diff --git a/README.md b/README.md index 6e85d17..009a16a 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :) -## Global variables +## Global tags -- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example) +- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this. +- **global.uninstall**: activate the uninstall phase for specified tags and targets ## Authors & contributors diff --git a/handbook.yml b/handbook.yml index c245d0d..5e2468f 100644 --- a/handbook.yml +++ b/handbook.yml @@ -9,8 +9,8 @@ - { role: hardening-basic, tags: [hardening, ips, ids] } - { role: iptables-basic, tags: [firewall, ips, ids] } - - { role: fail2ban-basic, tags: [fail2ban, ips, ids] } - - { role: auditd, tags: [auditd] } + - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] } + - { role: auditd, tags: [hardening, auditd] } - { role: iptables-webserver, tags: [firewall, webserver] } - { role: iptables-kdeconnect, tags: [firewall] } diff --git a/roles/auditd/meta/main.yml b/roles/auditd/meta/main.yml index c572acc..f4841c8 100644 --- a/roles/auditd/meta/main.yml +++ b/roles/auditd/meta/main.yml @@ -39,7 +39,9 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - hardening + - auditd # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. 
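Review bot: In the handbook.yml hunk the `hardening` tag is added to fail2ban-basic and auditd but not to iptables-basic, which keeps `[firewall, ips, ids]`, so a run limited to `--tags hardening` now installs fail2ban and auditd without the firewall role whose rules fail2ban's ban actions typically depend on. If that split is intended, a one-line comment above the role list naming which tags make up the hardening set would make it explicit; if not, `- { role: iptables-basic, tags: [hardening, firewall, ips, ids] }` keeps the three roles together.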
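Review bot: The three galaxy-init comment lines kept under the new `galaxy_tags` list in roles/auditd/meta/main.yml, ending with "remove the '[]' above, if you add tags to this list", are stale now that this commit removes the `[]`. Drop them, or reduce them to a single `# Keywords used to find and categorise this role.` above the list. The same leftover boilerplate remains in the dns-filter, fail2ban-basic, pi-hole and yggdrasil meta/main.yml hunks.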
diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml index 7dbe918..f018420 100644 --- a/roles/auditd/tasks/main.yml +++ b/roles/auditd/tasks/main.yml @@ -2,7 +2,9 @@ # tasks file for auditd - name: Install and setup rules Auditd if enabled - when: 'auditd_enabled is true' + when: + - 'auditd_enabled is true' + - "'global.update_only' not in ansible_run_tags" block: - name: Install auditd ansible.builtin.package: diff --git a/roles/dns-filter/meta/main.yml b/roles/dns-filter/meta/main.yml index c572acc..67f6665 100644 --- a/roles/dns-filter/meta/main.yml +++ b/roles/dns-filter/meta/main.yml @@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - dns_filter # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/dns-filter/tasks/main.yml b/roles/dns-filter/tasks/main.yml index 64a0146..e719188 100644 --- a/roles/dns-filter/tasks/main.yml +++ b/roles/dns-filter/tasks/main.yml @@ -5,7 +5,5 @@ when: - "dns_filter_enabled is true" - "dns_filter_selected in dns_filter_list" - block: - - name: Call DNS filter role - ansible.builtin.include_role: - name: "{{ dns_filter_selected }}" + ansible.builtin.include_role: + name: "{{ dns_filter_selected }}" diff --git a/roles/fail2ban-basic/meta/main.yml b/roles/fail2ban-basic/meta/main.yml index c572acc..21baad9 100644 --- a/roles/fail2ban-basic/meta/main.yml +++ b/roles/fail2ban-basic/meta/main.yml @@ -39,7 +39,11 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - hardening + - fail2ban + - ips + - ids # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. 
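Review bot: The new `'global.update_only' not in ansible_run_tags` condition in roles/auditd/tasks/main.yml only has an effect when `global.update_only` is passed together with a tag that selects this role (for example `--tags auditd,global.update_only`); passed on its own, Ansible's tag filter skips the block before the `when` is evaluated, so nothing runs at all. Within this hunk the role only skips its install block under the tag — no update-phase task is visible, so the README's "each role needs to implement this" may still be open for auditd (the block continues past the hunk). A comment above the `when:` such as `# global.update_only must be combined with a tag selecting this role; here it only skips install/setup` would make the contract explicit. The same applies to the fail2ban-basic, pi-hole and yggdrasil tasks hunks.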
diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml index 9211aee..8a0961a 100644 --- a/roles/fail2ban-basic/tasks/main.yml +++ b/roles/fail2ban-basic/tasks/main.yml @@ -2,7 +2,9 @@ # tasks file for fail2ban-basic # - name: Fail2ban Configuration - when: fail2ban_enabled is true + when: + - fail2ban_enabled is true + - "'global.update_only' not in ansible_run_tags" block: - name: Install Fail2ban ansible.builtin.package: diff --git a/roles/pi-hole/README.md b/roles/pi-hole/README.md index 882e47a..3aaef0a 100644 --- a/roles/pi-hole/README.md +++ b/roles/pi-hole/README.md @@ -11,19 +11,25 @@ Requirements Role Variables -------------- -- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database -- **pihole_update_gravity** (boolean): If true the dns database will be updated - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!** +- **pihole_install_custom_list**: If present will install custom list into the pi-hole database + +Role Tags +-------------- + +- **global.update_only**: `pihole -up` +- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`) Dependencies ------------ -. +- curl +- sqlite3 required by `pihole.install_custom_list` Example Playbook ---------------- -`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"` +`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter` License ------- diff --git a/roles/pi-hole/meta/main.yml b/roles/pi-hole/meta/main.yml index c572acc..67f6665 100644 --- a/roles/pi-hole/meta/main.yml +++ b/roles/pi-hole/meta/main.yml 
@@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - dns_filter # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml index 749b527..58e2a59 100644 --- a/roles/pi-hole/tasks/main.yml +++ b/roles/pi-hole/tasks/main.yml @@ -2,6 +2,7 @@ # tasks file for pi-hole - name: Pi-Hole setup + when: "'global.update_only' not in ansible_run_tags" block: - name: Populate service facts ansible.builtin.service_facts: @@ -17,28 +18,6 @@ ansible.builtin.debug: msg: "curl -sSL https://install.pi-hole.net | bash" - - name: Check if can install custom list - when: 'pihole_install_custom_list is true' - block: - - name: Check if pi-hole db exists - stat: - path: /etc/pihole/gravity.db - register: pihole_db - - - name: Install sqlite3 package - ansible.builtin.package: - name: sqlite3 - - - name: Install more lists than default - when: pihole_db.stat.exists - ansible.builtin.shell: - cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');" - loop: "{{ pihole_custom_list }}" - - - name: Update Gravity - when: 'pihole_update_gravity is true' - ansible.builtin.shell: pihole updateGravity - - name: iptables-webserver ansible.builtin.include_role: name: iptables-webserver 
@@ -55,3 +34,31 @@ - name: iptables-persistent ansible.builtin.include_role: name: iptables-persistent + +- name: Update pihole FTL + when: "'global.update_only' in ansible_run_tags" + ansible.builtin.shell: pihole -up + +- block: + - name: Check if pi-hole db exists + stat: + path: /etc/pihole/gravity.db + register: pihole_db + + - name: Install sqlite3 package + ansible.builtin.package: + name: sqlite3 + + - name: Install more lists than default + when: pihole_db.stat.exists + ansible.builtin.shell: + cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');" + loop: "{{ pihole_custom_list }}" + when: "pihole_install_custom_list is true" + +- name: Update Gravity + ansible.builtin.shell: pihole updateGravity + when: " + (pihole_install_custom_list is true) or + ('pihole.update_gravity' in ansible_run_tags) + " diff --git a/roles/wakeonlan/README.md b/roles/wakeonlan/README.md index 8505d1e..cf167db 100644 --- a/roles/wakeonlan/README.md +++ b/roles/wakeonlan/README.md @@ -1,7 +1,7 @@ wakeonlan ========= -This role install/ uninstall Wake on LAN support for target +This role install Wake on LAN support for target Requirements ------------ diff --git a/roles/yggdrasil/README.md b/roles/yggdrasil/README.md index 49d5b0e..b79dc26 100644 --- a/roles/yggdrasil/README.md +++ b/roles/yggdrasil/README.md 
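Review bot: The "Install more lists than default" task in roles/pi-hole/tasks/main.yml interpolates each entry of `pihole_custom_list` unescaped into both a shell command line and a SQL string literal, so an entry containing a single quote, a double quote or shell metacharacters either breaks the statement or changes what the shell and sqlite3 execute; the list comes from inventory or extra-vars and should be treated as untrusted input. Run it through `ansible.builtin.command` with `argv` so no shell parses the statement and escape single quotes for SQL with `replace("'", "''")`; `pihole -up` and `pihole updateGravity` use no shell features either and can become `ansible.builtin.command`. The unnamed `- block:` should get a `name:`, and the README's Dependencies line refers to `pihole.install_custom_list` as if it were a tag while the condition here is the variable `pihole_install_custom_list is true` — one of the two should be corrected. The INSERT also runs again on every play, so re-applying the role duplicates adlist rows (the README admits old lists are not cleaned); a `changed_when`/pre-check against existing rows would make it idempotent.
```yaml
- name: Install custom adlists
  block:
    # … unchanged: stat gravity.db into pihole_db, install sqlite3 package …
    - name: Install more lists than default
      when: pihole_db.stat.exists
      ansible.builtin.command:
        argv:
          - sqlite3
          - /etc/pihole/gravity.db
          - "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item | replace(\"'\", \"''\") }}', 1, '');"
      loop: "{{ pihole_custom_list }}"
  when: "pihole_install_custom_list is true"
```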
@@ -12,13 +12,16 @@ Role Variables -------------- Respond to: -- **update_only** (boolean) - - **yggdrasil_enabled** (boolean): If true install yggdrasil - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil -- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*) - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration +Role Tags +-------------- + +- **global.update_only**: If present will update only the peers +- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*) + Dependencies ------------ diff --git a/roles/yggdrasil/defaults/main.yml b/roles/yggdrasil/defaults/main.yml index 433c8a8..bdacbcb 100644 --- a/roles/yggdrasil/defaults/main.yml +++ b/roles/yggdrasil/defaults/main.yml @@ -3,5 +3,4 @@ yggdrasil_enabled: false yggdrasil_sshd_enabled: false -yggdrasil_uninstall: false yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf diff --git a/roles/yggdrasil/meta/main.yml b/roles/yggdrasil/meta/main.yml index c572acc..b5bcf01 100644 --- a/roles/yggdrasil/meta/main.yml +++ b/roles/yggdrasil/meta/main.yml @@ -39,7 +39,8 @@ galaxy_info: # - 7 # - 99.99 - galaxy_tags: [] + galaxy_tags: + - yggdrasil # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. diff --git a/roles/yggdrasil/tasks/main.yml b/roles/yggdrasil/tasks/main.yml index e7dea70..81e46d7 100644 --- a/roles/yggdrasil/tasks/main.yml +++ b/roles/yggdrasil/tasks/main.yml 
@@ -1,7 +1,7 @@ - name: Install and configure yggdrasil when: - "yggdrasil_enabled is true" - - "update_only is false" + - "'global.update_only' not in ansible_run_tags" block: - name: Gather package facts package_facts: @@ -64,8 +64,8 @@ - name: Remove yggdrasil if not enabled when: - "yggdrasil_enabled is false" - - "yggdrasil_uninstall is true" - - "update_only is false" + - "'global.uninstall' in ansible_run_tags" + - "'global.update_only' not in ansible_run_tags" block: - name: Gather package facts package_facts:
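Review bot: The uninstall condition in the second hunk of roles/yggdrasil/tasks/main.yml now keys on `'global.uninstall' in ansible_run_tags`, and `yggdrasil_uninstall` is dropped from defaults/main.yml in this commit, so an inventory or extra-var that still sets `yggdrasil_uninstall: true` is silently ignored instead of rejected. Consider a guard task before the block, e.g. `- ansible.builtin.fail:` with `msg: "yggdrasil_uninstall was replaced by the global.uninstall tag"` and `when: yggdrasil_uninstall is defined`, so the migration is visible to operators. As with the auditd hunk, both tags only take effect when combined with a tag that selects this role (for example `--tags yggdrasil,global.uninstall`); a comment above each `when:` stating that would help.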