diff --git a/CHANGELOG.md b/CHANGELOG.md
index d58532af..33998f64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,28 @@ The **patch** part changes incrementally at each release.
 ### Security
 
+## [10.2.0] 2020-09-17
+
+### Added
+
+* evoacme: remount /usr if necessary
+* evolinux-base: swappiness is customizable
+* evolinux-base: install wget
+* tomcat: root directory owner/group are configurable
+
+### Changed
+
+* Change default public SSH/SFTP port from 2222 to 22222
+
+### Fixed
+
+* certbot: an empty change shouldn't raise an exception
+* certbot: fix "no-self-upgrade" option
+
+### Removed
+
+* evoacme: remove Debian 9 support
+
 ## [10.1.0] 2020-08-21
 
 ### Added
 
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml
index f1b0c52c..17ac35db 100644
--- a/amazon-ec2/defaults/main.yml
+++ b/amazon-ec2/defaults/main.yml
@@ -122,6 +122,10 @@ ec2_evolinux_security_group:
       from_port: 2222
       to_port: 2222
       cidr_ip: 0.0.0.0/0
+    - proto: tcp
+      from_port: 22222
+      to_port: 22222
+      cidr_ip: 0.0.0.0/0
     - proto: tcp
       from_port: 2223
       to_port: 2223
diff --git a/certbot/files/cron_jessie b/certbot/files/cron_jessie
index 0ed929fc..7e9966af 100644
--- a/certbot/files/cron_jessie
+++ b/certbot/files/cron_jessie
@@ -8,4 +8,4 @@ SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew
diff --git a/certbot/files/hooks/z-commit-etc.sh b/certbot/files/hooks/z-commit-etc.sh
index e543b4ad..c83a4039 100644
--- a/certbot/files/hooks/z-commit-etc.sh
+++ b/certbot/files/hooks/z-commit-etc.sh
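Review bot: The new 22222 ingress rule is added next to the existing 2222 rule rather than replacing it, so `ec2_evolinux_security_group` now exposes both SSH/SFTP ports to `0.0.0.0/0` even though the changelog describes a port change, not an addition. If 2222 is deliberately kept for migration, a comment above the old rule such as `# legacy SSH/SFTP port, remove once every host listens on 22222` records that intent; otherwise the 2222 entry should be dropped in the same commit. Only `cidr_ip` (IPv4) is set on the new rule; whether an IPv6 counterpart is expected depends on the rest of the rule list, which starts outside the hunk.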
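Review bot: `--no-self-upgrade` is, as far as I know, the certbot-auto spelling of this option, and the line only checks that `/usr/local/bin/certbot` is executable, not that it is certbot-auto; if that path is ever replaced by the packaged certbot, every renewal attempt would fail under `-q` with nothing but a cron mail to show for it. A comment in the crontab making the dependency explicit would help, e.g. `# /usr/local/bin/certbot must be certbot-auto (Jessie); packaged certbot does not accept --no-self-upgrade`.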
@@ -22,7 +22,7 @@ main() {
       message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
       ${git_bin} commit --message "${message}" --quiet
     else
-      error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+      debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
     fi
   fi
 }
diff --git a/evoacme/meta/main.yml b/evoacme/meta/main.yml
index 77d83e2b..ea0c5551 100644
--- a/evoacme/meta/main.yml
+++ b/evoacme/meta/main.yml
@@ -11,8 +11,8 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - jessie
         - stretch
+        - buster
 
 dependencies: []
   # List your role dependencies here, one per line.
diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml
index c7481ba0..bd8cc055 100644
--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@@ -1,9 +1,11 @@
 ---
 
-- fail:
-    msg: only compatible with Debian >= 8
-  when:
-    - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
+- name: Verify Debian version
+  assert:
+    that:
+      - ansible_distribution == "Debian"
+      - ansible_distribution_major_version is version('9', '>=')
+    msg: only compatible with Debian >= 9
 
 - include: certbot.yml
 
diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml
index 77e7b75a..50d95890 100644
--- a/evoacme/tasks/scripts.yml
+++ b/evoacme/tasks/scripts.yml
@@ -1,4 +1,8 @@
 ---
+
+- include_role:
+    name: evolix/remount-usr
+
 - name: Create CSR dir
   file:
     path: "{{ evoacme_csr_dir }}"
@@ -36,5 +40,5 @@
     path: "/usr/local/bin/{{ item }}"
     state: absent
   with_items:
-  - 'make-csr'
-  - 'evoacme'
+    - 'make-csr'
+    - 'evoacme'
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 2a85ecc5..98ff43ef 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
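Review bot: Downgrading the "nothing has changed" message from `error` to `debug` removes it from normal output entirely, so a deploy hook that fires for a renewal which left nothing to commit in /etc will go unnoticed unless debug logging is on. The changelog only asks that this case stop raising an exception, so a non-fatal but visible level would keep the signal: if the hook library has one, `warning "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"`, otherwise a comment above the line stating why this path is considered benign. `main()` begins before this hunk, so the definitions of `error`/`debug` and whether `error` exits non-zero are not visible here.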
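Review bot: The new assert requires Debian >= 9 and meta/main.yml drops `jessie` in this same commit, yet the CHANGELOG entry reads "remove Debian 9 support"; judging from `version('9', '>=')` and the added `buster`, the entry should say Debian 8 (jessie). A one-line comment above the task, `# Debian 8 (jessie) is no longer supported by this role`, would make the intent self-evident. Note that `ansible_distribution_major_version` is only meaningful when facts are gathered; if the role can be called with `gather_facts: false` the assert will fail on an undefined variable rather than with its `msg`.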
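Review bot: The new `include_role` for `evolix/remount-usr` has no `name:` and no condition, so it runs unconditionally and shows up in play output without a label; if the role remounts /usr read-write (inferred from the changelog, the role itself is not shown) nothing in this file appears to remount it read-only after the scripts are installed. A comment stating the expectation, e.g. `# /usr may be mounted read-only; remount-usr makes it writable for the scripts copied below`, plus a `name: Remount /usr if needed` label on the task, would make the dependency explicit for whoever reads the play log.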
@@ -50,7 +50,8 @@ evolinux_kernel_include: True
 evolinux_kernel_reboot_after_panic: True
 evolinux_kernel_disable_tcp_timestamps: True
-evolinux_kernel_reduce_swapiness: True
+evolinux_kernel_customize_swappiness: True
+evolinux_kernel_swappiness: 20
 evolinux_kernel_cve20165696: True
 
 # fstab
diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml
index 9dc66c42..95912855 100644
--- a/evolinux-base/tasks/kernel.yml
+++ b/evolinux-base/tasks/kernel.yml
@@ -32,14 +32,14 @@
     reload: yes
   when: evolinux_kernel_disable_tcp_timestamps
 
-- name: Reduce the swapiness
+- name: Customize the swappiness
   sysctl:
     name: vm.swappiness
-    value: 20
+    value: "{{ evolinux_kernel_swappiness }}"
     sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
     state: present
     reload: yes
-  when: evolinux_kernel_reduce_swapiness
+  when: evolinux_kernel_customize_swappiness
 
 - name: Patch for TCP stack vulnerability CVE-2016-5696
   sysctl:
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml
index bbacfa98..ed2b1cd2 100644
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@@ -30,6 +30,7 @@
       - tcpdump
       - mtr-tiny
       - curl
+      - wget
       - telnet
       - traceroute
       - man
diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2
index 088e85d4..7e097e4f 100644
--- a/fail2ban/templates/jail.local.j2
+++ b/fail2ban/templates/jail.local.j2
@@ -28,7 +28,7 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
 action = %(action_mwl)s
 
 [sshd]
-port = ssh,2222
+port = ssh,2222,22222
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 maxretry = 10
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index f5719e3c..5489b06a 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
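Review bot: Renaming `evolinux_kernel_reduce_swapiness` to `evolinux_kernel_customize_swappiness` silently drops the old knob: an inventory that sets `evolinux_kernel_reduce_swapiness: False` now gets swappiness rewritten anyway, because the old name is no longer read anywhere. A backward-compatible default keeps existing hosts' behaviour and can be removed in a later major: `evolinux_kernel_customize_swappiness: "{{ evolinux_kernel_reduce_swapiness | default(True) }}"`, with a `# deprecated name kept for compatibility` comment above it. The `True` literals are YAML 1.1 booleans; `true` is the canonical spelling (yamllint `truthy`).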
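Review bot: `evolinux_kernel_swappiness` is passed to `sysctl` unchecked, so a non-integer or out-of-range inventory value only surfaces as a sysctl error at apply time, after the value has been written to `evolinux_kernel_sysctl_path`. An assert ahead of the task fails early with a clear message: `- assert:` / `    that: evolinux_kernel_swappiness | int >= 0 and evolinux_kernel_swappiness | int <= 100` / `  when: evolinux_kernel_customize_swappiness` (0–100 is the range accepted by the kernels Debian 9/10 ship; newer kernels allow more). `reload: yes` would read as `reload: true` for consistency with yamllint's truthy rule, though that predates this change.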
@@ -19,7 +19,7 @@ minifirewall_privilegied_ips: []
 minifirewall_protected_ports_tcp: [22]
 minifirewall_protected_ports_udp: []
 
-minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
+minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]
 minifirewall_public_ports_udp: [53]
 minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
 minifirewall_semipublic_ports_udp: []
diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf
index 8f535230..7285822a 100644
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@@ -29,7 +29,7 @@ SERVICESTCP1p='22'
 SERVICESUDP1p=''
 
 # Public services (IPv4/IPv6)
-SERVICESTCP1='25 53 443 993 995 2222'
+SERVICESTCP1='25 53 443 993 995 22222'
 SERVICESUDP1='53'
 
 # Semi-public services (IPv4)
diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml
index f955cd39..80edecd2 100644
--- a/proftpd/defaults/main.yml
+++ b/proftpd/defaults/main.yml
@@ -9,6 +9,6 @@ proftpd_ftps_port: 990
 proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
 proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
 proftpd_sftp_enable: False
-proftpd_sftp_port: 2222
+proftpd_sftp_port: 22222
 proftpd_accounts: []
 proftpd_accounts_final: []
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index e555e2cd..03302455 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@@ -1,2 +1,5 @@
 ---
 tomcat_instance_root: '/srv/tomcat'
+
+tomcat_root_dir_owner: root
+tomcat_root_dir_group: root
diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml
index 1d26f176..900dffd0 100644
--- a/tomcat/tasks/packages.yml
+++ b/tomcat/tasks/packages.yml
@@ -33,8 +33,8 @@
   file:
     path: "{{ tomcat_instance_root }}"
     state: directory
-    owner: 'root'
-    group: 'root'
+    owner: "{{ tomcat_root_dir_owner | default('root') }}"
+    group: "{{ tomcat_root_dir_group | default('root') }}"
     mode: "0755"
 
 - name: Copy systemd unit
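Review bot: Replacing 2222 with 22222 in `minifirewall_public_ports_tcp` (and in `SERVICESTCP1` of minifirewall.conf below) closes the old port outright, whereas the EC2 security group and the fail2ban jail in this same commit keep both; a host whose sshd or proftpd still listens on 2222 loses remote access the next time the role is applied unless it is reached from a privileged IP or pins the variable in inventory. Keeping both ports in the default during the transition, `minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222, 22222]`, or an explicit upgrade note saying the default must be overridden before the role is re-run, would avoid the lockout. A comment above the line saying what 22222 is for (non-standard SSH/SFTP port) would also help readers who do not have the changelog at hand.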
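Review bot: The `| default('root')` filters on the new `owner`/`group` lines are redundant with `tomcat/defaults/main.yml`, which defines both variables in this commit, and they hide a misspelled inventory override by silently falling back to root instead of failing on an undefined variable. Using the variables directly, `owner: "{{ tomcat_root_dir_owner }}"` and `group: "{{ tomcat_root_dir_group }}"`, is enough. Since `{{ tomcat_instance_root }}` keeps `mode: "0755"`, an owner other than root gains write access to the directory that holds every instance (it can rename or remove instance trees); a comment on the new variables in the defaults file warning about that consequence would be worth adding.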