diff --git a/bundles/mariadb/README.md b/bundles/mariadb/README.md
new file mode 100644
index 0000000..854ce9e
--- /dev/null
+++ b/bundles/mariadb/README.md
@@ -0,0 +1 @@
+https://mariadb.com/kb/en/systemd/#configuring-mariadb-to-write-the-error-log-to-syslog
diff --git a/bundles/mariadb/files/override.conf b/bundles/mariadb/files/override.conf
new file mode 100644
index 0000000..ae2fccd
--- /dev/null
+++ b/bundles/mariadb/files/override.conf
@@ -0,0 +1,11 @@
+% for section, options in sorted(conf.items()):
+[${section}]
+% for key, value in sorted(options.items()):
+% if value is None:
+${key}
+% else:
+${key} = ${value}
+% endif
+% endfor
+
+% endfor
diff --git a/bundles/mariadb/items.py b/bundles/mariadb/items.py
new file mode 100644
index 0000000..031a386
--- /dev/null
+++ b/bundles/mariadb/items.py
@@ -0,0 +1,89 @@
+from shlex import quote
+
+def mariadb(sql, **kwargs):
+    kwargs_string = ''.join(f" --{k} {v}" for k, v in kwargs.items())
+    return f"mariadb{kwargs_string} -Bsr --execute {quote(sql)}"
+
+directories = {
+    '/var/lib/mysql': {
+        'owner': 'mysql',
+        'group': 'mysql',
+        'needs': [
+            'zfs_dataset:tank/mariadb',
+        ],
+        'needed_by': [
+            'pkg_apt:mariadb-server',
+        ],
+    },
+}
+
+files = {
+    '/etc/mysql/conf.d/override.conf': {
+        'context': {
+            'conf': node.metadata.get('mariadb/conf'),
+        },
+        'content_type': 'mako',
+    },
+}
+
+svc_systemd = {
+    'mariadb.service': {
+        'needs': [
+            'pkg_apt:mariadb-server',
+        ],
+    },
+}
+
+actions = {
+    'mariadb_sec_remove_anonymous_users': {
+        'command': mariadb("DELETE FROM mysql.global_priv WHERE User=''"),
+        'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User = ''") + " | grep -q '^0$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+        'triggers': [
+            'svc_systemd:mariadb.service:restart',
+        ],
+    },
+    'mariadb_sec_remove_remote_root': {
+        'command': mariadb("DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"),
+        'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')") + " | grep -q '^0$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+        'triggers': [
+            'svc_systemd:mariadb.service:restart',
+        ],
+    },
+}
+
+for db, conf in node.metadata.get('mariadb/databases', {}).items():
+    actions[f'mariadb_create_database_{db}'] = {
+        'command': mariadb(f"CREATE DATABASE {db}"),
+        'unless': mariadb(f"SHOW DATABASES LIKE '{db}'") + f" | grep -q '^{db}$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+    }
+    actions[f'mariadb_user_{db}_create'] = {
+        'command': mariadb(f"CREATE USER {db}"),
+        'unless': mariadb(f"SELECT User FROM mysql.user WHERE User = '{db}'") + f" | grep -q '^{db}$'",
+        'needs': [
+            f'action:mariadb_create_database_{db}',
+        ],
+    }
+    pw = conf['password']
+    actions[f'mariadb_user_{db}_password'] = {
+        'command': mariadb(f"SET PASSWORD FOR {db} = PASSWORD('{conf['password']}')"),
+        'unless': f'echo {quote(pw)} | mariadb -u {db} -e quit -p',
+        'needs': [
+            f'action:mariadb_user_{db}_create',
+        ],
+    }
+    actions[f'mariadb_grant_privileges_to_{db}'] = {
+        'command': mariadb(f"GRANT ALL PRIVILEGES ON {db}.* TO '{db}'", database=db),
+        'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.* TO `{db}`@`%`'",
+        'needs': [
+            f'action:mariadb_user_{db}_create',
+        ],
+    }
diff --git a/bundles/mariadb/metadata.py b/bundles/mariadb/metadata.py
new file mode 100644
index 0000000..869e3e6
--- /dev/null
+++ b/bundles/mariadb/metadata.py
@@ -0,0 +1,36 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'mariadb-server': {},
+        },
+    },
+    'mariadb': {
+        'databases': {},
+        'conf': {
+            # https://www.reddit.com/r/zfs/comments/u1xklc/mariadbmysql_database_settings_for_zfs
+            'mysqld': {
+                'skip-innodb_doublewrite': None,
+                'innodb_flush_method': 'fsync',
