diff --git a/reset.yml b/reset.yml index 18846bb95..2cf6efbd9 100644 --- a/reset.yml +++ b/reset.yml @@ -13,3 +13,11 @@ become: true reboot: reboot_timeout: 3600 + +- hosts: proxmox + gather_facts: true + become: yes + remote_user: "{{ proxmox_lxc_ssh_user }}" + roles: + - role: reset_proxmox_lxc + when: proxmox_lxc_configure diff --git a/roles/lxc/handlers/main.yml b/roles/lxc/handlers/main.yml index 1bba5c881..20013cc54 100644 --- a/roles/lxc/handlers/main.yml +++ b/roles/lxc/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: reboot server + become: true reboot: diff --git a/roles/lxc/tasks/main.yml b/roles/lxc/tasks/main.yml index d47200a51..5a792a4fc 100644 --- a/roles/lxc/tasks/main.yml +++ b/roles/lxc/tasks/main.yml @@ -1,7 +1,21 @@ --- -- name: configure rc.local for proxmox lxc containers - copy: - src: "{{ playbook_dir }}/scripts/rc.local" - dest: "/etc/rc.local" +- name: Check for rc.local file + stat: + path: /etc/rc.local + register: rcfile + +- name: Create rc.local if needed + lineinfile: + path: /etc/rc.local + line: "#!/bin/sh -e" + create: true + insertbefore: BOF mode: "u=rwx,g=rx,o=rx" + when: not rcfile.stat.exists + +- name: Write rc.local file + blockinfile: + path: /etc/rc.local + content: "{{ lookup('template', 'templates/rc.local.j2') }}" + state: present notify: reboot server diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index 537839d48..b9cdd6ed8 100644 --- a/roles/reset/tasks/main.yml +++ b/roles/reset/tasks/main.yml 
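Review bot: The new `proxmox` play in reset.yml writes `become: yes` while the play directly above it, and every other task added in this commit, uses `become: true`. Use `become: true` here as well so the file stays consistent and passes yamllint's `truthy` rule. The play also depends on `proxmox_lxc_configure` being defined for every host in the `proxmox` group; `when: proxmox_lxc_configure | default(false)` would keep the reset from failing on inventories that never set it.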
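Review bot: In `Write rc.local file` (roles/lxc/tasks/main.yml), `blockinfile` appends the managed block at the end of the file by default, so on a container whose existing /etc/rc.local ends with `exit 0` the block would land after it and never run. Consider adding `insertbefore: '^exit 0'` to that task; as far as I recall the module falls back to end-of-file when the pattern is absent, but that is worth confirming. The `mode: "u=rwx,g=rx,o=rx"` setting sits only on the create task, which is skipped when the file already exists, so a non-executable rc.local stays non-executable. Setting `mode`, `owner: root` and `group: root` on the `blockinfile` task would pin the permissions of this root-run boot script in both cases.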
@@ -54,3 +54,31 @@ file: path: /tmp/k3s state: absent + +- name: Check if rc.local exists + stat: + path: /etc/rc.local + register: rcfile + +- name: Remove rc.local modifications for proxmox lxc containers + become: true + blockinfile: + path: /etc/rc.local + content: "{{ lookup('template', 'templates/rc.local.j2') }}" + create: false + state: absent + when: proxmox_lxc_configure and rclocal.stat.exists + +- name: Check rc.local for cleanup + become: true + slurp: + src: /etc/rc.local + register: rcslurp + when: proxmox_lxc_configure and rclocal.stat.exists + +- name: Cleanup rc.local if we only have a Shebang line + become: true + file: + path: /etc/rc.local + state: absent + when: proxmox_lxc_configure and rclocal.stat.exists and ((rcslurp.content | b64decode).splitlines() | length) <= 1 diff --git a/roles/reset_proxmox_lxc/handlers/main.yml b/roles/reset_proxmox_lxc/handlers/main.yml new file mode 100644 index 000000000..9b99cb2f5 --- /dev/null +++ b/roles/reset_proxmox_lxc/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reboot containers + command: + "pct reboot {{ item }}" + loop: "{{ proxmox_lxc_filtered_ids }}" diff --git a/roles/reset_proxmox_lxc/tasks/main.yml b/roles/reset_proxmox_lxc/tasks/main.yml new file mode 100644 index 000000000..d9f402d98 --- /dev/null +++ b/roles/reset_proxmox_lxc/tasks/main.yml 
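Review bot: The stat result in roles/reset/tasks/main.yml is registered as `rcfile`, but all three following `when:` conditions read `rclocal.stat.exists`, so with `proxmox_lxc_configure` true these tasks would fail on an undefined variable. Change the first task to `register: rclocal`, or change the conditions to `rcfile.stat.exists`. Separately, the last task deletes /etc/rc.local whenever at most one line remains, without checking that the line is the shebang this playbook wrote. Comparing the decoded content to `#!/bin/sh -e` would avoid removing a one-line file that came from somewhere else.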
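Review bot: The `reboot containers` handler builds its command line as one templated string, `"pct reboot {{ item }}"`, so a value in `proxmox_lxc_filtered_ids` containing whitespace would be split into extra arguments to `pct`, which runs as root on the Proxmox host. Passing the arguments as a list, `argv: ["pct", "reboot", "{{ item }}"]` under `command:`, keeps each ID a single argument. The IDs are derived from `proxmox_lxc_ct_ids` by way of file names, so an `assert` that each one is numeric before the handler can run would be a cheap extra guard.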
@@ -0,0 +1,53 @@ +--- +- name: check for container files that exist on this host + stat: + path: "/etc/pve/lxc/{{ item }}.conf" + loop: "{{ proxmox_lxc_ct_ids }}" + register: stat_results + +- name: filter out files that do not exist + set_fact: + proxmox_lxc_filtered_files: + '{{ stat_results.results | rejectattr("stat.exists", "false") | map(attribute="stat.path") }}' + +# used for the reboot handler +- name: get container ids from filtered files + set_fact: + proxmox_lxc_filtered_ids: + '{{ proxmox_lxc_filtered_files | map("split", "/") | map("last") | map("split", ".") | map("first") }}' + +- name: Remove LXC apparmor profile + lineinfile: + dest: "{{ item }}" + regexp: "^lxc.apparmor.profile" + line: "lxc.apparmor.profile: unconfined" + state: absent + loop: "{{ proxmox_lxc_filtered_files }}" + notify: reboot containers + +- name: Remove lxc cgroups + lineinfile: + dest: "{{ item }}" + regexp: "^lxc.cgroup.devices.allow" + line: "lxc.cgroup.devices.allow: a" + state: absent + loop: "{{ proxmox_lxc_filtered_files }}" + notify: reboot containers + +- name: Remove lxc cap drop + lineinfile: + dest: "{{ item }}" + regexp: "^lxc.cap.drop" + line: "lxc.cap.drop: " + state: absent + loop: "{{ proxmox_lxc_filtered_files }}" + notify: reboot containers + +- name: Remove lxc mounts + lineinfile: + dest: "{{ item }}" + regexp: "^lxc.mount.auto" + line: 'lxc.mount.auto: "proc:rw sys:rw"' + state: absent + loop: "{{ proxmox_lxc_filtered_files }}" + notify: reboot containers diff --git a/site.yml b/site.yml index f6f0b092c..d8e4325fa 100644 --- a/site.yml +++ b/site.yml @@ -12,6 +12,7 @@ gather_facts: yes roles: - role: lxc + become: true when: proxmox_lxc_configure - role: prereq become: true diff --git a/scripts/rc.local b/templates/rc.local.j2 similarity index 95% rename from scripts/rc.local rename to templates/rc.local.j2 index daa6c7782..16ca666ea 100644 --- a/scripts/rc.local +++ b/templates/rc.local.j2 
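Review bot: Each `lineinfile` task in roles/reset_proxmox_lxc/tasks/main.yml combines `regexp` with `state: absent`, and in that combination the module removes every line matching the pattern, not just the `line` value. `^lxc.cap.drop` or `^lxc.apparmor.profile` would therefore also delete a capability drop or AppArmor profile that an administrator set independently of this playbook. These keys control the container's confinement, so the reset should take back only what the playbook wrote: drop `regexp` so the exact `line` is matched, or pin the value, e.g. `regexp: '^lxc\.apparmor\.profile: unconfined$'`. The unescaped `.` in the patterns also matches any character. The same applies to the cgroup and mount tasks.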
@@ -1,5 +1,3 @@ -#!/bin/sh -e - # Kubeadm 1.15 needs /dev/kmsg to be there, but it's not in lxc, but we can just use /dev/console instead # see: https://github.com/kubernetes-sigs/kind/issues/662 if [ ! -e /dev/kmsg ]; then