Improve ansible code so that ansibe-lint shows fewer errors

lmn-client.yml

@@ -20,16 +20,17 @@
 - name: Apply common configuration to the machines
   hosts: all # desktop:laptop
   remote_user: ansible
-  become: yes
+  become: true
   pre_tasks:
-    - pause:
+    - name: Ask for global-admin AD password
+      ansible.builtin.pause:
         prompt: "Enter global-admin AD password. Leave empty to skip domain join"
         echo: false
       register: adpw
       no_log: true
       when: "ansible_cmdline.adpw is not defined"
     - name: Preseed apparmor
-      debconf:
+      ansible.builtin.debconf:
         name: apparmor
         question: apparmor/homedirs
         value: >-
@@ -38,7 +39,7 @@
           /srv/samba/schools/default-school/examusers/
         vtype: string
     - name: Preseed unattended-upgrades
-      debconf:
+      ansible.builtin.debconf:
         name: unattended-upgrades
         question: unattended-upgrades/enable_auto_updates
         value: true
@@ -115,13 +116,13 @@
   tasks:
     ## Temporary fixes and quirks:
     - name: Remove disturbing NetworkManager connection
-      file:
+      ansible.builtin.file:
         path: "/etc/NetworkManager/system-connections/Wired connection 1"
         state: absent
       when: ansible_interfaces | select('search', '^en[pso].+') | length > 1
 
     - name: Fix 8086:4909 external graphics card
-      replace:
+      ansible.builtin.replace:
         dest: "/etc/default/grub"
         regexp: 'GRUB_CMDLINE_LINUX=""$'
         replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
@@ -129,7 +130,7 @@
       when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
 
     - name: Fix sound on 312A
-      replace:
+      ansible.builtin.replace:
         dest: "/etc/default/grub"
         regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
         replace: 'GRUB_CMDLINE_LINUX=""'
@@ -137,7 +138,7 @@
       when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
 
     - name: Fix sound on 312A and 312D
-      apt:
+      ansible.builtin.apt:
         name: firmware-sof-signed
         state: latest
       when: >
@@ -145,31 +146,32 @@
         (ansible_board_name == "312D" or ansible_board_name == "312A")
 
     - name: Install customized CodeBlocks packages
+      when: "'PCroom' in group_names"
       block:
         - name: Check for old CodeBlocks
-          command:
+          ansible.builtin.command:
             cmd: dpkg -l codeblocks
           register: codeblocks_version
-          changed_when: False
+          changed_when: false
 
         - name: Download codeblocks zip archive
           ansible.builtin.get_url:
             url: "http://livebox.pn.steinbeis.schule/codeblocks/CodeBlocks.zip"
             dest: /tmp/CodeBlocks.zip
-            use_proxy: False
+            mode: '0644'
+            use_proxy: false
           register: new_codeblocks
           when: codeblocks_version.stdout is not search('svn13544')
 
         - name: Unpack zip archive and install packages manually
-          shell:
+          ansible.builtin.shell:
             cmd: unzip -d /tmp/cb/ CodeBlocks.zip && dpkg -i cb/*.deb
             chdir: /tmp/
           when: new_codeblocks.changed | default(false)
-      when: "'PCroom' in group_names"
 
 ## Clean up stuff from obsolete/faulty tasks:
     - name: Remove sddm login screen patch with deprecated marker (homeondisk)
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/themes/debian-breeze/Main.qml
         marker: // {mark} ANSIBLE MANAGED BLOCK homeondisk
         state: absent
@@ -180,15 +182,15 @@
           - cachefilesd
           - mosquitto
         state: absent
-        purge: True
+        purge: true
 
     - name: Remove virtiofs service
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/virtiofs@.service
         state: absent
 
     - name: Fix mount point permissions and owner
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         mode: '0755'
         owner: root
@@ -198,7 +200,7 @@
         - /srv/samba/schools
 
     - name: Remove pam_mount sysvol mount
-      blockinfile:
+      ansible.builtin.blockinfile:
         dest: /etc/security/pam_mount.conf.xml
         marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (SysVol) -->"
         block: |
@@ -212,28 +214,30 @@
           </volume>
         state: absent
 
-    - name: check if rmlpr.timer is installed
+    - name: Check if rmlpr.timer is installed
-      stat: path=/etc/systemd/system/rmlpr.timer
+      ansible.builtin.stat:
+        path: /etc/systemd/system/rmlpr.timer
       register: rmlpr
 
