlers
+
+- name: ensure we have our uwsgi config file
+  template:
+    src: uwsgi.ini.j2
+    dest: "/etc/uwsgi/apps/{{ app.instance }}.ini"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure additional software is installed
+  apt:
+    name: "{{app_additional_software}}"
+    state: present
+  when:
+    - app_additional_software is defined
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ app_deploy_key }}"
+    dest: "/root/.ssh/{{ app.app }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when:
+    - app_deploy_key is defined
+    - app_deploy_key|string != ''  # noqa 602
+    - (app_git_pip is not defined) or (not app_git_pip)
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+# https://github.com/ansible/ansible/issues/27699
+# https://github.com/ansible/ansible/issues/30064#issuecomment-487149251
+- name: ensure we have the program
+  git:
+    repo: "{{ app_git_url }}"
+    dest: "{{ app_path }}"
+    key_file: "/root/.ssh/{{ app.app }}"
+    version: "{{ app_git_version }}"
+  environment:
+    TMPDIR: /root/.ansible/tmp
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  when:
+    - app_deploy_key is defined
+    - app_deploy_key|string != ''  # noqa 602
+    - (app_git_pip is not defined) or (not app_git_pip)
+    - app_git_url|string != ''  # noqa 602
+  register: git
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have the program (without key file)
+  git:
+    repo: "{{ app_git_url }}"
+    dest: "{{ app_path }}"
+    version: "{{ app_git_version }}"
+  environment:
+    TMPDIR: /root/.ansible/tmp
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  when:
+    # yamllint disable-line rule:line-length
+    - (app_deploy_key is not defined) or (not app_deploy_key|string != '')  # noqa 602
+    - (app_git_pip is not defined) or (not app_git_pip)
+    - app_git_url|string != ''  # noqa 602
+  register: git
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have a virtualenv  # noqa 403
+  pip:
+    requirements: "{{ app_path }}/{{ app_requirements_file }}"
+    virtualenv: "{{ app_venv }}"
+    virtualenv_python: "python{{ app_python_version }}"
+    state: latest
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  when:
+    - app_requirements_file is defined
+    - app_requirements_file|string != ''  # noqa 602
+    - (app_git_pip is not defined) or (not app_git_pip)
+    - app_lang == "python"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have a virtualenv (app module)  # noqa 403
+  pip:
+    # yamllint disable-line rule:line-length
+    name: "git+{{ app_git_url }}@{{ app_git_version }}{{ app_git_pip_query|default('') }}"
+    virtualenv: "{{ app_venv }}"
+    virtualenv_python: "python{{ app_python_version }}"
+    state: latest
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  when:
+    - app_git_pip is defined
+    - app_git_pip
+    - app_lang == "python"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: Create bundler directories with user permissions
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0775"
+    owner: "{{ app_user }}"
+  loop:
+    - "{{ app_path }}/.bundle"
+    - "{{ app_path }}/vendor"
+  when:
+    - app_gemfile is defined
+    - app_gemfile|string != ''  # noqa 602
+    - app_lang == "ruby"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: Install gems
+  bundler:
+    deployment_mode: true
+    exclude_groups:
+      - development
+    gemfile: "{{ app_gemfile }}"
+  become: true
+  become_user: "{{ app_user }}"
+  when:
+    - app_gemfile is defined
+    - app_gemfile|string != ''  # noqa 602
+    - app_lang == "ruby"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have our config
+  template:
+    src: "apps/{{ app.app }}.j2"
+    dest: "{{ app_path }}/{{ app_config_file }}"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0640'
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  when:
+    - app_config_file is defined
+    - app_config_file|string != ''  # noqa 602
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- name: ensure we have our secret config
+  template:
+    src: secret_config.py.j2
+    dest: "{{ app_path }}/secret_config.py"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0600'
+    force: false
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+  when:
+    - app_secret_config is defined
+    - app_secret_config
+    - app_lang == "python"
+
+- name: ensure the secret config is not part of the git repository
+  lineinfile:
+    path: "{{app_path}}/.git/info/exclude"
+    line: "secret_config.py"
+    state: present
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+  when:
+    - app_secret_config is defined
+    - app_secret_config
+    - app_lang == "python"
+
+- include_tasks: "{{ item }}"
+  with_first_found:
+    - files:
+        - "apps/{{ app.app }}.yml"
+      skip: true
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
+
+- meta: flush_handlers
+
+- name: ensure the service is enabled
+  service:
+    name: "uwsgi@{{ app.instance }}"
+    enabled: true
+    state: started
+  tags:
+    - uwsgi-app
+    - "{{ app.app }}"
+    - "{{ app.instance }}"
diff --git a/uwsgi-python/tasks/apps/alumnigraph.yml b/uwsgi-python/tasks/apps/alumnigraph.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a3ec7ee5b6a96adf3223e28676595616dae56610
--- /dev/null
+++ b/uwsgi-python/tasks/apps/alumnigraph.yml
@@ -0,0 +1,25 @@
+---
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/flask db upgrade"
+  args:
+    chdir: "{{app_path}}"
+  environment:
+    FLASK_APP: "{{app_program}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
diff --git a/uwsgi-python/tasks/apps/gl-rt-bridge.yml b/uwsgi-python/tasks/apps/gl-rt-bridge.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5987360a7234cf10750661907542b83b64c8e1f7
--- /dev/null
+++ b/uwsgi-python/tasks/apps/gl-rt-bridge.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Create rt-client cookie file
+  file:
+    name: "{{ app_home }}/RT_Client.{{ gl_rt_bridge.rt_user }}.cookie"
+    state: touch
+    owner: "{{ app_user }}"
+    mode: "0600"
diff --git a/uwsgi-python/tasks/apps/infoscreen.yml b/uwsgi-python/tasks/apps/infoscreen.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d82aa37299667fe69f019969e3c2015e5ea656e2
--- /dev/null
+++ b/uwsgi-python/tasks/apps/infoscreen.yml
@@ -0,0 +1,37 @@
+---
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python {{app_path}}/createdb.py"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
+
+- name: ensure some directories are present
+  file:
+    state: directory
+    path: "{{ app_path }}/{{ item }}"
+    mode: '0755'
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+  with_items:
+    - ''
+    - 'display'
+    - 'tmp'
+    - 'uploads'
+    - 'build'
diff --git a/uwsgi-python/tasks/apps/lehrpreis.yml b/uwsgi-python/tasks/apps/lehrpreis.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e5cb936d2daf8665f74724142b6bbfa23f46d20e
--- /dev/null
+++ b/uwsgi-python/tasks/apps/lehrpreis.yml
@@ -0,0 +1,27 @@
+---
+
+- name: ensure we have our branded logo
+  copy:
+    src: "{{ lehrpreis_branding_logo_src }}"
+    dest: "{{ app_path }}/static/images/{{ lehrpreis_branding_logo }}"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0644'
+  notify:
+    - restart uwsgi instance {{ app.instance }}
+  when: lehrpreis_branding_logo and lehrpreis_branding_logo_src
+
+- name: ensure the branded logo is not considered a part of the git repository
+  lineinfile:
+    path: "{{app_path}}/.git/info/exclude"
+    line: "static/images/{{ lehrpreis_branding_logo }}"
+    state: present
+  when: lehrpreis_branding_logo and lehrpreis_branding_logo_src
+
+- name: ensure the translations are compiled  # noqa 503
+  command: "{{ app_venv }}/bin/pybabel compile -d translations"
+  args:
+    chdir: "{{ app_path }}"
+  when: git.changed
+  notify:
+    - restart uwsgi instance {{ app.instance }}
diff --git a/uwsgi-python/tasks/apps/lipclms.yml b/uwsgi-python/tasks/apps/lipclms.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ae36dee0cb9f1d5dc7fbb35d12d7c75a12518efc
--- /dev/null
+++ b/uwsgi-python/tasks/apps/lipclms.yml
@@ -0,0 +1,23 @@
+---
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python {{app_path}}/lipclms.py db upgrade"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
diff --git a/uwsgi-python/tasks/apps/mail-api.yml b/uwsgi-python/tasks/apps/mail-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..616dda39a9771891e6a3f4759c39485bc14eeb2e
--- /dev/null
+++ b/uwsgi-python/tasks/apps/mail-api.yml
@@ -0,0 +1,21 @@
+---
+
+- name: ensure mail-api can create maildirs
+  template:
+    src: apps/mail-api-sudoers.j2
+    dest: /etc/sudoers.d/mailapi
+    owner: root
+    group: root
+    mode: '0440'
+  tags:
+    - usercripts
+    - mailapi
+    - webservices
+
+- name: check the sudo config
+  command: visudo -q -c -f /etc/sudoers
+  changed_when: false
+  tags:
+    - userscripts
+    - mailapi
+    - webservices
diff --git a/uwsgi-python/tasks/apps/mm2-api.yml b/uwsgi-python/tasks/apps/mm2-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..dc71694450d930395a8107caae110da155f1e765
--- /dev/null
+++ b/uwsgi-python/tasks/apps/mm2-api.yml
@@ -0,0 +1,21 @@
+---
+
+- name: ensure mm2-api can manipulate mailman
+  template:
+    src: apps/mm2-api-sudoers.j2
+    dest: /etc/sudoers.d/mm2api
+    owner: root
+    group: root
+    mode: '0440'
+  tags:
+    - usercripts
+    - mm2api
+    - webservices
+
+- name: check the sudo config
+  command: visudo -q -c -f /etc/sudoers
+  changed_when: false
+  tags:
+    - userscripts
+    - mm2api
+    - webservices
diff --git a/uwsgi-python/tasks/apps/netbox.yml b/uwsgi-python/tasks/apps/netbox.yml
new file mode 100644
index 0000000000000000000000000000000000000000..032e500385a0582bb44dcda51fece54882c28e3e
--- /dev/null
+++ b/uwsgi-python/tasks/apps/netbox.yml
@@ -0,0 +1,67 @@
+---
+
+- name: Install LDAP auth configuration
+  template:
+    src: apps/netbox-ldap.py.j2
+    dest: "{{app_path}}/netbox/netbox/ldap_config.py"
+    owner: root
+    group: "{{app_group}}"
+    mode: '0640'
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure plugins are installed  # noqa 403
+  pip:
+    name:
+      - napalm
+      - django-auth-ldap
+    virtualenv: "{{ app_venv }}"
+    virtualenv_python: "python{{ app_python_version }}"
+    state: latest
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+
+- name: ensure data model migrations are applied  # noqa 301
+  command: "{{app_venv}}/bin/python manage.py migrate"
+  args:
+    chdir: "{{app_chdir}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: Collect static files  # noqa 301
+  command: "{{app_venv}}/bin/python manage.py collectstatic --no-input"
+  args:
+    chdir: "{{app_chdir}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
+
+- name: ensure the rqworker unit file exists
+  template:
+    src: apps/netbox-rqworker.service.j2
+    dest: "/etc/systemd/system/{{ app_name }}-rqworker.service"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+    - "restart uwsgi instance {{app.instance}}"
+
+# Not needed (and working) at the moment
+# - name: ensure the rqworker service is enabled
+#   service:
+#     name: "{{app_name}}-rqworker"
+#     enabled: true
+#     state: started
diff --git a/uwsgi-python/tasks/apps/nfs-api.yml b/uwsgi-python/tasks/apps/nfs-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f53ceb4956dca16c6dba89015267796c29ebd90a
--- /dev/null
+++ b/uwsgi-python/tasks/apps/nfs-api.yml
@@ -0,0 +1,21 @@
+---
+
+- name: ensure nfs-api can create homedirs
+  template:
+    src: apps/nfs-api-sudoers.j2
+    dest: /etc/sudoers.d/nfsapi
+    owner: root
+    group: root
+    mode: '0440'
+  tags:
+    - usercripts
+    - nfsapi
+    - webservices
+
+- name: check the sudo config
+  command: visudo -q -c -f /etc/sudoers
+  changed_when: false
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
diff --git a/uwsgi-python/tasks/apps/pgadmin4.yml b/uwsgi-python/tasks/apps/pgadmin4.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9a8660daff13ef1cf4d9a23e99c70e6a6bf5e9eb
--- /dev/null
+++ b/uwsgi-python/tasks/apps/pgadmin4.yml
@@ -0,0 +1,45 @@
+---
+
+- name: Add the Postgres APT repo signing key
+  apt_key:
+    url: "https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc"
+    id: B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
+
+- name: Pin Postgres APT repo
+  copy:
+    src: pgdg.pref
+    dest: /etc/apt/preferences.d/pgdg.pref
+
+- name: Enable Postgres APT repository
+  apt_repository:
+    # yamllint disable-line rule:line-length
+    repo: "deb https://apt.postgresql.org/pub/repos/apt/ {{ debian_version }}-pgdg main"
+
+- name: Debconf pgadmin4
+  debconf:
+    pkg: pgadmin4-apache2
+    question: "pgadmin4/{{ item.k }}"
+    value: "{{ item.v }}"
+    vtype: "{{ item.t }}"
+  loop:
+    - {k: password, v: "{{ pgadmin4_admin_password }}", t: password}
+    - {k: email, v: "{{ pgadmin4_admin_email }}", t: string}
+
+- name: Install pgAdmin4
+  apt:
+    # In contrast to the name, this is the general WSGI package
+    # It does not depend hard on apache2, but rather on any wsgi webserver
+    name: pgadmin4-apache2
+
+- name: Install newer version of python3-flaskext.wtf
+  apt:
+    name: python3-flaskext.wtf
+    default_release: stretch-pgdg
+  when: debian_version == "stretch"
+
+- name: Fix directory permissions
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ app_user }}"
+    recurse: true
diff --git a/uwsgi-python/tasks/apps/pretix.yml b/uwsgi-python/tasks/apps/pretix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a09a3c68f6f9c5315f265a3a9a4c7e0bd7dc58cf
--- /dev/null
+++ b/uwsgi-python/tasks/apps/pretix.yml
@@ -0,0 +1,91 @@
+---
+
+- name: ensure pretix data directory exists
+  file:
+    state: directory
+    path: "{{ app_path }}/data"
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure pretix media directory exists
+  file:
+    state: directory
+    path: "{{ app_path }}/data/media"
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure pretix logs directory exists
+  file:
+    state: directory
+    path: "{{ app_path }}/data/logs"
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure periodic tasks are executed
+  template:
+    src: apps/pretix-cronjob.j2
+    dest: "/etc/cron.d/{{ app.instance }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure plugins are installed  # noqa 403
+  pip:
+    name: "{{ pretix_plugins }}"
+    virtualenv: "{{ app_venv }}"
+    virtualenv_python: "python{{ app_python_version }}"
+    state: latest
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
+
+- name: ensure data model migrations are applied  # noqa 301
+  command: "{{app_venv}}/bin/python -m pretix {{ item }}"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  with_items:
+    - migrate
+    - updatestyles
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python -m pretix {{ item }}"
+  args:
+    chdir: "{{app_path}}"
+  with_items:
+    - rebuild
+    - compress
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
+
+- name: ensure the celery unit file exists
+  template:
+    src: apps/pretix-celery.service.j2
+    dest: "/etc/systemd/system/{{ app_name }}-celery.service"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the celery service is enabled
+  service:
+    name: "{{app_name}}-celery"
+    enabled: true
+    state: started
diff --git a/uwsgi-python/tasks/apps/printercount.yml b/uwsgi-python/tasks/apps/printercount.yml
new file mode 100644
index 0000000000000000000000000000000000000000..38128bc3247943af278a9299b6cf136cf4eae420
--- /dev/null
+++ b/uwsgi-python/tasks/apps/printercount.yml
@@ -0,0 +1,41 @@
+---
+
+- name: ensure git ignores our secret config
+  lineinfile:
+    dest: "{{app_path}}/.git/info/exclude"
+    line: "secret_config.py"
+    state: present
+  tags:
+    - printercount
+
+- name: ensure the program has access to all the logs
+  acl:
+    path: "{{printercount_log_dir}}"
+    entity: "{{app_user}}"
+    etype: user
+    permissions: r
+    state: present
+    recursive: true
+  tags:
+    - printercount
+
+- name: ensure the program will have access to all the logs
+  acl:
+    path: "{{printercount_log_dir}}"
+    entity: "{{app_user}}"
+    etype: user
+    permissions: r
+    default: true
+    state: present
+  tags:
+    - printercount
+
+- name: ensure the program may see all the logs
+  acl:
+    path: "{{printercount_log_dir}}"
+    entity: "{{app_user}}"
+    etype: user
+    permissions: rx
+    state: present
+  tags:
+    - printercount
diff --git a/uwsgi-python/tasks/apps/protokollsystem.yml b/uwsgi-python/tasks/apps/protokollsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9cf06a1aa05a4c94d1059bd7435abd2966384d87
--- /dev/null
+++ b/uwsgi-python/tasks/apps/protokollsystem.yml
@@ -0,0 +1,75 @@
+---
+# file: protokollsystem/tasks/main.yml
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: check our config  # noqa 301
+  # yamllint disable-line rule:line-length
+  command: "{{app_venv}}/bin/python {{app_path}}/configproxy.py check --log-level warning"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  changed_when: false
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python {{app_path}}/server.py db upgrade"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
+
+- name: ensure we have our local templates
+  copy:
+    src: "{{ protokolle_local_templates }}"
+    dest: "{{ app_path }}/"
+    owner: "{{ protokolle_user }}"
+    group: "{{ protokolle_group }}"
+    mode: '0644'
+  when: protokolle_local_templates|default('')|string != ''  # noqa 602
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure one local template is the default
+  file:
+    # yamllint disable-line rule:line-length
+    src: "{{ app_path }}/{{ protokolle_latex_local_templates }}/{{ protokolle_local_templates_default }}/{{ item.path }}"
+    # yamllint disable-line rule:line-length
+    dest: "{{ app_path }}/{{ protokolle_latex_local_templates }}/{{ item.path }}"
+    state: link
+  # yamllint disable-line rule:line-length
+  with_filetree: "{{ protokolle_local_templates }}/{{ protokolle_local_templates_default }}"
+  # yamllint disable-line rule:line-length
+  when: protokolle_local_templates|default(False) and protokolle_local_templates_default|default(False)
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the celery unit file exists
+  template:
+    src: apps/protokollsystem-celery.service.j2
+    dest: "/etc/systemd/system/{{ app_name }}-celery.service"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the celery service is enabled
+  service:
+    name: "{{app_name}}-celery"
+    enabled: true
+    state: started
diff --git a/uwsgi-python/tasks/apps/redeleitsystem.yml b/uwsgi-python/tasks/apps/redeleitsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..27b4f8d3166ee2ceb011548630f6602cc0d1421a
--- /dev/null
+++ b/uwsgi-python/tasks/apps/redeleitsystem.yml
@@ -0,0 +1,23 @@
+---
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python {{app_path}}/server.py db upgrade"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
diff --git a/uwsgi-python/tasks/apps/repo-sync.yml b/uwsgi-python/tasks/apps/repo-sync.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2b07d041cf0a5b5754973be6a8d088f3024b5a29
--- /dev/null
+++ b/uwsgi-python/tasks/apps/repo-sync.yml
@@ -0,0 +1,28 @@
+---
+
+- name: ensure our home directory has appropriate permissions
+  file:
+    state: directory
+    dest: "{{ app_home }}"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0700'
+
+- name: ensure we have a directory for additional ssh keys
+  file:
+    state: directory
+    dest: "{{ app_home }}/.ssh/"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0700'
+
+- name: ensure we have additional ssh keys
+  copy:
+    src: "{{ repo_sync_ssh_key }}{{ item }}"
+    dest: "{{ app_home }}/.ssh/id_ed25519{{ item }}"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0600'
+  with_items:
+    - ""
+    - ".pub"
diff --git a/uwsgi-python/tasks/apps/schilder.yml b/uwsgi-python/tasks/apps/schilder.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1159c596559ca6e8f4d06ed91e8962f92b9893b8
--- /dev/null
+++ b/uwsgi-python/tasks/apps/schilder.yml
@@ -0,0 +1,14 @@
+---
+
+# https://github.com/ansible/ansible/issues/27699
+# https://github.com/ansible/ansible/issues/30064#issuecomment-487149251
+- name: ensure we have our templates
+  git:
+    repo: "{{ schilder_templates_url }}"
+    dest: "{{ app_home }}/tex"
+    key_file: /root/.ssh/schilder
+    version: HEAD
+  environment:
+    TMPDIR: /root/.ansible/tmp
+  notify:
+    - "restart uwsgi instance {{ app.instance }}"
diff --git a/uwsgi-python/tasks/apps/shorturl.yml b/uwsgi-python/tasks/apps/shorturl.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ad4ec9514da37d419385a7dc45f345e0da5d75fe
--- /dev/null
+++ b/uwsgi-python/tasks/apps/shorturl.yml
@@ -0,0 +1,23 @@
+---
+
+# https://github.com/ansible/ansible/issues/42983
+- name: ensure there exists a .ansible folder
+  file:
+    path: "{{app_path}}/.ansible"
+    state: directory
+    owner: "{{app_user}}"
+    group: "{{app_group}}"
+
+- name: ensure data model upgrades are applied  # noqa 301
+  command: "{{app_venv}}/bin/python {{app_path}}/createdb.py"
+  args:
+    chdir: "{{app_path}}"
+  become: true
+  become_user: "{{app_user}}"
+  notify:
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the folder from above is not present anymore
+  file:
+    path: "{{app_path}}/.ansible"
+    state: absent
diff --git a/uwsgi-python/tasks/apps/wahlhelfer.yml b/uwsgi-python/tasks/apps/wahlhelfer.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5a6ad5af188cc7e2c7e2bbde38b93a8da146947f
--- /dev/null
+++ b/uwsgi-python/tasks/apps/wahlhelfer.yml
@@ -0,0 +1,15 @@
+---
+
+- name: ensure we have the linear solver
+  copy:
+    src: "apps/{{ item }}"
+    dest: "{{ app_path }}/zibopt/"
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0755'
+  with_items:
+    - scip
+    - zimpl
+  tags:
+    - wahlhelfer
+    - webservices
diff --git a/uwsgi-python/tasks/apps/wahlsystem.yml b/uwsgi-python/tasks/apps/wahlsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3f6db2e89ecdc5b0fceeffc0425a80c3c810eaff
--- /dev/null
+++ b/uwsgi-python/tasks/apps/wahlsystem.yml
@@ -0,0 +1,29 @@
+---
+
+- name: ensure we have the blogfiles folder
+  file:
+    name: "{{ app_path }}/blogfiles"
+    state: directory
+    owner: "{{ app_user }}"
+    group: "{{ app_group }}"
+    mode: '0755'
+  tags:
+    - wahlsystem
+    - webservices
+
+- name: ensure the celery unit file exists
+  template:
+    src: apps/wahlsystem-celery.service.j2
+    dest: "/etc/systemd/system/{{ app_name }}-celery.service"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+    - "restart uwsgi instance {{app.instance}}"
+
+- name: ensure the celery service is enabled
+  service:
+    name: "{{app_name}}-celery"
+    enabled: true
+    state: started
diff --git a/uwsgi-python/tasks/main.yml b/uwsgi-python/tasks/main.yml
index c4337fc17cf7f998ba8367ddc2539240323f0410..f890d8ccfd40934403f6ce8d767812857f71afd7 100644
--- a/uwsgi-python/tasks/main.yml
+++ b/uwsgi-python/tasks/main.yml
@@ -1,172 +1,43 @@
 ---
-# file: roles/uwsgi-python/tasks/main.yml
+# file: uwsgi-python/tasks/main.yml
 
-- name: ensure we have python 2
-  apt: name="{{item}}"
-  with_items:
-    - python
-    - python-dev
-    - python-virtualenv
-    - uwsgi-plugin-python
-  when: uwsgi_python == 2
-  tags:
-    - packages
-    - uwsgi-python
-
-- name: ensure we have python 3
-  apt: name="{{item}}"
-  with_items:
-    - python3
-    - python3-dev
-    - python3-virtualenv
-    - uwsgi-plugin-python3
-  when: uwsgi_python == 3
-  tags:
-    - packages
-    - uwsgi-python
-
-- name: ensure we have the necessary libraries for ldap
-  apt: name="{{item}}"
-  with_items:
-    - libsasl2-dev
-    - libssl-dev
-    - libldap2-dev
-  tags:
-    - packages
-    - uwsgi-python
-    - ldap
-
-- name: ensure we have python mysql packages
-  apt: name="{{item}}"
-  with_items:
-    - python-mysqldb
-    - python3-mysqldb
-    - default-libmysqlclient-dev
-  when: uwsgi_db == "mysql"
-  tags:
-    - packages
-    - uwsgi-python
-    - mysql
-
-- name: "get database password for mysql"
-  local_action: pass name="db/{{ansible_hostname}}-mysql" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  register: mysql_password
-  when: uwsgi_db == "mysql"
-  tags:
-    - config
-    - uwsgi-python
-    - mysql
-    - password
-
-- name: "ensure the mysql database exists"
-  mysql_db:
-    name: "{{uwsgi_name}}"
+- name: ensure uwsgi is installed
+  apt:
+    name: uwsgi
     state: present
-    login_user: root
-    login_password: "{{mysql_password.password}}"
-  when: uwsgi_db == "mysql"
   tags:
-    - config
-    - mysql
-    - uwsgi-python
-
-- name: "ensure we have a user password for mysql"
-  local_action: pass name="db/{{ansible_hostname}}-mysql-{{uwsgi_user}}" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  register: mysql_user_password
-  when: uwsgi_db == "mysql"
-  tags:
-    - config
-    - uwsgi-python
-    - mysql
-    - password
-
-- name: ensure the database user for mysql exists
-  mysql_user:
-    name: "{{uwsgi_user}}"
-    password: "{{mysql_user_password.password}}"
-    state: present
-    login_user: root
-    login_password: "{{mysql_password.password}}"
-    priv: "{{uwsgi_name}}.*:ALL"
-  when: uwsgi_db == "mysql"
-  tags:
-    - config
-    - mysql
-    - uwsgi-python
-
-- name: ensure we have a postgres database user
-  postgresql_user:
-    name: "{{uwsgi_user}}"
-    state: present
-  become: yes
-  become_user: postgres
-  when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi-python
-
-- name: ensure we have a postgres database
-  postgresql_db:
-    name: "{{uwsgi_name}}"
-    owner: "{{uwsgi_user}}"
-    state: present
-  become: yes
-  become_user: postgres
-  when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi-python
-
-- name: ensure the database user has privileges
-  postgresql_privs:
-    database: "{{uwsgi_name}}"
-    roles: "{{uwsgi_user}}"
-    privs: ALL
-    state: present
-    type: database
-  become: yes
-  become_user: postgres
-  when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi_python
-
-- name: ensure we have a group
-  group: name="{{uwsgi_group}}" system=yes state=present
-  tags:
-    - group
-    - config
-    - uwsgi-python
-
-- name: ensure we have a user
-  user: name="{{uwsgi_user}}" group="{{uwsgi_group}}" system=yes home="{{uwsgi_home}}" shell=/usr/bin/nologin createhome=no state=present
-  tags:
-    - user
-    - config
-    - uwsgi-python
+    - uwsgi
+    - webservices
 
-- name: ensure a temporary directory exists
-  lineinfile:
-    dest: "/etc/tmpfiles.d/10-{{uwsgi_name}}.conf"
-    line: "d /run/uwsgi/app/{{uwsgi_name}} 0775 {{uwsgi_user}} {{uwsgi_group}} - -"
-    create: yes
+- name: ensure we have archlinux's systemd-service file
+  template:
+    src: uwsgi@.service.j2
+    dest: /etc/systemd/system/uwsgi@.service
+    owner: root
+    group: root
+    mode: '0644'
   notify:
-    - create tmpfiles
+    - reload systemd service files
   tags:
-    - config
-    - uwsgi-python
+    - uwsgi
+    - webservices
 
