diff --git a/roles/diagrams/defaults/main.yml b/roles/diagrams/defaults/main.yml
new file mode 100644
index 0000000..0f9d338
--- /dev/null
+++ b/roles/diagrams/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+
+# Veresion of diagrams to deploy
+diagrams_version: 13.8.8
+# URL of the WAR file to deploy
+diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war
+# Expected sha1 of the WAR file
+diagrams_war_sha1: 99bf8957ab3a4ea11a33387ccd824183007c3ddc
+# root directory of the installation
+diagrams_root_dir: /opt/diagrams
+# Should ansible manage upgrades, or just initial install ?
+diagrams_manage_upgrade: True
+# Port on which the tomcat instance will listen.
+# Note that it'll also use this port +1 for shutdown requests, but only on 127.0.0.1
+diagrams_port: 8182
+# List of IP addresses (or CIDR) allowed to access tomcat port
+diagrams_src_ip: []
diff --git a/roles/diagrams/handlers/main.yml b/roles/diagrams/handlers/main.yml
new file mode 100644
index 0000000..684b4b1
--- /dev/null
+++ b/roles/diagrams/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart diagrams
+ service: name=tomcat@diagrams state=restarted
diff --git a/roles/diagrams/meta/main.yml b/roles/diagrams/meta/main.yml
new file mode 100644
index 0000000..cd21505
--- /dev/null
+++ b/roles/diagrams/meta/main.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/roles/diagrams/tasks/archive_post.yml b/roles/diagrams/tasks/archive_post.yml
new file mode 100644
index 0000000..1443872
--- /dev/null
+++ b/roles/diagrams/tasks/archive_post.yml
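Review bot: The integrity pin for the downloaded WAR is a SHA-1 digest (`diagrams_war_sha1`, consumed by `checksum: sha1:{{ diagrams_war_sha1 }}` in tasks/install.yml), and SHA-1 no longer resists collisions, so it is a weak anchor for an artifact fetched from a release URL. `get_url` takes the algorithm as the prefix of the same field, so I would pin `diagrams_war_sha256: <sha256 of draw.war for this version>` here and use `checksum: sha256:{{ diagrams_war_sha256 }}` in the download task. As a style point, quoting the version (`diagrams_version: '13.8.8'`) keeps it a string even if a later release has a single dot, and the boolean reads better as lowercase `true`.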
@@ -0,0 +1,14 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ diagrams_root_dir }}/archives/{{ diagrams_current_version }}.tar.zst --use-compress-program=zstd ./
+ environment:
+ ZST_CLEVEL: 10
+ args:
+ chdir: "{{ diagrams_root_dir }}/archives/{{ diagrams_current_version }}"
+ warn: False
+ tags: diagrams
+
+- name: Remove the arachive directory
+ file: path={{ diagrams_root_dir }}/archives/{{ diagrams_current_version }} state=absent
+ tags: diagrams
diff --git a/roles/diagrams/tasks/archive_pre.yml b/roles/diagrams/tasks/archive_pre.yml
new file mode 100644
index 0000000..e627236
--- /dev/null
+++ b/roles/diagrams/tasks/archive_pre.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create the archive dir
+ file: path={{ diagrams_root_dir }}/archives/{{ diagrams_current_version }} state=directory
+ tags: diagrams
+
+- name: Copy the war archive
+ copy: src={{ diagrams_root_dir }}/tomcat/webapps/draw.war dest={{ diagrams_root_dir }}/archives/{{ diagrams_current_version }} remote_src=True
+ tags: diagrams
diff --git a/roles/diagrams/tasks/cleanup.yml b/roles/diagrams/tasks/cleanup.yml
new file mode 100644
index 0000000..6b73d1d
--- /dev/null
+++ b/roles/diagrams/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ diagrams_root_dir }}/tmp/draw.war"
+ tags: diagrams
diff --git a/roles/diagrams/tasks/conf.yml b/roles/diagrams/tasks/conf.yml
new file mode 100644
index 0000000..0f3b117
--- /dev/null
+++ b/roles/diagrams/tasks/conf.yml
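Review bot: The `environment:` key in "Compress previous version" is spelled `ZST_CLEVEL`, but zstd reads its default level from `ZSTD_CLEVEL`, so the archive is most likely written at the default level rather than 10; I would use `ZSTD_CLEVEL: "10"` (quoted, since environment values are strings). Both tasks in this file also build their path from `diagrams_current_version`, which tasks/facts.yml defaults to an empty string, so an `assert` that it is non-empty ahead of the `state=absent` task would keep the removal from ever resolving to `archives/` itself. `warn: False` on `command` has been deprecated in newer Ansible releases and is worth dropping.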
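Review bot: "Copy the war archive" reads from `{{ diagrams_root_dir }}/tomcat/webapps/draw.war`, but tasks/directories.yml creates `webapps` directly under the root directory and tasks/install.yml deploys to `{{ diagrams_root_dir }}/webapps/draw.war`, so on an upgrade this copy looks set to fail on a missing source and no rollback copy is kept. The source should be `src={{ diagrams_root_dir }}/webapps/draw.war`.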
@@ -0,0 +1,21 @@
+---
+
+- name: Deploy sysconfig
+ template: src=sysconfig.j2 dest=/etc/sysconfig/tomcat@diagrams
+ notify: restart diagrams
+ tags: diagrams
+
+- name: Deploy tomcat configuration
+ template: src={{ item }}.j2 dest={{ diagrams_root_dir }}/conf/{{ item }} group=tomcat mode=640
+ loop:
+ - server.xml
+ notify: restart diagrams
+ tags: diagrams
+
+- name: Link configuration files
+ file: state=link src=/etc/tomcat/{{ item }} dest={{ diagrams_root_dir }}/conf/{{ item }}
+ loop:
+ - web.xml
+ - logging.properties
+ notify: restart diagrams
+ tags: diagrams
diff --git a/roles/diagrams/tasks/directories.yml b/roles/diagrams/tasks/directories.yml
new file mode 100644
index 0000000..6d78392
--- /dev/null
+++ b/roles/diagrams/tasks/directories.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Create directories
+ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ diagrams_root_dir }}/"
+ group: tomcat
+ - dir: "{{ diagrams_root_dir }}/webapps"
+ group: tomcat
+ mode: 770
+ - dir: "{{ diagrams_root_dir }}/conf"
+ group: tomcat
+ - dir: "{{ diagrams_root_dir }}/conf/Catalina"
+ owner: tomcat
+ mode: 700
+ - dir: "{{ diagrams_root_dir }}/tmp"
+ group: tomcat
+ mode: 770
+ - dir: "{{ diagrams_root_dir }}/logs"
+ owner: tomcat
+ mode: 700
+ - dir: "{{ diagrams_root_dir }}/work"
+ owner: tomcat
+ mode: 700
+ - dir: "{{ diagrams_root_dir }}/meta"
+ mode: 700
+ - dir: "{{ diagrams_root_dir }}/archives"
+ mode: 700
+ tags: diagrams
+
+- name: Create symlinks
+ file: state=link src={{ item.src }} dest={{ item.dest }}
+ loop:
+ - src: /usr/share/tomcat/bin/
+ dest: "{{ diagrams_root_dir }}/bin"
+ - src: /usr/share/java/tomcat
+ dest: "{{ diagrams_root_dir }}/lib"
+ tags: diagrams
diff --git a/roles/diagrams/tasks/facts.yml b/roles/diagrams/tasks/facts.yml
new file mode 100644
index 0000000..12c2714
--- /dev/null
+++ b/roles/diagrams/tasks/facts.yml
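Review bot: The loop items in "Create directories" give permissions as bare YAML integers (`mode: 770`, `mode: 700`), which appear to produce the intended octal modes only because the task passes them through the `key=value` string form; moved to native YAML arguments they would be read as decimal. Quoting them with a leading zero (`mode: '0770'`, `mode: '0700'`) makes the intent independent of how the task is written. The root directory and `conf` entries set no mode at all, so their permissions depend on the umask of the run; an explicit mode on every entry would make the layout reproducible.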
@@ -0,0 +1,12 @@
+---
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ diagrams_root_dir }}"
+ - version: "{{ diagrams_version }}"
+ tags: diagrams
+
+- block:
+ - set_fact: diagrams_install_mode={{ (install_mode == 'upgrade' and not diagrams_manage_upgrade) | ternary('none',install_mode) }}
+ - set_fact: diagrams_current_version={{ current_version | default('') }}
+ tags: diagrams
diff --git a/roles/diagrams/tasks/install.yml b/roles/diagrams/tasks/install.yml
new file mode 100644
index 0000000..5bc7de8
--- /dev/null
+++ b/roles/diagrams/tasks/install.yml
@@ -0,0 +1,14 @@
+---
+
+- when: diagrams_install_mode != 'none'
+ block:
+ - name: Download diagrams WAR
+ get_url:
+ url: "{{ diagrams_war_url }}"
+ dest: "{{ diagrams_root_dir }}/tmp/draw.war"
+ checksum: sha1:{{ diagrams_war_sha1 }}
+
+ - name: Move WAR to the webapp dir
+ copy: src={{ diagrams_root_dir }}/tmp/draw.war dest={{ diagrams_root_dir }}/webapps/draw.war remote_src=True
+
+ tags: diagrams
diff --git a/roles/diagrams/tasks/iptables.yml b/roles/diagrams/tasks/iptables.yml
new file mode 100644
index 0000000..a4c6924
--- /dev/null
+++ b/roles/diagrams/tasks/iptables.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Handle diagrams port in the firewall
+ iptables_raw:
+ name: diagrams_port
+ state: "{{ (diagrams_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ diagrams_port }} -s {{ diagrams_src_ip | join(',') }} -j ACCEPT"
+ tags: firewall,diagrams
+
diff --git a/roles/diagrams/tasks/main.yml b/roles/diagrams/tasks/main.yml
new file mode 100644
index 0000000..c74213c
--- /dev/null
+++ b/roles/diagrams/tasks/main.yml
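Review bot: `vars:` on the `import_tasks` line is written as a list of one-key mappings (`- root_dir: …`, `- version: …`), a form Ansible deprecates in favour of a plain mapping. I would write it as `vars:` followed by `root_dir: "{{ diagrams_root_dir }}"` and `version: "{{ diagrams_version }}"` without the leading dashes. The two `set_fact` tasks in the block have no `name:`, so a short one on each (for example `name: Set the install mode`) would make run output and failures easier to attribute.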
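Review bot: The entries of `diagrams_src_ip` are joined straight into the raw rule text after `-s`, so a malformed entry or one containing whitespace changes the rule instead of being rejected. Validating the list before it is rendered, for instance `-s {{ diagrams_src_ip | ipaddr | join(',') }}` or an `assert` task ahead of this one, keeps only well-formed addresses and CIDRs; the `state` expression should then test the same filtered list. It is also worth a comment that an empty list removes the rule, so reachability of the port then depends entirely on the host's default INPUT policy.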
@@ -0,0 +1,23 @@
+---
+
+- name: Install tomcat
+ yum:
+ name:
+ - tomcat
+ tags: diagrams
+
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: diagrams_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: selinux.yml
+ when: ansible_selinux.status == 'enabled'
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+ when: diagrams_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/diagrams/tasks/selinux.yml b/roles/diagrams/tasks/selinux.yml
new file mode 100644
index 0000000..691db5c
--- /dev/null
+++ b/roles/diagrams/tasks/selinux.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Allow tomcat to bind on diagrams' port
+ seport: ports={{ diagrams_port }},{{ diagrams_port + 1 }} proto=tcp setype=http_port_t state=present
+ tags: diagrams
+
+- name: Set SELinux context
+ sefcontext:
+ target: "{{ item.target }}"
+ setype: "{{ item.type }}"
+ state: present
+ loop:
+ - target: "{{ diagrams_root_dir }}/webapps(/.*)?"
+ type: tomcat_var_lib_t
+ - target: "{{ diagrams_root_dir }}/(work|tmp)(/.*)?"
+ type: tomcat_cache_t
+ - target: "{{ diagrams_root_dir }}/logs(/.*)?"
+ type: tomcat_log_t
+ register: diagrams_sefcontext
+ tags: diagrams
+
+- name: Restore file contexts
+ command: restorecon -R {{ diagrams_root_dir }}
+ when: diagrams_sefcontext.results | selectattr('changed','equalto',True) | list | length > 0
+ tags: diagrams
diff --git a/roles/diagrams/tasks/services.yml b/roles/diagrams/tasks/services.yml
new file mode 100644
index 0000000..98bf198
--- /dev/null
+++ b/roles/diagrams/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: start and enable diagrams
+ service: name=tomcat@diagrams state=started enabled=True
+ tags: diagrams
diff --git a/roles/diagrams/tasks/write_version.yml b/roles/diagrams/tasks/write_version.yml
new file mode 100644
index 0000000..06669f1
--- /dev/null
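Review bot: Every sub-file is pulled in with bare `include:`, which Ansible has deprecated in favour of `import_tasks:` and `include_tasks:`. `import_tasks:` is the closer replacement here, because the `tags: diagrams` set inside each file and the `when:` conditions on these lines are then applied statically to the inner tasks, e.g. `- import_tasks: directories.yml`. A one-line comment above the list noting that facts.yml must run before the `diagrams_install_mode` conditions would also document the ordering the role relies on.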
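Review bot: `{{ diagrams_port + 1 }}` in the `seport` task assumes `diagrams_port` is an integer; when the value is overridden from the command line or an INI inventory it arrives as a string and the addition fails. Casting first, `ports={{ diagrams_port }},{{ diagrams_port | int + 1 }}`, removes that dependency on how the variable was supplied. A comment on the task saying that the second port is the Tomcat shutdown port mentioned in defaults/main.yml would explain why two ports receive `http_port_t`.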
+++ b/roles/diagrams/tasks/write_version.yml @@ -0,0 +1,5 @@ +--- + +- name: Write installed version + copy: content={{ diagrams_version }} dest={{ diagrams_root_dir }}/meta/ansible_version + tags: diagrams diff --git a/roles/diagrams/templates/server.xml.j2 b/roles/diagrams/templates/server.xml.j2 new file mode 100644 index 0000000..af5c60f --- /dev/null +++ b/roles/diagrams/templates/server.xml.j2 @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + diff --git a/roles/diagrams/templates/sysconfig.j2 b/roles/diagrams/templates/sysconfig.j2 new file mode 100644 index 0000000..5a15e03 --- /dev/null +++ b/roles/diagrams/templates/sysconfig.j2 @@ -0,0 +1,3 @@ +CATALINA_BASE="{{ diagrams_root_dir }}" +CATALINA_HOME="{{ diagrams_root_dir }}" +CATALINA_TMPDIR="{{ diagrams_root_dir }}/tmp" diff --git a/roles/funkwhale/defaults/main.yml b/roles/funkwhale/defaults/main.yml index 3be4e2f..36febe4 100644 --- a/roles/funkwhale/defaults/main.yml +++ b/roles/funkwhale/defaults/main.yml @@ -1,12 +1,12 @@ --- -funkwhale_version: 1.0 +funkwhale_version: 1.0.1 funkwhale_id: 1 #funkwhale_archive_url: https://dev.funkwhale.audio/funkwhale/funkwhale/-/archive/{{ funkwhale_version }}/funkwhale-{{ funkwhale_version }}.tar.gz funkwhale_base_url: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_version }}/download funkwhale_archive_sha1: - api: 9b97d4f5e6f2891fdbb9f51ca7fd066ec50d090d - front: bc07a1626949725356431d95fa2cabb180e6cce0 + api: 4de71ffeaa0d34e45f8b835e0133374340446c93 + front: 60ec82d807f9b14f3ea8738551714710eb42c006 funkwhale_root_dir: /opt/funkwhale_{{ funkwhale_id }} # Should ansible manage upgrades of funkwhale, or only initial install diff --git a/roles/funkwhale/tasks/archive_pre.yml b/roles/funkwhale/tasks/archive_pre.yml index f168efd..e9cb3fe 100644 --- a/roles/funkwhale/tasks/archive_pre.yml +++ b/roles/funkwhale/tasks/archive_pre.yml 
@@ -19,7 +19,7 @@ - name: Archive a database dump command: > - /usr/pgsql-12/bin/pg_dump + /usr/pgsql-13/bin/pg_dump --clean --host={{ funkwhale_db_server }} --port={{ funkwhale_db_port }} diff --git a/roles/funkwhale/templates/pre-backup.sh.j2 b/roles/funkwhale/templates/pre-backup.sh.j2 index 9c0a546..8d383e6 100644 --- a/roles/funkwhale/templates/pre-backup.sh.j2 +++ b/roles/funkwhale/templates/pre-backup.sh.j2 @@ -1,6 +1,6 @@ #!/bin/bash -e -PGPASSWORD='{{ funkwhale_db_pass }}' /usr/pgsql-12/bin/pg_dump \ +PGPASSWORD='{{ funkwhale_db_pass }}' /usr/pgsql-13/bin/pg_dump \ --clean \ --username={{ funkwhale_db_user }} \ --host={{ funkwhale_db_server }} \
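Review bot: The PostgreSQL major version is hard-coded in the client path (`/usr/pgsql-13/bin/pg_dump`) in this task and again in templates/pre-backup.sh.j2, so each server upgrade needs the same edit in two files and the two can drift apart. A single role default, for example `funkwhale_pg_dump: /usr/pgsql-13/bin/pg_dump` (name is a suggestion), referenced from both places would keep the upgrade archive and the backup script on the same client. The task continues beyond the end of this hunk.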
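Review bot: `PGPASSWORD='{{ funkwhale_db_pass }}'` on the changed line places the templated password between literal single quotes, so a password containing `'` ends the string early and the remainder is interpreted by the shell. Rendering it through the `quote` filter, `PGPASSWORD={{ funkwhale_db_pass | quote }} /usr/pgsql-13/bin/pg_dump \`, avoids that, and the `--username` and `--host` values below would benefit from the same treatment. Because the rendered script embeds the credential, the task that installs it (not part of this diff) should set an owner and mode that keep it unreadable to other users. The command continues past the end of the hunk.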