-    - name: disable rmlpr.timer
+    - name: Disable rmlpr.timer
-      systemd:
+      ansible.builtin.systemd:
         name: rmlpr.timer
         enabled: false
       when: rmlpr.stat.exists
 
-    - name: check if vmimage-torrent.service is installed
+    - name: Check if vmimage-torrent.service is installed
-      stat: path=/etc/systemd/system/vmimage-torrent.service
+      ansible.builtin.stat:
+        path: /etc/systemd/system/vmimage-torrent.service
       register: vmimagetorrent
 
-    - name: disable vmimage-torrent.service
+    - name: Disable vmimage-torrent.service
-      systemd:
+      ansible.builtin.systemd:
         name: vmimage-torrent.service
         enabled: false
       when: vmimagetorrent.stat.exists
 
     - name: Remove deprecated files and directories
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         state: absent
       with_items:
@@ -269,12 +273,13 @@
         - /etc/NetworkManager/system-connections/macvlan-vm-macvtap.nmconnection
         - /etc/tmpfiles.d/clean-exam.conf
 
-    - name: check if vm_usage_information.txt exists
+    - name: Check if vm_usage_information.txt exists
-      stat: path=/lmn/vm/vm_usage_information.txt
+      ansible.builtin.stat:
+        path: /lmn/vm/vm_usage_information.txt
       register: vm_usage_information
 
-    - name: pre-fill vm_usage_information.txt
+    - name: Pre-fill vm_usage_information.txt
-      shell:
+      ansible.builtin.shell:
         cmd: |
           ls -tr *.qcow2 > vm_usage_information.txt || touchvm_usage_information.txt
           chown lmnsynci:lmnsynci vm_usage_information.txt
@@ -285,11 +290,11 @@
       ansible.builtin.shell:
         cmd: grep "IPP Everywhere" /etc/cups/printers.conf
       register: ipp_everywhere
-      failed_when: False
+      failed_when: false
-      changed_when: False
+      changed_when: false
 
     - name: Delete old IPP-Everywhere printers
-      shell:
+      ansible.builtin.shell:
         cmd: |
           for p in $(lpstat -p | cut -d" " -f2); do
             lpadmin -x "$p"
@@ -297,17 +302,17 @@
       when: not ipp_everywhere.rc
 
     - name: Remove old VM-printerlists
-      shell:
+      ansible.builtin.shell:
         cmd: rm -f /lmn/media/*/.printerlist.csv
 
     - name: Remove Listen on VMBridge
-      lineinfile:
+      ansible.builtin.lineinfile:
         dest: /etc/cups/cupsd.conf
         line: 'Listen 192.168.122.1:631'
         state: absent
 
     - name: Remove NetworkManager Ansible-Block for non-laptops
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /etc/NetworkManager/NetworkManager.conf
         state: absent
       when: "'laptop' not in group_names"
@@ -343,7 +348,7 @@
     - name: Timestamp successfull run and send up-to-date report
       ansible.builtin.shell:
         cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter
-      changed_when: False
+      changed_when: false
       tags: upgrade
 
     - name: Force ansible-run after install trough emitter by setting timestamp in the past
@@ -356,7 +361,7 @@
 - name: Apply additional laptop configuration
   hosts: laptop
   remote_user: ansible
-  become: yes
+  become: true
   vars_files: lmn-vault
   vars:
     localuser: "{{ vault_localuser }}"
@@ -366,7 +371,7 @@
       when: "'teacherlaptop' not in group_names"
   tasks:
     - name: Remove deprecated files and directories (laptop-class)
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         state: absent
       with_items:
@@ -380,7 +385,7 @@
     - name: Enable wpa-supplicant
       ansible.builtin.systemd:
         name: wpa_supplicant.service
-        enabled: True
+        enabled: true
       tags:
         - never
         - wlan_8021x
@@ -388,13 +393,13 @@
     - name: Disable iwd
       ansible.builtin.systemd:
         name: iwd.service
-        enabled: False
+        enabled: false
       tags:
         - never
         - wlan_8021x
 
