diff --git a/manifests/controller.pp b/manifests/controller.pp
index 793eb00..e991dd1 100644
--- a/manifests/controller.pp
+++ b/manifests/controller.pp
@@ -2,7 +2,7 @@
 # This can be used to build out the simplest openstack controller
 #
 #
-# $export_resources - rather resources should be exported
+# $export_resources - Whether resources should be exported
 #
 # [public_interface] Public interface used to route public traffic. Required.
 # [public_address] Public address for public endpoints. Required.
@@ -43,6 +43,8 @@
 #   Each app is defined in two parts, the display name, and the URI
 # [horizon_app_links]     array as in '[ ["Nagios","http://nagios_addr:port/path"],["Ganglia","http://ganglia_addr"] ]'
 #
+# [enabled] Whether services should be enabled. This parameter can be used to
+#   implement services in active-passive modes for HA. Optional. Defaults to true.
 class openstack::controller(
   # my address
   $public_address,
@@ -84,6 +86,7 @@ class openstack::controller(
   $swift                   = false,
   $quantum                 = false,
   $horizon_app_links       = false,
+  $enabled                 = true
 ) {
 
   $glance_api_servers = "${internal_address}:9292"
@@ -116,21 +119,25 @@ class openstack::controller(
       # TODO I should make sure that this works
       # 'root_password' => $mysql_root_password,
       'bind_address'  => '0.0.0.0'
+    },
+    enabled => $enabled,
+  }
+  if ($enabled) {
+    # set up all openstack databases, users, grants
+    class { 'keystone::db::mysql':
+      password => $keystone_db_password,
+    }
+    Class['glance::db::mysql'] -> Class['glance::registry']
+    class { 'glance::db::mysql':
+      host     => '127.0.0.1',
+      password => $glance_db_password,
+    }
+    # TODO should I allow all hosts to connect?
+    class { 'nova::db::mysql':
+      password      => $nova_db_password,
+      host          => $internal_address,
+      allowed_hosts => '%',
     }
-  }
-  # set up all openstack databases, users, grants
-  class { 'keystone::db::mysql':
-    password => $keystone_db_password,
-  }
-  class { 'glance::db::mysql':
-    host     => '127.0.0.1',
-    password => $glance_db_password,
-  }
-  # TODO should I allow all hosts to connect?
-  class { 'nova::db::mysql':
-    password      => $nova_db_password,
-    host          => $internal_address,
-    allowed_hosts => '%',
   }
 
   ####### KEYSTONE ###########
@@ -144,36 +151,42 @@ class openstack::controller(
     log_verbose  => $verbose,
     log_debug    => $verbose,
     catalog_type => 'sql',
+    enabled      => $enabled,
   }
   # set up keystone database
   # set up the keystone config for mysql
   class { 'keystone::config::mysql':
     password => $keystone_db_password,
   }
-  # set up keystone admin users
-  class { 'keystone::roles::admin':
-    email    => $admin_email,
-    password => $admin_password,
-  }
-  # set up the keystone service and endpoint
-  class { 'keystone::endpoint':
-    public_address   => $public_address,
-    internal_address => $internal_address,
-    admin_address    => $admin_address,
-  }
-  # set up glance service,user,endpoint
-  class { 'glance::keystone::auth':
-    password         => $glance_user_password,
-    public_address   => $public_address,
-    internal_address => $internal_address,
-    admin_address    => $admin_address,
-  }
-  # set up nova serice,user,endpoint
-  class { 'nova::keystone::auth':
-    password         => $nova_user_password,
-    public_address   => $public_address,
-    internal_address => $internal_address,
-    admin_address    => $admin_address,
+  
+  if ($enabled) {
+    # set up keystone admin users
+    class { 'keystone::roles::admin':
+      email    => $admin_email,
+      password => $admin_password,
+    }
+    # set up the keystone service and endpoint
+    class { 'keystone::endpoint':
+      public_address   => $public_address,
+      internal_address => $internal_address,
+      admin_address    => $admin_address,
+    }
+    # set up glance service,user,endpoint
+    class { 'glance::keystone::auth':
+      password         => $glance_user_password,
+      public_address   => $public_address,
+      internal_address => $internal_address,
+      admin_address    => $admin_address,
+      before           => [Class['glance::api'], Class['glance::registry']]
+    }
+    # set up nova serice,user,endpoint
+    class { 'nova::keystone::auth':
+      password         => $nova_user_password,
+      public_address   => $public_address,
+      internal_address => $internal_address,
+      admin_address    => $admin_address,
+      before           => Class['nova::api'],
+    }
   }
 
   ######## END KEYSTONE ##########
@@ -190,7 +203,7 @@ class openstack::controller(
     keystone_tenant   => 'services',
     keystone_user     => 'glance',
     keystone_password => $glance_user_password,
-    require => Keystone_user_role["glance@services"],
+    enabled           => $enabled,
   }
   class { 'glance::backend::file': }
 
@@ -204,7 +217,7 @@ class openstack::controller(
     keystone_user     => 'glance',
     keystone_password => $glance_user_password,
     sql_connection    => "mysql://glance:${glance_db_password}@127.0.0.1/glance",
-    require           => [Class['Glance::Db::Mysql'], Keystone_user_role['glance@services']]
+    enabled           => $enabled,
   }
 
   ######## END GLANCE ###########
@@ -215,6 +228,7 @@ class openstack::controller(
   class { 'nova::rabbitmq':
     userid   => $rabbit_user,
     password => $rabbit_password,
+    enabled  => $enabled,
   }
 
   # TODO I may need to figure out if I need to set the connection information
@@ -231,7 +245,7 @@ class openstack::controller(
   }
 
   class { 'nova::api':
-    enabled           => true,
+    enabled           => $enabled,
     # TODO this should be the nova service credentials
     #admin_tenant_name => 'openstack',
     #admin_user        => 'admin',
@@ -239,7 +253,6 @@ class openstack::controller(
     admin_tenant_name => 'services',
     admin_user        => 'nova',
     admin_password    => $nova_user_password,
-    require => Keystone_user_role["nova@services"],
   }
 
   class { [
@@ -249,14 +262,24 @@ class openstack::controller(
     'nova::objectstore',
     'nova::vncproxy'
   ]:
-    enabled => true,
+    enabled => $enabled,
   }
 
   if $multi_host {
     nova_config { 'multi_host':   value => 'True'; }
     $enable_network_service = false
   } else {
-    $enable_network_service = true
+    if $enabled == true {
+      $enable_network_service = true
+    } else {
+      $enable_network_service = false
+    }
+  }
+
+  if $enabled {
+    $really_create_networks = $create_networks 
+  } else {
+    $really_create_networks = false
   }
 
   # set up networking
@@ -267,7 +290,7 @@ class openstack::controller(
     floating_range    => $floating_range,
     network_manager   => $network_manager,
     config_overrides  => $network_config,
-    create_networks   => $create_networks,
+    create_networks   => $really_create_networks,
     num_networks      => $num_networks,
     enabled           => $enable_network_service,
     install_service   => $enable_network_service,
@@ -279,6 +302,8 @@ class openstack::controller(
 
   ######## Horizon ########
 
+  # TOOO - what to do about HA for horizon?
+
   class { 'memcached':
     listen_ip => '127.0.0.1',
   }