diff --git a/Earthfile b/Earthfile
deleted file mode 100644
index 2c59020e3629b013557ab2756c6157cd226ba26a..0000000000000000000000000000000000000000
--- a/Earthfile
+++ /dev/null
@@ -1,26 +0,0 @@
-VERSION --use-copy-include-patterns 0.5
-
-install-deps:
-    FROM debian:stable@sha256:13db79e523a13e3e55b606128a4193d7b9ae788d0c11c95d6a6de0bd30aa3a14
-
-shorewall-deps:
-    FROM +install-deps
-    RUN apt update
-    RUN apt install shorewall shorewall6 ipset -y
-    USER root
-
-validate-shorewall:
-    FROM +shorewall-deps
-    RUN apt update
-    RUN apt install shorewall ipset -y
-    COPY ./roles/firewall/files/shorewall /tmp/shorewall
-    RUN --privileged shorewall check /tmp/shorewall
-
-validate-shorewall6:
-    FROM +shorewall-deps
-    COPY ./roles/firewall/files/shorewall6 /tmp/shorewall6
-    RUN --privileged shorewall6 check /tmp/shorewall6
-
-test:
-    BUILD +validate-shorewall
-    BUILD +validate-shorewall6
diff --git a/ansible.cfg b/ansible.cfg
index e70461d648115a530d6a1fc54d75a60fd51f22e0..4de30240018243bbea62068d6b2cf825ca5650c4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,20 +1,10 @@
 [defaults]
 remote_tmp = /tmp/.ansible-${USER}/tmp
 timeout = 30
-#ask_pass = True
-#ask_sudo_pass = False
-#nocows = 1
 retry_files_enabled = False
 interpreter_python=/usr/bin/python3
 remote_user = root
-callback_whitelist = foreman
 vault_password_file = /etc/ansible_vault_pw
 
 [ssh_connection]
 pipelining = True
-
-[callback_foreman]
-url = 'https://foreman.intern.teckids.org'
-ssl_cert = /etc/puppetlabs/puppet/ssl/certs/foreman.teckids.org.pem
-ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/foreman.teckids.org.pem
-verify_certs = 0
diff --git a/roles/common/files/csync2.cfg b/roles/common/files/csync2.cfg
deleted file mode 100644
index d9252638aa96770958a9fed59fa9b78713f360fc..0000000000000000000000000000000000000000
--- a/roles/common/files/csync2.cfg
+++ /dev/null
@@ -1,79 +0,0 @@
-# Csync2 Example Configuration File
-# ---------------------------------
-#
-# Please read the documentation:
-# http://oss.linbit.com/csync2/paper.pdf
-
-# group mygroup
-# {
-# 	host host1 host2 (host3);
-# 	host host4@host4-eth2;
-#
-# 	key /etc/csync2.key_mygroup;
-#
-# 	#
-# 	# WARNING:
-# 	# You CANNOT use paths containing a symlink
-# 	# component in include/exclude options!
-# 	#
-# 	# Here is a real-life example:
-# 	# Suppose you have some 64bit Linux systems
-# 	# and /usr/lib/ocf is what you want to keep
-#	# in sync. On 64bit Linux systems, /usr/lib
-# 	# is usually a symlink to /usr/lib64.
-# 	# This does not work:
-# 	#   include /usr/lib/ocf;
-# 	# But this does work:
-# 	#   include /usr/lib64/ocf;
-# 	#
-# 
-# 	include /etc/apache;
-# 	include %homedir%/bob;
-# 	exclude %homedir%/bob/temp;
-# 	exclude *~ .*;
-#
-# 	action
-# 	{
-# 		pattern /etc/apache/httpd.conf;
-# 		pattern /etc/apache/sites-available/*;
-# 		exec "/usr/sbin/apache2ctl graceful";
-# 		logfile "/var/log/csync2_action.log";
-# 		do-local;
-#		# you can use do-local-only if the execution
-#		# should be done locally only
-#		# do-local-only;
-# 	}
-#
-# 	# The backup-directory needs to be created first!
-# 	backup-directory /var/backups/csync2;
-# 	backup-generations 3;
-#
-# 	auto none;
-# }
-#
-# prefix homedir
-# {
-# 	on host[12]: /export/users;
-# 	on *:        /home;
-# }
-
-nossl * *;
-lock-timeout 60;
-
-group teckids-skole
-{
-	host desktop;
-	host skole-portable;
-	host skole-tarent;
-	host skole-hbrs;
-	host skole-rb;
-
-	key /etc/csync2.key_teckids-skole;
-
-	include /home;
-	exclude .git/index;
-	exclude /home/*/.cache;
-	exclude /home/*/.xsession-errors;
-
-	auto younger;
-}
diff --git a/roles/common/files/guacamole-noauth-config.xml b/roles/common/files/guacamole-noauth-config.xml
deleted file mode 100644
index e7abb35ff7a66e7e047244e8f602521c35d6bce8..0000000000000000000000000000000000000000
--- a/roles/common/files/guacamole-noauth-config.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<configs>
-  <config name="rdp" protocol="rdp">
-    <param name="hostname" value="localhost" />
-    <param name="port" value="3389" />
-    <param name="security" value="rdp" />
-  </config>
-  <config name="ssh" protocol="ssh">
-    <param name="hostname" value="localhost" />
-    <param name="port" value="22" />
-  </config>
-</configs>
diff --git a/roles/common/files/http-teckids-auth b/roles/common/files/http-teckids-auth
deleted file mode 100644
index f8a35b79a5c94a7619ca73055c459610bdd56456..0000000000000000000000000000000000000000
--- a/roles/common/files/http-teckids-auth
+++ /dev/null
@@ -1,12 +0,0 @@
-AuthName "Teckids-Account Login"
-
-# GSSAPI authentication
-AuthType Kerberos
-KrbServiceName http
-KrbSaveCredentials on
-KrbLocalUserMapping On
-
-# Forward to PAM if GSSAPI fails
-KrbAuthoritative off
-AuthBasicProvider PAM
-AuthPAMService apache2
diff --git a/roles/common/files/ldap.conf b/roles/common/files/ldap.conf
deleted file mode 100644
index cd675e7626a408ecc06c8957108c3189b3af3d13..0000000000000000000000000000000000000000
--- a/roles/common/files/ldap.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE	dc=teckids,dc=org
-URI	ldaps://db.teckids.org
-
-#SIZELIMIT	12
-#TIMELIMIT	15
-#DEREF		never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
-TLS_REQCERT	demand
-
-SASL_MECH	GSSAPI
diff --git a/roles/common/files/ldapvi.conf b/roles/common/files/ldapvi.conf
deleted file mode 100644
index 2ac98f9508fceaf0af84dd9cf636af0278eb9dd8..0000000000000000000000000000000000000000
--- a/roles/common/files/ldapvi.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-profile default
-unpaged-help: yes
-ldap-conf: yes
-bind: sasl
diff --git a/roles/common/files/ltsp-build-client.conf b/roles/common/files/ltsp-build-client.conf
deleted file mode 100644
index fc40a5ee54e0baf990166ae6451b8754d7ad6b9f..0000000000000000000000000000000000000000
--- a/roles/common/files/ltsp-build-client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Sat 02 April 16:02:00 CEST 2019 - Install new packages
-# Changes to this timestamp trigger a rebuild of the LTSP images.
-# Add a comment describing why you want to run a rebuild.
-
-ARCH=amd64
-FAT_CLIENT=True
-#DEBCONF_SEEDS=/etc/ltsp/debconf.seeds
-MOUNT_PACKAGE_DIR=/var/cache/apt/archives
-EATMYDATA=True
-ENABLE_POPCON=True
-SQUASHFS_IMAGE=True
-PURGE_CHROOT=True
-LOCALE=de_DE.UTF-8
-COMPONENTS="main contrib non-free"
diff --git a/roles/common/files/ltsp-debconf.seeds b/roles/common/files/ltsp-debconf.seeds
deleted file mode 100644
index 7f8a8e6d1a3e7127b66fd0765d7479d576b2001f..0000000000000000000000000000000000000000
--- a/roles/common/files/ltsp-debconf.seeds
+++ /dev/null
@@ -1 +0,0 @@
-heimdal/realm heimdal/realm string TECKIDS.ORG
diff --git a/roles/common/files/monit/sssd b/roles/common/files/monit/sssd
deleted file mode 100644
index 4d8295a9b18c1a82be54cd2cea9afd9eab7e910b..0000000000000000000000000000000000000000
--- a/roles/common/files/monit/sssd
+++ /dev/null
@@ -1,5 +0,0 @@
-check process sssd pidfile "/run/sssd.pid"
-	start program = "/usr/sbin/service sssd start"
-	stop program = "/usr/sbin/service sssd stop"
-	if cpu > 20% for 2 cycles then restart
-	if 3 restarts within 10 cycles then timeout
diff --git a/roles/common/files/monitrc b/roles/common/files/monitrc
deleted file mode 100644
index cb8ed20f29f603569612e9f292814ac15add401b..0000000000000000000000000000000000000000
--- a/roles/common/files/monitrc
+++ /dev/null
@@ -1,6 +0,0 @@
-set alert root@teckids.org
-
-set httpd port 2812 and
-	use address localhost
-	allow localhost
-	
\ No newline at end of file
diff --git a/roles/common/files/redirect-root.conf b/roles/common/files/redirect-root.conf
deleted file mode 100644
index 901172ec642f0134b1d705a0df73a5281da4a4d9..0000000000000000000000000000000000000000
--- a/roles/common/files/redirect-root.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-<If "%{HTTP_HOST} == 'desktop.teckids.org'">
-        RedirectMatch ^/?$ https://desktop.teckids.org/guacamole/#/client/cmRwAGMAbm9hdXRo
-</If>
-<If "%{HTTP_HOST} == 'shell.teckids.org'">
-        RedirectMatch ^/?$ https://desktop.teckids.org/guacamole/#/client/c3NoAGMAbm9hdXRo
-</If>
-<If "%{HTTP_HOST} == 'mail.teckids.org'">
-        RedirectMatch ^/?$ https://commu-intern.teckids.org/roundcube
-</If>
-<If "%{HTTP_HOST} == 'otrs.teckids.org'">
-        RedirectMatch ^/?$ https://commu-intern.teckids.org/otrs
-</If>
-<If "%{HTTP_HOST} == 'wiki.teckids.org'">
-        RedirectMatch ^/?$ https://commu-intern.teckids.org/wiki
-</If>
-<If "%{HTTP_HOST} == 'lists.teckids.org'">
-        RedirectMatch ^/?$ https://commu-intern.teckids.org/wws
-</If>
-
diff --git a/roles/common/files/sssd.conf b/roles/common/files/sssd.conf
deleted file mode 100644
index 3578f6159eb3bf8e1fd8b59132583af2767bbd1b..0000000000000000000000000000000000000000
--- a/roles/common/files/sssd.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss,pam,ssh,sudo
-domains = TECKIDS.ORG
-
-[nss]
-filter_users = root
-filter_groups = root
-
-[pam]
-
-[ssh]
-
-[sudo]
-
-[domain/TECKIDS.ORG]
-lookup_family_order = ipv6_first
-id_provider = ldap
-ignore_group_members = False
-ldap_uri = ldap://db.teckids.org
-ldap_search_base = dc=teckids,dc=org
-ldap_id_use_start_tls = true
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-ldap_tls_reqcert = demand
-ldap_sasl_mech = gssapi
-ldap_user_search_base = ou=People,dc=teckids,dc=org
-ldap_group_search_base = ou=Groups,dc=teckids,dc=org
-ldap_schema = rfc2307
-ldap_account_expire_policy = shadow
-ldap_pwd_policy = shadow
-ldap_access_order = filter, expire
-ldap_user_ssh_public_key = sshAuthorizedKey
-auth_provider = krb5
-chpass_provider = krb5
-cache_credentials = true
-krb5_server = db.teckids.org
-krb5_realm = TECKIDS.ORG
-krb5_renewable_lifetime = 7d
-krb5_renew_interval = 3600
-sudo_provider = ldap
-ldap_sudo_search_base = ou=SUDOers,dc=teckids,dc=org
diff --git a/roles/common/files/update-kernels.conf b/roles/common/files/update-kernels.conf
deleted file mode 100644
index 4aff4775275abfdfab03f595ac0b657c41b8230e..0000000000000000000000000000000000000000
--- a/roles/common/files/update-kernels.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-PXELINUX_DEFAULT=menu
-TIMEOUT=80
-ONTIMEOUT=ltsp-NBD
-BOOT_METHODS=NBD
-IAPPEND=3
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 5f94aba95bb1f7b6bfd360ca910c6134e3e3c904..85783fc87520da2d7d7a8de4f4484b6fd87e5867 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -11,7 +11,7 @@
       ssh-rsa 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 cardno:000612085137
 - name: Add backports
   ansible.builtin.apt_repository:
-    repo: deb http://deb.debian.org/debian/ bullseye-backports main
+    repo: deb http://deb.debian.org/debian/ bookworm-backports main
     state: present
     filename: 'backports'
   when: ansible_facts['distribution'] == 'Debian'
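Review bot: The backports suite is hard-coded to `bookworm-backports`, but the task's only condition is `ansible_facts['distribution'] == 'Debian'`, so a Debian host that has not yet been upgraded to bookworm would get a suite that does not match its release. Deriving the suite from facts keeps the two in step: `repo: "deb http://deb.debian.org/debian/ {{ ansible_facts['distribution_release'] }}-backports main"`. Separately, `apt_repository` with `state: present` only adds a line, so the earlier `bullseye-backports` entry probably stays in the `backports` list file on hosts that are already provisioned. A companion task with `state: absent` for the old line would remove it. The task list starts and continues outside this hunk.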
@@ -191,6 +191,10 @@
     src: /etc/ansible/roles/common/files/rsyslog-server.conf
     dest: /etc/rsyslog.d/remote.conf
   when: ansible_facts['hostname'] == 'monitoring'
+- name: Configure relay host
+  ansible.builtin.lineinfile:
+    regexp: '^relayhost ='
+    line: 'relayhost = commu-intern.teckids.org'
 
 - name: Touch statefile
   ansible.builtin.file:
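Review bot: The added `Configure relay host` task has no `path:`, which `ansible.builtin.lineinfile` requires, so as written it will fail with a missing-argument error on every host that runs the `common` role. `relayhost` looks like a Postfix parameter, so presumably `path: /etc/postfix/main.cf` is intended; confirm this against the MTA the hosts actually run. The task also has no `when:`, so if the relay host `commu-intern.teckids.org` itself runs `common`, it would be configured to relay to itself, and a guard excluding that host is worth adding. Nothing in the hunk reloads the mail service after the line changes, so a `notify:` to a reload handler may be needed as well. The following `Touch statefile` task continues outside the hunk.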
diff --git a/roles/common/templates/icinga-agent.sh.j2 b/roles/common/templates/icinga-agent.sh.j2
deleted file mode 100644
index 3d997b6fa9d6dd50f0535897a419972912213895..0000000000000000000000000000000000000000
--- a/roles/common/templates/icinga-agent.sh.j2
+++ /dev/null
@@ -1,320 +0,0 @@
-
-
-#!/bin/bash
-
-# This generates and signs your required certificates. Please do not
-# forget to install the Icinga 2 package and your desired monitoring
-# plugins first.
-
-# Config from Director
-ICINGA2_NODENAME='{{ inventory_hostname }}'
-ICINGA2_CA_TICKET=$(curl -k -s -u teckids-icinga-api:{{ icinga_api_password }} -H 'Accept: application/json' -X GET "https://monitoring.teckids.org/icingaweb2/director/host/ticket?name={{ inventory_hostname }}")
-ICINGA2_PARENT_ZONE='master'
-ICINGA2_PARENT_ENDPOINTS=('monitoring.teckids.org,')
-ICINGA2_CA_NODE='monitoring.teckids.org'
-ICINGA2_GLOBAL_ZONES=('director-global')
-
-# Internal defaults
-: "${ICINGA2_OSFAMILY:=}"
-: "${ICINGA2_HOSTNAME:="$(hostname -f)"}"
-: "${ICINGA2_NODENAME:="${ICINGA2_HOSTNAME}"}"
-: "${ICINGA2_CA_NODE:=}"
-: "${ICINGA2_CA_PORT:=5665}"
-: "${ICINGA2_CA_TICKET:=}"
-: "${ICINGA2_PARENT_ZONE:=master}"
-: "${ICINGA2_PARENT_ENDPOINTS:=()}"
-: "${ICINGA2_GLOBAL_ZONES:=director-global}"
-: "${ICINGA2_DRYRUN:=}"
-: "${ICINGA2_UPDATE_CONFIG:=}"
-
-# Helper functions
-fail() {
-  echo "ERROR: $1" >&2
-  exit 1
-}
-
-warn() {
-  echo "WARNING: $1" >&2
-}
-
-info() {
-  echo "INFO: $1" >&2
-}
-
-check_command() {
-  command -v "$@" &>/dev/null
-}
-
-install_config() {
-  if [ -e "$1" ] && [ ! -e "${1}.orig" ]; then
-    info "Creating a backup at ${1}.orig"
-    cp "$1" "${1}.orig"
-  fi
-  echo "Writing config to ${1}"
-  echo "$2" > "${1}"
-}
-
-[ "$BASH_VERSION" ] || fail "This is a Bash script"
-
-errors=
-for key in NODENAME CA_NODE CA_PORT CA_TICKET PARENT_ZONE PARENT_ENDPOINTS; do
-  var="ICINGA2_${key}"
-  if [ -z "${!var}" ]; then
-    warn "The variable $var needs to be configured!"
-    errors+=1
-  fi
-done
-[ -z "$errors" ] || exit 1
-
-# Detect osfamily
-if [ -n "$ICINGA2_OSFAMILY" ]; then
-  info "Assuming supplied osfamily $ICINGA2_OSFAMILY"
-elif check_command rpm && ! check_command dpkg; then
-  info "This should be a RedHat system"
-  if [ -e /etc/sysconfig/icinga2 ]; then
-    # shellcheck disable=SC1091
-    . /etc/sysconfig/icinga2
-  fi
-  ICINGA2_OSFAMILY=redhat
-elif check_command dpkg; then
-  info "This should be a Debian system"
-  if [ -e /etc/default/icinga2 ]; then
-    # shellcheck disable=SC1091
-    . /etc/default/icinga2
-  fi
-  ICINGA2_OSFAMILY=debian
-elif check_command apk; then
-  info "This should be a Alpine system"
-  if [ -e /etc/icinga2/icinga2.sysconfig ]; then
-    # shellcheck disable=SC1091
-    . /etc/icinga2/icinga2.sysconfig
-  fi
-  ICINGA2_OSFAMILY=alpine
-else
-  fail "Could not determine your os type!"
-fi
-
-# internal defaults
-: "${ICINGA2_CONFIG_FILE:=/etc/icinga2/icinga2.conf}"
-: "${ICINGA2_CONFIGDIR:="$(dirname "$ICINGA2_CONFIG_FILE")"}"
-: "${ICINGA2_DATADIR:=/var/lib/icinga2}"
-: "${ICINGA2_SSLDIR_OLD:="${ICINGA2_CONFIGDIR}"/pki}"
-: "${ICINGA2_SSLDIR_NEW:="${ICINGA2_DATADIR}"/certs}"
-: "${ICINGA2_SSLDIR:=}"
-: "${ICINGA2_BIN:=icinga2}"
-
-case "$ICINGA2_OSFAMILY" in
-debian)
-  : "${ICINGA2_USER:=nagios}"
-  : "${ICINGA2_GROUP:=nagios}"
-  ;;
-redhat)
-  : "${ICINGA2_USER:=icinga}"
-  : "${ICINGA2_GROUP:=icinga}"
-  ;;
-alpine)
-  : "${ICINGA2_USER:=icinga}"
-  : "${ICINGA2_GROUP:=icinga}"
-  ;;
-*)
-  fail "Unknown osfamily '$ICINGA2_OSFAMILY'!"
-  ;;
-esac
-
-icinga_version() {
-  "$ICINGA2_BIN" --version 2>/dev/null | grep -oPi '\(version: [rv]?\K\d+\.\d+\.\d+[^\)]*'
-}
-
-version() {
-   echo "$@" | awk -F. '{ printf("%03d%03d%03d\n", $1,$2,$3); }'
-}
-
-# Make sure icinga2 is installed and running
-echo -n "check: icinga2 installed - "
-if version=$(icinga_version); then
-  echo "OK: $version"
-else
-  fail "You need to install icinga2!"
-fi
-
-if [ -z "${ICINGA2_SSLDIR}" ]; then
-  if [ -f "${ICINGA2_SSLDIR_OLD}/${ICINGA2_NODENAME}.crt" ]; then
-    info "Using old SSL directory: ${ICINGA2_SSLDIR_OLD}"
-    info "Because you already have a certificate in ${ICINGA2_SSLDIR_OLD}/${ICINGA2_NODENAME}.crt"
-    ICINGA2_SSLDIR="${ICINGA2_SSLDIR_OLD}"
-  elif [ $(version $version) -gt $(version 2.8) ]; then
-    info "Using new SSL directory: ${ICINGA2_SSLDIR_NEW}"
-    ICINGA2_SSLDIR="${ICINGA2_SSLDIR_NEW}"
-  else
-    info "Using old SSL directory: ${ICINGA2_SSLDIR_OLD}"
-    ICINGA2_SSLDIR="${ICINGA2_SSLDIR_OLD}"
-  fi
-fi
-
-if [ ! -d "$ICINGA2_SSLDIR" ]; then
-  mkdir "$ICINGA2_SSLDIR"
-  chown "$ICINGA2_USER.$ICINGA2_GROUP" "$ICINGA2_SSLDIR"
-fi
-
-if [ -f "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" ]; then
-  warn "ERROR: a certificate for '${ICINGA2_NODENAME}' already exists"
-  warn "Please remove ${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.??? in case you want a"
-  warn "new certificate to be generated and signed by ${ICINGA2_CA_NODE}"
-
-  if [ -z "${ICINGA2_UPDATE_CONFIG}" ] && [ -z "${ICINGA2_DRYRUN}" ]; then
-    warn "Aborting here, you can can call the script like this to just update config:"
-    info " ICINGA2_UPDATE_CONFIG=1 $0"
-    exit 1
-  fi
-elif [ -z "${ICINGA2_DRYRUN}" ]; then
-  if ! "$ICINGA2_BIN" pki new-cert --cn "${ICINGA2_NODENAME}" \
-    --cert "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" \
-    --csr "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.csr" \
-    --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key"
-  then fail "Could not create self signed certificate!"
-  fi
-
-  if ! "$ICINGA2_BIN" pki save-cert \
-    --host "${ICINGA2_CA_NODE}" \
-    --port "${ICINGA2_CA_PORT}" \
-    --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key" \
-    --trustedcert "${ICINGA2_SSLDIR}/trusted-master.crt"
-  then fail "Could not retrieve trusted certificate from host ${ICINGA2_CA_NODE}"
-  fi
-
-  if ! "$ICINGA2_BIN" pki request \
-    --host "${ICINGA2_CA_NODE}" \
-    --port "${ICINGA2_CA_PORT}" \
-    --ticket "${ICINGA2_CA_TICKET}" \
-    --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key" \
-    --cert "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" \
-    --trustedcert "${ICINGA2_SSLDIR}/trusted-master.crt" \
-    --ca "${ICINGA2_SSLDIR}/ca.crt"
-  then fail "Could not retrieve final certificate from host ${ICINGA2_CA_NODE}"
-  fi
-else
-  info "Would create certificates under ${ICINGA2_SSLDIR}, but in dry-run!"
-fi
-
-# Prepare Config Files
-content_config=$(cat << EOF
-/** Icinga 2 Config - proposed by Icinga Director */
-
-include "constants.conf"
-
-$([ "${ICINGA2_HOSTNAME}" != "${ICINGA2_NODENAME}" ] || echo '// ')const NodeName = "${ICINGA2_NODENAME}"
-
-include "zones.conf"
-include "features-enabled/*.conf"
-
-include <itl>
-include <plugins>
-include <plugins-contrib>
-include <manubulon>
-include <windows-plugins>
-include <nscp>
-EOF
-)
-
-endpoint_list=''
-for item in "${ICINGA2_PARENT_ENDPOINTS[@]}"; do
-  endpoint=$(echo "$item" | cut -d, -f1)
-  endpoint_list+="\"${endpoint}\", "
-done
-
-content_zones=$(cat << EOF
-/** Icinga 2 Config - proposed by Icinga Director */
-
-object Endpoint "${ICINGA2_NODENAME}" {}
-
-object Zone "${ICINGA2_NODENAME}" {
-  parent = "${ICINGA2_PARENT_ZONE}"
-  endpoints = [ "${ICINGA2_NODENAME}" ]
-}
-
-object Zone "${ICINGA2_PARENT_ZONE}" {
-  endpoints = [ ${endpoint_list%, } ]
-}
-EOF
-)
-
-for item in "${ICINGA2_PARENT_ENDPOINTS[@]}"; do
-  endpoint=$(echo "$item" | cut -d, -f1)
-  host=$(echo "$item" | cut -s -d, -f2)
-
-  content_zones+=$(cat << EOF
-
-object Endpoint "${endpoint}" {
-$([ -n "$host" ] && echo "  host = \"${host}\"" || echo "  //host = \"${endpoint}\"")
-}
-EOF
-)
-done
-
-for zone in "${ICINGA2_GLOBAL_ZONES[@]}"; do
-  content_zones+=$(cat << EOF
-
-object Zone "${zone}" {
-  global = true
-}
-EOF
-)
-done
-
-content_api="/** Icinga 2 Config - proposed by Icinga Director */
-
-object ApiListener \"api\" {"
-
-if [ "${ICINGA2_SSLDIR}" = "${ICINGA2_SSLDIR_OLD}" ]; then
-content_api+="
-  cert_path = SysconfDir + \"/icinga2/pki/${ICINGA2_NODENAME}.crt\"
-  key_path = SysconfDir + \"/icinga2/pki/${ICINGA2_NODENAME}.key\"
-  ca_path = SysconfDir + \"/icinga2/pki/ca.crt\"
-"
-fi
-content_api+="
-  accept_commands = true
-  accept_config = true
-}
-"
-
-if [ -z "${ICINGA2_DRYRUN}" ]; then
-  install_config "$ICINGA2_CONFIGDIR"/icinga2.conf "$content_config"
-  install_config "$ICINGA2_CONFIGDIR"/zones.conf "$content_zones"
-  install_config "$ICINGA2_CONFIGDIR"/features-available/api.conf "$content_api"
-
-  "$ICINGA2_BIN" feature enable api
-
-  "$ICINGA2_BIN" daemon -C
-
-  echo "Please restart icinga2:"
-  case "$ICINGA2_OSFAMILY" in
-  debian)
-    echo "  systemctl restart icinga2"
-    ;;
-  redhat)
-    echo "  systemctl restart icinga2"
-    ;;
-  alpine)
-    echo "  rc-service icinga2 restart"
-    ;;
-  *)
-    fail "Unknown osfamily '$ICINGA2_OSFAMILY'!"
-    ;;
-  esac
-else
-  output_code() {
-    sed 's/^/    /m' <<<"$1"
-  }
-  echo "### $ICINGA2_CONFIGDIR"/icinga2.conf
-  echo
-  output_code "$content_config"
-  echo
-  echo "### $ICINGA2_CONFIGDIR"/zones.conf
-  echo
-  output_code "$content_zones"
-  echo
-  echo "### $ICINGA2_CONFIGDIR"/features-available/api.conf
-  echo
-  output_code "$content_api"
-fi
diff --git a/roles/common/vars/common.yaml b/roles/common/vars/common.yaml
deleted file mode 100644
index b7e76cf01bd9b108766e7781dd5b7767179e729e..0000000000000000000000000000000000000000
--- a/roles/common/vars/common.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38303739653035666339616536383832353838626363323638366162346538343532303232336636
-3166303033666266383034356539616637383563653136660a333465636437306139376439626665
-38666431613064306561313638363666373265333734313036326635343837613231346430303033
-3535373731623231620a653733336265376566626236356530326264373366313130336566666638
-36613964306230356134343039653739346334396333656435643335336232333439353366396364
-3862663163646365333733653137356637653665666639353666
diff --git a/roles/gitlab_runner/templates/gitlab-runner-config.j2 b/roles/gitlab_runner/templates/gitlab-runner-config.j2
index 4df5aff21b86e667620926ca2112fd3f429e1d7f..3dbc6b1f41de5dd716c23d1bddd31b470ad7ac43 100644
--- a/roles/gitlab_runner/templates/gitlab-runner-config.j2
+++ b/roles/gitlab_runner/templates/gitlab-runner-config.j2
@@ -16,7 +16,7 @@ check_interval = 0
     [runners.cache.gcs]
   [runners.docker]
     tls_verify = false
-    image = "debian:bullseye"
+    image = "debian:bookworm"
     privileged = {{ gitlab_runner_privileged }}
     disable_entrypoint_overwrite = false
     oom_kill_disable = false
diff --git a/roles/teckids_hosted/tasks/main.yml b/roles/teckids_hosted/tasks/main.yml
deleted file mode 100644
index bf5b0c6228fa332391b59de10972a1c7ddfd3830..0000000000000000000000000000000000000000
--- a/roles/teckids_hosted/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: Configure relay host
-  ansible.builtin.lineinfile:
-    regexp: '^relayhost ='
-    line: 'relayhost = commu-intern.teckids.org'