     - name: Remove deprecated NetworkManager config
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /etc/NetworkManager/NetworkManager.conf
         state: absent
       tags:
@@ -405,7 +410,7 @@
 - name: Apply roles that must run serial
   hosts: all
   remote_user: ansible
-  become: yes
+  become: true
   serial: 1
   ignore_unreachable: true
 

roles/kerberize/handlers/main.yml

@@ -1,5 +1,5 @@
-- name: reload sshd
+- name: Reload sshd
-  systemd:
+  ansible.builtin.systemd:
     name: sshd
     state: reloaded
   when: not run_in_installer|default(false)|bool

roles/kerberize/tasks/main.yml

@@ -1,28 +1,30 @@
 - name: Install kerberos packages
-  apt:
+  ansible.builtin.apt:
     name: krb5-user
-    state: latest
 
 - name: Kerberize sshd server
   ansible.builtin.copy:
     dest: /etc/ssh/sshd_config.d/kerberize.conf
+    mode: '0644'
     content: |
       GSSAPIAuthentication yes
-  notify: "reload sshd"
+  notify: "Reload sshd"
 
 - name: Kerberize ssh client, authenticate and delegate credentials
   ansible.builtin.copy:
     dest: /etc/ssh/ssh_config.d/kerberize.conf
+    mode: '0644'
     content: |
       GSSAPIAuthentication yes
       GSSAPIDelegateCredentials yes
 
 - name: Check if firefox is available
-  stat: path=/etc/firefox-esr/firefox-esr.js
+  ansible.builtin.stat:
+    path: /etc/firefox-esr/firefox-esr.js
   register: firefox
 
 - name: Kerberize firefox for sites in the local domain
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/firefox-esr/firefox-esr.js
     line: "{{ item }}"
   with_items:
@@ -32,13 +34,15 @@
   when: firefox.stat.exists
 
 - name: Ensures /etc/chromium/policies/managed dir exists
-  file:
+  ansible.builtin.file:
     path: "/etc/chromium/policies/managed"
     state: directory
+    mode: '0755'
 
 - name: Kerberize chromium for sites in the local domain
-  copy:
+  ansible.builtin.copy:
     dest: /etc/chromium/policies/managed/idam.json
+    mode: '0644'
     content: |
       {
         "AuthServerAllowlist": "idam.steinbeis.schule"

roles/lmn_exam/tasks/main.yml

@@ -10,7 +10,7 @@
   ansible.builtin.systemd:
     name: firewalld
     state: stopped
-  when: result.changed
+  when: result.changed # noqa: no-handler
 
 - name: Disable firewalld-service
   ansible.builtin.systemd:

roles/lmn_fvs/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Run update-desktop-database
-  command: update-desktop-database "{{ item }}"
+  ansible.builtin.command: update-desktop-database "{{ item }}"
   loop:
     - /usr/local/share/applications
     - /usr/local/share/desktop-directories

roles/lmn_fvs/tasks/main.yml

@@ -14,9 +14,8 @@
     vtype: string
   when: mirror_msfonts is defined and mirror_msfonts | length > 0
 
-
 - name: Install desktop EDU packages and some more
-  apt:
+  ansible.builtin.apt:
     name:
       - atftp
       - audacity
@@ -90,7 +89,7 @@
     http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
 
 - name: Remove update notifications from plasma-discover
-  apt:
+  ansible.builtin.apt:
     name:
       - plasma-discover
     autoremove: true
@@ -100,6 +99,7 @@
 - name: Make sure wireshark works for all users after installation and upgrades
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf.d/92wireshark4all
+    mode: '0644'
     content: |
       ## Modify permissions after installation/upgrade to allow all
       ## users dumping packages on network interfaces for wireshark
@@ -122,6 +122,7 @@
   ansible.builtin.copy:
     src: policies.json
     dest: /etc/firefox-esr/policies/
+    mode: '0644'
 
 - name: Create chromium policies directory
   ansible.builtin.file:
@@ -130,8 +131,9 @@
     mode: '0755'
 
 - name: Set chromium proxy-policy to auto_detect
-  copy:
+  ansible.builtin.copy:
     dest: /etc/chromium/policies/managed/proxy.json
+    mode: '0644'
     content: |
       {
         "ProxyMode": "auto_detect"
@@ -144,20 +146,20 @@
     replace: '  \1'
 
 - name: Copy some scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/sbin/
-    mode: 0755
+    mode: '0755'
   loop:
     - pwroff
     - bootorder.sh
     - reporter
 