-- name: ensure we have our uwsgi config file
-  template:
-    src: uwsgi.ini
-    dest: "/etc/uwsgi/apps-available/{{uwsgi_name}}.ini"
+- name: ensure the uwsgi app folder is present
+  file:
+    path: /etc/uwsgi/apps/
+    state: directory
     owner: root
     group: root
-    mode: 0644
+    mode: '0755'
+  tags:
+    - uwsgi
+    - webservices
+
+- include_tasks: app.yml
+  with_items: "{{ webapps }}"
+  loop_control:
+    loop_var: app
+    label: "{{app.app}} {{app.instance}}"
   tags:
-    - config
     - uwsgi
-    - uwsgi-python
+    - webservices
diff --git a/uwsgi-python/tasks/mysql.yml b/uwsgi-python/tasks/mysql.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d9bf5933ca26b81d882d2220f10259c125e13e00
--- /dev/null
+++ b/uwsgi-python/tasks/mysql.yml
@@ -0,0 +1,37 @@
+---
+# file: uwsgi-python/tasks/mysql.yml
+
+- name: ensure we have python mysql packages
+  apt:
+    name:
+      - python-mysqldb
+      - python3-mysqldb
+      - default-libmysqlclient-dev
+    state: present
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the mysql database exists
+  mysql_db:
+    name: "{{ app_db_name }}"
+    state: present
+    login_user: root
+    login_password: "{{ app_db_root_password }}"
+  no_log: true
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the database user for mysql exists
+  mysql_user:
+    name: "{{ app_user }}"
+    password: "{{ app_db_password }}"
+    state: present
+    login_user: root
+    login_password: "{{ app_db_root_password }}"
+    priv: "{{ app_db_name }}.*:ALL"
+  no_log: true
+  tags:
+    - uwsgi-python
+    - webservices
diff --git a/uwsgi-python/tasks/postgres.yml b/uwsgi-python/tasks/postgres.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f97b3e77b0e0ea57f83c4d95a6939817b6497c2c
--- /dev/null
+++ b/uwsgi-python/tasks/postgres.yml
@@ -0,0 +1,36 @@
+---
+# file: uwsgi-python/tasks/postgres.yml
+
+- name: ensure we have a postgres database user
+  postgresql_user:
+    name: "{{ app_user }}"
+    state: present
+  become: true
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure we have a postgres database
+  postgresql_db:
+    name: "{{ app_db_name }}"
+    owner: "{{ app_user }}"
+    state: present
+  become: true
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the database user has privileges
+  postgresql_privs:
+    database: "{{ app_db_name }}"
+    roles: "{{ app_user }}"
+    privs: ALL
+    state: present
+    type: database
+  become: true
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
diff --git a/uwsgi-python/tasks/sqlite.yml b/uwsgi-python/tasks/sqlite.yml
new file mode 100644
index 0000000000000000000000000000000000000000..28d31cb918b698a2345e912b866fcb9652d2eb15
--- /dev/null
+++ b/uwsgi-python/tasks/sqlite.yml
@@ -0,0 +1,10 @@
+---
+# file: uwsgi-python/tasks/sqlite.yml
+
+- name: ensure we have sqlite installed
+  apt:
+    name: sqlite3
+    state: present
+  tags:
+    - uwsgi-python
+    - webservices
diff --git a/uwsgi-python/templates/apps/ak-tracker.j2 b/uwsgi-python/templates/apps/ak-tracker.j2
new file mode 100644
index 0000000000000000000000000000000000000000..bae75911dc1a3760f73b16be70140a718b31d088
--- /dev/null
+++ b/uwsgi-python/templates/apps/ak-tracker.j2
@@ -0,0 +1,15 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+AD_HOST = '{{ ak_tracker_ad_host }}'
+AD_DOMAIN = '{{ ak_tracker_ad_domain }}'
+AD_USER_DN = '{{ ak_tracker_ad_user_dn }}'
+AD_GROUP_DN = '{{ ak_tracker_ad_group_dn }}'
+AD_CA_CERT = '{{ ak_tracker_ad_ca_cert }}'
+AD_AUTH_GROUP = '{{ ak_tracker_ad_auth_group }}'
+
+KIF_WIKI = '{{ ak_tracker_kif_wiki }}'
+KIF_WIKI_VERIFY = {{ ak_tracker_kif_wiki_verify }}
diff --git a/uwsgi-python/templates/apps/alumnigraph.j2 b/uwsgi-python/templates/apps/alumnigraph.j2
new file mode 100644
index 0000000000000000000000000000000000000000..31ba5f45a0a28cde24a55bfaf7a065fddebc0b48
--- /dev/null
+++ b/uwsgi-python/templates/apps/alumnigraph.j2
@@ -0,0 +1,25 @@
+from secret_config import secret_key as SECRET_KEY
+
+SQLALCHEMY_DATABASE_URI = "postgresql://{{ app_user }}:@/{{ app_db_name }}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+
+YEAR_DISTANCE = {{ alumni_graph_year_distance }}
+NOTIFICATION_WAITING_PERIOD = {{ alumni_graph_notification_waiting_period }}
+
+MAIL_FROM = "{{ alumni_graph_mail_from }}"
+MAIL_REPLY_TO = "{{ alumni_graph_mail_reply_to }}"
+
+SERVER_NAME = "{{ alumni_graph_server_name }}"
+#PREFERRED_URL_SCHEME = "https"
+
+MAIL_SERVER = "{{ alumni_graph_mail_server }}"
+MAIL_PORT = {{ alumni_graph_mail_port }}
+MAIL_USE_TLS = {{ alumni_graph_mail_tls }}
+{% if alumni_graph_mail_user is defined %}
+MAIL_USERNAME = "{{ alumni_graph_mail_user }}"
+MAIL_PASSWORD = "{{ alumni_graph_mail_pass }}"
+{% endif %}
+SEND_INVITATIONS = {{ alumni_graph_send_invitation }}
+SENTRY_URL = "{{ alumni_graph_sentry_url }}"
+BABEL_DEFAULT_LOCALE = "DE"
+
diff --git a/uwsgi-python/templates/apps/darlehen.j2 b/uwsgi-python/templates/apps/darlehen.j2
new file mode 100644
index 0000000000000000000000000000000000000000..aff8699dbc4386465cbdca7ae2fb7616e4de1562
--- /dev/null
+++ b/uwsgi-python/templates/apps/darlehen.j2
@@ -0,0 +1,26 @@
+##########
+# CONFIG #
+##########
+
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+import datetime
+REMEMBER_COOKIE_NAME = 'remember_token'
+REMEMBER_COOKIE_DURATION = datetime.timedelta(30)
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
+
+LDAP_HOST = '{{app_ldap_host}}'
+SESSION_TIMEOUT_DAYS = 31
+
+# MAIL
+MAIL_FROM = '{{ app_mail_from }}'
+MAIL_TO = ['{{ app_mail_to }}']
+MAIL_SERVER = '{{app_mail_server}}'
+MAIL_INTERVAL = 24 * 7 # in hours
diff --git a/uwsgi-python/templates/apps/etherpad-api-proxy.j2 b/uwsgi-python/templates/apps/etherpad-api-proxy.j2
new file mode 100644
index 0000000000000000000000000000000000000000..50688b07b83f8f7d3b09139ee0b97533f2ad6dc6
--- /dev/null
+++ b/uwsgi-python/templates/apps/etherpad-api-proxy.j2
@@ -0,0 +1,10 @@
+[upstream]
+url = "{{etherpad_api_proxy_upstream_url}}"
+api_key = "{{etherpad_api_proxy_upstream_api_key}}"
+
+{% for account in etherpad_api_proxy_accounts %}
+[[api_keys]]
+orga = "{{account.name}}"
+api_key = "{{account.api_key}}"
+
+{% endfor %}
diff --git a/uwsgi-python/templates/apps/gitlab-connector.j2 b/uwsgi-python/templates/apps/gitlab-connector.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6d6e05904a284f7af7d700d41b6467422366d56d
--- /dev/null
+++ b/uwsgi-python/templates/apps/gitlab-connector.j2
@@ -0,0 +1,33 @@
+from secret_config import secret_key as SECRET_KEY
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+AD_HOST = '{{ glcon_ad_host }}'
+AD_DOMAIN = '{{ glcon_ad_domain }}'
+AD_USER_DN = '{{ glcon_ad_user_dn }}'
+AD_GROUP_DN = '{{ glcon_ad_group_dn }}'
+AD_CA_CERT = '{{ glcon_ad_ca_cert }}'
+AD_AUTH_GROUP = '{{ glcon_ad_auth_group }}'
+
+BRANDING_NAME = '{{ glcon_branding_name }}'
+BRANDING_CONTACT = '{{ glcon_branding_contact }}'
+
+GITLAB_URL = '{{ glcon_gitlab_url }}'
+GITLAB_TOKEN = '{{ glcon_gitlab_token }}'
+GITLAB_AD_PROVIDER = '{{ glcon_gitlab_ad_provider }}'
+
+import gitlab
+AD_TO_GITLAB = {
+{% for ad in glcon_ad_to_gitlab %}
+    '{{ ad.name }}': [
+    {% for gl in ad.gitlab %}
+        {
+            'name': '{{ gl.name }}',
+            'is_group': {{ gl.is_group }},
+            'access_level': gitlab.{{ gl.access_level|default('developer')|upper }}_ACCESS,
+            'expires_at': {{ "'" ~ gl.expires_at ~ "'" if gl.expires_at is defined else 'None' }}
+        },
+    {% endfor %}
+    ],
+{% endfor %}
+}
diff --git a/uwsgi-python/templates/apps/gl-rt-bridge.j2 b/uwsgi-python/templates/apps/gl-rt-bridge.j2
new file mode 100644
index 0000000000000000000000000000000000000000..440d1d3e047c973c196d65c27235c602b84500a0
--- /dev/null
+++ b/uwsgi-python/templates/apps/gl-rt-bridge.j2
@@ -0,0 +1,8 @@
+---
+issue_tag: {{ gl_rt_bridge.issue_tag }}
+token: {{ (2**2048)|random }}
+rt:
+  server: {{ gl_rt_bridge.rt_server }}
+  user: {{ gl_rt_bridge.rt_user }}
+  pass: {{ gl_rt_bridge.rt_pass }}
+  cookies: {{ app_home }}
diff --git a/uwsgi-python/templates/apps/gnt-web.j2 b/uwsgi-python/templates/apps/gnt-web.j2
new file mode 100644
index 0000000000000000000000000000000000000000..b42dbd45a013eee66349724d81a56467b32bdc00
--- /dev/null
+++ b/uwsgi-python/templates/apps/gnt-web.j2
@@ -0,0 +1,12 @@
+from secret_config import secret_key as SECRET_KEY, security_key as SECURITY_KEY
+
+DEBUG = False
+
+#RAPI_ENDPOINT = "localhost"
+RAPI_ENDPOINT="{{ gnt_web_rapi_endpoint }}"
+RAPI_USER = "{{ gnt_web_rapi_user }}"
+RAPI_PASSWORD = "{{ gnt_web_rapi_password }}"
+
+SESSION_PROTECTION = "strong"
+
+ADMIN_GROUP = "{{ gnt_web_admin_group }}"
diff --git a/uwsgi-python/templates/apps/infoscreen.j2 b/uwsgi-python/templates/apps/infoscreen.j2
new file mode 100644
index 0000000000000000000000000000000000000000..094bf4e177ab04ef04614724d076452242d4a5a6
--- /dev/null
+++ b/uwsgi-python/templates/apps/infoscreen.j2
@@ -0,0 +1,34 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+import datetime
+REMEMBER_COOKIE_NAME = 'remember_token'
+REMEMBER_COOKIE_DURATION = datetime.timedelta(30)
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
+
+USER_GROUP = '{{ infoscreen_user_group }}'
+
+AD_HOST = '{{ infoscreen_ad_host }}'
+AD_DOMAIN = '{{ infoscreen_ad_domain }}'
+AD_USER_DN = '{{ infoscreen_ad_user_dn }}'
+AD_GROUP_DN = '{{ infoscreen_ad_group_dn }}'
+AD_CA_CERT = '{{ infoscreen_ad_cert }}'
+
+BRANDING_NAME = '{{ infoscreen_branding_name }}'
+BRANDING_CONTACT = '{{ infoscreen_branding_contact }}'
+
+TMP_DIR = '{{ infoscreen_tmp_dir }}'
+UPLOAD_DIR = '{{ infoscreen_upload_dir }}'
+REMOTE_UPLOAD = '{{ infoscreen_remote_upload }}'
+{% if infoscreen_remote_verify is string %}
+REMOTE_VERIFY = '{{ infoscreen_remote_verify }}'
+{% elif infoscreen_remote_verify %}
+REMOTE_VERIFY = True
+{% else %}
+REMOTE_VERIFY = False
+{% endif %}
diff --git a/uwsgi-python/templates/apps/isic.j2 b/uwsgi-python/templates/apps/isic.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e14ea599301363c8f75ad69d7a8c12463b42ff5a
--- /dev/null
+++ b/uwsgi-python/templates/apps/isic.j2
@@ -0,0 +1,28 @@
+from secret_config import secret_key as SECRET_KEY
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+import datetime
+REMEMBER_COOKIE_NAME = 'remember_token'
+REMEMBER_COOKIE_DURATION = datetime.timedelta(30)
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
+
+AD_HOST = '{{ isic_ad_host }}'
+AD_DOMAIN = '{{ isic_ad_domain }}'
+AD_USER_DN = '{{ isic_ad_user_dn }}'
+AD_GROUP_DN = '{{ isic_ad_group_dn }}'
+AD_CA_CERT = '{{ isic_ad_ca_cert }}'
+AD_AUTH_GROUP = '{{ isic_ad_auth_group }}'
+{% if isic_allowed_networks %}
+ALLOWED_NETWORKS = ['{{ isic_allowed_networks|join("', '") }}']
+{% else %}
+ALLOWED_NETWORKS = []
+{% endif %}
+
+import socket
+USE_EXTERNAL_COMMAND = {{ isic_use_external_command }}
+PRINTER_HOST = socket.gethostbyname('{{ isic_printer_host }}')
+PRINTER_PORT = {{ isic_printer_port }}
diff --git a/uwsgi-python/templates/apps/lehrpreis.j2 b/uwsgi-python/templates/apps/lehrpreis.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d4f8a805975dc475a416a92b51044fa63b00fc44
--- /dev/null
+++ b/uwsgi-python/templates/apps/lehrpreis.j2
@@ -0,0 +1,39 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+DEBUG = False
+PORT = 5001
+SESSION_COOKIE_SECURE = True
+
+import datetime
+REMEMBER_COOKIE_NAME = 'remember_token'
+REMEMBER_COOKIE_DURATION = datetime.timedelta(30)
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
+
+BABEL_DEFAULT_LOCALE = '{{ lehrpreis_default_locale }}'
+BABEL_DEFAULT_TIMEZONE = '{{ lehrpreis_default_timezone }}'
+
+USER_GROUP = '{{ lehrpreis_auth_group }}'
+
+AD_HOST = '{{ lehrpreis_ad_host }}'
+AD_DOMAIN = '{{ lehrpreis_ad_domain }}'
+AD_USER_DN = '{{ lehrpreis_ad_user_dn }}'
+AD_GROUP_DN = '{{ lehrpreis_ad_group_dn }}'
+AD_CA_CERT = '{{ lehrpreis_ad_cert }}'
+
+BRANDING_APP_NAME = {'de': '{{ lehrpreis_branding_app_name_de }}',
+	'en': '{{ lehrpreis_branding_app_name_en }}'}
+BRANDING_APP_URL = '{{ lehrpreis_branding_app_url }}'
+BRANDING_ORG_NAME = '{{ lehrpreis_branding_org_name }}'
+BRANDING_CONTACT = '{{ lehrpreis_branding_contact }}'
+BRANDING_LOGO = '{{ lehrpreis_branding_logo }}'
+BRANDING_INFORMATION = {'de': '''{{ lehrpreis_branding_information_de }}''',
+	'en': '''{{ lehrpreis_branding_information_en }}'''}
+
+MAIL_ENABLED = {{ lehrpreis_mail_enabled }}
+MAIL_ADDRESS = '{{ lehrpreis_mail_address }}'
+MAIL_HOST = '{{ lehrpreis_mail_host }}'
+MAIL_LOCALE = '{{ lehrpreis_mail_locale }}'
+
diff --git a/uwsgi-python/templates/apps/lipclms.j2 b/uwsgi-python/templates/apps/lipclms.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1c0b61d44d6ad8191820caea550d83e4658664e9
--- /dev/null
+++ b/uwsgi-python/templates/apps/lipclms.j2
@@ -0,0 +1,13 @@
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+MAILMAN_API_URL = '{{ lipclms_mailman_api_url }}'
+MAILMAN_API_KEY = '{{ lipclms_mailman_api_key }}'
+PRINTING_ACTIVE = {{ lipclms_printing_active }}
+
+DEBUG = False
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+SESSION_COOKIE_SECURE = True
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
diff --git a/uwsgi-python/templates/apps/mail-api-sudoers.j2 b/uwsgi-python/templates/apps/mail-api-sudoers.j2
new file mode 100644
index 0000000000000000000000000000000000000000..14e84ae7b16127fc6e8a3dbc7f9ac6dc0f5c34fb
--- /dev/null
+++ b/uwsgi-python/templates/apps/mail-api-sudoers.j2
@@ -0,0 +1 @@
+{{app_user}} ALL=NOPASSWD: {{app_path}}/create-maildir.py
diff --git a/uwsgi-python/templates/apps/mail-api.j2 b/uwsgi-python/templates/apps/mail-api.j2
new file mode 100644
index 0000000000000000000000000000000000000000..b6d8fb2d54b6c8f98eef3bf3ab1e5f95c294d954
--- /dev/null
+++ b/uwsgi-python/templates/apps/mail-api.j2
@@ -0,0 +1,30 @@
+AUTH_GROUP = '{{ mail_api_auth_group }}'
+AD_HOST = '{{ mail_api_ad_host }}'
+AD_DOMAIN = '{{ mail_api_domain }}'
+AD_USER_DN = '{{ mail_api_user_dn }}'
+AD_GROUP_DN = '{{ mail_api_group_dn }}'
+AD_CA_CERT = '{{ mail_api_ca_cert }}'
+
+MAILDIRS = '{{ mail_api_maildirs }}'
+APPEND_PATH = '{{ mail_api_append_path }}'
+PERMISSIONS = int(0o{{ mail_api_permissions }})
+SUB_MAILDIRS = [
+{% for sdir in mail_api_sub_maildirs %}
+    '{{ sdir }}',
+{% endfor %}
+]
+
+SMTP_TEMPLATE = '{{ mail_api_smtp_template }}'
+SMTP_SUBJECT = '{{ mail_api_smtp_subject }}'
+SMTP_DOMAIN = '{{ mail_api_smtp_domain }}'
+SMTP_REPLY_TO = '{{ mail_api_smtp_reply_to }}'
+SMTP_NOTIFY_TEMPLATE = '{{ mail_api_smtp_notify_template }}'
+SMTP_NOTIFY_SUBJECT = '{{ mail_api_smtp_notify_subject }}'
+SMTP_NOTIFY_MAIL = '{{ mail_api_smtp_notify_mail }}'
+SMTP_ENCRYPTION = '{{ mail_api_smtp_encryption }}' # 'starttls', 'ssl', 'none'
+SMTP_HOST = '{{ mail_api_smtp_host }}'
+SMTP_PORT = '{{ mail_api_smtp_port }}'
+SMTP_AUTH = {{ mail_api_smtp_auth }}
+ONBOARDING_ORGANIZATION = '{{ mail_api_onboarding_organization }}'
+ONBOARDING_WIKI = '{{ mail_api_onboarding_wiki }}'
+ONBOARDING_WIKI_HOWTO = '{{ mail_api_onboarding_wiki_howto }}'
diff --git a/uwsgi-python/templates/apps/meckerkasten.j2 b/uwsgi-python/templates/apps/meckerkasten.j2
new file mode 100644
index 0000000000000000000000000000000000000000..991cdfc331520ec82ff0957a669cbab1f2e3424d
--- /dev/null
+++ b/uwsgi-python/templates/apps/meckerkasten.j2
@@ -0,0 +1,12 @@
+from secret_config import secret_key as SECRET_KEY
+
+SESSION_COOKIE_SECURE = False
+
+MAIL_SERVER = "{{meckerkasten_mail_host}}"
+MAIL_DEFAULT_SENDER = "{{meckerkasten_sender}}"
+
+TOPICS = {
+    {% for question, mail in meckerkasten_topics.items() %}
+        "{{question}}": "{{mail}}",
+    {% endfor %}
+}
diff --git a/uwsgi-python/templates/apps/mm2-api-sudoers.j2 b/uwsgi-python/templates/apps/mm2-api-sudoers.j2
new file mode 100644
index 0000000000000000000000000000000000000000..21613335202d4142a4654e2ab577a33f661ba572
--- /dev/null
+++ b/uwsgi-python/templates/apps/mm2-api-sudoers.j2
@@ -0,0 +1,5 @@
+{{app_user}} ALL=NOPASSWD: /var/lib/mailman/bin/list_lists
+{{app_user}} ALL=NOPASSWD: /var/lib/mailman/bin/list_members
+{{app_user}} ALL=NOPASSWD: /var/lib/mailman/bin/add_members
+{{app_user}} ALL=NOPASSWD: /var/lib/mailman/bin/remove_members
+{{app_user}} ALL=NOPASSWD: /var/lib/mailman/bin/find_member
diff --git a/uwsgi-python/templates/apps/mm2-api.j2 b/uwsgi-python/templates/apps/mm2-api.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a4c39f62aff4ac9e1896b8baa497e383c06801f8
--- /dev/null
+++ b/uwsgi-python/templates/apps/mm2-api.j2
@@ -0,0 +1,6 @@
+AUTH_GROUP = '{{mm2_api_auth_group}}'
+AD_HOST = '{{mm2_api_ad_host}}'
+AD_DOMAIN = '{{mm2_api_domain}}'
+AD_USER_DN = '{{mm2_api_user_dn}}'
+AD_GROUP_DN = '{{mm2_api_group_dn}}'
+AD_CA_CERT = '{{mm2_api_ca_cert}}'
diff --git a/uwsgi-python/templates/apps/netbox-ldap.py.j2 b/uwsgi-python/templates/apps/netbox-ldap.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ec891e3be69865da7b471ae8056bbb1b8bd4185f
--- /dev/null
+++ b/uwsgi-python/templates/apps/netbox-ldap.py.j2
@@ -0,0 +1,61 @@
+import ldap
+from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType
+
+# Server URI
+AUTH_LDAP_SERVER_URI = "{{netbox_ldap.uri}}"
+
+# The following may be needed if you are binding to Active Directory.
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0
+}
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = "{{netbox_ldap.binddn}}"
+AUTH_LDAP_BIND_PASSWORD = "{{netbox_ldap.bindpw}}"
+
+# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
+# Note that this is a NetBox-specific setting which sets:
+#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+LDAP_IGNORE_CERT_ERRORS = False
+
+# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
+# username is not in their DN (Active Directory).
+AUTH_LDAP_USER_SEARCH = LDAPSearch("{{netbox_ldap.user_base}}",
+                                    ldap.SCOPE_SUBTREE,
+                                    "(sAMAccountName=%(user)s)")
+
+# If a user's DN is producible from their username, we don't need to search.
+AUTH_LDAP_USER_DN_TEMPLATE = "cn=%(user)s,{{netbox_ldap.user_base}}"
+
+# You can map user attributes to Django attributes as so.
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail"
+}
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# hierarchy.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch("{{netbox_ldap.group_base}}", ldap.SCOPE_SUBTREE,
+                                    "(objectClass=group)")
+AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
+
+# Define a group required to login.
+AUTH_LDAP_REQUIRE_GROUP = "{{netbox_ldap.login_group}}"
+
+# Mirror LDAP group assignments.
+AUTH_LDAP_MIRROR_GROUPS = True
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_active": "{{netbox_ldap.group_flags.is_active}}",
+    "is_staff": "{{netbox_ldap.group_flags.is_staff}}",
+    "is_superuser": "{{netbox_ldap.group_flags.is_superuser}}"
+}
+
+# For more granular permissions, we can map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# Cache groups for one hour to reduce LDAP traffic
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
diff --git a/uwsgi-python/templates/apps/netbox-rqworker.service.j2 b/uwsgi-python/templates/apps/netbox-rqworker.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..9cf00677ddc20f1276905b4b5c742f78e7130741
--- /dev/null
+++ b/uwsgi-python/templates/apps/netbox-rqworker.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description={{ app_name }}-rqworker
+After=network.target
+
+[Service]
+User={{ app_user }}
+Group={{ app_group }}
+WorkingDirectory={{ app_chdir }}
+Environment="VIRTUAL_ENV={{ app_venv }}"
+Environment="PATH={{ app_venv }}/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart={{ app_venv }}/bin/python manage.py rqworker
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/uwsgi-python/templates/apps/netbox.j2 b/uwsgi-python/templates/apps/netbox.j2
new file mode 100644
index 0000000000000000000000000000000000000000..68b23b57c0c27e5322643b96c18f012046861469
--- /dev/null
+++ b/uwsgi-python/templates/apps/netbox.j2
@@ -0,0 +1,178 @@
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = ['{{ netbox_host }}']
+
+# PostgreSQL database configuration.
+DATABASE = {
+    'NAME': 'netbox',         # Database name
+    'USER': '',               # PostgreSQL username
+    'PASSWORD': '',           # PostgreSQL password
+    'HOST': '',               # Database server
+    'PORT': '',               # Database port (leave blank for default)
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY
+from .secret_config import secret_key as SECRET_KEY
+
+# Redis database settings. The Redis database is used for caching and background processing such as webhooks
+REDIS = {
+    'HOST': 'localhost',
+    'PORT': 6379,
+    'PASSWORD': '',
+    'DATABASE': 0,
+    'CACHE_DATABASE': 1,
+    'DEFAULT_TIMEOUT': 300,
+    'SSL': False,
+}
+
+
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    {% for a in netbox_admins %}
+    [ "{{ a[0] }}", "{{ a[1] }}" ],
+    {% endfor %}
+]
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
+CACHE_TIMEOUT = 900
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+    'SERVER': '{{ netbox_mail.server }}',
+    'PORT': 25,
+    'USERNAME': '',
+    'PASSWORD': '',
+    'TIMEOUT': 10,  # seconds
+    'FROM_EMAIL': '{{ netbox_mail.from }}',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+]
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/1.11/topics/logging/
+LOGGING = {}
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+LOGIN_REQUIRED = True
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = True
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = '{{ netbox_tz }}'
+
+# The webhooks backend is disabled by default. Set this to True to enable it. Note that this requires a Redis
+# database be configured and accessible by NetBox.
+WEBHOOKS_ENABLED = False
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
diff --git a/uwsgi-python/templates/apps/nfs-api-sudoers.j2 b/uwsgi-python/templates/apps/nfs-api-sudoers.j2
new file mode 100644
index 0000000000000000000000000000000000000000..13266702d9ded85f5f735272fdf4ac3a1f701387
--- /dev/null
+++ b/uwsgi-python/templates/apps/nfs-api-sudoers.j2
@@ -0,0 +1,4 @@
+{{app_user}} ALL=NOPASSWD: {{app_path}}/create-homedir.py
+{% if nfs_api_quota == 'xfs' %}
+{{app_user}} ALL=NOPASSWD: /usr/sbin/xfs_quota
+{% endif %}
diff --git a/uwsgi-python/templates/apps/nfs-api.j2 b/uwsgi-python/templates/apps/nfs-api.j2
new file mode 100644
index 0000000000000000000000000000000000000000..917fa5a3351c48681ea9c04ddd0bd47f0ef2f25a
--- /dev/null
+++ b/uwsgi-python/templates/apps/nfs-api.j2
@@ -0,0 +1,10 @@
+HOMEDIRS = '{{nfs_api_homedirs}}'
+AUTH_GROUP = '{{nfs_api_auth_group}}'
+AD_HOST = '{{nfs_api_ad_host}}'
+AD_DOMAIN = '{{nfs_api_domain}}'
+AD_USER_DN = '{{nfs_api_user_dn}}'
+AD_GROUP_DN = '{{nfs_api_group_dn}}'
+AD_CA_CERT = '{{nfs_api_ca_cert}}'
+QUOTA = {{ 'False' if not nfs_api_quota else "'" ~ nfs_api_quota ~ "'" }}
+QUOTA_SOFT = '{{nfs_api_quota_soft}}'
+QUOTA_HARD = '{{nfs_api_quota_hard}}'
diff --git a/uwsgi-python/templates/apps/pretix-celery.service.j2 b/uwsgi-python/templates/apps/pretix-celery.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c13ea4a440b7f057fc40f338ebbabc066c85b4d9
--- /dev/null
+++ b/uwsgi-python/templates/apps/pretix-celery.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description={{ app_name }}-Celery
+After=network.target
+
+[Service]
+User={{ app_user }}
+Group={{ app_group }}
+WorkingDirectory={{ app_path }}
+Environment="VIRTUAL_ENV={{ app_venv }}"
+Environment="PATH={{ app_venv }}/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart={{ app_venv }}/bin/celery -A pretix.celery_app worker -l info
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/uwsgi-python/templates/apps/pretix-cronjob.j2 b/uwsgi-python/templates/apps/pretix-cronjob.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e54e87b17a88b17174176ab9b7ff144dc73fabdd
--- /dev/null
+++ b/uwsgi-python/templates/apps/pretix-cronjob.j2
@@ -0,0 +1,3 @@
+HOME="{{ app_home }}"
+PATH="{{ app_venv }}/bin:/usr/local/bin:/usr/bin:/bin"
+15,45 * * * * {{ app_user }} cd {{ app_path }} && python -m pretix runperiodic
diff --git a/uwsgi-python/templates/apps/pretix.j2 b/uwsgi-python/templates/apps/pretix.j2
new file mode 100644
index 0000000000000000000000000000000000000000..204384bc0ff8eb4fd59e64ac8c66e8e05f692a35
--- /dev/null
+++ b/uwsgi-python/templates/apps/pretix.j2
@@ -0,0 +1,86 @@
+[pretix]
+instance_name={{ pretix_instance_name }}
+url={{ pretix_external_url }}
+cookie_domain={{ pretix_cookie_domain }}
+currency={{ pretix_currency }}
+datadir={{ app_path }}/data
+plugins_default={{ pretix_plugins_default }}
+plugins_exclude={{ pretix_plugins_exclude }}
+registration={{ pretix_registration }}
+password_reset={{ pretix_password_reset }}
+long_sessions={{ pretix_long_sessions }}
+ecb_rates={{ pretix_ecb_rates }}
+audit_comments={{ pretix_audit_comments }}
+loglevel={{ pretix_loglevel }}
+
+{% if pretix_ldap %}
+auth_backends=pretix_ldap.LDAPAuthBackend
+{% endif %}
+
+[database]
+backend=postgresql
+name={{ app_db_name }}
+user={{ app_user }}
+
+[mail]
+from={{ pretix_mail_from }}
+host={{ pretix_mail_host }}
+port={{ pretix_mail_port }}
+user={{ pretix_mail_user }}
+password={{ pretix_mail_password }}
+tls={{ pretix_mail_tls }}
+ssl={{ pretix_mail_ssl and not pretix_mail_tls }}
+admins={{ pretix_mail_admins }}
+
+[redis]
+location={{ pretix_redis }}
+sessions={{ pretix_redis_sessions }}
+
+[celery]
+backend={{ pretix_celery_backend }}
+broker={{ pretix_celery_broker }}
+
+[locale]
+default={{ pretix_locale_default }}
+timezone={{ pretix_locale_timezone }}
+
+[urls]
+media={{ pretix_urls_media }}
+static={{ pretix_urls_static }}
+
+[django]
+secret={{ (2**2048)|random }}
+debug=off
+
+[metrics]
+enabled={{ pretix_metrics }}
+user={{ pretix_metrics_user }}
+passphrase={{ pretix_metrics_password }}
+
+{% if pretix_memcached %}
+[memcached]
+location={{ pretix_memcached }}
+{% endif %}
+
+{% if pretix_sentry_dsn %}
+[sentry]
+dsn={{ pretix_sentry_dsn }}
+{% endif %}
+
+{% if pretix_tools_pdftk %}
+[tools]
+pdftk={{ pretix_tools_pdftk }}
+{% endif %}
+{% if pretix_ldap %}
+[ldap]
+bind_url={{ pretix_ldap_bind_url }}
+bind_dn={{ pretix_ldap_bind_dn }}
+bind_password={{ pretix_ldap_password }}
+search_base={{ pretix_ldap_search_base }}
+search_filter={{ pretix_ldap_search_filter }}
+{% endif %}
+
+[entropy]
+order_code={{ pretix_entropy_order_code }}
+ticket_secret={{ pretix_entropy_ticket_secret }}
+voucher_code={{ pretix_entropy_voucher_code }}
diff --git a/uwsgi-python/templates/apps/printercount.j2 b/uwsgi-python/templates/apps/printercount.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cb06fbf62b881b448d9d0fcd0da762da59d1d6ff
--- /dev/null
+++ b/uwsgi-python/templates/apps/printercount.j2
@@ -0,0 +1,8 @@
+DEBUG = False
+
+TIMEZONE = "{{printercount_timezone}}"
+DATE_FORMAT = "{{printercount_date_format}}"
+
+PRINTER_LOG_DIR = "{{printercount_log_dir}}"
+
+from secret_config import secret_key as SECRET_KEY
diff --git a/uwsgi-python/templates/apps/protokollsystem-celery.service.j2 b/uwsgi-python/templates/apps/protokollsystem-celery.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ad5b30878559674d0b0526c705870ddfa7c58b9c
--- /dev/null
+++ b/uwsgi-python/templates/apps/protokollsystem-celery.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description={{ app_name }}-Celery
+After=network.target
+
+[Service]
+User={{ app_user }}
+Group={{ app_group }}
+WorkingDirectory={{ app_path }}
+Environment=VIRTUAL_ENV="{{ app_path }}"
+ExecStart={{ app_path }}/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{ protokolle_celery_concurrency }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/uwsgi-python/templates/apps/protokollsystem.j2 b/uwsgi-python/templates/apps/protokollsystem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2255bbe87317d9a4e1f34b7b80c7f8fc9a4bb272
--- /dev/null
+++ b/uwsgi-python/templates/apps/protokollsystem.j2
@@ -0,0 +1,248 @@
+SQLALCHEMY_DATABASE_URI = "postgresql://{{app_user}}:@/{{app_name}}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+
+from secret_config import secret_key as SECRET_KEY, security_key as SECURITY_KEY
+
+DEBUG = False
+
+MAIL_ACTIVE = {{ protokolle_mail }}
+MAIL_FROM = "{{ protokolle_mail_from }}"
+MAIL_HOST = "{{ protokolle_mail_host }}"
+MAIL_USER = "{{ protokolle_mail_user }}"
+MAIL_PASSWORD = "{{ protokolle_mail_password }}"
+{% if protokolle_mail_tls == 'tls' %}
+MAIL_USE_TLS = True
+MAIL_USE_STARTTLS = False
+{% elif protokolle_mail_tls == 'starttls' %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = True
+{% else %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = False
+{% endif %}
+
+CELERY_BROKER_URL = "{{ protokolle_celery_broker }}"
+CELERY_TASK_SERIALIZER = "pickle"
+CELERY_ACCEPT_CONTENT = ["pickle"]
+
+{% if protokolle_sentry_dsn is defined %}
+SENTRY_DSN = "{{protokolle_sentry_dsn}}"
+{% endif %}
+
+SERVER_NAME = "{{ protokolle_url_root }}"
+PREFERRED_URL_SCHEME = "{{ protokolle_url_proto }}"
+URL_ROOT = "{{ protokolle_url_root }}"
+URL_PROTO = "{{ protokolle_url_proto }}"
+URL_PATH = "{{ protokolle_url_path }}"
+URL_PARAMS = ""
+
+{% if cdn_url is defined %}
+CDN_URL = "{{cdn_url}}"
+{% endif %}
+PERMITTED_METADATA_DOMAINS = {{protokolle_metadata_domain_whitelist|default([])}}
+
+PRINTING_ACTIVE = {{ protokolle_printing }}
+PRINTING_SERVER = "{{ protokolle_printing_server }}"
+PRINTING_USER = "{{ protokolle_printing_user }}"
+PRINTING_PRINTERS = {
+{% for p in protokolle_printing_printers %}
+	"{{ p.printer }}": [
+{% for o in p.options %}
+		"{{ o }}",
+{% endfor %}
+	],
+{% endfor %}
+}
+
+ETHERPAD_ACTIVE = {{ protokolle_etherpad }}
+ETHERPAD_URL = "{{ protokolle_etherpad_url }}"
+ETHERPAD_API_URL = "{{ protokolle_etherpad_api_url }}"
+ETHERPAD_APIKEY = "{{ protokolle_etherpad_apikey }}"
+EMPTY_ETHERPAD = """Welcome to Etherpad!
+
+This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
+
+Get involved with Etherpad at https://etherpad.org
+
+"""
+
+WIKI_ACTIVE = {{ protokolle_wiki }}
+WIKI_TYPE = "{{ protokolle_wiki_type }}"
+WIKI_API_URL = "{{ protokolle_wiki_api }}"
+WIKI_ANONYMOUS = {{ protokolle_wiki_anonymous }}
+WIKI_USER = "{{ protokolle_wiki_user }}"
+WIKI_PASSWORD = "{{ protokolle_wiki_password }}"
+WIKI_DOMAIN = "{{ protokolle_wiki_domain }}"
+
+CALENDAR_ACTIVE = {{ protokolle_calendar }}
+CALENDAR_URL = "{{ protokolle_calendar_url }}"
+CALENDAR_DEFAULT_DURATION = 3
+CALENDAR_MAX_REQUESTS = 10
+CALENDAR_TIMEZONE_MAP = {
+    "CET": "Europe/Berlin",
+    "CEST": "Europe/Berlin",
+}
+
+SESSION_PROTECTION = "strong"
+
+from common.auth import LdapManager, ADManager
+AUTH_MAX_DURATION = {{ protokolle_auth_max_duration }}
+AUTH_BACKENDS = [
+{% for auth in protokolle_auth_backends %}
+    {{ auth.type }}(
+        {% if auth.host is defined %}
+        host="{{ auth.host }}",
+        {% elif auth.hosts is defined %}
+        host=(
+        {% for host in auth.hosts %}
+        "{{host}}",
+        {% endfor %}
+        )
+        {% endif %}
+        domain="{{ auth.domain }}",
+        user_dn="{{ auth.user_dn }}",
+        group_dn="{{ auth.group_dn }}",
+        ca_cert="{{ auth.ca_cert }}"),
+{% endfor %}
+]
+
+OBSOLETION_WARNING = "{{ protokolle_auth_obsoletion_warning }}"
+
+ERROR_CONTEXT_LINES = 3
+
+PAGE_LENGTH = 20
+PAGE_DIFF = 3
+
+MAX_INDEX_DAYS = 14
+MAX_PAST_INDEX_DAYS = 2
+MAX_PAST_INDEX_DAYS_BEFORE_REMINDER = 14
+
+HTML_LEVEL_OFFSET = 3
+
+ADMIN_MAIL = "{{ protokolle_admin_mail }}"
+ADMIN_GROUP = "{{ protokolle_admin_group }}"
+
+PARSER_LAZY = False
+
+FUZZY_MIN_SCORE = 90
+
+{#
+FONTS = {
+    "main": {
+        "extension": ".otf",
+        "path": "/usr/share/fonts/OTF/",
+        "regular": "NimbusSans-Regular",
+        "bold": "NimbusSans-Bold",
+        "italic": "NimbusSans-Oblique",
+        "bolditalic": "NimbusSans-BoldOblique"
+    },
+    "roman": {
+        "extension": ".otf",
+        "path": "/usr/share/fonts/OTF/",
+        "regular": "NimbusRoman-Regular",
+        "bold": "NimbusRoman-Bold",
+        "italic": "NimbusRoman-Italic",
+        "bolditalic": "NimbusRoman-BoldItalic"
+    },
+    "sans": {
+        "extension": ".otf",
+        "path": "/usr/share/fonts/OTF/",
+        "regular": "NimbusSans-Regular",
+        "bold": "NimbusSans-Bold",
+        "italic": "NimbusSans-Oblique",
+        "bolditalic": "NimbusSans-BoldOblique"
+    },
+    "mono": {
+        "extension": ".otf",
+        "path": "/usr/share/fonts/OTF/",
+        "regular": "NimbusMonoPS-Regular",
+        "bold": "NimbusMonoPS-Bold",
+        "italic": "NimbusMonoPS-Italic",
+        "bolditalic": "NimbusMonoPS-BoldItalic"
+    }
+}
+#}
+
+FONTS = {
+    "main": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n019003l",
+        "bold": "n019004l",
+        "italic": "n019023l",
+        "bolditalic": "n019024l"
+    },
+    "roman": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n021003l",
+        "bold": "n021004l",
+        "italic": "n021023l",
+        "bolditalic": "n021024l"
+    },
+    "sans": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n019003l",
+        "bold": "n019004l",
+        "italic": "n019023l",
+        "bolditalic": "n019024l"
+    },
+    "mono": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n022003l",
+        "bold": "n022004l",
+        "italic": "n022023l",
+        "bolditalic": "n022024l"
+    }
+}
+
+DOCUMENTS_PATH = "documents"
+
+PRIVATE_KEYWORDS = ["private", "internal", "privat", "intern"]
+
+LATEX_BULLETPOINTS = [
+    r"\textbullet",
+    r"\normalfont \bfseries \textendash",
+    r"$\circ$",
+    r"\textperiodcentered"
+]
+
+{% if protokolle_latex_local_templates %}
+LATEX_LOCAL_TEMPLATES = "{{ protokolle_latex_local_templates }}"
+{% endif %}
+{% if protokolle_latex_logo_template %}
+LATEX_LOGO_TEMPLATE = "{{ protokolle_latex_logo_template }}"
+{% endif %}
+{% if protokolle_latex_geometry %}
+LATEX_GEOMETRY = "{{ protokolle_latex_geometry }}"
+{% endif %}
+{% if protokolle_latex_pagestyle %}
+LATEX_PAGESTYLE = "{{ protokolle_latex_pagestyle }}"
+{% endif %}
+{% if protokolle_latex_packages %}
+LATEX_ADDITIONAL_PACKAGES = ["{{ protokolle_latex_packages|join('", "') }}"]
+{% endif %}
+{% if protokolle_latex_header_footer %}
+LATEX_HEADER_FOOTER = True
+{% elif protokolle_latex_header_footer == False %}
+LATEX_HEADER_FOOTER = False
+{% endif %}
+
+LATEX_TEMPLATES = {
+{% for logo in protokolle_logos %}
+    "{{ logo.id }}": {
+        "name": "{{ logo.name }}",
+        "logo": "{{ logo.tex }}",
+    },
+{% endfor %}
+}
+
+#def dummy_todomail_provider():
+#    return {"example": ("Name", "mail@example.com")}
+#
+#ADDITIONAL_TODOMAIL_PROVIDERS = [
+#    dummy_todomail_provider
+#]
+
diff --git a/uwsgi-python/templates/apps/redeleitsystem.j2 b/uwsgi-python/templates/apps/redeleitsystem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..99d9a7b4298d00cdf49b07894301b94bd6b5ae0f
--- /dev/null
+++ b/uwsgi-python/templates/apps/redeleitsystem.j2
@@ -0,0 +1,12 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = "postgresql://{{ app_user }}:@/{{ app_db_name }}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+DEBUG = False
+UPDATE_INDEX_INTERVAL = {{ redeleitsystem_update_index }}
+UPDATE_TIME_INTERVAL = {{ redeleitsystem_update_time }}
+
+SESSION_COOKIE_SECURE = True
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
diff --git a/uwsgi-python/templates/apps/repo-sync.j2 b/uwsgi-python/templates/apps/repo-sync.j2
new file mode 100644
index 0000000000000000000000000000000000000000..526749bfae0b4b594a21539ac05a5fab56facb31
--- /dev/null
+++ b/uwsgi-python/templates/apps/repo-sync.j2
@@ -0,0 +1,12 @@
+DEBUG = False
+WORKERS = {{ repo_sync_workers }}
+REPOS = {
+{% for repo in repo_sync_repos %}
+    '{{ repo.source }}': '{{ repo.dest }}',
+{% endfor %}
+}
+ALLOWED_SECRETS = {
+{% for repo in repo_sync_repos %}
+    '{{ repo.source }}': '{{ repo.secret }}',
+{% endfor %}
+}
diff --git a/schildergenerator/templates/config.py b/uwsgi-python/templates/apps/schilder.j2
similarity index 88%
rename from schildergenerator/templates/config.py
rename to uwsgi-python/templates/apps/schilder.j2
index a237a96312123f0511512fa1104beccf6a9c0b6a..0952fa5ee905d1da91c0971da263ea1e0eb5144a 100644
--- a/schildergenerator/templates/config.py
+++ b/uwsgi-python/templates/apps/schilder.j2
@@ -3,12 +3,13 @@
 # Secret key (used for session cookie encryption). Needs to be set to some random string.
 # Yes, just smash your keyboard for some random characters. No, don't publish them anywhere.
 # Yes, you will need this. If you get random RuntimeErrors, you did not set this.
-app_secret = '{{range(10**15, 10**16)|random}}'
+
+from secret_config import secret_key as app_secret
 
