diff --git a/playbooks/3_service/git.yml b/playbooks/3_service/git.yml
index 86582928..7f31daab 100644
--- a/playbooks/3_service/git.yml
+++ b/playbooks/3_service/git.yml
@@ -2,7 +2,11 @@
 - hosts: git
 roles:
 - role: geerlingguy.postgresql
- tags: "db"
+ tags:
+ - db
+ - postgres
+ - psql
+ - postgresql
 become: true
 - role: roles-ansible.gitea
 tags: "gitea"
diff --git a/roles/mgrote_user_setup/tasks/main.yml b/roles/mgrote_user_setup/tasks/main.yml
index c0995f31..ab300f97 100644
--- a/roles/mgrote_user_setup/tasks/main.yml
+++ b/roles/mgrote_user_setup/tasks/main.yml
@@ -109,8 +109,8 @@
 loop: "{{ dotfiles }}"
 - name: Ensure vundle-repository is cloned
- become: true
 become_user: "{{ item.user }}"
+ become: true
 ansible.builtin.git:
 repo: "{{ dotfiles_vim_vundle_repo_url }}"
 dest: "{{ item.home }}/.vim/bundle/Vundle.vim"
diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml
index 797d8e55..cde9e3a9 100644
--- a/roles/mgrote_users/tasks/main.yml
+++ b/roles/mgrote_users/tasks/main.yml
@@ -37,13 +37,25 @@
 loop: '{{ users }}'
 no_log: true
-- name: Ensure users are added to sudoers
- community.general.sudoers:
- name: "users-sudo-{{ item.username }}"
+# teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a
+# das modul erstellt die sudoers falsch:
+# richtig: ansible-user ALL=(ALL) NOPASSWD:ALL
+# falsch: ansible-user ALL=NOPASSWD: ALL
+# damit failed ansible wenn der become_user != ansible-user ist
+# mit Meldung:
+# TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.]
+# fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"}
+- name: Ensure users are added or removed to/from sudoers
+ ansible.builtin.blockinfile:
+ create: true
+ path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
 state: "{{ item.state | default('present') }}"
- user: "{{ item.username }}"
- commands: ALL
- nopassword: "{{ item.allow_passwordless_sudo }}"
+ block: |
+ {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL
+ validate: 'visudo -cf %s'
+ owner: root
+ group: root
+ mode: "0440"
 loop: '{{ users }}'
 when: item.allow_sudo|default(false) and item.allow_sudo is defined
 no_log: true
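Review bot: The unchanged `when: item.allow_sudo|default(false) and item.allow_sudo is defined` at the end of this task skips the task as soon as a user's `allow_sudo` is switched off, so a drop-in written to `/etc/sudoers.d/` on an earlier run stays in place and the grant is never revoked, although the task is now named "added or removed". One option is to drop the `when` and derive the state instead: `state: "{{ 'present' if (item.allow_sudo | d(false)) and (item.state | d('present')) == 'present' else 'absent' }}"`. `blockinfile` also manages only its own marked block, so a rule left in the same file by the previous `community.general.sudoers` task (which appears to have written the same path) would survive next to the new one; that is worth checking on hosts that ran the old task. Separately, sudo skips drop-in files whose names contain a `.` or end in `~`, so a username such as `first.last` would pass `visudo -cf` and still grant nothing. An assert on `item.username`, or a sanitised file name, would make that failure visible, particularly since `no_log: true` hides the task output.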