diff --git a/defaults/main.yaml b/defaults/main.yaml
new file mode 100644
index 0000000..ee7e9ef
--- /dev/null
+++ b/defaults/main.yaml
@@ -0,0 +1,20 @@
+timezone: Europe/Berlin
+
+debian_distribution: bullseye
+debian_components:
+ - main
+ - contrib
+ - non-free
+
+debian_mirror: http://deb.debian.org/debian
+
+debian_backports: false
+debian_backports_distribution: "{{debian_distribution}}-backports"
+
+debian_security: true
+debian_security_mirror: "{{debian_mirror}}-security"
+debian_security_distribution: "{{debian_distribution}}-security"
+
+debian_sources: true
+debian_backports_sources: "{{debian_sources}}"
+debian_security_sources: "{{debian_sources}}"
diff --git a/files/fish/global/fish_greeting.fish b/files/fish/global/fish_greeting.fish
new file mode 100644
index 0000000..488f4d6
--- /dev/null
+++ b/files/fish/global/fish_greeting.fish
@@ -0,0 +1,2 @@
+# disable greeting
+set fish_greeting
diff --git a/files/fish/global/fish_prompt.fish b/files/fish/global/fish_prompt.fish
new file mode 100644
index 0000000..1e82e1d
--- /dev/null
+++ b/files/fish/global/fish_prompt.fish
@@ -0,0 +1,27 @@
+# target format: user@host:~$
+function fish_prompt --description 'prompt'
+ # Just calculate this once, to save a few cycles when displaying the prompt
+ if not set -q __fish_prompt_hostname
+ set -g __fish_prompt_hostname (hostname|cut -d . -f 1)
+ end
+
+ set -l color_cwd
+ set -l suffix
+ switch $USER
+ case root toor
+ if set -q fish_color_cwd_root
+ set color_cwd $fish_color_cwd_root
+ else
+ set color_cwd $fish_color_cwd
+ end
+ set suffix '#'
+ case '*'
+ echo -n -s "$USER" @
+ set color_cwd $fish_color_cwd
+ set suffix '>'
+ end
+
+ set -g fish_prompt_pwd_dir_length 0
+
+ echo -n -s "$__fish_prompt_hostname" : (set_color $color_cwd) (prompt_pwd) (set_color normal) " $suffix "
+end
diff --git a/files/fish/global/fish_title.fish b/files/fish/global/fish_title.fish
new file mode 100644
index 0000000..3859bbf
--- /dev/null
+++ b/files/fish/global/fish_title.fish
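Review bot: In defaults/main.yaml, `debian_security_mirror` is derived by appending `-security` to `debian_mirror`, which only resolves for mirrors that publish the security archive at `<mirror>-security`; overriding `debian_mirror` with a local or partial mirror would silently point the security suite at a path that may not exist. Giving it its own literal default, `debian_security_mirror: http://deb.debian.org/debian-security`, lets the two be overridden independently. Both defaults use plain `http://`; apt still verifies the signed Release files, but a comment stating that this is deliberate (or a switch to `https://`) would help anyone auditing the role.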
@@ -0,0 +1,16 @@
+function fish_title
+ # Just calculate this once, to save a few cycles when displaying the prompt
+ if not set -q __fish_prompt_hostname
+ set -g __fish_prompt_hostname (hostname|cut -d . -f 1)
+ end
+
+ set -l suffix
+ switch $USER
+ case root toor
+ set suffix '#'
+ case '*'
+ set suffix '>'
+ end
+
+ echo -n -s "$USER" @ "$__fish_prompt_hostname" : (prompt_pwd) " $suffix $_"
+end
diff --git a/files/fish/root/root-shell-aliases.fish b/files/fish/root/root-shell-aliases.fish
new file mode 100644
index 0000000..7b7d286
--- /dev/null
+++ b/files/fish/root/root-shell-aliases.fish
@@ -0,0 +1,7 @@
+function aptitude-list-manually-installed --description 'list all manually installed packages without system packages'
+ aptitude search '!?priority(required) !?priority(important) ?installed !?automatic' $argv
+end
+
+function apt-tail-log --description 'tail the apt log'
+ tail -f /var/log/apt/term.log $argv
+end
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..c98cdb5
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,4 @@
+---
+
+- name: dconf update
+ command: dconf update
diff --git a/tasks/debian_packages.yaml b/tasks/debian_packages.yaml
new file mode 100644
index 0000000..11ccd5a
--- /dev/null
+++ b/tasks/debian_packages.yaml
@@ -0,0 +1,20 @@
+---
+
+- name: base packages
+ apt:
+ pkg: "{{ debian_base_packages }}"
+ when: debian_base_packages is defined
+
+- name: boot packages
+ apt:
+ pkg: "{{ debian_boot_packages }}"
+ when: debian_boot_packages is defined
+
+- name: common packages
+ apt:
+ pkg: "{{ debian_common_packages }}"
+
+- name: custom packages
+ apt:
+ pkg: "{{ debian_custom_packages }}"
+ when: debian_custom_packages is defined
diff --git a/tasks/debian_repos.yaml b/tasks/debian_repos.yaml
new file mode 100644
index 0000000..8e9d29a
--- /dev/null
+++ b/tasks/debian_repos.yaml
@@ -0,0 +1,15 @@
+---
+
+- name: required debian packages
+ apt:
+ pkg: python3-apt
+ state: present
+
+- name: apt sources.list
+ template:
+ src: sources.list.j2
+ dest: /etc/apt/sources.list
+
+- name: update apt cache
+ apt:
+ update_cache: yes
diff --git a/tasks/fish.yml b/tasks/fish.yml
new file mode 100644
index 0000000..67bf146
--- /dev/null
+++ b/tasks/fish.yml
@@ -0,0 +1,40 @@
+---
+
+- name: fish package
+ apt:
+ pkg: fish
+
+- name: fish config directory
+ file:
+ path: /etc/fish/conf.d
+ state: directory
+
+- name: fish config files
+ copy:
+ src: fish/global/
+ dest: /etc/fish/conf.d/
+ with_items:
+ - fish_title
+ - fish_prompt
+ - fish_greeting
+
+- name: fish package
+ package:
+ name: fish
+ when: not root_target_directory is defined
+
+# root user
+- name: fish root user config directory
+ file:
+ path: /root/.config/fish/conf.d/
+ state: directory
+
+- name: fish root user config files
+ copy:
+ src: fish/root/
+ dest: /root/.config/fish/conf.d/
+
+- name: fish shell for root user
+ user:
+ name: root
+ shell: /usr/bin/fish
diff --git a/tasks/hostname.yaml b/tasks/hostname.yaml
new file mode 100644
index 0000000..28b3ebb
--- /dev/null
+++ b/tasks/hostname.yaml
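Review bot: The `apt sources.list` task in tasks/debian_repos.yaml writes /etc/apt/sources.list without `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask and on whatever the file carried before. I would pin them with `owner: root`, `group: root` and `mode: "0644"`, and add `backup: true` so a bad render of the package sources can be rolled back. The `update apt cache` task uses the truthy `yes`; `update_cache: true` matches the booleans in defaults/main.yaml.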
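Review bot: In tasks/fish.yml the `fish config files` task loops over `with_items` but never references `item`, so the whole `fish/global/` directory is copied three times; drop the loop or use `src: "fish/global/{{ item }}.fish"`. The file also installs fish twice, once with `apt` and no guard and once with `package` under `when: not root_target_directory is defined`. The three root-user tasks write to /root and change root's login shell on the live system even when `root_target_directory` is set, unlike the hostname and keyboard tasks, and none of the `file`/`copy` tasks set `owner` or `mode`. Changing root's shell to `/usr/bin/fish` deserves a comment, since anything that logs in as root and expects a POSIX shell will behave differently.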
@@ -0,0 +1,47 @@
+---
+
+- setup:
+ gather_subset: '!all'
+ when: not root_target_directory is defined
+
+- apt:
+ pkg: dbus
+ state: present
+ when:
+ - not root_target_directory is defined
+ - ansible_os_family == "Debian"
+
+- name: hostname
+ hostname:
+ name: "{{inventory_hostname}}"
+ when: not root_target_directory is defined
+
+- name: etc directory
+ file:
+ path: "{{ root_target_directory }}/etc"
+ state: directory
+ when: root_target_directory is defined
+
+- name: hostname file
+ copy:
+ content: "{{inventory_hostname}}"
+ dest: "{{ root_target_directory }}/etc/hostname"
+ when: root_target_directory is defined
+
+- name: hosts file
+ file:
+ path: "{{ root_target_directory }}/etc/hosts"
+ state: touch
+ when: root_target_directory is defined
+
+- name: localhost ipv4 entry
+ lineinfile:
+ dest: "{{ root_target_directory | default('') }}/etc/hosts"
+ regexp: '^127\.0\.0\.1'
+ line: "127.0.0.1 localhost {{inventory_hostname}}"
+
+- name: localhost ipv6 entry
+ lineinfile:
+ dest: "{{ root_target_directory | default('') }}/etc/hosts"
+ regexp: '^::1'
+ line: "::1 localhost ip6-localhost ip6-loopback {{inventory_hostname}}"
diff --git a/tasks/keyboard_configuration.yaml b/tasks/keyboard_configuration.yaml
new file mode 100644
index 0000000..96bb788
--- /dev/null
+++ b/tasks/keyboard_configuration.yaml
@@ -0,0 +1,17 @@
+---
+
+- name: apt install console-setup
+ apt:
+ pkg: console-setup
+ when: not root_target_directory is defined
+
+- name: default directory
+ file:
+ path: "{{ root_target_directory | default('') }}/etc/default"
+ state: directory
+ when: root_target_directory is defined
+
+- name: keyboard configuration
+ template:
+ src: default-keyboard.j2
+ dest: "{{ root_target_directory | default('') }}/etc/default/keyboard"
diff --git a/tasks/main.yaml b/tasks/main.yaml
index dfa7383..9907227 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
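Review bot: The `lineinfile` patterns in tasks/hostname.yaml are not anchored after the address, so `'^127\.0\.0\.1'` also matches a line beginning `127.0.0.10` and would rewrite it; `regexp: '^127\.0\.0\.1\s'` and `regexp: '^::1\s'` limit the match to the loopback entries. The `hostname file` task writes `content: "{{inventory_hostname}}"` without a trailing newline, where `content: "{{ inventory_hostname }}\n"` is the usual form for /etc/hostname. `inventory_hostname` is used verbatim, so an inventory keyed by FQDN or IP address ends up as the local name in /etc/hosts; that is presumably intended but worth a comment. The first two tasks (`setup`, `apt`) have no `name`.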
@@ -1,39 +1,28 @@ --- # user setup -- import_role: - name: root_user -- import_role: - name: users -- import_role: - name: fish +- import_tasks: root_user +- import_tasks: fish # system setup -- import_role: - name: hostname +- import_tasks: hostname when: - not ansible_bender is defined - not container_type | default('') == 'podman' -- import_role: - name: locales -- import_role: - name: timezone + +- import_tasks: locales + +- import_tasks: timezone.yaml when: not ansible_bender is defined -- import_role: - name: keyboard_configuration + +- import_tasks: keyboard_configuration.yaml when: not ansible_bender is defined # packages setup -- import_role: - name: debian_repos +- import_tasks: debian_repos.yaml when: - ansible_distribution == "Debian" - not ansible_lsb.id is defined or ansible_lsb.id != "Raspbian" -- import_role: - name: debian_packages + +- import_tasks: debian_packages when: ansible_distribution == "Debian" -- import_role: - name: system_upgrade -- import_role: - name: unattended-upgrades - when: not ansible_bender is defined diff --git a/tasks/root_user.yaml b/tasks/root_user.yaml new file mode 100644 index 0000000..0196a8d --- /dev/null +++ b/tasks/root_user.yaml @@ -0,0 +1,28 @@ +--- + +- name: root user password + user: + name: root + password: "{{ root_password }}" + when: root_password is defined + +- name: root user ssh key + user: + name: root + generate_ssh_key: yes + ssh_key_type: ed25519 + when: + - root_ssh_key + - not root_target_directory is defined + +- name: root user ssh directory + file: + path: "{{ root_target_directory | default('') }}/root/.ssh" + state: directory + when: root_ssh_authorized_keys is defined + +- name: root user ssh authorized keys + template: + src: root_user_ssh_authorized_keys.j2 + dest: "{{ root_target_directory | default('') }}/root/.ssh/authorized_keys" + when: root_ssh_authorized_keys is defined diff --git a/tasks/timezone.yaml b/tasks/timezone.yaml new file mode 100644 index 0000000..b69e272 --- /dev/null 
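Review bot: Several `import_tasks` entries in tasks/main.yaml name files without an extension (`root_user`, `fish`, `hostname`, `locales`, `debian_packages`) while others carry `.yaml`; as far as I know `import_tasks` takes a literal path, so these should read `root_user.yaml`, `fish.yml`, `hostname.yaml` and `debian_packages.yaml`, and no `locales` task file is visible in this diff. The change also drops `system_upgrade` and `unattended-upgrades` with no replacement among the visible files, so hosts built from this role alone would no longer receive automatic security updates; please confirm that is handled elsewhere. The `users` import is removed without a counterpart as well.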
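Review bot: The `root user ssh directory` and `root user ssh authorized keys` tasks in tasks/root_user.yaml create /root/.ssh and authorized_keys without `owner` or `mode`, leaving the permissions to the remote umask; add `mode: "0700"` to the directory and `mode: "0600"` to the template, with `owner: root`. `when: root_ssh_key` has no default in defaults/main.yaml and will fail on an undefined variable, which `when: root_ssh_key | default(false)` avoids. The `password` argument of the `user` module expects an already-hashed value, so the task should carry a comment such as `# root_password must be a crypt(3) hash, e.g. via the password_hash filter`. That task also lacks the `root_target_directory` guard the ssh-key task has, so it changes the live root account during an image build.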
+++ b/tasks/timezone.yaml
@@ -0,0 +1,5 @@
+---
+
+- name: set timezone
+ timezone:
+ name: "{{timezone}}"
diff --git a/templates/default-keyboard.j2 b/templates/default-keyboard.j2
new file mode 100644
index 0000000..98282b0
--- /dev/null
+++ b/templates/default-keyboard.j2
@@ -0,0 +1,7 @@
+# KEYBOARD CONFIGURATION FILE
+# Consult the keyboard(5) manual page.
+XKBMODEL="pc105"
+XKBLAYOUT="de"
+XKBVARIANT="nodeadkeys"
+XKBOPTIONS="terminate:ctrl_alt_bksp"
+BACKSPACE="guess"
diff --git a/templates/root_user_ssh_authorized_keys.j2 b/templates/root_user_ssh_authorized_keys.j2
new file mode 100644
index 0000000..4cf51ef
--- /dev/null
+++ b/templates/root_user_ssh_authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in root_ssh_authorized_keys %}
+{{ key }}
+{% endfor %}
diff --git a/templates/sources.list.j2 b/templates/sources.list.j2
new file mode 100644
index 0000000..a8f5fd8
--- /dev/null
+++ b/templates/sources.list.j2
@@ -0,0 +1,32 @@
+{{ ansible_managed | comment }}
+
+deb {{ debian_mirror }} {{ debian_distribution }} {{ debian_components | join(" ") }}
+{% if debian_sources %}
+deb-src {{ debian_mirror }} {{ debian_distribution }} {{ debian_components | join(" ") }}
+{% endif %}
+
+deb {{ debian_mirror }} {{ debian_distribution }}-updates {{ debian_components | join(" ") }}
+{% if debian_sources %}
+deb-src {{ debian_mirror }} {{ debian_distribution }}-updates {{ debian_components | join(" ") }}
+{% endif %}
+
+{% if debian_backports %}
+deb {{ debian_mirror }} {{ debian_backports_distribution }} {{ debian_components | join(" ") }}
+{% if debian_backports_sources %}
+deb-src {{ debian_mirror }} {{ debian_backports_distribution }} {{ debian_components | join(" ") }}
+{% endif %}
+{% endif %}
+
+{% if debian_security %}
+{% if debian_distribution == " stretch" or debian_distribution == "buster" %}
+deb http://security.debian.org/debian-security {{ debian_distribution }}/updates {{ debian_components | join(" ") }}
+{% if debian_security_sources %}
+deb-src http://security.debian.org/debian-security {{ debian_distribution }}/updates {{ debian_components | join(" ") }}
+{% endif %}
+{% else %}
+deb {{ debian_security_mirror }} {{ debian_security_distribution }} {{ debian_components | join(" ") }}
+{% if debian_security_sources %}
+deb-src {{ debian_security_mirror }} {{ debian_security_distribution }} {{ debian_components | join(" ") }}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/vars/main.yaml b/vars/main.yaml
new file mode 100644
index 0000000..add90a4
--- /dev/null
+++ b/vars/main.yaml
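Review bot: The legacy-suite test in templates/sources.list.j2 compares against `" stretch"` with a leading space, so it can never match `stretch`; such hosts fall through to the `{% else %}` branch and get a `stretch-security` suite instead of `stretch/updates`. The condition should read `{% if debian_distribution in ["stretch", "buster"] %}` (whitespace on this page is collapsed, so confirm the space is in the committed file). The legacy branch also hard-codes `http://security.debian.org/debian-security` and ignores `debian_security_mirror`, so a mirror override only takes effect for newer releases. A wrong security line either breaks `apt update` or leaves the host without security updates, so a rendered-output check per supported distribution would be worthwhile.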
@@ -0,0 +1,41 @@
+debian_common_packages:
+
+ # apt tools
+ - aptitude
+
+ # admin tools
+ - tmux
+ - rsync
+ - lsof
+ - vim
+ - pv
+ - less
+ - psmisc
+
+ # editors
+ - nano
+
+ # network tools
+ - iputils-ping
+ - whois
+ - nmap
+ - tcpdump
+ - dnsutils
+
+ # documentation
+ - man-db
+
+ # tools
+ - unzip
+ - pwgen
+
+ # pipe tools
+ - socat
+ - jq
+ - jo
+
+ # languages
+ - python3
+ - python3-pip
+ - python3-setuptools
+ - golang
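Review bot: `debian_common_packages` in vars/main.yaml installs `nmap`, `tcpdump`, `socat`, `golang` and `python3-pip` on every host, and because the list lives in `vars/` rather than `defaults/` it cannot be trimmed from inventory or group vars. Scanning, packet-capture and relay tools plus a compiler toolchain are convenient on admin machines but widen the installed footprint on servers and containers that never need them. I would move the list to defaults/main.yaml and split the diagnostic and language packages into an opt-in list such as `debian_debug_packages: []`. The file also lacks the leading `---` that the task files use.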