 - name: Provide services and timers for some scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: '0644'
   loop:
     - pwroff.service
     - pwroff.timer
@@ -166,7 +168,7 @@
   when: "'teacherlaptop' not in group_names"
 
 - name: Enable pwroff.timer
-  systemd:
+  ansible.builtin.systemd:
     name: "{{ item }}"
     enabled: true
   loop:
@@ -175,7 +177,7 @@
   when: "'teacherlaptop' not in group_names"
 
 - name: PXE first boot order
-  command: /usr/local/sbin/bootorder.sh
+  ansible.builtin.command: /usr/local/sbin/bootorder.sh
   register: cmd_result
   changed_when: cmd_result.stdout is not search('Nothing to do.')
   when: "'PCroom' in group_names"
@@ -184,7 +186,7 @@
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/bin/
-    mode: 0755
+    mode: '0755'
   loop:
     - lmn-reset-dolphin.sh
     - lmn-patch-dolphin.sh
@@ -194,19 +196,21 @@
   ansible.builtin.copy:
     src: lmn-dolphin.sh
     dest: /etc/profile.d/
+    mode: '0644'
 
 
 - name: Copy fvs-config.js to configure plasma
   ansible.builtin.copy:
     src: fvs-config.js
     dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
-    mode: 0644
+    mode: '0644'
 
 
 - name: Configure some KDE aspects
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /etc/xdg/kdeglobals
     create: true
+    mode: '0644'
     block: |
       [KDE]
       SingleClick=false
@@ -219,6 +223,7 @@
 - name: Shut down when idle for too long
   ansible.builtin.copy:
     dest: /etc/xdg/powermanagementprofilesrc
+    mode: '0644'
     content: |
       [AC][SuspendSession]
       idleTime=7200000
@@ -228,20 +233,22 @@
 - name: Start with empty session by default
   ansible.builtin.copy:
     dest: /etc/xdg/ksmserverrc
+    mode: '0644'
     content: |
       [General]
       loginMode=emptySession
 
 - name: Fix primary screen for class room PCs with projector
+  when: "'CloneScreen' in group_names"
   block:
     - name: Set primary screen for login
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/scripts/Xsetup
         block: |
           xrandr --output {{ dual_screen[0] }} --primary
       when: dual_screen is defined
     - name: Reset primary screen for login
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/scripts/Xsetup
         state: absent
       when: dual_screen is not defined
@@ -253,13 +260,13 @@
     - name: Deploy fix-screen autostarter
       ansible.builtin.copy:
         dest: /etc/xdg/autostart/lmn-fix-screen.desktop
+        mode: '0644'
         content: |
           [Desktop Entry]
           Name=fix-screen
           Exec=lmn-fix-screen
           Type=Application
           NoDisplay=true
-  when: "'CloneScreen' in group_names"
 
 # - name: Avoid starting kscreen (confusing autodetection)
 #   ansible.builtin.copy:
@@ -281,7 +288,8 @@
   ansible.builtin.get_url:
     url: "{{ mirror_dvdcss }}/libdvdcss.so.2.2.0"
     dest: /usr/lib/x86_64-linux-gnu/libdvdcss.so.2.2.0
-    use_proxy: False
+    mode: '0644'
+    use_proxy: false
   when: mirror_dvdcss is defined and mirror_dvdcss | length > 0
 
 - name: Link library so name
@@ -292,7 +300,7 @@
   when: mirror_dvdcss is defined and mirror_dvdcss | length > 0
 
 - name: Patch sddm login screen to show hostname
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK
     insertbefore: '\s+//Footer'
@@ -311,6 +319,7 @@
 - name: Set git default-branch to main
   ansible.builtin.copy:
     dest: /etc/gitconfig
+    mode: '0644'
     content: |
       [init]
         defaultBranch = main
@@ -318,7 +327,7 @@
 - name: Adjust mmcblk-device gid to allow users to access SD-cards
   ansible.builtin.copy:
     dest: /etc/udev/rules.d/80-mmcblk.rules
-    mode: "0644"
+    mode: '0644'
     content: |
       KERNEL=="mmcblk[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users"
       KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users"

roles/lmn_fvs/tasks/sync.yml

@@ -3,7 +3,7 @@
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
+    mode: '0755'
   loop:
     - /usr/local/share/applications
     - /usr/local/share/desktop-directories
@@ -13,24 +13,26 @@
   ansible.builtin.copy:
     src: fvs.directory
     dest: /usr/local/share/desktop-directories/
+    mode: '0644'
   notify: Run update-desktop-database
 
