diff --git a/README.md b/README.md
index b148314..f09655e 100644
--- a/README.md
+++ b/README.md
@@ -25,10 +25,15 @@ base__extra_packages: []
 base__add_ethz: true
 
 # add nonfree/firmware packages?
-base__pkg_non_free_firmware: false
-base__pkg_contrib: false
+base__pkg_non_free_firmware: true
+base__pkg_contrib: true
+
+# add security repo
 base__pkg_security: true
 
+# add Debian Volatile
+base__pkg_updates: true
+
 # optionaly print some OS vars
 base__print_os_vars: false
 
diff --git a/defaults/main.yml b/defaults/main.yml
index dd3dbab..f5183e5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,12 +5,17 @@ base__extra_packages: []
 # - bar
 
 # should we add additional package source?
-base__add_ethz: "{{ add_ethz }}"
+base__add_ethz: true
 # add nonfree/firmware packages?
-base__pkg_non_free_firmware: "{{ base_pkg_non_free_firmware }}"
-base__pkg_contrib: "{{ base_pkg_contrib }}"
+base__pkg_non_free_firmware: true
+base__pkg_contrib: true
+
+# add security repo
 base__pkg_security: true
 
+# add Debian Volatile
+base__pkg_updates: true
+
 # optionaly print some OS vars
 base__print_os_vars: "{{ print_os_vars }}"
 
@@ -25,7 +30,7 @@ base__upgrade_packages_to_latest_version: "{{ upgrade_packages_to_latest_version
 base__install_keychain: true
 
 # install vim as awesome command line editor
-base__install_vim: "{{ editor_is_vim }}"
+base__install_vim: true
 
 # directlink to keychain becaus RHEL do not provide it...
 _base__keychain_rpm: 'http://packages.psychotic.ninja/7/base/x86_64/RPMS//keychain-2.8.0-3.el7.psychotic.noarch.rpm'
@@ -34,25 +39,13 @@ _base__keychain_rpm: 'http://packages.psychotic.ninja/7/base/x86_64/RPMS//keycha
 # LEGACY VARS
 # ++ WILL BE REMOVED SOON ++
 # add eth zurich apt source
-add_ethz: true
-
 
 # do we want the latest package version or just upgrade manually?
 upgrade_packages_to_latest_version: false
 
-
-# we use vim!
-editor_is_vim: true
-
 # print os variables
 print_os_vars: false
 
-# do we want non-free firmware from eth zuerich?
-base_pkg_non_free_firmware: false
-
-# do we want contrib from eth zuerich?
-base_pkg_contrib: false
-
 # mailx for debian (recomended for unattended_upgrades role
 base__install_mailx: true
 
diff --git a/tasks/editor.yml b/tasks/editor.yml
index d13ecb9..b508487 100644
--- a/tasks/editor.yml
+++ b/tasks/editor.yml
@@ -5,7 +5,7 @@
     name: editor
     path: /usr/bin/vim.basic
   when:
-    - editor_is_vim | bool
+    - base__install_vim | bool
     - ansible_distribution != 'CentOS'
     - ansible_distribution != 'RedHat'
     - ansible_distribution != 'Archlinux'
@@ -17,7 +17,7 @@
     name: editor
     path: /usr/bin/vim
   when:
-    - editor_is_vim | bool
+    - base__install_vim | bool
     - ansible_distribution == 'CentOS'
     - ansible_distribution == 'RedHat'
     - ansible_distribution == 'Archlinux'
diff --git a/tasks/sources.yml b/tasks/sources.yml
index f261934..65a05f5 100644
--- a/tasks/sources.yml
+++ b/tasks/sources.yml
@@ -16,7 +16,7 @@
       - apt-transport-https
     state: present
 
