diff --git a/installer/inventory b/installer/inventory
index e8609a9b9c..daa6ba6b7d 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -119,6 +119,11 @@ create_preload_data=True
 # your credentials
 secret_key=awxsecret
 
+# By default a broadcast websocket secret will be generated.
+# If you would like to *rerun the playbook*, you need to set a unique password.
+# Otherwise it would generate a new one every playbook run.
+# broadcast_websocket_secret=
+
 # Build AWX with official logos
 # Requires cloning awx-logos repo as a sibling of this project.
 # Review the trademark guidelines at https://github.com/ansible/awx-logos/blob/master/TRADEMARKS.md
diff --git a/installer/roles/kubernetes/tasks/main.yml b/installer/roles/kubernetes/tasks/main.yml
index bb4065f211..6a9d9a2deb 100644
--- a/installer/roles/kubernetes/tasks/main.yml
+++ b/installer/roles/kubernetes/tasks/main.yml
@@ -4,6 +4,7 @@
     broadcast_websocket_secret: "{{ lookup('password', '/dev/null', length=128) }}"
   run_once: true
   no_log: true
+  when: broadcast_websocket_secret is not defined
 
 - fail:
     msg: "Only set one of kubernetes_context or openshift_host"
diff --git a/installer/roles/local_docker/tasks/compose.yml b/installer/roles/local_docker/tasks/compose.yml
index 120b81cc1a..9a95ddabc3 100644
--- a/installer/roles/local_docker/tasks/compose.yml
+++ b/installer/roles/local_docker/tasks/compose.yml
@@ -12,22 +12,22 @@
 
 - name: Create Docker Compose Configuration
   template:
-    src: "{{ item }}.j2"
-    dest: "{{ docker_compose_dir }}/{{ item }}"
-    mode: 0600
-  with_items:
-    - environment.sh
-    - credentials.py
-    - docker-compose.yml
-    - nginx.conf
-    - redis.conf
+    src: "{{ item.file }}.j2"
+    dest: "{{ docker_compose_dir }}/{{ item.file }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - file: environment.sh
+      mode: "0600"
+    - file: credentials.py
+      mode: "0600"
+    - file: docker-compose.yml
+      mode: "0600"
+    - file: nginx.conf
+      mode: "0600"
+    - file: redis.conf
+      mode: "0664"
   register: awx_compose_config
 
-- name: Set redis config to other group readable to satisfy redis-server
-  file:
-    path: "{{ docker_compose_dir }}/redis.conf"
-    mode: 0666
-
 - name: Render SECRET_KEY file
   copy:
     content: "{{ secret_key }}"
diff --git a/installer/roles/local_docker/tasks/main.yml b/installer/roles/local_docker/tasks/main.yml
index ad87f16fb4..aab1260a36 100644
--- a/installer/roles/local_docker/tasks/main.yml
+++ b/installer/roles/local_docker/tasks/main.yml
@@ -4,6 +4,7 @@
     broadcast_websocket_secret: "{{ lookup('password', '/dev/null', length=128) }}"
   run_once: true
   no_log: true
+  when: broadcast_websocket_secret is not defined
 
 - import_tasks: upgrade_postgres.yml
   when: