diff --git a/roles/authelia-for-tandoor/defaults/main.json b/roles/authelia-for-tandoor/defaults/main.json
new file mode 100644
index 0000000..ac1e5c6
--- /dev/null
+++ b/roles/authelia-for-tandoor/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_authelia_for_tandoor_tandoor_url_base": "https://tandoor.example.org",
+ "var_authelia_for_tandoor_client_id": "tandoor",
+ "var_authelia_for_tandoor_client_secret": "REPLACE_ME"
+}
diff --git a/roles/authelia-for-tandoor/info.md b/roles/authelia-for-tandoor/info.md
new file mode 100644
index 0000000..d9c0efb
--- /dev/null
+++ b/roles/authelia-for-tandoor/info.md
@@ -0,0 +1,8 @@
+## Beschreibung
+
+Um [Tandoor](../tandoor) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [allauth-Dokumentation | Authelia](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/authelia.html)
diff --git a/roles/authelia-for-tandoor/tasks/main.json b/roles/authelia-for-tandoor/tasks/main.json
new file mode 100644
index 0000000..0b83858
--- /dev/null
+++ b/roles/authelia-for-tandoor/tasks/main.json
@@ -0,0 +1,33 @@
+[
+ {
+ "name": "configuration | compute client secret hash",
+ "become": true,
+ "ansible.builtin.shell": {
+ "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_tandoor_client_secret}} | cut --delimiter=' ' --fields='2-'"
+ },
+ "register": "temp_authelia_for_tandoor_client_secret_hashed"
+ },
+ {
+ "name": "configuration | emplace",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "authelia-client-conf.json.j2",
+ "dest": "/etc/authelia/conf.d/clients/tandoor.json"
+ }
+ },
+ {
+ "name": "configuration | apply",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "/usr/bin/authelia-conf-compose"
+ }
+ },
+ {
+ "name": "restart service",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "authelia"
+ }
+ }
+]
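Review bot: The 'configuration | compute client secret hash' task puts the plaintext client secret on the `authelia crypto hash generate` command line, where it is visible in the process list and, because the task has no `no_log`, in Ansible's output and logs; add `"no_log": true` to the task and, since the value is interpolated into a shell string unquoted, write `--password {{ var_authelia_for_tandoor_client_secret | quote }}` so a secret containing shell metacharacters cannot break or alter the command. The `cut` on the CLI output silently yields an empty hash if the output format ever changes, so a `"failed_when": "temp_authelia_for_tandoor_client_secret_hashed.stdout | length == 0"` would turn that into a visible failure instead of an unusable client file. Note also that bcrypt salts differ on every run, so this role rewrites the client file and restarts Authelia on every play; computing the hash once and storing it as a variable would make the role idempotent.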
diff --git a/roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2 b/roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2
new file mode 100644
index 0000000..7a2137e
--- /dev/null
+++ b/roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2
@@ -0,0 +1,17 @@
+{
+ "client_id": "{{var_authelia_for_tandoor_client_id}}",
+ "client_secret": "{{temp_authelia_for_tandoor_client_secret_hashed.stdout}}",
+ "client_name": "Tandoor",
+ "public": false,
+ "authorization_policy": "one_factor",
+ "redirect_uris": [
+ "{{var_authelia_for_tandoor_tandoor_url_base}}/accounts/oidc/authelia/login/callback/"
+ ],
+ "scopes": [
+ "openid",
+ "email",
+ "profile"
+ ],
+ "userinfo_signed_response_alg": "none",
+ "token_endpoint_auth_method": "client_secret_basic"
+}
diff --git a/roles/postgresql-for-tandoor/defaults/main.json b/roles/postgresql-for-tandoor/defaults/main.json
new file mode 100644
index 0000000..93f9536
--- /dev/null
+++ b/roles/postgresql-for-tandoor/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_postgresql_for_tandoor_username": "tandoor_user",
+ "var_postgresql_for_tandoor_password": "REPLACE_ME",
+ "var_postgresql_for_tandoor_schema": "tandoor"
+}
diff --git a/roles/postgresql-for-tandoor/tasks/main.json b/roles/postgresql-for-tandoor/tasks/main.json
new file mode 100644
index 0000000..abd0400
--- /dev/null
+++ b/roles/postgresql-for-tandoor/tasks/main.json
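Review bot: The client is registered without PKCE, and the Tandoor-side allauth configuration in this change does not enable it either, so the authorization code exchange is protected by the client secret alone; if your Authelia version supports the per-client options, add `"require_pkce": true,` and `"pkce_challenge_method": "S256",` here and enable PKCE on the allauth app at the same time. `"authorization_policy": "one_factor"` is a deliberate choice, but it lets users reach Tandoor with a password alone even when they have a second factor enrolled in Authelia; `"two_factor"` is the stricter option and worth a comment in `info.md` either way. The task that emplaces this file sets no `mode`, so the file takes the umask; the secret inside is only a bcrypt hash, but restricting the file to the Authelia user (`"mode": "0640"` with the right `group`) costs nothing.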
@@ -0,0 +1,50 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "acl",
+ "python3-psycopg2",
+ "libpq-dev"
+ ]
+ }
+ },
+ {
+ "name": "user",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_user": {
+ "state": "present",
+ "name": "{{var_postgresql_for_tandoor_username}}",
+ "password": "{{var_postgresql_for_tandoor_password}}"
+ },
+ "environment": {
+ "PGOPTIONS": "-c password_encryption=scram-sha-256"
+ }
+ },
+ {
+ "name": "schema",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_db": {
+ "state": "present",
+ "name": "{{var_postgresql_for_tandoor_schema}}",
+ "owner": "{{var_postgresql_for_tandoor_username}}"
+ }
+ },
+ {
+ "name": "rights",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_privs": {
+ "state": "present",
+ "db": "{{var_postgresql_for_tandoor_schema}}",
+ "objs": "ALL_IN_SCHEMA",
+ "roles": "{{var_postgresql_for_tandoor_username}}",
+ "privs": "ALL",
+ "grant_option": true
+ }
+ }
+]
diff --git a/roles/tandoor-and-nginx/defaults/main.json b/roles/tandoor-and-nginx/defaults/main.json
new file mode 100644
index 0000000..f3c0a1a
--- /dev/null
+++ b/roles/tandoor-and-nginx/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_tandoor_and_nginx_domain": "tandoor.example.org",
+ "var_tandoor_and_nginx_tls_mode": "force",
+ "var_tandoor_and_nginx_directory": "/opt/tandoor"
+}
diff --git a/roles/tandoor-and-nginx/info.md b/roles/tandoor-and-nginx/info.md
new file mode 100644
index 0000000..f8798d6
--- /dev/null
+++ b/roles/tandoor-and-nginx/info.md
@@ -0,0 +1,4 @@
+## Verweise
+
+- [Tandoor-Dokumentation | nginx](https://docs.tandoor.dev/install/manual/#nginx)
+
diff --git a/roles/tandoor-and-nginx/tasks/main.json b/roles/tandoor-and-nginx/tasks/main.json
new file mode 100644
index 0000000..5519556
--- /dev/null
+++ b/roles/tandoor-and-nginx/tasks/main.json
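Review bot: The 'rights' task grants `ALL` on every table in the schema `WITH GRANT OPTION` (`"grant_option": true`), which lets the application role hand its privileges on to other roles; nothing in Tandoor needs to re-grant, so drop that line and keep the role to plain privileges. Since the same role is made owner of the database in the 'schema' task and Tandoor's migrations create their tables under that role, this grant only ever covers tables that already exist at play time and is likely redundant altogether. `password_encryption=scram-sha-256` on the role creation is good, but this change does not touch `pg_hba.conf`, so whether SCRAM (and TLS) is actually required on the wire depends on server configuration that is not visible here. If your version of `community.postgresql.postgresql_user` does not already mark `password` as no-log, add `"no_log": true` to the 'user' task so the password does not land in play output.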
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_tandoor_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/roles/tandoor-and-nginx/templates/conf.j2 b/roles/tandoor-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..31c5568
--- /dev/null
+++ b/roles/tandoor-and-nginx/templates/conf.j2
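Review bot: The 'restart nginx' task restarts nginx unconditionally after the site file is written, so a template error takes every site on the host down and a play that changes nothing still interrupts service; insert a check task such as `"ansible.builtin.command": {"cmd": "nginx -t"}` with `"changed_when": false` before it, and use `"state": "reloaded"`, which keeps the running configuration if the new one fails to load. Better still, make the reload a handler notified by the 'emplace configuration' tasks so it only fires when something actually changed. The site file itself is written without `mode`/`owner`, which is harmless here because it holds no secrets, but stating `"mode": "0644"` makes that explicit.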
@@ -0,0 +1,43 @@
+{% macro tandoor_common() %}
+ location /static {
+ alias {{var_tandoor_and_nginx_directory}}/program/staticfiles;
+ }
+
+ location /media {
+ alias {{var_tandoor_and_nginx_directory}}/program/mediafiles;
+ }
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://unix:{{var_tandoor_and_nginx_directory}}/program/recipes.sock;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_tandoor_and_nginx_domain}};
+
+{% if var_tandoor_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+{{ tandoor_common() }}
+{% endif %}
+}
+
+{% if var_tandoor_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_tandoor_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_tandoor_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_tandoor_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+{{ tandoor_common() }}
+}
+{% endif %}
diff --git a/roles/tandoor-and-nginx/vardef.json b/roles/tandoor-and-nginx/vardef.json
new file mode 100644
index 0000000..882b53b
--- /dev/null
+++ b/roles/tandoor-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+ "domain": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "port": {
+ "mandatory": false,
+ "type": "integer"
+ },
+ "tls_mode": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ]
+ }
+}
diff --git a/roles/tandoor/defaults/main.json b/roles/tandoor/defaults/main.json
new file mode 100644
index 0000000..ea267ea
--- /dev/null
+++ b/roles/tandoor/defaults/main.json
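Review bot: The HTTP-to-HTTPS redirect uses `$http_host`, which is the client's Host header verbatim; because this role removes the default site, this server block will probably also be nginx's default server, so a request carrying an arbitrary Host header is answered with a redirect to that host (and an HTTP/1.0 request without one yields `https://` followed by the path). Use the configured name instead, `return 301 https://$server_name$request_uri;` (or `$host`, which falls back to the server name). `/media` serves files straight from disk that are presumably user uploads (recipe images); adding `add_header Content-Security-Policy "default-src 'none'; sandbox" always;` and `add_header X-Content-Type-Options nosniff always;` inside that location keeps an uploaded HTML or SVG file from executing script in the site's origin. The proxy block also sets no `X-Forwarded-For`/`X-Real-IP`, so the application sees every client as the socket peer, which matters for logging and any rate limiting it does.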
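Review bot: The variable definitions declare a `port` entry that nothing in this role reads (neither `defaults/main.json` nor `templates/conf.j2` has a port variable), while `var_tandoor_and_nginx_directory`, which the template does read, has no entry here; either drop `"port"` or wire it into the template, and add a `"directory": {"mandatory": false, "type": "string"}` entry so the definition file describes what the role actually consumes.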
@@ -0,0 +1,27 @@
+{
+ "var_tandoor_user": "tandoor",
+ "var_tandoor_directory": "/opt/tandoor",
+ "var_tandoor_repository_url": "https://github.com/vabene1111/recipes.git",
+ "var_tandoor_repository_reference": "master",
+ "var_tandoor_database_kind": "sqlite",
+ "var_tandoor_database_data_postgresql_host": "postgresql.example.org",
+ "var_tandoor_database_data_postgresql_port": 5432,
+ "var_tandoor_database_data_postgresql_username": "tandoor_user",
+ "var_tandoor_database_data_postgresql_password": "REPLACE_ME",
+ "var_tandoor_database_data_postgresql_schema": "tandoor",
+ "var_tandoor_authentication_kind": "internal",
+ "var_tandoor_authentication_data_authelia_client_id": "REPLACE_ME",
+ "var_tandoor_authentication_data_authelia_client_secret": "REPLACE_ME",
+ "var_tandoor_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_tandoor_authentication_data_authelia_label": "Authelia",
+ "var_tandoor_smtp_host": "smtp.example.org",
+ "var_tandoor_smtp_port": 587,
+ "var_tandoor_smtp_username": "tandoor@smtp.example.org",
+ "var_tandoor_smtp_password": "REPLACE_ME",
+ "var_tandoor_notification_sender": "notification@tandoor.example.org",
+ "var_tandoor_secret_key": "REPLACE_ME",
+ "var_tandoor_admin_username": "admin",
+ "var_tandoor_admin_password": "REPLACE_ME",
+ "var_tandoor_admin_email": "admin@tandoor.example.org",
+ "var_tandoor_domain": "tandoor.exmaple.org"
+}
diff --git a/roles/tandoor/info.md b/roles/tandoor/info.md
new file mode 100644
index 0000000..dc339bf
--- /dev/null
+++ b/roles/tandoor/info.md
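Review bot: `"var_tandoor_domain": "tandoor.exmaple.org"` is misspelled (`exmaple`), and this value feeds `ALLOWED_HOSTS` in the configuration template, so a deployment that keeps the default rejects every request for the real host name with Django's `DisallowedHost`; change it to `"tandoor.example.org"` to match the other defaults. Several secrets default to the literal `REPLACE_ME` and nothing in the roles checks that they were overridden, so a forgotten override ships a predictable `SECRET_KEY` and admin password; an `ansible.builtin.assert` that each secret variable differs from `REPLACE_ME` would fail the play early instead of deploying a guessable instance. The pinned `"master"` reference deserves a comment pointing operators at a release tag, since `master` is a moving target.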
@@ -0,0 +1,18 @@
+## Beschreibung
+
+Für Rezepte-Sammlung [Tandoor](https://tandoor.dev/)
+
+
+## Verweise
+
+- [Tandoor-Dokumentation | Installation](https://docs.tandoor.dev/install/manual/)
+- [Tandoor-Dokumentation | Konfiguration](https://docs.tandoor.dev/system/configuration/)
+- [Tandoor-Dokumentation | Allauth](https://docs.tandoor.dev/features/authentication/#allauth)
+- [Django-Dokumentation | Variable `DJANGO_SUPERUSER_PASSWORD`](https://docs.djangoproject.com/en/5.1/ref/django-admin/#envvar-DJANGO_SUPERUSER_PASSWORD)
+- [allauth-Dokumentation | OpenID Connect](https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html)
+- [allauth-Dokumentation | Authelia](https://docs.allauth.org/en/latest/socialaccount/providers/authelia.html)
+
+
+## ToDo
+
+- Idempotenz
diff --git a/roles/tandoor/tasks/main.json b/roles/tandoor/tasks/main.json
new file mode 100644
index 0000000..b9ee618
--- /dev/null
+++ b/roles/tandoor/tasks/main.json
@@ -0,0 +1,136 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "git",
+ "gcc",
+ "libpq-dev",
+ "libldap2-dev",
+ "libsasl2-dev",
+ "python3-venv",
+ "python3-dev",
+ "nodejs",
+ "yarnpkg"
+ ]
+ }
+ },
+ {
+ "name": "user and directory",
+ "become": true,
+ "ansible.builtin.user": {
+ "name": "{{var_tandoor_user}}",
+ "create_home": true,
+ "home": "{{var_tandoor_directory}}"
+ }
+ },
+ {
+ "name": "sources",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.git": {
+ "repo": "{{var_tandoor_repository_url}}",
+ "version": "{{var_tandoor_repository_reference}}",
+ "single_branch": true,
+ "dest": "{{var_tandoor_directory}}/program",
+ "force": true
+ }
+ },
+ {
+ "name": "venv",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.command": {
+ "chdir": "{{var_tandoor_directory}}",
+ "cmd": "python3 -m venv program"
+ }
+ },
+ {
+ "name": "python requirements",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.pip": {
+ "virtualenv": "{{var_tandoor_directory}}/program",
+ "virtualenv_python": "python3",
+ "requirements": "{{var_tandoor_directory}}/program/requirements.txt"
+ }
+ },
+ {
+ "name": "configuration",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "{{var_tandoor_directory}}/program/.env",
+ "mode": "644"
+ }
+ },
+ {
+ "name": "initialize",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "environment": {
+ "VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
+ },
+ "loop": [
+ "migrate",
+ "collectstatic --no-input",
+ "collectstatic_js_reverse"
+ ],
+ "ansible.builtin.shell": {
+ "chdir": "{{var_tandoor_directory}}/program",
+ "cmd": "bin/python3 manage.py {{item}}"
+ }
+ },
+ {
+ "name": "admin account",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "environment": {
+ "VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
+ },
+ "ansible.builtin.shell": {
+ "chdir": "{{var_tandoor_directory}}/program",
+ "cmd": "DJANGO_SUPERUSER_PASSWORD={{var_tandoor_admin_password}} bin/python3 manage.py createsuperuser --no-input --username {{var_tandoor_admin_username}} --email {{var_tandoor_admin_email}}"
+ }
+ },
+
+ {
+ "name": "frontend stuff | core",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.shell": {
+ "chdir": "{{var_tandoor_directory}}/program/vue",
+ "cmd": "yarnpkg install && yarnpkg build"
+ }
+ },
+ {
+ "name": "frontend stuff | link",
+ "become": true,
+ "become_user": "{{var_tandoor_user}}",
+ "ansible.builtin.file": {
+ "type": "link",
+ "src": "{{var_tandoor_directory}}/program/cookbook/static/vue",
+ "dest": "{{var_tandoor_directory}}/program/staticfiles/vue",
+ }
+ },
+ {
+ "name": "systemd unit",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "systemd-unit.j2",
+ "dest": "/etc/systemd/system/tandoor.service"
+ }
+ },
+ {
+ "name": "start",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "enabled": true,
+ "state": "started",
+ "name": "tandoor"
+ }
+ }
+]
diff --git a/roles/tandoor/templates/conf.j2 b/roles/tandoor/templates/conf.j2
new file mode 100644
index 0000000..4837105
--- /dev/null
+++ b/roles/tandoor/templates/conf.j2
@@ -0,0 +1,42 @@
+{% if var_tandoor_database_kind == 'sqlite' %}
+DB_ENGINE=django.db.backends.sqlite3
+{% endif %}
+
+{% if var_tandoor_database_kind == 'postgresql' %}
+DB_ENGINE=django.db.backends.postgresql
+POSTGRES_HOST={{var_tandoor_database_data_postgresql_host}}
+POSTGRES_DB={{var_tandoor_database_data_postgresql_schema}}
+POSTGRES_PORT={{var_tandoor_database_data_postgresql_port | string}}
+POSTGRES_USER={{var_tandoor_database_data_postgresql_username}}
+POSTGRES_PASSWORD={{var_tandoor_database_data_postgresql_password}}
+{% endif %}
+
+{% if var_tandoor_authentication_kind == 'internal' %}
+ENABLE_SIGNUP=1
+REMOTE_USER_AUTH=0
+{% endif %}
+
+{% if var_tandoor_authentication_kind == 'authelia' %}
+ENABLE_SIGNUP=0
+REMOTE_USER_AUTH=1
+SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid
+# SOCIALACCOUNT_PROVIDERS={"openid_connect": {"OAUTH_PKCE_ENABLED": false, "APPS": [{"provider_id": "authelia", "name": "{{var_tandoor_authentication_data_authelia_label}}", "client_id": "{{var_tandoor_authentication_data_authelia_client_id}}", "secret": "{{var_tandoor_authentication_data_authelia_client_secret}}", "settings": {"server_url":"{{var_tandoor_authentication_data_authelia_url_base}}", "token_auth_method": "client_secret_basic", "oauth_pkce_enabled": false}}]}}
+SOCIALACCOUNT_PROVIDERS={"openid_connect": {"APPS": [{"provider_id": "authelia", "name": "{{var_tandoor_authentication_data_authelia_label}}", "client_id": "{{var_tandoor_authentication_data_authelia_client_id}}", "secret": "{{var_tandoor_authentication_data_authelia_client_secret}}", "settings": {"server_url": "{{var_tandoor_authentication_data_authelia_url_base}}/.well-known/openid-configuration"}}]}}
+{% endif %}
+
+EMAIL_HOST={{var_tandoor_smtp_host}}
+EMAIL_PORT={{var_tandoor_smtp_port | string}}
+EMAIL_HOST_USER={{var_tandoor_smtp_username}}
+EMAIL_HOST_PASSWORD={{var_tandoor_smtp_password}}
+EMAIL_USE_TLS=1
+EMAIL_USE_SSL=0
+DEFAULT_FROM_EMAIL={{var_tandoor_notification_sender}}
+
+SECRET_KEY={{var_tandoor_secret_key}}
+
+ALLOWED_HOSTS={{var_tandoor_domain}}
+
+ENABLE_METRICS=0
+ENABLE_PDF_EXPORT=0
+
+DEBUG=0
diff --git a/roles/tandoor/templates/systemd-unit.j2 b/roles/tandoor/templates/systemd-unit.j2
new file mode 100644
index 0000000..ad9dfc8
--- /dev/null
+++ b/roles/tandoor/templates/systemd-unit.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Tandoor (gunicorn daemon)
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=3
+User={{var_tandoor_user}}
+Group=www-data
+WorkingDirectory={{var_tandoor_directory}}/program
+EnvironmentFile={{var_tandoor_directory}}/program/.env
+ExecStart={{var_tandoor_directory}}/program/bin/gunicorn --capture-output --bind unix:{{var_tandoor_directory}}/program/recipes.sock recipes.wsgi:application
+
+[Install]
+WantedBy=multi-user.target
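Review bot: In the `authelia` branch `REMOTE_USER_AUTH=1` makes Tandoor trust the `Remote-User` header it receives from the reverse proxy, but the nginx template in this change neither sets nor clears that header, and nginx forwards client request headers to the upstream by default — so a client that sends `Remote-User: admin` is logged in as that user, bypassing Authelia entirely. OIDC login through allauth does not need header authentication; set `REMOTE_USER_AUTH=0` in this branch as well, and enable it only where nginx is configured as an Authelia forward-auth proxy that overwrites the header. `SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid` names allauth's legacy OpenID 2.0 provider, while the app configured on the next line lives under `openid_connect`; it should read `SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect`, otherwise the Authelia app is never registered. Since the commented-out variant already experimented with PKCE, consider adding `"OAUTH_PKCE_ENABLED": true` to the app's `settings` together with the matching Authelia client option. `ENABLE_SIGNUP=1` in the `internal` branch opens self-registration on an internet-facing host by default, which at least deserves a sentence in `info.md`.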
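Review bot: The unit runs gunicorn with no sandboxing, so a compromise of the application process gets the full filesystem and privilege surface of the `tandoor` user; since `WorkingDirectory`, the socket and the media files all live under `{{var_tandoor_directory}}`, the usual hardening directives can be added without affecting anything visible in this change. `ProtectSystem=strict` needs `ReadWritePaths=` for that directory (sqlite database, uploads, socket), and the `.env` read via `EnvironmentFile` should keep working because systemd, not the sandboxed process, loads it — confirm on the target. For the PostgreSQL variant `Wants=`/`After=network-online.target` is more reliable than `network.target` for a service that connects out at startup. Run `systemd-analyze security tandoor` afterwards to confirm the exposure score actually dropped.

```ini
[Unit]
Description=Tandoor (gunicorn daemon)
Wants=network-online.target
After=network-online.target

[Service]
# … unchanged: Type, Restart, RestartSec, User, Group, WorkingDirectory, EnvironmentFile, ExecStart …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{var_tandoor_directory}}
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true

# … unchanged: [Install] section …
```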