 ## You will need to use absolute paths!
 
 # Base directory. You need to set this again in schilder.wsgi if you use WSGI.
-basedir = '{{schilder_web_root}}/program'
+basedir = '{{ app_path }}'
 
 # Temp directory for imagemagick/pdflatex work files (needs to be writeable)
 tmpdir = '/tmp'
@@ -22,7 +23,7 @@ datadir = basedir + '/data'
 templatedir = basedir + '/templates'
 
 # TeX template directory
-textemplatedir = '{{schilder_web_root}}/tex'
+textemplatedir = '{{ app_home }}/tex'
 
 # TeX support file directory (all files that might be needed by a tex template)
 texsupportdir = textemplatedir + '/support'
@@ -48,15 +49,15 @@ allowed_extensions = set(['png', 'jpg', 'jpeg', 'gif', 'svg'])
 # CUPS printer names
 printers = { 
   {% for printer in schilder_printers %}
-    '{{printer.description}}': '{{printer.name}}',
+    '{{ printer.description }}': '{{ printer.name }}',
   {% endfor %}
 }
-printserver = '{{schilder_printsrv}}'
+printserver = '{{ schilder_printsrv }}'
 
 # additional lpr options. Use an empty list if not needed.
 lproptions = [
 {% for option in schilder_lproptions %}
-    '{{option}}',
+    '{{ option }}',
 {% endfor %}
 ]
 
diff --git a/uwsgi-python/templates/apps/shorturl.j2 b/uwsgi-python/templates/apps/shorturl.j2
new file mode 100644
index 0000000000000000000000000000000000000000..77b9b2f1b399402f3eccb229cbc3acaae2e561af
--- /dev/null
+++ b/uwsgi-python/templates/apps/shorturl.j2
@@ -0,0 +1,40 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'postgresql://{{ app_user }}:@/{{ app_db_name }}'
+DEFAULT_REDIRECT = '{{ shorturl_default_redirect }}'
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+import datetime
+REMEMBER_COOKIE_NAME = 'remember_token'
+REMEMBER_COOKIE_DURATION = datetime.timedelta(30)
+REMEMBER_COOKIE_DOMAIN = None
+REMEMBER_COOKIE_PATH = '/'
+REMEMBER_COOKIE_SECURE = True
+REMEMBER_COOKIE_HTTPONLY = True
+
+ADMIN_GROUP = '{{ shorturl_admin_group }}'
+USER_GROUP = '{{ shorturl_user_group }}'
+
+AD_HOST = '{{ shorturl_ad_host }}'
+AD_DOMAIN = '{{ shorturl_ad_domain }}'
+AD_USER_DN = '{{ shorturl_ad_user_dn }}'
+AD_GROUP_DN = '{{ shorturl_ad_group_dn }}'
+AD_CA_CERT = '{{ shorturl_ad_cert }}'
+
+SOURCE_FORBIDDEN = {{ shorturl_source_forbidden|string }}
+SOURCE_REGEX = r'{{ shorturl_source_regex }}'
+TARGET_REGEX = r'{{ shorturl_target_regex }}'
+
+BRANDING_NAME = '{{ shorturl_branding_name }}'
+BRANDING_DOMAIN = '{{ shorturl_branding_domain }}'
+BRANDING_DOMAIN_REGEX = '{{ shorturl_branding_domain_regex }}'
+BRANDING_CONTACT = '{{ shorturl_branding_contact }}'
+
+MAIL_SUBJECT = '{{ shorturl_mail_subject }}'
+MAIL_DOMAIN = '{{ shorturl_mail_domain }}'
+MAIL_ADMIN = '{{ shorturl_mail_admin }}'
+MAIL_HOST = '{{ shorturl_mail_host }}'
+
+{% if cdn_url is defined %}
+CDN_URL = '{{cdn_url}}'
+{% endif %}
diff --git a/uwsgi-python/templates/apps/sso.j2 b/uwsgi-python/templates/apps/sso.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3734fdb8f19aae6fdf557826f55842a52503ce91
--- /dev/null
+++ b/uwsgi-python/templates/apps/sso.j2
@@ -0,0 +1,25 @@
+DEBUG = False
+
+from common.auth import LdapManager, ADManager
+
+{% if sso_auth_use_ad %}
+AUTH_MANAGER = ADManager(
+    host="{{ sso_auth_host }}",
+    domain="{{ sso_auth_domain }}",
+    user_dn="{{ sso_auth_user_dn }}",
+    group_dn="{{ sso_auth_group_dn }}",
+    ca_cert="{{ sso_auth_ca_cert }}")
+{% else %}
+AUTH_MANAGER = LdapManager(
+    host="{{ sso_auth_host }}",
+    user_dn="{{ sso_auth_user_dn }}",
+    group_dn="{{ sso_auth_group_dn }}")
+{% endif %}
+
+SESSION_COOKIE_DOMAIN = "{{ sso_domain }}"
+SESSION_COOKIE_NAME = "SSO-{}-SESSION".format(SESSION_COOKIE_DOMAIN.split(".")[0].upper())
+SESSION_COOKIE_HTTPONLY = True
+SESSION_REFRESH_EACH_REQUEST = True
+SESSION_COOKIE_SECURE = True
+
+from secret_config import secret_key as SECRET_KEY
diff --git a/uwsgi-python/templates/apps/vampir-mitglieder.j2 b/uwsgi-python/templates/apps/vampir-mitglieder.j2
new file mode 100644
index 0000000000000000000000000000000000000000..93855ba5c64af1f80c3f91cf26b920f5b4f24b95
--- /dev/null
+++ b/uwsgi-python/templates/apps/vampir-mitglieder.j2
@@ -0,0 +1,8 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = 'mysql://{{ app_user }}:{{ app_db_password }}@/{{ app_db_name }}'
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+DEBUG = False
+SESSION_COOKIE_SECURE = True
+
+BRANDING_TITLE = "{{ app_branding_title }}"
+BRANDING_DESCRIPTION = """{{ app_branding_description }}"""
diff --git a/wahlhelfer/templates/settings.py b/uwsgi-python/templates/apps/wahlhelfer.j2
similarity index 84%
rename from wahlhelfer/templates/settings.py
rename to uwsgi-python/templates/apps/wahlhelfer.j2
index 4bbd12cac44c4561ea19d024cca9a1b3d993b175..25be5877dccd240ed584bcf7cbd7147ef8a12c72 100644
--- a/wahlhelfer/templates/settings.py
+++ b/uwsgi-python/templates/apps/wahlhelfer.j2
@@ -4,28 +4,29 @@ DEBUG = True
 
 ADMINS = (
     {% for name, address in wahlhelfer_admins %}
-    ('{{name}}', '{{address}}'),
+    ('{{ name }}', '{{ address }}'),
     {% endfor %}
 )
-
-SERVER_EMAIL = "{{wahlhelfer_sender}}"
-EMAIL_HOST = "{{wahlhelfer_mail_host}}"
-EMAIL_HOST_USER = "{{wahlhelfer_mail_user|default('')}}"
-EMAIL_HOST_PASSWORD = "{{wahlhelfer_mail_password|default('')}}"
-
 MANAGERS = ADMINS
 
+SERVER_EMAIL = "{{ wahlhelfer_sender }}"
+EMAIL_HOST = "{{ wahlhelfer_mail_host }}"
+EMAIL_HOST_USER = "{{ wahlhelfer_mail_user|default('') }}"
+EMAIL_HOST_PASSWORD = "{{ wahlhelfer_mail_password|default('') }}"
+EMAIL_PORT = {{ wahlhelfer_mail_port|default('25') }}
+DEFAUL_FROM_EMAIL = "{{ wahlhelfer_sender }}"
+
 LOGIN_URL = '/'
 LOGIN_REDIRECT_URL = '/'
 
 DATABASES = {
     'default': {
-        'ENGINE': 'django.db.backends.mysql', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
-        'NAME': '{{wahlhelfer_name}}',                      # Or path to database file if using sqlite3.
-        'USER': '{{wahlhelfer_user}}',                      # Not used with sqlite3.
-        'PASSWORD': '{{mysql_user_password.password}}',                  # Not used with sqlite3.
-        'HOST': '',                      # Set to empty string for localhost. Not used with sqlite3.
-        'PORT': '',                      # Set to empty string for default. Not used with sqlite3.
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': '{{ app_db_name }}',
+        'USER': '{{ app_user }}',
+        'PASSWORD': "{{ app_db_password }}",
+        'HOST': '',
+        'PORT': '',
     }
 }
 
@@ -33,7 +34,7 @@ DATABASES = {
 # See https://docs.djangoproject.com/en/1.4/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = [
 {% for host in wahlhelfer_allowed_hosts %}
-    "{{host}}"
+    "{{ host }}"
 {% endfor %}
 ]
 
@@ -95,7 +96,9 @@ STATICFILES_FINDERS = (
 )
 
 # Make this unique, and don't share it with anybody.
-SECRET_KEY = '{{(2**2048)|random}}'
+import sys
+sys.path.append('..')
+from secret_config import secret_key as SECRET_KEY
 