 - name: Copy fvs.menu
   ansible.builtin.copy:
     src: fvs.menu
     dest: /etc/xdg/menus/applications-merged/
+    mode: '0644'
   notify: Run update-desktop-database
 
 - name: Copy lmn-sync script
   ansible.builtin.copy:
     src: lmn-sync
     dest: /usr/local/sbin/
-    mode: 0755
+    mode: '0755'
   register: lmn_sync
 
 - name: Run lmn-sync script
   ansible.builtin.shell: /usr/local/sbin/lmn-sync
-  when: lmn_sync.changed
+  when: lmn_sync.changed # noqa: no-handler
 
 - name: Deploy sudo configurations (lmn-sync for role-teacher)
   ansible.builtin.copy:
@@ -42,15 +44,15 @@
       %role-teacher ALL=(root) NOPASSWD: /usr/local/sbin/lmn-sync
 
 - name: Provide lmn-sync service and timer
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: '0644'
   loop:
     - lmn-sync.service
     - lmn-sync.timer
 
 - name: Enable lmn-sync.timer
-  systemd:
+  ansible.builtin.systemd:
     name: lmn-sync.timer
     enabled: true

roles/lmn_kde/handlers/main.yml

@@ -1,2 +1,2 @@
 - name: Run update-grub
-  command: update-grub
+  ansible.builtin.command: update-grub

roles/lmn_kde/tasks/main.yml

@@ -39,7 +39,7 @@
     autoremove: true
     state: latest
 
-- name: Add {{ ansible_distribution_release }}-backports
+- name: Add backports {{ ansible_distribution_release }}
   ansible.builtin.apt_repository:
     repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
     state: present
@@ -69,6 +69,7 @@
   ansible.builtin.blockinfile:
     path: /etc/xdg/akonadi/akonadiserverrc
     create: true
+    mode: '0644'
     block: |
       [%General]
       Driver=QSQLITE3
@@ -83,10 +84,11 @@
       /srv/samba/schools/default-school/examusers/
 
 
-- name: tune SDDM login
+- name: Tune SDDM login
   ansible.builtin.blockinfile:
     path: /etc/sddm.conf
     create: true
+    mode: '0644'
     block: |
       [Users]
       MaximumUid=999
@@ -96,6 +98,7 @@
 - name: Enable wake-on-lan for all ethernet connections
   ansible.builtin.copy:
     dest: /etc/NetworkManager/conf.d/wake-on-lan.conf
+    mode: '0644'
     content: |
       [connection]
       ethernet.wake-on-lan=64
@@ -103,12 +106,14 @@
 - name: Prepare directory for apt-daily override
   ansible.builtin.file:
     path: /etc/systemd/system/apt-daily.timer.d/
-    recurse: True
+    recurse: true
+    mode: '0755'
     state: directory
 
 - name: Run apt update early to avoid outdated package lists
   ansible.builtin.copy:
     dest: /etc/systemd/system/apt-daily.timer.d/override.conf
+    mode: '0644'
     content: |
       [Timer]
       RandomizedDelaySec=30m
@@ -124,6 +129,7 @@
   ansible.builtin.blockinfile:
     path: /etc/systemd/sleep.conf.d/nosuspend.conf
     create: true
+    mode: '0644'
     block: |
       [Sleep]
       AllowSuspend=no
@@ -175,7 +181,7 @@
     dest: /etc/default/grub
     regexp: '^(GRUB_TIMEOUT=).*'
     line: '\g<1>1'
-    backrefs: yes
+    backrefs: true
   notify: Run update-grub
 
 - name: Keyboard compose key
@@ -183,10 +189,11 @@
     dest: /etc/default/keyboard
     regexp: '^(XKBOPTIONS=).*'
     line: '\1"compose:caps"'
-    backrefs: yes
+    backrefs: true
 
 - name: Default KDE filepicker
   ansible.builtin.lineinfile:
     path: /etc/environment.d/90lmn-filepicker.conf
     create: true
+    mode: '0644'
     line: GTK_USE_PORTAL=1

roles/lmn_localhome/tasks/main.yml

@@ -1,12 +1,12 @@
 ---
-- name: enable pam_mkhomedir.so
+- name: Enable pam_mkhomedir.so
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session
     line: "session optional        pam_mkhomedir.so  umask=0077"
     insertbefore: '^session\s*optional\s*pam_mount.so'
 
