diff --git a/ansible/roles/docker_node/tasks/docker.yml b/ansible/roles/docker_node/tasks/docker.yml
index e156819f..9e4181ae 100644
--- a/ansible/roles/docker_node/tasks/docker.yml
+++ b/ansible/roles/docker_node/tasks/docker.yml
@@ -69,56 +69,59 @@
 state: link
 changed_when: False
-- name: Reload systemd
- ansible.builtin.systemd:
- daemon_reload: yes
- changed_when: False
-
-- name: Docker engine package
- ansible.builtin.apt:
- name: "{{ docker.apt_repo.package_name }}={{ docker.apt_repo.package_ver }}"
- update_cache: yes
-
-- name: Options directory
- ansible.builtin.file:
- dest: /etc/docker
- state: directory
-
-- name: Docker options
- ansible.builtin.copy:
- content: "{{ docker.options|to_nice_json }}"
- dest: /etc/docker/daemon.json
- notify: Restart docker
-
-- name: Systemd override path for docker.service
- ansible.builtin.file:
- dest: /lib/systemd/system/docker.service.d
- state: directory
-
-- name: Deal with conflicting systemd-unit option, await vol mount
- ansible.builtin.template:
- dest: /lib/systemd/system/docker.service.d/docker.service.conf
- src: docker.service.conf.j2
- notify: Reload systemd
-
-- name: Systemd unit file for enabling /var/lib/docker/volumes monitoring
- ansible.builtin.copy:
- dest: /etc/systemd/system/docker-permissions.service
- src: docker-permissions.service
-
-# TODO parse fstab seeking last luks line
-
-- name: Reenable systemctl start
- ansible.builtin.file:
- path: /usr/sbin/policy-rc.d
- state: absent
- changed_when: False
-
-- name: Unmask docker.service
- ansible.builtin.file:
- dest: /etc/systemd/system/docker.service
- state: absent
- changed_when: False
+- name: Configure docker service
+ block:
+ - name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: yes
+ changed_when: False
+
+ - name: Docker engine package
+ ansible.builtin.apt:
+ name: "{{ docker.apt_repo.package_name }}={{ docker.apt_repo.package_ver }}"
+ update_cache: yes
+
+ - name: Options directory
+ ansible.builtin.file:
+ dest: /etc/docker
+ state: directory
+
+ - name: Docker options
+ ansible.builtin.copy:
+ content: "{{ docker.options|to_nice_json }}"
+ dest: /etc/docker/daemon.json
+ notify: Restart docker
+
+ - name: Systemd override path for docker.service
+ ansible.builtin.file:
+ dest: /lib/systemd/system/docker.service.d
+ state: directory
+
+ - name: Deal with conflicting systemd-unit option, await vol mount
+ ansible.builtin.template:
+ dest: /lib/systemd/system/docker.service.d/docker.service.conf
+ src: docker.service.conf.j2
+ notify: Reload systemd
+
+ - name: Systemd unit file for enabling /var/lib/docker/volumes monitoring
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/docker-permissions.service
+ src: docker-permissions.service
+
+ # TODO parse fstab seeking last luks line
+
+ always:
+ - name: Reenable systemctl start
+ ansible.builtin.file:
+ path: /usr/sbin/policy-rc.d
+ state: absent
+ changed_when: False
+
+ - name: Unmask docker.service
+ ansible.builtin.file:
+ dest: /etc/systemd/system/docker.service
+ state: absent
+ changed_when: False
 - name: Suppress annoying error on subcontainer 'ia_addr' logs
 ansible.builtin.replace:
diff --git a/ansible/roles/fileserver/defaults/main.yml b/ansible/roles/fileserver/defaults/main.yml
index 37edfae2..228a0d9f 100644
--- a/ansible/roles/fileserver/defaults/main.yml
+++ b/ansible/roles/fileserver/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+instantlinux_legacy:
+ enabled: false
+
 nfs_exports:
 /var/ftp: "*(ro,root_squash,crossmnt,fsid=0,no_subtree_check)"
diff --git a/ansible/roles/fileserver/tasks/main.yml b/ansible/roles/fileserver/tasks/main.yml
index 129047e8..109258e0 100644
--- a/ansible/roles/fileserver/tasks/main.yml
+++ b/ansible/roles/fileserver/tasks/main.yml
@@ -32,6 +32,7 @@
 when: nfs_exports | length == 0
 - import_tasks: instantlinux.yml
+ when: instantlinux_legacy.enabled
 - import_tasks: samba.yml
 when: samba.enabled
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
index 8cbc3fda..d470fbd8 100644
--- a/ansible/roles/network/handlers/main.yml
+++ b/ansible/roles/network/handlers/main.yml
@@ -10,5 +10,5 @@
 - name: Restart sshd
 service:
- name: sshd
+ name: ssh
 state: restarted
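Review bot: The `Docker options` and `Systemd unit file for enabling /var/lib/docker/volumes monitoring` copy tasks inside the new `block:` still write `/etc/docker/daemon.json` and `/etc/systemd/system/docker-permissions.service` with no `mode`, `owner` or `group`, so the permissions of the daemon configuration and of a unit executed as root depend on the target's default umask; `mode: "0644"`, `owner: root`, `group: root` on both pins them. The `always:` section is the right home for the `policy-rc.d` removal and the unmask, since both must run even when the package install or template step fails mid-block. Style: `daemon_reload: yes`, `update_cache: yes` and the repeated `changed_when: False` are YAML 1.1 truthy spellings that yamllint and ansible-lint flag; `true`/`false` is the canonical form. The hunk opens in the middle of a preceding task (`state: link`) and its closing context belongs to the next one, so the task list's edges are outside it.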
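Review bot: `when: instantlinux_legacy.enabled` tests the raw variable, so a value supplied as the string `"false"` (via `-e` or a quoted inventory entry) is truthy and would still import the legacy tasks; `when: instantlinux_legacy.enabled | bool` guards that case and matches the boolean default `enabled: false` this commit adds in the role's defaults. The unchanged `when: samba.enabled` on the next line has the same exposure, though it is not part of this change.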
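Review bot: Switching the handler to `name: ssh` ties it to distributions whose OpenSSH unit is `ssh.service` (Debian/Ubuntu); on RHEL-family hosts the unit is still `sshd`, so the handler would fail there rather than restart the daemon. If the role only targets Debian-family hosts, a comment above the handler such as `# Debian/Ubuntu unit name; RHEL-family ships sshd.service` records the assumption; otherwise `name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"` keeps both working. The handler also keeps the short `service:` module name while the rest of this commit moves tasks to `ansible.builtin.*` FQCNs.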
diff --git a/ansible/roles/network/tasks/sshd.yml b/ansible/roles/network/tasks/sshd.yml
index 7f11bb21..3b33ed9d 100644
--- a/ansible/roles/network/tasks/sshd.yml
+++ b/ansible/roles/network/tasks/sshd.yml
@@ -1,23 +1,12 @@
 ---
 # Tighten security in sshd: lock out brute-force scanners seeking weak ciphers
-- name: Set ciphers in sshd_config
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "(?i)^Ciphers .*"
- line: Ciphers {{ sshd_opts.ciphers|join(',') }}
- notify: Restart sshd
-
-- name: Set macs in sshd_config
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "(?i)^MACs .*"
- line: MACs {{ sshd_opts.macs|join(',') }}
- notify: Restart sshd
-
-- name: Set kexalgorithms in sshd_config
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: "(?i)^KexAlgorithms .*"
- line: KexAlgorithms {{ sshd_opts.kexalgorithms|join(',') }}
+- name: Lock out brute-force scanners
+ ansible.builtin.copy:
+ content: |
+ # ansible managed
+ Ciphers {{ sshd_opts.ciphers|join(',') }}
+ MACs {{ sshd_opts.macs|join(',') }}
+ KexAlgorithms {{ sshd_opts.kexalgorithms|join(',') }}
+ dest: /etc/ssh/sshd_config.d/10_ciphers.conf
 notify: Restart sshd
diff --git a/ansible/roles/volumes/tasks/encrypted.yml b/ansible/roles/volumes/tasks/encrypted.yml
index e250d1cc..66075519 100644
--- a/ansible/roles/volumes/tasks/encrypted.yml
+++ b/ansible/roles/volumes/tasks/encrypted.yml
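Review bot: The new `ansible.builtin.copy` task installs the cipher/MAC/KEX policy as `/etc/ssh/sshd_config.d/10_ciphers.conf` without a `validate:`, so an algorithm name this host's OpenSSH does not recognise (or a typo in `sshd_opts`) is only detected when the `Restart sshd` handler runs and sshd refuses to start, cutting off remote management; `validate: /usr/sbin/sshd -t -f %s` rejects the drop-in before it is put in place. Add `mode: "0644"` too so the policy file's permissions do not depend on the target's umask. The drop-in is only honoured if the host's `/etc/ssh/sshd_config` carries an `Include /etc/ssh/sshd_config.d/*.conf` line that precedes any `Ciphers`/`MACs`/`KexAlgorithms` directive, because sshd keeps the first value it reads for each keyword; hosts previously provisioned by the removed `lineinfile` tasks still have those directives in the main file, and whether the new file wins depends on where the Include sits (Debian/Ubuntu put it at the top — verify for the images in use). A short comment stating the OpenSSH-with-Include assumption, or a follow-up `lineinfile` with `state: absent` for the legacy lines, would make the intent explicit.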
@@ -34,94 +34,97 @@
 state: mounted
 changed_when: False
-- name: LUKS format volumes
- shell: >
- cryptsetup isLuks /dev/{{ item.value.vg }}/{{ item.key }} ||
- cryptsetup luksFormat --batch-mode --verbose --key-file={{
- masterkey.path }}/keys/{{ ansible_hostname }}/{{
- item.key }} /dev/{{ item.value.vg }}/{{ item.key }}
- register: luks_format
- changed_when: ("Command successful" in luks_format.stdout)
- with_dict: "{{ luks_volumes }}"
-
-# Encountered bug in ansible crypttab module, lineinfile is good enough
-- name: Create crypttab
- copy:
- content: ""
- dest: /etc/crypttab.setup
- mode: 0644
- force: no
-
-- name: Crypt table entries
- lineinfile:
- line: "{{ 'luks-%-16s /dev/mapper/%s-%-16s %s/keys/%s/%-12s luks' % (
- item.key, item.value.vg, item.key, masterkey.path, ansible_hostname,
- item.key) }}"
- path: /etc/crypttab.setup
- regexp: "^luks-{{ item.key }}.*"
- with_dict: "{{ luks_volumes }}"
-
-# For unattended boot, we have a custom startup script, so we don't
-# leave /etc/crypttab in place (Ubuntu systemd will otherwise
-# insist on entering passphrase at reboot)
-
-- name: Temporary crypttab symlink
- file:
- path: /etc/crypttab
- src: crypttab.setup
- state: link
- force: True
- changed_when: False
-
-- name: LUKS start volumes
- command: cryptdisks_start luks-{{ item.key }}
- register: luks_start
- changed_when: ("(started)" in luks_start.stdout)
- with_dict: "{{ luks_volumes }}"
-
-- name: Create filesystem
- filesystem:
- dev: /dev/mapper/luks-{{ item.key }}
- fstype: "{{ item.value.type if 'type' in item.value else fs_type }}"
- opts: "{{ '-N %s000' % item.value.inodes if 'inodes' in item.value
- else '' }} -m 0"
- with_dict: "{{ luks_volumes }}"
-
-- name: Remove temporary crypttab symlink
- file:
- path: /etc/crypttab
- state: absent
- changed_when: False
-
-- name: crypt-setup boot script
- template:
- src: crypt-activate.sh.j2
- dest: /etc/crypt-activate.sh
- mode: 0755
-
-- name: Systemd unit file for crypt-vols
- copy:
- dest: /etc/systemd/system/crypt-vols.service
- src: crypt-vols.service
-
-- name: Add fstab entries
- mount:
- fstype: "{{ item.value.type if 'type' in item.value else fs_type }}"
- path: "{{ item.value.path }}"
- src: "/dev/mapper/luks-{{ item.key }}"
- opts: "{{ item.value.options if 'options' in item.value else '_netdev,noauto' }}"
- state: present
- with_dict: "{{ luks_volumes }}"
-
-- name: Enable crypt-vols
- systemd:
- name: crypt-vols
- enabled: yes
- state: restarted
- changed_when: False
-
-- name: Unmount master key
- mount:
- path: "{{ masterkey.path }}"
- state: unmounted
- changed_when: False
+- name: Encrypted volume preparation
+ block:
+ - name: LUKS format volumes
+ shell: >
+ cryptsetup isLuks /dev/{{ item.value.vg }}/{{ item.key }} ||
+ cryptsetup luksFormat --batch-mode --verbose --key-file={{
+ masterkey.path }}/keys/{{ ansible_hostname }}/{{
+ item.key }} /dev/{{ item.value.vg }}/{{ item.key }}
+ register: luks_format
+ changed_when: ("Command successful" in luks_format.stdout)
+ with_dict: "{{ luks_volumes }}"
+
+ # Encountered bug in ansible crypttab module, lineinfile is good enough
+ - name: Create crypttab
+ copy:
+ content: ""
+ dest: /etc/crypttab.setup
+ mode: 0644
+ force: no
+
+ - name: Crypt table entries
+ lineinfile:
+ line: "{{ 'luks-%-16s /dev/mapper/%s-%-16s %s/keys/%s/%-12s luks' % (
+ item.key, item.value.vg, item.key, masterkey.path, ansible_hostname,
+ item.key) }}"
+ path: /etc/crypttab.setup
+ regexp: "^luks-{{ item.key }}.*"
+ with_dict: "{{ luks_volumes }}"
+
+ # For unattended boot, we have a custom startup script, so we don't
+ # leave /etc/crypttab in place (Ubuntu systemd will otherwise
+ # insist on entering passphrase at reboot)
+
+ - name: Temporary crypttab symlink
+ file:
+ path: /etc/crypttab
+ src: crypttab.setup
+ state: link
+ force: True
+ changed_when: False
+
+ - name: LUKS start volumes
+ command: cryptdisks_start luks-{{ item.key }}
+ register: luks_start
+ changed_when: ("(started)" in luks_start.stdout)
+ with_dict: "{{ luks_volumes }}"
+
+ - name: Create filesystem
+ filesystem:
+ dev: /dev/mapper/luks-{{ item.key }}
+ fstype: "{{ item.value.type if 'type' in item.value else fs_type }}"
+ opts: "{{ '-N %s000' % item.value.inodes if 'inodes' in item.value
+ else '' }} -m 0"
+ with_dict: "{{ luks_volumes }}"
+
+ - name: Remove temporary crypttab symlink
+ file:
+ path: /etc/crypttab
+ state: absent
+ changed_when: False
+
+ - name: crypt-setup boot script
+ template:
+ src: crypt-activate.sh.j2
+ dest: /etc/crypt-activate.sh
+ mode: 0755
+
+ - name: Systemd unit file for crypt-vols
+ copy:
+ dest: /etc/systemd/system/crypt-vols.service
+ src: crypt-vols.service
+
+ - name: Add fstab entries
+ mount:
+ fstype: "{{ item.value.type if 'type' in item.value else fs_type }}"
+ path: "{{ item.value.path }}"
+ src: "/dev/mapper/luks-{{ item.key }}"
+ opts: "{{ item.value.options if 'options' in item.value else '_netdev,noauto' }}"
+ state: present
+ with_dict: "{{ luks_volumes }}"
+
+ - name: Enable crypt-vols
+ systemd:
+ name: crypt-vols
+ enabled: yes
+ state: restarted
+ changed_when: False
+
+ always:
+ - name: Unmount master key
+ mount:
+ path: "{{ masterkey.path }}"
+ state: unmounted
+ changed_when: False
diff --git a/k8s/helm/snappymail/Chart.yaml b/k8s/helm/snappymail/Chart.yaml
index c49308e6..abaee719 100644
--- a/k8s/helm/snappymail/Chart.yaml
+++ b/k8s/helm/snappymail/Chart.yaml
@@ -6,7 +6,7 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/the-djmaze/snappymail
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "v2.38.2"
 dependencies:
 - name: chartlib
diff --git a/k8s/helm/snappymail/values.yaml b/k8s/helm/snappymail/values.yaml
index 2b7117f2..1840c912 100644
--- a/k8s/helm/snappymail/values.yaml
+++ b/k8s/helm/snappymail/values.yaml
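Review bot: Only `Unmount master key` moved under `always:`; `Remove temporary crypttab symlink` is still an ordinary step in the block, so a failure in `LUKS start volumes` or `Create filesystem` leaves `/etc/crypttab` symlinked to `crypttab.setup` — exactly the state the comment in this hunk says must not survive a reboot on an unattended host. Moving that task into `always:` ahead of the unmount makes the cleanup symmetric with the key handling: `state: absent` is a no-op when the link was never created, and the block already overwrites any pre-existing `/etc/crypttab` with `force: True`, so success-path behaviour is unchanged apart from the link persisting until `Enable crypt-vols` has run — `crypt-activate.sh.j2` is not in this diff, so confirm the crypt-vols unit does not read `/etc/crypttab` when it starts. Separately, `force: no`, `force: True` and `enabled: yes` in the re-indented tasks are YAML 1.1 truthy spellings; `true`/`false` is the canonical form ansible-lint expects.
```yaml
- name: Encrypted volume preparation
  block:
    # … unchanged: LUKS format volumes … Enable crypt-vols, with the symlink-removal task taken out …
  always:
    - name: Remove temporary crypttab symlink
      file:
        path: /etc/crypttab
        state: absent
      changed_when: False

    # … unchanged: Unmount master key …
```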
@@ -4,10 +4,16 @@ deployment:
 env:
 debug: "false"
 log_to_stdout: "true"
- memory_limit: 128M
+ memory_limit: 256M
 upload_max_size: 25M
 containerPorts:
 - containerPort: 8888
+ resources:
+ limits:
+ memory: 512Mi
+ requests:
+ cpu: 50m
+ memory: 256Mi
 volumeMounts:
 - mountPath: /var/lib/snappymail/_data_
 name: share
diff --git a/k8s/helm/splunk/Chart.yaml b/k8s/helm/splunk/Chart.yaml
index 1aec0c91..01e0005b 100644
--- a/k8s/helm/splunk/Chart.yaml
+++ b/k8s/helm/splunk/Chart.yaml
@@ -15,8 +15,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://hub.docker.com/r/splunk/splunk
 type: application
-version: 0.1.16
-appVersion: "10.0.2"
+version: 0.1.17
+appVersion: "10.2.1"
 dependencies:
 - name: chartlib
 version: 0.1.8
diff --git a/k8s/helm/splunk/values.yaml b/k8s/helm/splunk/values.yaml
index b67357da..9fb56fc8 100644
--- a/k8s/helm/splunk/values.yaml
+++ b/k8s/helm/splunk/values.yaml
@@ -31,10 +31,10 @@ statefulset:
 service.splunk: allow
 resources:
 limits:
- memory: 4096Mi
+ memory: 8Gi
 requests:
 cpu: 200m
- memory: 384Mi
+ memory: 1Gi
 volumeMounts:
 - mountPath: /opt/splunk/etc
 name: splunk
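Review bot: In the snappymail values hunk, PHP `memory_limit: 256M` sits next to a pod `limits.memory` of `512Mi`; memory_limit applies per PHP worker, so two or three concurrent requests (an upload near `upload_max_size: 25M` being decoded, for instance) can push the container past its limit and get it OOM-killed before PHP's own limit ever fires. Either keep memory_limit well under the pod limit divided by the expected worker count, or record the sizing assumption with a comment such as `# memory_limit is per PHP worker; keep limits.memory >= workers * memory_limit`. The `requests.memory: 256Mi` value is reasonable as a floor, but note that the chart exposes no CPU limit, which is presumably intentional for a burstable webmail pod.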