 TEMPLATES = [
     {
diff --git a/uwsgi-python/templates/apps/wahlsystem-celery.service.j2 b/uwsgi-python/templates/apps/wahlsystem-celery.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ef365d22ac9bca7d806307e76cad6633dc5d1f12
--- /dev/null
+++ b/uwsgi-python/templates/apps/wahlsystem-celery.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description={{ app_name }}-Celery
+After=network.target
+
+[Service]
+User={{ app_user }}
+Group={{ app_group }}
+WorkingDirectory={{ app_path }}
+Environment=VIRTUAL_ENV="{{ app_path }}"
+ExecStart={{ app_path }}/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{ wahl_celery_concurrency }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/uwsgi-python/templates/apps/wahlsystem.j2 b/uwsgi-python/templates/apps/wahlsystem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ef7a7685152533b854864d705c56d2f816fdec00
--- /dev/null
+++ b/uwsgi-python/templates/apps/wahlsystem.j2
@@ -0,0 +1,34 @@
+from secret_config import secret_key as SECRET_KEY
+SQLALCHEMY_DATABASE_URI = "postgresql://{{ app_user }}:@/{{ app_name }}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+DEBUG = False
+MAIL_ACTIVE = {{ wahl_mail }}
+MAIL_FROM = "{{ wahl_mail_from }}"
+MAIL_HOST = "{{ wahl_mail_host }}"
+MAIL_USER = "{{ wahl_mail_user }}"
+MAIL_PASSWORD = "{{ wahl_mail_password }}"
+{% if wahl_mail_tls == 'tls' %}
+MAIL_USE_TLS = True
+MAIL_USE_STARTTLS = False
+{% elif wahl_mail_tls == 'starttls' %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = True
+{% else %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = False
+{% endif %}
+MAIL_PREFIX = "{{ wahl_mail_prefix }}"
+CELERY_BROKER_URL = "{{ wahl_celery_broker }}"
+CELERY_TASK_SERIALIZER = "pickle"
+CELERY_ACCEPT_CONTENT = ["pickle"]
+SERVER_NAME = "{{ wahl_server_name }}"
+PREFERRED_URL_SCHEME = "{{ wahl_url_proto }}"
+URL_ROOT = "{{ wahl_url_root }}"
+URL_PROTO = "{{ wahl_url_proto }}"
+URL_PATH = "{{ wahl_url_path }}"
+URL_PARAMS = ""
+MAILMAN_ACTIVE = {{ wahl_mailman_active }}
+MAILMAN_API_URL = "{{ wahl_mailman_api_url }}"
+MAILMAN_API_KEY = "{{ wahl_mailman_api_key }}"
+MAILMAN_DEFAULT_NEW_PASSWORD = "{{ wahl_mailman_default_newpw }}"
+MAILMAN_HOST = "{{ wahl_mailman_host }}"
diff --git a/uwsgi-python/templates/secret_config.py.j2 b/uwsgi-python/templates/secret_config.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..20aae5bcc4ce7a5239bab38edb767a6ce3aae911
--- /dev/null
+++ b/uwsgi-python/templates/secret_config.py.j2
@@ -0,0 +1,6 @@
+secret_key = '{{ (2**2048)|random }}'
+{% if app_secret_config_keys is defined %}
+{% for key in app_secret_config_keys %}
+{{key}} = '{{ (2**2048)|random }}'
+{% endfor %}
+{% endif %}
diff --git a/uwsgi-python/templates/tmpfiles.conf.j2 b/uwsgi-python/templates/tmpfiles.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..378ee5b8823d61ad5f92f028030b20ee71362e7f
--- /dev/null
+++ b/uwsgi-python/templates/tmpfiles.conf.j2
@@ -0,0 +1 @@
+d /run/uwsgi/{{app.instance}} 0775 {{app_user}} {{app_group}} - -
diff --git a/uwsgi-python/templates/uwsgi.ini b/uwsgi-python/templates/uwsgi.ini
deleted file mode 100644
index d3927f204a1bdc660a3274fc10d29519fad5d1e5..0000000000000000000000000000000000000000
--- a/uwsgi-python/templates/uwsgi.ini
+++ /dev/null
@@ -1,44 +0,0 @@
-[uwsgi]
-uwsgi-socket = /run/uwsgi/app/{{uwsgi_name}}/{{uwsgi_name}}.sock
-#http = localhost:5000
-chmod-socket = 660
-chown-socket = {{uwsgi_user}}:www-data
-autoload =
-master =
-processes = 4
-workers = 4
-prio = -5
-harakiri = 5
-{% for mule in range(uwsgi_mules) %}
-mule = 
-{% endfor %}
-#umask = 227
-chdir = {{uwsgi_path}}
-uid = {{uwsgi_user}}
-gid = {{uwsgi_group}}
-logto = /var/log/uwsgi/{{uwsgi_name}}.log
-logfile-chown = {{uwsgi_user}}:{{uwsgi_group}}
-logfile-chmod = 664
-log-date =
-log-4xx = 
-log-5xx = 
-log-x-forwarded-for =
-{% if uwsgi_python == 2 %}
-plugin = python27
-{% elif uwsgi_python == 3 %}
-{% if debian_version == "jessie" %}
-plugin = python34
-{% elif debian_version == "stretch" %}
-plugin = python35
-{% else %}
-plugin = {{protokolle_python_plugin|mandatory}}{# or add new debian versions here #}
-{% endif %}
-{% else %}
-plugin = {{protokolle_python_plugin|mandatory}}{# or add new python versions here #}
-{% endif %}
-virtualenv = {{uwsgi_path}}
-wsgi-file = {{uwsgi_path}}/{{uwsgi_program}}
-callable = {{uwsgi_callable}}
-pyargv = {{uwsgi_program}} {{uwsgi_command}}
-manage-script-name =
-mount=/={{uwsgi_path}}/{{uwsgi_program}}
diff --git a/uwsgi-python/templates/uwsgi.ini.j2 b/uwsgi-python/templates/uwsgi.ini.j2
new file mode 100644
index 0000000000000000000000000000000000000000..8686c8dd95f47bee9b1d7752986d04e95066288d
--- /dev/null
+++ b/uwsgi-python/templates/uwsgi.ini.j2
@@ -0,0 +1,76 @@
+[uwsgi]
+uwsgi-socket = /run/uwsgi/{{app.instance}}/{{app.instance}}.sock
+#http = localhost:5000
+chmod-socket = 660
+chown-socket = {{app_user}}:www-data
+autoload =
+master =
+workers = {{ app_workers|default(4) }}
+prio = -5
+harakiri = {{app_harakiri|default(30)}}
+buffer-size=32768
+
+cheaper = 1
+cheaper-algo = spare
+cheaper-overload = 1
+cheaper-initial = 1
+cheaper-step = 1
+
+{% if app_enable_threads|default(false) %}
+enable-threads = 
+single-interpreter = true
+{% endif %}
+{% for option in app_uwsgi_options|default([]) %}
+{{option}}{% if "=" not in option %} ={% endif %}
+
+{% endfor %}
+{% for env in app_service_env %}
+env = {{ env }}
+
+{% endfor %}
+
+{% for mule in range(app_mules|default(0)) %}
+mule = 
+{% endfor %}
+#umask = 227
+chdir = {{app_chdir}}
+uid = {{app_user}}
+gid = {{app_group}}
+log-date =
+log-4xx = 
+log-5xx = 
+log-x-forwarded-for =
+{% if app_lang == "python" %}
+{% if app_python_version == 2 %}
+plugin = python27
+{% elif app_python_version == 3 %}
+{% if debian_version == "stretch" %}
+plugin = python35
+{% elif debian_version == "buster" %}
+plugin = python37
+{% endif %}
+{% endif %}
+{% if app_venv != '' %}
+virtualenv = {{app_venv}}
+{% endif %}
+{% if app_module is defined and app_module != '' %}
+{% if app_mountpoint != '/' and app_mountpoint != '' %}
+mount={{app_mountpoint}}={{app_module}}
+{% else %}
+module = {{ app_module }}
+{% endif %}
+{% else %}
+wsgi-file = {{app_path}}/{{app_program}}
+callable = {{app_callable}}
+pyargv = {{app_program}} {{app_command}}
+mount={{app_mountpoint}}={{app_path}}/{{app_program}}
+{% endif %}
+{% elif app_lang == "ruby" %}
+plugin = rack_ruby{{app_ruby_version|replace(".", "")}}
+rack = {{app_rack}}
+{% if app_gemfile is defined and app_gemfile != '' %}
+env = BUNDLE_GEMFILE={{app_gemfile}}
+rbrequire = bundler/setup
+{% endif %}
+{% endif %}
+manage-script-name =
diff --git a/uwsgi-python/templates/uwsgi@.service.j2 b/uwsgi-python/templates/uwsgi@.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7602659616daa182c90861e991c24d59354b15d5
--- /dev/null
+++ b/uwsgi-python/templates/uwsgi@.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=uWSGI service unit
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps/%i.ini
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -INT $MAINPID
+Restart=always
+Type=notify
+StandardError=syslog
+NotifyAccess=all
+KillSignal=SIGQUIT
+SuccessExitStatus=15 17 29 30
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+{% if uwsgi_protect_home %}
+ProtectHome=yes
+{% endif %}
+{% if uwsgi_lock_privileges %}
+NoNewPrivileges=yes
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/uwsgi-python/vars/ak-tracker.yml b/uwsgi-python/vars/ak-tracker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b07e6cde57f79bbd5000599aa362bf1e6fe5a821
--- /dev/null
+++ b/uwsgi-python/vars/ak-tracker.yml
@@ -0,0 +1,27 @@
+---
+
+app_name: 'ak-tracker'
+app_python_version: 3
+app_program: 'tracker.py'
+app_callable: 'app'
+app_command: ''
+
+app_db_name: 'tracker'
+app_db_type: 'postgres'
+
+app_git_url: 'git@git.fsmpi.rwth-aachen.de:redl/ak-tracker.git'
+app_git_version: 'HEAD'
+
+app_requirements_file: 'requirements.txt'
+app_config_file: 'config.py'
+app_secret_config: true
+
+ak_tracker_ad_host: 'ad.example.com'
+ak_tracker_ad_domain: 'EXAMPLE'
+ak_tracker_ad_user_dn: 'cn=users,dc=example,dc=com'
+ak_tracker_ad_group_dn: 'cn=users,dc=example,dc=com'
+ak_tracker_ad_ca_cert: ''
+ak_tracker_ad_auth_group: 'users'
+
+ak_tracker_kif_wiki: 'https://kif.fsinf.de/'
+ak_tracker_kif_wiki_verify: true
diff --git a/uwsgi-python/vars/alumnigraph.yml b/uwsgi-python/vars/alumnigraph.yml
new file mode 100644
index 0000000000000000000000000000000000000000..330e5135978929b062082e12ca384e9c18ffefec
--- /dev/null
+++ b/uwsgi-python/vars/alumnigraph.yml
@@ -0,0 +1,49 @@
+---
+
+app_name: "alumnigraph"
+app_user: "alumnigraph"
+app_group: "alumnigraph"
+app_home: "/var/www/alumnigraph"
+app_path: "/var/www/alumnigraph"
+app_python_version: 3
+app_venv: "/var/www/alumnigraph/venv/"
+app_program: "server.py"
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: 'alumnigraph'
+app_db_type: postgres
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/alumnigraph"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:vampir/alumnigraph.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+alumni_graph_year_distance: 5
+alumni_graph_notification_waiting_period: 21
+alumni_graph_mail_from: "Sender <sender@example.org>"
+alumni_graph_mail_reply_to: "Reply-To <reply-to@example.org>"
+
+alumni_graph_server_name: "alumni.example.com"
+
+alumni_graph_mail_server: "mail.examle.com"
+alumni_graph_mail_port: 25
+alumni_graph_mail_tls: false
+alumni_graph_send_invitation: true
+
+alumni_graph_sentry_url: ""
+
+# Do not define if there is no authentication needed
+# alumni_graph_mail_user: None
+# alumni_graph_mail_pass: None
diff --git a/uwsgi-python/vars/darlehen.yml b/uwsgi-python/vars/darlehen.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ae101127daf7037bdfe310f59e77447cd7dc3aac
--- /dev/null
+++ b/uwsgi-python/vars/darlehen.yml
@@ -0,0 +1,34 @@
+---
+
+app_name: "darlehen"
+app_user: "{{ app.app }}"
+app_group: "{{ app.app }}"
+app_home: "/var/www/{{ app.app }}"
+app_path: "/var/www/{{ app.app }}"
+app_chdir: "{{ app_path }}"
+app_lang: python
+
+# Python specifics
+app_python_version: 3
+app_venv: "/var/www/{{ app.app }}/venv/"
+app_module: 'app:create_app()'
+
+app_mountpoint: /
+
+app_db_name: 'darlehen'
+app_db_type: 'postgres'
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/{{ app.app }}"
+app_git_url: "git@git.stud.rwth-aachen.de:finanzen/darlehensverwaltung.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+app_mail_to: "finanzen@asta.rwth-aachen.de"
+app_mail_from: "admin@asta.rwth-aachen.de"
+app_mail_server: "mail.asta.rwth-aachen.de"
+
+app_ldap_host: "ldaps://ad.asta.rwth-aachen.de:636"
diff --git a/uwsgi-python/vars/default.yml b/uwsgi-python/vars/default.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6b834dc888ad237c04da89e45d740a3586462fd8
--- /dev/null
+++ b/uwsgi-python/vars/default.yml
@@ -0,0 +1,45 @@
+---
+
+app_name: "{{ app.app }}"
+app_user: "{{ app.app }}"
+app_group: "{{ app.app }}"
+app_home: "/var/www/{{ app.app }}"
+app_path: "/var/www/{{ app.app }}"
+app_chdir: "{{ app_path }}"
+app_lang: python
+
+# Python specifics
+app_python_version: 3
+app_venv: "/var/www/{{ app.app }}/venv/"
+app_program: "{{ app.app }}.py"
+app_callable: app
+app_command: ""
+app_module: ''
+
+# Ruby specifics
+app_ruby_version: "2.5"
+app_rack: "{{ app_path }}/config.ru"
+app_gemfile: "{{ app_path }}/Gemfile"
+
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_workers: 4
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/{{ app.app }}"
+app_git_url: ""
+app_git_version: HEAD
+app_git_pip: false
+app_git_pip_query: ''
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
diff --git a/uwsgi-python/vars/etherpad-api-proxy.yml b/uwsgi-python/vars/etherpad-api-proxy.yml
new file mode 100644
index 0000000000000000000000000000000000000000..feb8a9710ddf778237881cbdd7f6b384ae04e8f7
--- /dev/null
+++ b/uwsgi-python/vars/etherpad-api-proxy.yml
@@ -0,0 +1,30 @@
+---
+
+app_name: etherpad-api-proxy
+app_user: etherpad-api-proxy
+app_group: etherpad-api-proxy
+app_home: /var/www/etherpad-api-proxy
+app_path: /var/www/etherpad-api-proxy
+app_python_version: 3
+app_venv: /var/www/etherpad-api-proxy/venv/
+app_program: proxy.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: ''
+app_git_url: 'https://git.fsmpi.rwth-aachen.de/infra/etherpad-api-proxy.git'
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: 'config.toml'
+app_secret_config: false
diff --git a/uwsgi-python/vars/gitlab-connector.yml b/uwsgi-python/vars/gitlab-connector.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a1df130b611185474b1d257383858be3e2cec793
--- /dev/null
+++ b/uwsgi-python/vars/gitlab-connector.yml
@@ -0,0 +1,37 @@
+---
+
+app_name: 'gitlab-connector'
+app_python_version: 3
+app_program: 'connector.py'
+app_callable: 'app'
+app_command: ''
+
+app_git_url: 'git@git.fsmpi.rwth-aachen.de:infra/gitlab-connector.git'
+app_git_version: 'HEAD'
+
+app_requirements_file: 'requirements.txt'
+app_config_file: 'config.py'
+app_secret_config: true
+
+glcon_ad_host: 'ad.example.com'
+glcon_ad_domain: 'EXAMPLE'
+glcon_ad_user_dn: 'cn=users,dc=example,dc=com'
+glcon_ad_group_dn: 'cn=users,dc=example,dc=com'
+glcon_ad_ca_cert: ''
+glcon_ad_auth_group: 'users'
+
+glcon_branding_name: 'Example Org'
+glcon_branding_contact: 'it@example.com'
+
+glcon_gitlab_url: 'https://git.example.com/'
+glcon_gitlab_token: ''
+glcon_gitlab_ad_provider: 'ldapmain'
+
+glcon_ad_to_gitlab:
+  - name: 'users'
+    gitlab:
+      - name: 'ad-users'
+        is_group: true
+        access_level: 'developer'
+      - name: 'secret/project'
+        is_group: false
diff --git a/uwsgi-python/vars/gl-rt-bridge.yml b/uwsgi-python/vars/gl-rt-bridge.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b964097faeb5f47439d0934cc80bd9393de456ac
--- /dev/null
+++ b/uwsgi-python/vars/gl-rt-bridge.yml
@@ -0,0 +1,15 @@
+---
+app_git_url: 'https://git.fsmpi.rwth-aachen.de/thomas/gl-rt-bridge'
+app_git_version: 0939cc7562473dcb63969f69e627b05ee49bcebf
+app_config_file: config.yml
+app_lang: ruby
+app_secret_config: false
+app_deploy_key: ""
+app_additional_software:
+  - ruby-dev
+
+gl_rt_bridge:
+  issue_tag: RT
+  rt_server: 'https://rt.example.com/'
+  rt_user: rtuser
+  rt_pass: hunter2
diff --git a/uwsgi-python/vars/gnt-web.yml b/uwsgi-python/vars/gnt-web.yml
new file mode 100644
index 0000000000000000000000000000000000000000..abd65ba3db7cc24193404493a6c32b1d21692790
--- /dev/null
+++ b/uwsgi-python/vars/gnt-web.yml
@@ -0,0 +1,41 @@
+---
+
+app_name: gnt-web
+app_user: gnt-web
+app_group: gnt-web
+app_home: /var/www/gnt-web
+app_path: /var/www/gnt-web
+app_python_version: 3
+app_venv: /var/www/gnt-web
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_harakiri: 20
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software:
+  - libcurl4-openssl-dev
+  - libssl-dev
+  - libldap2-dev
+  - libsasl2-dev
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/gnt-web"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/gnt-web.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: ["security_key"]
+
+gnt_web_rapi_endpoint: cloud.example.com
+gnt_web_rapi_user: ''
+gnt_web_rapi_password: ''
+gnt_web_admin_group: admin
diff --git a/uwsgi-python/vars/infoscreen.yml b/uwsgi-python/vars/infoscreen.yml
new file mode 100644
index 0000000000000000000000000000000000000000..15bbed94f3b34f9d945661c9b015628de8e8ce12
--- /dev/null
+++ b/uwsgi-python/vars/infoscreen.yml
@@ -0,0 +1,47 @@
+---
+
+app_name: infoscreen
+app_user: infoscreen
+app_group: infoscreen
+app_home: /var/www/infoscreen
+app_path: /var/www/infoscreen
+app_python_version: 3
+app_venv: /var/www/infoscreen/venv
+app_program: infoscreen.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: infoscreen
+app_db_type: postgres
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/infoscreen"
+app_git_url: "git@git.stud.rwth-aachen.de:infra/infoscreen.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+infoscreen_user_group: users
+
+infoscreen_ad_host: 'ad.example.com'
+infoscreen_ad_domain: 'EXAMPLE'
+infoscreen_ad_user_dn: "cn=users,dc=example,dc=com"
+infoscreen_ad_group_dn: "cn=users,dc=example,dc=com"
+infoscreen_ad_cert: "/etc/ssl/certs/example_cacert.pem"
+
+infoscreen_branding_name: 'Example'
+infoscreen_branding_contact: 'contact@example.com'
+
+infoscreen_tmp_dir: '/var/www/infoscreen/tmp'
+infoscreen_upload_dir: '/var/www/infoscreen/uploads'
+infoscreen_remote_verify: false
+infoscreen_remote_upload: 'http://infoscreen/upload/'
diff --git a/uwsgi-python/vars/isic.yml b/uwsgi-python/vars/isic.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6551eb8542d3b4dbd2a327c181697753f85f2fc4
--- /dev/null
+++ b/uwsgi-python/vars/isic.yml
@@ -0,0 +1,41 @@
+---
+
+app_name: isic
+app_user: isic
+app_group: isic
+app_home: /var/www/asta-isic
+app_path: /var/www/asta-isic
+app_python_version: 3
+app_venv: /var/www/asta-isic/venv/
+app_program: isic.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: ['netcat-openbsd']
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/isic"
+app_git_url: "git@git.stud.rwth-aachen.de:infra/isic.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+isic_ad_host: 'ad.example.com'
+isic_ad_domain: 'EXAMPLE'
+isic_ad_user_dn: 'cn=users,dc=example,dc=com'
+isic_ad_group_dn: 'cn=users,dc=example,dc=com'
+isic_ad_ca_cert: ''
+isic_ad_auth_group: 'users'
+isic_use_external_command: false
+isic_printer_host: '10.10.72.2'
+isic_printer_port: 9100
diff --git a/uwsgi-python/vars/lehrpreis.yml b/uwsgi-python/vars/lehrpreis.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a0a40216a273fe3fc5f1ec7ba78eab3f10cccd6b
--- /dev/null
+++ b/uwsgi-python/vars/lehrpreis.yml
@@ -0,0 +1,56 @@
+---
+
+app_name: lehrpreis
+app_user: lehrpreis
+app_group: lehrpreis
+app_home: /var/www/lehrpreis
+app_path: /var/www/lehrpreis
+app_python_version: 3
+app_venv: /var/www/lehrpreis/venv/
+app_program: lehrpreis.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: lehrpreis
+app_db_type: postgres
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/lehrpreis"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:studi-systeme/lehrpreis.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+lehrpreis_default_locale: en
+lehrpreis_default_timezone: Europe/Berlin
+lehrpreis_auth_group: users
+
+lehrpreis_ad_host: ad.example.com
+lehrpreis_ad_domain: EXAMPLE
+lehrpreis_ad_user_dn: 'cn=users,dc=example,dc=com'
+lehrpreis_ad_group_dn: 'cn=users,dc=example,dc=com'
+lehrpreis_ad_cert: ''
+
+lehrpreis_branding_app_name_de: 'Lehrpreis WebApp'
+lehrpreis_branding_app_name_en: 'Teaching Award WebApp'
+lehrpreis_branding_app_url: 'https://example.com'
+lehrpreis_branding_org_name: 'Example Org'
+lehrpreis_branding_contact: 'committee@example.com'
+lehrpreis_branding_logo: ''
+lehrpreis_branding_logo_src: ''
+lehrpreis_branding_information_de: ''
+lehrpreis_branding_information_en: ''
+
+lehrpreis_mail_enabled: true
+lehrpreis_mail_address: 'committee@example.com'
+lehrpreis_mail_host: mail.example.com
+lehrpreis_mail_locale: en
diff --git a/uwsgi-python/vars/lipclms.yml b/uwsgi-python/vars/lipclms.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e95cf4b519738c786f990a2633633c43b114c497
--- /dev/null
+++ b/uwsgi-python/vars/lipclms.yml
@@ -0,0 +1,35 @@
+---
+
+app_name: lipclms
+app_user: lipclms
+app_group: lipclms
+app_home: /var/www/lipclms
+app_path: /var/www/lipclms
+app_python_version: 3
+app_venv: /var/www/lipclms/venv/
+app_program: lipclms.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /anmeldung
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: 'lipclms'
+app_db_type: 'postgres'
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/lipclms"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:osak/lipclms.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+lipclms_mailman_api_url: 'https://lists.example.com/api/'
+lipclms_mailman_api_key: ''
+lipclms_printing_active: false
diff --git a/uwsgi-python/vars/mail-api.yml b/uwsgi-python/vars/mail-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bdf46130b3cd5c38c9e7fbcf9956de1d18995433
--- /dev/null
+++ b/uwsgi-python/vars/mail-api.yml
@@ -0,0 +1,59 @@
+---
+
+app_name: mail-api
+app_user: mailapi
+app_group: mailapi
+app_home: /var/www/mail-api
+app_path: /var/www/mail-api
+app_python_version: 3
+app_venv: /var/www/mail-api/venv
+app_program: mailapi.py
+app_callable: app
+app_command: ""
+app_mountpoint: /api
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: ['close-on-exec']
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/mail-api"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/user-scripts.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements-mail.txt
+app_config_file: config.py
+app_secret_config: false
+app_secret_config_keys: []
+
+mail_api_auth_group: "Domain Admins"
+mail_api_ad_host: "auth.example.com"
+mail_api_domain: "EXAMPLE"
+mail_api_user_dn: "cn=users,dc=example,dc=com"
+mail_api_group_dn: "cn=users,dc=example,dc=com"
+mail_api_ca_cert: ""
+
+mail_api_maildirs: "/maildirs"
+mail_api_append_path: "Maildir"
+mail_api_permissions: '0700'
+mail_api_sub_maildirs:
+  - 'public'
+  - 'public/.Test'
+mail_api_smtp_template: 'welcome.txt.j2'
+mail_api_smtp_subject: 'Your New Account'
+mail_api_smtp_domain: 'example.com'
+mail_api_smtp_reply_to: 'ticket@example.com'
+mail_api_smtp_notify_template: 'notify.txt.j2'
+mail_api_smtp_notify_subject: 'New Account created: {username}'
+mail_api_smtp_notify_mail: 'admin@example.com'
+mail_api_smtp_encryption: 'starttls'
+mail_api_smtp_host: 'mail.example.com'
+mail_api_smtp_port: 587
+mail_api_smtp_auth: true
+mail_api_onboarding_organization: 'EXAMPLE'
+mail_api_onboarding_wiki: 'https://wiki.example.com/'
+mail_api_onboarding_wiki_howto: 'https://wiki.example.com/infra:onboarding'
diff --git a/uwsgi-python/vars/meckerkasten.yml b/uwsgi-python/vars/meckerkasten.yml
new file mode 100644
index 0000000000000000000000000000000000000000..94da1806201e9be1715847b0139a3281a075b7e5
--- /dev/null
+++ b/uwsgi-python/vars/meckerkasten.yml
@@ -0,0 +1,36 @@
+---
+
+app_name: meckerkasten
+app_user: meckerkasten
+app_group: meckerkasten
+app_home: /var/www/meckerkasten
+app_path: /var/www/meckerkasten
+app_python_version: 3
+app_venv: /var/www/meckerkasten/venv
+app_program: meckerkasten.py
+app_callable: app
+app_command: ""
+app_mountpoint: /meckerkasten
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/meckerkasten"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:studi-systeme/meckerkasten.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+app_additional_software: []
+
+meckerkasten_sender: 'meckerkasten@example.com'
+meckerkasten_mail_host: 'mail.example.invalid'
+meckerkasten_mail_user: ''
+meckerkasten_mail_password: ''
+meckerkasten_mail_port: '25'
+
+meckerkasten_topics:
+  "Frage?": mail@example.com
diff --git a/uwsgi-python/vars/mm2-api.yml b/uwsgi-python/vars/mm2-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0b953481fd4e8e87d6438c837b551bc738732c80
--- /dev/null
+++ b/uwsgi-python/vars/mm2-api.yml
@@ -0,0 +1,38 @@
+---
+
+app_name: mm2-api
+app_user: mm2api
+app_group: mm2api
+app_home: /var/www/mm2-api
+app_path: /var/www/mm2-api
+app_python_version: 3
+app_venv: /var/www/mm2-api/venv
+app_program: mm2api.py
+app_callable: app
+app_command: ""
+app_mountpoint: /api
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: ['close-on-exec']
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/mm2-api"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/user-scripts.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements-mm2.txt
+app_config_file: config.py
+app_secret_config: false
+app_secret_config_keys: []
+
+mm2_api_auth_group: "Domain Admins"
+mm2_api_ad_host: "auth.example.com"
+mm2_api_domain: "EXAMPLE"
+mm2_api_user_dn: "cn=users,dc=example,dc=com"
+mm2_api_group_dn: "cn=users,dc=example,dc=com"
+mm2_api_ca_cert: ""
diff --git a/uwsgi-python/vars/netbox.yml b/uwsgi-python/vars/netbox.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bd6ba44651fa18213f1534dd1dc2dc53a1525958
--- /dev/null
+++ b/uwsgi-python/vars/netbox.yml
@@ -0,0 +1,29 @@
+---
+app_db_name: netbox
+app_db_type: postgres
+app_git_url: 'https://github.com/netbox-community/netbox.git'
+app_git_version: 'v2.6.7'
+app_config_file: netbox/netbox/configuration.py
+app_chdir: "{{ app_path }}/netbox"
+app_module: netbox.wsgi:application
+app_secret_config: true
+app_deploy_key: ""
+
+netbox_admins:
+  - ['Admin', 'admin@example.com']
+netbox_mail:
+  server: localhost
+  from: netbox@example.com
+netbox_host: netbox.example.com
+netbox_tz: UTC
+netbox_ldap:
+  uri: ldaps://dc.example.com
+  binddn: "CN=NETBOXSA, OU=Service Accounts,DC=example,DC=com"
+  bindpw: hunter2
+  user_base: "OU=Users,DC=example,DC=com"
+  group_base: "OU=Groups,DC=example,DC=com"
+  login_group: "CN=Netbox Users,OU=Groups,DC=example,DC=com"
+  group_flags:
+    is_active: "cn=active,ou=groups,dc=example,dc=com"
+    is_staff: "cn=staff,ou=groups,dc=example,dc=com"
+    is_superuser: "cn=superuser,ou=groups,dc=example,dc=com"
diff --git a/uwsgi-python/vars/nfs-api.yml b/uwsgi-python/vars/nfs-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..48a40f2c9b281184d83ed68467aafb78cbf28e2a
--- /dev/null
+++ b/uwsgi-python/vars/nfs-api.yml
@@ -0,0 +1,42 @@
+---
+
+app_name: nfs-api
+app_user: nfsapi
+app_group: nfsapi
+app_home: /var/www/nfs-api
+app_path: /var/www/nfs-api
+app_python_version: 3
+app_venv: /var/www/nfs-api/venv
+app_program: nfsapi.py
+app_callable: app
+app_command: ""
+app_mountpoint: /api
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: ['close-on-exec']
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/nfs-api"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/user-scripts.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements-nfs.txt
+app_config_file: config.py
+app_secret_config: false
+app_secret_config_keys: []
+
+nfs_api_homedirs: "/home"
+nfs_api_auth_group: "Domain Admins"
+nfs_api_ad_host: "auth.example.com"
+nfs_api_domain: "EXAMPLE"
+nfs_api_user_dn: "cn=users,dc=example,dc=com"
+nfs_api_group_dn: "cn=users,dc=example,dc=com"
+nfs_api_ca_cert: ""
+nfs_api_quota: false
+nfs_api_quota_soft: '45g'
+nfs_api_quota_hard: '50g'
diff --git a/uwsgi-python/vars/pgadmin4.yml b/uwsgi-python/vars/pgadmin4.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2df22a7c34db399092cad575330f0ef6e3f890c5
--- /dev/null
+++ b/uwsgi-python/vars/pgadmin4.yml
@@ -0,0 +1,17 @@
+---
+
+app_home: /var/lib/pgadmin
+app_path: /usr/share/pgadmin4/web
+app_program: pgAdmin4.wsgi
+app_callable: application
+app_mountpoint: /pgadmin4
+app_workers: 1
+app_enable_threads: true
+app_uwsgi_options:
+  - "threads = 25"
+app_db_type: sqlite
+app_secret_config: false
+app_config_file: ""
+app_requirements_file: ""
+app_venv: ""
+app_deploy_key: ""
diff --git a/uwsgi-python/vars/pretix.yml b/uwsgi-python/vars/pretix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9db49bd4ce9a7487ed634b6c97a7d04fdf19e081
--- /dev/null
+++ b/uwsgi-python/vars/pretix.yml
@@ -0,0 +1,100 @@
+---
+
+app_name: 'pretix'
+app_user: 'pretix'
+app_group: 'pretix'
+app_home: "/var/www/pretix"
+app_path: "/var/www/pretix"
+app_venv: "/var/www/pretix/venv/"
+app_python_version: 3
+
+app_module: 'pretix.wsgi:application'
+app_mountpoint: '/'
+app_service_env:
+  - "DJANGO_SETTINGS_MODULE=pretix.settings"
+app_mules: 0
+app_enable_threads: false
+app_harakiri: 20
+app_workers: 5
+app_uwsgi_options:
+  - "max-requests = 5000"
+  - "vacuum = true"
+  - "single-interpreter = true"
+
+app_db_name: 'pretix'
+app_db_type: 'postgres'  # plus redis
+
+app_additional_software:
+  - python3-dev
+  - libxml2-dev
+  - libxslt1-dev
+  - libffi-dev
+  - zlib1g-dev
+  - libssl-dev
+  - gettext
+  - libpq-dev
+  - libjpeg-dev
+  - libopenjp2-7-dev
+
+app_deploy_key: ''
+app_git_url: 'https://github.com/pretix/pretix.git'
+app_git_version: 'stable'  # release/2.4.x
+app_git_pip: true
+app_git_pip_query: '#egg=pretix&subdirectory=src'
+app_requirements_file: ''
+
+app_config_file: 'pretix.cfg'
+app_secret_config: false
+
+pretix_plugins: []
+
+pretix_instance_name: 'Pretix'
+pretix_external_url: 'https://tickets.example.com'
+pretix_cookie_domain: 'tickets.example.com'
+pretix_currency: 'EUR'
+pretix_plugins_default: 'pretix.plugins.sendmail,pretix.plugins.statistics'
+pretix_plugins_exclude: ''
+pretix_registration: true
+pretix_password_reset: true
+pretix_long_sessions: true
+pretix_ecb_rates: true
+pretix_audit_comments: false
+pretix_loglevel: 'WARNING'
+
+pretix_mail_from: 'tickets@example.com'
+pretix_mail_host: 'mail.example.com'
+pretix_mail_port: 25
+pretix_mail_user: ''
+pretix_mail_password: ''
+pretix_mail_tls: true
+pretix_mail_ssl: false
+pretix_mail_admins: 'admin@example.com'
+
+pretix_redis: 'unix://[:password]@/path/to/socket.sock?db=0'
+pretix_redis_sessions: true
+pretix_celery_backend: 'redis://127.0.0.1/1'
+pretix_celery_broker: 'redis://127.0.0.1/2'
+
+pretix_locale_default: 'de'
+pretix_locale_timezone: 'Europe/Berlin'
+
+pretix_urls_media: '/media/'
+pretix_urls_static: '/static/'
+
+pretix_memcached: '127.0.0.1:11211'
+pretix_sentry_dsn: 'https://<key>:<secret>@sentry.io/<project>'
+pretix_metrics: true
+pretix_metrics_user: 'pretix'
+pretix_metrics_password: ''
+pretix_tools_pdftk: '/usr/bin/pdftk'
+
+pretix_entropy_order_code: 5  # <16
+pretix_entropy_ticket_secret: 32  # <64
+pretix_entropy_voucher_code: 16  # <255
+
+pretix_ldap: false  # do not forget to enable it via plugins
+pretix_ldap_bind_url: "ldaps://ad.example.com"
+pretix_ldap_bind_dn: "EXAMPLE\\user"
+pretix_ldap_password: "secret"
+pretix_ldap_search_base: "cn=User,dc=example,dc=com"
+pretix_ldap_search_filter: "(&(objectClass=inetOrgPerson)(mail={email}))"
diff --git a/uwsgi-python/vars/printercount.yml b/uwsgi-python/vars/printercount.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fc5313e9395c5524ea1e58441ddc5ff76882e1d9
--- /dev/null
+++ b/uwsgi-python/vars/printercount.yml
@@ -0,0 +1,35 @@
+---
+
+app_name: printercount
+app_user: printercount
+app_group: printercount
+app_home: /var/www/printercount
+app_path: /var/www/printercount/program
+app_python_version: 3
+app_venv: /var/www/printercount/program
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /kasse
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/printercount"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:kasse/printercount.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+printercount_timezone: Europe/Berlin
+printercount_date_format: "%d.%m.%Y"
+printercount_log_dir: /var/log/cups/
diff --git a/uwsgi-python/vars/protokollsystem.yml b/uwsgi-python/vars/protokollsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d71d2ce92705bf4f689e893e65f7cfe1266384b7
--- /dev/null
+++ b/uwsgi-python/vars/protokollsystem.yml
@@ -0,0 +1,45 @@
+---
+
+app_name: protokollsystem
+app_user: protokolle
+app_group: protokolle
+app_home: /var/www/protokollsystem
+app_path: /var/www/protokollsystem/program
+app_python_version: 3
+app_mules: 1
+app_enable_threads: true
+app_uwsgi_options: []
+app_venv: /var/www/protokollsystem/program/
+app_program: server.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+
+app_db_name: protokollsystem
+app_db_type: postgres
+
+app_additional_software:
+  - "libldap2-dev"
+  - "libsasl2-dev"
+  - "libxml2-dev"
+  - "libxslt-dev"
+  - "fontconfig"
+  - "tex-gyre"
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/protokollsystem"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:protokollsystem/proto3.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: ["security_key"]
+
+protokolle_celery_broker: 'redis://localhost:6379/0'
+protokolle_celery_concurrency: 4
+protokolle_wiki_type: MEDIAWIKI
+protokolle_logos: []
+
+# yamllint disable-line rule:line-length
+protokolle_sentry_dsn: ""
diff --git a/uwsgi-python/vars/redeleitsystem.yml b/uwsgi-python/vars/redeleitsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ddc2d8ef3054db0c4ff634ad6286b143c74019a6
--- /dev/null
+++ b/uwsgi-python/vars/redeleitsystem.yml
@@ -0,0 +1,34 @@
+---
+
+app_name: redeleitsystem
+app_user: redeleitsystem
+app_group: redeleitsystem
+app_home: /var/www/redeleitsystem
+app_path: /var/www/redeleitsystem
+app_python_version: 3
+app_venv: /var/www/redeleitsystem/venv/
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /redeleitsystem
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: 'redeleitsystem'
+app_db_type: 'postgres'
+
+app_additional_software: []
+
+app_deploy_key: ""
+app_git_url: "https://git.fsmpi.rwth-aachen.de/redl/redeleitsystem.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+redeleitsystem_update_index: 5
+redeleitsystem_update_time: 10
diff --git a/uwsgi-python/vars/repo-sync.yml b/uwsgi-python/vars/repo-sync.yml
new file mode 100644
index 0000000000000000000000000000000000000000..97b90c2382a717e1ad42d44d401b0ff28017f2a8
--- /dev/null
+++ b/uwsgi-python/vars/repo-sync.yml
@@ -0,0 +1,40 @@
+---
+
+app_name: repo-sync
+app_user: repo-sync
+app_group: repo-sync
+app_home: /var/www/stud-repo-sync
+app_path: /var/www/stud-repo-sync
+app_python_version: 3
+app_venv: /var/www/stud-repo-sync/venv/
+app_program: sync.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: true
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: ['git']
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/repo-sync"
+app_git_url: "git@git.stud.rwth-aachen.de:infra/repo-sync.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: false
+app_secret_config_keys: []
+
+repo_sync_ssh_key: "{{ inventory_dir }}/files/deploy-keys/repo-sync-worker"
+repo_sync_workers: 2
+repo_sync_repos:
+  - source: 'git@git.example.com:test/from.git'
+    dest: 'git@git.example.com:test/to.git'
+repo_sync_secrets:
+  - source: 'git@git.example.com:test/from.git'
+    secret: 'ALLOW'
diff --git a/uwsgi-python/vars/samba-migration.yml b/uwsgi-python/vars/samba-migration.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0a47208f7230fd25cd66231b45ceb26d4d873eb6
--- /dev/null
