diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml
index 48fbca9..6db3cde 100644
--- a/roles/bootstrap/tasks/dnf.yml
+++ b/roles/bootstrap/tasks/dnf.yml
@@ -11,6 +11,7 @@ state: present - name: configure dnf-automatic + become: true lineinfile: path: /etc/dnf/automatic.conf state: present
@@ -18,7 +19,8 @@ line: "{{ item.line }}" with_items: - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - { regexp: '^emit_via.=', line: 'emit_via = stdio' } + - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' } + - { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - name: enable dnf-automatic timer systemd:
diff --git a/roles/fedora-upgrade/defaults/main.yml b/roles/fedora-upgrade/defaults/main.yml
index e15753b..e57fbbd 100644
--- a/roles/fedora-upgrade/defaults/main.yml
+++ b/roles/fedora-upgrade/defaults/main.yml
@@ -1,4 +1,4 @@ ---
-fedora_latest: 33
-fedora_minimum: 31
+fedora_latest: 35
+fedora_minimum: 33
 fedora_target: "{{ fedora_latest|int }}"
diff --git a/roles/hardening/defaults/main.yml b/roles/hardening/defaults/main.yml
new file mode 100644
index 000000000..499477d
--- /dev/null
+++ b/roles/hardening/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+BAD_SERVICES:
+ - postfix
+ - rpcbind
+ - rsyncd.service
+ - rsyncd.socket
diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml
new file mode 100644
index 000000000..2b3a4e2
--- /dev/null
+++ b/roles/hardening/tasks/centos-selinux.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Install required dependency libsemanage-python
+ yum:
+ name: libsemanage-python
+ state: latest
+ when: (ansible_distribution_major_version is version('7', '='))
+
+- name: Install required dependency python3-policycoreutils
+ dnf:
+ name: python3-policycoreutils
+ state: latest
+ when: (ansible_distribution_major_version is version('8', '>='))
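Review bot: `apply_updates = yes` turns dnf-automatic into an unattended installer, yet the `lineinfile` regexp only edits the key if it already exists in `/etc/dnf/automatic.conf`; when it is absent, lineinfile appends the line at end of file, under whichever INI section happens to be last, where dnf-automatic will not read it. `apply_updates` belongs in `[commands]` and `emit_via` in `[emitters]`, so `ini_file` places them deterministically, e.g. `ini_file: {path: /etc/dnf/automatic.conf, section: commands, option: apply_updates, value: "yes"}`. Security updates include kernel updates that are inert until reboot and dnf-automatic does not reboot by itself (newer versions have a `reboot` option in `[commands]` — confirm it exists on the targeted releases), so either add a reboot task driven by `needs-restarting -r` or document the manual step. The `enable dnf-automatic timer` task whose body follows the hunk does not show the `become: true` added above; verify it runs privileged too.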
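Review bot: `BAD_SERVICES` is defined here but nothing in this commit consumes it — the `disable services` task in `roles/hardening/tasks/main.yml` that carried the same four entries inline is deleted in the next file rather than rewritten to loop over the variable, so postfix, rpcbind and rsyncd are no longer stopped or disabled by the hardening role. Either restore the task as `service: {name: "{{ item }}", state: stopped, enabled: false}` with `loop: "{{ BAD_SERVICES }}"`, or drop this defaults file so it does not suggest protection that is not applied. A one-line comment above the list naming the task that reads it, and why these services specifically, would help the next reader.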
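Review bot: `state: latest` on both dependency installs makes every run of the hardening role an unrequested package-upgrade step and reports `changed` whenever a newer build is published; `state: present` is all the later `seport` task needs. On EL7 `libsemanage-python` is the Python 2 binding, so that branch only works if Ansible runs the host's `/usr/bin/python` — if `ansible_python_interpreter` is pointed at python3 on EL7 hosts, the module will fail to import at run time, which is worth a comment on the `when:`. This file and `fedora-selinux.yml` differ only in package names and version gates and could be a single task fed by a per-distribution variable map.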
diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml
new file mode 100644
index 000000000..6a91c6e
--- /dev/null
+++ b/roles/hardening/tasks/fedora-selinux.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Install required dependency python3-libsemanage
+ dnf:
+ name: python3-libsemanage
+ state: latest
+ when: (ansible_distribution_major_version is version('31', '>='))
+
+- name: Install required dependency libsemanage-python
+ dnf:
+ name: libsemanage-python
+ state: latest
+ when: (ansible_distribution_major_version is version('30', '<='))
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index ee22bd3..ef53844 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -1,27 +1,21 @@ --- -#- name: Disallow root SSH access -# lineinfile: -# dest: /etc/ssh/sshd_config -# regexp: "^PermitRootLogin" -# line: "PermitRootLogin no" -# state: present -# notify: Restart ssh +- name: include SELinux package tasks for EL (CentOS/RHEL) + include_tasks: centos-selinux.yml + when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"]) -# untested on debian/ubuntu -- name: disable services +- name: include SELinux package tasks for Fedora (non-atomic) + include_tasks: fedora-selinux.yml + when: (ansible_distribution in ["Fedora"] and not is_atomic) + +# likely to break on non-RHEL/derivatives, could use improvement. +- name: enable firewalld service: - name: "{{ item }}" - state: stopped - enabled: no - with_items: - - postfix - - rpcbind - - rsyncd.service - - rsyncd.socket - ignore_errors: true + name: firewalld + state: started + enabled: yes -- name: disable password auth +- name: SSH - disable password auth lineinfile: dest: /etc/ssh/sshd_config regexp: "^PasswordAuthentication"
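Review bot: The `version('30', '<=')` branch installs the Python 2 binding `libsemanage-python`, but `roles/fedora-upgrade/defaults/main.yml` in this same commit raises `fedora_minimum` to 33, so that branch is dead for any host the repository still supports and can be removed together with its `when:`. The `seport` module used in `tasks/main.yml` imports `seobject`, which on Fedora I believe ships in `python3-policycoreutils` rather than `python3-libsemanage`; confirm on a Fedora 35 host that `python3 -c 'import seobject'` succeeds after this task, and add that package if it does not. As in the EL variant, `state: latest` should be `state: present`.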
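Review bot: The commented-out `PermitRootLogin no` task is deleted outright instead of being enabled, so after this change the role disables password authentication but still permits root logins over SSH with a key, and nothing else in the visible diff restricts root. Add a task mirroring the `PasswordAuthentication` one with `regexp: "^PermitRootLogin"` / `line: "PermitRootLogin prohibit-password"` (or `no`), `validate: '/usr/sbin/sshd -t -f %s'` and `notify: restart sshd`. The `enable firewalld` task starts the daemon before any rule for SSH on 1181 exists (that rule arrives in the next hunk); this is safe only because firewalld's default zone typically still allows the `ssh` service on 22, which deserves a comment so nobody tightens the default zone first. `is_atomic`, used in the Fedora include condition, is not defined anywhere in this diff; confirm an earlier role or fact sets it, otherwise the condition raises an undefined-variable error.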
@@ -29,4 +23,27 @@ state: present notify: restart sshd
+- name: SSH - config port 1181
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^Port '
+ line: 'Port 1181'
+ insertbefore: "(^|#)AddressFamily.*"
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: restart sshd
+- name: allow custom SSH port in selinux
+ seport:
+ ports: 1181
+ proto: tcp
+ setype: ssh_port_t
+ state: present
+ when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
+
+# also likely to break on non-RHEL/derivatives, could use improvement too.
+- name: allow custom SSH port in firewalld
+ firewalld:
+ port: 1181/tcp
+ permanent: yes
+ immediate: yes
+ state: enabled
diff --git a/roles/install-packages/defaults/main.yml b/roles/install-packages/defaults/main.yml
index 6dd9710..3369ece 100644
--- a/roles/install-packages/defaults/main.yml
+++ b/roles/install-packages/defaults/main.yml
@@ -12,6 +12,7 @@ COMMON_PKGS: - rsync - lsof - firewalld + - mosh EL_PKGS: - iperf3 - nmap
@@ -20,5 +21,6 @@ EL_PKGS: - psmisc # may work on deb/ubuntu also? - provides killall - wget - cockpit + - ioping DEB_PKGS: - dnsutils
diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml
index 4ae643c..62b1542 100644
--- a/roles/tuned/tasks/main.yml
+++ b/roles/tuned/tasks/main.yml
@@ -1,5 +1,10 @@ ---
+- name: update apt caches
+ apt:
+ update_cache: yes
+ when: (ansible_os_family in ["Debian"] )
+
 - name: install packages package: name: "{{ item }}"
@@ -7,6 +12,7 @@ with_items: - tuned - tuned-utils +# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream - name: start service service:
@@ -22,4 +28,4 @@ - name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }} include: configure-custom-profile.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic)
+ when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
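Review bot: Port 1181 is hard-coded in three places (`sshd_config`, `seport`, `firewalld`), so a later edit to one of them silently desynchronises the others and the result is a lockout; define `ssh_port: 1181` in `roles/hardening/defaults/main.yml` and use `line: "Port {{ ssh_port }}"`, `ports: "{{ ssh_port }}"` and `port: "{{ ssh_port }}/tcp"`. Sequencing is also fragile: the sshd restart is deferred to the handler at play end, so if `seport` or `firewalld` fails on the first run the play aborts without restarting sshd while `sshd_config` already says `Port 1181`, and the next reboot or unrelated sshd restart moves the daemon to a port the firewall or SELinux may not allow; a `meta: flush_handlers` task after the firewalld rule, plus `ansible_port` updated in inventory, keeps the three states in step. The old `ssh` service on 22 is never removed from firewalld, which is reasonable as a transition but should be stated in a comment rather than left implicit.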
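Review bot: Adding `mosh` to `COMMON_PKGS` installs a server that answers on UDP 60000-61000 (mosh's default range) on every host, while the hardening role in this same commit enables firewalld and only opens 1181/tcp, so mosh sessions will not get through unless that range is allowed too (firewalld ships a `mosh` service definition, I believe: `firewalld: {service: mosh, permanent: true, immediate: true, state: enabled}`). Decide whether mosh belongs in the common set for hardened hosts; if it does, open the range in the hardening role next to the SSH rule, and if not, move it to an opt-in list. Neither `mosh` nor `ioping` carries a comment saying why it is installed fleet-wide, unlike `psmisc` above.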
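Review bot: `update_cache: yes` without `cache_valid_time` refreshes the apt indexes on every run, reports `changed` every time, and makes the role depend on mirror reachability even when nothing needs installing; `cache_valid_time: 3600` (or a role variable) gives the refresh an idempotent bound. Prefer `true` over `yes` here and in the other boolean fields so yamllint's `truthy` rule and a YAML 1.2 parser agree with Ansible. `ansible_os_family == "Debian"` reads more directly than a one-element `in [...]` list.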
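Review bot: The distribution allow-list now carries both `"Red Hat Enterprise Linux"` and `"RedHat"`; as far as I know the `ansible_distribution` fact reports RHEL as `RedHat`, so the long form is dead weight, and the list still excludes Rocky, AlmaLinux and Oracle Linux, which are the same family. `ansible_os_family == "RedHat" and not is_atomic` expresses the intent in one term and covers those derivatives; the identical list is duplicated in both `roles/zfs/tasks/main.yml` hunks and in `roles/hardening/tasks/main.yml`, so factor it once. The `include:` keyword on the context line above is deprecated in favour of `include_tasks:`/`import_tasks:` and has, I believe, been removed in recent ansible-core; worth fixing while this task is touched.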
diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml
index 1be7c4d..3c0c98c 100644
--- a/roles/zfs/defaults/main.yml
+++ b/roles/zfs/defaults/main.yml
@@ -6,6 +6,10 @@ EL_ZFS_PKGS: - kernel-devel - "@Development tools" - dkms
+ - libuuid-devel
+ - libblkid-devel
+ - libtirpc-devel
+ - openssl-devel
 - zfs UBUNTU_ZFS_PKGS: - zfsutils-linux
diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml
index e975e34..0fb926c 100644
--- a/roles/zfs/tasks/main.yml
+++ b/roles/zfs/tasks/main.yml
@@ -2,7 +2,7 @@ - name: include zfs-release tasks (CentOS/RHEL/Fedora) include_tasks: zfs-release.yml
- when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ])
+ when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ])
 - name: include zfs installation tasks (Ubuntu) include_tasks: ubuntu.yml
@@ -10,7 +10,7 @@ - name: include zfs installation tasks (CentOS/RHEL/Fedora) include_tasks: el.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic)
+ when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
 - name: load zfs module modprobe:
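Review bot: The four new `-devel` packages are presumably build-time inputs for the DKMS module build, and together with `"@Development tools"` and `kernel-devel` they leave a full compiler toolchain permanently installed on every ZFS host that the hardening role then has to live with; if the zfs-release repository provides prebuilt `kmod-zfs` packages for the EL releases in use, those avoid the toolchain entirely and are worth evaluating. Nothing in the list says which entries are runtime requirements and which exist only for DKMS, so a comment such as `# build deps for the DKMS zfs module (not needed at runtime)` above `libuuid-devel` would stop `openssl-devel` from being mistaken for a security setting.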