-rw-r--r--.gitignore6
-rw-r--r--ansible.cfg17
-rwxr-xr-xapply-role.sh10
-rw-r--r--chaos-at-home/generic.yaml (renamed from generic.yaml)0
-rw-r--r--elevate/generic.yaml5
-rw-r--r--environment.sh82
-rwxr-xr-xgpg/add-key.sh17
-rwxr-xr-xgpg/create-environment.sh40
-rwxr-xr-xgpg/get-vault-pass-2
-rwxr-xr-xgpg/get-vault-pass-chaos-at-home2
-rwxr-xr-xgpg/get-vault-pass-elevate2
-rwxr-xr-xgpg/get-vault-pass-spreadspace2
-rwxr-xr-xgpg/get-vault-pass.sh20
-rwxr-xr-xgpg/gpg2.sh10
-rwxr-xr-xgpg/list-keys.sh10
-rwxr-xr-xgpg/remove-keys.sh19
-rwxr-xr-xgpg/set-vault-pass.sh15
-rw-r--r--gpg/vault-keyring-chaos-at-home.gpgbin0 -> 37630 bytes
-rw-r--r--gpg/vault-keyring-elevate.gpgbin0 -> 37630 bytes
-rw-r--r--gpg/vault-keyring-spreadspace.gpg (renamed from gpg/vault-keyring.gpg)bin37014 -> 37014 bytes
-rw-r--r--gpg/vault-pass-chaos-at-home.gpg19
-rw-r--r--gpg/vault-pass-elevate.gpg19
-rw-r--r--gpg/vault-pass-spreadspace.gpg (renamed from gpg/vault-pass.gpg)0
-rw-r--r--group_vars/spreadspace/vars.yml4
-rw-r--r--group_vars/spreadspace/vault.yml10
-rw-r--r--inventory/group_vars/all/main.yml (renamed from group_vars/all/vars.yml)0
-rw-r--r--inventory/group_vars/elevate/main.yml (renamed from group_vars/elevate/vars.yml)0
-rw-r--r--inventory/group_vars/hetzner/main.yml (renamed from group_vars/hetzner/vars.yml)0
-rw-r--r--inventory/group_vars/k8s-emc/main.yml (renamed from group_vars/k8s-emc/vars.yml)0
-rw-r--r--inventory/group_vars/skillz/main.yml (renamed from group_vars/skillz/vars.yml)0
-rw-r--r--inventory/group_vars/spreadspace/main.yml8
-rw-r--r--inventory/host_vars/calypso.yml (renamed from host_vars/calypso.yml)0
-rw-r--r--inventory/host_vars/dione.yml (renamed from host_vars/dione.yml)0
-rw-r--r--inventory/host_vars/elesearch.yml (renamed from host_vars/elesearch.yml)0
-rw-r--r--inventory/host_vars/emc-master.yml (renamed from host_vars/emc-master.yml)0
-rw-r--r--inventory/host_vars/emc-stats.yml (renamed from host_vars/emc-stats.yml)0
-rw-r--r--inventory/host_vars/helene.yml (renamed from host_vars/helene.yml)0
-rw-r--r--inventory/host_vars/sk2013.yml (renamed from host_vars/sk2013.yml)0
-rw-r--r--inventory/host_vars/sk2016.yml (renamed from host_vars/sk2016.yml)0
-rw-r--r--inventory/host_vars/telesto.yml (renamed from host_vars/telesto.yml)0
-rw-r--r--inventory/host_vars/thetys.yml (renamed from host_vars/thetys.yml)0
-rw-r--r--inventory/hosts.ini (renamed from hosts.ini)54
-rw-r--r--roles/blackmagic-desktopvideo/defaults/main.yml4
-rw-r--r--roles/blackmagic-desktopvideo/tasks/main.yml2
-rw-r--r--spreadspace/generic.yaml5
-rw-r--r--spreadspace/group_vars/spreadspace.yml10
46 files changed, 345 insertions, 49 deletions
diff --git a/.gitignore b/.gitignore
index 808abb82..7324c79b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
-/log
-/gpg/vault-keyring.gpg~
*.pyc
*.retry
.*.sw?
+/log
+/gpg/vault-keyring-*.gpg~
+/.galaxy
/.cache/
+/artifacts/
diff --git a/ansible.cfg b/ansible.cfg
index f44889fd..8d436f20 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,19 +1,26 @@
[defaults]
-inventory = ./hosts.ini
-roles_path = ./roles:../roles
-remote_user = root
+inventory = ./inventory/hosts.ini
+roles_path = ./.galaxy:./roles
+nocows = 1
+
log_path = ./log
remote_tmp = /tmp/.ansible/tmp
-nocows=1
-vault_password_file = ./gpg/get-vault-pass.sh
+
+filter_plugins = ./filter_plugins
gathering = smart
fact_caching = jsonfile
fact_caching_connection = ./.cache/facts
fact_caching_timeout = 7200
+## this will be set by environment.sh
+#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadsprace
+## only try keys with matching vault-ids
+vault_id_match = True
+
var_compression_level = 9
+
[ssh_connection]
pipelining = True
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
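Review bot: The commented example under `## this will be set by environment.sh` points at `gpg/get-vault-pass-spreadsprace`, which does not match the `gpg/get-vault-pass-spreadspace` script added in this commit, so anyone uncommenting it gets a password client that does not exist. I would correct it to `#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadspace`. Since `vault_password_file` is removed here, the comment could also say that no vault secret is configured until environment.sh has been sourced.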
diff --git a/apply-role.sh b/apply-role.sh
index 3d39f345..a2b0ac4f 100755
--- a/apply-role.sh
+++ b/apply-role.sh
@@ -1,13 +1,15 @@
#!/bin/bash
-if [ -z "$1" ] || [ -z "$2" ] ; then
- echo "$0 <host(s)> <role>"
+if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
+ echo "$0 <environment> <host(s)> <role>"
exit 1
fi
+env="$1"
+shift
hosts="$1"
shift
role="$1"
shift
-echo "######## applying the role '$role' to host(s) '$hosts' ########"
-exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml
+echo "######## applying the role '$role' to host(s) '$hosts' in environment '$env' ########"
+exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ "$env/generic.yaml"
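Review bot: The `$@` on the `exec ansible-playbook` line is still unquoted, so extra arguments containing spaces or glob characters are re-split before they reach ansible-playbook, while the scripts under gpg/ were switched to `"$@"` in this same commit. I would write `exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" "$@" "$env/generic.yaml"`. A check such as `[ -f "$env/generic.yaml" ]` before the exec would also turn a mistyped environment into the usage message instead of an ansible-playbook error.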
diff --git a/generic.yaml b/chaos-at-home/generic.yaml
index d3b8de82..d3b8de82 100644
--- a/generic.yaml
+++ b/chaos-at-home/generic.yaml
diff --git a/elevate/generic.yaml b/elevate/generic.yaml
new file mode 100644
index 00000000..d3b8de82
--- /dev/null
+++ b/elevate/generic.yaml
@@ -0,0 +1,5 @@
+---
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/environment.sh b/environment.sh
new file mode 100644
index 00000000..38a38340
--- /dev/null
+++ b/environment.sh
@@ -0,0 +1,82 @@
+##
+## must be sourced in your interactive shell or by scripts before using vault files
+##
+
+print_error() {
+ echo "\033[1;31mERROR:\033[1;0m $1"
+}
+
+vault_environment__get() {
+ echo "${ANSIBLE_VAULT_IDENTITY_LIST}" | tr ',' '\n' | awk -F '@' '{ print($1) }' | sed '/^$/d'
+}
+
+vault_environment__set() {
+ unset ANSIBLE_VAULT_IDENTITY_LIST
+ for e in "$@"; do
+ vault_environment__activate $e
+ done
+}
+
+vault_environment__activate() {
+ if [ -z "$1" ]; then
+ print_error "please specify an environment"
+ return
+ fi
+
+ if [ ! -f "gpg/get-vault-pass-$1" ]; then
+ print_error "failed to activate environment: '$1' .. could not find password file 'gpg/get-vault-pass-$1'"
+ return
+ fi
+
+ for e in $(vault_environment__get); do
+ if [ "$1" = "$e" ]; then
+ return
+ fi
+ done
+
+ if [ -z "${ANSIBLE_VAULT_IDENTITY_LIST}" ]; then
+ export ANSIBLE_VAULT_IDENTITY_LIST="$1@gpg/get-vault-pass-$1"
+ else
+ export ANSIBLE_VAULT_IDENTITY_LIST="${ANSIBLE_VAULT_IDENTITY_LIST},$1@gpg/get-vault-pass-$1"
+ fi
+}
+
+vault_environment__deactivate() {
+ local new_list
+
+ if [ -z "$1" ]; then
+ print_error "please specify an environment"
+ return
+ fi
+
+ new_list=""
+ for e in $(vault_environment__get); do
+ if [ "$1" != "$e" ]; then
+ if [ -z "$new_list" ]; then
+ new_list="$e@gpg/get-vault-pass-$e"
+ else
+ new_list="$new_list,$e@gpg/get-vault-pass-$e"
+ fi
+ fi
+ done
+
+ if [ -z "$new_list" ]; then
+ unset ANSIBLE_VAULT_IDENTITY_LIST
+ else
+ export ANSIBLE_VAULT_IDENTITY_LIST="$new_list"
+ fi
+}
+
+op="$1"
+if [ -n "$op" ]; then
+ shift
+fi
+
+case $op in
+ activate|deactivate|set|get)
+ "vault_environment__$op" "$@"
+ ;;
+ *)
+ print_error "unknown operation: '$op'"
+ ;;
+esac
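Review bot: The error branches of `vault_environment__activate` and `vault_environment__deactivate` use a bare `return`, which hands back the status of the preceding `print_error` call (0), so a script that sources this file cannot tell that activation failed; `return 1` in those branches fixes that. The identity entries are built as `$1@gpg/get-vault-pass-$1`, a path relative to the current directory, and Ansible runs an executable vault password file as a client script, so the exported list resolves to whatever `gpg/get-vault-pass-NAME` exists in the directory ansible is later started from. Anchoring the path to the repository root, computed once from the location of the sourced file, would remove that dependency. Two smaller points: `print_error` writes to stdout and relies on `echo` interpreting `\033`, which bash's builtin does not do without `-e`, and `vault_environment__activate $e` inside `vault_environment__set` should be `vault_environment__activate "$e"`.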
diff --git a/gpg/add-key.sh b/gpg/add-key.sh
index 98e29174..82970a91 100755
--- a/gpg/add-key.sh
+++ b/gpg/add-key.sh
@@ -1,21 +1,28 @@
#!/bin/bash
if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ <keyfile> ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+if [ -z "$1" ]; then
echo "no keyfile specified, reading from stdin ..."
fi
-"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@"
if [ $? -ne 0 ]; then
- echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ echo -e "\nERROR: importing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg."
exit 1
fi
echo ""
-"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"
if [ $? -ne 0 ]; then
echo -e "\nERROR: reencrypting vault password file failed!"
- echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!"
exit 1
fi
echo "Successfully reencrypted vault password file!"
-echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
+echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg."
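Review bot: The re-encrypt step `get-vault-pass-$NAME | set-vault-pass.sh "$NAME"` cannot detect a failed decryption: gpg/get-vault-pass.sh, as changed in this commit, prints a fixed placeholder string and exits 0 when gpg2 fails, and `$?` after a pipeline reflects only set-vault-pass.sh in any case. If the operator cannot decrypt `vault-pass-$NAME.gpg`, the placeholder would be encrypted to all recipients and replace the real vault password. The same pipeline is in gpg/remove-keys.sh. I would read the secret into a variable first, through a decrypt path that exits non-zero on failure rather than falling back, and abort before calling set-vault-pass.sh when that step fails.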
diff --git a/gpg/create-environment.sh b/gpg/create-environment.sh
new file mode 100755
index 00000000..7ee5827b
--- /dev/null
+++ b/gpg/create-environment.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ <keyfile> ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+if [ -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ]; then
+ echo "environment '$NAME' already exists."
+ exit 0
+fi
+
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: importing key(s) failed."
+ exit 1
+fi
+
+
+### enable this as soon https://github.com/ansible/ansible/issues/18319 has landed
+#ln -s get-vault-pass- "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+cp "${BASH_SOURCE%/*}/get-vault-pass-" "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+
+echo ""
+echo "Please type in passphrase:"
+"${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: creating vault password file failed!"
+ exit 1
+fi
+echo ""
+echo "Successfully created vault password file!"
+echo " Don't forget to commit gpg/get-vault-pass-$NAME, gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg."
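Review bot: A failure after the `cp` of `get-vault-pass-` leaves the environment half-created: if `set-vault-pass.sh` fails, `get-vault-pass-$NAME` and the imported keyring stay behind, and the next run stops at `environment '$NAME' already exists.` with exit 0. I would either copy the wrapper only after `set-vault-pass.sh` has succeeded or remove it in the error branch, e.g. `rm -f "${BASH_SOURCE%/*}/get-vault-pass-$NAME"` before `exit 1`; the result of the `cp` itself is also unchecked. `$NAME` goes into file names unvalidated, so a guard such as `case "$NAME" in *[!A-Za-z0-9_-]*) echo "invalid environment name"; exit 1;; esac` would keep values containing `/`, `,` or `@` out of the paths and out of the identity list that environment.sh builds.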
diff --git a/gpg/get-vault-pass- b/gpg/get-vault-pass-
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
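Review bot: `${BASH_SOURCE##*/get-vault-pass-}` only strips the prefix when the script path contains a `/`; started as `bash get-vault-pass-elevate` from inside gpg/, the whole file name would be passed on as the environment, and `${BASH_SOURCE%/*}` would not yield a directory either. A one-line comment such as `# must be invoked with a path (gpg/get-vault-pass-NAME); the environment name is taken from the file name` would document the assumption. The identical copies get-vault-pass-chaos-at-home, get-vault-pass-elevate and get-vault-pass-spreadspace share this.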
diff --git a/gpg/get-vault-pass-chaos-at-home b/gpg/get-vault-pass-chaos-at-home
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-chaos-at-home
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-elevate b/gpg/get-vault-pass-elevate
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-elevate
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-spreadspace b/gpg/get-vault-pass-spreadspace
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-spreadspace
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
index 202c94f7..6cf2ff9a 100755
--- a/gpg/get-vault-pass.sh
+++ b/gpg/get-vault-pass.sh
@@ -1,2 +1,20 @@
#!/bin/bash
-gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment>"
+ exit 1
+fi
+NAME="$1"
+shift
+
+gpg2 --decrypt --batch --no-tty --quiet < "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg"
+
+# Ansible up to including 2.6 seems to have a bug which ignores the setting of 'vault_id_match = True'
+# in ansible.cfg (or the equivalent environment variable).
+#
+# To make it possible to use ansible-vault view as a textconv filter for git, we need to support
+# the case that some people do not have access to all vaults. So let's return an invalid
+# secret, and pretend success.
+if [ $? -ne 0 ]; then
+ echo This is my secret. There are many others like it, but this one is mine. My secret is my best friend. It is my life. I must master it as I must master my life. Without me, my secret is useless. Without my secret, I am useless. Please do not quote from movies when searching for a passphrase.
+ exit 0
+fi
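Review bot: The fallback after `gpg2 --decrypt` treats every failure as "no access to this vault": a missing `vault-pass-$NAME.gpg`, a mistyped environment name or a missing gpg2 binary also end in the placeholder and `exit 0`. Because the placeholder is a fixed string committed to the repository, any encrypt or rekey operation that takes its secret from this script while decryption is failing would presumably protect the data with a publicly known password. I would make the fallback visible with `echo "WARNING: could not decrypt vault-pass-$NAME.gpg, returning placeholder secret" >&2` before the placeholder line. I would also gate it behind an opt-in environment variable that only the git textconv setup sets, so normal runs exit non-zero.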
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
index 27435ab5..2c0f2157 100755
--- a/gpg/gpg2.sh
+++ b/gpg/gpg2.sh
@@ -1,2 +1,10 @@
#!/bin/bash
-exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-options --no-default-keyring --trust-model always $@
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@"
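Review bot: The new `exec gpg2` line no longer passes `--no-options`, which the removed line had, and nothing in the hunk says why. Without it the operator's own gpg.conf is read, so personal settings (an `encrypt-to` or `default-recipient` entry, for instance) can influence which keys the vault password is encrypted to and make results differ between operators. If that is intended it deserves a comment above the exec line; otherwise I would restore `--no-options` directly after `gpg2`. The usage text's `passwd on` (also in gpg/list-keys.sh) presumably should read `passed on`.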
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
index 4b010495..4166fa59 100755
--- a/gpg/list-keys.sh
+++ b/gpg/list-keys.sh
@@ -1,2 +1,10 @@
#!/bin/bash
-exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+exec "${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --list-keys "$@"
diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh
index 80ae1573..d5fd93c3 100755
--- a/gpg/remove-keys.sh
+++ b/gpg/remove-keys.sh
@@ -1,9 +1,16 @@
#!/bin/bash
if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ <key-id> [ <key-id> [ .. ] ] ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+if [ -z "$1" ]; then
echo "Please specify at least one key ID!"
echo ""
- echo "You can find out the key ID using the command: gpg/list-keys.sh"
+ echo "You can find out the key ID using the command: ${0%/*}/list-keys.sh $NAME"
echo ""
echo " Here is an example output:"
echo ""
@@ -18,18 +25,18 @@ if [ -z "$1" ]; then
exit 1
fi
-"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@
if [ $? -ne 0 ]; then
- echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg."
exit 1
fi
echo ""
-"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"
if [ $? -ne 0 ]; then
echo -e "\nERROR: reencrypting vault password file failed!"
- echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!"
exit 1
fi
echo "Successfully reencrypted vault password file!"
-echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
+echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg."
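Review bot: The call `"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@` leaves both expansions unquoted, unlike the matching line in gpg/add-key.sh, so an environment name or key argument containing whitespace or glob characters is re-split before it reaches gpg2. I would write it as `"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --delete-keys "$@"`. The `if` block that closes at the top of this hunk starts outside it.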
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh
index 1fb3426c..64191a37 100755
--- a/gpg/set-vault-pass.sh
+++ b/gpg/set-vault-pass.sh
@@ -1,6 +1,13 @@
#!/bin/bash
-keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment>"
+ exit 1
+fi
+NAME="$1"
+shift
+
+keyids=$("${BASH_SOURCE%/*}/list-keys.sh" "$NAME" --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
if [ -z "$keyids" ]; then
echo "ERROR: no keys to encrypt to, is the keyring empty?"
exit 1
@@ -12,9 +19,9 @@ for keyid in $keyids; do
done
-"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients
if [ $? -ne 0 ]; then
- rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ rm -f "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$"
exit 1
fi
-mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
+mv "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg"
diff --git a/gpg/vault-keyring-chaos-at-home.gpg b/gpg/vault-keyring-chaos-at-home.gpg
new file mode 100644
index 00000000..864ce7d3
--- /dev/null
+++ b/gpg/vault-keyring-chaos-at-home.gpg
Binary files differ
diff --git a/gpg/vault-keyring-elevate.gpg b/gpg/vault-keyring-elevate.gpg
new file mode 100644
index 00000000..161d61bc
--- /dev/null
+++ b/gpg/vault-keyring-elevate.gpg
Binary files differ
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring-spreadspace.gpg
index 8d2e0443..8d2e0443 100644
--- a/gpg/vault-keyring.gpg
+++ b/gpg/vault-keyring-spreadspace.gpg
Binary files differ
diff --git a/gpg/vault-pass-chaos-at-home.gpg b/gpg/vault-pass-chaos-at-home.gpg
new file mode 100644
index 00000000..b69478a6
--- /dev/null
+++ b/gpg/vault-pass-chaos-at-home.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPAQ//XhC91fRTgM2g8c9sPYLVakqUrr0ErQNWCUvKCRQxV3TA
+sxgKWdIpuam4mW7HkE96BHGB+qLd//lrq+LM3jCZFUHgGal1XyWgHwAoHNC0y8Cg
+5LKdVyGhDeeh8dSAs9pYouyfwUx3UTG9sFFcm5Nl7KFXP38VHA9ZyerUmC0g7t7F
+l5mQmtK+Nc+ZBrZ5+Yr79U/f1VeKaNX2qkDbBrQmO+VubZ4covr4S1amG34ymvlr
+2mLf+9wV8sGiOikZTzdDyCtO+32BpjuYvfoZnFRpTdCeKa0niFyrzvqFn6C0No9H
+zhIY/SDdfauzLIIvj6WODOW0H6ILVGJ0Eq9KGACTAka+98uhIunHB4MKpOBC01x9
+LLCiISodqIfQuuOHVz4jJqHAwq+MGm0vmoWOfqiNDnOnRCC2kJnMP9K/wynPmXdm
+eLSfOz9/8sOqW0MLL5Ugz0sZr9+5rdISlSf2/oa4ssJb3uUQwlSGkG+2MwD0dEMT
+wowZBJOrGhGtKxzLRzSsErkng/j/arW3NU9Rai9RIzfyUFjDND5SqnTBdWp+AZqc
+YGAeQ1hBTPQzYppx9qgF51p0rGzBmoB9/wC3Td0HavJaswtiwUL4/BATenoMzkG4
+KnB81ZFpkFW1Ze3XilFtmKXXqWpj7dURQ54D4moIwV2dk6dSCKmRumJVREKa5NvS
+vAHID0sr7R7BF4z/IrdElmrXa1HExsPAIkPLeyUeU8fkvToSJ009avz6f68hkWEp
+vR4hzN6Fe14HU4m9NP8Gn7HJsBnym8d93E8KVKcyEdCb9La1FfFHWm2Ado85Vll0
+EN/GMVhrD2sbX4Dz7+TCklx7n+hzZahankBgP4/1ZyTrrUyQvYNuczXPanckmrCV
+DQaYuh+RY1C4bRgQZy47nQzCsYqZpxyn6jH2LvWZWyN9xDuj6vPefphfawqv
+=MPgO
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass-elevate.gpg b/gpg/vault-pass-elevate.gpg
new file mode 100644
index 00000000..382a0e3a
--- /dev/null
+++ b/gpg/vault-pass-elevate.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+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=
+=fg/w
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass-spreadspace.gpg
index 20130b37..20130b37 100644
--- a/gpg/vault-pass.gpg
+++ b/gpg/vault-pass-spreadspace.gpg
diff --git a/group_vars/spreadspace/vars.yml b/group_vars/spreadspace/vars.yml
deleted file mode 100644
index 30011725..00000000
--- a/group_vars/spreadspace/vars.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-sshserver_root_keys: "{{ [ ssh_keys.equinox.spread ] | join('\n') }}"
-
-acmetool_account_email: equinox@spreadspace.org
diff --git a/group_vars/spreadspace/vault.yml b/group_vars/spreadspace/vault.yml
deleted file mode 100644
index 625cf08f..00000000
--- a/group_vars/spreadspace/vault.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32323866383432633535336666356561623133626164346637376531333330313938363639303763
-6665643638373736653863366537336432333662396638660a336564616431313330623065643733
-66326231663364303432623839363638303565646438373333653837633235373961656633366333
-6330393836653433610a386633343737646663313764356538653664336539366630313837323739
-38363165373462386230356338396662653634316534343738643438343132616132333238623333
-30313339653537643066343262373339336363333030353538326466653833313638356639316237
-39313632373831613161306535656133363266353133343865373561346266306538363935303538
-30313164356361613265613763616364316330663735653662643937666166316562633339363037
-3733
diff --git a/group_vars/all/vars.yml b/inventory/group_vars/all/main.yml
index 65417f03..65417f03 100644
--- a/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/main.yml
diff --git a/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/main.yml
index 1808db88..1808db88 100644
--- a/group_vars/elevate/vars.yml
+++ b/inventory/group_vars/elevate/main.yml
diff --git a/group_vars/hetzner/vars.yml b/inventory/group_vars/hetzner/main.yml
index 2e5c8b4a..2e5c8b4a 100644
--- a/group_vars/hetzner/vars.yml
+++ b/inventory/group_vars/hetzner/main.yml
diff --git a/group_vars/k8s-emc/vars.yml b/inventory/group_vars/k8s-emc/main.yml
index 6b1344ae..6b1344ae 100644
--- a/group_vars/k8s-emc/vars.yml
+++ b/inventory/group_vars/k8s-emc/main.yml
diff --git a/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/main.yml
index 4d8f679d..4d8f679d 100644
--- a/group_vars/skillz/vars.yml
+++ b/inventory/group_vars/skillz/main.yml
diff --git a/inventory/group_vars/spreadspace/main.yml b/inventory/group_vars/spreadspace/main.yml
new file mode 100644
index 00000000..cfe1ec2b
--- /dev/null
+++ b/inventory/group_vars/spreadspace/main.yml
@@ -0,0 +1,8 @@
+---
+sshserver_root_keys: "{{ [ ssh_keys.equinox.spread ] | join('\n') }}"
+
+acmetool_account_email: equinox@spreadspace.org
+
+blackmagic_desktopvideo_apt:
+ username: "streaming"
+ password: "{{ vault_spreadspace.blackmagic_desktopvideo_apt_password }}"
diff --git a/host_vars/calypso.yml b/inventory/host_vars/calypso.yml
index ff853586..ff853586 100644
--- a/host_vars/calypso.yml
+++ b/inventory/host_vars/calypso.yml
diff --git a/host_vars/dione.yml b/inventory/host_vars/dione.yml
index 75b289c2..75b289c2 100644
--- a/host_vars/dione.yml
+++ b/inventory/host_vars/dione.yml
diff --git a/host_vars/elesearch.yml b/inventory/host_vars/elesearch.yml
index 0e235000..0e235000 100644
--- a/host_vars/elesearch.yml
+++ b/inventory/host_vars/elesearch.yml
diff --git a/host_vars/emc-master.yml b/inventory/host_vars/emc-master.yml
index 95b3062a..95b3062a 100644
--- a/host_vars/emc-master.yml
+++ b/inventory/host_vars/emc-master.yml
diff --git a/host_vars/emc-stats.yml b/inventory/host_vars/emc-stats.yml
index 89352b4f..89352b4f 100644
--- a/host_vars/emc-stats.yml
+++ b/inventory/host_vars/emc-stats.yml
diff --git a/host_vars/helene.yml b/inventory/host_vars/helene.yml
index b40fb069..b40fb069 100644
--- a/host_vars/helene.yml
+++ b/inventory/host_vars/helene.yml
diff --git a/host_vars/sk2013.yml b/inventory/host_vars/sk2013.yml
index 920748c1..920748c1 100644
--- a/host_vars/sk2013.yml
+++ b/inventory/host_vars/sk2013.yml
diff --git a/host_vars/sk2016.yml b/inventory/host_vars/sk2016.yml
index 872223db..872223db 100644
--- a/host_vars/sk2016.yml
+++ b/inventory/host_vars/sk2016.yml
diff --git a/host_vars/telesto.yml b/inventory/host_vars/telesto.yml
index ff853586..ff853586 100644
--- a/host_vars/telesto.yml
+++ b/inventory/host_vars/telesto.yml
diff --git a/host_vars/thetys.yml b/inventory/host_vars/thetys.yml
index ff853586..ff853586 100644
--- a/host_vars/thetys.yml
+++ b/inventory/host_vars/thetys.yml
diff --git a/hosts.ini b/inventory/hosts.ini
index 28fb4e4e..771b1b2c 100644
--- a/hosts.ini
+++ b/inventory/hosts.ini
@@ -1,3 +1,16 @@
+[all:vars]
+ansible_host={{ inventory_hostname }}.{{ host_domain }}
+ansible_user=root
+ansible_port=22000
+
+
+###############################
+# environment: chaos-at-home
+
+[chaos-at-home:vars]
+host_domain=chaos-at-home.org
+environment_group=chaos-at-home
+
[chaos-at-home]
prometheus
web
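Review bot: Setting `ansible_user=root` in `[all:vars]` is not equivalent to the `remote_user = root` removed from ansible.cfg: an inventory connection variable takes precedence over the `-u`/`--user` command-line option, so operators can no longer choose a non-root login per run without `-e ansible_user=...`. The same applies to `ansible_port=22000`. If the override is intended, a comment above `[all:vars]` such as `# connection defaults; override per host or with -e, -u has no effect` would make that explicit; otherwise keeping the user in ansible.cfg preserves the old behaviour.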
@@ -9,8 +22,16 @@ pan
keyserver
mimas
+
+###############################
+# environment: spreadspace
+
+[spreadspace:vars]
+host_domain=spreadspace.org
+environment_group=spreadspace
+
[spreadspace]
-ssbuild
+build ansible_port=222
calypso
telesto
thetys
@@ -19,27 +40,50 @@ helene
emc-test
+###############################
+# environment: elevate
+
+[skillz:vars]
+host_domain=skillz.biz
+environment_group=elevate
+
[skillz]
sk2013
sk2016
sktorrent
-[emc-xx]
-#emc-0[0:6]
-emc-00
+[elevate:vars]
+host_domain=elevate.at
+environment_group=elevate
[elevate]
elewolke
elestream
elemedia
elesearch
+
+[elevate:children]
+emc
+
+
+[emc:vars]
+host_domain=spreadspace.org
+
+[emc]
emc-stats
emc-master
-[elevate:children]
+[emc:children]
emc-xx
+[emc-xx]
+#emc-0[0:6]
+emc-00
+
+
+###############################
+# host categories
[kvmhosts]
prometheus
diff --git a/roles/blackmagic-desktopvideo/defaults/main.yml b/roles/blackmagic-desktopvideo/defaults/main.yml
new file mode 100644
index 00000000..8dde7e4d
--- /dev/null
+++ b/roles/blackmagic-desktopvideo/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+blackmagic_desktopvideo_apt:
+ username: "change-me"
+# password: "secret"
diff --git a/roles/blackmagic-desktopvideo/tasks/main.yml b/roles/blackmagic-desktopvideo/tasks/main.yml
index 632f36ea..5283b628 100644
--- a/roles/blackmagic-desktopvideo/tasks/main.yml
+++ b/roles/blackmagic-desktopvideo/tasks/main.yml
@@ -11,7 +11,7 @@
- name: add repository entry
apt_repository:
- repo: deb https://{{ vault_build_spreadspace_blackmagic.username }}:{{ vault_build_spreadspace_blackmagic.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
+ repo: "deb https://{{ blackmagic_desktopvideo_apt.username }}:{{ blackmagic_desktopvideo_apt.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic"
state: present
filename: blackmagic
mode: 0600
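Review bot: The `repo:` string in `add repository entry` embeds `blackmagic_desktopvideo_apt.password`, and module arguments and results can be echoed by Ansible, so the password is likely to end up in console output and in the `./log` file configured in ansible.cfg; adding `no_log: true` to this task would prevent that. The values are also interpolated into the URL unescaped, so a password containing `@`, `:` or `/` would produce a broken source line; `{{ blackmagic_desktopvideo_apt.password | urlencode }}` handles that. The task starts above the hunk and may continue below it.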
diff --git a/spreadspace/generic.yaml b/spreadspace/generic.yaml
new file mode 100644
index 00000000..d3b8de82
--- /dev/null
+++ b/spreadspace/generic.yaml
@@ -0,0 +1,5 @@
+---
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/spreadspace/group_vars/spreadspace.yml b/spreadspace/group_vars/spreadspace.yml
new file mode 100644
index 00000000..c34fdc8d
--- /dev/null
+++ b/spreadspace/group_vars/spreadspace.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+31313137643137373839333838343730353634616138643463333262373737356639396539643233
+3839663334323736343239373961353164646565653562390a383831383638383434623863333337
+34366232356438386563643165303735663737373566363038653061323765303466376135303565
+6331623630653931660a626235376639376231633735656333333764643064393834363134663936
+63393563323334373231643237353362653839326235336538363730356364643566303566316665
+64396539333132353131326664323866313161386232393536643733386231643737363962666531
+65336366336435633933666436616261303265326232386639333562323032393832633037636266
+36356262346132663165653530363239316438653637326330636537356234646535376365396538
+6231