+++ b/uwsgi-python/vars/samba-migration.yml
@@ -0,0 +1,31 @@
+---
+
+app_name: migration-webapp
+app_user: migration-webapp
+app_group: migration-webapp
+app_home: /var/www/samba-migration-webapp
+app_path: /var/www/samba-migration-webapp/program
+app_python_version: 3
+app_venv: /var/www/samba-migration-webapp/program
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_requirements_file: requirements.txt
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/samba-migration"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/samba-migration-webapp.git"
+app_git_version: HEAD
+
+app_config_file: ''
+app_secret_config: false
+app_secret_config_keys: []
diff --git a/uwsgi-python/vars/schilder.yml b/uwsgi-python/vars/schilder.yml
new file mode 100644
index 0000000000000000000000000000000000000000..67d57f6f8ce085ae0d467c9f519461f692f26ed1
--- /dev/null
+++ b/uwsgi-python/vars/schilder.yml
@@ -0,0 +1,41 @@
+---
+
+app_name: schilder
+app_user: schilder
+app_group: schilder
+app_home: /var/www/schilder
+app_path: /var/www/schilder/program
+app_python_version: 3
+app_venv: /var/www/schilder/program
+app_program: schilder.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_type: ""
+
+app_additional_software: ["graphicsmagick", "python-pythonmagick"]
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/schildergenerator"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:schilder/schildergenerator.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+schilder_printsrv: printsrv.example.de
+schilder_printers:
+  - description: "1 - Kopierer Turing"
+    name: "Kopierer1"
+  - description: "2 - Kopierer Moore"
+    name: "Kopierer2"
+schilder_lproptions:
+  - "-o fitplot"
+# yamllint disable-line rule:line-length
+schilder_templates_url: git@git.example.com:schilder/templates-example-schilder.git
diff --git a/uwsgi-python/vars/schrank.yml b/uwsgi-python/vars/schrank.yml
new file mode 100644
index 0000000000000000000000000000000000000000..84cf2b1e7bea1f1281ed55588e7471d99f44fdec
--- /dev/null
+++ b/uwsgi-python/vars/schrank.yml
@@ -0,0 +1,34 @@
+---
+
+app_name: schrank
+app_user: schrankweb
+app_group: schrankweb
+app_home: /var/www/schrank
+app_path: /var/www/schrank
+app_python_version: 2
+app_venv: ''
+app_program: main/wsgi.py
+app_callable: application
+app_command: ''
+app_mountpoint: /
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+app_service_env: []
+
+# There is a mysql database named schrank, but it is unmanaged by ansible.
+app_db_type: ''
+app_db_name: ''
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/schrank"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:schrank/web.git"
+app_git_version: HEAD
+
+# There is no requirements.txt file and no other documentation (e.g. venv)
+# on needed software. The settings (including secret_key and db password)
+# are also checked into the repository.
+app_requirements_file: ''
+app_config_file: ''
+app_secret_config: false
+app_secret_config_keys: []
+app_additional_software: []
diff --git a/uwsgi-python/vars/shorturl.yml b/uwsgi-python/vars/shorturl.yml
new file mode 100644
index 0000000000000000000000000000000000000000..626cf761ef5f5952b21416c60255eb830deae1b9
--- /dev/null
+++ b/uwsgi-python/vars/shorturl.yml
@@ -0,0 +1,55 @@
+---
+
+app_name: shorturl
+app_user: shorturl
+app_group: shorturl
+app_home: /var/www/shorturl
+app_path: /var/www/shorturl
+app_python_version: 3
+app_venv: /var/www/shorturl/venv
+app_program: shorturl.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: shorturl
+app_db_type: postgres
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/shorturl"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/shorturl.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+shorturl_default_redirect: "https://www.example.com"
+shorturl_admin_group: admin
+shorturl_user_group: users
+
+shorturl_ad_host: 'ad.example.com'
+shorturl_ad_domain: 'EXAMPLE'
+shorturl_ad_user_dn: "cn=users,dc=example,dc=com"
+shorturl_ad_group_dn: "cn=users,dc=example,dc=com"
+shorturl_ad_cert: "/etc/ssl/certs/example_cacert.pem"
+
+shorturl_source_forbidden: []
+shorturl_source_regex: ''
+shorturl_target_regex: '^https://([a-zA-Z0-9-]+\.)*example\.com(/(.*))?$'
+shorturl_branding_name: 'Example'
+shorturl_branding_domain: 'short.example'
+# yamllint disable-line rule:line-length
+shorturl_branding_domain_regex: '^(?!(https?://)?(www\.)?(short\.example)/?)(.*)'
+shorturl_branding_contact: 'contact@example.com'
+
+shorturl_mail_subject: 'confirmation request ShortURL service'
+shorturl_mail_domain: 'example.com'
+shorturl_mail_admin: 'contact@example.com'
+shorturl_mail_host: 'mail.example.com'
diff --git a/uwsgi-python/vars/sso.yml b/uwsgi-python/vars/sso.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8c469bfe029d1175d8d8d1d0aee96241cb24e21d
--- /dev/null
+++ b/uwsgi-python/vars/sso.yml
@@ -0,0 +1,39 @@
+---
+
+app_name: sso
+app_user: sso
+app_group: sso
+app_home: /var/www/sso
+app_path: /var/www/sso/program
+app_python_version: 3
+app_venv: /var/www/sso/program
+app_program: sso.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ""
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/sso"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:infra/sso.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+app_additional_software: []
+
+sso_auth_use_ad: true
+sso_auth_host: auth.example.com
+sso_auth_user_dn: "cn=users,dc=example,dc=com"
+sso_auth_group_dn: "dc=example,dc=com"
+sso_auth_ca_cert: ''
+sso_auth_domain: EXAMPLE
+
+sso_domain: "{{ domain }}"
diff --git a/uwsgi-python/vars/timer.yml b/uwsgi-python/vars/timer.yml
new file mode 100644
index 0000000000000000000000000000000000000000..237418ba0ea732eb4857606e3d0596d36dd1d43a
--- /dev/null
+++ b/uwsgi-python/vars/timer.yml
@@ -0,0 +1,30 @@
+---
+
+app_name: timer
+app_user: timer
+app_group: timer
+app_home: /var/www/timer
+app_path: /var/www/timer
+app_python_version: 2
+app_venv: /var/www/timer/venv/
+app_program: timer.py
+app_callable: app
+app_command: ""
+app_mountpoint: /timer
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: ''
+app_db_type: ''
+
+app_additional_software: []
+
+app_deploy_key: ''
+app_git_url: 'https://github.com/orithena/timer-impress.git'
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: ''
+app_secret_config: false
diff --git a/uwsgi-python/vars/vampir-mitglieder.yml b/uwsgi-python/vars/vampir-mitglieder.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d0329a041641e9709dbf1840216650777eccf643
--- /dev/null
+++ b/uwsgi-python/vars/vampir-mitglieder.yml
@@ -0,0 +1,36 @@
+---
+
+app_name: vampir-mitglieder
+app_user: vampirmitglieder
+app_group: vampirmitglieder
+app_home: /var/www/vampir-mitglieder
+app_path: /var/www/vampir-mitglieder
+app_python_version: 3
+app_venv: /var/www/vampir-mitglieder/venv
+app_program: app.py
+app_callable: app
+app_command: ""
+app_mountpoint: /
+app_service_env: []
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_name: vampir
+app_db_type: mysql
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/vampir-mitglieder"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:vampir/mitgliederdatenbank.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: ["SECRET_KEY"]
+
+app_branding_title: "Vampir Mitgliederdatenbank"
+app_branding_description: >
+    Verwaltungsinterface zur Mitgliederdatenbank des Vereins der Alumni
+    der Fachschaft Mathematik/Physik/Informatik an der RWTH Aachen e.V.
diff --git a/uwsgi-python/vars/wahlhelfer.yml b/uwsgi-python/vars/wahlhelfer.yml
new file mode 100644
index 0000000000000000000000000000000000000000..453c4fcd419228bd71ba06cee7155ee30f56d1bc
--- /dev/null
+++ b/uwsgi-python/vars/wahlhelfer.yml
@@ -0,0 +1,42 @@
+---
+
+app_name: wahlhelfer
+app_user: wahlhelfer
+app_group: wahlhelfer
+app_home: /var/www/wahlhelfer
+app_path: /var/www/wahlhelfer/program
+app_python_version: 3
+app_venv: /var/www/wahlhelfer/program
+app_program: main/wsgi.py
+app_callable: application
+app_command: "runserver"
+app_mountpoint: /
+app_mules: 0
+app_enable_threads: false
+app_uwsgi_options: []
+
+app_db_type: mysql
+app_db_name: "wahlhelfer"
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/wahlhelfer"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:wahl/wahlhelfer.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: main/settings.py
+app_secret_config: true
+app_secret_config_keys: []
+
+app_additional_software: []
+
+wahlhelfer_admins: [['Admins', 'admin@example.com']]
+wahlhelfer_sender: 'wahlhelfer@example.com'
+wahlhelfer_mail_host: 'mail.example.com'
+wahlhelfer_mail_user: ''
+wahlhelfer_mail_password: ''
+wahlhelfer_mail_port: ''
+wahlhelfer_allowed_hosts: ['example.com']
+
+app_service_env:
+  - WAHLHELFER_WEB_ROOT=/var/www/wahlhelfer/
+#  - LDAPTLS_CACERT=
diff --git a/uwsgi-python/vars/wahlsystem-2018.yml b/uwsgi-python/vars/wahlsystem-2018.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1f49757ec0b94ef7a36f720a2c53e7958946f8d4
--- /dev/null
+++ b/uwsgi-python/vars/wahlsystem-2018.yml
@@ -0,0 +1,28 @@
+---
+
+app_name: wahlsystem-2018
+app_user: wahl
+app_group: wahl
+app_home: /var/www/wahlsystem-2018
+app_path: /var/www/wahlsystem-2018/program
+app_python_version: 3
+app_enable_threads: true
+app_harakiri: 120
+app_venv: /var/www/wahlsystem-2018/program
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /
+
+app_db_name: wahl2018
+app_db_type: postgres
+
+app_additional_software: []
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/wahlsystem-2018"
+app_git_url: "git@git.stud.rwth-aachen.de:wahlausschuss/website.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: ""
+app_secret_config: false
diff --git a/uwsgi-python/vars/wahlsystem.yml b/uwsgi-python/vars/wahlsystem.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8f51d25acacff0d7eb6b22682a17454aaf9bdd08
--- /dev/null
+++ b/uwsgi-python/vars/wahlsystem.yml
@@ -0,0 +1,54 @@
+---
+
+app_name: wahlsystem
+app_user: wahl
+app_group: wahl
+app_home: /var/www/wahlsystem
+app_path: /var/www/wahlsystem/program
+app_python_version: 3
+app_mules: 0
+app_enable_threads: false
+app_harakiri: 30
+app_uwsgi_options: []
+app_venv: /var/www/wahlsystem/program/
+app_program: server.py
+app_callable: app
+app_command: "runserver"
+app_mountpoint: /
+app_service_env: []
+
+app_db_name: wahlsystem
+app_db_type: postgres
+
+app_additional_software:
+  - "fontconfig"
+  - "tex-gyre"
+
+app_deploy_key: "{{ inventory_dir }}/files/deploy-keys/wahlsystem"
+app_git_url: "git@git.fsmpi.rwth-aachen.de:wahl/wahlsys.git"
+app_git_version: HEAD
+
+app_requirements_file: requirements.txt
+app_config_file: config.py
+app_secret_config: true
+app_secret_config_keys: []
+
+wahl_celery_broker: 'redis://localhost:6379/0'
+wahl_celery_concurrency: 1
+
+wahl_ldap_cert: ''
+wahl_mail: true
+wahl_mail_from: 'wahl@example.com'
+wahl_mail_host: 'mail.example.com:25'
+wahl_mail_user: ''
+wahl_mail_password: ''
+wahl_mail_tls: false
+wahl_mail_prefix: 'Wahlsystem'
+wahl_server_name: 'wahl.example.com'
+wahl_url_root: 'wahl.example.com'
+wahl_url_proto: 'https'
+wahl_url_path: '/'
+wahl_mailman_api_url: 'https://lists.example.com/mailmanAPI'
+wahl_mailman_api_key: ''
+wahl_mailman_default_newpw: ''
+wahl_mailman_host: 'lists.example.com'
diff --git a/uwsgi/handlers/main.yml b/uwsgi/handlers/main.yml
deleted file mode 100644
index 97bfdde069bd77167e985951ac73e7ba03ea7819..0000000000000000000000000000000000000000
--- a/uwsgi/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# file: roles/uwsgi/handlers/main.yml
-
-- name: create tmpfiles
-  shell: systemd-tmpfiles --create
diff --git a/uwsgi/tasks/main.yml b/uwsgi/tasks/main.yml
deleted file mode 100644
index 2a22fca04b453319eccf4efd19a2031e30270f70..0000000000000000000000000000000000000000
--- a/uwsgi/tasks/main.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# file: roles/uwsgi/tasks/main.yml
-
-- name: ensure uwsgi is installed
-  apt: name=uwsgi state=latest
-  tags:
-    - uwsgi
-    - packages
-
-- name: ensure a temporary directory exists
-  lineinfile: dest=/etc/tmpfiles.d/10-uwsgi.conf line="d /run/uwsgi 0755 root root - -" create=yes
-  notify:
-    - create tmpfiles
-  tags:
-    - uwsgi
-    - tmpdirs
-
-- name: ensure a temporary subdirectory exists
-  lineinfile: dest=/etc/tmpfiles.d/10-uwsgi.conf line="d /run/uwsgi/app 0755 root root - -" create=yes
-  notify:
-    - create tmpfiles
-  tags:
-    - uwsgi
-    - tmpdirs
diff --git a/wahlhelfer/defaults/main.yml b/wahlhelfer/defaults/main.yml
deleted file mode 100644
index c62e365812ee0ce3cce44abd38555d93a9a120d0..0000000000000000000000000000000000000000
--- a/wahlhelfer/defaults/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# file: roles/wahlhelfer/defaults/main.yml
-
-wahlhelfer_web_root: /var/www/wahlhelfer
-wahlhelfer_name: wahlhelfer
-wahlhelfer_user: wahlhelfer
-wahlhelfer_group: wahlhelfer
-wahlhelfer_admins: [["Robin Sonnabend", "robin@fsmpi.rwth-aachen.de"]]
-wahlhelfer_sender: wahlhelfer@fsmpi.rwth-aachen.de
-wahlhelfer_mail_host: mail.fsmpi.rwth-aachen.de
-wahlhelfer_allowed_hosts: ["wahlhelfer.stud.rwth-aachen.de"]
diff --git a/wahlhelfer/handlers/main.yml b/wahlhelfer/handlers/main.yml
deleted file mode 100644
index 31d4abeea89c68f292e28d86b3782f8dccf096bf..0000000000000000000000000000000000000000
--- a/wahlhelfer/handlers/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# file: roles/wahlhelfer/handlers/main.yml
-
-- name: reload systemd service files
-  command: systemctl daemon-reload
-
-- name: restart uwsgi for wahlhelfer
-  service: name="{{item}}" state=restarted enabled=yes
-  with_items:
-    - "{{wahlhelfer_name}}"
-
-- name: create tmpfiles
-  command: systemd-tmpfiles --create
diff --git a/wahlhelfer/meta/main.yml b/wahlhelfer/meta/main.yml
deleted file mode 100644
index 41d187d9d87c3ad40d31fad6c01f7e386f0f0f53..0000000000000000000000000000000000000000
--- a/wahlhelfer/meta/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# file:roles/protokollsystem/meta/main.yml
-dependencies:
-  - { role: webserver }
-  - { role: mysql }
-  - { role: uwsgi-python, uwsgi_name: "{{wahlhelfer_name}}", uwsgi_user: "{{wahlhelfer_user}}", uwsgi_group: "{{wahlhelfer_group}}", uwsgi_path: "{{wahlhelfer_web_root}}/program", uwsgi_home: "{{wahlhelfer_web_root}}", uwsgi_program: "main/wsgi.py", uwsgi_callable: "application", uwsgi_command: "runserver", uwsgi_db: "mysql", uwsgi_python: 3 }
diff --git a/wahlhelfer/tasks/main.yml b/wahlhelfer/tasks/main.yml
deleted file mode 100644
index 630a19f737ef021d8f944e8ccffb3ee646b26943..0000000000000000000000000000000000000000
--- a/wahlhelfer/tasks/main.yml
+++ /dev/null
@@ -1,93 +0,0 @@
----
-# file: roles/wahlhelfer/tasks/main.yml
-
-- name: ensure we have a folder for the program
-  file: path="{{wahlhelfer_web_root}}" state=directory owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0755
-  tags:
-    - directory
-    - wahlhelfer
-
-- name: ensure we have a .ssh directory
-  file: path="{{wahlhelfer_web_root}}/.ssh" state=directory owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0755
-  tags:
-    - directory
-    - wahlhelfer
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{wahlhelfer_web_root}}/.ssh/" owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
-  tags:
-    - ssh
-    - wahlhelfer
-
-- name: ensure we have our .ssh config
-  template: src=config dest="{{wahlhelfer_web_root}}/.ssh/config" owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0644
-  tags:
-    - ssh
-    - wahlhelfer
-
-- name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:wahl/wahlhelfer.git dest="{{wahlhelfer_web_root}}/program"
-  become: yes
-  become_user: "{{wahlhelfer_user}}"
-  notify:
-    - restart uwsgi for wahlhelfer
-  tags:
-    - git
-    - wahlhelfer
-
-- name: ensure we have a virtualenv
-  pip:
-    requirements: "{{wahlhelfer_web_root}}/program/requirements.txt"
-    virtualenv: "{{wahlhelfer_web_root}}/program"
-    virtualenv_python: python3
-  become: yes
-  become_user: "{{wahlhelfer_user}}"
-  notify:
-    - restart uwsgi for wahlhelfer
-  tags:
-    - pip
-    - python
-    - wahlhelfer
-
-- name: ensure we have our config
-  template:
-    src: settings.py
-    dest: "{{wahlhelfer_web_root}}/program/main/settings.py"
-    owner: "{{wahlhelfer_user}}"
-    group: "{{wahlhelfer_group}}"
-    mode: 0644
-  notify:
-    - restart uwsgi for wahlhelfer
-  tags:
-    - config
-    - python
-    - wahlhelfer
-
-- name: ensure the unit file exists
-  template:
-    src: wahlhelfer.service
-    dest: "/etc/systemd/system/{{wahlhelfer_name}}.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for wahlhelfer
-  tags:
-    - config
-    - systemd
-    - wahlhelfer
-
-- meta: flush_handlers
-
-- name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
-  with_items:
-    - "{{wahlhelfer_name}}"
-  tags:
-    - config
-    - systemd
-    - wahlhelfer
diff --git a/wahlhelfer/templates/config b/wahlhelfer/templates/config
deleted file mode 100644
index a13911a644d24b598274220ba33dd4227ae2f1f8..0000000000000000000000000000000000000000
--- a/wahlhelfer/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{wahlhelfer_web_root}}/.ssh/deploy-key
diff --git a/wahlhelfer/templates/wahlhelfer.service b/wahlhelfer/templates/wahlhelfer.service
deleted file mode 100644
index a27cd0442e2777514d95ee1cb353fe654a3df184..0000000000000000000000000000000000000000
--- a/wahlhelfer/templates/wahlhelfer.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Wahlhelferorganisation
-After=network.target
-
-[Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-Environment=WAHLHELFER_WEB_ROOT={{wahlhelfer_web_root}}/program/
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{wahlhelfer_name}}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/wahlsystem/defaults/main.yml b/wahlsystem/defaults/main.yml
deleted file mode 100644
index 237f3a572d8fc42a48ec4b8a50942e50f4a5e36b..0000000000000000000000000000000000000000
--- a/wahlsystem/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# file: roles/protokollsystem/defaults/main.yml
-
-wahl_web_root: /var/www/wahlsystem
-wahl_name: wahlsystem
-wahl_user: wahl
-wahl_group: wahl
-wahl_celery_concurrency: 2
diff --git a/wahlsystem/handlers/main.yml b/wahlsystem/handlers/main.yml
deleted file mode 100644
index 05605fd5dcc4e70d37c75b3f4aa257b285f07fe3..0000000000000000000000000000000000000000
--- a/wahlsystem/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# file: roles/protokollsystem/handlers/main.yml
-
-- name: reload systemd service files
-  command: systemctl daemon-reload
-
-- name: restart uwsgi for wahlsystem
-  service: name="{{item}}" state=restarted enabled=yes
-  with_items:
-    - "{{wahl_name}}"
-    - "{{wahl_name}}-celery"
-
-- name: create tmpfiles
-  command: systemd-tmpfiles --create
diff --git a/wahlsystem/meta/main.yml b/wahlsystem/meta/main.yml
deleted file mode 100644
index 7476db6a407d10229b5e5d0fe89c13be6e1fc88d..0000000000000000000000000000000000000000
--- a/wahlsystem/meta/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# file:roles/protokollsystem/meta/main.yml
-dependencies:
-  - { role: webserver }
-  - { role: redis-server }
-  - { role: postgres }
-  - { role: texlive }
-  - { role: cups-client }
-  - { role: uwsgi-python, uwsgi_name: "{{wahl_name}}", uwsgi_user: "{{wahl_user}}", uwsgi_group: "{{wahl_group}}", uwsgi_path: "{{wahl_web_root}}/program", uwsgi_home: "{{wahl_web_root}}", uwsgi_program: "server.py", uwsgi_callable: "app", uwsgi_command: "runserver", uwsgi_db: "postgres", uwsgi_python: 3, uwsgi_mules: 1 }
diff --git a/wahlsystem/tasks/main.yml b/wahlsystem/tasks/main.yml
deleted file mode 100644
index f099e781447ed4eadd02e61ef2c1842e316f754c..0000000000000000000000000000000000000000
--- a/wahlsystem/tasks/main.yml
+++ /dev/null
@@ -1,133 +0,0 @@
----
-# file: roles/wahlsystem/tasks/main.yml
-
-- name: ensure we have the fonts
-  apt: name="{{item}}" state=present
-  with_items:
-    - fontconfig
-    - tex-gyre
-  tags:
-    - packages
-    - wahlsystem
-
-- name: ensure we have a folder for the program
-  file: path="{{wahl_web_root}}" state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  tags:
-    - directory
-    - wahlsystem
-
-- name: ensure we have a .ssh directory
-  file: path="{{wahl_web_root}}/.ssh" state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  tags:
-    - directory
-    - wahlsystem
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{wahl_web_root}}/.ssh/" owner="{{wahl_user}}" group="{{wahl_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
-  tags:
-    - ssh
-    - wahlsystem
-
-- name: ensure we have our .ssh config
-  template: src=config dest="{{wahl_web_root}}/.ssh/config" owner="{{wahl_user}}" group="{{wahl_group}}" mode=0644
-  tags:
-    - ssh
-    - wahlsystem
-
-- name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:wahl/wahlsys.git dest="{{wahl_web_root}}/program"
-  become: yes
-  become_user: "{{wahl_user}}"
-  notify:
-    - restart uwsgi for wahlsystem
-  tags:
-    - git
-    - wahlsystem
-
-- name: ensure we have virtualenv installed
-  apt: name=virtualenv state=present
-  tags:
-    - packages
-    - wahlsystem
-
-- name: ensure we have a virtualenv
-  pip:
-    requirements: "{{wahl_web_root}}/program/requirements.txt"
-    virtualenv: "{{wahl_web_root}}/program"
-    virtualenv_python: python3
-  become: yes
-  become_user: "{{wahl_user}}"
-  notify:
-    - restart uwsgi for wahlsystem
-  tags:
-    - pip
-    - python
-    - wahlsystem
-
-- name: ensure we have the necessary folders
-  file: name={{item}} state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  with_items:
-    - "{{wahl_web_root}}/program/blogfiles"
-  tags:
-    - directories
-    - wahlsystem
-
-- name: ensure we have our config
-  template:
-    src: config.py
-    dest: "{{wahl_web_root}}/program/config.py"
-    owner: "{{wahl_user}}"
-    group: "{{wahl_group}}"
-    mode: 0644
-  notify:
-    - restart uwsgi for wahlsystem
-  tags:
-    - config
-    - python
-    - wahlsystem
-
-- name: ensure the unit file exists
-  template:
-    src: wahlsystem.service
-    dest: "/etc/systemd/system/{{wahl_name}}.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for wahlsystem
-  tags:
-    - config
-    - systemd
-    - wahlsystem
-
-- name: ensure the celery unit file exists
-  template:
-    src: celery.service
-    dest: "/etc/systemd/system/{{wahl_name}}-celery.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - reload systemd service files
-    - restart uwsgi for wahlsystem
-  tags:
-    - config
-    - systemd
-    - celery
-    - wahlsystem
-
-- meta: flush_handlers
-
-- name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
-  with_items:
-    - "{{wahl_name}}"
-    - "{{wahl_name}}-celery"
-  tags:
-    - config
-    - systemd
-    - wahlsystem
diff --git a/wahlsystem/templates/celery.service b/wahlsystem/templates/celery.service
deleted file mode 100644
index 0f46cf213b79e4d68845c85a79159d5e2c4592fd..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/celery.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Wahlsystem-Celery
-After=network.target
-
-[Service]
-User={{wahl_user}}
-Group={{wahl_group}}
-WorkingDirectory={{wahl_web_root}}/program
-Environment=VIRTUAL_ENV="{{wahl_web_root}}/program"
-ExecStart={{wahl_web_root}}/program/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{wahl_celery_concurrency}}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/wahlsystem/templates/config b/wahlsystem/templates/config
deleted file mode 100644
index bbcaec7f106d833e9fafb36943d00f07e1df98c3..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{wahl_web_root}}/.ssh/deploy-key
diff --git a/wahlsystem/templates/config.py b/wahlsystem/templates/config.py
deleted file mode 100644
index 7597a1f26b8fc988c74769c4198d7e9a7f39a645..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/config.py
+++ /dev/null
@@ -1,26 +0,0 @@
-SQLALCHEMY_DATABASE_URI = "postgresql://{{wahl_user}}:@/{{wahl_name}}"
-SQLALCHEMY_TRACK_MODIFICATIONS = False
-SECRET_KEY = "***REMOVED***"
-DEBUG = False
-MAIL_ACTIVE = True
-MAIL_FROM = "wahl@fsmpi.rwth-aachen.de"
-MAIL_HOST = "mail.fsmpi.rwth-aachen.de:25"
-MAIL_USER = None
-MAIL_PASSWORD = None
-MAIL_USE_TLS = False
-MAIL_PREFIX = "Wahlsystem"
-#CELERY_BROKER_URL = "sqla+postgresql://user:password@host/message-database"
-#CELERY_BROKER_URL = "redis+socket:///run/redis/redis.sock"
-CELERY_BROKER_URL = "redis://localhost:6379/0"
-CELERY_TASK_SERIALIZER = "pickle"
-CELERY_ACCEPT_CONTENT = ["pickle"]
-SERVER_NAME = "wahl.stud.rwth-aachen.de"
-PREFERRED_URL_SCHEME = "https"
-URL_ROOT = "wahl.stud.rwth-aachen.de"
-URL_PROTO = "https"
-URL_PATH = "/"
-URL_PARAMS = ""
-MAILMAN_API_URL = "https://lists.fsmpi.rwth-aachen.de/mailmanAPI"
-MAILMAN_API_KEY = "***REMOVED***"
-MAILMAN_DEFAULT_NEW_PASSWORD = "LnbVEiblyk8qhzmvjJhS"
-MAILMAN_HOST = "lists.fsmpi.rwth-aachen.de"
diff --git a/wahlsystem/templates/wahlsystem.service b/wahlsystem/templates/wahlsystem.service
deleted file mode 100644
index 29ea1679b07931e6b5d9a31e2683791eac9f947d..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/wahlsystem.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Wahlsystem
-After=network.target
-Wants=wahlsystem-celery.service
-
-[Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{wahl_name}}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/webserver/defaults/main.yml b/webserver/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ff764b460b95063ffad6b70392f20ab5e90d2bbf
--- /dev/null
+++ b/webserver/defaults/main.yml
@@ -0,0 +1,45 @@
+---
+
+cipher_strength: modern
+nginx_pam_groups: []
+webserver_enable_acme_default: true
+webserver_enable_ipv6: true
+webserver_enable_reuseport: false
+webserver_resolver: "{{ nameservers }}"
+disallow_apache2: true
+webservers: []
+
+# If you use the Zabbix integration, define this variable.
+# zabbix_password: "{{ lookup('passwordstore', zabbix_user) }}"
+
+# The following settings may be used to tweak performance.
+# Take with a grain of salt. Measure actual performance.
+webserver_workers: 4  # may also be auto
+# webserver_enable_reuseport: true
+# webserver_worker_rlimit_nofile: 100000
+# webserver_worker_connections: 2048
+# webserver_worker_aio_requests: 128
+# webserver_sendfile_max_chunk: '1m'
+# webserver_keepalive_timeout: 75
+# webserver_keepalive_requests: 200
+# webserver_reset_timedout_connection: true
+# webserver_enable_aio: false
+# webserver_aio_threads: false
+# webserver_buffer_access_log: true  # may also be set on a per server basis
+# webserver_enable_gzip: true
+# webserver_gzip_comp_level: 3
+# webserver_gzip_min_length: 100
+# may also be off or any
+# webserver_gzip_proxied: "expired no-cache no-store private auth"
+# webserver_enable_open_file_cache: true
+# webserver_open_file_cache_max: 10000
+# webserver_open_file_cache_inactive: 30
+# webserver_open_file_cache_valid: 60
+# webserver_open_file_cache_min_uses: 2
+# webserver_enable_reuseport: true
+# this and following may also be set on a per location basis
+# webserver_proxy_connect_timeout: 120
+# webserver_send_timeout: 120
+# webserver_proxy_send_timeout: 120
+# webserver_proxy_read_timeout: 120
+# webserver_fastcgi_read_timeout: 120
diff --git a/webserver/files/main b/webserver/files/main
deleted file mode 100644
index 8d70f7bce0b12347e8d30e741591695a4a133b41..0000000000000000000000000000000000000000
--- a/webserver/files/main
+++ /dev/null
@@ -1,9 +0,0 @@
-server {
-	listen 62000;
-	root /var/www;
-	index index.html index.py;
-
-	location / {
-		try_files $uri $uri/ =404;
-	}
-}
diff --git a/webserver/files/nginx.conf b/webserver/files/nginx.conf
deleted file mode 100644
index 225bf7276f884ddef9a79b4ab9603fbc3d11bd5d..0000000000000000000000000000000000000000
--- a/webserver/files/nginx.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-user www-data;
-worker_processes 4;
-pid /run/nginx.pid;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-	set_real_ip_from	127.0.0.1;
-
-	##
-	# Basic Settings
-	##
-
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	# server_tokens off;
-
-	server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# SSL Settings
-	##
-
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-	ssl_prefer_server_ciphers on;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-	gzip_disable "msie6";
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
-}
-
-
-#mail {
-#	# See sample authentication script at:
-#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-# 
-#	# auth_http localhost/auth.php;
-#	# pop3_capabilities "TOP" "USER";
-#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
-# 
-#	server {
-#		listen     localhost:110;
-#		protocol   pop3;
-#		proxy      on;
-#	}
-# 
-#	server {
-#		listen     localhost:143;
-#		protocol   imap;
-#		proxy      on;
-#	}
-#}
diff --git a/webserver/files/pin-apache.conf b/webserver/files/pin-apache.conf
new file mode 100644
index 0000000000000000000000000000000000000000..6d7fa12d27f5e7b3a531b0e286a4058a5929fce7
--- /dev/null
+++ b/webserver/files/pin-apache.conf
@@ -0,0 +1,3 @@
+Package: apache2
+Pin: release *
+Pin-Priority: -1
diff --git a/webserver/files/snippets/acmetool.conf b/webserver/files/snippets/acmetool.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e3e44544af8bf843e32d33e819b6a1479221ed5c
--- /dev/null
+++ b/webserver/files/snippets/acmetool.conf
@@ -0,0 +1,3 @@
+location /.well-known/acme-challenge/ {
+	alias /var/run/acme/acme-challenge/;
+}
diff --git a/webserver/files/snippets/map_upgrade.conf b/webserver/files/snippets/map_upgrade.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0cc431c4f66d3f1316bb28a7ec72e50c4b52e9e6
--- /dev/null
+++ b/webserver/files/snippets/map_upgrade.conf
@@ -0,0 +1,4 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
diff --git a/webserver/files/snippets/sso-auth.conf b/webserver/files/snippets/sso-auth.conf
new file mode 100644
index 0000000000000000000000000000000000000000..bb94317a91f63b84009488c2526609b62b5f3af6
--- /dev/null
+++ b/webserver/files/snippets/sso-auth.conf
@@ -0,0 +1,7 @@
+    # sso
+    auth_request /sso;
+    auth_request_set $sso_set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $sso_set_cookie;
+    auth_request_set $sso_user $upstream_http_x_remote_user;
+    auth_request_set $sso_groups $upstream_http_x_remote_groups;
+    error_page 403 = @sso;
diff --git a/webserver/files/snippets/sso-locations-fsmpi.conf b/webserver/files/snippets/sso-locations-fsmpi.conf
new file mode 100644
index 0000000000000000000000000000000000000000..93c4ca30fc9b5111c1cc047f79a4d939b217b2e0
--- /dev/null
+++ b/webserver/files/snippets/sso-locations-fsmpi.conf
@@ -0,0 +1,17 @@
+location = /sso {
+    internal;
+    proxy_pass https://sso.fsmpi.rwth-aachen.de/backend?group=$sso_group;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header X-Original-URI $request_uri;
+}
+
+location @sso {
+    add_header Cache-Control no-store;
+    return 302 https://sso.fsmpi.rwth-aachen.de?next=https://$server_name$request_uri;
+}
+
+location @sso_logout {
+    add_header Cache-Control no-store;
+    return 302 https://sso.fsmpi.rwth-aachen.de/logout?next=https://$server_name$request_uri;
+}
diff --git a/webserver/files/snippets/sso-locations-vampir.conf b/webserver/files/snippets/sso-locations-vampir.conf
new file mode 100644
index 0000000000000000000000000000000000000000..98d2e44de81eb8e5099e25fe61ff2c2b649ea5e9
--- /dev/null
+++ b/webserver/files/snippets/sso-locations-vampir.conf
@@ -0,0 +1,17 @@
+location = /sso {
+    internal;
+    proxy_pass https://sso.vampir.rwth-aachen.de/backend?group=$sso_group;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header X-Original-URI $request_uri;
+}
+
+location @sso {
+    add_header Cache-Control no-store;
+    return 302 https://sso.vampir.rwth-aachen.de?next=https://$server_name$request_uri;
+}
+
+location @sso_logout {
+    add_header Cache-Control no-store;
+    return 302 https://sso.vampir.rwth-aachen.de/logout?next=https://$server_name$request_uri;
+}
diff --git a/webserver/files/snippets/sso.conf b/webserver/files/snippets/sso.conf
new file mode 100644
index 0000000000000000000000000000000000000000..081956cc1cdc1d4842c7102c1d9f601197f5293d
--- /dev/null
+++ b/webserver/files/snippets/sso.conf
@@ -0,0 +1,30 @@
+location / {
+    # sso
+    auth_request /sso;
+    auth_request_set $sso_set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $sso_set_cookie;
+    auth_request_set $user $upstream_http_x_remote_user;
+    error_page 403 = @sso;
+
+    # usual location config
+    root /var/www/;
+    index index.html;
+}
+
+location = /sso {
+    internal;
+    proxy_pass https://sso.fsmpi.rwth-aachen.de/backend?group=fachschaft;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header X-Original-URI $request_uri;
+}
+
+location @sso {
+    add_header Cache-Control no-store;
+    return 302 https://sso.fsmpi.rwth-aachen.de?next=https://$server_name$request_uri;
+}
+
+location @sso_logout {
+    add_header Cache-Control no-store;
+    return 302 https://sso.fsmpi.rwth-aachen.de/logout?;
+}
diff --git a/webserver/files/sockets.conf b/webserver/files/sockets.conf
new file mode 100644
index 0000000000000000000000000000000000000000..00111a73954fc0689f90917190fbf86e34016b32
--- /dev/null
+++ b/webserver/files/sockets.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/sh -c "rm -f /run/nginx/*.sock"
diff --git a/webserver/files/tmpfiles.conf b/webserver/files/tmpfiles.conf
new file mode 100644
index 0000000000000000000000000000000000000000..b13000cd1fca9fd84e606d0059f21757fd9c1a5c
--- /dev/null
+++ b/webserver/files/tmpfiles.conf
@@ -0,0 +1 @@
+d /run/nginx 0750 www-data nginx-proxy - -
diff --git a/webserver/handlers/main.yml b/webserver/handlers/main.yml
index e58a6acd99ca434391309b227b48723a5483f1f9..d95070e76f5ef66da8bbd902ae54db953d876bd4 100644
--- a/webserver/handlers/main.yml
+++ b/webserver/handlers/main.yml
@@ -1,14 +1,19 @@
 ---
-# file: roles/webserver/handlers/main.yml
+# file: webserver/handlers/main.yml
 
