[UPD] ansible-lint

.ansible-lint

+---
+warn_list:  # or 'skip_list' to silence them completely
+    - git-latest  # Git checkouts must contain explicit version
+    - ignore-errors  # Use failed_when and specify error conditions instead of using ignore_errors
+    - no-changed-when  # Commands should not change things if nothing needs doing
+    - no-handler  # Tasks that run when changed should likely be handlers
+    - package-latest  # Package installs should not use latest

.yamllint

+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    colons:
+        max-spaces-after: -1
+        level: error
+    commas:
+        max-spaces-after: -1
+        level: error
+    # comments enable
+    comments: enable
+    comments-indentation: enable
+    document-start: enable
+    empty-lines:
+        max: 3
+        level: error
+    hyphens:
+        level: error
+    indentation:
+        level: warning
+        indent-sequences: consistent
+        spaces: 4
+        check-multi-line-strings: true
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    # trailing-spaces enable
+    trailing-spaces: enable
+    truthy: enable

handlers/main.yml

 ---
 
-- name: restart-sshd
-  service:
+- name: Restart SSHD
+  ansible.builtin.service:
       name: ssh
       state: restarted
 
-- name: restart-cron
+- name: Restart cron
   ansible.builtin.service:
       name: cron
       state: restarted
 
-- name: restart-apt-update-timer
+- name: Restart apt-update-timer
   ansible.builtin.systemd:
       name: apt-daily.timer
       daemon_reload: true
       state: restarted
       enabled: true
 
-- name: restart-apt-upgrade-timer
+- name: Restart apt-upgrade-timer
   ansible.builtin.systemd:
       name: apt-daily-upgrade.timer
       daemon_reload: true

meta/main.yml

 ---
 galaxy_info:
-  author: Rémi
+    author: lefilament
     description: Initialization role (upgrade packages, create users, configure sudoers, SSHD and public keys, collect facts, etc.)
     company: Le Filament (https://le-filament.com)
     license: AGPL-3.0-or-later
-  min_ansible_version: 2.1
+    min_ansible_version: "2.1"
     platforms:
         - name: EL
           versions:
-        - 7
+              - "7"
         - name: Ubuntu
           versions:
               - bionic

tasks/main.yml

 ---
 - name: Include OS-specific variables.
-  include_vars: "{{ ansible_os_family }}.yml"
+  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Set machine hostname
-  hostname:
+  ansible.builtin.hostname:
       name: "{{ inventory_hostname_short | lower | regex_replace('_', '') }}"
 
 - name: Set timezone to Europe/Paris
   community.general.timezone:
       name: Europe/Paris
   notify:
-    - restart-cron
+      - Restart cron
 
 - name: Never include APT phased update
-  copy:
+  ansible.builtin.copy:
       src: apt-phased-updates
       dest: /etc/apt/apt.conf.d/99-Phased-Updates
       owner: root
@@ -22,7 +22,7 @@
   when: ansible_os_family == "Debian"
 
 - name: Debian Update repo and upgrade installed packages
-  apt:
+  ansible.builtin.apt:
       update_cache: true
       upgrade: full
       autoremove: true
@@ -33,7 +33,7 @@
   when: not ansible_check_mode and ansible_os_family == "Debian"
 
 - name: Debian check Update repo and upgrade installed packages
-  apt:
+  ansible.builtin.apt:
       update_cache: true
       upgrade: full
       autoremove: true
@@ -42,14 +42,14 @@
   when: ansible_check_mode and ansible_os_family == "Debian"
 
 - name: RedHat Update repo and upgrade installed packages
-  yum:
+  ansible.builtin.yum:
       update_cache: true
       name: '*'
       state: latest
   when: ansible_os_family == "RedHat"
 
 - name: Remove unecessary packages if present
-  apt:
+  ansible.builtin.apt:
       name: "{{ packages_to_remove }}"
       autoremove: true
       purge: true
@@ -57,30 +57,30 @@
   when: ansible_os_family == "Debian"
 
 - name: Remove unecessary files if present
-  file:
+  ansible.builtin.file:
       path: "{{ item }}"
       state: absent
   when: ansible_os_family == "Debian"
   with_items: "{{ files_to_remove }}"
 
 - name: Remove unecessary users if present
-  user:
+  ansible.builtin.user:
       name: "{{ item }}"
       remove: true
       state: absent
   with_items: "{{ users_to_remove }}"
 
