diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml
index a06998b..ea3cf2e 100644
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@@ -33,6 +33,7 @@
 dest: /etc/profile.d/lmn-logout.sh
 mode: '0755'
 content: |
+ # logout script (may be empty)
 {% if localhome_logout_missing_serverhome %}
 [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
 {% endif %}
diff --git a/roles/lmn_misc/files/reporter b/roles/lmn_misc/files/reporter
deleted file mode 100755
index 2ee481f..0000000
--- a/roles/lmn_misc/files/reporter
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/bash
-#
-# Send stdout of some commands to monitoring server.
-# Collect the reports with 'nc -u -k -l 1234' on 'sendto'.
-# Use /bin/nc.openbsd, /bin/nc.traditional seems not to work.
-#
-set -eu
-
-sendto="collector.steinbeis.schule 1234"
-n=0
-
-cmds=(
- 'uname -a'
- 'tail -1 /var/local/ansible-stamps'
- 'ip route list default'
- 'ip link show | \
- sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \
- paste - -'
-)
-# 'w'
-# 'uptime'
-# 'ls -d --full-time /home/ansible/.ansible/tmp/'
-# 'ip addr show'
-# 'apt list --upgradeable -o Apt::Cmd::Disable-Script-Warning=true'
-
-r="$HOSTNAME ------- $(date --rfc-3339=seconds) -------
-$(for c in "${cmds[@]}" ; do
- n=$(( n + 1 ))
- echo -n "$n"
- eval "$c" | sed 's/^/\t/'
-done | sed "s/^/$HOSTNAME /")
-## -------------------------------------------------"
-echo "$r" | nc -w 1 -u $sendto
diff --git a/roles/lmn_misc/tasks/main.yml b/roles/lmn_misc/tasks/main.yml
index 23dce2b..212e418 100644
--- a/roles/lmn_misc/tasks/main.yml
+++ b/roles/lmn_misc/tasks/main.yml
@@ -98,7 +98,7 @@
 export superusers password_pbkdf2 root {{ grub_pwd }}
 notify: Run update-grub
- when: grub_pwd | bool | default(false)
+ when: grub_pwd is defined and grub_pwd is truthy
 - name: Allow booting grub menu entries
 ansible.builtin.lineinfile:
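Review bot: The rewritten guard `when: grub_pwd is defined and grub_pwd is truthy` uses a different idiom from the updater tasks added later in this same commit, which write `misc_updater_repository | default(false) is truthy`. Both forms skip the task when the variable is unset or empty, so settling on one across the roles would make the guards easier to audit; the same applies to the `apt_conf` and `ntp_serv` conditions in roles/lmn_network/tasks/main.yml. Because this guard decides whether the GRUB superuser password is written at all, a comment such as `# skipped when grub_pwd is unset or empty: GRUB menu stays unprotected` would make the fail-open behaviour explicit. The task itself starts above the hunk.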
@@ -190,6 +190,36 @@
 tags:
 - baseinstall
+# Updater
+
+- name: Provide services and timers for updater
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/etc/systemd/system/{{ item }}"
+ mode: '0644'
+ loop:
+ - lmn-updater.service
+ - lmn-updater.timer
+ when: misc_updater_repository | default(false) is truthy
+
+- name: Enable updater.timer
+ ansible.builtin.systemd:
+ name: lmn-updater.timer
+ enabled: true
+ when:
+ - misc_updater_repository | default(false) is truthy
+ - misc_updater_autostart | default(false) is truthy
+
+- name: Deploy inventory password file
+ ansible.builtin.copy:
+ dest: /root/.inventory-pw
+ owner: root
+ mode: '0640'
+ content: "{{ misc_updater_inventory_password }}"
+ when:
+ - misc_updater_repository | default(false) is truthy
+ - misc_updater_inventory_password | default(false) is truthy
+
 # Prepare CloneScreen on Presenter PCs
 - name: Fix primary screen for class room PCs with projector
diff --git a/roles/lmn_misc/templates/lmn-updater.service.j2 b/roles/lmn_misc/templates/lmn-updater.service.j2
new file mode 100644
index 0000000..76aad89
--- /dev/null
+++ b/roles/lmn_misc/templates/lmn-updater.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run LMN Client updates via ansible-pull
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/ansible-pull --only-if-changed --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \
+ -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml
+
diff --git a/roles/lmn_misc/templates/lmn-updater.timer.j2 b/roles/lmn_misc/templates/lmn-updater.timer.j2
new file mode 100644
index 0000000..b64fdea
--- /dev/null
+++ b/roles/lmn_misc/templates/lmn-updater.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run LMN Updater every day
+After=network-online.target
+
+[Timer]
+OnBootSec=5min
+
+[Install]
+WantedBy=timers.target
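Review bot: The `Deploy inventory password file` task writes the vault password with `mode: '0640'`, no `group:` and no `no_log`, so the file is readable by whatever group it ends up with, and the secret can show up in task output when the play runs with `--diff` or raised verbosity. I would use `mode: '0600'`, add `group: root`, and add `no_log: true` to the task. Separately, `Enable updater.timer` only sets `enabled: true` and nothing in the hunk reloads systemd after the unit files are templated, so `daemon_reload: true` looks necessary (plus `state: started` if the timer should arm before the next reboot).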
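Review bot: The `ExecStart` line runs, as root, whatever `{{ misc_updater_branch }}` of `{{ misc_updater_repository }}` currently contains, with no integrity check on the checkout, so control over the repository or the transport is equivalent to root on every client. ansible-pull offers `--verify-commit`, which aborts when the checked-out commit lacks a valid GPG signature; adding it, and documenting that the URL must be `https://` or `ssh://`, would close that gap. The three Jinja values are also substituted unquoted, so a value containing whitespace would split into extra arguments; `-i "{{ misc_updater_inventory }}"` and the same for the other two avoids that. Since `/root/.inventory-pw` is the vault password, root on any single client can presumably decrypt vaulted data for all hosts in the inventory, which deserves a comment in the role's defaults.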
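Review bot: `Description=Run LMN Updater every day` does not match the `[Timer]` section, which contains only `OnBootSec=5min` and therefore fires once per boot. If a daily run is intended, add `OnCalendar=daily` with `Persistent=true` (or `OnUnitActiveSec=1d`); otherwise reword the description to say it runs after boot. `After=network-online.target` on the timer unit orders only the timer itself, so to make the pull wait for the network, `Wants=network-online.target` and `After=network-online.target` belong in the `[Unit]` section of lmn-updater.service.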
diff --git a/roles/lmn_misc/templates/reporter.j2 b/roles/lmn_misc/templates/reporter.j2
index 6a19bec..e652b55 100755
--- a/roles/lmn_misc/templates/reporter.j2
+++ b/roles/lmn_misc/templates/reporter.j2
@@ -16,6 +16,7 @@ cmds=(
 'ip link show | \
 sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \
 paste - -'
+ 'systemctl --failed | grep -v "^$"'
 )
 # 'w'
 # 'uptime'
diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml
index 571c107..416a173 100644
--- a/roles/lmn_network/tasks/main.yml
+++ b/roles/lmn_network/tasks/main.yml
@@ -5,14 +5,14 @@
 mode: '0644'
 content: >
 {{ apt_conf }}
- when: apt_conf | bool | default(false)
+ when: apt_conf is defined and apt_conf is truthy
 - name: Set NTP server
 ansible.builtin.lineinfile:
 path: /etc/systemd/timesyncd.conf
 insertafter: '^#NTP='
 line: NTP={{ ntp_serv }}
- when: ntp_serv | bool | default(false)
+ when: ntp_serv is defined and ntp_serv is truthy
 - name: Add proposed-updates repository
 ansible.builtin.apt_repository:
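Review bot: The added entry `'systemctl --failed | grep -v "^$"'` forwards systemctl's human-oriented table, header and unit-count footer included, and uses grep only to drop blank lines. `'systemctl --failed --no-legend --plain --no-pager'` yields one line per failed unit without the decoration and needs no grep. If the rest of reporter.j2 matches the deleted files/reporter, this output leaves the host as unauthenticated cleartext UDP, so a comment beside the list noting that failed unit names are now disclosed on the network would help. The `cmds` array starts above the hunk.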