diff --git a/.woodpecker.yaml b/.woodpecker.yaml
new file mode 100644
index 0000000..53da633
--- /dev/null
+++ b/.woodpecker.yaml
@@ -0,0 +1,20 @@
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      submodule_override:
+        roles/gitea: https://dev.ccchb.de/ccchb/ansible-role-gitea.git
+
+when:
+  - event: push
+    branch: main
+  - event: push
+    branch: master
+
+steps:
+  - name: lint
+    image: alpine
+    commands:
+      - apk update
+      - apk add ansible-lint
+      - ansible-lint
diff --git a/README.md b/README.md
index af86f26..8b4ba61 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,9 @@
 # ansible
 
-CCC HB Ansible
+[![status-badge](https://ci.ccchb.de/api/badges/5/status.svg)](https://ci.ccchb.de/repos/5)
+
+CCCHB Ansible
 
 ## Deployment
 
-    ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml
+    ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index de756d2..9e29279 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -7,6 +7,8 @@ dovecot_users:
   zeltophil: '{BLF-CRYPT}$2y$05$rct9cKgRnB/X7tZW7MXNUeIfadqCRc..dCMG4DB1fZdefH1Qx6FAq'
   haecksen: '{BLF-CRYPT}$2y$05$e2R8ucHVPlZuI39Uy4iX3.EaRszPJ01itsPJfQa0FIeYzBuiGxUZW'
   ari: '{BLF-CRYPT}$2y$05$HixjVZIVDVBKy40ReKRKh.ewnuyNV/t84ANsOSjOuxz5BIgk/J7k6'
+  vorstand: '{BLF-CRYPT}$2y$05$Cw.dfEg54gvRIhT9bDCx1O7xS4TtWf/c7Hh9Owzaf23imfwltMd4e'
+  fritz: '{BLF-CRYPT}$2y$05$NFh8LBoHfkazQDy3iNiuWODSP.rib.jIEDyf/JUbyBnQbJ03FglI6'
 
 mlmmj_lists:
   - name: 'vorstand'
diff --git a/host_vars/brunn.ccchb.de.yml b/host_vars/brunn.ccchb.de.yml
new file mode 100644
index 0000000..f34a13b
--- /dev/null
+++ b/host_vars/brunn.ccchb.de.yml
@@ -0,0 +1,14 @@
+user_mgmt:
+  crest:
+    state: present
+    groups: sudo
+  fritz:
+    state: present
+    groups: sudo
+  humm:
+    state: present
+    groups: sudo
+  genofire:
+    state: present
+    groups: sudo
+
diff --git a/host_vars/emma.ccchb.de.yml b/host_vars/emma.ccchb.de.yml
index 320672d..5187c83 100644
--- a/host_vars/emma.ccchb.de.yml
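Review bot: Both container images in the new pipeline are unpinned — `image: woodpeckerci/plugin-git` and `image: alpine` resolve to whatever the default tag points at on each run, and `apk add ansible-lint` installs whatever version the Alpine index offers that day, so a lint result is not reproducible and the pipeline silently adopts upstream changes nobody reviewed. Pin the images to a tag or digest and the package to a version, e.g. `image: alpine:<PINNED_TAG>` and `apk add ansible-lint=<PINNED_VERSION>` with the placeholders replaced by versions you have checked. The two `when` entries differ only in the branch name; if the Woodpecker version in use accepts a list there, `branch: [main, master]` in one entry says the same thing in one place.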
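Review bot: The two new Dovecot password hashes, like the three existing ones, carry a bcrypt cost factor of 05 (`$2y$05$`), which is low for accounts reachable over IMAP; regenerating them with a higher rounds value (`doveadm pw -s BLF-CRYPT -r <ROUNDS>`) raises the cost of offline guessing should this file ever leak. Committing the hashes in plain `group_vars/mail.yml` also means every clone of the repository carries them — keeping the `dovecot_users` mapping in an ansible-vault-encrypted vars file preserves the same structure while limiting exposure. The single quotes around the values are correct and needed, since each value starts with `{`.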
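Review bot: The new file `host_vars/brunn.ccchb.de.yml` ends with an empty added line after the last `groups: sudo` and has no `---` document start, both of which the ansible-lint step introduced in this same commit may report through its yamllint rules; drop the trailing blank line and start the file with `---`. All four accounts are created with `groups: sudo`, which may well be intended, but a one-line comment such as `# every listed user is an administrator of brunn` states that where the values are edited, so a later reader does not take the repetition for copy-paste.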
+++ b/host_vars/emma.ccchb.de.yml
@@ -84,11 +84,15 @@ bhyve_guests:
       - DISKS
     disks:
       - name: system
+        virtio: true
+        virtio_slot: 8
         properties:
           volsize: 32g
           volblocksize: 4k
           primarycache: metadata
       - name: data
+        virtio: true
+        virtio_slot: 9
         properties:
           volsize: 128g
           volblocksize: 64k
@@ -179,6 +183,8 @@ bhyve_guests:
       - DISKS
     disks:
       - name: disk
+        virtio: true
+        virtio_slot: 8
         properties:
           volsize: 64g
           volblocksize: 64k
@@ -241,6 +247,8 @@ bhyve_guests:
       - DISKS
     disks:
       - name: disk
+        virtio: true
+        virtio_slot: 8
         properties:
           volsize: 128g
           volblocksize: 64k
diff --git a/hosts/00_brunn b/hosts/00_brunn
new file mode 100644
index 0000000..da0e00a
--- /dev/null
+++ b/hosts/00_brunn
@@ -0,0 +1,2 @@
+[brunn]
+brunn.ccchb.de
diff --git a/roles/bhyve-s6/tasks/main.yml b/roles/bhyve-s6/tasks/main.yml
index 1e75949..622ff0b 100644
--- a/roles/bhyve-s6/tasks/main.yml
+++ b/roles/bhyve-s6/tasks/main.yml
@@ -25,7 +25,7 @@
   label: 'bhyve-{{ item.0.name }}{{ item.1.name }}'
   with_nested:
     - '{{ bhyve_guests }}'
-    - '{{ bhyve_templates }}'
+    - '{{ bhyve_templates }}'
   notify:
     - Reload s6-rc
 
diff --git a/roles/bhyve-s6/templates/bhyve/env/DISKS.j2 b/roles/bhyve-s6/templates/bhyve/env/DISKS.j2
index 1abddda..70e4086 100644
--- a/roles/bhyve-s6/templates/bhyve/env/DISKS.j2
+++ b/roles/bhyve-s6/templates/bhyve/env/DISKS.j2
@@ -1,5 +1,5 @@
 {% set disks = [] %}
-{% for disk in item.0.disks %}
+{% for disk in item.0.disks if not disk.virtio|default(False) %}
 {{- disks.append("hd:/dev/zvol/"+bhyve_pool+"/bhyve/guests/"+item.0.name+"/"+disk.name) -}}
 {% endfor %}
 {{ disks | join(",") }}
diff --git a/roles/bhyve-s6/templates/bhyve/run.j2 b/roles/bhyve-s6/templates/bhyve/run.j2
index ebe1c38..57bbdd2 100644
--- a/roles/bhyve-s6/templates/bhyve/run.j2
+++ b/roles/bhyve-s6/templates/bhyve/run.j2
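Review bot: `virtio_slot: 8` and `virtio_slot: 9` are substituted verbatim by run.j2 into `-s "<slot>,virtio-blk,…"`, and nothing checks that the slots are unique within a guest or disjoint from the fixed slots that template already claims (0, 2, 3, 4, 29 and 31); a clash surfaces only when the VM fails to start. A comment beside the first use, `# virtio_slot must be unique per guest and must not reuse the fixed PCI slots 0, 2, 3, 4, 29, 31 from roles/bhyve-s6/templates/bhyve/run.j2`, puts the constraint where the values are edited. The same applies to the two later hunks in this file, which each add a slot 8 for a different guest.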
@@ -1,9 +1,9 @@
 #!/usr/local/bin/execlineb -P
-# {{ ansible_managed }}
+# {{ ansible_managed }}
 
 s6-envdir ./env
 multisubstitute {
-  importas -i -u NAME NAME
+  importas -i -u NAME NAME
   importas -i -u -s ORDER ORDER
   importas -i -u RAM RAM
   importas -i -u ROM ROM
@@ -15,7 +15,7 @@ multisubstitute {
 }
 
 backtick -n AHCI {
-  forx X { $ORDER }
+  forx X { $ORDER }
   importas X X
   importas Y $X
   echo -n ,$Y
@@ -29,25 +29,21 @@ foreground {
   fdmove -c 1 2 echo "bhyve-${NAME}: Starting VM ${NAME} with ${CPUS}
 s6-notifyoncheck -d -w 100 -n 70
 fdmove -c 2 1
-# Use a static password to make VNC clients happy
+{% macro bhyve_run(extra_args="") -%}
+bhyve -c "${CPUS}" -m "${RAM}" -w -A -P -H
+  -s "0,amd_hostbridge"
+  -s "2:0,ahci${AHCI}"
+  -s "3,virtio-net,${NIC}"
+  -s "4,virtio-rnd"
+  {% for disk in item.0.disks if disk.virtio|default(False) -%}
+  -s "{{ disk.virtio_slot }},virtio-blk,/dev/zvol/{{ bhyve_pool }}/bhyve/guests/{{ item.0.name }}/{{ disk.name }}"
+  {% endfor -%}
+  -s "31,lpc"
+  -l "com1,/dev/${COM}"
+  -l "bootrom,${ROM}"
+  {{ extra_args }} "${NAME}"
+{%- endmacro %}
 ifelse { test -n "$PASS" } {
-  bhyve -c "${CPUS}" -m "${RAM}" -w -A -P -H
-    -s "0,amd_hostbridge"
-    -s "2:0,ahci${AHCI}"
-    -s "3,virtio-net,${NIC}"
-    -s "4,virtio-rnd"
-    -s "29,fbuf,tcp=[::1]:${PORT},w=800,h=600,password=${PASS}"
-    -s "31,lpc"
-    -l "com1,/dev/${COM}"
-    -l "bootrom,${ROM}"
-    "${NAME}"
+  {{ bhyve_run('-s "29,fbuf,tcp=[::1]:${PORT},w=800,h=600,password=${PASS}"') }}
 }
-bhyve -c "${CPUS}" -m "${RAM}" -w -A -P -H
-  -s "0,amd_hostbridge"
-  -s "2:0,ahci${AHCI}"
-  -s "3,virtio-net,${NIC}"
-  -s "4,virtio-rnd"
-  -s "31,lpc"
-  -l "com1,/dev/${COM}"
-  -l "bootrom,${ROM}"
-  "${NAME}"
+{{ bhyve_run() }}
diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml
index 3b0f7f8..84617f8 100644
--- a/roles/postfix/vars/main.yml
+++ b/roles/postfix/vars/main.yml
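Review bot: `{{ disk.virtio_slot }}` inside the macro's disk loop has no default, so a disk entry carrying `virtio: true` but no `virtio_slot` renders as `-s ",virtio-blk,…"` and the guest fails at start-up with a bhyve error that does not point back at the inventory; `{{ disk.virtio_slot | mandatory }}` makes the template fail with the missing key named. The removed line `# Use a static password to make VNC clients happy` was the only explanation of why `password=${PASS}` is passed on the fbuf device and should be kept above the `ifelse { test -n "$PASS" }` line, since the call site no longer shows the option itself. With every disk of a guest marked `virtio: true`, DISKS.j2 now renders an empty list and the macro still emits `-s "2:0,ahci${AHCI}"` with no ports — confirm that bhyve accepts an AHCI controller with no devices, or emit that line only when `$AHCI` is non-empty. The `foreground` block this hunk starts in opens before the hunk.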
@@ -381,7 +381,7 @@ postfix_config:
 
   - name: tls_high_cipherlist
     value: |-
-      'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
     state: present
 
   - name: tls_ssl_options
diff --git a/users.yml b/users.yml
index 41abe04..d5fc2be 100644
--- a/users.yml
+++ b/users.yml
@@ -1,6 +1,6 @@
 ---
 - name: Perform user management
-  hosts: debian frab
+  hosts: debian frab brunn
   become: true
   tags: [user_mgmt]
   roles:
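Review bot: The old value passed the single quotes through the `|-` block scalar into main.cf, handing OpenSSL a cipher string that begins with `'`, which its cipher-list parser does not accept; the new unquoted value is right, but nothing in the role checks the rendered setting, so a future typo in this one long line would again break or weaken TLS without a failed task. After deploying, run `postconf tls_high_cipherlist` and feed the result to `openssl ciphers -v` to confirm the list parses and contains only the intended suites. A short comment above the entry, `# TLS 1.2 and below only: forward-secret (ECDHE/DHE) AEAD suites, no CBC`, records the criterion the eight listed suites share — adjust the wording if the surrounding config reflects other criteria I cannot see here.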