diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index b596b85f..c8ea52c7 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -36,6 +36,7 @@ matrix_host_command_docker: "/usr/bin/env docker"
 matrix_host_command_sleep: "/usr/bin/env sleep"
 matrix_host_command_chown: "/usr/bin/env chown"
 matrix_host_command_fusermount: "/usr/bin/env fusermount"
+matrix_host_command_openssl: "/usr/bin/env openssl"
 
 matrix_ntpd_package: "ntp"
 matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
index d736fa7c..3678b35b 100644
--- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
@@ -60,7 +60,7 @@
 # We intentionally suppress Ansible changes.
 - name: Generate AppService Discord invite link
   shell: >-
-    /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
+    {{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord-link-gen
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
     --cap-drop=ALL
     -v {{ matrix_appservice_discord_config_path }}:/cfg
diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
index 7206d25e..5e313347 100644
--- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
@@ -58,7 +58,7 @@
   register: irc_passkey_file
 
 - name: Generate Appservice IRC passkey if it doesn't exist
-  shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
+  shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
   become: true
   become_user: "{{ matrix_user_username }}"
   when: "not irc_passkey_file.stat.exists"
@@ -93,7 +93,7 @@
 # to produce a final registration.yaml file, as we desire.
 - name: Generate Appservice IRC registration-template.yaml
   shell: >-
-    /usr/bin/docker run --rm --name matrix-appservice-irc-gen
+    {{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc-gen
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
     --cap-drop=ALL
     -v {{ matrix_appservice_irc_config_path }}:/config:z
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
index 19500b15..e80b655d 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@@ -16,7 +16,7 @@
 # We suppress the error, as we'll try another method below.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
   shell: >-
-    /usr/bin/docker run
+    {{ matrix_host_command_docker }} run
     --rm
     --name=matrix-certbot
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
@@ -43,7 +43,7 @@
 # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
   shell: >-
-    /usr/bin/docker run
+    {{ matrix_host_command_docker }} run
     --rm
     --name=matrix-certbot
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml
index ba237d6a..e58711f1 100644
--- a/roles/matrix-postgres/tasks/import_postgres.yml
+++ b/roles/matrix-postgres/tasks/import_postgres.yml
@@ -63,7 +63,7 @@
 - name: Generate Postgres database import command
   set_fact:
     matrix_postgres_import_command: >-
-      /usr/bin/docker run --rm --name matrix-postgres-import
+      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
       --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
       --cap-drop=ALL
       --network={{ matrix_docker_network }}
diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml
index 41484d79..d7f283be 100644
--- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml
+++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml
@@ -66,7 +66,7 @@
 - name: Generate Postgres database synapse-janitor command
   set_fact:
     matrix_postgres_synapse_janitor_command: >-
-      /usr/bin/docker run --rm --name matrix-postgres-synapse-janitor
+      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-janitor
       --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
       --cap-drop=ALL
       --network={{ matrix_docker_network }}
diff --git a/roles/matrix-postgres/tasks/run_vacuum.yml b/roles/matrix-postgres/tasks/run_vacuum.yml
index 3c3292ff..19a27562 100644
--- a/roles/matrix-postgres/tasks/run_vacuum.yml
+++ b/roles/matrix-postgres/tasks/run_vacuum.yml
@@ -45,7 +45,7 @@
 - name: Generate Postgres database vacuum command
   set_fact:
     matrix_postgres_vacuum_command: >-
-      /usr/bin/docker run --rm --name matrix-postgres-synapse-vacuum
+      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum
       --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
       --cap-drop=ALL
       --network={{ matrix_docker_network }}
diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml
index 8a3886b3..73263695 100644
--- a/roles/matrix-postgres/tasks/upgrade_postgres.yml
+++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml
@@ -79,7 +79,7 @@
 # we need to remove these from the dump, or we'll get errors saying these already exist.
 - name: Perform Postgres database dump
   command: >-
-    /usr/bin/docker run --rm --name matrix-postgres-dump
+    {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
     --network={{ matrix_docker_network }}
     --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
@@ -123,7 +123,7 @@
 - name: Generate Postgres database import command
   set_fact:
     matrix_postgres_import_command: >-
-      /usr/bin/docker run --rm --name matrix-postgres-import
+      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
       --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
       --cap-drop=ALL
       --network={{ matrix_docker_network }}
diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml
index 1e86bd49..78136785 100644
--- a/roles/matrix-synapse/tasks/update_user_password.yml
+++ b/roles/matrix-synapse/tasks/update_user_password.yml
@@ -36,7 +36,7 @@
   when: "start_result.changed or postgres_start_result.changed"
 
 - name: Generate password hash
-  shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
+  shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
   register: password_hash
 
 - name: Update user password hash