diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7d6630c..3e1ea18 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -191,6 +191,16 @@ run-setup-prodwork01:
   only:
     - prodnso
 
+run-setup-demompmx:
+  extends: .run-setup
+  resource_group: demompmx
+  before_script:
+    - export STAGE=demompmx
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+  only:
+    - main
+
+
 ########
 ###   http://patorjk.com/software/taag/#p=display&f=Doom&t=smardigo.yml
 ###
@@ -251,6 +261,15 @@ run-management-update-prodnso:
   only:
     - prodnso
 
+run-management-update-demompmx:
+  extends: .run-management-update
+  resource_group: demompmx
+  before_script:
+    - export STAGE=demompmx
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+  only:
+    - main
+
 ########
 ###   http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
 ###
@@ -485,8 +504,64 @@ run-patchday-k8s-prodwork01:
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
 
+run-patchday-elastic-demompmx:
+  extends: .run-patchday
+  stage: run-patchday-elastic-postgres
+  resource_group: demompmx
+  script:
+    - export STAGE=demompmx
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'elastic'
+  after_script:
+    - rm /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
+
+run-patchday-postgres-demompmx:
+  extends: .run-patchday
+  stage: run-patchday-elastic-postgres
+  resource_group: demompmx
+  script:
+    - export STAGE=demompmx
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'postgres'
+  after_script:
+    - rm /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
+
+run-patchday-all-demompmx:
+  extends: .run-patchday
+  stage: run-patchday-all-k8s
+  resource_group: demompmx
+  script:
+    - export STAGE=demompmx
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!elastic:!postgres:!k8s_cluster'
+  after_script:
+    - rm /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
+
+run-patchday-k8s-demompmx:
+  extends: .run-patchday
+  stage: run-patchday-all-k8s
+  resource_group: demompmx
+  script:
+    - export STAGE=demompmx
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
+  after_script:
+    - rm /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
+
 ########
-###   http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=hcloud-firewall.yml
 ###
 ###    _          _                 _    __ _                        _ _                  _
 ###   | |        | |               | |  / _(_)                      | | |                | |
@@ -553,6 +628,15 @@ run-hcloud-firewall-prodwork01:
   only:
     - prodnso
 
+run-hcloud-firewall-demompmx:
+  extends: .run-hcloud-firewall
+  resource_group: demompmx
+  before_script:
+    - export STAGE=demompmx
+    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
+  only:
+    - main
+
 ########
 ###   http://patorjk.com/software/taag/#p=display&f=Doom&t=Digitialocean
 ###