diff --git a/handlers/main.yml b/handlers/main.yml
index 65af478..5ba4a49 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,3 +14,62 @@
 - name: Reload systemd
   ansible.builtin.systemd_service:
     daemon_reexec: true
+
+- name: patch legacy proxmoxlib.js
+  block:
+    - name: Patch legacy proxmoxlib.js
+      ansible.builtin.replace:
+        path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+        regexp: "if \\(data.status !== 'Active'\\)"
+        replace: "if (false)"
+      register: patch_legacy
+      failed_when: patch_legacy.matched == 0
+      notify: Restart pveproxy
+
+    - name: Re-stat proxmoxlib.js
+      ansible.builtin.stat:
+        path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+        checksum_algorithm: sha256
+      register: proxmoxlib_js_after
+
+    - name: Store patched checksum (legacy)
+      ansible.builtin.copy:
+        dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+        owner: root
+        group: root
+        mode: "0644"
+        content: "{{ proxmoxlib_js_after.stat.checksum }}\n"
+
+    - name: Restart pveproxy
+      systemd:
+        name: pveproxy
+        state: restarted
+
+- name: patch minified proxmoxlib.js
+  block:
+    - name: Patch minified proxmoxlib.min.js
+      ansible.builtin.replace:
+        path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
+        regexp: "data.status!=='Active'"
+        replace: "false"
+      register: patch_minified
+      failed_when: patch_minified.matched == 0
+
+    - name: Re-stat proxmoxlib.min.js
+      ansible.builtin.stat:
+        path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
+        checksum_algorithm: sha256
+      register: proxmoxlib_min_after
+
+    - name: Store patched checksum (minified)
+      ansible.builtin.copy:
+        dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
+        owner: root
+        group: root
+        mode: "0644"
+        content: "{{ proxmoxlib_min_after.stat.checksum }}\n"
+
+    - name: Restart pveproxy
+      systemd:
+        name: pveproxy
+        state: restarted
diff --git a/tasks/subscription.yml b/tasks/subscription.yml
index 4f19557..9f061d3 100644
--- a/tasks/subscription.yml
+++ b/tasks/subscription.yml
@@ -10,12 +10,6 @@
 ############################
 # Legacy proxmoxlib.js
 ############################
-- name: subscription | Read stored checksum (legacy)
-  ansible.builtin.slurp:
-    src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
-  register: proxmoxlib_js_checksum_stored
-  when: proxmoxlib_js.stat.exists
-  failed_when: false
 
 - name: subscription | Check for legacy proxmoxlib.js
   ansible.builtin.stat:
@@ -23,39 +17,21 @@
     checksum_algorithm: sha256
   register: proxmoxlib_js
 
-- name: subscription | Remove subscription nag (legacy proxmoxlib.js)
-  ansible.builtin.replace:
-    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
-    regexp: "if \\(data.status !== 'Active'\\)"
-    replace: "if (false)"
+- name: subscription | Read stored checksum (legacy)
+  ansible.builtin.slurp:
+    src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
+  register: proxmoxlib_js_checksum_stored
+  when: proxmoxlib_js.stat.exists
+  failed_when: false
+
+- name: Trigger legacy nag patch if needed
+  meta: flush_handlers
   when:
     - proxmoxlib_js.stat.exists
     - proxmoxlib_js_checksum_stored.content is not defined
-      or (proxmoxlib_js.stat.checksum
-        != (proxmoxlib_js_checksum_stored.content | b64decode | trim))
-  register: patch_legacy
-  failed_when:
-    - proxmoxlib_js.stat.exists
-    - patch_legacy.matched == 0
-  notify: restart pveproxy
-
-- name: subscription | Read checksum after patch (legacy proxmoxlib.js)
-  ansible.builtin.stat:
-    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
-    checksum_algorithm: sha256
-  register: proxmoxlib_js_after
-  when: patch_legacy is changed
-
-- name: subscription | Store patched checksum (legacy)
-  ansible.builtin.copy:
-    dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
-    owner: root
-    group: root
-    mode: "0644"
-    content: "{{ proxmoxlib_js_after.stat.checksum }}\n"
-  when:
-    - proxmoxlib_js.stat.exists
-    - patch_legacy is changed
+      or proxmoxlib_js.stat.checksum
+         != (proxmoxlib_js_checksum_stored.content | b64decode | trim)
+  notify: patch legacy proxmoxlib.js
 
 ############################
 # Minified proxmoxlib.min.js (VE 8/9)
@@ -74,36 +50,11 @@
   when: proxmoxlib_min_js.stat.exists
   failed_when: false
 
-- name: subscription | Remove subscription nag (minified bundle for VE 8/9)
-  ansible.builtin.replace:
-    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
-    regexp: "data.status!=='Active'"
-    replace: "false"
+- name: Trigger minified nag patch if needed
+  meta: flush_handlers
   when:
     - proxmoxlib_min_js.stat.exists
     - proxmoxlib_min_checksum_stored.content is not defined
-      or (proxmoxlib_min_js.stat.checksum
-        != (proxmoxlib_min_checksum_stored.content | b64decode | trim))
-  register: patch_minified
-  failed_when:
-    - proxmoxlib_min_js.stat.exists
-    - patch_minified.matched == 0
-  notify: restart pveproxy
-
-- name: subscription | Re-stat proxmoxlib.min.js after patch
-  ansible.builtin.stat:
-    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
-    checksum_algorithm: sha256
-  register: proxmoxlib_min_js_after
-  when: patch_legacy is changed
-
-- name: subscription | Store patched checksum (minified)
-  ansible.builtin.copy:
-    dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
-    owner: root
-    group: root
-    mode: "0644"
-    content: "{{ proxmoxlib_min_js.stat.checksum }}\n"
-  when:
-    - proxmoxlib_min_js_after.stat.exists
-    - patch_minified is changed
+      or proxmoxlib_min_js.stat.checksum
+         != (proxmoxlib_min_checksum_stored.content | b64decode | trim)
+  notify: patch minified proxmoxlib.js