diff --git a/roles/ampache/defaults/main.yml b/roles/ampache/defaults/main.yml index ded7bd1..c7775dc 100644 --- a/roles/ampache/defaults/main.yml +++ b/roles/ampache/defaults/main.yml @@ -3,10 +3,10 @@ ampache_id: "1" ampache_manage_upgrade: True -ampache_version: '5.4.1' +ampache_version: '5.5.1' ampache_config_version: 62 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip -ampache_zip_sha256: 867a87d73a16386ff95d9b6474828917f9b03c23ec49d8f22c09ccbad987eb7b +ampache_zip_sha256: 3e37839058c263be990915759eecab9b5da3ec324638a7ff7d8094516f56a85c ampache_root_dir: /opt/ampache_{{ ampache_id }} diff --git a/roles/cni_plugins/tasks/main.yml b/roles/cni_plugins/tasks/main.yml index f7e85f4..d6418fc 100644 --- a/roles/cni_plugins/tasks/main.yml +++ b/roles/cni_plugins/tasks/main.yml @@ -7,7 +7,7 @@ tags: always - include_tasks: archive_pre.yml - when: cni_install_mode == 'upgrade' + when: cni_install_mode | default('none') == 'upgrade' tags: always - include_tasks: install.yml @@ -17,7 +17,7 @@ tags: always - include_tasks: archive_post.yml - when: cni_install_mode == 'upgrade' + when: cni_install_mode | default('none') == 'upgrade' tags: always - include_tasks: cleanup.yml diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index 577efde..f1ed5cf 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml 
@@ -1,11 +1,11 @@ --- # Version of consul to deploy -consul_version: 1.12.3 +consul_version: 1.13.1 # URL from where the consul archive will be downloaded consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip # Expected sha256 of the archive -consul_archive_sha256: 620a47cfba34bdf918b4c3238d22f6318b29403888cfd927c6006a4ac1b1c9f6 +consul_archive_sha256: 7f8f69b631114e0a021b602a1975e0221912b8b33ef20ead1589d6f6581c5579 # user account under which consul will run (will be created if needed) consul_user: consul diff --git a/roles/consul/tasks/archive_pre.yml b/roles/consul/tasks/archive_pre.yml index 0c83f4c..e69a406 100644 --- a/roles/consul/tasks/archive_pre.yml +++ b/roles/consul/tasks/archive_pre.yml @@ -8,7 +8,7 @@ command: "{{ consul_root_dir }}/bin/consul snapshot save {{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap" args: creates: "{{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap" - failed_when: False # If consul is not running, it'll fail, just continue + when: consul_conf.server environment: CONSUL_TOKEN: "{{ consul_mgm_token | default(omit) }}" tags: consul diff --git a/roles/drbd/tasks/main.yml b/roles/drbd/tasks/main.yml index 3e2dceb..fef2717 100644 --- a/roles/drbd/tasks/main.yml +++ b/roles/drbd/tasks/main.yml @@ -5,3 +5,7 @@ - include_tasks: install.yml tags: always + +- include_tasks: iptables.yml + when: iptables_manage | default(True) + tags: always diff --git a/roles/drbd/vars/RedHat-8.yml b/roles/drbd/vars/RedHat-8.yml index e924d56..ccd5a8c 100644 --- a/roles/drbd/vars/RedHat-8.yml +++ b/roles/drbd/vars/RedHat-8.yml @@ -4,3 +4,4 @@ drbd_packages: - kmod-drbd90 - drbd-utils - drbd-udev + - drbd-bash-completion diff --git a/roles/linstor_controller/defaults/main.yml b/roles/linstor_controller/defaults/main.yml new file mode 100644 index 0000000..5323d16 --- /dev/null +++ b/roles/linstor_controller/defaults/main.yml 
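Review bot: In roles/consul/tasks/archive_pre.yml the new `when: consul_conf.server` replaces `failed_when: False`, so on a server node any failure of `consul snapshot save` (agent stopped, no leader, a `consul_mgm_token` without snapshot rights) now aborts the play. If stopping the upgrade when no snapshot can be taken is intended, record it in a comment such as `# Abort the upgrade if the pre-upgrade snapshot cannot be taken`. A host whose `consul_conf` has no `server` key would presumably raise an undefined-variable error instead of skipping; the role defaults are not visible here, so `when: consul_conf.server | default(False)` is the safer form. The task begins above the hunk, so its name line is not shown.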
@@ -0,0 +1,23 @@
+---
+
+# Port on which the controller will listen for plain (http) requests
+linctl_api_port: 3370
+
+# List of IP/CIDR for which the API port will be opened
+linctl_api_src_ip: []
+
+# List of linstor controllers. Default is only localhost:3370 but when using HA you can define
+# a list of controllers to try, the first answering will be used
+linctl_controllers:
+ - http://localhost:3370
+
+# When HA is enabled, ansible will not try to start or enabled the service
+# As this will be handled by drbd-reactor
+# It'll also restart the service on config change only if the service is already running
+linctl_ha: False
+
+# When running HA, set the name of the resource which holds the controller data
+linctl_ha_res: linstor_db
+
+# If set, and linctl_ha is True, this IP will be configured on the current active node
+# linctl_ha_ip: 10.99.5.23
diff --git a/roles/linstor_controller/handlers/main.yml b/roles/linstor_controller/handlers/main.yml
new file mode 100644
index 0000000..d8c83a6
--- /dev/null
+++ b/roles/linstor_controller/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: restart linstor-controller
+ service: name=linstor-controller state=restarted
+ # Only restart if the service wasn't just started, and if either HA is not used, or the service was running (so it's the current active instance)
+ when:
+ - not linctl_started.changed
+ - not linctl_ha or linctl_services.ansible_facts.services['linstor-controller.service'] is defined and linctl_services.ansible_facts.services['linstor-controller.service'].state == 'started'
diff --git a/roles/linstor_controller/meta/main.yml b/roles/linstor_controller/meta/main.yml
new file mode 100644
index 0000000..96aba1e
--- /dev/null
+++ b/roles/linstor_controller/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - role: drbd_reactor
diff --git a/roles/linstor_controller/tasks/conf.yml b/roles/linstor_controller/tasks/conf.yml
new file mode 100644
index 0000000..469205e
--- /dev/null
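Review bot: The second `when` condition of the `restart linstor-controller` handler reads `linctl_services`, but tasks/facts.yml in this same commit registers the result as `linctl_service`, so with `linctl_ha: True` the handler would fail on an undefined variable instead of deciding whether to restart. Align the two names, for example `register: linctl_services` in facts.yml. The comparison `.state == 'started'` also looks wrong: as far as I know `service_facts` reports `running` or `stopped` for systemd units, so the test should probably be `.state == 'running'`. As written, the active HA node would never pick up a changed linstor.toml.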
+++ b/roles/linstor_controller/tasks/conf.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Deploy linstor-controller conf
+ template: src=linstor.toml.j2 dest=/etc/linstor/linstor.toml mode=640
+ notify: restart linstor-controller
+ tags: drbd
+
+- name: Deploy linstor-client configuration
+ template: src=linstor-client.conf.j2 dest=/etc/linstor/linstor-client.conf
+ tags: drbd
+
+- name: Setup logrotate
+ template: src=logrotate.j2 dest=/etc/logrotate.d/linstor-controller
+ tags: drbd
+
+- name: Remove old reactor conf
+ file: path=/etc/drbd-reactor.d/linstor_db.toml state=absent
+ notify: restart drbd-reactor
+ tags: drbd
+
+- when: linctl_ha
+ name: Configure the drbd-reactor promoter
+ template: src=drbd-reactor.toml.j2 dest=/etc/drbd-reactor.d/linstor-controller.toml
+ notify: restart drbd-reactor
+ tags: drbd
+
diff --git a/roles/linstor_controller/tasks/directories.yml b/roles/linstor_controller/tasks/directories.yml
new file mode 100644
index 0000000..3ba6baa
--- /dev/null
+++ b/roles/linstor_controller/tasks/directories.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Create conf dir
+ file: path=/etc/linstor state=directory
+ tags: drbd
+
+#- name: Create data directory
+# file: path=/var/lib/linstor state=directory owner=root group=linstor-controller mode=u=rwX,g=rwX,o=- recurse=True
+# tags: drbd
+
+- name: Create systemd unit snippet dir
+ file: path=/etc/systemd/system/linstor-controller.service.d state=directory
+ tags: drbd
+
+#- name: Set permission on log dir
+# file: path=/var/log/linstor-controller state=directory owner=root group=linstor-controller mode=u=rwX,g=rwX,o=- recurse=True
+# tags: drbd
diff --git a/roles/linstor_controller/tasks/facts.yml b/roles/linstor_controller/tasks/facts.yml
new file mode 100644
index 0000000..00c5183
--- /dev/null
+++ b/roles/linstor_controller/tasks/facts.yml
@@ -0,0 +1,16 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+ tags: drbd
+
+- name: Check the state of the service
+ service_facts:
+ register: linctl_service
+ tags: drbd
+
diff --git a/roles/linstor_controller/tasks/install.yml b/roles/linstor_controller/tasks/install.yml
new file mode 100644
index 0000000..d4cb4bf
--- /dev/null
+++ b/roles/linstor_controller/tasks/install.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Install packages
+ package: name={{ linctl_packages }}
+ tags: drbd
+
+- name: Custimize systemd unit
+ copy:
+ content: |
+ [Service]
+ #User=linstor-controller
+ #Group=linstor-controller
+ PrivateDevices=yes
+ ProtectSystem=full
+ ProtectHome=yes
+ NoNewPrivileges=yes
+ SyslogIdentifier=linstor-controller
+ Restart=on-failure
+ StartLimitInterval=0
+ RestartSec=15
+ dest: /etc/systemd/system/linstor-controller.service.d/99-ansible.conf
+ notify: restart linstor-controller
+ register: linctl_unit
+ tags: drbd
+
+- name: Install mount unit
+ copy:
+ content: |
+ [Unit]
+ Description=Filesystem for the LINSTOR controller
+
+ [Mount]
+ # you can use the minor like /dev/drbdX or the udev symlink
+ What=/dev/drbd/by-res/{{ linctl_ha_res }}/0
+ Where=/var/lib/linstor
+ dest: /etc/systemd/system/var-lib-linstor.mount
+ register: linctl_data_unit
+ when: linctl_ha
+ tags: drbd
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: linctl_unit.changed or (linctl_data_unit is defined and linctl_data_unit.changed)
+ tags: drbd
diff --git a/roles/linstor_controller/tasks/iptables.yml b/roles/linstor_controller/tasks/iptables.yml
new file mode 100644
index 0000000..921c56a
--- /dev/null
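Review bot: The drop-in written by the `Custimize systemd unit` task in tasks/install.yml keeps `#User=linstor-controller` and `#Group=linstor-controller` commented out, and tasks/main.yml in this commit also leaves user.yml disabled. The controller therefore presumably stays on whatever account the packaged unit uses, and nothing records why the dedicated account was abandoned. Add a comment above the two lines, for example `# Dedicated account disabled: <reason>`, or drop them together with user.yml. If the service does keep running privileged, `PrivateTmp=yes` (already set in the linstor_satellite drop-in of this commit) would fit next to `ProtectSystem=full` and `NoNewPrivileges=yes`.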
+++ b/roles/linstor_controller/tasks/iptables.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Handle API ports
+ iptables_raw:
+ name: linctl_api_port
+ state: "{{ (linctl_api_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ linctl_api_port }} -s {{ linctl_api_src_ip | join(',') }} -j ACCEPT"
+ tags: firewall,drbd
+
diff --git a/roles/linstor_controller/tasks/main.yml b/roles/linstor_controller/tasks/main.yml
new file mode 100644
index 0000000..2a324cc
--- /dev/null
+++ b/roles/linstor_controller/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+
+- include_tasks: facts.yml
+ tags: always
+
+#- include_tasks: user.yml
+# tags: always
+
+- include_tasks: directories.yml
+ tags: always
+
+- include_tasks: install.yml
+ tags: always
+
+#- include_tasks: directories.yml
+# tags: always
+
+- include_tasks: conf.yml
+ tags: always
+
+- include_tasks: iptables.yml
+ when: iptables_manage | default(True)
+ tags: always
+
+- include_tasks: services.yml
+ tags: always
diff --git a/roles/linstor_controller/tasks/services.yml b/roles/linstor_controller/tasks/services.yml
new file mode 100644
index 0000000..c3744cf
--- /dev/null
+++ b/roles/linstor_controller/tasks/services.yml
@@ -0,0 +1,16 @@
+---
+
+- when: not linctl_ha
+ name: Start and enable the service
+ service: name=linstor-controller state=started enabled=True
+ register: linctl_started
+ tags: drbd
+
+- when: linctl_ha
+ block:
+ - name: Ensure the service is disabled and managed by drbd-reactor
+ service: name=linstor-controller enabled=False
+
+ - name: Ensure the data mount unit is disabled
+ systemd: name=var-lib-linstor.mount enabled=False
+ tags: drbd
diff --git a/roles/linstor_controller/tasks/user.yml b/roles/linstor_controller/tasks/user.yml
new file mode 100644
index 0000000..336a828
--- /dev/null
+++ b/roles/linstor_controller/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create linstor-controller user
+ user:
+ name: linstor-controller
+ system: True
+ shell: /sbin/nologin
+ home: /var/lib/linstor
+ tags: drbd
diff --git a/roles/linstor_controller/templates/drbd-reactor.toml.j2 b/roles/linstor_controller/templates/drbd-reactor.toml.j2
new file mode 100644
index 0000000..8f3c35e
--- /dev/null
+++ b/roles/linstor_controller/templates/drbd-reactor.toml.j2
@@ -0,0 +1,13 @@
+[[promoter]]
+ id = "{{ linctl_ha_res }}"
+
+ [promoter.resources.{{ linctl_ha_res }}]
+ start = [
+{% if linctl_ha_ip is defined %}
+ "ocf:heartbeat:IPaddr2 service_ip cidr_netmask=32 ip={{ linctl_ha_ip }}",
+{% endif %}
+ "var-lib-linstor.mount",
+ "linstor-controller.service"
+ ]
+ stop-services-on-exit = true
+
diff --git a/roles/linstor_controller/templates/linstor-client.conf.j2 b/roles/linstor_controller/templates/linstor-client.conf.j2
new file mode 100644
index 0000000..6b122d8
--- /dev/null
+++ b/roles/linstor_controller/templates/linstor-client.conf.j2
@@ -0,0 +1,2 @@
+[global]
+controllers={{ linctl_controllers | join(',') }}
diff --git a/roles/linstor_controller/templates/linstor.toml.j2 b/roles/linstor_controller/templates/linstor.toml.j2
new file mode 100644
index 0000000..32d4017
--- /dev/null
+++ b/roles/linstor_controller/templates/linstor.toml.j2
@@ -0,0 +1,16 @@
+[db]
+ user = "linstor"
+ password = "linstor"
+ connection_url = "jdbc:h2:/var/lib/linstor/linstordb"
+
+[http]
+ enabled = true
+ listen_addr = "0.0.0.0"
+ port = {{ linctl_api_port }}
+
+[logging]
+ level = "info"
+ linstor_level = "info"
+ rest_access_log_path = "/var/log/linstor-controller/rest-access.log"
+ rest_access_log_mode = "APPEND"
+
diff --git a/roles/linstor_controller/templates/logrotate.j2 b/roles/linstor_controller/templates/logrotate.j2
new file mode 100644
index 0000000..d4b048a
--- /dev/null
+++ b/roles/linstor_controller/templates/logrotate.j2
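Review bot: The `[http]` section of linstor.toml.j2 hard-codes `listen_addr = "0.0.0.0"`, so the plain-HTTP API on `linctl_api_port` is bound to every interface. The only restriction is the iptables rule, which tasks/main.yml skips when `iptables_manage` is false. Make the bind address a role variable so a host can pin it to one interface, for example `listen_addr = "{{ linctl_api_listen | default('0.0.0.0') }}"` (the variable name is a suggestion), and document it in defaults/main.yml next to `linctl_api_src_ip`. The `[db]` block also ships the literal `password = "linstor"`; a comment stating that this only protects the local H2 file under /var/lib/linstor would tell the next reader whether it needs to be overridable.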
@@ -0,0 +1,8 @@ +/var/log/linstor/rest-access.log { + daily + rotate 180 + compress + notifempty + missingok + copytruncate +} diff --git a/roles/linstor_controller/vars/RedHat-8.yml b/roles/linstor_controller/vars/RedHat-8.yml new file mode 100644 index 0000000..53941f5 --- /dev/null +++ b/roles/linstor_controller/vars/RedHat-8.yml @@ -0,0 +1,5 @@ +--- + +linctl_packages: + - linstor-controller + - linstor-client diff --git a/roles/linstor_satellite/defaults/main.yml b/roles/linstor_satellite/defaults/main.yml index 5bfec1f..638e586 100644 --- a/roles/linstor_satellite/defaults/main.yml +++ b/roles/linstor_satellite/defaults/main.yml @@ -15,9 +15,5 @@ linsat_nfs_src_ip: [] # HA iSCSI Service linsat_iscsi_src_ip: [] -# Version of linstor-gateway to install -linsat_gateway_version: 0.13.1 -# URL where linstor-gateway will be downloaded -linsat_gateway_url: https://github.com/LINBIT/linstor-gateway/releases/download/v{{ linsat_gateway_version }}/linstor-gateway-linux-amd64 -# Expected sha256 of the binary -linsat_gateway_sha256: 83d4d13154caeee79a0bec01db4a571cc417301fc001eb0ee9a6210279201934 +# List of resources to keep (and not delete/regenerate) on start. Usefull for the HA controller +linsat_keep_res: [ "{{ linctl_ha_res | default('linstor_db') }}" ] diff --git a/roles/linstor_satellite/tasks/install.yml b/roles/linstor_satellite/tasks/install.yml index a868d6e..469cb50 100644 --- a/roles/linstor_satellite/tasks/install.yml +++ b/roles/linstor_satellite/tasks/install.yml @@ -8,7 +8,14 @@ copy: content: | [Service] - Type=notify + Environment=LS_KEEP_RES={{ linsat_keep_res | join(',') }} + Restart=on-failure + StartLimitInterval=0 + RestartSec=30 + PrivateTmp=yes + ProtectHome=yes + ProtectSystem=full + SyslogIdentifier=linstor-satellite dest: /etc/systemd/system/linstor-satellite.service.d/99-ansible.conf notify: restart linstor-satellite register: linsat_unit 
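Review bot: The path rotated by logrotate.j2, `/var/log/linstor/rest-access.log`, does not match `rest_access_log_path = "/var/log/linstor-controller/rest-access.log"` set in linstor.toml.j2 of the same commit. Because the stanza uses `missingok`, logrotate would stay silent about the missing file and the REST access log would grow without rotation or the 180-day retention. The first line should read `/var/log/linstor-controller/rest-access.log {`.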
diff --git a/roles/linstor_satellite/templates/linstor-gateway.toml.j2 b/roles/linstor_satellite/templates/linstor-gateway.toml.j2 index c1d1435..cea72df 100644 --- a/roles/linstor_satellite/templates/linstor-gateway.toml.j2 +++ b/roles/linstor_satellite/templates/linstor-gateway.toml.j2 @@ -1,6 +1,6 @@ [linstor] controllers = [ {% for url in linsat_controllers_url %} - "{{ url }}" + "{{ url }}", {% endfor %} ] diff --git a/roles/linstor_satellite/vars/RedHat-8.yml b/roles/linstor_satellite/vars/RedHat-8.yml index 164f4e1..6d206e0 100644 --- a/roles/linstor_satellite/vars/RedHat-8.yml +++ b/roles/linstor_satellite/vars/RedHat-8.yml @@ -3,3 +3,6 @@ linsat_packages: - linstor-satellite - lvm2 + - cryptsetup + - vdo + - kmod-kvdo diff --git a/roles/metabase/defaults/main.yml b/roles/metabase/defaults/main.yml index c31f443..af41877 100644 --- a/roles/metabase/defaults/main.yml +++ b/roles/metabase/defaults/main.yml @@ -1,15 +1,15 @@ --- # Version to deploy -metabase_version: 0.43.4 +metabase_version: 0.44.1 # URL to fetch the jar metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar # Expected sha256 of the jar -metabase_jar_sha256: c89644d013eced830fc02d1169b88708fc2105089b356f1c988875b05882c189 +metabase_jar_sha256: 4c842b9b374b0ffa7031b7757722e1dddd9b6aebbb5afe82d82b6eb9730d3791 # When building from source metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz # Expected sha256 of the archive -metabase_archive_sha256: 77ff4777f994675ab82756df2eca041736eb5596afa84b33120cb9a300c7690b +metabase_archive_sha256: 522fb5a92234fb6bc1ed46819523271c51d4e3d2c13fa5230430cff3802d0ff1 # Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled metabase_manage_upgrade: True diff --git a/roles/miniflux/defaults/main.yml b/roles/miniflux/defaults/main.yml index 2dd23b8..3fe02c2 100644 --- a/roles/miniflux/defaults/main.yml 
+++ b/roles/miniflux/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to install -miniflux_version: 2.0.37 +miniflux_version: 2.0.38 # URL of the binary to install miniflux_bin_url: https://github.com/miniflux/v2/releases/download/{{ miniflux_version }}/miniflux-linux-amd64 # Expected sha256 of the binary -miniflux_bin_sha256: d4f6e63cbeca895181e1c47180c70a75a0dedb636ed2a558d44dc26260557cba +miniflux_bin_sha256: 310501e1fabd103607bda145874e7052271fe2028f628bbddefb3af86798b46f # Should ansible handle upgrades ? If false, only initial install will be done miniflux_manage_upgrade: True diff --git a/roles/pgadmin4/defaults/main.yml b/roles/pgadmin4/defaults/main.yml index b8fbfd7..3a4288d 100644 --- a/roles/pgadmin4/defaults/main.yml +++ b/roles/pgadmin4/defaults/main.yml @@ -10,7 +10,7 @@ pga_src_ip: [] # Root dir where the app will be installed pga_root_dir: /opt/pgadmin4_{{ pga_id }} # Version to deploy -pga_version: '6.12' +pga_version: '6.13' # When pg_auth is an empty list, pgAdmin will be in single user mode # You can set it to a list, eg diff --git a/roles/pmg/tasks/main.yml b/roles/pmg/tasks/main.yml index 3f892c5..c53e90f 100644 --- a/roles/pmg/tasks/main.yml +++ b/roles/pmg/tasks/main.yml @@ -217,14 +217,14 @@ file: path=/var/lib/spamassassin state=directory tags: pmg -- name: Download fishtank feed - get_url: - url: https://data.phishtank.com/data/online-valid.csv - dest: /var/lib/spamassassin/phishtank.txt - notify: reload pmg-smtp-filter - environment: - - https_proxy: "{{ system_proxy | default('') }}" - tags: pmg +#- name: Download fishtank feed +# get_url: +# url: https://data.phishtank.com/data/online-valid.csv +# dest: /var/lib/spamassassin/phishtank.txt +# notify: reload pmg-smtp-filter +# environment: +# - https_proxy: "{{ system_proxy | default('') }}" +# tags: pmg - name: Download openphish feed get_url: