diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml index 2bf286d..c5ab766 100644 --- a/.gitea/workflows/build-and-push.yaml +++ b/.gitea/workflows/build-and-push.yaml @@ -23,6 +23,10 @@ jobs: run: | export TZ=Europe/Berlin + # FIX 1: Stellt sicher, dass die Datei mit einem Zeilenumbruch endet. + # Das verhindert, dass Bash die letzte Zeile beim Einlesen verschluckt. + sed -i -e '$a\' buildargs.env + set -a source <(grep -v '^#' buildargs.env | sed 's/\r$//') set +a @@ -34,11 +38,16 @@ jobs: echo "event_name=${{ gitea.event_name }}" >> $GITHUB_OUTPUT + # FIX 2: Kugelsicheres Auslesen des Tags direkt aus der Datei. + # Trimm-Befehle (tr) entfernen eventuelle unsichtbare Zeichen oder Anführungszeichen. + SAFE_BUILD_TAG=$(grep "^BUILD_TAG=" buildargs.env | cut -d'=' -f2 | tr -d '\r' | tr -d '"' | xargs) + if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then CLEAN_TAG=${{ gitea.ref_name }} echo "docker_tag=${CLEAN_TAG#v}" >> $GITHUB_OUTPUT else - echo "docker_tag=${BUILD_TAG:-latest}" >> $GITHUB_OUTPUT + # Nutzt jetzt garantiert den direkt extrahierten Wert + echo "docker_tag=${SAFE_BUILD_TAG:-latest}" >> $GITHUB_OUTPUT fi OWNER=$(echo "${{ gitea.repository }}" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]') 
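Review bot: `SAFE_BUILD_TAG` (second hunk) is written to `$GITHUB_OUTPUT` as `docker_tag` without any validation although the comment calls the extraction bulletproof: `cut -d'=' -f2` drops everything after a second `=`, and bare `xargs` interprets quotes and backslashes, so a value with an unmatched `'` makes it fail and the `$(...)` yields an empty string that silently becomes `latest`. Since the value later becomes both a Docker tag and a git tag pushed with `-f`, reject anything outside the OCI tag charset right after the extraction: `[[ "$SAFE_BUILD_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "invalid BUILD_TAG: '$SAFE_BUILD_TAG'" >&2; exit 1; }`. This is also a second parser of buildargs.env next to the `set -a; source ...` a few lines earlier, and the two can disagree on quoting; unless the sourced `BUILD_TAG` was demonstrably wrong, reusing `${BUILD_TAG}` plus the validation is simpler. The run step continues outside both hunks.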
@@ -129,32 +138,33 @@ jobs: BASE_SHA=$(docker buildx imagetools inspect $BASE --format '{{json .Manifest.Digest}}' 2>/dev/null | tr -d '"' || echo "unknown") - AMD_TAGS=("-t" "$IMAGE_GITEA:tmp-amd64") - ARM_TAGS=("-t" "$IMAGE_GITEA:tmp-arm64") - - if [[ "$PUSH" == *"dockerhub"* ]]; then - DOCKERHUB_REPO="${{ secrets.DOCKERHUB_USERNAME }}/$REPO_PURE" - AMD_TAGS+=("-t" "$DOCKERHUB_REPO:tmp-amd64") - ARM_TAGS+=("-t" "$DOCKERHUB_REPO:tmp-arm64") - fi - - docker buildx build "${DOCKER_ARGS[@]}" "${AMD_TAGS[@]}" \ + docker buildx build "${DOCKER_ARGS[@]}" -t "$IMAGE_GITEA:tmp-amd64" \ --pull --platform linux/amd64 -f Dockerfile \ --label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push . - docker buildx build "${DOCKER_ARGS[@]}" "${ARM_TAGS[@]}" \ + docker buildx build "${DOCKER_ARGS[@]}" -t "$IMAGE_GITEA:tmp-arm64" \ --pull --platform linux/arm64 -f Dockerfile.aarch64 \ --label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push . + GITEA_MANIFEST_TAGS=("-t" "$IMAGE_GITEA:$TAG") + if [[ "$BUILD_TAG_LATEST" == "y" ]]; then + GITEA_MANIFEST_TAGS+=("-t" "$IMAGE_GITEA:latest") + fi + docker buildx imagetools create \ --annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ - -t $IMAGE_GITEA:$TAG -t $IMAGE_GITEA:latest $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64 + "${GITEA_MANIFEST_TAGS[@]}" $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64 if [[ "$PUSH" == *"dockerhub"* ]]; then DOCKERHUB_REPO="${{ secrets.DOCKERHUB_USERNAME }}/$REPO_PURE" + DH_MANIFEST_TAGS=("-t" "$DOCKERHUB_REPO:$TAG") + if [[ "$BUILD_TAG_LATEST" == "y" ]]; then + DH_MANIFEST_TAGS+=("-t" "$DOCKERHUB_REPO:latest") + fi + docker buildx imagetools create \ --annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ - -t $DOCKERHUB_REPO:$TAG -t $DOCKERHUB_REPO:latest $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64 + "${DH_MANIFEST_TAGS[@]}" $IMAGE_GITEA:tmp-amd64 
$IMAGE_GITEA:tmp-arm64 fi - name: Update Documentation and Compose @@ -163,7 +173,6 @@ jobs: run: | set -x - # --- 1. VARIABLEN VORBEREITEN --- export TZ=Europe/Berlin CURRENT_TIME=$(date '+%d.%m.%Y %H:%M') BUILD_TAG="${{ steps.prep.outputs.docker_tag }}" @@ -185,11 +194,9 @@ jobs: EOF COMMIT_MSG=$(sed 's/\[skip ci\]//g' commit_msg.txt | xargs) - # --- 2. TEMPLATES LADEN --- wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/README.template -O README.template || echo "Warnung: README Template fehlt" wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/docker-compose.template -O docker-compose.template || echo "Warnung: Compose Template fehlt" - # --- 3. VERSION HISTORY --- NEW_ROW="| **$BUILD_TAG** | $CURRENT_TIME | $COMMIT_MSG ✅ |" if [ -f "VERSION.history" ]; then grep -v "| **$BUILD_TAG** |" VERSION.history > VERSION.history.tmp || true @@ -232,9 +239,6 @@ jobs: done <<< "$vol_vars" fi - # --- 5. DOCKER RUN BEFEHL (NEU: Als Datei schreiben) --- - # Wir schreiben direkt in eine Datei. Da gibt es keine Interpretationsfehler. - # Wichtig: " \\" am Ende der Zeilen explizit hinschreiben. { echo "docker run -d \\" echo " --name $REPO_PURE \\" 
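Review bot: The `tmp-amd64`/`tmp-arm64` tags that feed both `imagetools create` calls are fixed names in a shared registry, so two overlapping runs (a tag push and a scheduled branch build) can stitch the other run's per-arch image into this run's manifest; since this hunk already reworks the tag handling, suffix them per run, e.g. `TMP="tmp-${{ gitea.run_id }}"` and `-t "$IMAGE_GITEA:$TMP-amd64"`. Nothing in this diff removes the `tmp-*` tags afterwards (the later `docker image prune -f` only touches the local daemon), so they stay pullable in the registry. Minor: `"$BUILD_TAG_LATEST" == "y"` silently treats `Y`, `yes` and `true` as "no latest"; either note in buildargs.env that only a lowercase `y` counts, or compare `"${BUILD_TAG_LATEST,,}"` against `y|yes|true`. The run step continues before and after the hunk.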
@@ -256,24 +260,20 @@ jobs: fi done <<< "$all_params" fi - # Letzte Zeile OHNE Backslash echo " $FULL_URL:$BUILD_TAG" } > docker_run_block.txt - # --- 6. DOCKER HUB LINK --- DOCKERHUB_LINK_CONTENT="" if [[ "${{ steps.prep.outputs.push_targets }}" == *"dockerhub"* ]]; then DH_USER="${{ secrets.DOCKERHUB_USERNAME }}" DOCKERHUB_LINK_CONTENT="[![Docker Hub](https://img.shields.io/badge/docker-hub-blue?logo=docker&logoColor=white)](https://hub.docker.com/r/${DH_USER}/${REPO_PURE})" fi - # --- 7. TEMPLATE ENGINE (Optimiert für File-Injection) --- process_template() { local template=$1; local output=$2 [ ! -f "$template" ] && return cp "$template" "$output" - # Simple Ersetzungen sed -i "s|__REPO_NAME__|$REPO_PURE|g" "$output" sed -i "s|__FULL_URL__|$FULL_URL|g" "$output" sed -i "s|__BUILD_TAG__|$BUILD_TAG|g" "$output" 
@@ -281,28 +281,23 @@ jobs: sed -i "s|__ARM_STATUS__|$ARM_STATUS|g" "$output" sed -i "s|__CURRENT_DATE__|$CURRENT_TIME|g" "$output" - # Komplexe Blöcke: AWK für Strings, SED für Files awk -v r="$HISTORY_CONTENT" '{gsub(/__HISTORY_CONTENT__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$DOCKERHUB_LINK_CONTENT" '{gsub(/__DOCKERHUB_LINK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" - # NEU: Docker Run Block via File einfügen (sicherste Methode) if grep -q "__DOCKER_RUN__" "$output" && [ -f "docker_run_block.txt" ]; then sed -e '/__DOCKER_RUN__/{r docker_run_block.txt' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output" fi - # Compose Block via File einfügen if grep -q "__COMPOSE_BLOCK__" "$output" && [ -f "docker-compose.yml" ]; then sed -e '/__COMPOSE_BLOCK__/{r docker-compose.yml' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output" fi - # ENV/PORTS/VOL Blöcke if grep -q "__ENV_BLOCK__" "$output"; then awk -v r="$(echo -e "$ENV_BLOCK_CONTENT")" '{gsub(/__ENV_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" fi awk -v r="$(echo -e "$PORTS_BLOCK_CONTENT")" '{gsub(/__PORTS_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$(echo -e "$VOL_BLOCK_CONTENT")" '{gsub(/__VOL_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" - # Description als letztes if grep -q "__DESCRIPTION__" "$output"; then awk -v r="$(echo -e "${DESCRIPTION:-Keine Beschreibung.}")" '{gsub(/__DESCRIPTION__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" fi @@ -311,7 +306,6 @@ jobs: process_template "docker-compose.template" "docker-compose.yml" process_template "README.template" "README.md" - # --- 8. EXPORTS --- echo "FINAL_MSG=$COMMIT_MSG" >> $GITHUB_ENV echo "DESCRIPTION<> $GITHUB_ENV echo -e "$DESCRIPTION" >> $GITHUB_ENV 
@@ -372,23 +366,18 @@ jobs: git config --local user.email "action@pi-farm.de" git config --local user.name "Gitea Action" - # Sicherstellen, dass wir etwas zum Committen haben git add VERSION.history README.md docker-compose.yml - # Nur committen, wenn es Änderungen gibt git diff --quiet && git diff --staged --quiet || git commit -m "${{ env.FINAL_MSG }} [skip ci]" - # Das Tag exakt so setzen, wie es in prep definiert wurde (ohne extra 'v') TARGET_TAG="${{ steps.prep.outputs.docker_tag }}" git tag -f "$TARGET_TAG" if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then echo "🏷️ Build aus Tag getriggert: $TARGET_TAG" - # Wir pushen das Tag (force), um die Doku-Updates einzuschließen git push -f origin "$TARGET_TAG" else echo "🌿 Build aus Branch/Schedule getriggert: ${{ gitea.ref_name }}" - # In den Branch pushen (HEAD:branch_name) und das Tag setzen git push origin HEAD:${{ gitea.ref_name }} git push -f origin "$TARGET_TAG" fi @@ -435,7 +424,7 @@ jobs: - name: Cleanup Docker Artifacts if: always() run: docker image prune -f - + - name: Workflow Summary if: always() run: | diff --git a/.gitignore b/.gitignore index 430d480..41213cb 100644 --- a/.gitignore +++ b/.gitignore @@ -8,12 +8,7 @@ .DS_Store Thumbs.db -# Deine spezifischen Ordner -# Wir ignorieren den Inhalt von data, behalten aber den Ordner -data/* -!data/.gitkeep - -# Falls in config sensible Daten (Passwörter) landen, -# solltest du sie hier ebenfalls ausschließen: config/* !config/.gitkeep +home/* +!home/.gitkeep \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 07bb5b9..6c35377 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,27 +1,110 @@ -# Example Dockerfile for amd64 -ARG BASE_IMAGE=alpine:latest +ARG BUILD_BASE_IMAGE=debian:bookworm -FROM ${BASE_IMAGE} +FROM ${BUILD_BASE_IMAGE} -ARG MAINTAINER -ARG TZ -ARG APP_NAME -ARG APP_USER +ARG BUILD_MAINTAINER +ARG BUILD_TZ +ARG BUILD_APP_NAME +ARG BUILD_LANG +ARG BUILD_LANGUAGE +ARG BUILD_LC_ALL +ARG BUILD_COUNTRY -LABEL maintainer="${MAINTAINER}" -LABEL org.opencontainers.image.title="${APP_NAME}" +LABEL maintainer="${BUILD_MAINTAINER}" +LABEL org.opencontainers.image.title="${BUILD_APP_NAME}" -ENV TZ=${TZ} -ENV USER=${APP_USER} +ENV TZ=${BUILD_TZ} +ENV LANG=${BUILD_LANG} +ENV LANGUAGE=${BUILD_LANGUAGE} +ENV LC_ALL=${BUILD_LC_ALL} +ENV COUNTRY=${BUILD_COUNTRY} +ENV DEBIAN_FRONTEND=noninteractive -RUN apk add --no-cache tzdata ca-certificates +RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources && \ + apt-get update && apt-get install -y \ + xrdp \ + sssd \ + sssd-tools \ + libpam-sss \ + libnss-sss \ + libsss-sudo \ + ldap-utils \ + ca-certificates \ + dbus-x11 \ + xfce4 \ + xfce4-terminal \ + sudo \ + firefox-esr \ + firefox-esr-l10n-${COUNTRY} \ + thunderbird \ + thunderbird-l10n-${COUNTRY} \ + locales \ + tzdata \ + keyboard-configuration \ + x11-xkb-utils \ + pulseaudio \ + build-essential \ + dpkg-dev \ + git \ + libpulse-dev \ + meson \ + ninja-build \ + pkg-config \ + autoconf \ + libtool && \ + apt-get build-dep -y pulseaudio && \ + cd /tmp && \ + apt-get source pulseaudio && \ + PULSE_DIR=$(find /tmp -maxdepth 1 -type d -name "pulseaudio-*" | head -n 1) && \ + cd $PULSE_DIR && \ + meson setup build \ + -Dman=false \ + -Dtests=false \ + -Ddoxygen=false && \ + cd /tmp && \ + git clone https://github.com/neutrinolabs/pulseaudio-module-xrdp.git && \ + cd pulseaudio-module-xrdp && \ + ./bootstrap && \ + ./configure PULSE_DIR=$PULSE_DIR && \ + make && \ + make install && \ + cd / && \ + rm -rf /tmp/pulseaudio-* /tmp/pulseaudio-module-xrdp && \ + apt-get remove -y build-essential dpkg-dev meson 
ninja-build autoconf libtool && \ + apt-get autoremove -y && \ + rm -rf /var/lib/apt/lists/* && \ + echo "${LANG} UTF-8" > /etc/locale.gen && \ + locale-gen ${LANG} && \ + update-locale LANG=${LANG} LANGUAGE=${LANGUAGE} && \ + ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \ + dpkg-reconfigure -f noninteractive tzdata && \ + printf 'XKBMODEL="pc105"\nXKBLAYOUT="%s"\nXKBVARIANT=""\nXKBOPTIONS=""\nBACKSPACE="guess"\n' "${COUNTRY}" > /etc/default/keyboard && \ + dpkg-reconfigure -f noninteractive keyboard-configuration -WORKDIR /app -COPY ./config /app/config -COPY ./data /app/data +# NEU: Systemweite statische Konfigurationen für LDAP/PAM/Sudo +# 1. Entfernt die gefährliche %users Regel +# 2. Sagt nsswitch, dass Sudoers auch im SSS (LDAP) gesucht werden sollen +# 3. Aktiviert das automatische Erstellen von Home-Verzeichnissen (mkhomedir) +RUN sed -i '/%users/s/^/# /' /etc/sudoers && \ + echo "sudoers: files sss" >> /etc/nsswitch.conf && \ + echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session -RUN adduser -D ${APP_USER} && chown -R ${APP_USER}:${APP_USER} /app +RUN chmod 440 /etc/sudoers && \ + mkdir -p /etc/sssd && chown root:root /etc/sssd && chmod 755 /etc/sssd && \ + mkdir -p /home && chmod 755 /home && \ + chown xrdp:xrdp /etc/xrdp/key.pem /etc/xrdp/cert.pem /etc/xrdp/rsakeys.ini && \ + chmod 600 /etc/xrdp/key.pem /etc/xrdp/rsakeys.ini && \ + chmod 644 /etc/xrdp/cert.pem && \ + echo "LANG=${LANG}" >> /etc/environment && \ + echo "LANGUAGE=${LANGUAGE}" >> /etc/environment && \ + echo "LC_ALL=${LC_ALL}" >> /etc/environment && \ + sed -i '2i export LANG=${LANG}\nexport LANGUAGE=${LANGUAGE}\nexport LC_ALL=${LC_ALL}\npulseaudio --start\npactl load-module module-xrdp-sink.so\npactl load-module module-xrdp-source.so' /etc/xrdp/startwm.sh && \ + chmod +x /etc/xrdp/startwm.sh && \ + mkdir -p /etc/xdg/xfce4 && \ + echo "setxkbmap ${COUNTRY}" >> /etc/xdg/xfce4/xinitrc -USER ${APP_USER} +EXPOSE 3389 -CMD ["sh"] \ No newline at 
end of file +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +CMD ["/entrypoint.sh"] \ No newline at end of file diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index f02657b..6c35377 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
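Review bot: `git clone https://github.com/neutrinolabs/pulseaudio-module-xrdp.git` in the build RUN fetches whatever is on the default branch at build time and `make install`s it as root into the image, so two builds of the same BUILD_TAG can contain different, unreviewed code; pin it with `git clone --depth 1 --branch <tag> ...` and compare `git rev-parse HEAD` against a known commit (a `BUILD_XRDP_PULSE_REF` ARG would fit next to the other BUILD_ args). The `chown`/`chmod` of `/etc/xrdp/key.pem` and `rsakeys.ini` harden files that already exist at build time, presumably generated by the xrdp package install, which means the same RDP private key ships in every pulled image and every container started from it; generate them at first start in entrypoint.sh (or mount them) instead, e.g. `[ -s /etc/xrdp/key.pem ] || openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365 -subj "/CN=$(hostname)"`. The `sed -i '2i export LANG=${LANG}...'` is single-quoted, so `${LANG}` is written literally into startwm.sh and resolved in the session environment rather than at build time like the double-quoted `setxkbmap ${COUNTRY}` line; confirm that is intended and add a comment either way.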
@@ -1,27 +1,110 @@ -# Example Dockerfile for arm64 -ARG BASE_IMAGE=alpine:latest +ARG BUILD_BASE_IMAGE=debian:bookworm -FROM ${BASE_IMAGE} +FROM ${BUILD_BASE_IMAGE} -ARG MAINTAINER -ARG TZ -ARG APP_NAME -ARG APP_USER +ARG BUILD_MAINTAINER +ARG BUILD_TZ +ARG BUILD_APP_NAME +ARG BUILD_LANG +ARG BUILD_LANGUAGE +ARG BUILD_LC_ALL +ARG BUILD_COUNTRY -LABEL maintainer="${MAINTAINER}" -LABEL org.opencontainers.image.title="${APP_NAME}" +LABEL maintainer="${BUILD_MAINTAINER}" +LABEL org.opencontainers.image.title="${BUILD_APP_NAME}" -ENV TZ=${TZ} -ENV USER=${APP_USER} +ENV TZ=${BUILD_TZ} +ENV LANG=${BUILD_LANG} +ENV LANGUAGE=${BUILD_LANGUAGE} +ENV LC_ALL=${BUILD_LC_ALL} +ENV COUNTRY=${BUILD_COUNTRY} +ENV DEBIAN_FRONTEND=noninteractive -RUN apk add --no-cache tzdata ca-certificates +RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources && \ + apt-get update && apt-get install -y \ + xrdp \ + sssd \ + sssd-tools \ + libpam-sss \ + libnss-sss \ + libsss-sudo \ + ldap-utils \ + ca-certificates \ + dbus-x11 \ + xfce4 \ + xfce4-terminal \ + sudo \ + firefox-esr \ + firefox-esr-l10n-${COUNTRY} \ + thunderbird \ + thunderbird-l10n-${COUNTRY} \ + locales \ + tzdata \ + keyboard-configuration \ + x11-xkb-utils \ + pulseaudio \ + build-essential \ + dpkg-dev \ + git \ + libpulse-dev \ + meson \ + ninja-build \ + pkg-config \ + autoconf \ + libtool && \ + apt-get build-dep -y pulseaudio && \ + cd /tmp && \ + apt-get source pulseaudio && \ + PULSE_DIR=$(find /tmp -maxdepth 1 -type d -name "pulseaudio-*" | head -n 1) && \ + cd $PULSE_DIR && \ + meson setup build \ + -Dman=false \ + -Dtests=false \ + -Ddoxygen=false && \ + cd /tmp && \ + git clone https://github.com/neutrinolabs/pulseaudio-module-xrdp.git && \ + cd pulseaudio-module-xrdp && \ + ./bootstrap && \ + ./configure PULSE_DIR=$PULSE_DIR && \ + make && \ + make install && \ + cd / && \ + rm -rf /tmp/pulseaudio-* /tmp/pulseaudio-module-xrdp && \ + apt-get remove -y build-essential dpkg-dev meson 
ninja-build autoconf libtool && \ + apt-get autoremove -y && \ + rm -rf /var/lib/apt/lists/* && \ + echo "${LANG} UTF-8" > /etc/locale.gen && \ + locale-gen ${LANG} && \ + update-locale LANG=${LANG} LANGUAGE=${LANGUAGE} && \ + ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \ + dpkg-reconfigure -f noninteractive tzdata && \ + printf 'XKBMODEL="pc105"\nXKBLAYOUT="%s"\nXKBVARIANT=""\nXKBOPTIONS=""\nBACKSPACE="guess"\n' "${COUNTRY}" > /etc/default/keyboard && \ + dpkg-reconfigure -f noninteractive keyboard-configuration -WORKDIR /app -COPY ./config /app/config -COPY ./data /app/data +# NEU: Systemweite statische Konfigurationen für LDAP/PAM/Sudo +# 1. Entfernt die gefährliche %users Regel +# 2. Sagt nsswitch, dass Sudoers auch im SSS (LDAP) gesucht werden sollen +# 3. Aktiviert das automatische Erstellen von Home-Verzeichnissen (mkhomedir) +RUN sed -i '/%users/s/^/# /' /etc/sudoers && \ + echo "sudoers: files sss" >> /etc/nsswitch.conf && \ + echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session -RUN adduser -D ${APP_USER} && chown -R ${APP_USER}:${APP_USER} /app +RUN chmod 440 /etc/sudoers && \ + mkdir -p /etc/sssd && chown root:root /etc/sssd && chmod 755 /etc/sssd && \ + mkdir -p /home && chmod 755 /home && \ + chown xrdp:xrdp /etc/xrdp/key.pem /etc/xrdp/cert.pem /etc/xrdp/rsakeys.ini && \ + chmod 600 /etc/xrdp/key.pem /etc/xrdp/rsakeys.ini && \ + chmod 644 /etc/xrdp/cert.pem && \ + echo "LANG=${LANG}" >> /etc/environment && \ + echo "LANGUAGE=${LANGUAGE}" >> /etc/environment && \ + echo "LC_ALL=${LC_ALL}" >> /etc/environment && \ + sed -i '2i export LANG=${LANG}\nexport LANGUAGE=${LANGUAGE}\nexport LC_ALL=${LC_ALL}\npulseaudio --start\npactl load-module module-xrdp-sink.so\npactl load-module module-xrdp-source.so' /etc/xrdp/startwm.sh && \ + chmod +x /etc/xrdp/startwm.sh && \ + mkdir -p /etc/xdg/xfce4 && \ + echo "setxkbmap ${COUNTRY}" >> /etc/xdg/xfce4/xinitrc -USER ${APP_USER} +EXPOSE 3389 -CMD ["sh"] \ No newline at 
end of file +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +CMD ["/entrypoint.sh"] \ No newline at end of file diff --git a/README.md b/README.md index f452a48..69b363f 100644 --- a/README.md +++ b/README.md 
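Review bot: This file is now byte-identical to Dockerfile (both hunks land on blob 6c35377), so every fix — the unpinned `git clone`, the baked-in xrdp key, the sed quoting — has to be applied twice and the two copies will drift. The workflow already builds the arm64 variant with `--platform linux/arm64`, so `-f Dockerfile` would produce the same image from one source; consider dropping this file, or until then add a header `# Identical to Dockerfile by design — keep both in sync` so the duplication is visible to the next editor.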
@@ -1,16 +1,75 @@ -# Projekt: {{.RepoName}} [![Build Status](https://git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}/actions/workflows/build-and-push.yaml/badge.svg)](https://git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}/actions) +# base-image-debian-rdp-ldap +Debian Desktop with LDAP-Authentication. To use behind Guacamole with LDAP-Authentication and pass-through to Debian-Desktop. + +[![Build Status](https://git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap/actions/workflows/build-and-push.yaml/badge.svg)](https://git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap/actions) +[![Gitea Repo](https://img.shields.io/badge/gitea-repository-blue?logo=gitea&logoColor=white)](__REPO_URL__) This repository is built and pushed automatically. -### 🏗️ Platform Support -| Architecture | Status | Base-Image | -| :--- | :--- | :--- | -| **x86_64** (amd64) | ✅ Active | `__BASE_IMAGE__` | -| **aarch64** (arm64) | __ARM_STATUS__ | `__BASE_IMAGE__` | +[![Docker Hub](https://img.shields.io/badge/docker-hub-blue?logo=docker__DOCKERHUB_LINK__logoColor=white)](https://hub.docker.com/r/pifarm/base-image-debian-rdp-ldap) -### 🚀 Docker Pull Command +### 🏗️ Platform Support +| Architecture | Status | Base Image | Build Date | +| :--- | :--- | :--- | :--- | +| x86_64 (amd64) | ✅ Active | debian:bookworm | 09.04.2026 15:23 | +| aarch64 (arm64) | ✅ Active | debian:bookworm | 09.04.2026 15:23 | + +### 🚀 Docker Pull ```bash -docker pull git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}:latest +docker pull git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de ``` ---- -*Last updated on: __DATE__* +### 🚀 Docker Compose +```yaml +services: + base-image-debian-rdp-ldap: + image: git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de + container_name: base-image-debian-rdp-ldap + restart: unless-stopped + ports: + - 3889 + environment: + - SSSD_DEBUG_LEVEL=5 + - LDAP_URI=ldap://YOUR-LDAP-SERVER:389 + - LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC + - LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC + 
- LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD + - LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP + volumes: + - ./YOUR-PERSISTENT-FOLDER:/home +``` +### 🚀 Docker Run +```bash +docker run -d \ + --name base-image-debian-rdp-ldap \ + --restart unless-stopped \ + -e SSSD_DEBUG_LEVEL=5 \ + -e LDAP_URI=ldap://YOUR-LDAP-SERVER:389 \ + -e LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC \ + -e LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC \ + -e LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD \ + -e LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP \ + -v ./YOUR-PERSISTENT-FOLDER:/home \ + -p 3889 \ + git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de +``` + +*Last updated on: 09.04.2026 15:23* + +### 📜 Version History +| Version | Date | Status | +| :--- | :--- | :--- | +| **bookworm-de** | 09.04.2026 15:23 | ✅ | +| **trixie-de** | 09.04.2026 14:58 | ✅ | +| **bookworm-de** | 09.04.2026 14:13 | ✅ | +| **bookworm-de** | 09.04.2026 13:10 | ✅ | +| **bookworm-de** | 09.04.2026 11:58 | ✅ | +| **bookworm-de** | 09.04.2026 10:11 | ✅ | +| **bookworm-de** | 07.04.2026 19:27 | ✅ | +| **bookworm-de** | 07.04.2026 17:38 | ✅ | +| **bookworm-de** | 05.04.2026 11:47 | ✅ | +| **bookworm-de** | 05.04.2026 11:20 | ✅ | +| **bookworm-de** | 04.04.2026 00:31 | ✅ | +| **bookworm-de** | 02.04.2026 17:26 | ✅ | +| **bookworm-de** | 02.04.2026 16:44 | ✅ | +| **bookworm-de** | 02.04.2026 15:37 | ✅ | +| **bookworm** | 02.04.2026 14:15 | ✅ | diff --git a/buildargs.env b/buildargs.env index dad5f2a..5ad767f 100644 --- a/buildargs.env +++ b/buildargs.env 
@@ -1,26 +1,27 @@
## BUILD STAGE
-BUILD_TAG=1.00
-BUILD_BASE_IMAGE=alpine:${BUILD_TAG}
-## Examples for BUILD_BASE_IMAGE
-# alpine:${BUILD_TAG}
-# git.pi-farm.de/pi-farm/docker-baseimage-alpine:v${BUILD_TAG}
-#BUILD_ALPINE_ARCH_AMD64=x86_64
-#BUILD_ALPINE_ARCH_AARCH64=aarch64
-#BUILD_S6_ARCH_amd64=x86_64
-#BUILD_S6_ARCH_aarch64=aarch64
-#BUILD_S6_OVERLAY_VERSION=3.2.0.2
-#BUILD_MAINTAINER=pi-farm
-#BUILD_APP_VERSION=v${BUILD_TAG}
-#BUILD_APP_NAME=basimage-alpine
-#BUILD_APP_USER=pi
-#BUILD_APP_GID=1000
-## ENV STAGE
-ENV_TZ=Europe/Berlin
-ENV_PUID=1000
-ENV_PGID=1000
-# VOL_CONFIG=./config:/config
-# VOL_DATA=./data:/data
-# PORT_WEB=8080:80
-#PUSH=gitea,dockerhub
-DESCRIPTION="Example example example"
+BUILD_BASE_IMAGE=debian:bookworm
+BUILD_COUNTRY=de
+BUILD_TAG=bookworm-de
+BUILD_TAG_LATEST=n
+BUILD_LANG=de_DE.UTF-8
+BUILD_LANGUAGE=de_DE:de
+BUILD_LC_ALL=de_DE.UTF-8
+BUILD_TZ=Europe/Berlin
+BUILD_MAINTAINER=pi-farm
+BUILD_APP_NAME=base-image-debian-rdp-ldap
+BUILD_APP_VERSION=1.0.0
+PUSH=dockerhub
+## ENV STAGE
+ENV_SSSD_DEBUG_LEVEL=5
+ENV_LDAP_URI=ldap://YOUR-LDAP-SERVER:389
+ENV_LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC
+ENV_LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC
+ENV_LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD
+ENV_LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP
+
+## DOCKER / COMPOSE CONFIG
+VOL_HOME=./YOUR-PERSISTENT-FOLDER:/home
+PORT_RDP=3889
+
+DESCRIPTION="Debian Desktop with LDAP-Authentication and Pulse-Audio. To use behind Guacamole with LDAP-Authentication and pass-through to Debian-Desktop."
\ No newline at end of file
diff --git a/data/.gitkeep b/data/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/docker-compose.yml b/docker-compose.yml
index 8b13789..de04786 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
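Review bot: `PORT_RDP=3889` is rendered by the workflow as `-p 3889` and `ports: - 3889` (see the generated README.md and docker-compose.yml in this diff), which publishes container port 3889 on a random host port, while the Dockerfile exposes 3389, the xrdp default; unless xrdp is reconfigured, nothing listens on 3889. If the intent is host 3889 mapped to container 3389, use `PORT_RDP=3889:3389` and add `# host:container` next to it. `ENV_LDAP_BIND_PASSWORD` is likewise rendered verbatim into the committed docker-compose.yml and README, which invites users to put a real bind password into an `environment:` list; a comment pointing to `env_file:` or a Docker secret for this value would be worth adding here, since this file is the template source.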
@@ -1 +1,16 @@
-
+services:
+ base-image-debian-rdp-ldap:
+ image: git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de
+ container_name: base-image-debian-rdp-ldap
+ restart: unless-stopped
+ ports:
+ - 3889
+ environment:
+ - SSSD_DEBUG_LEVEL=5
+ - LDAP_URI=ldap://YOUR-LDAP-SERVER:389
+ - LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC
+ - LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC
+ - LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD
+ - LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP
+ volumes:
+ - ./YOUR-PERSISTENT-FOLDER:/home
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..3fa5b1a
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -e
+
+# Mapping der Gitea-Workflow Variablen (ENV_...) auf interne Variablen
+# Falls ENV_LDAP_URI nicht gesetzt ist, wird ein Fallback genutzt
+LDAP_URI=${LDAP_URI:-"ldap://localhost:389"}
+LDAP_BASE_DN=${LDAP_BASE_DN:-"dc=example,dc=com"}
+LDAP_BIND_DN=${LDAP_BIND_DN:-"cn=admin,dc=example,dc=com"}
+LDAP_BIND_PASSWORD=${LDAP_BIND_PASSWORD}
+LDAP_SUDO_GROUP=${LDAP_SUDO_GROUP:-"sudo_users"}
+SSSD_DEBUG=${SSSD_DEBUG_LEVEL:-0}
+
+echo ">>> Erstelle SSSD Konfiguration..."
+cat < /etc/sssd/sssd.conf
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ${LDAP_URI}
+ldap_search_base = ${LDAP_BASE_DN}
+ldap_sudo_search_base = ou=SUDOers,${LDAP_BASE_DN}
+
+ldap_default_bind_dn = ${LDAP_BIND_DN}
+ldap_default_authtok = ${LDAP_BIND_PASSWORD}
+
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+
+ldap_id_use_start_tls = false
+ldap_tls_reqcert = never
+ldap_auth_disable_tls_never_use_in_production = true
+
+cache_credentials = true
+enumerate = false
+EOF
+
+chmod 600 /etc/sssd/sssd.conf
+chown root:root /etc/sssd/sssd.conf
+
+echo ">>> Erstelle Sudoers-Regel für Gruppe: ${LDAP_SUDO_GROUP}..."
+echo "%${LDAP_SUDO_GROUP} ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/ldap-admins
+chmod 0440 /etc/sudoers.d/ldap-admins
+
+echo ">>> Bereinige SSSD Cache..."
+rm -f /var/lib/sss/db/*
+rm -f /var/lib/sss/mc/*
+
+echo ">>> Starte Dienste..."
+# SSSD mit dem gemappten Debug-Level starten
+sssd -D --debug-level=${SSSD_DEBUG}
+
+service dbus start
+xrdp-sesman
+exec xrdp -n
\ No newline at end of file
diff --git a/config/.gitkeep b/home/.gitkeep
similarity index 100%
rename from config/.gitkeep
rename to home/.gitkeep