 - name: reload systemd service files
-  command: systemctl daemon-reload
+  systemd:
+    daemon_reload: true
 
 - name: restart nginx
-  service: name=nginx state=restarted
+  service:
+    name: nginx
+    state: reloaded
 
 - name: restart nginx-proxy
-  service: name=nginx-proxy state=restarted
+  service:
+    name: nginx-proxy
+    state: reloaded
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/webserver/tasks/configure_sites.yml b/webserver/tasks/configure_sites.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7d4e62d94aa5fa96ec94d0dc94863219bf29d492
--- /dev/null
+++ b/webserver/tasks/configure_sites.yml
@@ -0,0 +1,139 @@
+---
+# file: webserver/tasks/configure-sites.yml
+
+- name: ensure there is a directory for tls-sites
+  file:
+    path: "/etc/nginx/{{item}}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - proxy-sites-available
+    - proxy-sites-enabled
+
+- name: ensure we have our sites configured
+  template:
+    src: servers/internal.conf
+    dest: "/etc/nginx/sites-available/{{item.name}}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items: "{{webservers}}"
+  when: item.servers|selectattr("internal_locations", "defined") is any
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx
+
+- name: enable our active sites
+  file:
+    src: "/etc/nginx/sites-available/{{item.name}}.conf"
+    dest: "/etc/nginx/sites-enabled/{{item.name}}.conf"
+    state: link
+  with_items: "{{webservers}}"
+  when:
+    - item.servers|selectattr("internal_locations", "defined") is any
+    - item.enabled
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx
+
+- name: disable our inactive sites
+  file:
+    path: "/etc/nginx/sites-enabled/{{item.name}}.conf"
+    state: absent
+  with_items: "{{webservers}}"
+  when:
+    - item.servers|selectattr("internal_locations", "defined") is any
+    - not item.enabled
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx
+
+- name: get activated sites
+  find:
+    paths: /etc/nginx/sites-enabled
+    pattern: '*.conf'
+    file_type: link
+  register: activated_sites
+
+- name: deactivate unconfigured sites
+  file:
+    path: "/etc/nginx/sites-enabled/{{item}}.conf"
+    state: absent
+  # yamllint disable-line rule:line-length
+  loop: "{{activated_sites.files|map(attribute='path')|map('basename')|map('splitext')|map('first')|difference(webservers|selectattr('enabled')|map(attribute='name'))|list}}"
+  loop_control:
+    label: "{{item}}"
+  notify:
+    - restart nginx
+
+- name: ensure we have our sites tls-proxied
+  template:
+    src: servers/public.conf
+    dest: "/etc/nginx/proxy-sites-available/{{item.name}}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items: "{{webservers}}"
+  # yamllint disable-line rule:line-length
+  when: item.servers|selectattr("public_locations", "defined")|map(attribute="public_locations") is any
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx-proxy
+
+- name: enable our active proxied sites
+  file:
+    src: "/etc/nginx/proxy-sites-available/{{item.name}}.conf"
+    dest: "/etc/nginx/proxy-sites-enabled/{{item.name}}.conf"
+    state: link
+  with_items: "{{webservers}}"
+  when:
+    # yamllint disable-line rule:line-length
+    - item.servers|selectattr("public_locations", "defined")|map(attribute="public_locations") is any
+    - item.enabled
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx-proxy
+
+- name: disable our inactive proxied sites
+  file:
+    path: "/etc/nginx/proxy-sites-enabled/{{item.name}}.conf"
+    state: absent
+  with_items: "{{webservers}}"
+  when:
+    # yamllint disable-line rule:line-length
+    - item.servers|selectattr("public_locations", "defined")|map(attribute="public_locations") is any
+    - not item.enabled
+  loop_control:
+    label: "{{item.name}}"
+  notify:
+    - restart nginx-proxy
+
+- name: get activated proxy sites
+  find:
+    paths: /etc/nginx/proxy-sites-enabled
+    pattern: '*.conf'
+    file_type: link
+  register: activated_proxy_sites
+
+- name: deactivate unconfigured proxy sites
+  file:
+    path: "/etc/nginx/proxy-sites-enabled/{{item}}.conf"
+    state: absent
+  # yamllint disable-line rule:line-length
+  loop: "{{activated_proxy_sites.files|map(attribute='path')|map('basename')|map('splitext')|map('first')|difference(webservers|selectattr('enabled')|map(attribute='name'))|list}}"
+  loop_control:
+    label: "{{item}}"
+  notify:
+    - restart nginx-proxy
+
+- include_tasks: zabbix.yml
+  when: zabbix_server is defined and zabbix_user|default(none)
+  tags:
+    - zabbix-check
diff --git a/webserver/tasks/main.yml b/webserver/tasks/main.yml
index 67cf47969714c1547ee9d7bf340a96d2ee28188e..187b4ab6acb057e14152632b6ddfbe3e1ef2db01 100644
--- a/webserver/tasks/main.yml
+++ b/webserver/tasks/main.yml
@@ -1,115 +1,250 @@
 ---
-# file: roles/webserver/tasks/main.yml
+# file: webserver/tasks/main.yml
 
-- name: ensure nginx is installed
-  apt: name={{ item }} state=latest
-  with_items:
+- name: include debian version specific configuration
+  include_vars:
+    file: "{{debian_version|default('fallback')}}.yml"
+  tags:
     - nginx
-    - nginx-full
+    - webservices
+
+- name: ensure nginx is installed
+  apt:
+    name:
+      - nginx
+      - nginx-full
+    state: present
   notify:
     - restart nginx
     - restart nginx-proxy
   tags:
-    - packages
     - nginx
+    - webservices
 
 - name: ensure we got our nginx config
-  copy: src=nginx.conf dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - restart nginx
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure we got our nginx-proxy config
-  template: src=nginx-proxy.conf dest=/etc/nginx/nginx-proxy.conf owner=root group=root mode=0644
+  template:
+    src: nginx-proxy.conf
+    dest: /etc/nginx/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - restart nginx-proxy
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is the nginx-proxy group
-  group: name=nginx-proxy state=present system=yes
+  group:
+    name: nginx-proxy
+    state: present
+    system: true
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is the nginx-proxy user
-  user: name=nginx-proxy state=present group=nginx-proxy system=yes shell=/usr/sbin/nologin home=/var/www createhome=no
+  user:
+    name: nginx-proxy
+    state: present
+    group: nginx-proxy
+    system: true
+    shell: /usr/sbin/nologin
+    home: /var/www
+    createhome: false
   tags:
-    - config
     - nginx
-
-- name: ensure there is some tls-proxy config
-  template: src=tls-proxy.j2 dest=/etc/nginx/sites-available/tls-proxy owner=root group=root mode=0644 force=no
-  notify:
-    - restart nginx-proxy
+    - webservices
+
+- name: ensure the pam login is configured
+  copy:
+    content: "@include common-auth"
+    dest: /etc/pam.d/nginx
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - nginx
+    - webservices
+    - pam
+
+- name: "ensure the pam login is configured"
+  template:
+    src: nginx-pam.conf
+    dest: /etc/pam.d/nginx-{{pam_group}}
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{nginx_pam_groups}}"
+  loop_control:
+    loop_var: pam_group
+  when: nginx_pam_groups is defined
   tags:
-    - config
     - nginx
+    - webservices
+    - pam
 
-- name: ensure there is some main config
-  copy: src=main dest=/etc/nginx/sites-available/main owner=root group=root mode=0644 force=no
-  notify:
-    - restart nginx
+- import_tasks: configure_sites.yml
   tags:
-    - config
     - nginx
+    - webservices
 
-- name: ensure the main config is activated
-  file: path=/etc/nginx/sites-enabled/main state=link src=/etc/nginx/sites-available/main
-  notify:
-    - restart nginx
+- name: create diffie-hellman parameters (this could take some time)
+  command: openssl dhparam -out /etc/ssl/dhparam.pem 2048
+  args:
+    creates: /etc/ssl/dhparam.pem
   tags:
-    - config
+    - dhparam
     - nginx
+    - webservices
+
+- name: ensure we have our snippets
+  copy:
+    src: "{{item}}"
+    dest: /etc/nginx/snippets/
+    owner: root
+    group: root
+    mode: '0644'
+  with_fileglob:
+    - "snippets/*.conf"
+  tags:
+    - nginx
+    - webservices
 
 - name: ensure we have a directory for sockets
-  lineinfile:
+  copy:
+    src: tmpfiles.conf
     dest: /etc/tmpfiles.d/10-nginx.conf
-    line: "d /run/nginx 0750 www-data nginx-proxy - -"
-    create: yes
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - create tmpfiles
   tags:
-    - config
     - nginx
+    - webservices
+
+- name: ensure we can modify the nginx service behaviour
+  file:
+    path: /etc/systemd/system/nginx.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  notify:
+    - reload systemd service files
+  tags:
+    - nginx
+    - webserver
+
+- name: ensure remaining unix sockets are deleted on startup
+  copy:
+    src: sockets.conf
+    dest: /etc/systemd/system/nginx.service.d/sockets.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - reload systemd service files
+  tags:
+    - nginx
+    - webserver
 
 - name: ensure the default config is not activated
-  file: path=/etc/nginx/sites-enabled/default state=absent
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
   notify:
     - restart nginx
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is a lib dir for nginx-proxy
-  file: path=/var/lib/nginx-proxy state=directory owner=root group=root mode=0755
+  file:
+    path: /var/lib/nginx-proxy
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  tags:
+    - nginx
+    - webservices
+
+- name: check our website config
+  command: nginx -tqc /etc/nginx/nginx.conf
+  changed_when: false
   tags:
-    - config
     - nginx
+    - webservices
+
+- name: check our proxy config
+  command: nginx -tqc /etc/nginx/nginx-proxy.conf
+  changed_when: false
+  tags:
+    - nginx
+    - webservices
 
 - name: ensure there is a nginx-proxy service
-  copy: src=nginx-proxy.service dest=/etc/systemd/system/nginx-proxy.service owner=root group=root mode=0644
+  copy:
+    src: nginx-proxy.service
+    dest: /etc/systemd/system/nginx-proxy.service
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - reload systemd service files
     - restart nginx-proxy
   tags:
-    - service
     - nginx
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure nginx is enabled and running
-  service: name=nginx state=running enabled=yes
+  service:
+    name: nginx
+    state: started
+    enabled: true
   tags:
-    - service
     - nginx
+    - webservices
 
 - name: ensure nginx-proxy is enabled and running
-  service: name=nginx-proxy state=running enabled=yes
+  service:
+    name: nginx-proxy
+    state: started
+    enabled: true
+  tags:
+    - nginx
+    - webservices
+
+- name: ensure we can store apt preferences
+  file:
+    state: directory
+    path: /etc/apt/preferences.d
   tags:
-    - service
     - nginx
+    - webservices
 