-- name: disable dynamic motd news
-  lineinfile:
+- name: Disable dynamic motd news
+  ansible.builtin.lineinfile:
       name: "/etc/default/motd-news"
       regexp: "ENABLED=1"
       line: "ENABLED=0"
       mode: '0644'
   when: ansible_os_family == "Debian"
-  ignore_errors: yes
+  ignore_errors: true
 
 - name: Copy nosnap file
-  copy:
+  ansible.builtin.copy:
       src: nosnap
       dest: /etc/apt/preferences.d/nosnap
       owner: root
@@ -89,7 +89,7 @@
   when: ansible_os_family == "Debian"
 
 - name: Remove Unattended Upgrades
-  apt:
+  ansible.builtin.apt:
       name: "unattended-upgrades"
       autoremove: true
       purge: true
@@ -98,14 +98,14 @@
   tags: unattended-upgrade
 
 - name: Install Unattended Upgrades
-  apt:
+  ansible.builtin.apt:
       name: "unattended-upgrades"
       state: present
   when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: enable apt auto upgrades
-  copy:
+- name: Enable apt auto upgrades
+  ansible.builtin.copy:
       src: apt-auto-upgrades
       dest: /etc/apt/apt.conf.d/20auto-upgrades
       owner: root
@@ -114,7 +114,7 @@
   when: ansible_os_family == "Debian"
 
 - name: Copy Unattended Upgrades configuration
-  template:
+  ansible.builtin.template:
       src: 'apt-unattended-upgrades.j2'
       dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
       owner: root
@@ -133,7 +133,7 @@
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: override apt-daily timer
+- name: Override apt-daily timer
   ansible.builtin.copy:
       src: 'apt-daily.timer'
       dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
@@ -143,7 +143,7 @@
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
   notify:
-    - restart-apt-update-timer
+      - Restart apt-update-timer
 
 - name: Create apt-daily-upgrade timer directory if it does not exist
   ansible.builtin.file:
@@ -155,7 +155,7 @@
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: override apt-daily-upgrade timer
+- name: Override apt-daily-upgrade timer
   ansible.builtin.copy:
       src: 'apt-daily-upgrade.timer'
       dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
@@ -165,14 +165,14 @@
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
   notify:
-    - restart-apt-upgrade-timer
+      - Restart apt-upgrade-timer
 
-- name: Create {{ host_user }} group
-  group:
+- name: Create group {{ host_user }}
+  ansible.builtin.group:
       name: "{{ host_user }}"
 
-- name: Create {{ host_user }} user
-  user:
+- name: Create user {{ host_user }}
+  ansible.builtin.user:
       name: "{{ host_user }}"
       group: "{{ host_user }}"
       password: "{{ host_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
@@ -183,7 +183,7 @@
   register: publickey
 
 - name: Save public key to hostvars for SFTP
-  lineinfile:
+  ansible.builtin.lineinfile:
       name: "host_vars/{{ inventory_hostname }}"
       regexp: "host_user_public_key:"
       line: "host_user_public_key: {{ publickey.ssh_public_key }}"
@@ -192,13 +192,13 @@
   become: false
   delegate_to: localhost
 
-- name: Create {{ host_user2 }} group
-  group:
+- name: Create group {{ host_user2 }}
+  ansible.builtin.group:
       name: "{{ host_user2 }}"
   when: host_user2 is defined
 
-- name: Create {{ host_user2 }} user
-  user:
+- name: Create user {{ host_user2 }}
+  ansible.builtin.user:
       name: "{{ host_user2 }}"
       group: "{{ host_user2 }}"
       password: "{{ host_password2 | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
@@ -208,8 +208,8 @@
       shell: /bin/bash
   when: host_user2 is defined
 
-- name: add user(s) in sudoers
-  template:
+- name: Add user(s) in sudoers
+  ansible.builtin.template:
       src: sudoers.j2
       dest: /etc/sudoers
       owner: root
@@ -218,7 +218,7 @@
       validate: /usr/sbin/visudo -cf %s
   tags: sudoers
 
-- name: quiet nagios authentification
+- name: Quiet nagios authentification
   ansible.builtin.copy:
       src: 'pam-sudo'
       dest: '/etc/pam.d/sudo'
@@ -226,50 +226,50 @@
       group: root
       mode: '0644'
 
