diff --git a/ansible/tasks/fix-ipv6-ndisc.yml b/ansible/tasks/fix-ipv6-ndisc.yml
index 8953fd880..1ea01bfb4 100644
--- a/ansible/tasks/fix-ipv6-ndisc.yml
+++ b/ansible/tasks/fix-ipv6-ndisc.yml
@@ -1,33 +1,30 @@
 ---
-- name: fix Network - systemd timer file
-  copy:
-    dest: /etc/systemd/system/systemd-networkd-check-and-fix.timer
-    src: "files/systemd-networkd/systemd-networkd-check-and-fix.timer"
-    owner: root
-    group: root
-    mode: 0644
-
-- name: fix Network - systemd service file
-  copy:
-    dest: /etc/systemd/system/systemd-networkd-check-and-fix.service
-    src: "files/systemd-networkd/systemd-networkd-check-and-fix.service"
-    owner: root
-    group: root
-    mode: 0644
+- name: fix Network - systemd timer and service file
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/systemd-networkd-check-and-fix.{{ network_item }}"
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: "files/systemd-networkd/systemd-networkd-check-and-fix.{{ network_item }}"
+  loop:
+    - service
+    - timer
+  loop_control:
+    loop_var: 'network_item'
 
 - name: fix Network - detect script
-  copy:
-    dest: /usr/local/bin/systemd-networkd-check-and-fix.sh
-    src: "files/systemd-networkd/systemd-networkd-check-and-fix.sh"
-    owner: root
-    group: root
-    mode: 0700
+  ansible.builtin.copy:
+    dest: '/usr/local/bin/systemd-networkd-check-and-fix.sh'
+    src: 'files/systemd-networkd/systemd-networkd-check-and-fix.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
 
 - name: fix Network - reload systemd
-  systemd:
+  ansible.builtin.systemd_service:
     daemon_reload: false
 
 - name: fix Network - ensure systemd timer is installed but disabled
-  systemd:
-    name: systemd-networkd-check-and-fix.timer
+  ansible.builtin.systemd_service:
+    name: 'systemd-networkd-check-and-fix.timer'
     enabled: false
diff --git a/ansible/tasks/setup-docker.yml b/ansible/tasks/setup-docker.yml
index 7b37f70cc..6a3a12cc4 100644
--- a/ansible/tasks/setup-docker.yml
+++ b/ansible/tasks/setup-docker.yml
@@ -1,80 +1,87 @@
-- name: Copy extension packages
-  copy:
-    src: files/extensions/
-    dest: /tmp/extensions/
-  when: debpkg_mode
+- name: debpkg_mode actions
+  when:
+    - debpkg_mode
+  block:
+    - name: Copy extension packages
+      ansible.builtin.copy:
+        dest: '/tmp/extensions/'
+        src: 'files/extensions/'
 
-# Builtin apt module does not support wildcard for deb paths
-- name: Install extensions
-  shell: |
-    set -e
-    apt-get update
-    apt-get install -y --no-install-recommends /tmp/extensions/*.deb
-  when: debpkg_mode
+    - name: Install extensions
+      ansible.builtin.apt:
+        deb: "{{ deb_item }}"
+        force_apt_get: true
+        install_recommends: false
+        state: 'present'
+        update_cache: true
+      loop_control:
+        loop_var: 'deb_item'
+      with_fileglob:
+        - '/tmp/extensions/*.deb'
 
-- name: pgsodium - determine postgres bin directory
-  shell: pg_config --bindir
-  register: pg_bindir_output
-  when: debpkg_mode
-  
-- set_fact:
-    pg_bindir: "{{ pg_bindir_output.stdout }}"
-  when: debpkg_mode 
+    - name: pgsodium - determine PostgreSQL bin directory
+      ansible.builtin.command:
+        cmd:  pg_config --bindir
+      changed_when: false
+      register: 'pg_bindir_output'
+      
+    - name: store the PostgreSQL bin dir as a fact
+      ansible.builtin.set_fact:
+        pg_bindir: "{{ pg_bindir_output['stdout'] }}"
 
-- name: pgsodium - set pgsodium.getkey_script
-  become: yes
-  lineinfile:
-    path: /etc/postgresql/postgresql.conf
-    state: present
-    # script is expected to be placed by finalization tasks for different target platforms
-    line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
-  when: debpkg_mode
+    - name: pgsodium - set pgsodium.getkey_script
+      ansible.builtin.lineinfile:
+        path: '/etc/postgresql/postgresql.conf'
+        # script is expected to be placed by finalization tasks for different target platforms
+        line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
+        state: 'present'
+      become: true
 
-# supautils
-- name: supautils - add supautils to session_preload_libraries
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#session_preload_libraries = ''"
-    replace: session_preload_libraries = 'supautils'
-  when: debpkg_mode or stage2_nix
+- name: debpkg_mode or stage2_nix actions
+  when:
+    - (debpkg_mode or stage2_nix)
+  block:
+    # supautils
+    - name: supautils - add supautils to session_preload_libraries
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#session_preload_libraries = ''"
+        replace: "session_preload_libraries = 'supautils'"
+      become: true
 
-- name: supautils - write custom supautils.conf
-  template:
-    src: "files/postgresql_config/supautils.conf.j2"
-    dest: /etc/postgresql-custom/supautils.conf
-    mode: 0664
-    owner: postgres
-    group: postgres
-  when: debpkg_mode or stage2_nix
+    - name: supautils - write custom supautils.conf
+      ansible.builtin.template:
+        dest: '/etc/postgresql-custom/supautils.conf'
+        mode: '0664'
+        group: 'postgres'
+        owner: 'postgres'
+        src: 'files/postgresql_config/supautils.conf.j2'
 
-- name: supautils - copy extension custom scripts
-  copy:
-    src: files/postgresql_extension_custom_scripts/
-    dest: /etc/postgresql-custom/extension-custom-scripts
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - copy extension custom scripts
+      ansible.builtin.copy:
+        dest: '/etc/postgresql-custom/extension-custom-scripts'
+        src: 'files/postgresql_extension_custom_scripts/'
+      become: true
 
-- name: supautils - chown extension custom scripts
-  file:
-    mode: 0775
-    owner: postgres
-    group: postgres
-    path: /etc/postgresql-custom/extension-custom-scripts
-    recurse: yes
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - chown extension custom scripts
+      ansible.builtin.file:
+        group: 'postgres'
+        mode: '0775'
+        owner: 'postgres'
+        path: '/etc/postgresql-custom/extension-custom-scripts'
+        recurse: true
+      become: true
 
-- name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
-    replace: "include = '/etc/postgresql-custom/supautils.conf'"
-  when: debpkg_mode or stage2_nix
+    - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
+        replace: "include = '/etc/postgresql-custom/supautils.conf'"
+      become: true
 
 - name: Cleanup - extension packages
-  file:
-    path: /tmp/extensions
-    state: absent
-  when: debpkg_mode
+  ansible.builtin.file:
+    path: '/tmp/extensions'
+    state: 'absent'
+  when:
+    - debpkg_mode