diff --git a/ejabberd/Makefile b/ejabberd/Makefile
index de219eb..34354c8 100644
--- a/ejabberd/Makefile
+++ b/ejabberd/Makefile
@@ -1,15 +1,21 @@
-02firstboot = $(CHROOT)/etc/local.d/02firstboot.start
-cert-renew.sh = $(CHROOT)/usr/local/bin/cert-renew.sh
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
 nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig
 example_com_conf = $(CHROOT)/etc/nginx/conf.d/example.com.conf
 ejabberd_example_com_conf = $(CHROOT)/etc/nginx/conf.d/ejabberd.example.com.conf
 
+systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+	mkdir -p $(CHROOT)/usr/local/bin
+	cp appliance/PostgreSQL-Backup.sh $(CHROOT)/usr/local/bin/
+	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
 $(02firstboot): appliance/02firstboot.start
-	mkdir -p $(CHROOT)/etc/local.d
+	mkdir -p $(CHROOT)/usr/local/bin
 	cp $< $@
 	touch $(CHROOT)/02firstboot
 
 $(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
 	cp $< $@
 
 $(nginx_conf): nginx/nginx.conf
@@ -29,7 +35,7 @@ preinstall:
 	mkdir -p $(CHROOT)/etc/ssl/ejabberd
 	touch $(CHROOT)/etc/ssl/ejabberd/server.pem
 
-postinstall: $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh)
+postinstall: systemd-units $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh)
 	# workaround for https://bugs.gentoo.org/716968
 	rm -rf $(CHROOT)/etc/ssl/ejabberd
 	# configure postgresql
diff --git a/ejabberd/appliance/02firstboot.start b/ejabberd/appliance/02firstboot.start
index 5878ba7..daa280e 100755
--- a/ejabberd/appliance/02firstboot.start
+++ b/ejabberd/appliance/02firstboot.start
@@ -2,7 +2,7 @@
 
 # variables
 LABEL="DATA"
-DATABASE_PASS="Di1sgPgSQLPw."
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
 TLD="example.com"
 HOST="ejabberd"
 ORGNAME="Ejabberd example"
@@ -15,36 +15,17 @@ PGVER=$(eselect postgresql show)
 [ -e /01firstboot ] && exit 0
 [ -e /02firstboot ] || exit 0
 
-if [ ! -d "/$LABEL/var/lib/postgresql" ]; then
-	echo 'Start PostgeSQL DB, create ejabberd database...'
-	systemctl stop postgresql-$PGVER
-	mkdir -p "/$LABEL/var/lib"
-	rm -rf "/$LABEL/var/lib/postgresql.orig"
-	cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
-	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql"
-	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
-	systemctl start postgresql-$PGVER
-	psql -U postgres -d postgres -c "CREATE ROLE ejabberd WITH LOGIN;"
-	psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
-	psql -U postgres -d postgres -c "CREATE DATABASE ejabberd WITH OWNER ejabberd;"
-	psql -U ejabberd -d ejabberd < /usr/share/ejabberd/sql/pg.new.sql
-else
-	echo 'start PostgreSQL DB...'
-	rm -rf "/$LABEL/var/lib/postgresql.orig"
-	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
-	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
-	systemctl start postgresql-$PGVER
-fi
-
-if [ ! -f "/$LABEL/etc/jabber/ejabberd.yml" ]; then
-	echo 'edit ejabberd configuration'
+if [ ! -L "/etc/jabber/ejabberd.yml" ]; then
+    if [ ! -f "/$LABEL/etc/jabber/ejabberd.yml" ]; then
+	echo 'Create ejabberd configuration'
 	mkdir -p "/$LABEL/etc/jabber"
 	chown jabber:jabber "/$LABEL/etc/jabber"
 	chmod 770  "/$LABEL/etc/jabber"
-	cp "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml.orig"
-	mv "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml"
-	ln -s "/$LABEL/etc/jabber/ejabberd.yml" "/etc/jabber/ejabberd.yml"
+	cp "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml"
+	chown root:jabber "/$LABEL/etc/jabber/ejabberd.yml"
+	mv "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml.orig"
 	sed -i 's#  - localhost#  - localhost\n  - example.com#' "/$LABEL/etc/jabber/ejabberd.yml"
+	sed -i 's/  - \/etc\/ssl\/ejabberd\/server.pem/  - \/etc\/ssl\/ejabberd\/server.pem\n  - \/etc\/ssl\/ejabberd\/server.key/' "/$LABEL/etc/jabber/ejabberd.yml"
 	sed -i 's/listen:/### ==============\n### DATABASE SETUP\n\nlisten:/' "/$LABEL/etc/jabber/ejabberd.yml"
 	sed -i 's/listen:/sql_type: pgsql\nlisten:/' "/$LABEL/etc/jabber/ejabberd.yml"
 	sed -i 's/listen:/sql_server: "localhost"\nlisten:/' "/$LABEL/etc/jabber/ejabberd.yml"
@@ -53,25 +34,72 @@ if [ ! -f "/$LABEL/etc/jabber/ejabberd.yml" ]; then
 	sed -i "s/listen:/sql_password: \"$DATABASE_PASS\"\\nlisten:/" "/$LABEL/etc/jabber/ejabberd.yml"
 	sed -i 's/listen:/default_db: sql\nlisten:/' "/$LABEL/etc/jabber/ejabberd.yml"
 	sed -i 's/listen:/new_sql_schema: true\n\nlisten:/' "/$LABEL/etc/jabber/ejabberd.yml"
-else
-	mv "/$LABEL/etc/jabber/ejabberd.yml.orig" "/$LABEL/etc/jabber/ejabberd.yml.orig-alt"
-	mv "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml.orig"
 	ln -s "/$LABEL/etc/jabber/ejabberd.yml" "/etc/jabber/ejabberd.yml"
+    else
+	echo 'Linking ejabberd configuration'
+	cp -f "/$LABEL/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml.alt"
+	mv -f "/$LABEL/etc/jabber/ejabberd.yml.orig" "/$LABEL/etc/jabber/ejabberd.yml.orig-alt"
+	mv -f "/etc/jabber/ejabberd.yml" "/$LABEL/etc/jabber/ejabberd.yml.orig"
+	ln -s "/$LABEL/etc/jabber/ejabberd.yml" "/etc/jabber/ejabberd.yml"
+    fi
 fi
 
-if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then
-	echo 'Create certificates...'
-	mkdir -p "/$LABEL/CERTS/KEYS/"
-	mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
-	echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD , DNS:conference.$TLD , DNS:guest.$TLD , DNS:proxy.$TLD , DNS:pubsub.$TLD , DNS:turn.$TLD , DNS:upload.$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
-	cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
-	touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+# Database
+if [ ! -L "/var/lib/postgresql" ]; then
+    systemctl stop postgresql-$PGVER
+    if [ ! -d "/$LABEL/var/lib/postgresql" ]; then
+	echo 'Start PostgeSQL DB...'
+	mkdir -p "/$LABEL/var/lib"
+	rm -rf "/$LABEL/var/lib/postgresql"
+	cp -a "/var/lib/postgresql" "/$LABEL/var/lib/postgresql"
+	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+	systemctl start postgresql-$PGVER
+	
+	echo 'Create ejabberd database...'
+	psql -U postgres -d postgres -c "CREATE ROLE ejabberd WITH LOGIN;"
+	psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
+	psql -U postgres -d postgres -c "CREATE DATABASE ejabberd WITH OWNER ejabberd;"
+	psql -U ejabberd -d ejabberd < /usr/share/ejabberd/sql/pg.new.sql
+    else
+	echo 'start PostgreSQL DB...'
+	rm -rf "/$LABEL/var/lib/postgresql.orig"
+	mv "/var/lib/postgresql" "/$LABEL/var/lib/postgresql.orig"
+	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
+	systemctl start postgresql-$PGVER
+	psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
+    fi
+else
+    echo 'Set new database password...'
+    systemctl restart postgresql-$PGVER
+    psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
+fi
+# update config with new database password
+sed -i "s/sql_password: .*/sql_password: \"$DATABASE_PASS\"/" "/$LABEL/etc/jabber/ejabberd.yml"
+
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
 fi
 
 rm -rf /etc/ssl/ejabberd
@@ -80,13 +108,13 @@ mkdir -p /etc/ssl
 ln -sf "/$LABEL/etc/ssl/ejabberd" "/etc/ssl/ejabberd"
 ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
 
+/etc/ssl/cert-renew.sh
+
 systemctl enable postgresql-$PGVER
 systemctl enable ejabberd
 systemctl enable nginx
 
-/usr/local/bin/cert-renew.sh
-
-systemctl start ejabberd
-systemctl start nginx
+systemctl restart ejabberd
+systemctl restart nginx
 
 rm /02firstboot
diff --git a/ejabberd/appliance/PostgreSQL-Backup.sh b/ejabberd/appliance/PostgreSQL-Backup.sh
new file mode 100755
index 0000000..3a50d12
--- /dev/null
+++ b/ejabberd/appliance/PostgreSQL-Backup.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/PostgreSQL"
+USER="postgres"
+##PASS="gentoo"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+## for i in `psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`; do
+for i in $(psql -U $USER -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'); do
+  if [ "$i" != "postgres" ] && [ "$i" != "template0" ] && [ "$i" != "template1" ] && [ "$i" != "template_postgis" ]; then
+   if test -f ${DIR}/${i}.sql; then
+    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+   fi
+   echo "dump ${i} to ${DIR}/${i}.sql"
+   pg_dump -U $USER $i > ${DIR}/${i}.sql
+   chmod 600 ${DIR}/${i}.sql
+  fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ pg_dump -U $USER $1 > ${DIR}/${1}.sql
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;
diff --git a/ejabberd/appliance/backup.service b/ejabberd/appliance/backup.service
new file mode 100644
index 0000000..619cd03
--- /dev/null
+++ b/ejabberd/appliance/backup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/PostgreSQL-Backup.sh --all
diff --git a/ejabberd/appliance/backup.timer b/ejabberd/appliance/backup.timer
new file mode 100644
index 0000000..ec59929
--- /dev/null
+++ b/ejabberd/appliance/backup.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+ 
+[Install]
+WantedBy=default.target
diff --git a/ejabberd/appliance/cert-renew.service b/ejabberd/appliance/cert-renew.service
new file mode 100644
index 0000000..59ec86d
--- /dev/null
+++ b/ejabberd/appliance/cert-renew.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
diff --git a/ejabberd/appliance/cert-renew.timer b/ejabberd/appliance/cert-renew.timer
new file mode 100644
index 0000000..fa2ee54
--- /dev/null
+++ b/ejabberd/appliance/cert-renew.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target