 - name: Patch sddm login screen to inform about localhome
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK localhome
     insertbefore: '\s+//Footer'
@@ -26,11 +26,12 @@
   ansible.builtin.copy:
     src: lmn-create-unisonconfig.sh
     dest: /usr/local/bin/
-    mode: 0755
+    mode: '0755'
 
 - name: Install auto-logout-script for first login in /etc/profile.d/
-  copy:
+  ansible.builtin.copy:
     dest: /etc/profile.d/lmn-logout.sh
+    mode: '0755'
     content: |
       [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
       {% if 'teacherlaptop' not in group_names %}

roles/lmn_mount/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install needed packages
-  apt:
+  ansible.builtin.apt:
     name:
       - libpam-mount
       - cifs-utils
@@ -10,7 +10,7 @@
     state: latest
 
 - name: Configure pam_mount for Webdav Nextcloud
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount Nextcloud) -->"
     block: |
@@ -25,7 +25,7 @@
   when: web_dav is defined and web_dav | length > 0
 
 - name: Configure pam_mount for LMN homes
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
     block: |
@@ -55,6 +55,7 @@
   ansible.builtin.file:
     path: /etc/systemd/user-environment-generators/
     state: directory
+    mode: '0755'
 
 - name: Prepare generator for persistent user cache directory
   ansible.builtin.copy:

roles/lmn_network/tasks/main.yml

@@ -1,7 +1,8 @@
 ---
 - name: Deploy http proxy config
-  copy:
+  ansible.builtin.copy:
     dest: /etc/environment.d/10-lmn-proxy.conf
+    mode: '0644'
     content: |
       http_proxy="{{ proxy }}"
       https_proxy="{{ proxy }}"
@@ -12,6 +13,7 @@
 - name: Set aptcache
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf
+    mode: '0644'
     content: >
       {{ apt_conf }}
 
@@ -22,7 +24,7 @@
     line: NTP={{ ntp_serv }}
 
 - name: Add proposed-updates repository
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: >
       deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-proposed-updates
       main non-free-firmware

roles/lmn_printer/tasks/main.yml

@@ -1,26 +1,25 @@
 ---
 - name: Install cups
-  apt:
+  ansible.builtin.apt:
     name:
       - cups
-    state: latest
 
 - name: Disable cups printer browsing
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cupsd.conf
     regexp: '^(Browsing ).*'
     line: '\1No'
-    backrefs: yes
+    backrefs: true
 
 - name: Listen on all Interfaces
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cupsd.conf
     line: 'Listen *:631'
     regexp: '^Listen localhost'
     state: present
 
 - name: Allow access from localhost and from VM
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/cups/cupsd.conf
     block: |
       Allow localhost
@@ -33,7 +32,7 @@
     - "/admin"
 
 - name: Allow group role-teacher to manage printers
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cups-files.conf
     line: 'SystemGroup root lpadmin role-teacher'
     regexp: '^SystemGroup'
@@ -44,24 +43,25 @@
   ansible.builtin.systemd:
     name: cups-browsed.service
     state: stopped
-    enabled: no
+    enabled: false
 
 - name: Install install-printers.sh
-  template:
+  ansible.builtin.template:
     src: install-printers.sh.j2
     dest: /usr/local/bin/install-printers.sh
-    mode: 0755
+    mode: '0755'
 
 - name: Install lmn-install-printers sudoers
-  copy:
+  ansible.builtin.copy:
     src: 90-lmn-install-printers
     dest: /etc/sudoers.d/
-    mode: 0660
+    mode: '0660'
     owner: root
     group: root
 
 - name: Run printer script from /etc/profile.d/
-  copy:
+  ansible.builtin.copy:
     dest: /etc/profile.d/lmn-printer.sh
+    mode: '0644'
     content: |
       [[ "${UID}" -gt 10000 ]] && (sudo /usr/local/bin/install-printers.sh > /dev/null &)

roles/lmn_security/handlers/main.yml

@@ -1,5 +1,5 @@
 - name: Reload sshd
-  systemd:
+  ansible.builtin.systemd:
     name: sshd
     state: reloaded
   when: not run_in_installer|default(false)|bool

roles/lmn_security/tasks/main.yml

@@ -9,7 +9,7 @@
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/95-lmn-ansible
     line: 'ansible ALL=(root) NOPASSWD: ALL'
-    create: True
+    create: true
     owner: root
     group: root
     mode: '0700'
@@ -17,12 +17,13 @@
 - name: Disable ansible user login
   ansible.builtin.user:
     name: ansible
-    password_lock: True
+    password_lock: true
 
