[UPD] ansible-lint

.ansible-lint

+---
+warn_list:  # or 'skip_list' to silence them completely
+    - git-latest  # Git checkouts must contain explicit version
+    - ignore-errors  # Use failed_when and specify error conditions instead of using ignore_errors
+    - no-changed-when  # Commands should not change things if nothing needs doing
+    - no-handler  # Tasks that run when changed should likely be handlers
+    - package-latest  # Package installs should not use latest

.yamllint

+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    colons:
+        max-spaces-after: -1
+        level: error
+    commas:
+        max-spaces-after: -1
+        level: error
+    # comments enable
+    comments: enable
+    comments-indentation: enable
+    document-start: enable
+    empty-lines:
+        max: 3
+        level: error
+    hyphens:
+        level: error
+    indentation:
+        level: warning
+        indent-sequences: consistent
+        spaces: 4
+        check-multi-line-strings: true
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    # trailing-spaces enable
+    trailing-spaces: enable
+    truthy: enable

handlers/main.yml

 ---
 
-- name: restore-iptables
-  service: name=netfilter-persistent state=restarted
+- name: Restore iptables
+  ansible.builtin.service:
+      name: netfilter-persistent
+      state: restarted
 
-- name: restart fail2ban
-  service: name=fail2ban state=restarted
+- name: Restart fail2ban
+  ansible.builtin.service:
+      name: fail2ban
+      state: restarted
 
-- name: restart docker
-  service: name=docker state=restarted
+- name: Restart docker
+  ansible.builtin.service:
+      name: docker
+      state: restarted
   when: inventory_hostname in groups.docker
 
-- name: restart auditd
-  service: name=auditd state=restarted
+- name: Restart auditd
+  ansible.builtin.service:
+      name: auditd
+      state: restarted
 
-- name: restart rsyslog
-  service: name=rsyslog state=restarted
+- name: Restart rsyslog
+  ansible.builtin.service:
+      name: rsyslog
+      state: restarted

meta/main.yml

 ---
 galaxy_info:
-  author: Rémi
+    author: lefilament
     description: This role installs and configures security on servers (iptables, fail2ban, auditd)
     company: Le Filament (https://le-filament.com)
     license: AGPL-3.0-or-later
-  min_ansible_version: 2.1
+    min_ansible_version: "2.1"
     platforms:
         - name: Ubuntu
           versions:

tasks/mail.yml

 ---
-- name: remove mail packages not necessary
-  apt:
+- name: Remove mail packages not necessary
+  ansible.builtin.apt:
       name: [bsd-mailx mailutils postfix]
       autoremove: true
       state: absent
   when: ansible_os_family == "Debian"
 
-- name: check that ssmtp is installed
-  package: name=ssmtp state=present
+- name: Check that ssmtp is installed
+  ansible.builtin.package:
+      name: ssmtp
+      state: present
 
 - name: Check that sendmail redirects to ssmtp
-  file:
+  ansible.builtin.file:
       src: ssmtp
       dest: /usr/sbin/sendmail
       force: true
@@ -18,8 +20,8 @@
       group: mail
       state: link
 
-- name: configuration file for ssmtp
-  template:
+- name: Configuration file for ssmtp
+  ansible.builtin.template:
       src: ssmtp.conf.j2
       dest: /etc/ssmtp/ssmtp.conf
       owner: root

tasks/main.yml

 ---
-- name: import mail tasks
-  import_tasks: mail.yml
+- name: Import mail tasks
+  ansible.builtin.import_tasks: mail.yml
   when: server_security__manage_mail == 'enabled'
 
-- name: install fail2ban, iptables-persistent and auditd
-  package:
+- name: Install fail2ban, iptables-persistent and auditd
+  ansible.builtin.package:
       name:
           - fail2ban
           - iptables-persistent
@@ -14,8 +14,8 @@
   poll: 10
   when: not ansible_check_mode
 
-- name: check presence of fail2ban, iptables-persistent and auditd packages
-  package:
+- name: Check presence of fail2ban, iptables-persistent and auditd packages
+  ansible.builtin.package:
       name:
           - fail2ban
           - iptables-persistent
@@ -23,28 +23,37 @@
       state: present
   when: ansible_check_mode
 
-- name: make fail2ban persistent
-  service: name=fail2ban enabled=yes state=started
+- name: Make fail2ban persistent
+  ansible.builtin.service:
+      name: fail2ban
+      enabled: true
+      state: started
 
-- name: make sure netfilter-persistent is enabled
-  service: name=netfilter-persistent enabled=yes state=started
+- name: Make sure netfilter-persistent is enabled
+  ansible.builtin.service:
+      name: netfilter-persistent
+      enabled: true
+      state: started
 
-- name: make sure auditd is enabled
-  service: name=auditd enabled=yes state=started
+- name: Make sure auditd is enabled
+  ansible.builtin.service:
+      name: auditd
+      enabled: true
+      state: started
 
-- name: push specific fail2ban jail configuration file
-  template:
+- name: Push specific fail2ban jail configuration file
+  ansible.builtin.template:
       src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
       dest: "/etc/fail2ban/jail.local"
       owner: 'root'
       group: 'root'
       mode: '0644'
   when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: push specific fail2ban actions
-  template:
+- name: Push specific fail2ban actions
+  ansible.builtin.template:
       src: "{{ item }}.j2"
       dest: "/etc/fail2ban/{{ item }}.local"
       owner: 'root'
@@ -54,67 +63,67 @@
       - action.d/sendmail-common
       - action.d/sendmail-whois-lines
   when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: push specific fail2ban filters
-  copy:
+- name: Push specific fail2ban filters
+  ansible.builtin.copy:
       src: traefik-auth
       dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
       owner: 'root'
       group: 'root'
       mode: '0644'
-    force: no
+      force: false
   when: inventory_hostname in groups.docker
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: create iptables configuration
-  template:
+- name: Create iptables configuration
+  ansible.builtin.template:
       src: iptables.conf.j2
       dest: /etc/iptables/rules.v4
       owner: root
       group: root
       mode: '0600'
   notify:
-    - restore-iptables
-    - restart fail2ban
-    - restart docker
+      - Restore iptables
+      - Restart fail2ban
+      - Restart docker
 
-- name: create ip6tables configuration
-  template:
+- name: Create ip6tables configuration
+  ansible.builtin.template:
       src: ip6tables.conf.j2
       dest: "/etc/iptables/rules.v6"
       owner: root
       group: root
       mode: '0600'
   notify:
-    - restore-iptables
-    - restart fail2ban
-    - restart docker
+      - Restore iptables
+      - Restart fail2ban
+      - Restart docker
 
-- name: push iptables rsyslog configuration
-  copy:
+- name: Push iptables rsyslog configuration
+  ansible.builtin.copy:
       src: rsyslog.d-iptables
       dest: /etc/rsyslog.d/33-iptables.conf
       owner: root
       group: root
       mode: '0644'
-  notify: restart rsyslog
+  notify: Restart rsyslog
 
-- name: push iptables logrotate configuration
-  copy:
+- name: Push iptables logrotate configuration
+  ansible.builtin.copy:
       src: logrotate.d-iptables
       dest: /etc/logrotate.d/iptables
       owner: root
       group: root
       mode: '0644'
 
-- name: configuration file for auditd
-  template:
+- name: Configuration file for auditd
+  ansible.builtin.template:
       src: audit.rules.j2
       dest: /etc/audit/rules.d/audit.rules
       owner: root
       group: root
       mode: '0640'
-  notify: restart auditd
+  notify: Restart auditd