diff --git a/collections/requirements.yml b/collections/requirements.yml
index 483ed156a..05ea9b2d5 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -1,4 +1,8 @@
 ---
 collections:
+  # community.docker >= 3.6.0 is required for:
+  # - community.docker.docker_image_pull module (pull-only operations)
+  # - community.docker.docker_image_build module (build with BuildKit support)
   - name: community.general
   - name: community.docker
+    version: ">=3.6.0"
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
index 6cc6fa9b7..d2f1ce31e 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -22,7 +22,6 @@ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
 matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "the-draupnir-project/draupnir"
-matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"
 
 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"
 matrix_appservice_draupnir_for_all_config_path: "{{ matrix_appservice_draupnir_for_all_base_path }}/config"
@@ -47,6 +46,15 @@ matrix_appservice_draupnir_for_all_systemd_required_services_list_custom: []
 # List of systemd services that matrix-bot-draupnir.service wants
 matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 
+# Force restart tag is used to control if the tag that is used is rolling or not.
+# When both Draupnir roles are enabled, we only force restart if they are on the same
+# version string and that version string matches the moving tag.
+matrix_appservice_draupnir_for_all_force_restart_tag: "latest"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is the moving tag.
+matrix_appservice_draupnir_for_all_force_restart: "if {{ matrix_bot_draupnir_enabled | bool and matrix_appservice_draupnir_for_all_enabled | bool and matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and matrix_appservice_draupnir_for_all_version == matrix_appservice_draupnir_for_all_force_restart_tag }} then true else false end"
+
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
index 21a1e6f4e..ba01a0b81 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
@@ -26,11 +26,9 @@
   when: "item.when | bool"
 
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
     name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_draupnir_for_all_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_draupnir_for_all_container_image_force_pull }}"
+    pull: always
   when: "not matrix_appservice_draupnir_for_all_container_image_self_build | bool"
   register: matrix_appservice_draupnir_for_all_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -49,15 +47,16 @@
   when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
 
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # docker_image_build automatically rebuilds when the Dockerfile or build context changes.
+  # The git_pull_results will show if the source was updated above.
+  community.docker.docker_image_build:
     name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: build
-    force_source: "{{ matrix_appservice_draupnir_for_all_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
-      pull: true
-  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
+    dockerfile: Dockerfile
+    path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
+    pull: true
+  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool and matrix_appservice_draupnir_for_all_git_pull_results.changed"
+  register: matrix_appservice_draupnir_for_all_container_image_build_result
 
 - name: Ensure matrix-appservice-draupnir-for-all appservice config installed
   ansible.builtin.copy:
@@ -120,7 +119,8 @@
         or matrix_appservice_draupnir_for_all_registration_config_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_systemd_service_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_container_image_pull_result.changed | default(false)
-        or matrix_appservice_draupnir_for_all_container_image_force_pull | bool
+        or matrix_appservice_draupnir_for_all_container_image_build_result.changed | default(false)
+        or matrix_appservice_draupnir_for_all_force_restart | bool
       }}
 
 - name: Ensure matrix-appservice-draupnir-for-all.service restarted, if necessary
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
index 5b41a4a75..40a8fca54 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
@@ -23,6 +23,7 @@
     - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream'}
     - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream_default', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default'}
     - {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
+    - {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed>'}
 
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail:
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 77e9a9273..a52ca7b55 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -22,13 +22,21 @@ matrix_bot_draupnir_container_image_registry_namespace_identifier: "the-draupnir
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_draupnir_container_image_force_pull: "{{ matrix_bot_draupnir_container_image.endswith(':latest') }}"
 
 matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
 matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_container_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
 
+# Force restart tag is used to control if the tag that is used is rolling or not.
+# When both Draupnir roles are enabled, we only force restart if they are on the same
+# version string and that version string matches the moving tag.
+matrix_bot_draupnir_force_restart_tag: "latest"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is the moving tag.
+matrix_bot_draupnir_force_restart: "if {{ matrix_bot_draupnir_enabled | bool and matrix_appservice_draupnir_for_all_enabled | bool and matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and matrix_bot_draupnir_version == matrix_bot_draupnir_force_restart_tag }} then true else false end"
+
 matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting or matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"  # noqa var-naming
 
 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
index 3936521ae..8ddb58af5 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
@@ -38,11 +38,9 @@
   register: matrix_bot_draupnir_support_files_result
 
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
     name: "{{ matrix_bot_draupnir_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_draupnir_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_container_image_force_pull }}"
+    pull: always
   when: "not matrix_bot_draupnir_container_image_self_build | bool"
   register: matrix_bot_draupnir_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -61,15 +59,16 @@
   when: "matrix_bot_draupnir_container_image_self_build | bool"
 
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # docker_image_build automatically rebuilds when the Dockerfile or build context changes.
+  # The git_pull_results will show if the source was updated above.
+  community.docker.docker_image_build:
     name: "{{ matrix_bot_draupnir_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_bot_draupnir_container_src_files_path }}"
-      pull: true
-  when: "matrix_bot_draupnir_container_image_self_build | bool"
+    dockerfile: Dockerfile
+    path: "{{ matrix_bot_draupnir_container_src_files_path }}"
+    pull: true
+  when: "matrix_bot_draupnir_container_image_self_build | bool and matrix_bot_draupnir_git_pull_results.changed"
+  register: matrix_bot_draupnir_container_image_build_result
 
 - name: Ensure matrix-bot-draupnir config installed
   ansible.builtin.copy:
@@ -113,7 +112,8 @@
         or matrix_bot_draupnir_config_result.changed | default(false)
         or matrix_bot_draupnir_systemd_service_result.changed | default(false)
         or matrix_bot_draupnir_container_image_pull_result.changed | default(false)
-        or matrix_bot_draupnir_container_image_force_pull | bool
+        or matrix_bot_draupnir_container_image_build_result.changed | default(false)
+        or matrix_bot_draupnir_force_restart | bool
       }}
 
 - name: Ensure matrix-bot-draupnir.service restarted, if necessary
diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
index 624cc2cdb..3fbc6a9c3 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@@ -37,6 +37,7 @@
     - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream'}
     - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream_default'}
     - {'old': 'matrix_bot_draupnir_docker_src_files_path', 'new': 'matrix_bot_draupnir_container_src_files_path'}
+    - {'old': 'matrix_bot_draupnir_container_image_force_pull', 'new': '<removed>'}
 
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail: