diff --git a/group_vars/all/versions.yml b/group_vars/all/versions.yml
index 0339c77..ff87010 100644
--- a/group_vars/all/versions.yml
+++ b/group_vars/all/versions.yml
@@ -1,5 +1,4 @@
 ---
-
 elastic_elasticsearch_version: "7.16.1"
 elastic_elasticsearch_exporter_version: "v1.5.0"
 elastic_filebeat_version: "7.16.3"
@@ -13,16 +12,16 @@
 prom_grafana_version: "9.1.5"
 harbor_version: "v2.4.1"
-keycloak_version: "20.0.2.1"
+keycloak_version: "21.0.2.7"
-pgadmin4_version: "6.14"
+pgadmin4_version: "7.1"
-prom_alertmanager_version: "v0.24.0"
-prom_blackbox_exporter_version: "v0.22.0"
-prom_prometheus_version: "v2.38.0"
-prom_prom2teams_version: "3.2.3"
+prom_alertmanager_version: "v0.25.0"
+prom_blackbox_exporter_version: "v0.23.0"
+prom_prometheus_version: "v2.44.0"
+prom_prom2teams_version: "3.2.3" # TODO 4.2.1
-traefik_version: "v2.8.5"
+traefik_version: "v2.10.1"
 connect_version: "10.5"
 iam_version: "10.5"
diff --git a/group_vars/stage_demompmx/versions.yml b/group_vars/stage_demompmx/versions.yml
deleted file mode 100644
index f009dd2..0000000
--- a/group_vars/stage_demompmx/versions.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-keycloak_version: "21.0.2.7"
-
-pgadmin4_version: "7.1"
-
-prom_alertmanager_version: "v0.25.0"
-prom_blackbox_exporter_version: "v0.23.0"
-prom_prometheus_version: "v2.44.0"
-prom_prom2teams_version: "3.2.3" # TODO 4.2.1
-
-traefik_version: "v2.10.1"
-
-connect_version: "10.5"
-iam_version: "10.5"
diff --git a/roles/keycloak/tasks/_configure_realm.yml b/roles/keycloak/tasks/_configure_realm.yml
index 4a593e6..29ed075 100644
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@@ -13,11 +13,7 @@
 account_theme: "{{ keycloak_default_theme }}"
 admin_theme: "{{ keycloak_default_theme }}"
 login_theme: "{{ keycloak_default_theme }}"
- registration_allowed: no
- reset_password_allowed: yes
- login_with_email_allowed: no
- duplicate_emails_allowed: yes
- internationalization_enabled: yes
+ internationalization_enabled: true
 default_locale: "de"
 brute_force_protected: yes
 password_policy: "{{ current_realm_password_policy | default('forceExpiredPasswordChange(60) and passwordHistory(3) and length(8) and notUsername(undefined) and upperCase(2) and lowerCase(2) and specialChars(2) and digits(1)') }}"
diff --git a/roles/postgres/tasks/master-requirements.yml b/roles/postgres/tasks/master-requirements.yml
index 20f93b2..df5ed23 100644
--- a/roles/postgres/tasks/master-requirements.yml
+++ b/roles/postgres/tasks/master-requirements.yml
@@ -1,13 +1,12 @@
 ---
-- name: Check role exists
+- name: Check role exists # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql -Atc "SELECT count(rolname) FROM pg_roles where rolname=''replicator''"' # noqa command-instead-of-shell
 register: role_check
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create role if necessary
+- name: Create role if necessary # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: "/usr/bin/psql -c 'CREATE ROLE replicator WITH REPLICATION LOGIN;'"
@@ -15,7 +14,7 @@
 register: cmd_ret
 changed_when: cmd_ret.rc != 0
-- name: Change password with scram-sha-256! for replicator and set password
+- name: Change password with scram-sha-256! for replicator and set password # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: >-
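Review bot: Dropping `registration_allowed: no` and `duplicate_emails_allowed: yes` from the realm stanza removes the explicit statement of the realm's registration posture; presumably the module only sends the attributes it is given, so an existing realm keeps whatever it had and a fresh one gets Keycloak's defaults, but neither is visible in the code anymore. Self-registration off and duplicate emails disallowed are the security-relevant settings here (duplicate emails plus `reset_password_allowed` is a well-known account-takeover footgun), so I would keep them pinned: `registration_allowed: false` and `duplicate_emails_allowed: false`. While the stanza is being touched, `brute_force_protected: yes` should become `true` to match the new `internationalization_enabled: true` and yamllint's truthy rule. The enclosing task begins before this hunk.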
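Review bot: `# noqa no-changed-when` on "Check role exists" silences the linter but leaves the task reporting changed on every run, even though `SELECT count(rolname) ...` is read-only; the proper fix is `changed_when: false` on that task, which also makes the noqa unnecessary. Removing `ignore_errors` is the right call, since a psql failure previously left `role_check.stdout` empty and the comparison downstream silently misbehaved. Note that "Create role if necessary" creates `replicator` `WITH REPLICATION LOGIN` but no password, and the password is only set in a later task; creating the role `NOLOGIN` (or setting the password in the same `CREATE ROLE` statement) closes the small window in which a login-capable, passwordless replication role exists if the play aborts in between.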
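Review bot: The "Change password with scram-sha-256! for replicator" task gains a `# noqa` but no `no_log: true`; if the `>-` shell body, which continues past this hunk, interpolates the replicator password into the psql command, the full command line is printed in the play output (and in `-v` runs and any log shipper). Add `no_log: true` to that task. Separately, the context line `changed_when: cmd_ret.rc != 0` on "Create role if necessary" is inverted: a non-zero rc already fails the shell task, so a successful `CREATE ROLE` is always reported as ok; `changed_when: cmd_ret.rc == 0` reflects what actually happened.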
@@ -123,39 +122,34 @@
 wal_keep_size.changed or
 ansible_facts.services["postgresql.service"].state != "active"
-- name: Create extension pgcrypto for template1
+- name: Create extension pgcrypto for template1 # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql template1 -c "create extension if not exists pgcrypto;"'
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Check database replication_cron exists
+- name: Check database replication_cron exists # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''replication_cron''"'
 register: database_replication_check
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create replication_cron update database
+- name: Create replication_cron update database # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql -c "CREATE DATABASE replication_cron;"'
 when: database_replication_check.stdout == "0"
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create replication update schema
+- name: Create replication update schema # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql replication_cron -c "CREATE SCHEMA IF NOT EXISTS replication_cron;"'
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create replication update table
+- name: Create replication update table # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql replication_cron -c "CREATE TABLE IF NOT EXISTS replication_cron.replication_cron (dt timestamp);"'
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create dummy update data
+- name: Create dummy update data # noqa command-instead-of-shell
 become: true
 become_user: postgres
 ansible.builtin.shell: >-
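Review bot: The `# noqa no-changed-when` comments added to every task name here suppress a finding that is real: "Check database replication_cron exists" is a read-only `SELECT count(*)` and should declare `changed_when: false`, and the `create extension if not exists` / `CREATE SCHEMA IF NOT EXISTS` / `CREATE TABLE IF NOT EXISTS` tasks will report changed on every run because nothing tells Ansible otherwise. For the check task the fix is one line, `changed_when: false`; for the DDL tasks, if the `community.postgresql` collection is available, `postgresql_ext`, `postgresql_db` and `postgresql_schema` are idempotent and need neither shell quoting nor noqa. Removing `ignore_errors` is an improvement in its own right: a failed `CREATE DATABASE replication_cron` now stops the play instead of letting the following tasks run against a missing database.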
@@ -163,11 +157,9 @@
 "INSERT INTO replication_cron.replication_cron
 SELECT NOW()
 WHERE NOT EXISTS
- (SELECT 1
- FROM replication_cron.replication_cron)"
+ (SELECT 1 FROM replication_cron.replication_cron)"
 register: cmd_ret
 changed_when: cmd_ret.rc != 0
- ignore_errors: true # noqa command-instead-of-shell
 - name: Ensure a cron runs every 5 minutes and update replication check table"
 ansible.builtin.cron:
@@ -175,21 +167,19 @@
 minute: "*/5"
 job: su - postgres -c "/usr/bin/psql replication_cron -c \"UPDATE replication_cron.replication_cron SET dt=now();\""
-- name: Check replication slot exists
+- name: Check replication slot exists # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql -Atc "select count(*) from pg_replication_slots where slot_name=''pgstandby1''"'
 register: replication_slot_check
- ignore_errors: true # noqa ignore-errors no-changed-when
-- name: Create replication-slot
+- name: Create replication-slot # noqa no-changed-when
 become: true
 become_user: postgres
 ansible.builtin.shell: '/usr/bin/psql -Atc "SELECT pg_create_physical_replication_slot(''pgstandby1'');"'
 when: replication_slot_check.stdout == "0"
 register: cmd_ret
 changed_when: cmd_ret.rc != 0
- ignore_errors: true # noqa command-instead-of-shell
 # only needed in case of install from scratch
 - name: "Ensure test db stuff"
diff --git a/tasks/autodiscover_pre_tasks.yml b/tasks/autodiscover_pre_tasks.yml
index 4181d38..59a709b 100644
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
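Review bot: With `ignore_errors` removed from "Create dummy update data", the context line `changed_when: cmd_ret.rc != 0` can never be true on a task that survives, because a non-zero rc now fails the shell task; the insert is therefore always reported as ok, including the run that actually seeds the row. psql prints the command tag, so `changed_when: "'INSERT 0 1' in cmd_ret.stdout"` distinguishes a real insert from the `WHERE NOT EXISTS` no-op (`INSERT 0 0`). The `# noqa command-instead-of-shell` added on the task name is defensible for a folded `>-` string, but nothing in the command needs a shell, so `ansible.builtin.command` with the same folded argument would satisfy the linter without an exception. The task's `ansible.builtin.shell: >-` line is in the previous hunk.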
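Review bot: The cron entry shown as context, `job: su - postgres -c "/usr/bin/psql ... "`, is installed in root's crontab and reaches postgres only via `su`; `ansible.builtin.cron` takes `user: postgres`, which installs the entry in the postgres crontab with `job: /usr/bin/psql replication_cron -c "UPDATE replication_cron.replication_cron SET dt=now();"` and removes both the root-owned job and the nested quoting. The cron task starts in the previous hunk and its middle line falls between the two hunks, so if `user:` is already set there this point is moot. On "Create replication-slot", `changed_when: cmd_ret.rc != 0` is inverted for the same reason as the other create tasks (rc != 0 already fails the task); since the task is gated by `when: replication_slot_check.stdout == "0"`, `changed_when: true` is the honest value, and "Check replication slot exists" should carry `changed_when: false` instead of `# noqa no-changed-when`.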
@@ -132,7 +132,7 @@
 tags:
 - always
-- name: "Reading hetzner loadbalancer infos for stage <{{ stage }}/{{ stage_kube }}>"
+- name: "Reading hetzner loadbalancer infos for stage <{{ stage }}/{{ stage_kube }}>" # noqa var-naming
 set_fact:
 "stage_public_{{ item.name | replace(stage_kube + '-', '') | replace('-','_') }}_loadbalancer_ip": "{{ item.public_net.ipv4.ip }}"
 "stage_private_{{ item.name | replace(stage_kube + '-', '') | replace('-','_') }}_loadbalancer_ip": "{{ item.private_net[0].ip if item.private_net | length > 0 else 'Not Available' }}"
diff --git a/tasks/constraints_check.yml b/tasks/constraints_check.yml
index ea915db..bce730f 100644
--- a/tasks/constraints_check.yml
+++ b/tasks/constraints_check.yml
@@ -22,9 +22,19 @@
 tags:
 - always
+- name: "Read galaxy-requirements file"
+ ansible.builtin.command: "cat galaxy-requirements.yml"
+ register: galaxy_requirements_txt
+ changed_when: false
+ connection: local
+
+- name: "Parse galaxy-requirements file into variable"
+ set_fact:
+ galaxy_requirements_json: "{{ galaxy_requirements_txt.stdout | from_yaml }}"
+
 - name: "Reading all role versions and set versions as facts (galaxy-requirements)" # noqa var-naming
 set_fact:
- {"{{ item | replace('-','_') }}_current_version":"{{ lookup('file', 'galaxy-requirements.yml') | regex_search('- name:\\s+' + item + '\\s+src:\\s+.*?\\s+scm:\\s+git\\s+version:\\s+(.*)', '\\1') }}"}
+ {"{{ item | replace('-','_') }}_current_version":"{{ galaxy_requirements_json.roles | selectattr('name','equalto',item) | map(attribute='version') | first | default('version_not_available') }}"}
 loop: "{{ hetzner_ansible_roles }}"
 tags:
 - always
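Review bot: The two new tasks, "Read galaxy-requirements file" and "Parse galaxy-requirements file into variable", carry no `tags: - always` although the task before them and "Reading all role versions ..." right after them do; a run restricted with `--tags` therefore skips the read and parse steps while the tagged consumer still runs and dereferences the undefined `galaxy_requirements_json`, so the constraint check errors out instead of checking. Either add `tags: [always]` to both new tasks, or fold them into a single fact and avoid the per-host `cat` plus `connection: local` round trip: `galaxy_requirements_json: "{{ lookup('file', 'galaxy-requirements.yml') | from_yaml }}"`, which reads the file on the controller exactly as the replaced `lookup('file', ...)` did. Moving from regex scraping to `from_yaml` plus `selectattr` is the right direction (Ansible's `from_yaml` is a safe load), and `set_fact` should become `ansible.builtin.set_fact` to match the FQCN `ansible.builtin.command` introduced a few lines above.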
@@ -47,7 +57,7 @@
 - name: "Check role versions"
 assert:
 that:
- "'{{ lookup('vars', item | replace('-','_') + '_version') }}' in {{ lookup('vars', item | replace('-','_') + '_current_version') }}"
+ "'{{ lookup('vars', item | replace('-', '_') + '_version') }}' == '{{ lookup('vars', item | replace('-', '_') + '_current_version') }}'"
 msg: "The current {{ item }} version has to be {{ lookup('vars', item | replace('-','_') + '_current_version') }}"
 loop: "{{ hetzner_ansible_roles }}"
 tags:
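Review bot: The tightened `==` check still builds the assertion by templating both values into a quoted string (`'{{ ... }}' == '{{ ... }}'`), which ansible-lint flags as nested Jinja and which would produce a syntax error or a false comparison if a version string ever contained a quote. `that:` entries are already evaluated as Jinja expressions, so the plain form needs no braces: `- "lookup('vars', item | replace('-', '_') + '_version') == lookup('vars', item | replace('-', '_') + '_current_version')"`. With the `default('version_not_available')` introduced in the parse step, a role absent from galaxy-requirements.yml now fails here with "has to be version_not_available"; extending `msg` to say that the role entry was not found in galaxy-requirements.yml would make that failure self-explaining.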