diff --git a/roles/bootstrap/tasks/almalinux.yml b/roles/bootstrap/tasks/almalinux.yml
index 5187f5a..276cda0 100644
--- a/roles/bootstrap/tasks/almalinux.yml
+++ b/roles/bootstrap/tasks/almalinux.yml
@@ -14,7 +14,7 @@ --setopt=install_weak_deps=False groupinstall -y base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - >- - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False + {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ bootstrap_alma_extra }} register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/bootstrap/tasks/debian.yml b/roles/bootstrap/tasks/debian.yml
index 42fa306..8b6f5ff 100644
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -23,7 +23,7 @@ - >- debootstrap --include={{ bootstrap_debian_base }} {{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/ - - "arch-chroot /mnt apt install -y {{ bootstrap_debian_extra }}" - - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data + - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}" + - "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data" register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/bootstrap/tasks/fedora.yml b/roles/bootstrap/tasks/fedora.yml
index f1b132d..8f8a17b 100644
--- a/roles/bootstrap/tasks/fedora.yml
+++ b/roles/bootstrap/tasks/fedora.yml
@@ -15,8 +15,8 @@ groupinstall -y critical-path-base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - >- - arch-chroot /mnt dnf --releasever=43 --setopt=install_weak_deps=False + {{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False install -y {{ bootstrap_fedora_extra }} - - arch-chroot /mnt dnf reinstall -y kernel-core + - "{{ chroot_command }} /mnt dnf reinstall -y kernel-core" register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/bootstrap/tasks/rhel.yml b/roles/bootstrap/tasks/rhel.yml
index 2c0f140..d155808 100644
--- a/roles/bootstrap/tasks/rhel.yml
+++ b/roles/bootstrap/tasks/rhel.yml
@@ -34,12 +34,7 @@ state: mounted - name: Rebuild RPM database inside chroot - ansible.builtin.command: - argv: - - arch-chroot - - /mnt - - rpm - - --rebuilddb + ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb" register: bootstrap_rpm_rebuild_result changed_when: bootstrap_rpm_rebuild_result.rc == 0
@@ -60,7 +55,7 @@ | join(' ') }} ansible.builtin.command: >- - arch-chroot /mnt dnf --releasever={{ bootstrap_rhel_release }} + {{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }} --setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }} register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/bootstrap/tasks/rocky.yml b/roles/bootstrap/tasks/rocky.yml
index 453b556..3f2a288 100644
--- a/roles/bootstrap/tasks/rocky.yml
+++ b/roles/bootstrap/tasks/rocky.yml
@@ -15,7 +15,7 @@ groupinstall -y base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - >- - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False + {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ bootstrap_rocky_extra }} register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/bootstrap/tasks/ubuntu.yml b/roles/bootstrap/tasks/ubuntu.yml
index 4b6913a..41f3553 100644
--- a/roles/bootstrap/tasks/ubuntu.yml
+++ b/roles/bootstrap/tasks/ubuntu.yml
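Review bot: Dropping the `argv:` list for a templated string in the "Rebuild RPM database inside chroot" task means `ansible.builtin.command` now shlex-splits the rendered text, so a `chroot_command` value containing spaces or quotes is re-tokenised rather than passed as the caller wrote it, and the exact-argument-boundary property the list form gave is lost. If the aim is to let `chroot_command` be a wrapper with options, keep the list and split only the wrapper: `argv: "{{ (chroot_command | split) + ['/mnt', 'rpm', '--rebuilddb'] }}"` (the `split` filter is ansible-core 2.11+; `chroot_command.split()` works on older releases). That keeps the task in the form ansible-lint does not flag as free-form, and it is the same shape the other callers of `chroot_command` could adopt for consistency.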
@@ -20,8 +20,8 @@ debootstrap --include={{ bootstrap_ubuntu_base }} {{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/ - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list - - arch-chroot /mnt apt update - - "arch-chroot /mnt apt install -y {{ bootstrap_ubuntu_extra }}" + - "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list" + - "{{ chroot_command }} /mnt apt update" + - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}" register: bootstrap_result changed_when: bootstrap_result.rc == 0
diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index f12a627..bf546e5 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,12 +1,12 @@ --- - name: Configure System Cryptography Policy when: os in ["almalinux", "rhel9", "rhel10", "rocky"] - ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1 + ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1" register: cis_crypto_policy_result changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout" - name: Mask Systemd Services ansible.builtin.command: > - arch-chroot /mnt systemctl mask nftables bluetooth rpcbind + {{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind register: cis_mask_services_result changed_when: cis_mask_services_result.rc == 0
diff --git a/roles/configuration/tasks/bootloader.yml b/roles/configuration/tasks/bootloader.yml
index 2593900..6c9f7b2 100644
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -18,7 +18,7 @@ --bootloader-id={{ configuration_bootloader_id }} configuration_bootloader_cmd: >- {{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }} - ansible.builtin.command: "arch-chroot /mnt {{ configuration_bootloader_cmd }}" + ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}" register: configuration_bootloader_result changed_when: configuration_bootloader_result.rc == 0
@@ -43,7 +43,7 @@ else '/usr/bin/dracut --regenerate-all --force' ) }} - ansible.builtin.command: "arch-chroot /mnt {{ configuration_initramfs_cmd }}" + ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}" register: configuration_initramfs_result changed_when: configuration_initramfs_result.rc == 0
@@ -59,6 +59,6 @@ if is_rhel | bool else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg' }} - ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}" + ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}" register: configuration_grub_result changed_when: configuration_grub_result.rc == 0
diff --git a/roles/configuration/tasks/encryption/tpm2.yml b/roles/configuration/tasks/encryption/tpm2.yml
index 28668a8..0d4a873 100644
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -35,9 +35,9 @@ if configuration_luks_tpm2_pcrs_effective | length > 0 else []) + [configuration_luks_device] }} - configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}" - ansible.builtin.command: - argv: "{{ configuration_luks_enroll_chroot_args }}" + configuration_luks_enroll_chroot_cmd: >- + {{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }} + ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}" register: configuration_luks_tpm2_enroll_chroot changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0 failed_when: false
diff --git a/roles/configuration/tasks/locales.yml b/roles/configuration/tasks/locales.yml
index f1f4245..6b7b501 100644
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -23,7 +23,7 @@ - name: Generate locales when: not is_rhel | bool - ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen + ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen" register: configuration_locale_result changed_when: configuration_locale_result.rc == 0
diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml
index 0c2176e..f57de6f 100644
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -5,7 +5,7 @@ - name: Fix SELinux by pre-labeling the filesystem before first boot when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool ansible.builtin.command: > - arch-chroot /mnt /sbin/setfiles -v -F + {{ chroot_command }} /mnt /sbin/setfiles -v -F -e /dev -e /proc -e /sys -e /run /etc/selinux/targeted/contexts/files/file_contexts / register: configuration_setfiles_result
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml
index a018814..a5fc816 100644
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
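Review bot: Replacing the `argv:` list with `configuration_luks_enroll_args | join(' ')` in the tpm2 enrollment task hands the enrollment arguments to `ansible.builtin.command` as one string that is shlex-split again, so any element containing whitespace or quote characters (for example a device path) no longer reaches the enrollment tool as a single argument, whereas the removed `argv` form preserved element boundaries exactly. Because the same task keeps `failed_when: false`, a mangled invocation does not stop the play and the install can finish with a LUKS volume that has no TPM2 keyslot and nothing in the run to say so. Keep the list form and split only the wrapper: `argv: "{{ (chroot_command | split) + ['/mnt'] + configuration_luks_enroll_args }}"`. Separately, this is now the one caller where `chroot_command` is security-critical: enrollment presumably needs the TPM character device and sysfs visible inside the target, which `arch-chroot` bind-mounts but a bare `chroot` does not, so the defaults should document that contract, or this task should verify a slot was actually added instead of relying on `failed_when: false`; the enclosing task's header is above this hunk.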
@@ -1,7 +1,7 @@ --- - name: Enable Systemd Services ansible.builtin.command: > - arch-chroot /mnt systemctl enable NetworkManager + {{ chroot_command }} /mnt systemctl enable NetworkManager {{ ' firewalld' if firewalld_enabled | bool else '' }} {{ ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
@@ -16,7 +16,7 @@ - name: Disable firewalld when disabled when: not firewalld_enabled | bool - ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld + ansible.builtin.command: "{{ chroot_command }} /mnt systemctl disable --now firewalld" register: configuration_disable_firewalld_result changed_when: configuration_disable_firewalld_result.rc == 0 failed_when: false
diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml
index a05235e..43a87a5 100644
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -4,11 +4,11 @@ configuration_user_group: >- {{ "sudo" if is_debian | bool else "wheel" }} configuration_useradd_cmd: >- - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group + {{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group --groups {{ configuration_user_group }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash configuration_root_cmd: >- - arch-chroot /mnt /usr/sbin/usermod --password + {{ chroot_command }} /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash ansible.builtin.command: "{{ item }}" loop:
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index 18102fe..db582b2 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -7,6 +7,7 @@ vmware_ssh: false firewalld_enabled: true zstd_enabled: true swap_enabled: true +chroot_command: "arch-chroot" cis_enabled: "{{ cis | bool }}"
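Review bot: Both rendered commands in the users.yml hunk carry a password hash on the command line, and the `ansible.builtin.command: "{{ item }}"` task that runs them has no `no_log`, so the complete `useradd`/`usermod` line, hash included, is printed as the loop label and recorded by any callback or log file; add `no_log: true` beside the `loop:` line so the hashes stay out of the run output (the hash is also visible in `ps` on the host while the command runs, which feeding `chpasswd --encrypted` on stdin would avoid). The `useradd` line passes its hash unquoted while the `usermod` line single-quotes it; with `command` there is no shell so both work today, but quoting the first one the same way, `--password '{{ user_password | password_hash('sha512') }}'`, removes the trap if the task is ever switched to `shell`, where an unquoted `$6$…` hash would be word-expanded. The task's `name:` and `vars:` header sit above this hunk.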