+- name: ensure nobody tries to depend on apache
+  copy:
+    src: pin-apache.conf
+    dest: /etc/apt/preferences.d/apache2
+  when: disallow_apache2
+  tags:
+    - nginx
+    - webservices
diff --git a/webserver/tasks/zabbix.yml b/webserver/tasks/zabbix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a23676d235f8d9f8ec2524f7cc1adebb382a8dcc
--- /dev/null
+++ b/webserver/tasks/zabbix.yml
@@ -0,0 +1,22 @@
+---
+
+- name: configure a zabbix check for this endpoint
+  zabbix_check:
+    zabbix_url: "{{zabbix_server}}"
+    zabbix_user: "{{zabbix_user}}"
+    zabbix_password: "{{zabbix_password}}"
+    hostname: "{{ansible_fqdn}}"
+    name: "{{item.0.name}} {{item.1.server_name}}"
+    # yamllint disable-line rule:line-length
+    state: "{{'present' if item.0.enabled and item.1.zabbix_check|default(true) else 'absent'}}"
+    steps:
+      - url: "https://{{item.1.server_name}}{{item.1.zabbix_check_url|default('/')}}"
+  with_subelements:
+    - "{{webservers}}"
+    - servers
+  when: zabbix_server is defined and zabbix_user|default(none)
+  delegate_to: localhost
+  loop_control:
+    label: "{{item.0.name}}"
+  tags:
+    - zabbix-check
diff --git a/webserver/templates/include-snippets b/webserver/templates/include-snippets
new file mode 100644
index 0000000000000000000000000000000000000000..ce9265ca10298e90bfee3d2b307e9b373383d17b
--- /dev/null
+++ b/webserver/templates/include-snippets
@@ -0,0 +1,5 @@
+{% if item.include_snippets is defined %}
+{% for snippet in item.include_snippets %}
+include /etc/nginx/snippets/{{snippet}}.conf;
+{% endfor %}
+{% endif %}
diff --git a/webserver/templates/location-auth b/webserver/templates/location-auth
new file mode 100644
index 0000000000000000000000000000000000000000..64428b9635b15dc0ce02a4c7ceed5554e6ae4866
--- /dev/null
+++ b/webserver/templates/location-auth
@@ -0,0 +1,10 @@
+{% if location.pam_auth is defined %}
+        auth_pam "{{location.pam_auth.name|default("FSMPI")}}";
+        auth_pam_service_name "{{location.pam_auth.service|default("nginx")}}";
+
+{% endif %}
+{% if location.basic_auth is defined %}
+        auth_basic "{{location.basic_auth.name|default("FSMPI")}}";
+        auth_basic_user_file {{location.basic_auth.file}};
+
+{% endif %}
diff --git a/webserver/templates/location-header b/webserver/templates/location-header
new file mode 100644
index 0000000000000000000000000000000000000000..48f2fe0a967a51e9b25fc9c1275096b44b226712
--- /dev/null
+++ b/webserver/templates/location-header
@@ -0,0 +1,24 @@
+    location {% if location.exact is defined and location.exact -%} =
+        {%- elif location.prefer_to_regex is defined and location.prefer_to_regex -%} ^~
+        {%- elif location.regex is defined and location.regex -%}
+            {%- if location.case_insensitive is defined and location.case_insensitive -%}
+                ~*
+            {%- else -%}
+                ~
+            {%- endif -%}
+        {%- endif %} {{location.path}} {
+    {% if location.root is defined %}
+        root {{location.root}};
+    {% endif %}
+    {% if location.indices is defined %}
+        index {{location.indices|join(" ")}};
+    {% elif location.autoindex is defined and location.autoindex %}
+        autoindex on;
+    {% endif %}
+    {% if location.error_pages is defined %}
+        {% for error_page in location.error_pages %}
+        error_page {{error_page}};
+        {% endfor %}
+    {% elif location.error_page is defined %}
+        error_page {{location.error_page}};
+    {% endif %}
diff --git a/webserver/templates/location-limit-networks b/webserver/templates/location-limit-networks
new file mode 100644
index 0000000000000000000000000000000000000000..515004993d1bfb29738aae0bd671d988d6b2622b
--- /dev/null
+++ b/webserver/templates/location-limit-networks
@@ -0,0 +1,8 @@
+{% if location.allow_only_networks is defined %}
+        satisfy any;
+{% for network in location.allow_only_networks %}
+        allow {{network.network}}; # {{network.comment|default('?')}}
+{% endfor %}
+        deny all;
+
+{% endif %}
diff --git a/webserver/templates/location-nested b/webserver/templates/location-nested
new file mode 100644
index 0000000000000000000000000000000000000000..e11c3e5e8dcf69d52fe65fd4a50bde1b9c4180ca
--- /dev/null
+++ b/webserver/templates/location-nested
@@ -0,0 +1,10 @@
+{% if location.locations is defined %}
+
+    {% for location in location.locations %}
+    {% macro includelocation() %}{% include "locations/%s.conf"|format(location.type) %}{% endmacro %}
+    {{includelocation()|indent(4)}}
+    {% if not loop.last %}
+
+    {% endif %}
+    {% endfor %}
+{% endif %}
diff --git a/webserver/templates/location-params b/webserver/templates/location-params
new file mode 100644
index 0000000000000000000000000000000000000000..1d594d8a61db1aeba7eee7c08edce07482d45d55
--- /dev/null
+++ b/webserver/templates/location-params
@@ -0,0 +1,19 @@
+{% if location.params is defined %}
+{% for param in location.params %}
+        {{param.key}} {{param.value}};
+{% endfor %}
+
+{% endif %}
+{% if location.conditions is defined %}
+{% for condition in location.conditions %}
+
+        if ({{condition.condition}}) {
+{% for action in condition.actions %}
+            {{action}};
+{% endfor %}
+        }
+{% endfor %}
+{% endif %}
+{% if location.expires is defined %}
+    expires {{location.expires}};
+{% endif %}
diff --git a/webserver/templates/locations/deny.conf b/webserver/templates/locations/deny.conf
new file mode 100644
index 0000000000000000000000000000000000000000..448d9bd500cb81caeb590edf492182c1f2f9b7de
--- /dev/null
+++ b/webserver/templates/locations/deny.conf
@@ -0,0 +1,9 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+    {% include "location-nested" %}
+        deny all;
+        {% if location.hide|default(False) %}
+        return 404;
+        {% endif %}
+    }
diff --git a/webserver/templates/locations/fastcgi.conf b/webserver/templates/locations/fastcgi.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fcd7411195afc27e670ce61039c79f62bf5a6a57
--- /dev/null
+++ b/webserver/templates/locations/fastcgi.conf
@@ -0,0 +1,35 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        include fastcgi_params;
+        {% include "location-limit-networks" -%}
+        {%- include "location-params" -%}
+        {%- include "location-auth" %}
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root{% if location.script_name is defined %}{{location.script_name}}{% else %}$fastcgi_script_name{% endif %};
+        {% if location.pass_real_ip|default(true) %}
+        fastcgi_param REMOTE_ADDR $http_x_real_ip;
+        {% endif %}
+        fastcgi_index {{location.index|default('index.php')}};
+        {% if location.pass_user|default(true) %}
+        fastcgi_param REMOTE_USER $remote_user;
+        {% endif %}
+        proxy_set_header Host {{server.server_name}};
+        {% if server.forward_http|default(true) %}
+        fastcgi_param HTTPS on;
+        fastcgi_param REQUEST_SCHEME https;
+        proxy_set_header X-Forwarded-Proto https;
+        {% else %}
+        proxy_set_header X-Forwarded-Proto $scheme;
+        {% endif %}
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
+        fastcgi_read_timeout {{ location.fastcgi_read_timeout|default(webserver_fastcgi_read_timeout|default(60)) }};
+        fastcgi_keep_conn on;
+        fastcgi_pass {{location.socket}};
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/gone.conf b/webserver/templates/locations/gone.conf
new file mode 100644
index 0000000000000000000000000000000000000000..60549d5815b87f5864c98c12f0d6ba798e91d33c
--- /dev/null
+++ b/webserver/templates/locations/gone.conf
@@ -0,0 +1,6 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+    {% include "location-nested" %}
+        return 410;
+    }
diff --git a/webserver/templates/locations/named.conf b/webserver/templates/locations/named.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7c26d019ac322735c75136dadfcaacedd544302c
--- /dev/null
+++ b/webserver/templates/locations/named.conf
@@ -0,0 +1,9 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" -%}
+        {%- include "location-params" -%}
+        {%- include "location-limit-networks" -%}
+        {%- include "location-auth" %}
+        try_files $uri $uri/ @{{location.name}};
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/param-only.conf b/webserver/templates/locations/param-only.conf
new file mode 100644
index 0000000000000000000000000000000000000000..4cced73e864ceb4aecf15433e40f952c7df6d12d
--- /dev/null
+++ b/webserver/templates/locations/param-only.conf
@@ -0,0 +1,8 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        {%- include "location-params" -%}
+        {%- include "location-limit-networks" -%}
+        {%- include "location-auth" -%}
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/proxy.conf b/webserver/templates/locations/proxy.conf
new file mode 100644
index 0000000000000000000000000000000000000000..37f9de8aef27788cc7ab9dd00bcd10bce4e0310c
--- /dev/null
+++ b/webserver/templates/locations/proxy.conf
@@ -0,0 +1,58 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        {%- include "location-params" -%}
+        {%- include "location-limit-networks" -%}
+        {%- include "location-auth" -%}
+        {% if server.use_sso is defined and server.use_sso and (server.sso_protect_all is undefined or server.sso_protect_all or location.sso_protect is defined and location.sso_protect) %}
+        include /etc/nginx/snippets/sso-auth.conf;
+        proxy_set_header X-Remote-User $sso_user;
+        proxy_set_header X-Remote-Groups $sso_groups;
+        {% endif %}
+        {% if location.proxy_host is defined %}
+        proxy_pass {{location.proxy_scheme|default("https")}}://{{location.proxy_host}}{% if not location.proxy_relative|default(false) %}/{% endif %};
+        {% elif location.proxy_port is defined %}
+        proxy_pass http://127.0.0.1:{{location.proxy_port}}{% if not location.proxy_relative|default(false) %}/{% endif %};
+        {% elif server.port is defined %}
+        proxy_pass http://127.0.0.1:{{server.port}}{% if not location.proxy_relative|default(false) %}/{% endif %};
+        {% elif location.proxy_unix is defined %}
+        proxy_pass http://unix:{{location.proxy_unix}}{% if not location.proxy_relative|default(false) %}:/{% endif %};
+        {% else %}
+        proxy_pass http://unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}}{% if not location.proxy_relative|default(false) %}:/{% endif %};
+        {% endif %}
+        proxy_set_header Host {{location.proxy_set_host|default(server.server_name)}};
+        {% if server.forward_http|default(true) %}
+        proxy_set_header X-Forwarded-Proto https;
+        {% else %}
+        proxy_set_header X-Forwarded-Proto $scheme;
+        {% endif %}
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        {% if location.proxy_cookie|default(false) %}
+        {% if location.proxy_cookie|default('lax') == 'strict' %}
+        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Strict";
+        {% else %}
+        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Lax";
+        {% endif %}
+        {% endif %}
+        {# 1.1 and empty Connection to enable keepalive #}
+        proxy_http_version "{{location.proxy_http_version|default('1.1')}}";
+        {% if location.allow_upgrade|default(false) %}
+        {# Upgrade allows usage of websockets #}
+        proxy_set_header Upgrade "$http_upgrade";
+        proxy_set_header Connection "$connection_upgrade";
+        {% else %}
+        proxy_set_header Connection "";
+        {% endif %}
+        {% if location.proxy_headers is defined %}
+
+        {% for key, value in location.proxy_headers.items() %}
+        proxy_set_header {{key}} {{value}};
+        {% endfor %}
+        {% endif %}
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/redirect.conf b/webserver/templates/locations/redirect.conf
new file mode 100644
index 0000000000000000000000000000000000000000..845a35c63bb92950165c81cdb8b71180fbff5103
--- /dev/null
+++ b/webserver/templates/locations/redirect.conf
@@ -0,0 +1,6 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+    {% include "location-nested" %}
+        return {% if location.temporary is defined and location.temporary %}302{% else %}301{% endif %} {{location.target}};
+    }
diff --git a/webserver/templates/locations/rewrite.conf b/webserver/templates/locations/rewrite.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7d3dff701c24973cb012832d6cea8977c9d37104
--- /dev/null
+++ b/webserver/templates/locations/rewrite.conf
@@ -0,0 +1,11 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        {%- include "location-params" -%}
+        {%- include "location-limit-networks" -%}
+        {%- include "location-auth" -%}
+    {% for rewrite in location.rewrites %}
+        rewrite {{ rewrite }};
+    {% endfor %}
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/static.conf b/webserver/templates/locations/static.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fdcb1080e095b322a9c0f8a879e02645b9e6b6f3
--- /dev/null
+++ b/webserver/templates/locations/static.conf
@@ -0,0 +1,12 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        {%- include "location-params" -%}
+        {%- include "location-limit-networks" -%} 
+        {%- include "location-auth" -%} 
+        {% if location.alias is defined %}
+        alias {{location.alias}};
+        {% endif %}
+        try_files {{ location.try_uri|default('$uri $uri/') }} {{ location.try_default|default('=404') }};
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/locations/uwsgi.conf b/webserver/templates/locations/uwsgi.conf
new file mode 100644
index 0000000000000000000000000000000000000000..3672ac071366e7feeb6c3239c247a3a7f0e671d9
--- /dev/null
+++ b/webserver/templates/locations/uwsgi.conf
@@ -0,0 +1,30 @@
+
+    {%- set location = location -%}
+    {%- include "location-header" %}
+        include uwsgi_params;
+        {% include "location-params" -%}
+        {%- include "location-limit-networks" -%}
+        {%- include "location-auth" -%}
+        proxy_set_header Host {{server.server_name}};
+        {% if location.pass_real_ip|default(false) %}
+        uwsgi_param REMOTE_ADDR $realip_remote_addr;
+        {% endif %}
+        {% if server.forward_http|default(true) %}
+        uwsgi_param HTTPS on;
+        uwsgi_param REQUEST_SCHEME https;
+        proxy_set_header X-Forwarded-Proto https;
+        {% else %}
+        proxy_set_header X-Forwarded-Proto $scheme;
+        {% endif %}
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        {# 1.1 and empty Connection to enable keepalive #}
+        proxy_http_version {{location.proxy_http_version|default('1.1')}};
+        proxy_set_header Connection "";
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
+        uwsgi_pass {{location.socket}};
+    {% include "location-nested" %}
+    }
diff --git a/webserver/templates/nginx-pam.conf b/webserver/templates/nginx-pam.conf
new file mode 100644
index 0000000000000000000000000000000000000000..5075d1efc1fd6a9540a227920997a48a54f73132
--- /dev/null
+++ b/webserver/templates/nginx-pam.conf
@@ -0,0 +1,2 @@
+@include common-auth
+auth    required     pam_succeed_if.so user ingroup {{pam_group}}
diff --git a/webserver/templates/nginx-proxy.conf b/webserver/templates/nginx-proxy.conf
index 4991371c51589fc07c7ed9ac60c781cd661ad97f..d4da389f8f8007c2eeee20f3b611900284dc80fd 100644
--- a/webserver/templates/nginx-proxy.conf
+++ b/webserver/templates/nginx-proxy.conf
@@ -1,77 +1,122 @@
 user nginx-proxy;
-worker_processes 4;
+worker_processes {{ webserver_workers }};
+worker_rlimit_nofile {{ webserver_worker_rlimit_nofile|default(100000) }};
 pid /run/nginx-proxy.pid;
-{% if debian_version == "stretch" %}
 include /etc/nginx/modules-enabled/*.conf;
-{% endif %}
+pcre_jit on;
 
 events {
-	worker_connections 768;
-	# multi_accept on;
+    worker_connections {{ webserver_worker_connections|default(768) }};
+    worker_aio_requests {{ webserver_worker_aio_requests|default(32) }};
+    # multi_accept on;
 }
 
