diff --git a/ansible/playbooks/ringtail.yml b/ansible/playbooks/ringtail.yml
index 74c4f54..b05d67a 100644
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
@@ -100,7 +100,8 @@
 --from-literal=1password-credentials.json='{{ _op_credentials.stdout }}' \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_credentials_apply
+ changed_when: "'configured' in _op_credentials_apply.stdout or 'created' in _op_credentials_apply.stdout"
 no_log: true
 - name: Create or update onepassword-token secret
@@ -112,5 +113,6 @@
 --from-literal=token={{ _op_token.stdout }} \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_token_apply
+ changed_when: "'configured' in _op_token_apply.stdout or 'created' in _op_token_apply.stdout"
 no_log: true
diff --git a/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
new file mode 100644
index 0000000..6269f2d
--- /dev/null
+++ b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
@@ -0,0 +1 @@
+Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.
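Review bot: The new `register: _op_credentials_apply` (and `register: _op_token_apply` in the second hunk) keeps the whole task result, and for the shell module that result includes the rendered `cmd` string, which here carries the secret passed through `--from-literal=`. `no_log: true` hides this task's own output but does not censor the registered variable if a later task prints or templates it, so each secret now sits in one more host variable for the rest of the play. Since `changed_when` only needs stdout, consider keeping the secret out of argv altogether, for example `--from-file=token=/dev/stdin` with the module's `stdin: "{{ _op_token.stdout }}"` and `stdin_add_newline: false`; that would also remove the unquoted `{{ _op_token.stdout }}` from the shell line in the second hunk. Both tasks begin above the visible hunk lines, so confirm how the full command is built before changing it.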