diff --git a/tasks/main.yml b/tasks/main.yml
index ead0161..e126117 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,4 +23,6 @@
 - name: Deploy Nebula Node
   include_tasks: node.yml
-  when: inventory_hostname not in groups['nebula_lighthouse'] and nebula_internal_ip_addr is defined
+  when:
+    - inventory_hostname not in groups['nebula_lighthouse']
+    - nebula_internal_ip_addr is defined
 
diff --git a/tasks/nebula.yml b/tasks/nebula.yml
index 87d59f9..0adc53b 100644
--- a/tasks/nebula.yml
+++ b/tasks/nebula.yml
@@ -1,8 +1,14 @@
+---
+- name: Ensure cron is installed
+  package:
+    name: "{{ 'cron' if ansible_facts.os_family == 'Debian' else 'cronie' }}"
+    state: present
+
 - name: Ensure /opt/nebula directory exists
   file:
     path: /opt/nebula
     state: directory
-    mode: '0700'
+    mode: '0755'
     owner: root
     group: root
 
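Review bot: Loosening /opt/nebula from `0700` to `0755` makes the directory listable and traversable by every local user, and neither the hunk nor the commit says which non-root reader needs that; the binaries (0700) and ssh host keys (0600) handled later in nebula.yml stay protected, but any other file the role drops there with a default mode — config, CA or node certificates — becomes world-readable, and the listing alone reveals what is deployed. If the intent is only to let a non-root process reach one file inside, `mode: '0711'` grants traversal without listing; either way, state the consumer above the task, e.g. `# 0755 rather than 0700: <consumer> must traverse /opt/nebula; files inside keep their own restrictive modes`. The new cron task picks `cronie` for every non-Debian family, which is right for RedHat-style targets but not for e.g. SUSE (`cron`) or Alpine (`dcron`) — worth a vars lookup if the role is meant to run there.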
@@ -23,13 +29,22 @@
     installed_nebula_version: "{{ installed_nebula_version_out.stdout.split(' ')[1] }}"
   when: installed_nebula_stats.stat.exists
 
-- name: Download & Extract Nebula
+# ✅ FIX START
+- name: Download Nebula archive
+  get_url:
+    url: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ nebula_architectures[ansible_facts.architecture] }}.tar.gz"
+    dest: "/tmp/nebula-{{ nebula_version }}.tar.gz"
+    mode: '0644'
+  when: (installed_nebula_version | default(nebula_version) != nebula_version) or (not installed_nebula_stats.stat.exists)
+
+- name: Extract Nebula
   unarchive:
-    src: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ nebula_architectures[ansible_facts.architecture] }}.tar.gz"
+    src: "/tmp/nebula-{{ nebula_version }}.tar.gz"
     dest: "/opt/nebula"
     remote_src: yes
-  when: (installed_nebula_version|default(nebula_version) != nebula_version) or (not installed_nebula_stats.stat.exists)
+  when: (installed_nebula_version | default(nebula_version) != nebula_version) or (not installed_nebula_stats.stat.exists)
   notify: restart nebula
+# ✅ FIX END
 
 - name: Ensure Nebula binaries permissions are correct
   file:
@@ -37,7 +52,7 @@
     owner: root
     group: root
     mode: '0700'
-  with_items:
+  loop:
     - nebula
     - nebula-cert
 
@@ -53,7 +68,7 @@
     owner: root
     group: root
     mode: '0600'
-  with_items:
+  loop:
     - /opt/nebula/ssh_host_ed25519_key
     - /opt/nebula/ssh_host_ed25519_key.pub
   when: nebula_sshd_enabled
@@ -77,4 +92,4 @@
   loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
   loop_control:
     loop_var: result
-  when: nebula_sshd_enabled
+  when: nebula_sshd_enabled
\ No newline at end of file
diff --git a/tasks/node.yml b/tasks/node.yml
index a74767c..eee713d 100644
--- a/tasks/node.yml
+++ b/tasks/node.yml
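Review bot: The new `Download Nebula archive` task fetches a tarball that the next task extracts as root into /opt/nebula with no integrity check, and it stages it under a fixed, predictable name in the world-writable /tmp; as far as I recall get_url leaves an existing dest untouched unless `force` or `checksum` is set, so a local user who pre-creates `/tmp/nebula-<version>.tar.gz` gets their archive extracted, chmod'ed 0700 root by the following task, and started by the `restart nebula` handler. Pin a per-version, per-architecture SHA-256 via `checksum:` (upstream releases publish a SHASUM256.txt, I believe, from which a table such as `nebula_sha256` can be filled in the role's vars; with a checksum get_url re-downloads on mismatch), stage the file in a root-only location with `mode: '0600'`, and remove it after extraction. The identical `when` expression is now duplicated across both tasks — evaluating it once into a fact (e.g. `nebula_needs_install`) keeps them from drifting — and the `# ✅ FIX START`/`# ✅ FIX END` markers are working notes rather than documentation and should be dropped. The task list continues outside the hunk on both sides.
```yaml
- name: Download Nebula archive
  get_url:
    # … unchanged: url …
    dest: "/root/nebula-{{ nebula_version }}.tar.gz"
    checksum: "sha256:{{ nebula_sha256[nebula_version][nebula_architectures[ansible_facts.architecture]] }}"
    mode: '0600'
  # … unchanged: when …

- name: Extract Nebula
  unarchive:
    src: "/root/nebula-{{ nebula_version }}.tar.gz"
    # … unchanged: dest, remote_src, when, notify …

- name: Remove downloaded Nebula archive
  file:
    path: "/root/nebula-{{ nebula_version }}.tar.gz"
    state: absent
  # … same when guard as the download task …
```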
@@ -57,7 +57,7 @@
   delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
   when: nebula_lighthouse_build_hosts_file
 
-- name: Ensure all lighthouses have hosts file entry for node
+- name: Ensure all secondary lighthouses have hosts file entry for node
   lineinfile:
     path: /etc/hosts
     line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
diff --git a/templates/nebula-check.sh.j2 b/templates/nebula-check.sh.j2
index 092ca93..6d34016 100644
--- a/templates/nebula-check.sh.j2
+++ b/templates/nebula-check.sh.j2
@@ -4,4 +4,4 @@ test="$(ping -q -w10 -W2 {{ _nebula_lighthouses_computed[0].internal_ip }} 2>/de
 if [ "$test" == "100" ]; then
   logger -s -p user.emerg '!!! Unable to reach Nebula server. Bouncing tunnel neb0... !!!'
   systemctl restart nebula.service
-fi
\ No newline at end of file
+fi