-- name: add public key to authorized keys for {{ host_user }}
-  authorized_key:
+- name: Add public key to authorized keys for {{ host_user }}
+  ansible.posix.authorized_key:
       key: "{{ default_ssh_public_keys }}"
       user: "{{ host_user }}"
       exclusive: true
   tags: sshd
 
-- name: add public key to authorized keys for {{ host_user2 }}
-  authorized_key:
+- name: Add public key to authorized keys for {{ host_user2 }}
+  ansible.posix.authorized_key:
       key: "{{ host_user2_pubkey }}"
       user: "{{ host_user2 }}"
       exclusive: true
   when: host_user2 is defined and host_user2_pubkey is defined
   tags: sshd
 
-- name: make sure /etc/ssh/ssh_host_ed25519_key exists
-  stat:
+- name: Make sure /etc/ssh/ssh_host_ed25519_key exists
+  ansible.builtin.stat:
       path: /etc/ssh/ssh_host_ed25519_key
   register: ssh_host_exists
   tags: sshd
 
 - name: Generate /etc/ssh/ssh_host_ed25519_key if missing
-  command: ssh-keygen -A
+  ansible.builtin.command: ssh-keygen -A
   when: not ssh_host_exists.stat.exists and not ansible_check_mode
   tags: sshd
 
 - name: Copy sshd_config file
-  template:
+  ansible.builtin.template:
       src: sshd_config.j2
       dest: /etc/ssh/sshd_config
       owner: root
       group: root
       mode: '0644'
       validate: /usr/sbin/sshd -t -f %s
-  notify: restart-sshd
+  notify: Restart SSHD
   tags: sshd
 
 - name: Enable SSH daemon service
-  service:
+  ansible.builtin.service:
       name: ssh
       enabled: true
 
 - name: Copy bashrc file with session timeout
-  copy:
+  ansible.builtin.copy:
       src: bash.bashrc
       dest: /etc/bash.bashrc
       owner: root
@@ -278,7 +278,7 @@
   when: ansible_os_family == "Debian"
 
 - name: Add session timeout
-  blockinfile:
+  ansible.builtin.blockinfile:
       path: /etc/bashrc
       block: |
           TMOUT=900
@@ -286,14 +286,14 @@
           export TMOUT
   when: ansible_os_family == "RedHat"
 
-- name: disable ipv6
-  sysctl:
+- name: Enable ipv6 forwarding
+  ansible.posix.sysctl:
       name: "net.ipv6.conf.all.forwarding"
       value: '1'
       sysctl_set: true
 
-- name: setup ipv6
-  template:
+- name: Setup ipv6
+  ansible.builtin.template:
       src: 51-ipv6.yaml.j2
       dest: /etc/netplan/51-ipv6.yaml
       owner: root
@@ -301,8 +301,8 @@
       mode: '0644'
   when: ipv6_address is defined and inventory_hostname in groups['manual_ipv6']
 
-- name: set default path
-  template:
+- name: Set default path
+  ansible.builtin.template:
       src: environment.j2
       dest: /etc/environment
       owner: root
@@ -311,7 +311,7 @@
   when: ansible_os_family == "Debian"
 
 - name: Check if backup servers present in root known hosts
-  lineinfile:
+  ansible.builtin.lineinfile:
       path: /root/.ssh/known_hosts
       regexp: "{{ hostvars[item].host_server_public_key }}"
       state: absent
@@ -321,7 +321,7 @@
   with_items: "{{ groups.backup_server }}"
 
 - name: Add backup servers in root known host
-  known_hosts:
+  ansible.builtin.known_hosts:
       hash_host: true
       key: "{{ hostvars[item['item']].host_server_known_entry }}"
       name: "[{{ hostvars[item['item']].ansible_host }}]:{{ default_sshd_port }}"
@@ -329,21 +329,21 @@
   with_items: "{{ known_hosts_line.results }}"
 
 - name: Copy Installed Package Listing script on server
-  template:
+  ansible.builtin.template:
       src: collect_installed_packages_facts_{{ ansible_os_family }}.sh.j2
       dest: /root/collect_installed_packages_facts.sh
       owner: root
       group: root
       mode: '0700'
 
-- name: disable e-mailing of crontab
-  cron:
+- name: Disable e-mailing of crontab
+  ansible.builtin.cron:
       name: MAILTO
       env: true
       job: ""
 
-- name: add cron job to check installed packages every day
-  cron:
+- name: Add cron job to check installed packages every day
+  ansible.builtin.cron:
       name: collect installed packages facts
       minute: "43"
       hour: "0"