diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..5faf1ef
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,19 @@
+---
+offline: true
+profile: production
+strict: true
+
+# Additional rules to enable if no profile set
+enable_list:
+ - args
+ - empty-string-compare
+ - no-log-password
+ - no-same-owner
+ - yaml
+
+skip_list:
+ - fqcn[action-core]
+ - galaxy[no-changelog]
+ - no-handler
+ - var-naming[no-role-prefix]
+ - yaml[comments]
diff --git a/galaxy.yml b/galaxy.yml
index 663423a..34a8588 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -11,8 +11,10 @@ license:
 - GPL-3.0-or-later
 tags:
 - rhel
+ - linux
 - centos
 - configuration
+ - infrastructure
 dependencies:
 ansible.posix: ">=1.4.0"
 community.general: ">=5.5.0"
diff --git a/meta/runtime.yml b/meta/runtime.yml
index 18dabe9..460bbaf 100644
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9"
+requires_ansible: ">=2.9.10"
diff --git a/roles/aide_setup/tasks/main.yml b/roles/aide_setup/tasks/main.yml
index 5d8142f..7bba48c 100644
--- a/roles/aide_setup/tasks/main.yml
+++ b/roles/aide_setup/tasks/main.yml
@@ -30,10 +30,12 @@
 - name: Initialize new aide database
 command: /usr/sbin/aide --init
+ register: aide_database
+ changed_when: true
 when:
 - "'aide' in ansible_facts.packages"
- - not aide_database.stat.exists
 - aide_setup_initialize_database | bool
+ - not aide_database.stat.exists
 - name: Copy new aide database as current aide database
 copy:
@@ -43,13 +45,13 @@
 remote_src: true
 when:
 - "'aide' in ansible_facts.packages"
- - not aide_database.stat.exists
 - aide_setup_initialize_database | bool
+ - aide_database is changed
 # Configure cron in OpenSCAP-compatible manner
 - name: Update aide check cron configuration
 vars:
- entry_prefix: "{{ '' if aide_setup_cron_setup|bool else '#' }}"
+ entry_prefix: "{{ '' if aide_setup_cron_setup | bool else '#' }}"
 lineinfile:
 path: /etc/crontab
 regexp: '^(#|)05 4 \* \* \* root /usr/sbin/aide --check'
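Review bot: `register: aide_database` on the `aide --init` task reuses the name that already holds the stat result the same task's `when` reads (`not aide_database.stat.exists`), so once this task has run the variable holds a command result and `.stat` is gone; that also applies when the task is skipped, since Ansible registers a skipped result too. The copy task in the next hunk now tests `aide_database is changed`, so it survives, but any later reference to `aide_database.stat` in the rest of the file, which is outside these hunks, would fail. Registering under a distinct name keeps both results usable: `register: aide_init` here and `- aide_init is changed` in the copy task.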
diff --git a/roles/boot_parameters/tasks/main.yml b/roles/boot_parameters/tasks/main.yml
index 3e258a9..6f2bc05 100644
--- a/roles/boot_parameters/tasks/main.yml
+++ b/roles/boot_parameters/tasks/main.yml
@@ -39,15 +39,18 @@
 --args="{{ boot_parameters_enable | join(' ') }}"
 --remove-args="{{ boot_parameters_disable | join(' ') }}"
 register: boot_config
+ changed_when: true
 when: (0 in enable_check.results | map(attribute='found') | list) or (1 in disable_check.results | map(attribute='found') | list)
 - name: Fix default kernel boot parameters (RHEL 7)
 shell: |
+ set -o pipefail
 eval $(grubby --info=DEFAULT | awk '/^args/ {print $0}')
 sed -i -e "s,^GRUB_CMDLINE_LINUX=.*,GRUB_CMDLINE_LINUX=\"$args\"," /etc/default/grub
+ changed_when: true
 when:
- - ansible_facts.distribution_major_version|int == 7
+ - ansible_facts.distribution_major_version | int == 7
 - boot_config is changed
 - name: Update boot loader timeout configuration
@@ -55,10 +58,10 @@
 path: /etc/default/grub
 regexp: '^GRUB_TIMEOUT=.*'
 replace: 'GRUB_TIMEOUT={{ boot_parameters_timeout }}'
+ register: boot_timeout
 when:
 - boot_parameters_timeout is integer
 - boot_parameters_timeout | int >= 1
- register: boot_timeout
 - name: Determine platform type
 stat:
@@ -67,7 +70,7 @@
 - name: Set boot loader configuration files
 vars:
- old_rhel: "{{ true if ansible_facts.distribution_major_version|int < 9 else false }}"
+ old_rhel: "{{ true if ansible_facts.distribution_major_version | int < 9 else false }}"
 efi_path: "{{ true if old_rhel and efi_dir.stat.exists else false }}"
 set_fact:
 grub_config: "{{ '/boot/grub2/grub.cfg' if not efi_path else '/boot/efi/EFI/redhat/grub.cfg' }}"
@@ -91,6 +94,7 @@
 - name: Write boot loader configuration
 command: grub2-mkconfig -o {{ grub_config }}
+ changed_when: true
 when: boot_timeout is changed or password_remove is changed or password_update is changed
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 5f6af49..1f11347 100644
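Review bot: `set -o pipefail` alone does not make the RHEL 7 fix-up safe: a failure of the `grubby --info=DEFAULT | awk` pipeline happens inside the command substitution handed to `eval`, and `eval` of an empty string still exits 0, so the task continues and the `sed` line writes `GRUB_CMDLINE_LINUX=""` into /etc/default/grub, dropping every kernel parameter that was there. Use `set -euo pipefail` so an unset `$args` aborts before sed runs, and guard the empty case explicitly with `[ -n "${args:-}" ] || exit 1` between the eval and the sed. The added `changed_when: true` is fine here since the task already runs only when `boot_config is changed`.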
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -17,4 +17,5 @@
 - name: Write trusted certificate bundles
 command: update-ca-trust extract
+ changed_when: true
 when: ca_files is changed
diff --git a/roles/dns_cache/tasks/disable.yml b/roles/dns_cache/tasks/disable.yml
index 4f3378c..b7591f1 100644
--- a/roles/dns_cache/tasks/disable.yml
+++ b/roles/dns_cache/tasks/disable.yml
@@ -28,7 +28,7 @@
 - not dns_cache_enable | bool or dns_cache_component != 'nscd'
-- name: Check NetworkManager DNS configuration
+- name: Read NetworkManager DNS configuration
 slurp:
 src: /etc/NetworkManager/conf.d/50-dns.conf
 register: current_config
@@ -45,7 +45,7 @@
 when:
 - not dns_cache_enable | bool or (current_config.content is defined and
- dns_cache_component not in current_config.content|b64decode)
+ dns_cache_component not in current_config.content | b64decode)
 - name: Disable systemd-resolved service
 service:
@@ -74,7 +74,7 @@
 state: absent
 register: resolved_package
 when:
- - ansible_facts.distribution_major_version|int == 7
+ - ansible_facts.distribution_major_version | int == 7
 - not dns_cache_enable | bool or dns_cache_component != 'systemd-resolved'
diff --git a/roles/dns_cache/tasks/systemd_resolved.yml b/roles/dns_cache/tasks/systemd_resolved.yml
index 07995ac..8b8c7ab 100644
--- a/roles/dns_cache/tasks/systemd_resolved.yml
+++ b/roles/dns_cache/tasks/systemd_resolved.yml
@@ -11,7 +11,7 @@
 yum:
 name: systemd-resolved
 state: present
- when: ansible_facts.distribution_major_version|int != 8
+ when: ansible_facts.distribution_major_version | int != 8
 - name: Gather service facts
 service_facts:
diff --git a/roles/insights_client/README.md b/roles/insights_client/README.md
index 89f7ecf..89ccacb 100644
--- a/roles/insights_client/README.md
+++ b/roles/insights_client/README.md
@@ -10,7 +10,7 @@ Below are the role default values from defaults/main.yml:
---
-# Register or unregister the system for Red Hat Insights
+# Register or unregister the system with Red Hat Insights
 # See https://access.redhat.com/products/red-hat-insights
 insights_client_register: true
@@ -20,7 +20,7 @@ insights_client_tags:
 # security: strict
 # network_performance: latency
-# Enable Red Hat connector (rhc) when needed
+# Enable remote host configuration (rhc)
 # See https://access.redhat.com/articles/rhc
 insights_client_rhc_enable: true
diff --git a/roles/insights_client/defaults/main.yml b/roles/insights_client/defaults/main.yml
index 3a283aa..edc736f 100644
--- a/roles/insights_client/defaults/main.yml
+++ b/roles/insights_client/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# Register or unregister the system for Red Hat Insights
+# Register or unregister the system with Red Hat Insights
 # See https://access.redhat.com/products/red-hat-insights
 insights_client_register: true
@@ -9,7 +9,7 @@ insights_client_tags:
 # security: strict
 # network_performance: latency
-# Enable Red Hat connector (rhc) when needed
+# Enable remote host configuration (rhc)
 # See https://access.redhat.com/articles/rhc
 insights_client_rhc_enable: true
diff --git a/roles/insights_client/tasks/enable.yml b/roles/insights_client/tasks/enable.yml
index a8d3afb..88e23fe 100644
--- a/roles/insights_client/tasks/enable.yml
+++ b/roles/insights_client/tasks/enable.yml
@@ -13,7 +13,7 @@
 vars:
 rhc_packages:
 - "{{ 'rhc' if insights_client_rhc_enable | bool else '' }}"
- - "{{ 'rhc-worker-playbook' if ansible_facts.distribution_major_version|int >= 8 else '' }}"
+ - "{{ 'rhc-worker-playbook' if ansible_facts.distribution_major_version | int >= 8 else '' }}"
 openscap_packages:
 - scap-security-guide
 required_packages:
@@ -59,6 +59,7 @@
 - name: Upload new data to Red Hat Insights
 command: insights-client --silent
+ changed_when: true
 when: tags_file is changed
 # https://bugzilla.redhat.com/show_bug.cgi?id=2175793
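Review bot: The `rhc_packages` entries still evaluate to `''` when rhc is disabled or the release is below 8, so whatever list `required_packages` builds from them (its definition continues past the hunk) carries empty strings unless it is filtered; the packages_remove and troubleshooting_tools hunks in this same commit add `| select() | list` for exactly that reason. If `required_packages` is handed to `yum` as-is, apply the same filter where it is consumed, e.g. `name: "{{ required_packages | select() | list }}"`, or drop the `else ''` branches and build the list conditionally. The enclosing task starts before this hunk.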
diff --git a/roles/multipath_setup/tasks/main.yml b/roles/multipath_setup/tasks/main.yml
index 9596b95..80a0e5c 100644
--- a/roles/multipath_setup/tasks/main.yml
+++ b/roles/multipath_setup/tasks/main.yml
@@ -38,6 +38,7 @@
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: multipath_config is changed
 - name: Reboot system
diff --git a/roles/packages_remove/tasks/main.yml b/roles/packages_remove/tasks/main.yml
index 169b82a..9183077 100644
--- a/roles/packages_remove/tasks/main.yml
+++ b/roles/packages_remove/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Remove unwanted packages
 yum:
- name: "{{ packages_remove }}"
+ name: "{{ packages_remove | select() | list }}"
 autoremove: "{{ packages_remove_autoremove }}"
 #cacheonly: true
 state: absent
diff --git a/roles/performance_tuning/tasks/main.yml b/roles/performance_tuning/tasks/main.yml
index 32aeecb..c8363fe 100644
--- a/roles/performance_tuning/tasks/main.yml
+++ b/roles/performance_tuning/tasks/main.yml
@@ -27,7 +27,7 @@
 state: started
 when: "'tuned' in ansible_facts.packages"
-- name: Check current tuned profile
+- name: Read current tuned profile
 slurp:
 src: /etc/tuned/active_profile
 register: active_profile
@@ -35,6 +35,7 @@
 - name: Configure tuned profile
 command: tuned-adm profile {{ tuned_profile }}
+ changed_when: true
 when:
 - "'tuned' in ansible_facts.packages"
- - active_profile.content|b64decode|trim != tuned_profile
+ - active_profile.content | b64decode | trim != tuned_profile
diff --git a/roles/rescue_image/tasks/disable.yml b/roles/rescue_image/tasks/disable.yml
index a75f43c..26d46d9 100644
--- a/roles/rescue_image/tasks/disable.yml
+++ b/roles/rescue_image/tasks/disable.yml
@@ -47,10 +47,11 @@
 - name: Write boot loader configuration
 vars:
- old_rhel: "{{ true if ansible_facts.distribution_major_version|int < 9 else false }}"
+ old_rhel: "{{ true if ansible_facts.distribution_major_version | int < 9 else false }}"
 efi_path: "{{ true if old_rhel and efi_dir.stat.exists else false }}"
 grub_config: "{{ '/boot/grub2/grub.cfg' if not efi_path else '/boot/efi/EFI/redhat/grub.cfg' }}"
 command: grub2-mkconfig -o {{ grub_config }}
+ changed_when: true
 when:
 - not entries_dir.stat.exists
 - remove_images is changed
diff --git a/roles/splunk_forwarder/README.md b/roles/splunk_forwarder/README.md
index 026c0cd..1d5ea39 100644
--- a/roles/splunk_forwarder/README.md
+++ b/roles/splunk_forwarder/README.md
@@ -10,7 +10,7 @@ Below are the role default values from defaults/main.yml:---
-splunk_deployment_server: splunk.example.com
+splunk_deployment_server:
 splunk_deployment_server_port: 8089
 splunk_deployment_server_check: true
diff --git a/roles/splunk_forwarder/defaults/main.yml b/roles/splunk_forwarder/defaults/main.yml
index 6bd5583..8aa3db7 100644
--- a/roles/splunk_forwarder/defaults/main.yml
+++ b/roles/splunk_forwarder/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-splunk_deployment_server: splunk.example.com
+splunk_deployment_server:
 splunk_deployment_server_port: 8089
 splunk_deployment_server_check: true
diff --git a/roles/splunk_forwarder/tasks/main.yml b/roles/splunk_forwarder/tasks/main.yml
index f8e2fd3..c11e05f 100644
--- a/roles/splunk_forwarder/tasks/main.yml
+++ b/roles/splunk_forwarder/tasks/main.yml
@@ -73,10 +73,12 @@
 - name: Stop Splunk legacy service
 command: /opt/splunkforwarder/bin/splunk stop
+ changed_when: true
 when: legacy_init.stat.exists
 - name: Disable Splunk legacy service
 command: /opt/splunkforwarder/bin/splunk disable boot-start
+ changed_when: true
 when: legacy_init.stat.exists
 - name: Check Splunk Forwarder systemd service file
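Review bot: `splunk_deployment_server:` with no value is YAML null, not an empty string, so a task that concatenates it into a URL, compares it with a string or runs it through `| length` now sees `None` instead of `''`; the README hunk above carries the same bare value. If the intent is "unset until the operator provides one", write it explicitly as `splunk_deployment_server: ""`, or as `null` with a comment stating that the role skips deployment-server configuration when it is empty, so the consuming tasks and readers see the same intent.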
@@ -89,6 +91,7 @@
 /opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user splunk -group splunk --accept-license --no-prompt --answer-yes
+ changed_when: true
 when: not systemd_service.stat.exists
 - name: Enable Splunk Forwarder service
diff --git a/roles/system_init/tasks/init.yml b/roles/system_init/tasks/init.yml
index 51f677f..7fe4841 100644
--- a/roles/system_init/tasks/init.yml
+++ b/roles/system_init/tasks/init.yml
@@ -12,12 +12,14 @@
 - name: Remove old kernel packages (RHEL 7)
 command: package-cleanup -C --oldkernels --count=1 -y
+ changed_when: true
 when:
 - ansible_facts.pkg_mgr == 'yum'
 - ansible_facts.packages['kernel'] | length > 1
 - name: Remove old kernel packages
 command: dnf -C remove --oldinstallonly -y
+ changed_when: true
 when:
 - ansible_facts.pkg_mgr == 'dnf'
 - ansible_facts.packages['kernel'] | length > 1
@@ -41,6 +43,7 @@
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: nic_config is changed
 - name: Check installer log directory
@@ -123,6 +126,7 @@
 cmd: subscription-manager facts --update
 removes: /var/lib/rhsm/facts/facts.json
 failed_when: false
+ changed_when: true
 - name: Mark system initialized
 copy:
@@ -131,6 +135,6 @@
 mode: '0644'
 - name: Log initialization message
- syslogger:
+ community.general.syslogger:
 msg: "System initialized by system_init role."
 when: "'syslog' in system_init_final_actions"
diff --git a/roles/system_keyboard/tasks/main.yml b/roles/system_keyboard/tasks/main.yml
index 5c049cd..3f5e65c 100644
--- a/roles/system_keyboard/tasks/main.yml
+++ b/roles/system_keyboard/tasks/main.yml
@@ -19,6 +19,7 @@
 - name: Configure system keyboard
 command: localectl set-keymap {{ system_keyboard }}
 register: keyboard_config
+ changed_when: true
 when: not keyboard_check.found
 - name: Check system console font configuration
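Review bot: `changed_when: true` next to the existing `failed_when: false` makes the `subscription-manager facts --update` task report changed even when the command fails, so a failing run is invisible in the play recap. Registering the result and keying the change on the exit code keeps the best-effort behaviour while reporting honestly: `register: rhsm_facts` and `changed_when: rhsm_facts.rc == 0`. The task's name and opening lines are above this hunk.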
@@ -40,10 +41,12 @@
 - name: Configure system console font
 command: setfont {{ system_font }}
+ changed_when: true
 when: font_config is changed
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: package_install is changed or keyboard_config is changed or font_config is changed
diff --git a/roles/system_locale/tasks/main.yml b/roles/system_locale/tasks/main.yml
index decb692..a970bc9 100644
--- a/roles/system_locale/tasks/main.yml
+++ b/roles/system_locale/tasks/main.yml
@@ -9,11 +9,11 @@
 - name: Check langpack support
 set_fact:
- langpacks: "{{ true if ansible_facts.distribution_major_version|int >= 8 else false }}"
+ langpacks: "{{ true if ansible_facts.distribution_major_version | int >= 8 else false }}"
 - name: Check C.UTF-8 support
 set_fact:
- c_utf_8: "{{ true if ansible_facts.distribution_major_version|int >= 9 else false }}"
+ c_utf_8: "{{ true if ansible_facts.distribution_major_version | int >= 9 else false }}"
 - name: Install locale packages
 vars:
@@ -36,6 +36,7 @@
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: locale_config is changed
 - name: Reboot system
diff --git a/roles/system_unregister/tasks/main.yml b/roles/system_unregister/tasks/main.yml
index 496981d..28ad31c 100644
--- a/roles/system_unregister/tasks/main.yml
+++ b/roles/system_unregister/tasks/main.yml
@@ -30,10 +30,11 @@
 # Use removes: to only run on registered systems
 - name: Clean package manager caches (RHEL 7)
+ # noqa: command-instead-of-module
 command:
 cmd: yum -C clean all
 removes: /etc/rhsm/ca/katello-server-ca.pem
- when: ansible_facts.distribution_major_version|int < 8
+ when: ansible_facts.distribution_major_version | int < 8
 - name: Unregister from Red Hat Subscription Management
 command: subscription-manager unregister
@@ -78,7 +79,8 @@
 - name: Clean package manager caches
 command: dnf -C clean all
- when: ansible_facts.distribution_major_version|int >= 8
+ changed_when: true
+ when: ansible_facts.distribution_major_version | int >= 8
 - name: Check RHSM configuration backup file
 stat:
diff --git a/roles/timesync/tasks/main.yml b/roles/timesync/tasks/main.yml
index 2ce2149..f6ce53d 100644
--- a/roles/timesync/tasks/main.yml
+++ b/roles/timesync/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Set timesync configuration
 set_fact:
- timesync_ntp_servers: "{{ timesync_ntp_servers | default([]) + [{ 'hostname': item, 'iburst': true }] }}"
+ timesync_ntp_servers: "{{ timesync_ntp_servers | default([]) + [{'hostname': item, 'iburst': true}] }}"
 loop: "{{ ntp_servers }}"
 - name: Configure timesync
diff --git a/roles/troubleshooting_tools/README.md b/roles/troubleshooting_tools/README.md
index 41a052a..5a5b5b5 100644
--- a/roles/troubleshooting_tools/README.md
+++ b/roles/troubleshooting_tools/README.md
@@ -23,7 +23,7 @@ troubleshooting_tools:
 #- numactl
 - pcp-system-tools
 #- perf
- - "{{ 'policycoreutils-python-utils' if ansible_facts.distribution_major_version|int >= 8 else 'policycoreutils-python' }}"
+ - "{{ 'policycoreutils-python-utils' if ansible_facts.distribution_major_version | int >= 8 else 'policycoreutils-python' }}"
 - procps-ng
 - psmisc
 #- setroubleshoot-server
diff --git a/roles/troubleshooting_tools/defaults/main.yml b/roles/troubleshooting_tools/defaults/main.yml
index bf21f37..a51c6d3 100644
--- a/roles/troubleshooting_tools/defaults/main.yml
+++ b/roles/troubleshooting_tools/defaults/main.yml
@@ -12,7 +12,7 @@ troubleshooting_tools:
 #- numactl
 - pcp-system-tools
 #- perf
- - "{{ 'policycoreutils-python-utils' if ansible_facts.distribution_major_version|int >= 8 else 'policycoreutils-python' }}"
+ - "{{ 'policycoreutils-python-utils' if ansible_facts.distribution_major_version | int >= 8 else 'policycoreutils-python' }}"
 - procps-ng
 - psmisc
 #- setroubleshoot-server
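Review bot: The `dnf -C clean all` task now reports changed on every RHEL 8+ run, because unlike the RHEL 7 task earlier in the file it has no `removes:` guard and runs whether or not the system was ever registered. Mirroring the yum task keeps the play idempotent: `command:` / `cmd: dnf -C clean all` / `removes: /etc/rhsm/ca/katello-server-ca.pem`, after which `changed_when: true` only fires when the cache was actually cleaned.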
diff --git a/roles/troubleshooting_tools/tasks/main.yml b/roles/troubleshooting_tools/tasks/main.yml
index f2ce158..6e35723 100644
--- a/roles/troubleshooting_tools/tasks/main.yml
+++ b/roles/troubleshooting_tools/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Install troubleshooting tools
 yum:
- name: "{{ troubleshooting_tools }}"
+ name: "{{ troubleshooting_tools | select() | list }}"
 state: present
 - name: Gather package facts
@@ -22,8 +22,8 @@
 enabled: true
 when:
 - "'pcp' in ansible_facts.packages"
- - troubleshooting_tools_enable_perf_metrics | bool
 - "'pcp-system-tools' in troubleshooting_tools"
+ - troubleshooting_tools_enable_perf_metrics | bool
 - name: Enable performance metrics archiving
 service:
@@ -32,5 +32,5 @@
 enabled: true
 when:
 - "'pcp' in ansible_facts.packages"
- - troubleshooting_tools_enable_perf_metrics | bool
 - "'pcp-system-tools' in troubleshooting_tools"
+ - troubleshooting_tools_enable_perf_metrics | bool
diff --git a/roles/watchdog/meta/main.yml b/roles/watchdog/meta/main.yml
index c741442..076d370 100644
--- a/roles/watchdog/meta/main.yml
+++ b/roles/watchdog/meta/main.yml
@@ -5,13 +5,13 @@ galaxy_info:
 company: Red Hat, Inc.
 description: watchdog role
 license: GPLv3+
- min_ansible_version: '2.9'
+ min_ansible_version: "2.9"
 platforms:
 - name: EL
 versions:
- - '7'
- - '8'
- - '9'
+ - "7"
+ - "8"
+ - "9"
 galaxy_tags:
 - rhel
 - centos
diff --git a/roles/watchdog/tasks/disable.yml b/roles/watchdog/tasks/disable.yml
index d234c5a..01b4ede 100644
--- a/roles/watchdog/tasks/disable.yml
+++ b/roles/watchdog/tasks/disable.yml
@@ -1,7 +1,7 @@
 ---
 - name: Disable system runtime watchdog configuration
 vars:
- option_value: "{{ 'off' if ansible_facts.distribution_major_version|int >= 9 else '0' }}"
+ option_value: "{{ 'off' if ansible_facts.distribution_major_version | int >= 9 else '0' }}"
 lineinfile:
 path: /etc/systemd/system.conf
 regexp: '^(#|)RuntimeWatchdogSec=.*'
@@ -10,7 +10,7 @@
 - name: Restore system reboot watchdog default configuration
 vars:
- option_name: "{{ 'RebootWatchdogSec' if ansible_facts.distribution_major_version|int >= 9 else 'ShutdownWatchdogSec' }}"
+ option_name: "{{ 'RebootWatchdogSec' if ansible_facts.distribution_major_version | int >= 9 else 'ShutdownWatchdogSec' }}"
 lineinfile:
 path: /etc/systemd/system.conf
 regexp: '^(#|){{ option_name }}=.*'
@@ -19,7 +19,7 @@
 - name: Disable system kexec watchdog configuration
 vars:
- option_state: "{{ 'present' if ansible_facts.distribution_major_version|int >= 9 else 'absent' }}"
+ option_state: "{{ 'present' if ansible_facts.distribution_major_version | int >= 9 else 'absent' }}"
 lineinfile:
 path: /etc/systemd/system.conf
 regexp: '^(#|)KExecWatchdogSec=.*'
@@ -29,7 +29,7 @@
 - name: Restore system watchdog device default configuration
 vars:
- option_state: "{{ 'present' if ansible_facts.distribution_major_version|int >= 9 else 'absent' }}"
+ option_state: "{{ 'present' if ansible_facts.distribution_major_version | int >= 9 else 'absent' }}"
 lineinfile:
 path: /etc/systemd/system.conf
 regexp: '^(#|)WatchdogDevice=.*'
@@ -47,6 +47,7 @@
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: watchdog_runtime is changed or watchdog_reboot is changed or watchdog_kexec is changed or
diff --git a/roles/watchdog/tasks/enable.yml b/roles/watchdog/tasks/enable.yml
index c02edff..f7eaa34 100644
--- a/roles/watchdog/tasks/enable.yml
+++ b/roles/watchdog/tasks/enable.yml
@@ -8,7 +8,7 @@
 - name: Update system reboot watchdog configuration
 vars:
- option_name: "{{ 'RebootWatchdogSec' if ansible_facts.distribution_major_version|int >= 9 else 'ShutdownWatchdogSec' }}"
+ option_name: "{{ 'RebootWatchdogSec' if ansible_facts.distribution_major_version | int >= 9 else 'ShutdownWatchdogSec' }}"
 lineinfile:
 path: /etc/systemd/system.conf
 regexp: '^(#|){{ option_name }}=.*'
@@ -23,7 +23,7 @@
 line: 'KExecWatchdogSec={{ watchdog_kexec_sec }}'
 register: watchdog_kexec
 when:
- - ansible_facts.distribution_major_version|int >= 9
+ - ansible_facts.distribution_major_version | int >= 9
 - watchdog_kexec_sec | default(false)
 - name: Update system watchdog device configuration
@@ -33,7 +33,7 @@
 line: 'WatchdogDevice={{ watchdog_device }}'
 register: watchdog_device
 when:
- - ansible_facts.distribution_major_version|int >= 9
+ - ansible_facts.distribution_major_version | int >= 9
 - watchdog_device | default(false)
 - name: Reload systemd to apply watchdog configuration changes
@@ -46,6 +46,7 @@
 - name: Rebuild initramfs
 command: dracut -f --regenerate-all
+ changed_when: true
 when: watchdog_runtime is changed or watchdog_reboot is changed or watchdog_kexec is changed or