 http {
-	proxy_set_header        X-Real-IP       $remote_addr;
-	proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-	client_body_temp_path /var/lib/nginx-proxy/body-temp;
-	fastcgi_cache_path /var/lib/nginx-proxy/fastcgi-cache keys_zone=one:10m;
-	fastcgi_temp_path /var/lib/nginx-proxy/fastcgi-temp;
-	proxy_cache_path /var/lib/nginx-proxy/proxy-cache keys_zone=two:10m;
-	proxy_temp_path /var/lib/nginx-proxy/proxy-temp;
-	scgi_cache_path /var/lib/nginx-proxy/scgi-cache keys_zone=three:10m;
-	scgi_temp_path /var/lib/nginx-proxy/scgi-temp;
-	uwsgi_cache_path /var/lib/nginx-proxy/uwsgi-cache keys_zone=four:10m;
-	uwsgi_temp_path /var/lib/nginx-proxy/uwsgi-temp;
-
-	##
-	# Basic Settings
-	##
-
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	# server_tokens off;
-
-	server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# SSL Settings
-	##
-
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-	ssl_prefer_server_ciphers on;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/proxy-access.log;
-	error_log /var/log/nginx/proxy-error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-	gzip_disable "msie6";
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Virtual Host Configs
-	##
-
-	#include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-available/tls-proxy;
+    client_body_temp_path /var/lib/nginx-proxy/body-temp;
+    fastcgi_cache_path /var/lib/nginx-proxy/fastcgi-cache keys_zone=one:10m;
+    fastcgi_temp_path /var/lib/nginx-proxy/fastcgi-temp;
+    proxy_cache_path /var/lib/nginx-proxy/proxy-cache keys_zone=two:10m;
+    proxy_temp_path /var/lib/nginx-proxy/proxy-temp;
+    scgi_cache_path /var/lib/nginx-proxy/scgi-cache keys_zone=three:10m;
+    scgi_temp_path /var/lib/nginx-proxy/scgi-temp;
+    uwsgi_cache_path /var/lib/nginx-proxy/uwsgi-cache keys_zone=four:10m;
+    uwsgi_temp_path /var/lib/nginx-proxy/uwsgi-temp;
+
+    ##
+    # Basic Settings
+    ##
+
+    sendfile on;
+    sendfile_max_chunk {{ webserver_sendfile_max_chunk|default('1m') }};
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout {{ webserver_keepalive_timeout|default(65) }};
+    keepalive_requests {{ webserver_keepalive_requests|default(100) }};
+    types_hash_max_size 2048;
+    # server_tokens off;
+    reset_timedout_connection {{ 'on' if webserver_reset_timedout_connection|default(False) else 'off' }};
+    client_max_body_size 2m;
+
+    {% if webserver_enable_aio|default(False) %}
+    aio            {{ 'on' if webserver_aio_threads|default(False) else 'off' }};
+    directio       {{ webserver_aio_directio|default('512') }};
+    output_buffers 1 128k;
+    {% endif %}
+
+    server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    types {
+        application/wasm wasm;
+    }
+    default_type application/octet-stream;
+
+    resolver {{ webserver_resolver|join(" ") }} ipv6={% if webserver_enable_ipv6 %}on{% else %}off{% endif %};
+
+    ##
+    # SSL Settings
+    ##
+    ssl_protocols {{protocols[cipher_strength]}};
+    ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[cipher_strength] else 'off'}};
+    {% if ciphers[cipher_strength] is not none %}
+    ssl_ciphers '{{ciphers[cipher_strength]}}';
+    {% endif %}
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_dhparam /etc/ssl/dhparam.pem;
+
+    ##
+    # Logging Settings
+    ##
+
+    {% if webserver_buffer_access_log|default(False) %}
+    access_log /var/log/nginx/proxy-access.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/proxy-access.log;
+    {% endif %}
+    error_log /var/log/nginx/proxy-error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    {% if webserver_enable_gzip|default(True) %}
+    gzip on;
+    gzip_disable "msie6";
+    gzip_comp_level {{ webserver_gzip_comp_level|default(1) }};
+    gzip_min_length {{ webserver_gzip_min_length|default(20) }};
+    gzip_proxied {{ webserver_gzip_proxied|default('off') }};
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    {% endif %}
+
+    {% if webserver_enable_open_file_cache|default(False) %}
+    open_file_cache          max={{ webserver_open_file_cache_max|default(1000) }} inactive={{ webserver_open_file_cache_inactive|default(20) }}s; # 10000, 30
+    open_file_cache_valid    {{ webserver_open_file_cache_valid|default(30) }}s; # 60
+    open_file_cache_min_uses {{ webserver_open_file_cache_min_uses|default(2) }};
+    open_file_cache_errors   on;
+    open_log_file_cache max=1000 inactive=30s valid=1m min_uses=2;
+    {% endif %}
+
+    ##
+    # Virtual Host Configs
+    ##
+
+    #include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/proxy-sites-enabled/*.conf;
+
+    {% if webserver_enable_acme_default %}
+    server {
+        listen 80 {{ 'reuseport' if webserver_enable_reuseport else '' }};
+        server_name _;
+        include /etc/nginx/snippets/acmetool.conf;
+        location / {
+            deny all;
+        }
+    }
+    {% endif %}
 }
diff --git a/webserver/templates/nginx.conf b/webserver/templates/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..18073aeacbc18280f53c9c99f07e44af6b485e7d
--- /dev/null
+++ b/webserver/templates/nginx.conf
@@ -0,0 +1,100 @@
+user www-data;
+worker_processes {{ webserver_workers }};
+worker_rlimit_nofile {{ webserver_worker_rlimit_nofile|default(100000) }};
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+pcre_jit on;
+
+events {
+    worker_connections {{ webserver_worker_connections|default(768) }};
+    worker_aio_requests {{ webserver_worker_aio_requests|default(32) }};
+    # multi_accept on;
+}
+
+http {
+    set_real_ip_from 127.0.0.1;
+    set_real_ip_from unix:;
+    real_ip_recursive on;
+
+    ##
+    # Basic Settings
+    ##
+
+    sendfile on;
+    sendfile_max_chunk {{ webserver_sendfile_max_chunk|default('1m') }};
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout {{ webserver_keepalive_timeout|default(65) }};
+    keepalive_requests {{ webserver_keepalive_requests|default(100) }};
+    types_hash_max_size 2048;
+    # server_tokens off;
+    reset_timedout_connection {{ 'on' if webserver_reset_timedout_connection|default(False) else 'off' }};
+    client_max_body_size 2m;
+
+    {% if webserver_enable_aio|default(False) %}
+    aio            {{ 'on' if webserver_aio_threads|default(False) else 'off' }};
+    directio       {{ webserver_aio_directio|default('512') }};
+    output_buffers 1 128k;
+    {% endif %}
+
+    server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    types {
+        application/wasm wasm;
+    }
+    default_type application/octet-stream;
+
+    resolver {{ webserver_resolver|join(" ") }} ipv6={% if webserver_enable_ipv6 %}on{% else %}off{% endif %};
+
+    ##
+    # SSL Settings
+    ##
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_dhparam /etc/ssl/dhparam.pem;
+
+    ##
+    # Logging Settings
+    ##
+
+    {% if webserver_buffer_access_log|default(False) %}
+    access_log /var/log/nginx/access.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/access.log;
+    {% endif %}
+    error_log /var/log/nginx/error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    {% if webserver_enable_gzip|default(True) %}
+    gzip on;
+    gzip_disable "msie6";
+    gzip_comp_level {{ webserver_gzip_comp_level|default(1) }};
+    gzip_min_length {{ webserver_gzip_min_length|default(20) }};
+    gzip_proxied {{ webserver_gzip_proxied|default('off') }};
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    {% endif %}
+
+    {% if webserver_enable_open_file_cache|default(False) %}
+    open_file_cache          max={{ webserver_open_file_cache_max|default(1000) }} inactive={{ webserver_open_file_cache_inactive|default(20) }}s; # 10000, 30
+    open_file_cache_valid    {{ webserver_open_file_cache_valid|default(30) }}s; # 60
+    open_file_cache_min_uses {{ webserver_open_file_cache_min_uses|default(2) }};
+    open_file_cache_errors   on;
+    open_log_file_cache max=1000 inactive=30s valid=1m min_uses=2;
+    {% endif %}
+
+    ##
+    # Virtual Host Configs
+    ##
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*.conf;
+
+}
diff --git a/webserver/templates/servers/internal.conf b/webserver/templates/servers/internal.conf
new file mode 100644
index 0000000000000000000000000000000000000000..56ab856965305915dc7dca82e867407e287b46f4
--- /dev/null
+++ b/webserver/templates/servers/internal.conf
@@ -0,0 +1,13 @@
+#jinja2: lstrip_blocks: True
+{% for upstream in item.internal_upstreams|default([]) %}
+{% include "sites/upstream.conf" %}
+{% endfor %}
+
+{% for server in item.servers %}
+
+{% include "sites/%s.conf"|format(server.type) %}
+
+{% endfor %}
+
+{% set item = item %}
+{% include "include-snippets" %}
diff --git a/webserver/templates/servers/public.conf b/webserver/templates/servers/public.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ce968128dbd37dda1acaefac2eddafb96ab33521
--- /dev/null
+++ b/webserver/templates/servers/public.conf
@@ -0,0 +1,34 @@
+#jinja2: lstrip_blocks: True
+{% for upstream in item.public_upstreams|default([]) %}
+{% include "sites/upstream.conf" %}
+{% endfor %}
+
+{% for server in item.servers %}
+{% if server.public_locations is defined %}
+{% if server.forward_http|default(true) %}
+{% include "sites/httprewrite.conf" %}    
+
+{% endif %}
+{% if server.forward_ip|default(false) %}
+{% include "sites/iprewrite.conf" %}
+
+
+{% endif %}
+{% if server.forward_hostnames is defined %}
+{% include "sites/hostnamerewrite.conf" %}
+
+
+{% endif %}
+{% include "sites/tlsproxy.conf" %}
+{% if not loop.last %}
+
+{% endif %}
+{% endif %}
+{% if not loop.last %}
+
+
+{% endif %}
+{% endfor %}
+
+{% set item = item %}
+{% include "include-snippets" %}
diff --git a/webserver/templates/site-header b/webserver/templates/site-header
new file mode 100644
index 0000000000000000000000000000000000000000..3a01dfe5951699bded039286b9b9bfed581bd4c9
--- /dev/null
+++ b/webserver/templates/site-header
@@ -0,0 +1,7 @@
+
+    {% if server.port is defined %}
+    listen localhost:{{server.port}};
+    {% else %}
+    listen unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}};
+    {% endif %}
+
diff --git a/webserver/templates/site-security b/webserver/templates/site-security
new file mode 100644
index 0000000000000000000000000000000000000000..4d7a0aa6a3fab347225c3183bcde42a5e3c3e60c
--- /dev/null
+++ b/webserver/templates/site-security
@@ -0,0 +1,67 @@
+{% if server.http_forward|default(true) %}
+    add_header Strict-Transport-Security "max-age=15768000" always;
+{% endif %}
+
+{% if server.xss_protect|default(true) %}
+    add_header X-XSS-Protection "1; mode=block" always;
+{% endif %}
+{% if server.no_sniff|default(true) %}
+    add_header X-Content-Type-Options "nosniff" always;
+{% endif %}
+
+{% if server.referrer_policy|default(true) %}
+{% if server.referrer_policy is defined %}
+    add_header Referrer-Policy "{{ server.referrer_policy }}" always;
+{% else %}
+    add_header Referrer-Policy "same-origin" always;
+{% endif %}
+{% endif %}
+
+{% if server.expect_ct|default(true) %}
+{% if server.expect_ct is defined %}
+    add_header Expect-CT "{{ server.expect_ct }}" always;
+{% else %}
+    add_header Expect-CT "max-age=86400, enforce" always;
+{% endif %}
+{% endif %}
+
+{% if server.cors|default(false) %}
+{% if server.cors is defined %}
+    add_header Access-Control-Allow-Origin "{{ server.cors }}" always;
+{% else %}
+    add_header Access-Control-Allow-Origin "'*'" always;
+{% endif %}
+{% if not server.no_sniff|default(true) %}
+    add_header X-Content-Type-Options "nosniff" always;
+{% endif %}
+{% if not server.csp|default(true) %}
+    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
+    add_header X-Frame-Options "DENY" always;
+{% endif %}
+{% endif %}
+
+{% if server.csp|default(true) %}
+{% if server.csp is defined and server.csp == 'self' %}
+    add_header Content-Security-Policy "object-src 'none'; default-src 'self'; frame-ancestors 'none'; block-all-mixed-content" always;
+    add_header X-Frame-Options "DENY" always;
+{% elif server.csp is defined %}
+    {% if 'frame-ancestors' in server.csp %}
+        {% if server.csp['frame-ancestors'] == "'self'" %}
+            add_header X-Frame-Options "SAMEORIGIN" always;
+        {% else %}
+            add_header X-Frame-Options "DENY" always;
+        {% endif %}
+    {% else %}
+        add_header X-Frame-Options "DENY" always;
+        {% set x=server.csp.__setitem__("frame-ancestors", "'none'") %}
+    {% endif %}
+    {% set directives = [] %}
+    {% for key, value in server.csp.items() %}
+    {{ directives.append(key ~ ' ' ~ value) }}
+    {% endfor %}
+    add_header Content-Security-Policy "{{ directives|join('; ') }}" always;
+{% else %}
+    add_header Content-Security-Policy "object-src 'self'; default-src 'self' data: 'unsafe-eval' 'unsafe-inline'; frame-ancestors 'none'" always;
+    add_header X-Frame-Options "DENY" always;
+{% endif %}
+{% endif %}
diff --git a/webserver/templates/site-server_name b/webserver/templates/site-server_name
new file mode 100644
index 0000000000000000000000000000000000000000..903a51057f12711458672c25415b3efe6ed0c44a
--- /dev/null
+++ b/webserver/templates/site-server_name
@@ -0,0 +1 @@
+    server_name {{server.server_names|default([server.server_name])|join(" ")}};
diff --git a/webserver/templates/sites/hostnamerewrite.conf b/webserver/templates/sites/hostnamerewrite.conf
new file mode 100644
index 0000000000000000000000000000000000000000..b6829139a5bd945ddb68ed4739d9142ddcc19329
--- /dev/null
+++ b/webserver/templates/sites/hostnamerewrite.conf
@@ -0,0 +1,25 @@
+server {
+    listen 80;
+    listen 443 ssl;
+    server_name {{server.forward_hostnames.hostnames|default(server.forward_hostnames)|join(" ")}};
+    error_log /var/log/nginx/rewrite-error-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/rewrite-access-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log;
+    {% endif %}
+
+    {% include "ssl-certificate" %}
+
+    {% include "site-security" %}
+
+{% if server.include_acme|default(true) %}
+    include /etc/nginx/snippets/acmetool.conf;
+
+    location / {
+        return 301 https://{{server.server_name}}{{server.forward_hostnames.path|default("")}}$request_uri;
+    }
+{% else %}
+    return 301 https://{{server.server_name}}{{server.forward_hostnames.path|default("")}}$request_uri;
+{% endif %}
+}
diff --git a/webserver/templates/sites/httprewrite.conf b/webserver/templates/sites/httprewrite.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8288c27c1f7e3df498458b3f2b8b8546f5248810
--- /dev/null
+++ b/webserver/templates/sites/httprewrite.conf
@@ -0,0 +1,22 @@
+server {
+    listen 80;
+    server_name {{server.server_names|default([server.server_name])|join(" ")}};
+    error_log /var/log/nginx/rewrite-error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/rewrite-access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}
+
+    {% include "site-security" %}
+
+{% if server.include_acme|default(true) %}
+    include /etc/nginx/snippets/acmetool.conf;
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+{% else %}
+    return 301 https://$server_name$request_uri;
+{% endif %}
+}
diff --git a/webserver/templates/sites/iprewrite.conf b/webserver/templates/sites/iprewrite.conf
new file mode 100644
index 0000000000000000000000000000000000000000..dc9c2a52413d20d32324eab1529beb902d9a4021
--- /dev/null
+++ b/webserver/templates/sites/iprewrite.conf
@@ -0,0 +1,17 @@
+server {
+    listen 80 {{ 'reuseport' if webserver_enable_reuseport and not webserver_enable_acme_default else '' }};
+    listen 443 ssl {{ 'reuseport' if webserver_enable_reuseport else '' }};
+    server_name {{ansible_all_ipv4_addresses|join(" ")}};
+    error_log /var/log/nginx/rewrite-error-{{ansible_all_ipv4_addresses|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{ansible_all_ipv4_addresses|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/rewrite-access-{{ansible_all_ipv4_addresses|first}}.log;
+    {% endif %}
+
+    {% include "ssl-certificate" %}
+
+    {% include "site-security" %}
+
+    return 301 https://{{server.server_name}}$request_uri;
+}
diff --git a/webserver/templates/sites/mediawiki.conf b/webserver/templates/sites/mediawiki.conf
new file mode 100644
index 0000000000000000000000000000000000000000..400e73b01a3db8684fb7b3d72c51cb77d95547e5
--- /dev/null
+++ b/webserver/templates/sites/mediawiki.conf
@@ -0,0 +1,66 @@
+server {
+    {% if server.port is defined %}
+
+    listen localhost:{{server.port}} {{ 'reuseport' if webserver_enable_reuseport else '' }};
+    {% else %}
+
+    listen unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}};
+    {% endif %}
+
+    server_name {{server.server_names|default([server.server_name])|join(" ")}};
+    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}
+
+    root {{server.root}};
+    {% if server.indices is defined %}
+    index {{server.indices|join(" ")}};
+    {% endif %}
+
+    location / {
+        try_files $uri $uri/ @rewrite;
+    }
+
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?title=$1&args;
+    }
+
+    location ^~ /maintenance/ {
+        deny all;
+    }
+
+    location ~ \.php$ {
+        include fastcgi_params;
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param REMOTE_ADDR $http_x_real_ip;
+        fastcgi_pass {{server.fastcgi_socket}};
+    }
+
+    location ~* \.(js|css|png|jpeg|gif|ico)$ {
+        try_files $uri =404;
+        expires max;
+        log_not_found off;
+    }
+
+    location = /_.gif {
+        expires max;
+        empty_gif;
+    }
+
+    location ^~ /cache/ {
+        deny all;
+    }
+
+    {% set server = server %}
+    {% if server.internal_locations is defined %}
+    {% for location in server.internal_locations %}
+
+        {% include "locations/%s.conf"|format(location.type) %}
+    {% endfor %}
+    {% endif %}
+
+}
diff --git a/webserver/templates/sites/open-xchange.conf b/webserver/templates/sites/open-xchange.conf
new file mode 100644
index 0000000000000000000000000000000000000000..40c2a027193227fd804f6ad598c83d41471a3f0a
--- /dev/null
+++ b/webserver/templates/sites/open-xchange.conf
@@ -0,0 +1,237 @@
+# taken from https://gist.github.com/stbuehler/70ec37592957ab900469b75a05baa152 by Stefan Bühler
+
+upstream oxcluster {
+    server 127.0.0.1:8009 weight=50;
+}
+
+server {
+    {%- include "site-header" %}
+
+    {% include "site-server_name" %}
+
+    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}
+
+    root {{server.root}};
+    index index.html;
+
+    add_header "X-Frame-Options" "SAMEORIGIN";
+    client_max_body_size 100M;
+
+    # extend mime types
+    include mime.types;
+    types {
+        text/cache-manifest appcache;
+        application/x-font-ttf ttf;
+        image/png xpng;
+        text/css less;
+    }
+
+    gzip on;
+    gzip_types text/plain text/javascript application/javascript text/css text/xml application/xml text/x-js application/x-javascript;
+    gzip_vary off;
+
+    location = / {
+        rewrite .* /appsuite/ permanent;
+    }
+
+    location = /appsuite/ {
+        if ($http_user_agent ~ "MSIE [6-8]") {
+            rewrite .* /appsuite/unsupported.html permanent;
+        }
+        index ui;
+    }
+
+    location /appsuite/ {
+        location ~ ^/appsuite/v= {
+            rewrite ^/appsuite/v=[^/]*(/.*)$ /appsuite$1 last;
+        }
+
+        location ~ /(ui|core|signin)$ {
+            types { }
+            default_type text/html;
+            expires 0; # now
+            if_modified_since off;
+            etag off;
+        }
+
+        # en_US help fallback
+        location ~ ^(/appsuite/help(?:-.+)?/l10n)/([a-z_A-Z]+)(.+) {
+            try_files $uri $uri/index.html $1/en_US$3 $1/en_US$3/index.html =404;
+
+            # copied from default below
+            expires 182d; # about 6 months
+            add_header "Cache-Control" "private";
+            etag off;
+        }
+
+        # icons default-theme fallback
+        location ~ ^(/appsuite/apps/themes)/.*/([^/]+)$ {
+            try_files $uri $1/icons/default/$2 =404;
+
+            # copied from default below
+            expires 182d; # about 6 months
+            add_header "Cache-Control" "private";
+            etag off;
+        }
+
+        location ~ /online\.js$ {
+            expires 0; # now
+            add_header "Cache-Control" "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
+            etag off;
+        }
+
+        location ~ \.(jsz|cssz|xmlz) {
+            gzip off;
+            types {
+                text/javascript jsz;
+                text/css cssz;
+                text/xml xmlz;
+            }
+            add_header "Content-Encoding" "gzip";
+
+            # copied from default below
+            expires 182d; # about 6 months
+            add_header "Cache-Control" "private";
+            etag off;
+        }
+        # else:
+
+        expires 182d; # about 6 months
+        add_header "Cache-Control" "private";
+        etag off;
+    }
+    
+    location /caldav/ {
+        proxy_pass http://oxcluster/servlet/dav/caldav/;
+    }
+    
+    location /carddav/ {
+        proxy_pass http://oxcluster/servlet/dav/carddav/;
+    }
+
+    location @oxcluster {
+        proxy_pass http://oxcluster;
+        proxy_read_timeout 1900s;
+
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location @eas_oxcluster {
+        proxy_pass http://oxcluster;
+        proxy_read_timeout 1900s;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /ajax {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /appsuite/api {
+        rewrite ^/appsuite/api(.*) /ajax$1 last;
+    }
+    location /drive {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /infostore {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /publications {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /realtime {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /servlet {
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /servlet/axis2/services {
+        allow 127.0.0.1;
+        deny all;
+        error_page 418 = @oxcluster; return 418;
+    }
+    location /webservices {
+        allow 127.0.0.1;
+        deny all;
+        error_page 418 = @oxcluster; return 418;
+    }
+
+    location /usm-json {
+        error_page 418 = @eas:oxcluster; return 418;
+    }
+    location /Microsoft-Server-ActiveSync {
+        {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+            access_log /var/log/nginx/active_sync.log combined buffer=16k flush=1m;
+        {% else %}
+            access_log /var/log/nginx/active_sync.log;
+        {% endif %}
+        error_page 418 = @eas_oxcluster; return 418;
+    }
+
+    # deny access to .htaccess files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+{#
+server {
+    {%- include "site-header" %}
+
+    {%- include "site-server_name" %}
+
+    root {{server.root}};
+    index index.html;
+
+    add_header "X-Frame-Options" "SAMEORIGIN";
+    client_max_body_size 100M;
+
+    # extend mime types
+    include mime.types;
+    types {
+        text/cache-manifest appcache;
+        application/x-font-ttf ttf;
+        image/png xpng;
+        text/css less;
+    }
+
+    gzip on;
+    gzip_types text/plain text/javascript application/javascript text/css text/xml application/xml text/x-js application/x-javascript;
+    gzip_vary off;
+
+    location = / {
+        proxy_pass http://oxcluster/servlet/dav/;
+    }
+
+    location @oxcluster-sync {
+        proxy_pass http://oxcluster;
+        proxy_read_timeout 100s;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location @eas_oxcluster {
+        proxy_pass http://oxcluster;
+        proxy_read_timeout 1900s;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+#}
diff --git a/webserver/templates/sites/tlsproxy.conf b/webserver/templates/sites/tlsproxy.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8dc832866d5c1ebaec4af3e87d6526c08ea731b3
--- /dev/null
+++ b/webserver/templates/sites/tlsproxy.conf
@@ -0,0 +1,50 @@
+server {
+    listen {% if server.no_ssl is undefined or not server.no_ssl %}443 ssl{% else %}80{% endif %};
+    server_name {{server.server_names|default([server.server_name])|join(" ")}};
+    error_log /var/log/nginx/proxy-error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/proxy-access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/proxy-access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}
+
+    {% if server.include_acme|default(true) %}
+    include /etc/nginx/snippets/acmetool.conf;
+
+    {% endif -%}
+    {% if server.root is defined %}
+    root {{server.root}};
+    {% endif %}
+    {% if not server.no_ssl|default(false) %}
+
+    {% include "ssl-certificate" %}
+    {% endif %}
+
+    {% if server.use_sso is defined and server.use_sso %}
+
+    set $sso_group "{{server.sso_group}}";
+    {% endif %}
+
+    {% include "site-security" %}
+
+    {% if server.params is defined %}
+    {% for param in server.params %}
+            {{param.key}} {{param.value}};
+    {% endfor %}
+    {% endif %}
+
+    {% for location in server.public_locations %}
+        {% set server = server %}
+        {% include "locations/%s.conf"|format(location.type) %}
+        {% if not loop.last %}
+
+
+        {% endif %}
+    {% endfor %}
+    {% if server.use_sso is defined and server.use_sso %}
+
+    include /etc/nginx/snippets/sso-locations-{{server.sso_domain|default("fsmpi")}}.conf;
+    {% else %}
+
+    {% endif %}
+}
diff --git a/webserver/templates/sites/upstream.conf b/webserver/templates/sites/upstream.conf
new file mode 100644
index 0000000000000000000000000000000000000000..6547188130bab46bb7ab63f1d797388e5756d103
--- /dev/null
+++ b/webserver/templates/sites/upstream.conf
@@ -0,0 +1,13 @@
+upstream {{ upstream.name }} {
+	{% for param in upstream.params|default([]) %}
+		{% if param is string %}
+		{{ param }};
+		{% else %}
+		{{ param.key }} {{ param.value }};
+		{% endif %}
+	{% endfor %}
+
+	{% for server in upstream.servers %}
+	server {{ server }};
+	{% endfor %}
+}
diff --git a/webserver/templates/sites/webapp.conf b/webserver/templates/sites/webapp.conf
new file mode 100644
index 0000000000000000000000000000000000000000..56e41ae8bcc1f5bf2b666039d3bc428dd32589d5
--- /dev/null
+++ b/webserver/templates/sites/webapp.conf
@@ -0,0 +1,37 @@
+server {
+    {% if server.port is defined %}
+    listen localhost:{{server.port}} {{ 'reuseport' if webserver_enable_reuseport else '' }};
+    {% else %}
+    listen unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}};
+    {% endif %}
+
+    {% include "site-server_name" %}
+
+    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}
+
+    root {{server.root}};
+    {% if server.indices is defined %}
+    index {{server.indices|join(" ")}};
+    {% endif %}
+
+    {% if server.params is defined %}
+    {% for param in server.params %}
+            {{param.key}} {{param.value}};
+    {% endfor %}
+    {% endif %}
+
+    {% set server = server %}
+    {% for location in server.internal_locations %}
+    {% include "locations/%s.conf"|format(location.type) %}
+    {% if not loop.last %}
+
+
+    {% endif %}
+    {% endfor %}
+
+}
diff --git a/webserver/templates/ssl-certificate b/webserver/templates/ssl-certificate
new file mode 100644
index 0000000000000000000000000000000000000000..50f33900ae595e63558897e952ce0866a7eb0392
--- /dev/null
+++ b/webserver/templates/ssl-certificate
@@ -0,0 +1,3 @@
+    ssl_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
+    ssl_trusted_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
+    ssl_certificate_key {{server.private_key|default("/etc/ssl/acmebot/privkey/" + server.server_name + ".pem")}};
diff --git a/webserver/templates/tls-proxy.j2 b/webserver/templates/tls-proxy.j2
deleted file mode 100644
index 82ea4ff6894f86d670b553e3a9ece74c2fdeea10..0000000000000000000000000000000000000000
--- a/webserver/templates/tls-proxy.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-server {
-	listen		80;
-	server_name	{{ ansible_hostname }}.fsmpi.rwth-aachen.de;
-	return		301 https://$server_name$request_uri;
-}
-
-server {
-	listen		80;
-	listen		443 ssl;
-	server_name	{{ ansible_default_ipv4.address }};
-	ssl_certificate	/etc/ssl/private/chained-{{ ansible_hostname }}-2016.pem;
-	ssl_certificate_key	/etc/ssl/private/private-{{ ansible_hostname }}-2016.pem;
-	return		301 https://{{ ansible_hostname }}.fsmpi.rwth-aachen.de$request_uri;
-}
-
-server {
-	listen		443 ssl;
-	server_name	{{ ansible_hostname }}.fsmpi.rwth-aachen.de;
-	ssl_certificate	/etc/ssl/private/chained-{{ ansible_hostname }}-2016.pem;
-	ssl_certificate_key	/etc/ssl/private/private-{{ ansible_hostname }}-2016.pem;
-
-	location  / {
-		proxy_pass http://127.0.0.1:62000/;
-	}
-}
-
diff --git a/webserver/vars/buster.yml b/webserver/vars/buster.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8998f738e75c174f5d03b02cfe026d050ffc198d
--- /dev/null
+++ b/webserver/vars/buster.yml
@@ -0,0 +1,12 @@
+---
+# yamllint disable rule:line-length
+
+protocols:
+  modern: 'TLSv1.3'
+  intermediate: 'TLSv1.2 TLSv1.3'
+ciphers:
+  modern: null
+  intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+prefer_server_ciphers:
+  modern: false
+  intermediate: false
diff --git a/webserver/vars/fallback.yml b/webserver/vars/fallback.yml
new file mode 100644
index 0000000000000000000000000000000000000000..972a42e1450bb0ac279b0dd3b42025d07eb58702
--- /dev/null
+++ b/webserver/vars/fallback.yml
@@ -0,0 +1,12 @@
+---
+# yamllint disable rule:line-length
+
+protocols:
+  modern: 'TLSv1.2'
+  intermediate: 'TLSv1 TLSv1.1 TLSv1.2'
+ciphers:
+  modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+  intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
+prefer_server_ciphers:
+  modern: false
+  intermediate: true
diff --git a/webserver/vars/stretch.yml b/webserver/vars/stretch.yml
new file mode 100644
index 0000000000000000000000000000000000000000..972a42e1450bb0ac279b0dd3b42025d07eb58702
--- /dev/null
+++ b/webserver/vars/stretch.yml
@@ -0,0 +1,12 @@
+---
+# yamllint disable rule:line-length
+
+protocols:
+  modern: 'TLSv1.2'
+  intermediate: 'TLSv1 TLSv1.1 TLSv1.2'
+ciphers:
+  modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+  intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
+prefer_server_ciphers:
+  modern: false
+  intermediate: true
diff --git a/wordpress/defaults/main.yml b/wordpress/defaults/main.yml
index 4d3d5e4e35eebddc008cca1ea568b390bda03052..0501c3bca6830c03945aa8df940dcd6ca3cd7800 100644
--- a/wordpress/defaults/main.yml
+++ b/wordpress/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/wordpress/defaults/main.yml
+# file: wordpress/defaults/main.yml
 
 wordpress_web_root: /var/www
 
@@ -10,7 +10,11 @@ wordpress_group: wordpress
 
 wordpress_dbtype: mysql
 wordpress_dbhost: localhost
-wordpress_dbislocal: yes
+wordpress_dbislocal: true
 wordpress_dbname: "{{ wordpress_name }}"
 wordpress_dbuser: "{{ wordpress_name }}"
-wordpress_dbpassword: 
+wordpress_dbpassword: ''
+
+# mysql root login password
+# yamllint disable-line rule:line-length
+wordpress_db_password: "{{ lookup('passwordstore', 'db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} create=true length=20')}}"
diff --git a/wordpress/handlers/main.yml b/wordpress/handlers/main.yml
index a1d5ccf1a5cb678e7947fcf52bb129191d365b1e..b9ee0974507285cafcf4dba31bb97c3d6882524a 100644
--- a/wordpress/handlers/main.yml
+++ b/wordpress/handlers/main.yml
@@ -1,11 +1,14 @@
 ---
-# file: roles/wordpress/handlers/main.yml
+# file: wordpress/handlers/main.yml
 
 - name: reload systemd service files
-  command: systemctl daemon-reload
+  systemd:
+    daemon_reload: true
 
 - name: "restart uwsgi for {{ wordpress_name }}"
-  service: "name=wordpress-{{ wordpress_name }} state=restarted enabled=yes"
+  service:
+    name: "wordpress-{{ wordpress_name }}"
+    state: restarted
 
 - name: create tmpfiles
-  shell: systemd-tmpfiles --create
+  command: systemd-tmpfiles --create
diff --git a/wordpress/meta/main.yml b/wordpress/meta/main.yml
deleted file mode 100644
index 2324e43a8bb885912955537b9997c7f455060f01..0000000000000000000000000000000000000000
--- a/wordpress/meta/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# file: roles/wordpress/meta/main.yml
-
-dependencies:
-  - { role: uwsgi-php }
-  - { role: mysql }
diff --git a/wordpress/tasks/main.yml b/wordpress/tasks/main.yml
index afda9bac10902bca9f95429175dd5a66f6474856..bdd60541b6353cbd609e3c96bc674fceb8bd298a 100644
--- a/wordpress/tasks/main.yml
+++ b/wordpress/tasks/main.yml
@@ -1,41 +1,47 @@
 ---
-# file: roles/wordpress/tasks/main.yml
+# file: wordpress/tasks/main.yml
 
 - name: ensure we have aufs tools
-  apt: name=aufs-tools state=latest install_recommends=no
+  apt:
+    name:
+      - aufs-tools
+      - aufs-dkms
+    state: present
+    install_recommends: false
   tags:
-    - packages
     - wordpress
+    - webservices
 
-- name: ensure the wordpress package from backports is installed
-  apt: name=wordpress state=latest install_recommends=no default-release=jessie-backports
+- name: ensure the wordpress package is installed
+  apt:
+    name: wordpress
+    state: present
+    install_recommends: false
   tags:
-    - packages
     - wordpress
+    - webservices
 
 - name: "ensure group for {{ wordpress_name }} exists"
   group:
     name: "{{ wordpress_user }}"
     state: present
-    system: yes
+    system: true
   tags:
-    - users
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure user for {{ wordpress_name }} exists"
   user:
     name: "{{ wordpress_user }}"
     group: "{{ wordpress_group }}"
     state: present
-    system: yes
+    system: true
     shell: /usr/bin/nologin
     home: "{{ wordpress_web_root }}"
-    createhome: no
+    createhome: false
   tags:
-    - users
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the wordpress folders for {{ wordpress_name }} exists"
   file:
@@ -48,9 +54,10 @@
     - "{{ wordpress_name }}-files"
     - "{{ wordpress_name }}"
   tags:
-    - config
     - wordpress
+    - webservices
 
+# yamllint disable-line rule:line-length
 - name: "ensure local folders without write permissions for {{ wordpress_name }} exist"
   file:
     state: directory
@@ -61,13 +68,14 @@
   with_items:
     - wp-content
   tags:
-    - config
     - wordpress
+    - webservices
 
+# yamllint disable-line rule:line-length
 - name: "ensure local folders with write permissions for {{ wordpress_name }} exist"
   file:
     state: directory
-    mode: "u=rwx,g=rwx,o="
+    mode: "2750"
     owner: "{{ wordpress_user }}"
     group: "www-data"
     path: "{{ wordpress_web_root }}/{{ wordpress_name }}-files/{{ item }}"
@@ -78,39 +86,29 @@
     - wp-content/themes
     - wp-content/upgrade
   tags:
-    - config
     - wordpress
+    - webservices
 
+# yamllint disable-line rule:line-length
 - name: "ensure the directories for {{ wordpress_name }} are mounted above each other"
   mount:
     state: mounted
     fstype: aufs
     name: "{{ wordpress_web_root }}/{{ wordpress_name }}/"
-    opts: "br={{ wordpress_web_root }}/{{ wordpress_name }}-files/:/usr/share/wordpress"
+    # yamllint disable-line rule:line-length
+    opts: "br={{ wordpress_web_root }}/{{ wordpress_name }}-files/:/usr/share/wordpress,udba=reval"
     src: none
   tags:
-    - mount
-    - config
-    - wordpress
-
-- name: "ensure temporary directories for {{ wordpress_name }} exist"
-  lineinfile:
-    dest: "/etc/tmpfiles.d/10-wordpress-{{ wordpress_name }}.conf"
-    line: "d /run/uwsgi/app/wordpress-{{ wordpress_name }} 0775 {{ wordpress_user }} {{ wordpress_group }} - -"
-    create: yes
-  notify:
-  - create tmpfiles
-  tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the config for {{ wordpress_name }} exists"
   template:
     src: wp-config.php.j2
     dest: "{{ wordpress_web_root }}/{{ wordpress_name }}-files/wp-config.php"
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "get randomness for secrets for {{ wordpress_name }}"
   set_fact:
@@ -127,50 +125,19 @@
   template:
     src: secrets.php.j2
     dest: "{{ wordpress_web_root }}/{{ wordpress_name }}-files/secrets.php"
-    force: no
+    force: false
   tags:
-    - config
     - wordpress
+    - webservices
 
+# yamllint disable-line rule:line-length
 - name: "ensure wordpress can access javascript files that debian places somewhere else"
   file:
     src: /usr/share/javascript
     dest: "{{ wordpress_web_root }}/javascript"
     state: link
   tags:
-    - config
     - wordpress
+    - webservices
 
 - include: mysql.yml
-
-- name: "ensure the uwsgi.ini for {{ wordpress_name }} exists"
-  template:
-    src: wordpress.ini.j2
-    dest: "/etc/uwsgi/apps-available/wordpress-{{ wordpress_name }}.ini"
-  notify:
-    - "restart uwsgi for {{ wordpress_name }}"
-  tags:
-    - config
-    - wordpress
-
-- name: "ensure the unit file for {{ wordpress_name }} exists"
-  template:
-    src: wordpress.service.j2
-    dest: "/etc/systemd/system/wordpress-{{ wordpress_name }}.service"
-  notify:
-    - reload systemd service files
-    - "restart uwsgi for {{ wordpress_name }}"
-  tags:
-    - config
-    - wordpress
-    - service
-  
-- name: "ensure the service for {{ wordpress_name }} is running"
-  service:
-    name: "wordpress-{{ wordpress_name }}"
-    state: running
-    enabled: yes
-  tags:
-    - config
-    - wordpress
-    - service
diff --git a/wordpress/tasks/mysql.yml b/wordpress/tasks/mysql.yml
index baeb5cc7b61799a5e8eb9ff3a59ac4f31bfdecf9..a3616c3022ed36e03d0e080dc832bcfe925e5e2f 100644
--- a/wordpress/tasks/mysql.yml
+++ b/wordpress/tasks/mysql.yml
@@ -1,33 +1,24 @@
 ---
-# file: roles/wordpress/tasks/mysql.yml
-
-- name: "ensure php can talk with mysql"
-  apt: name=php5-mysql state=latest
-  tags:
-    - packages
-    - mysql
-    - wordpress
-
-- name: "get database password for {{ wordpress_name }}"
-  local_action: pass name="db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }}" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  #local_action: "pass store=FSMPI_PASSWORD_STORE_DIR name=db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} limit=True"
-  register: wordpress_db_login_password
+# file: wordpress/tasks/mysql.yml
+#
+- name: ensure php can talk with mysql
+  apt:
+    name: php-mysql
+    state: present
   tags:
-    - config
-    - password
     - wordpress
-    - mysql
+    - webservices
 
 - name: "ensure the database for {{ wordpress_name }} exists"
   mysql_db:
     name: "{{ wordpress_dbname }}"
     state: present
     login_user: root
-    login_password: "{{ wordpress_db_login_password.password }}"
+    login_password: "{{ wordpress_db_password }}"
+  no_log: true
   tags:
-    - mysql
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the database user for {{ wordpress_name }} exists"
   mysql_user:
@@ -35,10 +26,9 @@
     password: "{{ wordpress_dbpassword }}"
     state: present
     login_user: root
-    login_password: "{{ wordpress_db_login_password.password }}"
+    login_password: "{{ wordpress_db_password }}"
     priv: "{{ wordpress_dbname }}.*:ALL"
+  no_log: true
   tags:
-    - mysql
-    - config
     - wordpress
-
+    - webservices