diff --git a/.github/workflows/ansible-debian-stable.yml b/.github/workflows/ansible-debian-stable.yml
index 9630036..38a456d 100644
--- a/.github/workflows/ansible-debian-stable.yml
+++ b/.github/workflows/ansible-debian-stable.yml
@@ -7,8 +7,6 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '23 6 * */1 *'
 
 jobs:
   build:
diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml
index 7973217..ab63487 100644
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@@ -7,8 +7,6 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '42 6 * */1 *'
 
 jobs:
   build:
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
index ddb5b89..d4ad029 100644
--- a/.github/workflows/yamllint.yaml
+++ b/.github/workflows/yamllint.yaml
@@ -7,8 +7,6 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '23 6 * */1 *'
 
 jobs:
   yamllint:
diff --git a/README.md b/README.md
index 09ee336..b148314 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ base__add_ethz: true
 # add nonfree/firmware packages?
 base__pkg_non_free_firmware: false
 base__pkg_contrib: false
+base__pkg_security: true
 
 # optionaly print some OS vars
 base__print_os_vars: false
diff --git a/defaults/main.yml b/defaults/main.yml
index 7caf875..dd3dbab 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,6 +9,7 @@ base__add_ethz: "{{ add_ethz }}"
 # add nonfree/firmware packages?
 base__pkg_non_free_firmware: "{{ base_pkg_non_free_firmware }}"
 base__pkg_contrib: "{{ base_pkg_contrib }}"
+base__pkg_security: true
 
 # optionaly print some OS vars
 base__print_os_vars: "{{ print_os_vars }}"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..14a521a
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: apt update
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+  when:
+    - ansible_pkg_mgr == "apt"
diff --git a/tasks/sources.yml b/tasks/sources.yml
index d7eea06..f261934 100644
--- a/tasks/sources.yml
+++ b/tasks/sources.yml
@@ -7,7 +7,7 @@
   when:
     - ansible_pkg_mgr == "apt"
 
-- name: Install requirements to add packages
+- name: Install requirements to add packages via https
   become: true
   ansible.builtin.apt:
     package:
@@ -18,30 +18,13 @@
 
 - name: add eth zurich apt (main)
   become: true
-  ansible.builtin.apt_repository:
-    repo: "deb https://debian.ethz.ch/debian/ {{ ansible_distribution_release }} main"
-    state: present
+  ansible.builtin.template:
+    src: "templates/apt.sources.list.j2"
+    dest: '/etc/apt/sources.list.d/debian_ethz_ch_debian.list'
     mode: 0644
-  when:
-    - not base__pkg_non_free_firmware | bool
-    - not base__pkg_contrib | bool
+    group: root
+    owner: root
+  notify: apt update
 
-- name: add eth zurich apt (main non-free)
-  become: true
-  ansible.builtin.apt_repository:
-    repo: "deb-src https://debian.ethz.ch/debian/ {{ ansible_distribution_release }} main non-free"
-    state: present
-    mode: 0644
-  when:
-    - base__pkg_non_free_firmware | bool
-    - not base__pkg_contrib | bool
-
-- name: add eth zurich apt (main contrib non-free)
-  become: true
-  ansible.builtin.apt_repository:
-    repo: "deb-src https://debian.ethz.ch/debian/ {{ ansible_distribution_release }} main contrib non-free"
-    state: present
-    mode: 0644
-  when:
-    - base__pkg_non_free_firmware | bool
-    - base__pkg_contrib | bool
+- name: force all notified handlers to run at this point, not waiting for normal sync points
+  ansible.builtin.meta: flush_handlers
diff --git a/templates/apt.sources.list.j2 b/templates/apt.sources.list.j2
new file mode 100644
index 0000000..039af60
--- /dev/null
+++ b/templates/apt.sources.list.j2
@@ -0,0 +1,44 @@
+# Debian mirror der ETH Zürich
+# https://debian.ethz.ch/
+
+# HTTPS mirror:
+deb https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n' -}}
+deb-src https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n\n' -}}
+
+{%- if base__pkg_security | bool -%}
+# Inofficial Security Mirror
+deb https://security.debian.ethz.ch/ {{ ansible_distribution_release }}/updates main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n' -}}
+deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n\n' -}}
+{%- endif -%}
+
+# Contact for proplems with the mirror:
+# https://readme.phys.ethz.ch/services/contact/
+# Or #isgphys on irc.phys.ethz.ch
diff --git a/vars/main.yml b/vars/main.yml
index bc76add..8a306d8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -61,5 +61,5 @@ base__linux_packages:
   - bzip2
   - jq
 
-playbook_version_number: 9012
+playbook_version_number: 9014
 playbook_version_path: 'base-packages_roles-ansible_github.version'