diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9084a547..868cbfcc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,13 +1,62 @@
-image: python:3-slim
-
-before_script:
- - pip install ansible-lint
- - ansible-lint --version
-
 stages:
- - ansible-lint
+ - lint
+ - deploy-dry
+ - deploy
 
 ansible-lint:
- stage: ansible-lint
+ image: willhallonline/ansible:2.9-ubuntu-20.04
+ stage: lint
+ before_script:
+ - chmod 0755 /builds/mg/ansible
 script:
 - ansible-lint .
+ interruptible: true
+ allow_failure: true
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+
+markdown-lint:
+ stage: lint
+ image: pipelinecomponents/markdownlint:latest
+ script:
+ - mdl --style all --warnings .
+ interruptible: true
+ allow_failure: true
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+
+ansible-deploy-dry:
+ image: willhallonline/ansible:2.9-ubuntu-20.04
+ stage: deploy-dry
+ interruptible: false
+ before_script:
+ - chmod 0755 /builds/mg/ansible
+ - echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user
+ - chmod 0400 /builds/mg/ansible/id_rsa_ansible_user
+ script:
+ - ansible-playbook playbooks/base/0_master.yml playbooks/service/* -i inventory --check --limit production --vault-password-file $ansible_vault_pass
+ after_script:
+ - rm /builds/mg/ansible/id_rsa_ansible_user
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+ allow_failure: true
+
+ansible-deploy:
+ image: willhallonline/ansible:2.9-ubuntu-20.04
+ stage: deploy
+ interruptible: false
+ before_script:
+ - chmod 0755 /builds/mg/ansible
+ - echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user
+ - chmod 0400 /builds/mg/ansible/id_rsa_ansible_user
+ script:
+ - ansible-playbook playbooks/base/0_master.yml playbooks/service/* -i inventory --check --limit test --vault-password-file $ansible_vault_pass
+ after_script:
+ - rm /builds/mg/ansible/id_rsa_ansible_user
+ rules:
+ - if: $CI_COMMIT_BRANCH == 'master'
+ allow_failure: true
+
+# GitLab-CI-Vars
+# $ansible_vault_pass - Type: File
+# $id_rsa_ansible_user - Type: Variable
diff --git a/README.md b/README.md
index 06cbb38c..23dbcd88 100644
--- a/README.md
+++ b/README.md
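Review bot: In the `before_script` of `ansible-deploy-dry` and `ansible-deploy`, `echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user` creates the key file under the shell's default umask before `chmod 0400` tightens it, and the `rm` in `after_script` is the only thing that removes a production SSH key from a build directory the runner may keep between jobs (after_script may not run when a job is cancelled or times out). The trailing comment block already documents `$ansible_vault_pass` as a File-type variable, which is exactly how `--vault-password-file $ansible_vault_pass` consumes it; giving `$id_rsa_ansible_user` the same type removes the copy step entirely, e.g. `- chmod 0400 "$id_rsa_ansible_user"` in before_script and `--key-file "$id_rsa_ansible_user"` on the ansible-playbook line, with the `after_script` dropped. Failing that, add `- umask 077` before the echo so the file is never readable by other users on the runner. Two smaller points: `pipelinecomponents/markdownlint:latest` and `willhallonline/ansible:2.9-ubuntu-20.04` are mutable tags, so pinning the images that handle the key by digest would make the jobs reproducible; and `allow_failure: true` on `ansible-deploy-dry` means a failing `--check` run against `production` does not block the merge request, which seems to defeat the purpose of a dry-run gate.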
@@ -1,5 +1,8 @@
 # ansible_heimserver
+[![pipeline status](http://git.mgrote.net/mg/ansible/badges/master/pipeline.svg)](http://git.mgrote.net/mg/ansible/-/commits/master)
+
+
 ## Ansible KeePass Lookup Plugin aktualisieren
 ```bash
 pip install 'pykeepass>3.2.0' --user
@@ -31,7 +34,7 @@ default('GitLab-Runner') }}" <-- wenn Inhalt leer, dann default...
 `ansible-playbook-grapher --include-role-tasks tests/fixtures/with_roles.yml`
 ## example-cli
-`ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml`
+`ansible-playbook playbooks/base/0_master.yml -i inventory --key-file id_rsa_ansible_user --limit jenkins-test.grote.lan`
 ## install necessary collections
 `ansible-galaxy collection install -r requirements.yml`
diff --git a/ansible.cfg b/ansible.cfg
index f2a00f1a..d40fa117 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,6 +5,8 @@ retry_files_enabled = False
 roles_path = ./roles
 lookup_plugins = ./plugins/lookup
 collections_paths = ./ansible_collections
+private_key_file = ./id_rsa_ansible_user
+#vault_password_file = ./vault-pass.yml
 [inventory]
 [privilege_escalation]
diff --git a/group_vars/gitlabrunner.yml b/group_vars/gitlabrunner.yml
index 482a2724..c1fd21ec 100644
--- a/group_vars/gitlabrunner.yml
+++ b/group_vars/gitlabrunner.yml
@@ -18,3 +18,10 @@ docker_image: 'alpine'
 docker_volumes:
 - "/var/run/docker.sock:/var/run/docker.sock"
+ ### oefenweb.ufw
+ ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ from_ip: 192.168.2.0/24
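Review bot: `private_key_file = ./id_rsa_ansible_user` points every `ansible-playbook` run at a private key in the repository root, the same path the CI jobs in this commit write the key to; nothing in the commit shows `id_rsa_ansible_user` being excluded from version control, so a developer following the README's example ends up with the key inside a tracked directory. If it is not already covered, add `id_rsa_ansible_user` (and `vault-pass.yml`, named by the commented-out `vault_password_file` line) to `.gitignore`, and record the expectation next to the setting, e.g. `# written by CI / copied locally, never committed (see .gitignore)`. The section these keys belong to starts above the hunk.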
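Review bot: The new `ufw_rules` entry only narrows SSH to `192.168.2.0/24` if the role's default incoming policy is deny; that policy is not set in this hunk, so whether the rule restricts anything depends on values defined elsewhere. A one-line comment above `ufw_rules:` stating the assumption, e.g. `# relies on the default incoming policy being deny; otherwise this allow rule changes nothing`, would make the intent checkable, and if the default is not already deny it belongs in the same group vars. The added lines also appear to carry a leading space after the `+` marker, unlike the top-level keys added to `.gitlab-ci.yml` in this commit; if that indentation is real rather than a rendering artefact, `ufw_rules` will not parse as a top-level key next to `docker_volumes`.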