diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index e0103243ade4cefb0b9f4675e24e64258b16f6b0..082cf3f686652d981eb9aaa8df963424250ec09e 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -222,6 +222,12 @@ admin_user = admin
 # used for signing
 secret_key = {{ vault_grafana_secret_key }}
 
+# current key provider used for envelope encryption, default to static value specified by secret_key
+;encryption_provider = secretKey
+
+# list of configured key providers, space separated (Enterprise only): e.g., awskms.v1 azurekv.v1
+;available_encryption_providers =
+
 # disable gravatar profile images
 ;disable_gravatar = false
 
@@ -243,7 +249,6 @@ cookie_samesite = strict
 # Set to true if you want to enable http strict transport security (HSTS) response header.
 # This is only sent when HTTPS is enabled in this configuration.
 # HSTS tells browsers that the site should only be accessed using HTTPS.
-# The default version will change to true in the next minor release, 6.3.
 strict_transport_security = true
 
 # Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
@@ -296,9 +301,11 @@ strict_transport_security_max_age_seconds = 86400
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;min_refresh_interval = 5s
 
-{% if grafana_anonymous_access %}
 # Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
+{% if grafana_anonymous_access %}
 default_home_dashboard_path = /var/lib/grafana/public-dashboards/home.json
+{% else %}
+;default_home_dashboard_path =
 {% endif %}
 
 #################################### Users ###############################
@@ -386,9 +393,7 @@ oauth_auto_login = true
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
-{% if grafana_anonymous_access %}
-enabled = true
-{% endif %}
+enabled = {% if grafana_anonymous_access %}true{% else %}false{% endif %}
 
 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.
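Review bot: The new `enabled =` line tests the raw truthiness of `grafana_anonymous_access`, as does the `{% if grafana_anonymous_access %}` around `default_home_dashboard_path` in the dashboards hunk. A string value such as `"false"` or `"no"` arriving from an INI inventory or `-e` extra vars would therefore render `enabled = true` and open anonymous access. Casting first removes that failure mode: `enabled = {{ grafana_anonymous_access | bool | lower }}`, with `{% if grafana_anonymous_access | bool %}` for the dashboard path. How the variable is defined is not visible in this diff, so it may already be a real boolean in the role defaults.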
@@ -397,7 +402,7 @@ enabled = true
 org_role = Viewer
 
 # mask the Grafana version number for unauthenticated users
-;hide_version = false
+hide_version = true
 
 #################################### GitHub Auth ##########################
 [auth.github]
@@ -507,6 +512,7 @@ role_attribute_strict = true
 ;tls_client_cert =
 ;tls_client_key =
 ;tls_client_ca =
+;use_pkce = false
 {% endif %}
 
 #################################### Basic Auth ##########################
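Review bot: The added `;use_pkce = false` only documents the upstream default, so the OAuth authorization-code flow configured in this block continues to run without PKCE. If the identity provider supports it, setting `use_pkce = true` explicitly is worth doing here, because it binds the authorization code to the client that started the login and limits the value of an intercepted code. The section header and the opening `{% if %}` lie outside the hunk, so which provider block this belongs to is inferred from the `role_attribute_strict` context.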
@@ -719,7 +725,7 @@ mode = syslog
 enabled = true
 
 # Comma-separated list of organization IDs for which to disable unified alerting. Only supported if unified alerting is enabled.
-;disabled_orgs = 
+;disabled_orgs =
 
 # Specify the frequency of polling for admin config changes.
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
@@ -940,14 +946,16 @@ enabled = false
 ;disable_sanitize_html = false
 
 [plugins]
-enable_alpha = true
+;enable_alpha = false
 ;app_tls_skip_verify_insecure = false
 # Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.
 ;allow_loading_unsigned_plugins =
-# Enable or disable installing plugins directly from within Grafana.
+# Enable or disable installing / uninstalling / updating plugins directly from within Grafana.
 ;plugin_admin_enabled = false
 ;plugin_admin_external_manage_enabled = false
 ;plugin_catalog_url = https://grafana.com/grafana/plugins/
+# Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.
+;plugin_catalog_hidden_plugins =
 
 #################################### Grafana Live ##########################################
 [live]
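Review bot: Replacing `enable_alpha = true` with the commented `;enable_alpha = false` leaves the effective value to whatever the installed Grafana build defaults to. The same holds for `;plugin_admin_enabled = false` and `;allow_loading_unsigned_plugins =` below it. Commented sample values are not enforced and can drift from the shipped defaults between releases, so for the plugin-loading controls I would pin the intended state: `enable_alpha = false` and `plugin_admin_enabled = false`. The rendered file then records the plugin attack surface that is actually in effect, not a copy of the upstream sample.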
@@ -1013,12 +1021,14 @@ enable_alpha = true
 # Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
 ;rendering_mode =
 
-# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
+# When rendering_mode = clustered, you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
 # and will cluster using browser instances.
 # Mode 'context' will cluster using incognito pages.
 ;rendering_clustering_mode =
-# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
+# When rendering_mode = clustered, you can define the maximum number of browser instances/incognito pages that can execute concurrently. Default is '5'.
 ;rendering_clustering_max_concurrency =
+# When rendering_mode = clustered, you can specify the duration a rendering request can take before it will time out. Default is `30` seconds.
+;rendering_clustering_timeout =
 
 # Limit the maximum viewport width, height and device scale factor that can be requested.
 ;rendering_viewport_max_width =
@@ -1061,3 +1071,16 @@ enable_alpha = true
 [expressions]
 # Enable or disable the expressions functionality.
 ;enabled = true
+
+[geomap]
+# Set the JSON configuration for the default basemap
+;default_baselayer_config = `{
+;  "type": "xyz",
+;  "config": {
+;    "attribution": "Open street map",
+;    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
+;  }
+;}`
+
+# Enable or disable loading other base map layers
+;enable_custom_baselayers = true
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index 111dbcba4032e065040c78fd3ad06fe29e4910e2..1a96ddd8bf02853c34392aa0f4048d522b8c1dd9 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -1,9 +1,9 @@
-#      $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -16,7 +16,6 @@
 #ListenAddress ::
 
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
@@ -59,7 +58,7 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
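Review bot: Swapping `ChallengeResponseAuthentication no` for `KbdInteractiveAuthentication no` is only equivalent on sshd builds where the old keyword is an alias of the new one (OpenSSH 8.7 and later, going by the upstream release notes). On older servers the two are separate options and, as far as I recall, an unset `ChallengeResponseAuthentication` defaults to yes and switches keyboard-interactive back on. Together with `UsePAM yes`, that would allow PAM password logins despite `PasswordAuthentication no`. If any managed host may run an older OpenSSH, keep both lines, or confirm the result on each host with `sshd -T | grep -i -E 'kbdinteractive|challengeresponse'`. The context comment `# Change to no to disable s/key passwords` is also stale and could read `# Disable keyboard-interactive authentication (includes PAM challenge-response)`.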
@@ -73,13 +72,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 {% if 'buildservers' in group_names %}
@@ -97,7 +96,6 @@ AllowTcpForwarding no
 PrintMotd no # pam does that
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0