+                'innodb_doublewrite': '0',
+                'innodb_use_atomic_writes': '0',
+                'innodb_use_native_aio': '0',
+                'innodb_read_io_threads': '10',
+                'innodb_write_io_threads': '10',
+                'innodb_buffer_pool_size': '26G',
+                'innodb_flush_log_at_trx_commit': '1',
+                'innodb_log_file_size': '1G',
+                'innodb_flush_neighbors': '0',
+                'innodb_fast_shutdown': '2',
+            },
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/mariadb': {
+                'mountpoint': '/var/lib/mysql',
+                'recordsize': '16384',
+                'atime': 'off',
+            },
+        },
+    },
+}
diff --git a/bundles/wordpress/README.md b/bundles/wordpress/README.md
new file mode 100644
index 0000000..d623775
--- /dev/null
+++ b/bundles/wordpress/README.md
@@ -0,0 +1 @@
+https://developer.wordpress.org/advanced-administration/upgrade/upgrading/
diff --git a/bundles/wordpress/files/check_wordpress_insecure b/bundles/wordpress/files/check_wordpress_insecure
new file mode 100644
index 0000000..e7294e8
--- /dev/null
+++ b/bundles/wordpress/files/check_wordpress_insecure
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SITE=$1
+VERSION=$(php -r "require('/opt/$SITE/wp-includes/version.php'); echo \$wp_version;")
+STATUS=$(curl -ssL http://api.wordpress.org/core/stable-check/1.0/ | jq -r '.["'$VERSION'"]')
+
+echo "WordPress $VERSION is '$STATUS'"
+
+if [[ "$STATUS" == latest ]]
+then
+  exit 0
+elif [[ "$STATUS" == outdated ]]
+then
+  exit 1
+elif [[ "$STATUS" == insecure ]]
+then
+  if test -f /etc/nginx/sites/$SITE
+  then
+    rm /etc/nginx/sites/$SITE
+    systemctl restart nginx
+  fi
+  exit 2
+else
+  exit 2
+fi
diff --git a/bundles/wordpress/files/print-version.php b/bundles/wordpress/files/print-version.php
new file mode 100644
index 0000000..3bf8de5
--- /dev/null
+++ b/bundles/wordpress/files/print-version.php
@@ -0,0 +1,5 @@
+<?php
+
+require_once '${path}/wp-includes/version.php';
+
+echo "$wp_version";
diff --git a/bundles/wordpress/files/wp-config.php b/bundles/wordpress/files/wp-config.php
new file mode 100644
index 0000000..e69de29
diff --git a/bundles/wordpress/items.py b/bundles/wordpress/items.py
new file mode 100644
index 0000000..ce51eca
--- /dev/null
+++ b/bundles/wordpress/items.py
@@ -0,0 +1,12 @@
+files = {
+    '/usr/lib/nagios/plugins/check_wordpress_insecure': {
+        'mode': '0750',
+    },
+}
+
+for site, conf in node.metadata.get('wordpress').items():
+    directories[f'/opt/{site}'] = {
+        'owner': 'www-data',
+        'group': 'www-data',
+        'mode': '0755',
+    }
diff --git a/bundles/wordpress/metadata.py b/bundles/wordpress/metadata.py
new file mode 100644
index 0000000..33a4e11
--- /dev/null
+++ b/bundles/wordpress/metadata.py
@@ -0,0 +1,84 @@
+defaults = {}
+
+
+@metadata_reactor.provides(
+    'wordpress',
+)
+def wordpress(metadata):
+    return {
+        'wordpress': {
+            site: {
+                'db_password': repo.vault.password_for(f"wordpress {site} db").value,
+            }
+                for site in metadata.get('wordpress')
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'mariadb/databases',
+)
+def mariadb(metadata):
+    return {
+        'mariadb': {
+            'databases': {
+                site: {
+                    'password': metadata.get(f'wordpress/{site}/db_password')
+                }
+                    for site in metadata.get('wordpress')
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts'
+)
+def vhost(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                conf['domain']: {
+                    'content': 'wordpress/vhost.conf',
+                    'context': {
+                        'root': f'/opt/{site}',
+                    },
+                }
+                    for site, conf in metadata.get('wordpress').items()
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'zfs/datasets',
+)
+def zfs(metadata):
+    return {
+        'zfs': {
+            'datasets': {
+                f'tank/{site}': {
