diff --git a/group_vars/all.yml b/group_vars/all.yml index 37c5f6d3..9febc7ef 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -16,14 +16,6 @@ public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - - username: munin - password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" - update_password: on_create - groups: root - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - username: ansible-user password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: on_create diff --git a/group_vars/docker.yml b/group_vars/docker.yml index f920ddd4..eb04d1c6 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -9,14 +9,6 @@ public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - - username: munin - password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" - update_password: on_create - groups: root, docker - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - username: ansible-user password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: on_create diff --git a/group_vars/proxmox.yml b/group_vars/proxmox.yml index d1d7ac41..e71840fc 100644 --- a/group_vars/proxmox.yml +++ b/group_vars/proxmox.yml @@ -16,14 +16,6 @@ public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - - username: munin - password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" - update_password: on_create - groups: root - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - username: ansible-user password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: on_create 
diff --git a/group_vars/proxmoxtest.yml b/group_vars/proxmoxtest.yml index c35af506..3cef2031 100644 --- a/group_vars/proxmoxtest.yml +++ b/group_vars/proxmoxtest.yml @@ -20,14 +20,6 @@ public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - - username: munin - password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" - update_password: on_create - groups: root - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - username: ansible-user password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: on_create diff --git a/host_vars/bastelstube-gui.grote.lan.yml b/host_vars/bastelstube-gui.grote.lan.yml index 37d10a7c..e46f91ca 100644 --- a/host_vars/bastelstube-gui.grote.lan.yml +++ b/host_vars/bastelstube-gui.grote.lan.yml @@ -26,14 +26,6 @@ public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - - username: munin - password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" - update_password: on_create - groups: root - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - username: ansible-user password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: on_create diff --git a/playbooks/0_setup.yml b/playbooks/0_setup.yml deleted file mode 100644 index 3cf616f3..00000000 --- a/playbooks/0_setup.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - - import_playbook: 1_bootstrap.yml - - import_playbook: base/apt_sources.yml - - import_playbook: 4_update_packages.yml - - import_playbook: 2_all.yml diff --git a/playbooks/1_bootstrap.yml b/playbooks/1_bootstrap.yml index c8592163..65773141 100644 --- a/playbooks/1_bootstrap.yml +++ b/playbooks/1_bootstrap.yml 
@@ -7,6 +7,8 @@ - { role: mgrote.users, tags: "user", become: yes} - { role: mgrote.r8152_kernel_module } - { role: mgrote.qemu_guest_agent } + - { role: mgrote.apt_manage_sources, tags: "apt_sources" } + - { role: mgrote.apt_update_packages, tags: "updates"} post_tasks: - name: Change user password become: true @@ -15,6 +17,7 @@ update_password: always password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}" + vars: ### reobertdebock.bootstrap bootstrap_user: mg diff --git a/playbooks/2_all.yml b/playbooks/2_all.yml index 51581be8..ccddba75 100644 --- a/playbooks/2_all.yml +++ b/playbooks/2_all.yml @@ -15,3 +15,4 @@ - import_playbook: base/monitoring.yml - import_playbook: base/remove_snapd.yml - import_playbook: base/unattended_upgrades.yml + - import_playbook: base/update_packages.yml diff --git a/playbooks/4_update_packages.yml b/playbooks/base/update_packages.yml similarity index 100% rename from playbooks/4_update_packages.yml rename to playbooks/base/update_packages.yml diff --git a/roles/mgrote.munin-node/defaults/main.yml b/roles/mgrote.munin-node/defaults/main.yml index 35323382..2723ad8e 100644 --- a/roles/mgrote.munin-node/defaults/main.yml +++ b/roles/mgrote.munin-node/defaults/main.yml @@ -1,4 +1,5 @@ --- + munin_user_group: root # group to which the user belongs munin_node_log: /var/log/munin/munin-node.log munin_node_pid: /var/run/munin/munin-node.pid munin_node_plugin_timeout: 60 # in sec diff --git a/roles/mgrote.munin-node/tasks/main.yml b/roles/mgrote.munin-node/tasks/main.yml index a6b26c06..b8074b34 100644 --- a/roles/mgrote.munin-node/tasks/main.yml +++ b/roles/mgrote.munin-node/tasks/main.yml @@ -1,6 +1,8 @@ --- - name: include install-tasks include_tasks: install.yml + - name: include user tasks + include_tasks: user.yml - name: include plugin-tasks include_tasks: additional.yml when: munin_node_plugins is defined 
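Review bot: The two role entries added to the bootstrap role list are formatted inconsistently: `- { role: mgrote.apt_manage_sources, tags: "apt_sources" }` has a space before the closing brace while `- { role: mgrote.apt_update_packages, tags: "updates"}` does not; write the second as `- { role: mgrote.apt_update_packages, tags: "updates" }` so the list reads uniformly. The play these lines belong to starts before the hunk. Separately, 2_all.yml in this same commit gains `import_playbook: base/update_packages.yml` (the renamed 4_update_packages.yml), so a run of 1_bootstrap followed by 2_all presumably updates packages twice; if that is intended, a short comment on the new role line saying why bootstrap also updates would save the next reader the question.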
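Review bot: `munin_user_group: root` defaults the monitoring account's primary group to root; tasks/user.yml passes this variable to `ansible.builtin.user` as `group:`, which is the primary group, so anything the munin user creates is group-owned by root. A dedicated group is the least-privilege default, e.g. `munin_user_group: munin  # primary group of the munin user; created by tasks/user.yml`, and hosts that really need root can still override the variable. Note also that tasks/main.yml includes user.yml after install.yml; if install.yml installs the distribution munin-node package (not visible here), that package may already have created the munin user with its own group, and the user task would then rewrite the primary group — worth confirming against the actual install tasks.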
diff --git a/roles/mgrote.munin-node/tasks/user.yml b/roles/mgrote.munin-node/tasks/user.yml
new file mode 100644
index 00000000..e6b41fce
--- /dev/null
+++ b/roles/mgrote.munin-node/tasks/user.yml
@@ -0,0 +1,26 @@
+---
+ - name: ensure group exists
+ become: true
+ ansible.builtin.group:
+ name: "{{ munin_user_group }}"
+ state: present
+
+ - name: ensure user exists
+ become: true
+ ansible.builtin.user:
+ name: munin
+ group: "{{ munin_user_group }}"
+ shell: /usr/sbin/nologin
+ create_home: no
+
+ - name: add user to sudoers
+ become: true
+ ansible.builtin.blockinfile:
+ path: /etc/sudoers
+ state: present
+ block: |
+ munin ALL=(ALL) NOPASSWD:ALL
+ validate: '/usr/sbin/visudo -cf %s'
+ backup: yes
+ marker_begin: munin-sudoers BEGIN
+ marker_end: munin-sudoers END
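Review bot: `munin ALL=(ALL) NOPASSWD:ALL` in the sudoers block gives the munin service account unrestricted passwordless root, so any plugin run by munin-node, or a compromise of the node process, is a full root compromise; `shell: /usr/sbin/nologin` does not limit that, because sudo is invoked by the running process rather than through a login shell. Restrict the rule to the exact commands the plugins need and put it in a drop-in `/etc/sudoers.d/munin` (mode 0440, `create: true`) instead of appending to /etc/sudoers itself; the visudo `validate` still applies to the drop-in. The per-host munin entries removed from group_vars/*.yml and host_vars/*.yml also carried `allow_passwordless_sudo: true`, so this is not a regression, but the role is now the single place to tighten it. Smaller points: `create_home: no` and `backup: yes` are YAML 1.1 truthy values — use `false`/`true` — and `system: true` marks the account as a system user.

```yaml
  - name: ensure user exists
    become: true
    ansible.builtin.user:
      # … unchanged: name, group, shell …
      create_home: false
      system: true

  - name: add user to sudoers
    become: true
    ansible.builtin.blockinfile:
      path: /etc/sudoers.d/munin
      create: true
      mode: "0440"
      state: present
      # placeholder: replace <PLUGIN_COMMANDS> with the exact commands the enabled plugins need
      block: |
        munin ALL=(ALL) NOPASSWD: <PLUGIN_COMMANDS>
      # … unchanged: validate …
      backup: true
      # … unchanged: marker_begin, marker_end …
```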