diff --git a/tasks/main.yml b/tasks/main.yml
index a9fbc55..b9eb34e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,6 +7,9 @@
   template:
     src: node-exporter.j2
     dest: /etc/default/prometheus-node-exporter
+    owner: root
+    group: root
+    mode: 0644
 
 - name: handle blackbox exporter
   when: prometheus_agent.agents.blackbox.enable
@@ -19,6 +22,9 @@
     template:
       src: prometheus-blackbox.j2
       dest: /etc/default/prometheus-blackbox-exporter
+      owner: root
+      group: root
+      mode: 0644
   - name: wrtie blackbox exporter config
     notify: restart blackbox exporter
     copy:
@@ -31,7 +37,8 @@
 - name: manage tls
   when: prometheus_agent.tls.manage
   block:
-  - set_fact:
+  - name: store certificates
+    set_fact:
       inventory_certs: "{{ certificates.certs|d({}) }}"
       prometheus_certs: |
         {
@@ -40,7 +47,8 @@
             'backend': 'selfsigned'
           }
         }
-  - include_role:
+  - name: create certificates
+    include_role:
       name: certificates
     vars:
       certificates:
@@ -74,6 +82,7 @@
     template:
       src: stunnel-client.conf.j2
       dest: /etc/stunnel/prometheus-agent.conf
+      mode: 0644
     notify: restart stunnel
   - name: ensure stunnel is running
     failed_when: False
@@ -89,9 +98,11 @@
       dest: "/etc/prometheus/targetcerts/{{ inventory_hostname }}.crt"
       mode: 0644
 
-- set_fact:
-    labels_ansible_groups: '{ {% for g in group_names %}"ansible_group_{{g}}": 1{% if not loop.last %}, {% endif %}{% endfor %} }'
-- set_fact:
+- name: store ansible groups as labels
+  set_fact:
+    labels_ansible_groups: '{ {% for g in group_names %}"ansible_group_{{ g }}": 1{% if not loop.last %}, {% endif %}{% endfor %} }'
+- name: store combined labels
+  set_fact:
     merged_prometheus_labels: "{{ {}|combine((labels_ansible_groups if prometheus_agent.ansible_groups_as_labels else {}), prometheus_agent.labels) }}"
 - name: setup scraper
   loop: "{{ prometheus_agent.scrapers.keys()|list }}"