diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..b754eef
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,42 @@
+[submodule "roles/do1jlr.ranger"]
+ path = roles/do1jlr.ranger
+ url = https://github.com/roles-ansible/ansible_role_ranger.git
+[submodule "roles/do1jlr.dotfiles"]
+ path = roles/do1jlr.dotfiles
+ url = https://github.com/roles-ansible/ansible_role_dotfiles.git
+[submodule "roles/do1jlr.users"]
+ path = roles/do1jlr.users
+ url = https://github.com/roles-ansible/ansible_role_users.git
+[submodule "roles/do1jlr.auth"]
+ path = roles/do1jlr.auth
+ url = https://github.com/roles-ansible/ansible_role_auth.git
+[submodule "roles/do1jlr.base"]
+ path = roles/do1jlr.base
+ url = https://github.com/roles-ansible/ansible_role_base.git
+[submodule "roles/do1jlr.sshd"]
+ path = roles/do1jlr.sshd
+ url = https://github.com/roles-ansible/ansible_role_sshd.git
+[submodule "files/ssh_public_keys"]
+ path = files/ssh_public_keys
+ url = https://backwesen.de/ansible/ssh_public_keys.git
+[submodule "roles/do1jlr.ansible_version"]
+ path = roles/do1jlr.ansible_version
+ url = https://github.com/roles-ansible/ansible_role_versioncheck.git
+[submodule "roles/unattended_upgrades"]
+ path = roles/unattended_upgrades
+ url = https://github.com/jnv/ansible-role-unattended-upgrades.git
+[submodule "roles/do1jlr.nginx"]
+ path = roles/do1jlr.nginx
+ url = https://github.com/DO1JLR/ansible_role_nginx.git
+[submodule "roles/do1jlr.acmetool"]
+ path = roles/do1jlr.acmetool
+ url = https://github.com/DO1JLR/ansible_role_acmetool.git
+[submodule "roles/do1jlr.webhost"]
+ path = roles/do1jlr.webhost
+ url = https://github.com/DO1JLR/ansible_role_acmetool.git
+[submodule "roles/do1jlr.ntp"]
+ path = roles/do1jlr.ntp
+ url = https://github.com/roles-ansible/ansible_role_ntp.git
+[submodule "roles/do1jlr.admin_base"]
+ path = roles/do1jlr.admin_base
+ url = https://github.com/roles-ansible/ansible_admin_base_role.git
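Review bot: The `roles/do1jlr.webhost` entry points at `https://github.com/DO1JLR/ansible_role_acmetool.git`, the same url as `roles/do1jlr.acmetool` three entries above, so both submodules check out the same role (the pointer hunk for `roles/do1jlr.webhost` later in this diff records the same commit as acmetool). This reads like a copy-paste slip; either change the url to the webhost role's repository (`url = <webhost role repository url>`) or drop the entry, since neither role is referenced from site.yml. `files/ssh_public_keys` is the only submodule fetched from outside GitHub (`backwesen.de`); if it supplies the keys the user/auth roles install, keeping it pinned by commit rather than tracking a branch is what keeps that key set stable, and a one-line `# pinned by commit on purpose: authorized keys` comment above the entry would tell the next reader not to switch it to branch tracking.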
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..c8bbc93
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,8 @@
+---
+extends: default
+
+rules:
+ # 160 chars should be enough, but don't fail if a line is longer
+ line-length:
+ max: 160
+ level: warning
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..5f10bc1
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,29 @@
+[defaults]
+inventory = ./hosts.ini
+remote_user = ansible
+retry_files_enabled = false
+nocows = true
+
+log_path = $HOME/.ansible/ansible.log
+
+forks = 20
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = $HOME/.ansible/facts
+host_key_checking = false
+
+interpreter_python = /usr/bin/python3
+
+[ssh_connection]
+control_path = %(directory)s/%%h-%%r-%%p
+ssh_args = -o StrictHostKeyChecking=accept-new -o ControlMaster=auto -o ControlPersist=600s
+pipelining = true
+retries = 10
+
+[privilege_escalation]
+become_method = sudo
+become_user = root
+become_ask_pass = false
+
+[passwordstore_lookup]
+backend = gopass
diff --git a/files/ssh_public_keys b/files/ssh_public_keys
new file mode 160000
index 0000000..a4bc67b
--- /dev/null
+++ b/files/ssh_public_keys
@@ -0,0 +1 @@
+Subproject commit a4bc67b5659e47aa5b115c6768c859bcb50b7f08
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
new file mode 100644
index 0000000..8b7b6f9
--- /dev/null
+++ b/group_vars/all/vars.yml
@@ -0,0 +1,17 @@
+---
+# version check for all supported roles
+submodules_versioncheck: true
+
+# do1jlr.ntp
+ntp_set_time_zone: true
+ntp_servers:
+ - ntp3.hetzner.de iburst
+ - ntp2.hetzner.de iburst
+ - ntp1.hetzner.de iburst
+ - ptbtime1.ptb.de
+ - ptbtime3.ptb.de
+ - 1.pool.ntp.org iburst
+ - 2.pool.ntp.org iburst
+ - 3.pool.ntp.org iburst
+
+unattended_mail: "{{ lookup('community.general.passwordstore', 'other/ansible/do1jlr/unattended_mail') }}"
diff --git a/hosts.ini b/hosts.ini
new file mode 100644
index 0000000..4de7d20
--- /dev/null
+++ b/hosts.ini
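Review bot: `host_key_checking = false` in `[defaults]` switches off SSH host-key verification for every connection, which undercuts the `-o StrictHostKeyChecking=accept-new` given in `ssh_args` further down; as far as I recall the ssh connection plugin injects its own `-o StrictHostKeyChecking=no` when host_key_checking is off, and OpenSSH keeps the first value it sees for an option, so a changed host key would be accepted silently rather than rejected. If trust-on-first-use is the intent, drop the `host_key_checking = false` line (the default is true) and keep `accept-new` in `ssh_args`, which still admits unknown hosts on first contact but fails on a key change afterwards. A one-line comment above `ssh_args` such as `; host keys: trust on first use, fail on change` would make that policy explicit.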
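Review bot: In `ntp_servers` the two PTB entries (`ptbtime1.ptb.de`, `ptbtime3.ptb.de`) are the only ones without the `iburst` option while every Hetzner and pool.ntp.org entry carries it; if that is deliberate a comment should say why, otherwise append `iburst` to both for consistency. The `unattended_mail` value is resolved through a passwordstore lookup at evaluation time, so no secret lands in the file, which is the right choice; since `group_vars/all` is loaded for every play, a short comment noting that the lookup needs the gopass backend selected in ansible.cfg to be set up on the controller would spare a puzzling failure for someone running only a subset of site.yml.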
@@ -0,0 +1,2 @@
+[voc]
+localhost
diff --git a/roles/do1jlr.acmetool b/roles/do1jlr.acmetool
new file mode 160000
index 0000000..2590767
--- /dev/null
+++ b/roles/do1jlr.acmetool
@@ -0,0 +1 @@
+Subproject commit 25907677aaa7e9467bad04bf9576f460bf890da8
diff --git a/roles/do1jlr.admin_base b/roles/do1jlr.admin_base
new file mode 160000
index 0000000..7d430be
--- /dev/null
+++ b/roles/do1jlr.admin_base
@@ -0,0 +1 @@
+Subproject commit 7d430bec45e39dcc19f739f2f69669086d2fcdc2
diff --git a/roles/do1jlr.ansible_version b/roles/do1jlr.ansible_version
new file mode 160000
index 0000000..2bf5d7c
--- /dev/null
+++ b/roles/do1jlr.ansible_version
@@ -0,0 +1 @@
+Subproject commit 2bf5d7c4369a8213b42829b14f78920e9906d099
diff --git a/roles/do1jlr.auth b/roles/do1jlr.auth
new file mode 160000
index 0000000..1b60b7d
--- /dev/null
+++ b/roles/do1jlr.auth
@@ -0,0 +1 @@
+Subproject commit 1b60b7da3a50a9264a33bec13c9eab69e51a78db
diff --git a/roles/do1jlr.base b/roles/do1jlr.base
new file mode 160000
index 0000000..00fa283
--- /dev/null
+++ b/roles/do1jlr.base
@@ -0,0 +1 @@
+Subproject commit 00fa2834959d2279cf44b4dba04c760c3d1bcc42
diff --git a/roles/do1jlr.dotfiles b/roles/do1jlr.dotfiles
new file mode 160000
index 0000000..5cd1afc
--- /dev/null
+++ b/roles/do1jlr.dotfiles
@@ -0,0 +1 @@
+Subproject commit 5cd1afc65018125ee419917b9b87bb8d038f6fcc
diff --git a/roles/do1jlr.nginx b/roles/do1jlr.nginx
new file mode 160000
index 0000000..955cf7c
--- /dev/null
+++ b/roles/do1jlr.nginx
@@ -0,0 +1 @@
+Subproject commit 955cf7c6c825f4c0039bf71eae0f0138c9ea3ecd
diff --git a/roles/do1jlr.ntp b/roles/do1jlr.ntp
new file mode 160000
index 0000000..8d33019
--- /dev/null
+++ b/roles/do1jlr.ntp
@@ -0,0 +1 @@
+Subproject commit 8d330190c4052981bdb146136dc7f41071a66289
diff --git a/roles/do1jlr.ranger b/roles/do1jlr.ranger
new file mode 160000
index 0000000..ad75843
--- /dev/null
+++ b/roles/do1jlr.ranger
@@ -0,0 +1 @@
+Subproject commit ad758436369d3de02a5214e29464bfbaa233521e
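Review bot: `localhost` is declared as an explicit inventory host under `[voc]` without `ansible_connection=local`, and ansible.cfg in this same commit sets `remote_user = ansible`; once a host named localhost exists in inventory Ansible no longer substitutes its implicit local connection for that name, so I believe both the `hosts: localhost` play and the `hosts: all` plays in site.yml would try to SSH to 127.0.0.1 as `ansible` instead of running locally. If local execution is intended, make it explicit: `localhost ansible_connection=local`. If `[voc]` is meant to receive real hosts later and localhost is a placeholder, a `; placeholder until the voc hosts are added` comment above it would say so.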
diff --git a/roles/do1jlr.sshd b/roles/do1jlr.sshd
new file mode 160000
index 0000000..15b7867
--- /dev/null
+++ b/roles/do1jlr.sshd
@@ -0,0 +1 @@
+Subproject commit 15b7867a37e4036947de29c727075c4a75859e43
diff --git a/roles/do1jlr.users b/roles/do1jlr.users
new file mode 160000
index 0000000..9203f23
--- /dev/null
+++ b/roles/do1jlr.users
@@ -0,0 +1 @@
+Subproject commit 9203f239c66bb771ba2f9ad3639994200486c584
diff --git a/roles/do1jlr.webhost b/roles/do1jlr.webhost
new file mode 160000
index 0000000..2590767
--- /dev/null
+++ b/roles/do1jlr.webhost
@@ -0,0 +1 @@
+Subproject commit 25907677aaa7e9467bad04bf9576f460bf890da8
diff --git a/roles/unattended_upgrades b/roles/unattended_upgrades
new file mode 160000
index 0000000..ff35ee6
--- /dev/null
+++ b/roles/unattended_upgrades
@@ -0,0 +1 @@
+Subproject commit ff35ee6e1cd604bdd71437f73e2b912dd39a9a16
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..d33c613
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,19 @@
+---
+- name: Check if ansible is not to old
+ hosts: localhost
+ roles:
+ - {role: do1jlr.ansible_version, tags: [default, version, default, always], gather_facts: false}
+
+- name: General roles for all hosts
+ hosts: all
+ roles:
+ - {role: do1jlr.base, tags: [default, packages, base]}
+ - {role: do1jlr.ranger, tags: [packages, ranger]}
+ - {role: unattended_upgrades, tags: [default, unattended, unattended_upgrades, security], become: true, when: ansible_distribution == 'Debian'}
+ - {role: do1jlr.ntp, tags: [ntp]}
+
+- name: User specific roles for all hosts
+ hosts: all
+ roles:
+ - {role: do1jlr.admin_base, tags: [default, init, users, accounts, dotfiles]}
+ - {role: do1jlr.dotfiles, tags: [default, dotfiles]}
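Review bot: In the first play `gather_facts: false` sits inside the role entry for `do1jlr.ansible_version`, where it is not a play keyword; extra keys on a role-list entry become role parameters, so I believe the play still gathers facts and the role merely receives a variable called gather_facts. Move it up to the play level next to `hosts: localhost` (`  gather_facts: false`), and while there drop the duplicated `default` in `tags: [default, version, default, always]` and fix the play name to `Check if ansible is not too old`. The `become` and `when` keys on the `unattended_upgrades` entry in the second play are legitimate role keywords and are fine as written.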