+                    'mountpoint': f'/opt/{site}',
+                }
+                    for site in metadata.get('wordpress')
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'monitoring/services',
+)
+def check_insecure(metadata):
+    return {
+        'monitoring': {
+            'services': {
+                f'wordpress {site} insecure': {
+                    'vars.command': f'/usr/lib/nagios/plugins/check_wordpress_insecure {site}',
+                    'check_interval': '30m',
+                    'vars.sudo': True,
+                }
+                    for site in metadata.get('wordpress')
+            },
+        },
+    }
diff --git a/data/wordpress/vhost.conf b/data/wordpress/vhost.conf
new file mode 100644
index 0000000..61b678e
--- /dev/null
+++ b/data/wordpress/vhost.conf
@@ -0,0 +1,43 @@
+# Upstream to abstract backend connection(s) for php
+server {
+    listen 443      ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${server_name};
+    root ${root};
+    index index.php;
+
+    ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location / {
+        # This is cool because no php is touched for static content.
+        # include the "?$args" part so non-default permalinks doesn't break when using query string
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    location ~ \.php$ {
+        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+        include params/fastcgi;
+        fastcgi_intercept_errors on;
+        fastcgi_pass php-handler;
+        # The following parameter can be also included in fastcgi_params file
+        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+    }
+}
diff --git a/groups/applications/wordpress.py b/groups/applications/wordpress.py
new file mode 100644
index 0000000..f802d76
--- /dev/null
+++ b/groups/applications/wordpress.py
@@ -0,0 +1,8 @@
+{
+    'bundles': [
+        'letsencrypt',
+        'mariadb',
+        'nginx',
+        'wordpress',
+    ],
+}
diff --git a/nodes/home.backups.py b/nodes/home.backups.py
index aa0c79c..8d70e94 100644
--- a/nodes/home.backups.py
+++ b/nodes/home.backups.py
@@ -1,4 +1,5 @@
 {
+    'dummy': True,
     'hostname': '10.0.0.5',
     'groups': [
         'autologin',
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 5dbf73d..70b9838 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -111,7 +111,7 @@
         },
         'nextcloud': {
             'hostname': 'cloud.sublimity.de',
-            'version': '27.1.4',
+            'version': '28.0.1',
             'config': {
                 'instanceid': 'oci6dw1woodz',
                 'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index cf60377..af45e7c 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -7,6 +7,7 @@
         'monitored',
         'webserver',
         'dnsserver',
+        'wordpress',
         #'left4dead2',
     ],
     'bundles': [
@@ -21,6 +22,11 @@
         'zfs',
     ],
     'metadata': {
+        'wordpress': {
+            'elimukwanza': {
+                'domain': 'elimu-kwanza.de',
+            },
+        },
         'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
         'network': {
             'internal': {
@@ -73,10 +79,6 @@
                 'A': ['202.61.255.108'],
                 'AAAA': ['2a01:4f8:1c1c:4121::1'],
             },
-            'elimu-kwanza.de': {
-                'A': ['202.61.255.108'],
-                'AAAA': ['2a01:4f8:1c1c:4121::1'],
-            },
         },
         'download-server': {
             'hostname': 'dl.sublimity.de',
@@ -172,14 +174,6 @@
                     },
                     'internal_dns': False,
                 },
-                'elimu-kwanza.de': {
-                    'content': 'nginx/message.conf',
-                    'context': {
-                        'title': 'Im Aufbau/under construction',
-                        'message': '<a href=mailto:info@elimu-kwanza.de>info@elimu-kwanza.de</a>',
-                    },
-                    'internal_dns': False,
-                },
                 'cronekorkn.de': {
                     'content': 'nginx/redirect.conf',
                     'context': {