diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml
new file mode 100644
index 0000000..465ca22
--- /dev/null
+++ b/host_vars/file-blkr.blkr.netz.yml
@@ -0,0 +1,265 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: eno1 + # use only once per device (for the first device entry) + headline: eno1 - LAN + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + description: + address: 192.168.162.10 + netmask: 24 + gateway: 192.168.162.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.162.1 + search: blkr.netz + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_workgroup: BLKR + +samba_netbios_name: FILE-BLKR + +samba_groups: + - name: buero + group_id: 1100 + - name: verwaltung + group_id: 1110 + +samba_user: + - name: anya + groups: + - buero + - verwaltung + password: 'Mq9R.WhKtP4v' + - name: chris + groups: + - buero + - verwaltung + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 
63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + - name: josephine + groups: + - buero + - verwaltung + password: 'H7jnJ/m9W-bf' + - name: julius + groups: + - buero + - verwaltung + password: 'fx9j/3X-thPr' + - name: philip + groups: + - buero + - verwaltung + password: 'fN%749Psv_NR' + - name: buero1 + groups: + - buero + password: 'Mfr!7tK+d49C' + - name: buero2 + groups: + - buero + password: 'gW-wg3Pttf4/' + - name: buero3 + groups: + - buero + password: 'Qc-WyMhJ/3-2' + - name: referendariat + groups: + - buero + password: '4/zCNXnVF7+i' + - name: ref1 + groups: + - buero + password: '???' + +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +samba_shares: + + - name: buero + comment: Buero auf Fileserver + path: /data/samba/shares/buero + group_valid_users: buero + group_write_list: buero + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Verwaltung + comment: verwaltung auf Fileserver + path: /data/samba/shares/verwaltung + group_valid_users: verwaltung + group_write_list: verwaltung + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml new file mode 100644 index 0000000..48db083 --- /dev/null +++ b/host_vars/zapata.opp.netz.yml 
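Review bot: Most entries in `samba_user` store the account password as a plaintext string in host_vars, while the `chris` entry in the same list already uses `password: !vault |`. Anyone with read access to the repository or its history gets working file-server credentials, so every entry should use the vault form (or the list should move to a vault-encrypted vars file), and the values committed here should be treated as exposed and rotated. The `ref1` entry carries the placeholder `'???'`, which would be provisioned as a literal password if the role applies the value as-is. The `$6$` crypt hashes under `default_user` and `root_user` are also committed unencrypted and are open to offline guessing. The same points apply to the new `host_vars/zapata.opp.netz.yml`.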
@@ -0,0 +1,461 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: eno1 + # use only once per device (for the first device entry) + headline: eno1 - The primary network interface + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + description: + address: 192.168.62.10 + netmask: 24 + gateway: 192.168.62.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.62.1 + search: opp.netz + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_workgroup: OPP + +samba_netbios_name: ZAPATA + +samba_groups: + - name: buero + group_id: 1100 + - name: beratung + group_id: 1110 + - name: verwaltung + group_id: 1120 + + +samba_user: + + - name: almut + groups: + - buero + - beratung + - verwaltung + password: '20_opp6_15!' + + - name: andi + groups: + - buero + - beratung + password: 'D1dPWdPvopp4!' 
+ + - name: anna + groups: + - buero + - beratung + password: '20_anna#19!' + + - name: anne + groups: + - buero + - beratung + password: 'antilottka110' + + - name: anne-gr + groups: + - buero + password: '20:anne-gr:21' + + - name: birgit + groups: + - buero + - beratung + password: '6/shd9c2.cHE' + # passwort unbekannt + + - name: chris + groups: + - buero + - verwaltung + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + + - name: cristina + groups: + - buero + - beratung + password: '20_cristina_18!' + + - name: drucker + groups: + - buero + password: '20-printer-18' + + - name: elisabeth + groups: + - buero + - beratung + password: '20_elisabeth_18!' + + - name: evren + groups: + - buero + - beratung + password: '3v*ren_2020' + + - name: gudrun + groups: + - buero + - beratung + password: '20good+run18' + + - name: hannes + groups: + - buero + - beratung + password: 'U24Pdm-2' + + - name: ingmar + groups: + - buero + - beratung + password: '20_ingmar_16!' + + - name: jenny + groups: + - buero + - beratung + password: '20_jenn13_18!' + + - name: joschka + groups: + - buero + - beratung + password: '20_joschka_15' + + - name: josef + groups: + - buero + - beratung + password: 'P1nGu!N12345!' 
+ + - name: judith + groups: + - buero + - beratung + - verwaltung + password: '20judith14' + + - name: julian + groups: + - buero + - beratung + password: 'Jul14n_2018' + + - name: kyra + groups: + - buero + - beratung + password: 'kyra+burg*2021' + + - name: lavinia + groups: + - buero + - beratung + password: '20!lavinia*20' + + - name: marcus + groups: + - buero + - beratung + - verwaltung + password: '' + + - name: martin + groups: + - buero + - beratung + password: '20_martin_18' + + - name: nevena + groups: + - buero + - beratung + password: 'n3v3na*2020' + + - name: nuria + groups: + - buero + - beratung + password: 'Nur1a*0bs21' + + - name: oezge + groups: + - buero + - beratung + password: '20_oezge_18!' + + - name: opp + groups: + - buero + - beratung + - verwaltung + password: 'DaWirdIhnenGeholfen!' + + - name: opp2 + groups: + - beratung + password: 'antilottka110' + + - name: opp3 + groups: + - beratung + password: '20_martin_18' + + - name: opp6 + groups: + - buero + - beratung + - verwaltung + password: '20_opp6_15!' + + - name: opp7 + groups: + - buero + - beratung + - verwaltung + password: '20_opp6_19!' + + - name: philipp + groups: + - buero + - beratung + password: 'Adorno*2411' + + - name: praktikum + groups: + - buero + password: 'praktikant*in_00p' + + - name: simon + groups: + - buero + - beratung + password: '20_simon_18!' + + - name: tine + groups: + - buero + - beratung + password: 't!ne*2018' + + - name: vali + groups: + - buero + password: '20_valentina_18!' 
+ +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +samba_shares: + + - name: buero + comment: Büro auf Fileserver + path: /data/samba/OPP/buero + group_valid_users: buero + group_write_list: buero + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: beratung + comment: Beratung auf Fileserver + path: /data/samba/OPP/beratung + group_valid_users: beratung + group_write_list: beratung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: verwaltung + comment: Verwaltung auf Fileserver + path: /data/samba/OPP/verwaltung + group_valid_users: verwaltung + group_write_list: verwaltung + file_create_mask: !!str 0660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: backup + comment: Sicherungen User + path: /data/backup + browseable: !!str yes + read_only: !!str yes + writeable: !!str no + guest_ok: !!str no + file_create_mask: !!str 0664 + dir_create_mask: !!str 2775 + vfs_object_recycle: false + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/hosts b/hosts index 350a919..bdbb530 100644 --- a/hosts +++ b/hosts @@ -44,6 +44,8 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz +file-blkr.blkr.netz +zapata.opp.netz gw-replacement.local.netz gw-replacement2.local.netz @@ -221,6 +223,8 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz +file-blkr.blkr.netz +zapata.opp.netz gw-ckubu.local.netz 
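Review bot: The `marcus` entry in `samba_user` has `password: ''`. Depending on how roles/common/tasks/samba-user.yml handles an empty value (not visible here), this either breaks the run or provisions an account with an empty password, so the entry should get a vault-encrypted value or be left out until a password exists. Several accounts also carry identical password values (`almut`/`opp6`, `anne`/`opp2`, `martin`/`opp3`), which removes per-user accountability on the shares. The `# passwort unbekannt` comment under `birgit` suggests the stored value may not be the one in use, which is worth resolving before the role overwrites it.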
@@ -412,8 +416,16 @@ gw-ak.oopen.de # - Kanzlei Kiel gw-ah.oopen.de file-ah.kanzlei-kiel.netz + +# - Kanzlei Berenice file-km.anw-km.netz +# - Kanzlei BLKR +file-blkr.blkr.netz + +# OPP +zapata.opp.netz + # - Kanzlei EBS Leipzig gw-ebs.oopen.de @@ -664,7 +676,6 @@ cl-test.oopen.de # --- file-ah.kanzlei-kiel.netz -file-km.anw-km.netz [ftp_server] @@ -1080,6 +1091,8 @@ anita.wf.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz +file-blkr.blkr.netz +zapata.opp.netz [mumble_server] @@ -1162,6 +1175,8 @@ lxc-host-kb.anw-kb.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz +file-blkr.blkr.netz +zapata.opp.netz # - GA - Gemeinschaft Altensclirf ga-st-lxc1.ga.netz @@ -1291,6 +1306,8 @@ cl-test.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz +file-blkr.blkr.netz +zapata.opp.netz # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index 3e7ed65..f83f7f1 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -383,7 +383,7 @@ # - included in the entry. '*' and '?' can be used to specify multiple files or # - directories as in DOS wildcards. # - - veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/ + veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/ delete veto files = yes {% else %} diff --git a/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 b/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 index 94165be..92b0dc1 100644 --- a/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 +++ b/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 
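Review bot: In smb.conf.j2 the `.DS_Store` veto is added only to the `veto files` line that sits before the `{% else %}`, so shares rendered through the other branch (outside this hunk) presumably still accept and list `.DS_Store` files. If the intent is to block them on every share, that branch needs its own `veto files = /.DS_Store/`. The comment block above the setting still describes only the recycle directory and should mention the added pattern.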
@@ -27,7 +27,9 @@
 {% if count.samba_shares > 0 %}
 dir_permissions="
 {% for item in samba_shares | default([]) %}
+{% if 'backup' not in item.path %}
 {{ item.path }}:{{ item.group_write_list | default('root', true) }}:{{ item.file_create_mask|string | default('660', true) }}:{{ item.dir_create_mask | default('2770', true) }};
+{% endif %}
 {% endfor %}
 "
 {% endif %}
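Review bot: The new guard `{% if 'backup' not in item.path %}` is a substring test on the path, so any share whose path merely contains "backup" is silently dropped from `dir_permissions` and its ownership and modes are no longer enforced by the script. Matching the one intended share exactly is safer, e.g. `{% if item.name != 'backup' %}`, or an explicit per-share opt-out key that defaults to managing permissions. A short comment on why the backup share is excluded would also help, since the skip is otherwise invisible in the rendered config.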