diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index 566f1b4..c945fc2 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -74,7 +74,6 @@ backupuser_user_name: backupuser
 hetzner_ssh_keys:
   - "claus.paetow@netgo.de"
   - "friedrich.goerz@netgo.de"
-  - "peter.heise@netgo.de"
   - "sven.ketelsen@netgo.de"
   - "michael.haehnel@netgo.de"
   - "hoan.to@netgo.de"
@@ -117,10 +116,8 @@ default_users:
 default_plattform_users:
   - 'claus.paetow'
   - 'friedrich.goerz'
-  - 'peter.heise'
   - 'sven.ketelsen'
   - 'michael.haehnel'
-  - 'philipp.eichhorn'
   - 'hoan.to'
   - '{{ awx_ansible_user_name }}'
   - '{{ gitlab_ansible_user_name }}'
diff --git a/group_vars/stage_devscr/plain.yml b/group_vars/stage_devscr/plain.yml
index a729a80..3002795 100644
--- a/group_vars/stage_devscr/plain.yml
+++ b/group_vars/stage_devscr/plain.yml
@@ -5,16 +5,14 @@ stage: "devscr"
 default_plattform_users:
   - 'claus.paetow'
   - 'friedrich.goerz'
-  - 'peter.heise'
   - 'sven.ketelsen'
   - 'michael.haehnel'
-  - 'philipp.eichhorn'
   - 'hoan.to'
   - '{{ awx_ansible_user_name }}'
   - '{{ gitlab_ansible_user_name }}'
   - 'daniel.risse'
   - 'esther.fuhrmann'
-  - 'bas.cancrinus'
+  - 'philipp.eichhorn'
 
 # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
diff --git a/stage-ext-netgo-hcloud.yml b/stage-ext-netgo-hcloud.yml
new file mode 100644
index 0000000..eaaf484
--- /dev/null
+++ b/stage-ext-netgo-hcloud.yml
@@ -0,0 +1,26 @@
+#  dynamic inventory for hetzner which reads the stage variable from environment
+#
+#  parameters:
+#    HETZNER_CLOUD_TOKEN := hetzner cloud api token
+#    HETZNER_LABEL_SELECTOR := the label selector to use (note: multiple selectors are not supported by rest api)
+#      (e.g. stage=dev)
+#      (e.g. service=prometheus)
+#  usage:
+#    export HETZNER_LABEL_SELECTOR='stage=dev'
+#    ansible-playbook -i stage-netgo-hcloud.yml ...
+
+plugin: netgo-hcloud
+
+stage: "ext"
+label_selector: "stage=ext" # jinja isn't available here
+
+api_token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          39356339353061313966656333373665666266626265626662386430613838656561323565373731
+          3735623333336561326236303832373631376533313830320a343037336365316138323163346464
+          66623363663662623862636264366539386262303864336233643765613232356666323431366633
+          3836386533386338650a626631313731326635633132383538313131353238623665313839376437
+          35353639373432633563666566643262623534353032326166356566393661623066643339313337
+          37646238306334636230626630303766633730376439613339366239353434626238313138376136
+          62393464323135643333353436626361363230373331643838633765626137383834366665613366
+          63656661643836353365
diff --git a/users/bas.cancrinus/ssh.pub b/users/outdated/bas.cancrinus.2022.09.23.pub
similarity index 100%
rename from users/bas.cancrinus/ssh.pub
rename to users/outdated/bas.cancrinus.2022.09.23.pub
diff --git a/users/peter.heise/ssh.pub b/users/outdated/peter.heise.2022.09.23.pub
similarity index 100%
rename from users/peter.heise/ssh.pub
rename to users/outdated/peter.heise.2022.09.23.pub