diff --git a/roles/ipsilon/handlers/main.yml b/roles/ipsilon/handlers/main.yml index c52037cae3..7f857ab06a 100644 --- a/roles/ipsilon/handlers/main.yml +++ b/roles/ipsilon/handlers/main.yml @@ -1,5 +1,13 @@ --- - name: Restart sssd - service: + ansible.builtin.service: name: sssd state: restarted + +- name: Install Fedora-specific code + ansible.builtin.command: + cmd: ./install.sh + chdir: /opt/ipsilon-fedora + changed_when: true + notify: + - Restart apache diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 9653931a9c..5e7bfe5938 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -31,24 +31,15 @@ - packages - name: Download Fedora-specific code - git: + ansible.builtin.git: repo: https://pagure.io/fedora-infra/ipsilon-fedora dest: /opt/ipsilon-fedora version: "{{ env }}" force: yes - register: git_update tags: - ipsilon - -- name: Install Fedora-specific code if it changed - ansible.builtin.command: - cmd: ./install.sh - chdir: /opt/ipsilon-fedora - when: git_update is changed notify: - - Restart apache - tags: - - ipsilon + - Install Fedora-specific code - name: Install Fedora-specific code on initial run ansible.builtin.command: @@ -60,12 +51,14 @@ tags: - ipsilon -- include_role: +- name: Include ipa/client role + ansible.builtin.include_role: name: ipa/client - name: Get admin ticket - ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin + ansible.builtin.shell: set -o pipefail && echo "{{ ipa_admin_password }}" | kinit admin check_mode: no + changed_when: true no_log: true tags: - ipsilon @@ -87,10 +80,12 @@ - name: Destroy admin ticket ansible.builtin.command: kdestroy -A + changed_when: true tags: - ipsilon -- import_tasks: patches.yml +- name: Import patches.yml tasks + ansible.builtin.import_tasks: patches.yml tags: - ipsilon - patches 
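Review bot: In the roles/ipsilon/handlers/main.yml hunk, running `./install.sh` as a handler means it executes only at the next handler flush, so a failure in any later task of the play drops the notification. The checkout in /opt/ipsilon-fedora is then already updated, the next run reports the git task as unchanged, and the new code is never installed; the removed inline task ran right after the download and had no such gap. Consider a named `ansible.builtin.meta: flush_handlers` task directly after the download task, or enabling force_handlers for the play. `Restart apache` is not defined in this handlers file, so it presumably comes from a shared handlers file; confirm it is in scope wherever the role is used.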
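Review bot: In the `@@ -31,24 +31,15 @@` hunk of roles/ipsilon/tasks/main.yml, the `Download Fedora-specific code` task follows the branch named by `{{ env }}` and now triggers `./install.sh` from that checkout, with nothing verifying what was fetched. Anyone able to push to that branch controls what the script does on the host (the privilege level is not visible in the hunk). Pinning `version:` to a reviewed commit hash, or adding `verify_commit: true` with a key allow-list, would put a check between the fetch and the execution. Separately, `force: yes` should be `force: true` to match the truthy style this cleanup applies elsewhere.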
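Review bot: In the `@@ -60,12 +51,14 @@` hunk, `Get admin ticket` still templates `{{ ipa_admin_password }}` into a shell command line, so a password containing `"`, `$` or a backtick is interpreted by the shell, and the rendered string is the argument of the spawned `sh -c` process. `no_log: true` only keeps it out of Ansible's own output. The pipeline, and the `set -o pipefail` added for it, can be dropped by feeding the secret on standard input: use `ansible.builtin.command` with `cmd: kinit admin` and `stdin: "{{ ipa_admin_password }}"`. That also removes the dependence on `/bin/sh` being a shell that accepts `set -o pipefail`.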
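Review bot: In the `@@ -87,10 +80,12 @@` hunk, `Destroy admin ticket` is an ordinary task, so it is skipped whenever one of the tasks between `Get admin ticket` and it fails, and the admin credential stays in the cache on the host. Those tasks lie outside the hunk, so this is inferred from the layout rather than seen. Wrapping the kinit and the work that needs the ticket in a `block:` and moving `kdestroy -A` into its `always:` section would guarantee the cleanup. With that in place `changed_when: true` on the kdestroy task is fine as it stands.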
@@ -134,7 +129,7 @@ - name: Copy ipsilon OIDC client config ansible.builtin.copy: - src: "{{ private }}/files/ipsilon/openidc.{{env}}.static" + src: "{{ private }}/files/ipsilon/openidc.{{ env }}.static" dest: /etc/ipsilon/root/openidc.static.cfg owner: ipsilon group: ipsilon @@ -149,7 +144,7 @@ - name: Template ipsilon OIDC client config ansible.builtin.template: - src: "openidc.{{env}}.static.j2" + src: "openidc.{{ env }}.static.j2" dest: /etc/ipsilon/root/openidc.static.cfg owner: ipsilon group: ipsilon @@ -166,6 +161,7 @@ ansible.builtin.template: src: "httpd.conf.j2" dest: /etc/ipsilon/root/idp.conf + mode: "0644" tags: - ipsilon - config @@ -233,7 +229,7 @@ - ipsilon - name: Set sebooleans so ipsilon can talk to the db - seboolean: + ansible.posix.seboolean: name: httpd_can_network_connect_db state: true persistent: true @@ -241,7 +237,7 @@ - ipsilon - name: Set sebooleans so ipsilon can talk to IPA for the openid extension - seboolean: + ansible.posix.seboolean: name: httpd_can_network_connect state: true persistent: true @@ -249,7 +245,7 @@ - ipsilon - name: Set sebooleans so ipsilon can talk to sssd - seboolean: + ansible.posix.seboolean: name: httpd_dbus_sssd state: true persistent: true @@ -257,7 +253,7 @@ - ipsilon - name: Set sebooleans so ipsilon can use python-pam - seboolean: + ansible.posix.seboolean: name: "{{ item }}" state: true persistent: true diff --git a/roles/ipsilon/tasks/patches.yml b/roles/ipsilon/tasks/patches.yml index d28a40a327..561b974aba 100644 --- a/roles/ipsilon/tasks/patches.yml +++ b/roles/ipsilon/tasks/patches.yml @@ -1,6 +1,6 @@ --- - name: Install patch and filterdiff - dnf: + ansible.builtin.dnf: name: - patch - patchutils 
@@ -9,17 +9,21 @@ ansible.builtin.file: path: /opt/ipsilon-patches state: directory + mode: "0755" - name: Download patches - ansible.builtin.copy: > - src=/srv/web/infra/bigfiles/hotfixes/ipsilon/{{ item }} dest=/opt/ipsilon-patches/{{item}}.patch - owner=root group=root mode=0644 + ansible.builtin.copy: + src: /srv/web/infra/bigfiles/hotfixes/ipsilon/{{ item }} + dest: /opt/ipsilon-patches/{{ item }}.patch + owner: root + group: root + mode: "0644" loop: "{{ ipsilon_patches }}" - name: Apply patches ansible.builtin.shell: chdir: "{{ ansible_facts['python3']['sitelib'] }}" - cmd: filterdiff --include '?/ipsilon/*' /opt/ipsilon-patches/{{item}}.patch | patch -p1 --forward --fuzz=0 --reject-file=- --batch + cmd: filterdiff --include '?/ipsilon/*' /opt/ipsilon-patches/{{ item }}.patch | patch -p1 --forward --fuzz=0 --reject-file=- --batch loop: "{{ ipsilon_patches }}" register: result ignore_errors: true
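Review bot: The `Apply patches` pipeline in roles/ipsilon/tasks/patches.yml has no `set -o pipefail`, unlike the kinit task this commit fixed. A missing or unreadable patch file makes `filterdiff` fail while `patch` reads empty input, and what `result` records is the exit status of `patch` alone. Combined with `ignore_errors: true`, a hotfix that was never applied can therefore pass unnoticed; whether `result` is inspected later is not visible in this hunk. Prefixing the command with `set -o pipefail &&` and writing the path as `/opt/ipsilon-patches/{{ item | quote }}.patch` would surface the failure and keep an unusual entry in `ipsilon_patches` from being split by the shell.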