diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml
index 6db3cde..48fbca9 100644
--- a/roles/bootstrap/tasks/dnf.yml
+++ b/roles/bootstrap/tasks/dnf.yml
@@ -11,7 +11,6 @@
 state: present

 - name: configure dnf-automatic
- become: true
 lineinfile:
 path: /etc/dnf/automatic.conf
 state: present
@@ -19,8 +18,7 @@
 line: "{{ item.line }}"
 with_items:
 - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' }
- - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' }
- - { regexp: '^apply_updates.=', line: 'apply_updates = yes' }
+ - { regexp: '^emit_via.=', line: 'emit_via = stdio' }

 - name: enable dnf-automatic timer
 systemd:
diff --git a/roles/fedora-upgrade/defaults/main.yml b/roles/fedora-upgrade/defaults/main.yml
index e57fbbd..e15753b 100644
--- a/roles/fedora-upgrade/defaults/main.yml
+++ b/roles/fedora-upgrade/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
-fedora_latest: 35
-fedora_minimum: 33
+fedora_latest: 33
+fedora_minimum: 31
 fedora_target: "{{ fedora_latest|int }}"
diff --git a/roles/hardening/defaults/main.yml b/roles/hardening/defaults/main.yml
deleted file mode 100644
index 499477d..000000000
--- a/roles/hardening/defaults/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-BAD_SERVICES:
- - postfix
- - rpcbind
- - rsyncd.service
- - rsyncd.socket
diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml
deleted file mode 100644
index 2b3a4e2..000000000
--- a/roles/hardening/tasks/centos-selinux.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-
-- name: Install required dependency libsemanage-python
- yum:
- name: libsemanage-python
- state: latest
- when: (ansible_distribution_major_version is version('7', '='))
-
-- name: Install required dependency python3-policycoreutils
- dnf:
- name: python3-policycoreutils
- state: latest
- when: (ansible_distribution_major_version is version('8', '>='))
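Review bot: With `become: true` gone from `configure dnf-automatic`, the `lineinfile` edit of `/etc/dnf/automatic.conf` now runs with whatever privilege the play or an enclosing block provides, and that is outside this hunk; if the play is not already running with `become`, the task fails on permissions rather than being skipped. If the removal is intentional because `become` is set at play level, a one-line comment on the task, e.g. `# privilege comes from play-level become`, saves the next reader the same question.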
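Review bot: Removing the `apply_updates = yes` item changes what the timer enabled by the next task does: dnf-automatic's shipped default is `apply_updates = no`, so `upgrade_type = security` now only selects which updates are downloaded, and nothing is installed unless the unit enabled below is the `dnf-automatic-install.timer` variant (the unit name is outside this hunk). If download-only is the intent, record it on the task, e.g. `# download/notify only: apply_updates left at the dnf-automatic default (no)`; if security updates should still be applied unattended, keep the removed item. The `emit_via = stdio` change also drops the motd notice, so administrators logging in will no longer see pending updates.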
diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml
deleted file mode 100644
index 6a91c6e..000000000
--- a/roles/hardening/tasks/fedora-selinux.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-
-- name: Install required dependency python3-libsemanage
- dnf:
- name: python3-libsemanage
- state: latest
- when: (ansible_distribution_major_version is version('31', '>='))
-
-- name: Install required dependency libsemanage-python
- dnf:
- name: libsemanage-python
- state: latest
- when: (ansible_distribution_major_version is version('30', '<='))
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index ef53844..ee22bd3 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -1,21 +1,27 @@
 ---

+#- name: Disallow root SSH access
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# regexp: "^PermitRootLogin"
+# line: "PermitRootLogin no"
+# state: present
+# notify: Restart ssh

-- name: include SELinux package tasks for EL (CentOS/RHEL)
- include_tasks: centos-selinux.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
-- name: include SELinux package tasks for Fedora (non-atomic)
- include_tasks: fedora-selinux.yml
- when: (ansible_distribution in ["Fedora"] and not is_atomic)
-
- # likely to break on non-RHEL/derivatives, could use improvement.
-- name: enable firewalld
+# untested on debian/ubuntu
+- name: disable services
 service:
- name: firewalld
- state: started
- enabled: yes
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items:
+ - postfix
+ - rpcbind
+ - rsyncd.service
+ - rsyncd.socket
+ ignore_errors: true

-- name: SSH - disable password auth
+- name: disable password auth
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^PasswordAuthentication"
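Review bot: The `Disallow root SSH access` block is added as a comment, so it is dead text, and it already disagrees with the live code: it uses `notify: Restart ssh` while the `disable password auth` task below notifies `restart sshd`, so uncommenting it as-is would most likely fail on an undefined handler (the handlers file is outside this diff). If the task is only parked, a variable-gated task, e.g. `when: hardening_disallow_root_ssh | default(false)`, keeps it parsed and testable. In the new `disable services` task, `ignore_errors: true` hides a genuine failure to stop `rpcbind` or `rsyncd.*` together with the expected unit-not-installed case; registering the result and failing only when the message is not the module's not-found error keeps the exception narrow. `enabled: no` should be written `enabled: false`, which is what yamllint's `truthy` rule and YAML 1.2 parsers expect.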
@@ -23,27 +29,4 @@
 state: present
 notify: restart sshd

-- name: SSH - config port 1181
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^Port '
- line: 'Port 1181'
- insertbefore: "(^|#)AddressFamily.*"
- validate: '/usr/sbin/sshd -t -f %s'
- notify: restart sshd

-- name: allow custom SSH port in selinux
- seport:
- ports: 1181
- proto: tcp
- setype: ssh_port_t
- state: present
- when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
-
- # also likely to break on non-RHEL/derivatives, could use improvement too.
-- name: allow custom SSH port in firewalld
- firewalld:
- port: 1181/tcp
- permanent: yes
- immediate: yes
- state: enabled
diff --git a/roles/install-packages/defaults/main.yml b/roles/install-packages/defaults/main.yml
index 3369ece..6dd9710 100644
--- a/roles/install-packages/defaults/main.yml
+++ b/roles/install-packages/defaults/main.yml
@@ -12,7 +12,6 @@ COMMON_PKGS:
 - rsync
 - lsof
 - firewalld
- - mosh
 EL_PKGS:
 - iperf3
 - nmap
@@ -21,6 +20,5 @@ EL_PKGS:
 - psmisc # may work on deb/ubuntu also? - provides killall
 - wget
 - cockpit
- - ioping
 DEB_PKGS:
 - dnsutils
diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml
index 62b1542..4ae643c 100644
--- a/roles/tuned/tasks/main.yml
+++ b/roles/tuned/tasks/main.yml
@@ -1,10 +1,5 @@
 ---

-- name: update apt caches
- apt:
- update_cache: yes
- when: (ansible_os_family in ["Debian"] )
-
 - name: install packages
 package:
 name: "{{ item }}"
@@ -12,7 +7,6 @@
 with_items:
 - tuned
 - tuned-utils
-# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream

 - name: start service
 service:
@@ -28,4 +22,4 @@

 - name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }}
 include: configure-custom-profile.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
+ when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic)
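Review bot: `firewalld` stays in `COMMON_PKGS` while the task that started and enabled it (`enable firewalld` in roles/hardening/tasks/main.yml) is removed in this same commit, so hosts end up with the package installed but the service neither running nor enabled unless something outside this diff does that. Either drop it from the list together with `mosh`, or keep an explicit `service: name: firewalld, state: started, enabled: true` task in one of the roles; an installed-but-inactive firewall is the kind of half state that confuses a later audit of the host.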
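Review bot: With the `update apt caches` task removed, the `install packages` task that follows runs `package:` against whatever apt index the Debian host already has, and on a fresh image that typically fails with packages not found; the generic `package` module has no `update_cache` option of its own. If Debian is no longer a supported target for this role, a comment or a `when:` on the install task should say so; otherwise keep a guarded refresh before the install, e.g. `apt: update_cache: true` with `when: ansible_os_family == "Debian"`.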
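Review bot: Removing `"RedHat"` from the distribution list breaks the check for RHEL hosts: Ansible reports RHEL as `ansible_distribution == "RedHat"`, and `"Red Hat Enterprise Linux"` is, as far as I know, not a value that fact ever takes, so after this change the custom tuned profile is silently skipped on RHEL while CentOS and Fedora still match. The same removal is made in both hunks of roles/zfs/tasks/main.yml, where it skips the `zfs-release.yml` and `el.yml` includes on RHEL. Keep the short name and drop the unused long one instead, e.g. `when: (ansible_distribution in ["CentOS", "RedHat", "Fedora"] and not is_atomic)`.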
diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml
index 3c0c98c..1be7c4d 100644
--- a/roles/zfs/defaults/main.yml
+++ b/roles/zfs/defaults/main.yml
@@ -6,10 +6,6 @@ EL_ZFS_PKGS:
 - kernel-devel
 - "@Development tools"
 - dkms
- - libuuid-devel
- - libblkid-devel
- - libtirpc-devel
- - openssl-devel
 - zfs
 UBUNTU_ZFS_PKGS:
 - zfsutils-linux
diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml
index 0fb926c..e975e34 100644
--- a/roles/zfs/tasks/main.yml
+++ b/roles/zfs/tasks/main.yml
@@ -2,7 +2,7 @@

 - name: include zfs-release tasks (CentOS/RHEL/Fedora)
 include_tasks: zfs-release.yml
- when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ])
+ when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ])

 - name: include zfs installation tasks (Ubuntu)
 include_tasks: ubuntu.yml
@@ -10,7 +10,7 @@

 - name: include zfs installation tasks (CentOS/RHEL/Fedora)
 include_tasks: el.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
+ when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic)

 - name: load zfs module
 modprobe: