diff --git a/play.yml b/play.yml
index 26123f2..8f11c6f 100644
--- a/play.yml
+++ b/play.yml
@@ -1,20 +1,17 @@
 ---
-# vim: ft=yaml.ansible
-- name: Deploy basics
- hosts: all # reminder: '--limit'
- gather_facts: true
+- hosts: "{{ target | default('all') }}" # target inventory group, default all
+ gather_facts: yes
 vars:
- # auto_update: "true" # would configure dnf-automatic
- # hardened_ssh_port: "1181" # tcp is assumed in selinux/firewalld allowance
+# auto_update: "true" # would configure dnf-automatic
+# hardened_ssh_port: "1181" # tcp is assumed in selinux/firewalld allowance
+ URL_PUBKEYS: "https://github.com/joshlay.keys" # https://github.com/user.keys
 roles:
- - {role: custom-facts, tags: ['facts', 'custom-facts']}
- # - {role: btrfs, tags: ['btrfs']} # sets up scrubbing
- - {role: bootstrap, tags: ['boot', 'bootstrap']}
- - {role: grub, tags: ['grub']}
- - {role: tuned, tags: ['tuned']}
- - {role: install-packages, tags: ['pkgs', 'install', 'install-pkgs']}
- - {role: update-packages, tags: ['pkgs', 'install', 'update-pkgs']}
- # - {role: fedora-upgrade} # replacing w/ 'dist-upgrade', supporting more than fedora
- - {role: create-user, tags: ['user']} # should follow package-installing roles; provide groups the user may want to join
- - {role: hardening, tags: ['harden', 'hardening']}
-# - {role: docker}
+ - {role: btrfs} # sets up scrubbing
+ - {role: bootstrap}
+ - {role: tuned}
+ - {role: install-packages}
+ - {role: update-packages} # depends on 'is_atomic' in bootstrap
+ - {role: fedora-upgrade} # consider renaming to dist-upgrade / supporting more than fedora
+ - {role: create-user} # this should always follow packages; they often provide groups the user may want to join
+ - {role: hardening}
+ - {role: docker}
diff --git a/roles/fedora-upgrade/tasks/main.yml b/roles/fedora-upgrade/tasks/main.yml
index fdddbfa..9320435 100644
--- a/roles/fedora-upgrade/tasks/main.yml
+++ b/roles/fedora-upgrade/tasks/main.yml
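Review bot: In play.yml, `URL_PUBKEYS` makes a mutable remote URL the play-wide source of SSH public keys, and because `hosts` now falls back to `all`, a run without `target` applies that to every inventory host. Which role consumes the variable is not visible in this hunk (presumably `create-user` or `hardening`), but if the fetched keys end up in `authorized_keys`, access to the hosts is governed by whoever controls that account rather than by a reviewed change in this repository. Consider keeping the key material in the repository or inventory and making the target mandatory, e.g. `- hosts: "{{ target }}"`, so an unset variable fails the run instead of widening it. The added `gather_facts: yes` is better written `true`, and dropping the play `name:` and the per-role `tags:` means `hardening` can no longer be selected on its own with a tag.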
@@ -1,7 +1,4 @@
 ---
-- name: Include Fedora-upgrading tasks
- ansible.builtin.include_tasks: tasks.yml
- when:
- - (ansible_distribution in ["Fedora"] and not ansible_local.os.is_atomic)
- - (ansible_distribution_version < fedora_target and ansible_distribution_version|int >= fedora_minimum)
+- include_tasks: tasks.yml
+ when: (ansible_distribution in ["Fedora"] and not is_atomic) and (ansible_distribution_version < fedora_target and ansible_distribution_version|int >= fedora_minimum)
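Review bot: The `when:` expression compares `ansible_distribution_version < fedora_target` without the `|int` cast that the second comparison on the same line uses, so the upper bound is checked against the raw fact, which Ansible normally reports as a string. Depending on how `fedora_target` is defined (not visible here), that is either a lexicographic comparison or a type error; casting both sides, `ansible_distribution_version|int < fedora_target|int`, makes the gate that decides whether a release upgrade runs unambiguous. The bare `is_atomic` also relies on another role having set it before this one runs (the comment in play.yml points at `bootstrap`), so the role fails on an undefined variable when used alone; a preceding `ansible.builtin.assert` with `is_atomic is defined` would make that dependency explicit rather than silently defaulting it. The task would also benefit from a `name:` and the fully qualified `ansible.builtin.include_tasks`.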