diff --git a/webserver/docker_gitlab/templates/docker-compose.yml b/webserver/docker_gitlab/templates/docker-compose.yml
index fe57d498fa6e5c128150b5c8f16abd3759329d2f..43848b45553c9a93c674e78911b3c860971870f3 100644
--- a/webserver/docker_gitlab/templates/docker-compose.yml
+++ b/webserver/docker_gitlab/templates/docker-compose.yml
@@ -2,7 +2,7 @@ services:
 
   app:
 
-    image: gitlab/gitlab-ce:latest
+    image: gitlab/gitlab-ce:17.2.2-ce.0
     restart: always
     ports:
       - "444:22"
diff --git a/webserver/docker_tandoor/Documentation.md b/webserver/docker_tandoor/Documentation.md
new file mode 100644
index 0000000000000000000000000000000000000000..87af86d029c64ce528282c361c380e8f6f4f10be
--- /dev/null
+++ b/webserver/docker_tandoor/Documentation.md
@@ -0,0 +1,32 @@
+
+# Overview 
+
+* Authentication to Tandoor is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'tandoor_access' can access the Application 
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in Tandoor
+
+All setup is done in the docker-compose.yml
+References: 
+* https://docs.tandoor.dev/features/authentication/
+
+## Setup in uffd
+
+Create Groups:
+
+- tandoor_access: General Access to Tandoor
+
+Create a Service / OAuth Client: 
+
+Only Users with goup grafana_access can access Tandoor 
+
+Client-ID: tandoor
+Client-Secret: from file openid_client_secret on the server
+Redirect-URIs: 
+* https://tandoor.test-warpzone.de/accounts/oidc/uffd/login/callback/
+
diff --git a/webserver/docker_tandoor/tasks/main.yml b/webserver/docker_tandoor/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c0629fad12138fca891f93f14cdcdfcd5ec3330
--- /dev/null
+++ b/webserver/docker_tandoor/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: "{{ basedir }}/secrets/secret_key",  length: 32 }
+    - { path: "{{ basedir }}/secrets/postgres_user_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/tandooradmin_user_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/openid_client_secret",  length: 32 }
+
+
+- name: "create folder struct for {{ servicename }}"
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "{{ basedir }}"
+    - "{{ basedir }}/secrets"
+    - "{{ basedir }}/db"
+    - "{{ basedir }}/staticfiles"
+    - "{{ basedir }}/mediafiles"
+
+
+- name: "deploy {{ servicename }} config files"
+  template:
+    dest:  "{{ basedir }}/{{ item }}"
+    src: "{{ item }}"
+  with_items:
+    - docker-compose.yml
+  register: config
+
+
+- name: "stop {{ servicename }} docker"
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: absent
+  when: config.changed
+
+- name: "start {{ servicename }} docker"
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: present
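Review bot: The `template` task that deploys docker-compose.yml sets no `mode`, so the rendered file is created with the default umask permissions even though the template added in this commit writes the Postgres password, the Django secret key and the OIDC client secret into it. Adding `mode: "0600"` to that task would keep the secrets readable only by the owning user. The `file` task that creates `{{ basedir }}/secrets` likewise sets no `mode`; creating that directory as its own item with `mode: "0700"` would keep it from being world-listable. The `include_tasks` call for get_secret.yml also runs before the task that creates `{{ basedir }}/secrets`; whether get_secret.yml creates the directory itself is not visible here, so the ordering is worth confirming on a fresh host.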
diff --git a/webserver/docker_tandoor/templates/docker-compose.yml b/webserver/docker_tandoor/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0f9d348bc8f9ea20d467a7e32028cae3caa4aafe
--- /dev/null
+++ b/webserver/docker_tandoor/templates/docker-compose.yml
@@ -0,0 +1,53 @@
+
+services:
+
+
+  db:
+
+    image: postgres:16-alpine
+    restart: always
+    volumes:
+      - "{{ basedir }}/db:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: tandoor
+      POSTGRES_PORT: 5432
+      POSTGRES_USER: tandoor
+      POSTGRES_PASSWORD: "{{ postgres_user_pass }}"
+    networks:
+      - default
+
+
+  app:
+
+    restart: always
+    image: vabene1111/recipes:latest
+    depends_on:
+      - db
+    volumes:
+      - "{{ basedir }}/staticfiles:/opt/recipes/staticfiles"
+      - "{{ basedir }}/mediafiles:/opt/recipes/mediafiles"
+    environment:
+      SECRET_KEY: {{ secret_key }}
+      DB_ENGINE: django.db.backends.postgresql
+      POSTGRES_HOST: db
+      POSTGRES_DB: tandoor
+      POSTGRES_PORT: 5432
+      POSTGRES_USER: tandoor
+      POSTGRES_PASSWORD: "{{ postgres_user_pass }}"
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      SOCIALACCOUNT_PROVIDERS: '{"openid_connect":{"APPS":[{"provider_id":"uffd","name":"uffd","client_id":"tandoor","secret":"{{ openid_client_secret }}","settings":{"server_url":"{{ oidc_global.provider_url }}/.well-known/openid-configuration"}}]}}'
+      SOCIAL_DEFAULT_GROUP: "warpzone"
+      ENABLE_SIGNUP: "False"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8080
+    networks:
+      - default
+      - web
+
+
+networks:
+  web:
+    external: true
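Review bot: `SECRET_KEY: {{ secret_key }}` in the app service's environment is the only templated value left unquoted. If the generated secret is all digits or starts with a YAML indicator character, it will be retyped or will break parsing of the rendered file, so it should read `SECRET_KEY: "{{ secret_key }}"` like the other entries. In the same way, `{{ openid_client_secret }}` is spliced into the single-quoted JSON of `SOCIALACCOUNT_PROVIDERS`, which is only safe if get_secret.yml never emits `"`, `'` or `\`; its character set is not visible in this diff, so that is worth confirming. Separately, `image: vabene1111/recipes:latest` floats, while this same commit pins gitlab-ce to a fixed tag. Pinning the Tandoor image to a specific release tag (or digest) would make it an explicit change rather than something that happens whenever the image is next pulled.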