-- name: add eth zurich apt (main)
+- name: add eth zurich apt for Debian > 10
   become: true
   ansible.builtin.template:
     src: "templates/apt.sources.list.j2"
@@ -25,6 +25,18 @@
     group: root
     owner: root
   notify: apt update
+  when: ansible_distribution_major_version > '10'
+
+- name: add eth zurich apt for Debian < 11
+  become: true
+  ansible.builtin.template:
+    src: "templates/apt.sources.list_legacy.j2"
+    dest: '/etc/apt/sources.list.d/debian_ethz_ch_debian.list'
+    mode: 0644
+    group: root
+    owner: root
+  notify: apt update
+  when: ansible_distribution_major_version < '11'
 
 - name: force all notified handlers to run at this point, not waiting for normal sync points
   ansible.builtin.meta: flush_handlers
diff --git a/templates/apt.sources.list.j2 b/templates/apt.sources.list.j2
index 039af60..68f2ba9 100644
--- a/templates/apt.sources.list.j2
+++ b/templates/apt.sources.list.j2
@@ -1,5 +1,6 @@
 # Debian mirror der ETH Zürich
 # https://debian.ethz.ch/
+# https://wiki.debianforum.de/Sources.list
 
 # HTTPS mirror:
 deb https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
@@ -21,7 +22,7 @@ deb-src https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
 
 {%- if base__pkg_security | bool -%}
 # Inofficial Security Mirror
-deb https://security.debian.ethz.ch/ {{ ansible_distribution_release }}/updates main
+deb https://security.debian.ethz.ch/ {{ ansible_distribution_release }}-security main
   {%- if base__pkg_contrib | bool -%}
     {{- ' contrib' -}}
   {%- endif -%}
@@ -29,7 +30,26 @@ deb https://security.debian.ethz.ch/ {{ ansible_distribution_release }}/updates
     {{- ' non-free' -}}
   {%- endif -%}
   {{- '\n' -}}
-deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main
+deb-src https://security.debian.ethz.ch/ {{ ansible_distribution_release }}-security main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n\n' -}}
+{%- endif -%}
+
+{%- if base__pkg_updates -%}
+deb https://debian.ethz.ch/debian stable-updates main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n' -}}
+deb-src https://debian.ethz.ch/debian {{ ansible_distribution_release }}-updates main
   {%- if base__pkg_contrib | bool -%}
     {{- ' contrib' -}}
   {%- endif -%}
diff --git a/templates/apt.sources.list_legacy.j2 b/templates/apt.sources.list_legacy.j2
new file mode 100644
index 0000000..a26f436
--- /dev/null
+++ b/templates/apt.sources.list_legacy.j2
@@ -0,0 +1,44 @@
+# Debian mirror der ETH Zürich
+# https://debian.ethz.ch/
+
+# HTTPS mirror:
+deb https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n' -}}
+deb-src https://debian.ethz.ch/debian {{ ansible_distribution_release }} main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n\n' -}}
+
+{%- if base__pkg_security | bool -%}
+# Inofficial Security Mirror
+deb https://security.debian.ethz.ch/ {{ ansible_distribution_release }}/updates main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n' -}}
+deb-src https://security.debian.ethz.ch/ {{ ansible_distribution_release }}/updates main
+  {%- if base__pkg_contrib | bool -%}
+    {{- ' contrib' -}}
+  {%- endif -%}
+  {%- if base__pkg_non_free_firmware | bool -%}
+    {{- ' non-free' -}}
+  {%- endif -%}
+  {{- '\n\n' -}}
+{%- endif -%}
+
+# Contact for proplems with the mirror:
+# https://readme.phys.ethz.ch/services/contact/
+# Or #isgphys on irc.phys.ethz.ch
diff --git a/vars/main.yml b/vars/main.yml
index 8a306d8..29bf3a3 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -61,5 +61,5 @@ base__linux_packages:
   - bzip2
   - jq
 
-playbook_version_number: 9014
+playbook_version_number: 9015
 playbook_version_path: 'base-packages_roles-ansible_github.version'