diff --git a/tasks/backups.yml b/tasks/backups.yml index 8ca7ca6..b6207b8 100644 --- a/tasks/backups.yml +++ b/tasks/backups.yml @@ -183,7 +183,7 @@ - pdns - wg_vpn - name: Restore non-service tarball backups - when: vars[item ~ '_backup_path'] is defined }}" + when: vars[item ~ '_backup_path'] is defined ansible.builtin.unarchive: src: "{{ vars[item ~ '_backup_path'] }}" dest: / diff --git a/tasks/dnsdist.yml b/tasks/dnsdist.yml index 221a60c..28ad009 100644 --- a/tasks/dnsdist.yml +++ b/tasks/dnsdist.yml @@ -4,5 +4,8 @@ src: dnsdist/dnsdist.conf.j2 dest: /etc/dnsdist/dnsdist.conf backup: yes + owner: dnsdist + group: dnsdist + mode: u=rw,g=r,o= when: 'public_dns == "yes"' notify: Restart dnsdist diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index 507fdff..c8e489d 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml @@ -3,6 +3,9 @@ ansible.builtin.copy: src: "fail2ban/{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item }}" + owner: root + group: root + mode: u=rw,go=r loop: - postfixadmin.conf notify: Restart fail2ban diff --git a/tasks/gather_wireguard_config_sections.yml b/tasks/gather_wireguard_config_sections.yml index b72d28a..4e21d2c 100644 --- a/tasks/gather_wireguard_config_sections.yml +++ b/tasks/gather_wireguard_config_sections.yml @@ -1,6 +1,6 @@ --- - name: Set server config - when: '{{ "[Interface]" == wireguard_config_line }}' + when: wireguard_config_line == "[Interface]" ansible.builtin.set_fact: current_wireguard_section: server - name: Set server private key @@ -8,7 +8,7 @@ ansible.builtin.set_fact: wg_server_private_key: "{{ wireguard_config_line | split(' ') | last }}" - name: Set client config - when: '{{ "[Peer]" == wireguard_config_line }}' + when: wireguard_config_line == "[Peer]" ansible.builtin.set_fact: current_wireguard_section: client wg_client_count: "{{ wg_client_count | default(0) | int + 1 }}" 
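Review bot: Making `/etc/dnsdist/dnsdist.conf` owned and writable by the `dnsdist` user (the added `owner: dnsdist` together with `mode: u=rw,g=r,o=`) lets the service account rewrite its own configuration, including any console or webserver credentials the template carries, which is more than the daemon needs at runtime. Since dnsdist only has to read the file, keep it root-owned and give the group read access: `owner: root`, `group: dnsdist`, `mode: u=rw,g=r,o=`. The `backup: yes` copy is a sibling file created by the module; it presumably inherits the same mode bits, but it is worth confirming on a target that it is not world-readable. While here, `backup: true` avoids the YAML 1.1 boolean ambiguity that `yes` carries.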
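Review bot: The `Set server private key` task, whose `set_fact` line is the first context line of this hunk (its `name` and `when` lines are outside it), stores the WireGuard server private key in `wg_server_private_key` without `no_log`, so the key shows up in verbose task output and in any callback or log that records task results; the same applies to the PSK facts assembled later in this file. Add `no_log: true` to that task and to the later `wg_clients` builder so the secret material stays out of the play output. The rewritten `when: wireguard_config_line == "[Peer]"` is correct; note that `wg_client_count` is produced by a Jinja expression inside `set_fact`, which yields a string unless `jinja2_native` is enabled, so any later numeric comparison on it should cast with `| int`.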
@@ -29,10 +29,10 @@ ansible.builtin.set_fact: wg_server: '{{ wg_server | default({}) | combine({"privatekey": wg_server_private_key}) }}' - name: Set wireguard config client section - when: '{{ "[Peer]" == wireguard_config_line }}' + when: wireguard_config_line == "[Peer]" ansible.builtin.set_fact: last_wg_client: '{{ wg_client_count | default(0) }}' - name: Set wireguard config client section when: current_wireguard_section == 'client' and (wg_client_count < last_wg_client or ansible_loop.last) and wg_client_name is defined and wg_client_owner is defined and wg_client_psk is defined ansible.builtin.set_fact: - wg_clients: '{{ wg_clients | default([]) + {"name": wg_client_name, "owner": wg_client_owner, "psk": wg_server_psk} }}' + wg_clients: '{{ wg_clients | default([]) + [{"name": wg_client_name, "owner": wg_client_owner, "psk": wg_server_psk}] }}' diff --git a/tasks/horde.yml b/tasks/horde.yml index 75505a1..ceadee8 100644 --- a/tasks/horde.yml +++ b/tasks/horde.yml @@ -81,6 +81,7 @@ dest: /tmp remote_src: yes - name: Install themes - shell: 'echo -e "/usr/share/horde\nroot\nroot\n755\n644\nYes\n"|./install.sh' + ansible.builtin.shell: 'set -o pipefail && echo -e "/usr/share/horde\nroot\nroot\n755\n644\nYes\n"|./install.sh' args: chdir: /tmp/combined-1.0.0 + executable: /usr/bin/bash diff --git a/tasks/httpd.yml b/tasks/httpd.yml index c581aa0..b7c9e5c 100644 --- a/tasks/httpd.yml +++ b/tasks/httpd.yml @@ -14,7 +14,7 @@ - http - https - name: Set up SELinux rules - when: "{{ getenforce.stdout != 'Disabled' }}" + when: getenforce.stdout != 'Disabled' block: - name: Set SELinux booleans seboolean: 
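Review bot: The guard on the last task checks `wg_client_psk is defined`, but the record appended to `wg_clients` stores `"psk": wg_server_psk`, so the variable that is validated is not the one that is recorded; if the per-client PSK is what belongs in the list, the added line should read `"psk": wg_client_psk`, and if `wg_server_psk` is intentional the guard should check that name instead. The list-wrapping fix itself is right; concatenating a dict onto a list was the bug. Separately, `wg_client_count < last_wg_client` compares two values produced by `set_fact` Jinja expressions, which are strings unless `jinja2_native` is on, so the comparison is lexicographic (`"10" < "9"`); casting both with `| int` in the `when` makes it numeric. This task also carries PSKs into a fact and would benefit from `no_log: true`.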
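Review bot: `./install.sh` is executed from `/tmp/combined-1.0.0`, a directory under world-writable `/tmp` that the preceding unarchive fills with `remote_src: yes`; a local user who pre-creates or races that path can plant an `install.sh` that this task then runs with whatever privileges the play has (root if `become` is set). Extract and run from a root-owned location instead, e.g. a directory created with `ansible.builtin.tempfile` (mode 0700) or a fixed path under `/usr/local/src`, and point `chdir` there. The `set -o pipefail` plus `executable: /usr/bin/bash` additions are appropriate since `echo -e` is bash-specific, but the task still has no `creates`/`changed_when`, so the installer reruns on every play. The unarchive task that produces the directory starts outside this hunk.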
@@ -27,11 +27,14 @@ - httpd_read_user_content - httpd_mod_auth_pam - name: Generate SELinux policy - shell: | + ansible.builtin.shell: | + set -o pipefail && sepolicy generate --init /usr/sbin/httpd echo 'dovecot_read_config(httpd_t)' >> httpd.te ./httpd.sh ausearch -m AVC -ts recent | audit2allow -R + args: + executable: /usr/bin/bash - name: Render web config templates tags: - dyndns diff --git a/tasks/mariadb.yml b/tasks/mariadb.yml index 053e35b..f9ecbb0 100644 --- a/tasks/mariadb.yml +++ b/tasks/mariadb.yml @@ -34,7 +34,7 @@ state: stopped - name: Start MariaDB in safe mode when: reset == "yes" or forgotten_mariadb_root_password - shell: "mysqld_safe --skip-grant-tables --skip-networking &" + ansible.builtin.shell: "mysqld_safe --skip-grant-tables --skip-networking &" - name: "Generate MariaDB root password reset SQL" when: reset == "yes" or forgotten_mariadb_root_password ansible.builtin.template: diff --git a/tasks/os.yml b/tasks/os.yml index 7440d7d..8ea61aa 100644 --- a/tasks/os.yml +++ b/tasks/os.yml @@ -1,6 +1,6 @@ --- - name: Check SELinux status - shell: getenforce + ansible.builtin.shell: getenforce register: getenforce tags: always - name: "Set hostname to {{ mailserver_hostname }}.{{ mailserver_domain }}" # noqa name[template] we need to be informative, even if we deviate from the standards diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml index 8f69f43..18f8f4a 100644 --- a/tasks/wireguard.yml +++ b/tasks/wireguard.yml 
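Review bot: `set -o pipefail &&` on the first line of the block only chains into `sepolicy generate …`; with no `-e`, a failure of `sepolicy generate`, the `echo` or `./httpd.sh` does not fail the task, because a multi-line shell script returns the status of its last pipeline (`ausearch | audit2allow -R`). Put `set -euo pipefail` on its own line and drop the trailing `&&` so every step is checked. Nothing sets `chdir`, so `httpd.te`, `httpd.sh` and the rest of the generated policy land in the SSH user's working directory, and `audit2allow -R` only prints suggested rules without installing them; whether that is intended is not visible here. The task has no `creates`/`changed_when`, so the policy is regenerated and `./httpd.sh` rerun on every play.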
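Review bot: `mysqld_safe --skip-grant-tables --skip-networking &` leaves the server attached to the task's stdout/stderr pipes, so Ansible may block waiting for EOF until the server exits; if that is what happens in practice, run the task with `async: 60` / `poll: 0` (or redirect output and `nohup` it) and follow it with `ansible.builtin.wait_for` on the socket before the reset SQL is applied. While `--skip-grant-tables` is in effect, every local client that can reach the socket has unauthenticated root access; `--skip-networking` narrows that to local users but does not remove it, so make sure the later tasks always stop this instance (e.g. an `always:` section in a block) so a failed reset does not leave a grant-less server running. The FQCN rename itself is fine.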
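Review bot: `getenforce` uses no shell features, so `ansible.builtin.command: getenforce` is the safer module (ansible-lint `command-instead-of-shell`), and as a read-only probe the task should carry `changed_when: false` so each run is not reported as a change. The `getenforce.stdout` comparisons in httpd.yml assume the command succeeded; if hosts without SELinux tooling are in scope, consider `failed_when: false` with a default in the consumers — that is an inference from the register usage, not something this hunk shows. Alternatively `ansible_selinux.status` from gathered facts gives the same answer without a task.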
@@ -169,7 +169,9 @@ loop: "{{ wg_configs.keys() }}" when: item != "server" - name: Generate QR codes - shell: "cat {{ user_home[wg_configs[item]['owner']] }}/public_html/.vpn/{{ item }}/wg0.conf | qrencode -o {{ user_home[wg_configs[item]['owner']] }}/public_html/.vpn/{{ item }}/wg0.png" + ansible.builtin.shell: "set -o pipefail && cat {{ user_home[wg_configs[item]['owner']] }}/public_html/.vpn/{{ item }}/wg0.conf | qrencode -o {{ user_home[wg_configs[item]['owner']] }}/public_html/.vpn/{{ item }}/wg0.png" + args: + executable: /usr/bin/bash loop: "{{ wg_configs.keys() }}" when: item != "server" - name: Allow access to QR codes
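Review bot: The templated paths in the rewritten `shell` line are interpolated unquoted into the command, so a config name from `wg_configs.keys()` or a home directory containing a space or shell metacharacter breaks the command or injects into it; pass them through `| quote`. The pipe, and with it the `pipefail`/bash requirement, can be dropped entirely because qrencode reads its input from a file: `ansible.builtin.command: qrencode -r {{ conf_path | quote }} -o {{ png_path | quote }}`, with `creates:` set to the PNG so the code is not regenerated on every run. Both `wg0.conf` and the PNG carry the client's private key and are written under `public_html/.vpn/…`; whether that directory is served is decided by the httpd config rather than this hunk, but the following `Allow access to QR codes` task suggests it is, so the access control there matters.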