diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
index a21f38d..4672dec 100644
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@@ -13,8 +13,3 @@
 - ca-certificates
 - gnupg
 state: present
-
-- name: Ensure unattended-upgrades is runing
- service:
- name: unattended-upgrades
- enabled: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 7e6ec80..2d4967f 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,12 +1,12 @@
 ---
 - name: Add apt key for docker
 apt_key:
- url: https://download.docker.com/linux/ubuntu/gpg
+ url: https://download.docker.com/linux/debian/gpg
 state: present

 - name: Add docker repository into sources list
 apt_repository:
- repo: deb https://download.docker.com/linux/ubuntu jammy stable
+ repo: deb https://download.docker.com/linux/debian bullseye stable
 state: present

 - name: Install docker packages
@@ -15,5 +15,6 @@
 - docker-ce
 - docker-ce-cli
 - containerd.io
+ - docker-buildx-plugin
 - docker-compose-plugin
 state: present
diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
deleted file mode 100644
index 5c58746..0000000
--- a/roles/firewall/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: Persist iptables
- shell:
- cmd: iptables-save > /etc/iptables/rules.v4
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
deleted file mode 100644
index 00d276d..0000000
--- a/roles/firewall/tasks/main.yml
+++ /dev/null
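Review bot: Nothing in the diff re-enables unattended-upgrades once the service task at the end of this hunk is removed, and the same commit also drops fail2ban (roles/ssh/tasks/main.yml), the whole firewall role (roles/firewall/*) and its entry in site.yml, so hosts lose automatic security patching, brute-force lockout and the default-DROP INPUT policy at once with no substitute visible. If an external control now covers these (an image with updates baked in, a cloud security group), say so in the commit message or in a comment at the top of each affected role; otherwise keep a task here such as `- name: Ensure unattended-upgrades is enabled` with `service: {name: unattended-upgrades, enabled: true, state: started}`. The apt task whose package list forms the context of this hunk starts before the hunk.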
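Review bot: The new `repo:` line hardcodes `bullseye` while the host release is not checked anywhere in the hunk, so running this role on bookworm or a later release silently installs packages built for the wrong suite; `repo: deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable` keeps the suite tied to the target host. The `apt_key` task above it still installs the Docker key into apt's global trusted keyring, where it can sign any repository the host uses; the Debian-recommended form is to fetch the key into `/etc/apt/keyrings/` and bind it to this one source with `[signed-by=...]`, as below. The `Install docker packages` task that closes this hunk continues in the next hunk.
```yaml
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Add apt key for docker
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

- name: Add docker repository into sources list
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
# … unchanged: Install docker packages …
```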
@@ -1,97 +0,0 @@
----
-- name: Install iptables packages
- apt:
- name: iptables-persistent
- state: present
-
-# TURN IT OFF
-- name: Turn iptables off for now
- service:
- name: iptables
- state: stopped
- enabled: no
-
-- name: Allow all loopback traffic
- iptables:
- chain: INPUT
- in_interface: lo
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow port ping traffic
- iptables:
- chain: INPUT
- jump: ACCEPT
- protocol: icmp
- notify: Persist iptables
-
-- name: Allow related and established connections
- iptables:
- chain: INPUT
- ctstate: ESTABLISHED,RELATED
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow SSH
- iptables:
- chain: INPUT
- destination_port: 22
- jump: ACCEPT
- protocol: tcp
- notify: Persist iptables
-
-- name: Allow web
- iptables:
- chain: INPUT
- protocol: tcp
- destination_port: 80
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow admin web (nginx proxy)
- iptables:
- chain: INPUT
- protocol: tcp
- destination_port: 81
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow dns
- iptables:
- chain: INPUT
- protocol: tcp
- destination_port: 53
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow dns (udp)
- iptables:
- chain: INPUT
- protocol: udp
- destination_port: 53
- jump: ACCEPT
- notify: Persist iptables
-
-- name: Allow related and established connections
- ansible.builtin.iptables:
- chain: INPUT
- ctstate: ESTABLISHED,RELATED
- jump: ACCEPT
-
-- name: Set the policy for the INPUT chain to DROP
- iptables:
- chain: INPUT
- policy: DROP
- notify: Persist iptables
-
-- name: Set the policy for the FORWARD chain to DROP
- iptables:
- chain: FORWARD
- policy: DROP
- notify: Persist iptables
-
-- name: Set the policy for the OUTPUT chain to ACCEPT
- iptables:
- chain: OUTPUT
- policy: ACCEPT
- notify: Persist iptables
diff --git a/roles/nginx-proxy-manager/files/docker-compose.yml b/roles/nginx-proxy-manager/files/docker-compose.yml
index 13df478..9ccdb6e 100644
--- a/roles/nginx-proxy-manager/files/docker-compose.yml
+++ b/roles/nginx-proxy-manager/files/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "3"
 services:
 app:
- image: jc21/nginx-proxy-manager:2.9.22
+ image: jc21/nginx-proxy-manager:latest
 restart: unless-stopped
 ports:
 - 80:80 # Public HTTP Port
@@ -10,8 +10,5 @@ services:
 volumes:
 - ./data:/data
 - ./letsencrypt:/etc/letsencrypt
- - ./default.conf:/etc/nginx/conf.d/default.conf
- # hack to avoid sed on default.conf
- - /dev/null:/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
 environment:
 - AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-6
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index f4534de..23fd385 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@@ -9,28 +9,6 @@
 with_items:
 - regexp: '^PasswordAuthentication'
 line: 'PasswordAuthentication no'
- - regexp: '^PermitRootLogin'
+ - regexp: '^#PermitRootLogin'
 line: 'PermitRootLogin no'
 notify: Restart ssh
-
-- name: Install fail2ban
- apt:
- name: fail2ban
- state: present
-
-- name: Configure fail2ban
- blockinfile:
- path: /etc/fail2ban/jail.local
- create: yes
- mode: 0644
- block: |
- [sshd]
- enabled = true
- filter = sshd
- # notify: Restart fail2ban
-
-- name: Turn fail2ban off for now
- service:
- name: fail2ban
- enabled: false
- state: stopped
diff --git a/site.yml b/site.yml
index f95045b..458b89d 100644
--- a/site.yml
+++ b/site.yml
@@ -10,7 +10,6 @@
 - role: instance
 tags: instance
 - role: apt
- - role: firewall
 - role: administrators
 - role: ssh
 - hosts: dns
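Review bot: `image: jc21/nginx-proxy-manager:latest` replaces a pinned tag with a floating one, so any future `docker compose pull`/`up` moves the proxy — which fronts port 80 and mounts the ACME credentials under `./letsencrypt` (next hunk) — to whatever upstream has published, with no review and no way to tell from this file which version is deployed. Pin a version again, or better an immutable digest such as `image: jc21/nginx-proxy-manager@sha256:<digest>` (placeholder), and bump it on purpose. If `latest` is deliberate, add a comment on the line explaining why and how upgrades are reviewed.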
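Review bot: `regexp: '^#PermitRootLogin'` only matches the commented-out default, so on a host whose sshd_config already carries an active `PermitRootLogin yes` nothing matches, lineinfile appends `PermitRootLogin no` at the end of the file, and sshd keeps the first directive it reads — root login stays enabled while the play reports success. The pattern also stops matching after the first run, because the line it rewrote no longer begins with `#`. Use `regexp: '^#?PermitRootLogin'` so both the commented default and an existing setting are replaced; the same `^#?` form would close the equivalent gap in the `PasswordAuthentication` item above. The lineinfile task these `with_items` entries belong to starts before this hunk.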