diff --git a/roles/custom/fvs/files/policies.json b/roles/custom/fvs/files/policies.json
index b1c20cc..f0acb53 100644
--- a/roles/custom/fvs/files/policies.json
+++ b/roles/custom/fvs/files/policies.json
@@ -30,6 +30,10 @@ "url": "https://info.steinbeis.schule", "name": "FvS-Hilfesystem" }, + { + "url": "https://ticket.steinbeis.schule", + "name": "FvS-IT-Support" + }, { "url": "https://moodle.steinbeis.schule", "name": "FvS-Moodle"
diff --git a/roles/custom/fvs/tasks/main.yml b/roles/custom/fvs/tasks/main.yml
index 2248651..8f7c49c 100644
--- a/roles/custom/fvs/tasks/main.yml
+++ b/roles/custom/fvs/tasks/main.yml
@@ -59,6 +59,7 @@ - net-tools - netcat-openbsd - nmap + - octave - okular-extra-backends ## needed for CHM files - pdf-presenter-console - php-cli
diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml
index a06998b..ea3cf2e 100644
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@@ -33,6 +33,7 @@ dest: /etc/profile.d/lmn-logout.sh mode: '0755' content: | + # logout script (may be empty) {% if localhome_logout_missing_serverhome %} [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0 {% endif %}
diff --git a/roles/lmn_misc/files/reporter b/roles/lmn_misc/files/reporter
deleted file mode 100755
index 2ee481f..0000000
--- a/roles/lmn_misc/files/reporter
+++ /dev/null
@@ -1,33 +0,0 @@ -#!/usr/bin/bash -# -# Send stdout of some commands to monitoring server. -# Collect the reports with 'nc -u -k -l 1234' on 'sendto'. -# Use /bin/nc.openbsd, /bin/nc.traditional seems not to work. -# -set -eu - -sendto="collector.steinbeis.schule 1234" -n=0 - -cmds=( - 'uname -a' - 'tail -1 /var/local/ansible-stamps' - 'ip route list default' - 'ip link show | \ - sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \ - paste - -' -) -# 'w' -# 'uptime' -# 'ls -d --full-time /home/ansible/.ansible/tmp/' -# 'ip addr show' -# 'apt list --upgradeable -o Apt::Cmd::Disable-Script-Warning=true' - -r="$HOSTNAME ------- $(date --rfc-3339=seconds) ------- -$(for c in "${cmds[@]}" ; do - n=$(( n + 1 )) - echo -n "$n" - eval "$c" | sed 's/^/\t/' -done | sed "s/^/$HOSTNAME /") -## -------------------------------------------------" -echo "$r" | nc -w 1 -u $sendto
diff --git a/roles/lmn_misc/tasks/main.yml b/roles/lmn_misc/tasks/main.yml
index 23dce2b..212e418 100644
--- a/roles/lmn_misc/tasks/main.yml
+++ b/roles/lmn_misc/tasks/main.yml
@@ -98,7 +98,7 @@ export superusers password_pbkdf2 root {{ grub_pwd }} notify: Run update-grub - when: grub_pwd | bool | default(false) + when: grub_pwd is defined and grub_pwd is truthy - name: Allow booting grub menu entries ansible.builtin.lineinfile:
@@ -190,6 +190,36 @@ tags: - baseinstall +# Updater + +- name: Provide services and timers for updater + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + mode: '0644' + loop: + - lmn-updater.service + - lmn-updater.timer + when: misc_updater_repository | default(false) is truthy + +- name: Enable updater.timer + ansible.builtin.systemd: + name: lmn-updater.timer + enabled: true + when: + - misc_updater_repository | default(false) is truthy + - misc_updater_autostart | default(false) is truthy + +- name: Deploy inventory password file + ansible.builtin.copy: + dest: /root/.inventory-pw + owner: root + mode: '0640' + content: "{{ misc_updater_inventory_password }}" + when: + - misc_updater_repository | default(false) is truthy + - misc_updater_inventory_password | default(false) is truthy + # Prepare CloneScreen on Presenter PCs - name: Fix primary screen for class room PCs with projector
diff --git a/roles/lmn_misc/templates/lmn-fix-screen.j2 b/roles/lmn_misc/templates/lmn-fix-screen.j2
index a70ec3b..0fb2e08 100644
--- a/roles/lmn_misc/templates/lmn-fix-screen.j2
+++ b/roles/lmn_misc/templates/lmn-fix-screen.j2
@@ -22,8 +22,8 @@ fi pactl set-card-profile alsa_card.{{ audio_output[0] }} output:{{ audio_output[1] }} pactl set-default-sink alsa_output.{{ audio_output[0] }}.{{ audio_output[1] }} {% else %} -if pactl list cards | grep output:hdmi-stereo: | grep verfügbar:\ ja; then +if pactl list cards | grep output:hdmi-stereo: | grep -E "verfügbar: ja|available: yes"; then pactl set-card-profile $(pactl list short cards | grep -m1 pci | head -1 | cut -f2) output:hdmi-stereo - pactl set-default-sink $(pactl list short cards | grep -m1 pci | head -1 | cut -f2 | sed s/card/output/g).output:hdmi-stereo + pactl set-default-sink $(pactl list short cards | grep -m1 pci | head -1 | cut -f2 | sed s/card/output/g).hdmi-stereo fi {% endif %}
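Review bot: The 'Deploy inventory password file' task writes the vault password to /root/.inventory-pw with `mode: '0640'` and without `no_log`, so the secret is group-readable on the client and is printed into the play output in verbose or diff mode. Only root's ansible-pull (lmn-updater.service from this commit) reads the file, so `mode: '0600'` plus `no_log: true` on the task is the tighter setting, and an explicit `group: root` would make the ownership unambiguous. The file is also only deployed when `misc_updater_inventory_password` is set, while the service template passes `--vault-password-file /root/.inventory-pw` unconditionally, so a host with a repository but no password gets a unit that fails on every run; either always deploying the file or gating the flag in the template keeps the two in step. The updater block ends inside this hunk, but the task list it sits in continues on both sides.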
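Review bot: The availability test at `grep -E "verfügbar: ja|available: yes"` still depends on the user's locale, so a third language leaves HDMI output unconfigured; probing with a fixed locale removes the need to enumerate translations: `if LC_ALL=C pactl list cards | grep output:hdmi-stereo: | grep -q "available: yes"; then`. On the two following lines `grep -m1 pci | head -1` is redundant, since `-m1` already stops at the first match, though that is cosmetic. The `{% if %}` to which this `{% else %}` branch belongs opens before the hunk.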
diff --git a/roles/lmn_misc/templates/lmn-updater.service.j2 b/roles/lmn_misc/templates/lmn-updater.service.j2
new file mode 100644
index 0000000..6fe3d85
--- /dev/null
+++ b/roles/lmn_misc/templates/lmn-updater.service.j2
@@ -0,0 +1,9 @@ +[Unit] +Description=Run LMN Client updates via ansible-pull + +[Service] +Type=oneshot +User=root +ExecStart=/usr/bin/ansible-pull --only-if-changed --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \ + --skip-tags no_ansible_pull -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml +
diff --git a/roles/lmn_misc/templates/lmn-updater.timer.j2 b/roles/lmn_misc/templates/lmn-updater.timer.j2
new file mode 100644
index 0000000..b64fdea
--- /dev/null
+++ b/roles/lmn_misc/templates/lmn-updater.timer.j2
@@ -0,0 +1,9 @@ +[Unit] +Description=Run LMN Updater every day +After=network-online.target + +[Timer] +OnBootSec=5min + +[Install] +WantedBy=timers.target
diff --git a/roles/lmn_misc/templates/reporter.j2 b/roles/lmn_misc/templates/reporter.j2
index 6a19bec..e652b55 100755
--- a/roles/lmn_misc/templates/reporter.j2
+++ b/roles/lmn_misc/templates/reporter.j2
@@ -16,6 +16,7 @@ cmds=( 'ip link show | \ sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \ paste - -' + 'systemctl --failed | grep -v "^$"' ) # 'w' # 'uptime'
diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index 0f09299..504269b 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -97,7 +97,7 @@ ansible.posix.mount: src: "{{ nfs_server }}:tools" path: /lmn/tools - opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,timeo=100,soft + opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,x-systemd.mount-timeout=10,timeo=100,soft state: present fstype: nfs4 when: nfs_server is defined
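Review bot: ExecStart runs ansible-pull as root against whatever `{{ misc_updater_repository }}` serves on branch `{{ misc_updater_branch }}`, so push access to that branch is equivalent to root on every client, and the unit adds no integrity check on the checkout. ansible-pull's `--verify-commit` aborts the run unless the checked-out commit carries a valid GPG signature; combined with an https or ssh remote whose host key is pinned, that is the usual control for a root-level pull, and it is worth stating in a comment which of the two the deployment relies on. `--vault-password-file /root/.inventory-pw` is passed unconditionally although the 'Deploy inventory password file' task in this commit only creates the file when `misc_updater_inventory_password` is set; wrapping the flag in `{% if misc_updater_inventory_password | default(false) is truthy %}…{% endif %}` keeps the unit runnable without a vault. Neither `misc_updater_inventory` nor `misc_updater_branch` has a default in the task that renders this template, so an undefined value fails at render time rather than producing a clear message.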
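Review bot: The Description promises "every day" but the `[Timer]` section only carries `OnBootSec=5min`, a monotonic trigger that fires once per boot, so clients that stay up never pull again after the first run. A daily schedule needs `OnCalendar=daily` (with `Persistent=true` to catch runs missed while powered off) or `OnUnitActiveSec=1d` in addition to the boot trigger. `After=network-online.target` on the timer only orders the timer's own activation; the dependency that matters belongs on lmn-updater.service as `Wants=network-online.target` plus `After=network-online.target`, otherwise the boot-time run can start before the network is up.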
diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml
index 571c107..416a173 100644
--- a/roles/lmn_network/tasks/main.yml
+++ b/roles/lmn_network/tasks/main.yml
@@ -5,14 +5,14 @@ mode: '0644' content: > {{ apt_conf }} - when: apt_conf | bool | default(false) + when: apt_conf is defined and apt_conf is truthy - name: Set NTP server ansible.builtin.lineinfile: path: /etc/systemd/timesyncd.conf insertafter: '^#NTP=' line: NTP={{ ntp_serv }} - when: ntp_serv | bool | default(false) + when: ntp_serv is defined and ntp_serv is truthy - name: Add proposed-updates repository ansible.builtin.apt_repository:
diff --git a/roles/lmn_tmpfixes/tasks/main.yml b/roles/lmn_tmpfixes/tasks/main.yml
index 23e0bf8..4adf52c 100644
--- a/roles/lmn_tmpfixes/tasks/main.yml
+++ b/roles/lmn_tmpfixes/tasks/main.yml
@@ -32,3 +32,29 @@ state: absent purge: true autoremove: true + +# CVE-2026-31431 https://copy.fail/#mitigation +- name: Create modprobe config to disable algif_aead + ansible.builtin.lineinfile: + path: /etc/modprobe.d/disable-algif.conf + line: "install algif_aead /bin/false" + create: true + mode: '0644' + +- name: Remove algif_aead module if loaded + community.general.modprobe: + name: algif_aead + state: absent + +# Dirty.Frag +- name: Create modprobe config to disable modules needed for dirty.frag + ansible.builtin.copy: + dest: /etc/modprobe.d/dirtyfrag.conf + content: | + install esp4 /bin/false + install esp6 /bin/false + install rxrpc /bin/false + mode: '0644' + +- name: Set VM permissions + ansible.builtin.command: chmod -R o+r /lmn/vm
diff --git a/roles/lmn_vm/files/lmn-vm b/roles/lmn_vm/files/lmn-vm
index 006b84c..bc79403 100644
--- a/roles/lmn_vm/files/lmn-vm
+++ b/roles/lmn_vm/files/lmn-vm
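Review bot: The Dirty.Frag task only writes the `install esp4|esp6|rxrpc /bin/false` overrides, which stop future loads; unlike the algif_aead pair above it there is no `community.general.modprobe: state: absent` step, so a host that already has one of these modules loaded stays exposed until its next reboot. Adding the same unload task for each of the three (with a `failed_when` guard, since unloading a module that is in use fails) makes the mitigation take effect on the running kernel as well. Blocking esp4/esp6 also removes kernel IPsec ESP, which breaks any host still relying on it; with the WireGuard-based lmn_vpn role that seems acceptable, but a comment next to `# Dirty.Frag` saying so would spare the next reader the question. Separately, 'Set VM permissions' uses `ansible.builtin.command: chmod -R o+r /lmn/vm`, which reports changed on every run and makes everything below /lmn/vm world-readable; `ansible.builtin.file` with `path: /lmn/vm`, `mode: o+r` and `recurse: true` is idempotent and states the same intent declaratively.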
@@ -16,11 +16,6 @@ lmnsynci ALL=(root) NOPASSWD: /usr/local/bin/vm-aria2 %role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images -# vm-virtiofsd: Start Virtiofsd as systemd-service -%examusers ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd -%role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd -%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd - # desktop-sync: %examusers ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync %role-student ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync
diff --git a/roles/lmn_vm/files/virtiofsd b/roles/lmn_vm/files/virtiofsd
deleted file mode 100755
index 83fa42a..0000000
Binary files a/roles/lmn_vm/files/virtiofsd and /dev/null differ
diff --git a/roles/lmn_vm/files/vm-run b/roles/lmn_vm/files/vm-run
index af0bd67..3fa4f75 100755
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@@ -125,8 +125,6 @@ create_clone() { create_printerlist() { ## Prepare .printerlist.csv - mkdir -p "${VM_MEDIADIR}" - chgrp "$(id -g)" "${VM_MEDIADIR}" echo "Name;IppURL" > "${VM_MEDIADIR}/.printerlist.csv" for p in $(lpstat -v | cut -f 3 -d" " | sed 's/:$//'); do echo "$p;ipp://192.168.122.1/printers/$p" >> "${VM_MEDIADIR}/.printerlist.csv"
@@ -149,7 +147,7 @@ start_virtiofs_service() { local drive_letter=$3 local socket="/run/user/${UID}/virtiofs-${VM_NAME}-${target_name,,}.sock" - systemd-run --user /usr/local/bin/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \ + systemd-run --user /usr/lib/qemu/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \ --socket-path "${socket}" --shared-dir "${shared_dir}" --syslog if [[ $? -ne 0 ]]; then
@@ -208,6 +206,7 @@ EOF QEMU='qemu:///session' + NEWCLONE=0 PERSISTENT=0 LIBVIRTOSINFO="win10"
@@ -361,6 +360,8 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then else VMINFO_DIR="/lmn/media/${USER}" fi + mkdir -p "${VM_MEDIADIR}" -m 700 + chgrp "$(id -g)" "${VM_MEDIADIR}" create_printerlist create_mountlist
@@ -368,7 +369,7 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then [[ "${QEMU}" = 'qemu:///session' ]] && start_virtiofsd # Create VMInfo Json file - #( umask 027; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" ) + #( umask 077; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" ) # Start vminfo.timer systemctl --user restart vminfo.timer
diff --git a/roles/lmn_vm/files/vm-virtiofsd b/roles/lmn_vm/files/vm-virtiofsd
deleted file mode 100755
index 9326a5f..0000000
--- a/roles/lmn_vm/files/vm-virtiofsd
+++ /dev/null
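Review bot: `mkdir -p "${VM_MEDIADIR}" -m 700` only sets the mode when it creates the leaf directory; where the directory already exists the old permissions survive (the removed vm-virtiofsd script used to `chmod 0775` `/lmn/media/${SUDO_USER}`, which looks like the same location — worth confirming), and `-m` never applies to the intermediate components that `-p` creates. An explicit `chmod 700 "${VM_MEDIADIR}"` after the mkdir makes the result independent of prior state on upgraded hosts. The following `chgrp "$(id -g)"` grants nothing under mode 700; if group access is meant for virtiofsd or the guest, the mode should express that, otherwise the chgrp can go. Both lines sit inside the `if ! virsh … list | grep "${VM_NAME}-clone"` block, whose start and end lie outside the hunk.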
@@ -1,50 +0,0 @@ -#!/usr/bin/bash - -set -eu - -# if less than one arguments supplied, display usage -if [[ $# -ne 1 ]]; then - echo "This script takes as input the name of the VM " >&2 - echo "Usage: $0 vm_name" >&2 - exit 1 -fi - -VM_NAME="$1" - -## Make sure VMs can read the base directory: -chgrp 1010 "/lmn/media/${SUDO_USER}" -chmod 0775 "/lmn/media/${SUDO_USER}" - -socket="/run/user/$(id -u $SUDO_USER)/virtiofs-${VM_NAME}.sock" - -# FIXME: This does not work. In windows, there is no virtiofs device. -# In GNU/Linux it's only readable. -# -#if ! systemctl -q is-active virtiofs-${VM_NAME}.socket ; then -# systemd-run --unit=virtiofs-${VM_NAME} \ -# --slice=system-virtiofs \ -# --collect \ -# --socket-property=ListenStream="$socket" \ -# --socket-property=Accept=no \ -# --socket-property=SocketMode=0700 \ -# --socket-property=SocketUser=${SUDO_USER} \ -# --property=Type=exec \ -# --property=StandardInput=socket \ -# /usr/local/bin/virtiofsd --log-level debug --sandbox none \ -# --syslog --fd=0 --shared-dir "/lmn/media/${SUDO_USER}" -#else -# systemctl restart virtiofs-${VM_NAME}.socket -#fi - -if [[ ! -S "$socket" ]] ; then - systemd-run --unit=virtiofs-${VM_NAME} \ - --slice=system-virtiofs \ - --collect \ - --property=Type=exec \ - --property=SuccessExitStatus=1 \ - --property="ExecStopPost=rm $socket" \ - /usr/local/bin/virtiofsd --socket-path "$socket" \ - --shared-dir "/lmn/media/${SUDO_USER}" -fi -sleep 1 -chown "${SUDO_USER}" "$socket"
diff --git a/roles/lmn_vm/files/vm-vminfo b/roles/lmn_vm/files/vm-vminfo
index 559d47f..c99627d 100755
--- a/roles/lmn_vm/files/vm-vminfo
+++ b/roles/lmn_vm/files/vm-vminfo
@@ -57,7 +57,9 @@ def get_krb5 (): def get_mounts(): mounts = [] mounts.append({ 'Drive': 'H', 'RemotePath': '\\\\server.pn.steinbeis.schule' + nethome.replace('/srv/samba/schools','').replace('/','\\'), 'Name': 'Home_Server' }) - mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\default-school\share', 'Name': 'Tausch' }) + mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\share', 'Name': 'Tausch' }) + if "role-teacher" in vminfo['Groups']: + mounts.append({ 'Drive': 'S', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\students', 'Name': 'SuS' }) return mounts def get_user_folders():
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index e2c312b..053c613 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -16,11 +16,13 @@ name: - aria2 - mktorrent + - guestfs-tools - libvirt-daemon-system - virt-manager - virt-viewer - dialog # for vm-netboot menu - python3-impacket + - virtiofsd # - name: allow all users to use VMs # lineinfile:
@@ -125,9 +127,7 @@ - vm-upload - vm-sync - vm-link-images - - vm-virtiofsd - vm-vminfo - - virtiofsd - vm-aria2 - uploadseed - desktop-sync
@@ -222,7 +222,7 @@ Description=Create .vminfo.json for VMs [Service] Type=simple - ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"' + ExecStart=/usr/bin/bash -c 'umask 077; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"' dest: /etc/systemd/user/vminfo.service mode: '0644'
diff --git a/roles/lmn_vpn/tasks/main.yml b/roles/lmn_vpn/tasks/main.yml
index b6da7e0..5daa5d0 100644
--- a/roles/lmn_vpn/tasks/main.yml
+++ b/roles/lmn_vpn/tasks/main.yml
@@ -29,3 +29,5 @@ - name: Configure Wireguard ansible.builtin.include_tasks: wg_config.yml when: vpn is defined and vpn == "wg" + tags: + - no_ansible_pull
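Review bot: The new teacher branch reads `vminfo['Groups']` from module scope inside `get_mounts()`; if that key is absent the function raises `KeyError`, and if `Groups` is a string rather than a list the `in` test becomes a substring match that would also accept any longer group name containing "role-teacher". `if "role-teacher" in vminfo.get('Groups', []):` covers the first case; the second depends on how `vminfo` is built, which lies outside the hunk and is worth a glance. The escape fix on the 'T' entry is right (`\d` and `\s` were never valid escapes); a raw string such as `r'\\server.pn.steinbeis.schule\default-school\share'` expresses the same path with fewer backslashes and would suit the new 'S' entry too.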
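Review bot: Switching the vminfo.service ExecStart to `umask 077` only governs files the redirection creates; `>` truncates an existing `.vminfo.json` in place and keeps its mode, so on hosts that already carry the group-readable file written under the previous `umask 027` the tightening has no effect until the file is removed. Recreating the file each run, e.g. `rm -f "…/.vminfo.json"; umask 077; /usr/local/bin/vm-vminfo > "…/.vminfo.json"` inside the same `bash -c`, makes the new mode apply on upgraded hosts as well. The package-list and file-list hunks of this file are consistent with the virtiofsd path change in vm-run and need nothing further.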
diff --git a/roles/lmn_wlan/tasks/main.yaml b/roles/lmn_wlan/tasks/main.yaml
index d5adcea..eb9bacf 100644
--- a/roles/lmn_wlan/tasks/main.yaml
+++ b/roles/lmn_wlan/tasks/main.yaml
@@ -39,3 +39,5 @@ - name: Configure WPA-Enterprise (EAP-TLS) ansible.builtin.include_tasks: eap-tls_check-certificate.yaml when: wlan == 'eap-tls' + tags: + - no_ansible_pull