diff --git a/tasks/rke2.yml b/tasks/rke2.yml
index ebec8b6..c97cc5a 100644
--- a/tasks/rke2.yml
+++ b/tasks/rke2.yml
@@ -5,7 +5,7 @@ url: "{{ rke2_install_bash_url }}" dest: "{{ rke2_install_script_dir }}/rke2.sh" mode: 0700 - when: (not rke2_airgap_mode) or rke2_airgap_implementation == 'download' + when: not rke2_airgap_mode - name: Copy local RKE2 installation script ansible.builtin.copy:
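Review bot: With `when: not rke2_airgap_mode` the install-script download now skips airgap `download` mode as well, and in the next hunk the script is only fetched in the `rescue` branch, so when the remote artifact download succeeds nothing visible in this diff places `rke2.sh` on the host. Unless a task outside the diff covers that case, keep the download for that mode, `when: (not rke2_airgap_mode) or rke2_airgap_implementation == 'download'`, or add a dedicated script download to the download `block`. The `get_url` task this condition belongs to starts before the hunk.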
@@ -13,45 +13,94 @@ dest: "{{ rke2_install_script_dir }}/rke2.sh" mode: 0700 force: yes - when: rke2_airgap_mode and rke2_airgap_implementation == 'copy' + when: + - rke2_airgap_mode + - rke2_airgap_implementation == 'copy' - name: Create RKE2 artifacts folder ansible.builtin.file: path: "{{ rke2_artifact_path }}" state: directory mode: 0700 - when: rke2_airgap_mode + when: + - rke2_airgap_mode + - rke2_airgap_implementation != 'exists' -- name: Download RKE2 checksum and artifacts - when: rke2_airgap_mode and rke2_airgap_implementation == 'download' +- name: Download RKE2 checksum and artifacts (try to download remotely first - fallback to local download and push) + when: + - rke2_airgap_mode + - rke2_airgap_implementation == 'download' block: - name: Download sha256 checksum file ansible.builtin.get_url: url: "{{ rke2_artifact_url }}/{{ rke2_version }}/sha256sum-{{ rke2_architecture }}.txt" dest: "{{ rke2_artifact_path }}/sha256sum-{{ rke2_architecture }}.txt" force: yes - mode: 0644 + mode: 0640 timeout: 30 - name: Download RKE2 artifacts and compare with checksums ansible.builtin.get_url: url: "{{ rke2_artifact_url }}/{{ rke2_version }}/{{ item }}" dest: "{{ rke2_artifact_path }}/{{ item }}" - mode: 0644 + mode: 0640 checksum: "sha256:{{ rke2_artifact_url }}/{{ rke2_version }}/sha256sum-{{ rke2_architecture }}.txt" timeout: 30 with_items: "{{ rke2_artifact | reject('search', 'sha256sum') | list }}" + rescue: + - name: "Remote downloading failed: Downloading locally and pushing to remote hosts" + ansible.builtin.pause: # Slight delay to make sure you know it's gonna happen and have time to cancel + seconds: 7 + - name: "Create {{ rke2_airgap_copy_sourcepath }}" + delegate_to: localhost + run_once: true + ansible.builtin.file: + path: "{{ rke2_airgap_copy_sourcepath }}" + state: directory + - name: Download RKE2 checksum locally + delegate_to: localhost + run_once: true + register: checksum_file + ansible.builtin.get_url: + url: "{{ rke2_artifact_url }}/{{ 
rke2_version }}/sha256sum-{{ rke2_architecture }}.txt" + dest: "{{ rke2_airgap_copy_sourcepath }}/" + force: yes + mode: 0640 + timeout: 30 + - name: Downloading RKE2 artifacts locally + delegate_to: localhost + run_once: true + ansible.builtin.get_url: + force: yes + url: "{{ item }}" + dest: "{{ rke2_airgap_copy_sourcepath }}/" + with_items: "{{ [rke2_artifact_url+'/'+rke2_version+'/'] | product(rke2_artifact) | map('join') | list + [rke2_install_bash_url] }}" + - name: Copy local RKE2 files to remote hosts + ansible.builtin.copy: + src: "{{ rke2_airgap_copy_sourcepath }}/{{ item }}" + dest: "{{ rke2_artifact_path }}/{{ item }}" + mode: 0640 + with_items: "{{ rke2_artifacts + ['rke2.sh'] }}" + - name: Set RKE2 install script permissions + ansible.builtin.file: + path: "{{ rke2_artifact_path }}/rke2.sh" + mode: 0750 - name: Copy local RKE2 artifacts ansible.builtin.copy: src: "{{ rke2_airgap_copy_sourcepath }}/{{ item }}" dest: "{{ rke2_artifact_path }}/{{ item }}" - mode: 0644 + mode: 0640 force: yes with_items: "{{ rke2_artifact }}" - when: rke2_airgap_mode and rke2_airgap_implementation == 'copy' + when: + - rke2_airgap_mode + - rke2_airgap_implementation == 'copy' - name: Airgap mode - additional images tarballs - when: rke2_airgap_mode and ( rke2_airgap_copy_additional_tarballs | length > 0 ) + when: + - rke2_airgap_mode + - ( rke2_airgap_copy_additional_tarballs | length > 0 ) + - rke2_airgap_implementation != 'exists' block: - name: Create additional images tarballs folder ansible.builtin.file: 
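Review bot: The fallback task `Downloading RKE2 artifacts locally` fetches every artifact without the `checksum:` verification that the remote-download task directly above it applies, so a tampered or truncated download on the controller is pushed to all hosts unverified. Mirroring the remote task — looping over `rke2_artifact | reject('search', 'sha256sum')` with the same `checksum:` and fetching the install script in its own task — keeps the two paths equivalent; a sketch follows. Separately, `with_items: "{{ rke2_artifacts + ['rke2.sh'] }}"` in the copy task looks like a typo for `rke2_artifact`, which every other loop in the file uses, and the pushed script lands under `rke2_artifact_path` while the later run task executes `{{ rke2_install_script_dir }}/rke2.sh`, so unless those two variables default to the same directory the rescued script is never the one run. The octal modes changed here (`mode: 0640`, and the `0700`/`0750`/`0755` values in the later hunks) should be quoted, `mode: "0640"`, so the YAML loader does not hand Ansible an integer.
```yaml
- name: Downloading RKE2 artifacts locally
  delegate_to: localhost
  run_once: true
  ansible.builtin.get_url:
    force: yes
    url: "{{ rke2_artifact_url }}/{{ rke2_version }}/{{ item }}"
    dest: "{{ rke2_airgap_copy_sourcepath }}/{{ item }}"
    # same integrity check as the remote-download task above
    checksum: "sha256:{{ rke2_artifact_url }}/{{ rke2_version }}/sha256sum-{{ rke2_architecture }}.txt"
    timeout: 30
  with_items: "{{ rke2_artifact | reject('search', 'sha256sum') | list }}"
- name: Download RKE2 install script locally
  delegate_to: localhost
  run_once: true
  ansible.builtin.get_url:
    force: yes
    url: "{{ rke2_install_bash_url }}"
    dest: "{{ rke2_airgap_copy_sourcepath }}/rke2.sh"
    mode: "0750"
    timeout: 30
# … unchanged: copy of local files to remote hosts, install script permissions …
```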
@@ -62,10 +111,45 @@ ansible.builtin.copy: src: "{{ rke2_airgap_copy_sourcepath }}/{{ item }}" dest: "{{ rke2_tarball_images_path }}/{{ item }}" - mode: 0644 + mode: 0640 force: yes with_items: "{{ rke2_airgap_copy_additional_tarballs }}" +- name: Airgap mode - ensure artifacts exist and have acceptable permissions # only modifies permissions if they are overprivileged + when: + - rke2_airgap_mode + - rke2_airgap_implementation == 'exists' + block: + - name: Register artifacts + ansible.builtin.stat: + path: "{{ rke2_artifact_path }}/{{ item }}" + with_items: "{{ rke2_artifact }}" + register: artifacts + - name: Register install script + ansible.builtin.stat: + path: "{{ rke2_install_script_dir }}/rke2.sh" + register: install_script + - name: Register artifact facts + ansible.builtin.set_fact: + artifacts_writeable: "{{ artifacts.values() | map(attribute='writeable') | list | bool }}" + - name: Make the artifacts read-only + ansible.builtin.file: + path: "{{ rke2_artifact_path }}/{{ item }}" + mode: 0640 + with_items: "{{ rke2_artifact }}" + when: artifacts_writeable + - name: Make the install script executable. + ansible.builtin.file: + path: "{{ rke2_install_script_dir }}/rke2.sh" + mode: 0700 + when: + - install_script.stat.writeable + - not install_script.stat.executable + - name: Install script must be executable + ansible.builtin.fail: + msg: "The install script at {{ rke2_install_script_dir }}/rke2.sh must be executable." + when: not install_script.stat.executable + - name: Populate service facts ansible.builtin.service_facts: 
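Review bot: `artifacts_writeable: "{{ artifacts.values() | map(attribute='writeable') | list | bool }}"` does not evaluate the stat results: a registered loop result keeps the per-item results under `artifacts.results`, each with a `stat` sub-dict, and piping a list through `bool` does not aggregate it. Something like `artifacts_writeable: "{{ artifacts.results | map(attribute='stat.writeable') | select | list | length > 0 }}"` expresses the intended "any artifact is writeable" check. Note that `writeable` reports whether the connecting user can write, not whether the group/other bits are wider than `0640`, so it may not match the "overprivileged" intent in the block comment; comparing `item.stat.mode` would. Also, if `rke2.sh` is missing, `install_script.stat.executable` is undefined and the last two tasks error out instead of failing with the message, so guard them with `install_script.stat.exists` (or add `not install_script.stat.exists` to the fail condition).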
@@ -119,26 +203,28 @@ vars: versions: "{{ versions_check.stdout | from_json }}" -- name: Run AirGap RKE2 script - ansible.builtin.command: - cmd: "{{ rke2_install_script_dir }}/rke2.sh" - environment: - INSTALL_RKE2_ARTIFACT_PATH: "{{ rke2_artifact_path }}" - INSTALL_RKE2_AGENT_IMAGES_DIR: "{{ rke2_data_path }}/agent/images" - changed_when: false - when: not ansible_check_mode and rke2_version != installed_version and rke2_airgap_mode - -- name: Run RKE2 script - ansible.builtin.command: - cmd: "{{ rke2_install_script_dir }}/rke2.sh" - environment: - INSTALL_RKE2_VERSION: "{{ rke2_version }}" - INSTALL_RKE2_CHANNEL_URL: "{{ rke2_channel_url }}" - INSTALL_RKE2_CHANNEL: "{{ rke2_channel }}" - INSTALL_RKE2_METHOD: "{{ rke2_method }}" - INSTALL_RKE2_TYPE: "{{ rke2_type }}" - changed_when: false - when: not ansible_check_mode and rke2_version != installed_version and not rke2_airgap_mode +- name: Run RKE2 install script + when: rke2_version != installed_version + block: + - name: Run the script with airgap variables + ansible.builtin.command: + cmd: "{{ rke2_install_script_dir }}/rke2.sh" + environment: + INSTALL_RKE2_ARTIFACT_PATH: "{{ rke2_artifact_path }}" + INSTALL_RKE2_AGENT_IMAGES_DIR: "{{ rke2_data_path }}/agent/images" + INSTALL_RKE2_METHOD: "{{ rke2_method }}" + changed_when: false + when: rke2_airgap_mode + - name: Run RKE2 script without airgap variables + ansible.builtin.command: + cmd: "{{ rke2_install_script_dir }}/rke2.sh" + environment: + INSTALL_RKE2_VERSION: "{{ rke2_version }}" + INSTALL_RKE2_CHANNEL_URL: "{{ rke2_channel_url }}" + INSTALL_RKE2_CHANNEL: "{{ rke2_channel }}" + INSTALL_RKE2_METHOD: "{{ rke2_method }}" + changed_when: false + when: not ansible_check_mode and not rke2_airgap_mode - name: Copy Custom Manifests ansible.builtin.template: 
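Review bot: The rewritten non-airgap environment drops `INSTALL_RKE2_TYPE: "{{ rke2_type }}"` that the removed task passed, with no explanation in the hunk; if the install script uses that variable to choose the server or agent unit, every non-airgap install now gets the script's default. Restoring the line, `INSTALL_RKE2_TYPE: "{{ rke2_type }}"`, keeps the behaviour of the replaced task (the airgap variant never passed it). The two branches are also inconsistent on check mode — the airgap task's `when: rke2_airgap_mode` lost the `not ansible_check_mode` guard the sibling keeps; either both need it or neither (a plain `command` task is skipped in check mode as a rule). Finally `changed_when: false` on a task that only runs when `rke2_version != installed_version` hides a real install from the play recap; `changed_when: true` or dropping the key is more honest.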
@@ -150,15 +236,34 @@ with_items: "{{ rke2_custom_manifests }}" when: rke2_custom_manifests -- name: Copy Static Pods - ansible.builtin.copy: - src: "{{ item }}" - dest: "{{ rke2_data_path }}/agent/pod-manifests/" - owner: root - group: root - mode: 0644 - with_items: "{{ rke2_static_pods }}" - when: rke2_static_pods +- name: Create /server/manifests directory + when: rke2_custom_manifests or rke2_static_pods + block: + - name: Create directory + ansible.builtin.file: + path: "{{ rke2_data_path }}/server/manifests" + state: directory + mode: 0755 + - name: Copy Custom Manifests + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ rke2_data_path }}/server/manifests/{{ item | basename | regex_replace('\\.j2$', '') }}" + owner: root + group: root + mode: 0644 + with_fileglob: "{{ rke2_custom_manifests }}/*" + when: + - rke2_custom_manifests + - inventory_hostname == groups[rke2_servers_group_name].0 + - name: Copy Static Pods + ansible.builtin.copy: + src: "{{ item }}" + dest: "{{ rke2_data_path }}/agent/pod-manifests/{{ item | basename | regex_replace('\\.j2$', '') }}" + owner: root + group: root + mode: 0644 + with_fileglob: "{{ rke2_static_pods }}/*" + when: rke2_static_pods - name: Copy RKE2 environment file ansible.builtin.template:
@@ -167,4 +272,6 @@ owner: root group: root mode: 0644 - when: rke2_environment_options is defined and rke2_environment_options|length > 0 + when: + - rke2_environment_options is defined + - rke2_environment_options|length > 0
diff --git a/tasks/summary.yml b/tasks/summary.yml
index 88dc321..d482190 100644
--- a/tasks/summary.yml
+++ b/tasks/summary.yml
@@ -19,6 +19,7 @@ become: false when: - not ansible_check_mode + - not rke2_airgap_mode - rke2_download_kubeconf | bool - name: Summary
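Review bot: The new `Copy Custom Manifests` task inside the `Create /server/manifests directory` block duplicates the task that still precedes it (its tail, `with_items: "{{ rke2_custom_manifests }}"` / `when: rke2_custom_manifests`, is the hunk's leading context), and the two read `rke2_custom_manifests` differently — a list of files for `with_items`, a directory for `with_fileglob` — so one of them fails or templates the wrong thing on every run that enables the option. Remove the older task (its head is outside the hunk) or merge the two, and document the expected shape of `rke2_custom_manifests` and `rke2_static_pods` next to their defaults. The block name and its directory task cover only `server/manifests`, while the static-pods task writes under `agent/pod-manifests`; if that directory is not guaranteed to exist before this point, create it in the same block.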
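Review bot: Adding `- not rke2_airgap_mode` silently turns `rke2_download_kubeconf` into a no-op on airgapped installs, and nothing at the task explains why an airgap install would not hand back its kubeconfig (the fetch runs from the host to the controller, so it does not obviously depend on the download path). If this is intentional, put the reason in a comment above the condition, e.g. `# airgap: kubeconfig is not fetched because <reason>`; if it is a guard against a failure seen in airgap mode, that failure is better fixed in the fetch task itself. The task this `when` belongs to starts before the hunk.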