diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 43194ec..925eb41 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -53,6 +53,8 @@ builder-job: - dind - harbor # 05.02.22 TODO some runners run into timeouts +################################################################################## + .run-ansible: image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest script: @@ -71,7 +73,6 @@ builder-job: - dind - harbor # 05.02.22 TODO some runners run into timeouts - ######## ### http://patorjk.com/software/taag/#p=display&f=Doom&t=setup.yml ### @@ -89,11 +90,6 @@ builder-job: stage: run-setup script: - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci - after_script: - - rm /tmp/vault-pass - tags: - - dind - - harbor # 05.02.22 TODO some runners run into timeouts run-kubernetes-dev: extends: .run-setup @@ -135,24 +131,10 @@ run-kubernetes-prodnso: ### |___/ .run-kubernetes: - image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest + extends: .run-ansible stage: run-kubernetes script: - - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' - - mkdir -p ~/.ssh - - chmod 0700 ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' - - ssh-add -L - - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass - - export HETZNER_LABEL_SELECTOR="stage=${STAGE}" - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml kubernetes.yml --vault-password-file /tmp/vault-pass -u gitlabci - after_script: - - rm /tmp/vault-pass - tags: - - dind - - harbor # 05.02.22 TODO some runners run into timeouts run-kubernetes-dev: extends: .run-kubernetes 
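Review bot: In `.run-kubernetes`, the job keeps its own `script:` while now inheriting from `.run-ansible`, and GitLab's `extends` merges mappings but replaces arrays, so this one-line `script:` overrides the template's `script:` instead of appending to it. If the ssh-agent setup and the write of `/tmp/vault-pass` now live in `.run-ansible`'s `script:` (its body is outside this hunk, so this is inferred), they will not run here and `--vault-password-file /tmp/vault-pass` will point at a file that was never created. Pulling the shared steps in explicitly avoids that: make `- !reference [.run-ansible, script]` the first entry of this `script:`. The same applies to `.run-setup` in the previous hunk and to `.run-management-update` and `.run-patchday` later in the diff. Since every job drops its own `after_script`, also confirm that the template still carries `- rm /tmp/vault-pass`, so the vault password does not stay on the runner.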
@@ -193,31 +175,17 @@ run-kubernetes-prodnso: ### __/ | __/ | ### |___/ |___/ -.management: - image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest - # A resource group ensures a job is mutually exclusive across different pipelines for the same project. +.run-management-update: + extends: .run-ansible stage: run-management-update script: - - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' - - mkdir -p ~/.ssh - - chmod 0700 ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' - - ssh-add -L - - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass - - export HETZNER_LABEL_SELECTOR="stage=${STAGE}" - ansible-playbook -i stage-$STAGE smardigo.yml --vault-password-file=/tmp/vault-pass -l management -t update_configurations -u gitlabci only: changes: - smardigo/**/* - except: - - schedules - tags: - - dind -management-dev: - extends: .management +run-management-update-dev: + extends: .run-management-update resource_group: dev before_script: - export STAGE=dev @@ -225,8 +193,8 @@ management-dev: - main - schedules -management-qa: - extends: .management +run-management-update-qa: + extends: .run-management-update resource_group: qa before_script: - export STAGE=qa @@ -234,8 +202,8 @@ management-qa: - qa - schedules -management-prodnso: - extends: .management +run-management-update-prodnso: + extends: .run-management-update resource_group: prodnso before_script: - export STAGE=prodnso 
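Review bot: Removing `except: - schedules` from `.run-management-update` means nothing in the template keeps this playbook out of scheduled pipelines any more, and the child jobs visible below list `schedules` among their refs. `only: changes:` is not a guard there, because GitLab evaluates `changes` as true when the pipeline does not come from a push or merge request. If running `update_configurations` against the management hosts (including `prodnso`) on every schedule is not intended, keep the `except:` entry for `schedules` in the template. The old `.management` block also had no `after_script` cleanup of `/tmp/vault-pass`, so confirm that `.run-ansible` (outside this hunk) now provides it.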
@@ -255,31 +223,15 @@ management-prodnso: ### | | __/ | __/ | ### |_| |___/ |___/ -.patchday: - image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest +.run-patchday: + extends: .run-ansible stage: run-patchday script: - - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' - - mkdir -p ~/.ssh - - chmod 0700 ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' - - ssh-add -L - - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass - - export HETZNER_LABEL_SELECTOR="stage=${STAGE}" - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci - after_script: - - rm /tmp/vault-pass when: manual - only: - - main - tags: - - dind - - harbor # 05.02.22 TODO some runners run into timeouts -patchday-dev: - extends: .patchday +run-patchday-dev: + extends: .run-patchday resource_group: dev before_script: - export STAGE=dev @@ -287,8 +239,8 @@ patchday-dev: - main - schedules -patchday-qa: - extends: .patchday +run-patchday-qa: + extends: .run-patchday resource_group: qa before_script: - export STAGE=qa @@ -296,8 +248,8 @@ patchday-qa: - qa - schedules -patchday-prodnso: - extends: .patchday +run-patchday-prodnso: + extends: .run-patchday resource_group: prodnso before_script: - export STAGE=prodnso
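Review bot: The `script:` line of `.run-patchday` names the playbook twice (`patchday.yml patchday.yml`), and `ansible-playbook` runs every playbook given on the command line, so the patch run would execute twice per job; the commit carries this line over unchanged. Suggested: `- ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci`. With `only: - main` removed from the template, the branch restriction for this manual job rests entirely on each child job's own ref list. The refs of the `prodnso` child are outside the visible hunk, so it is worth checking that it is limited to a protected branch.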