 - name: Limit SSH access to user ansible
   ansible.builtin.blockinfile:
     dest: /etc/ssh/sshd_config.d/local.conf
     create: true
+    mode: '0644'
     block: |
       PasswordAuthentication no
       AllowUsers ansible

roles/lmn_sssd/handlers/main.yml

@@ -1,3 +1,6 @@
-- name: restart sssd
+- name: Restart sssd
-  service: name=sssd state=restarted enabled=yes
+  ansible.builtin.service:
-  listen: "restart sssd"
+    name: sssd
+    state: restarted
+    enabled: true
+  listen: "Restart sssd"

roles/lmn_sssd/tasks/main.yml

@@ -1,22 +1,21 @@
 ---
 - name: Install needed packages
-  apt:
+  ansible.builtin.apt:
     name:
       - sssd-ad
       - sssd-tools
       - adcli
-    state: latest
 
 - name: Provide user identities from AD
-  template:
+  ansible.builtin.template:
     src: sssd.conf.j2
     dest: /etc/sssd/sssd.conf
-    mode: 0600
+    mode: '0600'
-  notify: restart sssd
+  notify: Restart sssd
 
   ## Either one of the variables is defined:
 - name: Join the domain
-  shell:
+  ansible.builtin.shell:
     cmd: >
       echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
       adcli join --stdin-password -U global-admin {{ domain | upper }}

roles/lmn_vm/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 vm_support: false
+torrent_srv: "seedbox.{{ domain }}"

roles/lmn_vm/handlers/main.yml

@@ -1,5 +1,5 @@
 - name: Reload libvirtd
-  systemd:
+  ansible.builtin.systemd:
     name: libvirtd.service
   listen: reload libvirtd
 

roles/lmn_vm/tasks/main.yml

@@ -4,22 +4,21 @@
 - name: Allow users to attach to bridge
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf.d/94qemu-bridge-suid
+    mode: '0644'
     content: |
       ## Modify permissions after installation/upgrade
       ## to run qemu-bridge as root
       DPkg::Post-Invoke {"/usr/bin/chmod 4755 /usr/lib/qemu/qemu-bridge-helper || true"; };
 
 
-- name: install libvirt packages
+- name: Install libvirt packages
-  apt:
+  ansible.builtin.apt:
     name:
       - aria2
       - mktorrent
       - libvirt-daemon-system
       - virt-manager
       - dialog # for vm-netboot menu
-    state: latest
-    autoremove: true
 
     # - name: allow all users to use VMs
     #   lineinfile:
@@ -29,7 +28,7 @@
     #   notify: reload libvirtd
 
 - name: Configure pam_mount for VM bind mounts
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
     block: |
@@ -49,7 +48,7 @@
     insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
 
 - name: Configure pam_mount for VM bind mounts
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mount school for VMs) -->"
     block: |
@@ -63,7 +62,7 @@
   when: localhome is defined and localhome
 
 - name: Use umount script for proper cleanup
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
     block: |
@@ -75,16 +74,16 @@
   ansible.builtin.copy:
     src: pam-umount.sh
     dest: /usr/local/sbin/pam-umount.sh
-    mode: "0755"
+    mode: '0755'
 
 - name: Insert domain in default-network
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/libvirt/qemu/networks/default.xml
     line: '  <domain name="{{ ansible_domain }}" localOnly="no"/>'
     insertafter: '</ip>'
 
 - name: Autostart default network for VMs
-  file:
+  ansible.builtin.file:
     src: /etc/libvirt/qemu/networks/default.xml
     dest: /etc/libvirt/qemu/networks/autostart/default.xml
     state: link
@@ -97,56 +96,57 @@
     create_home: false
 
 - name: Create /etc/lmn directory
-  file:
+  ansible.builtin.file:
     path: /etc/lmn
     state: directory
+    mode: '0755'
 
 - name: Create /lmn directory
-  file:
+  ansible.builtin.file:
     path: /lmn
     state: directory
+    mode: '0755'
 
 - name: Create /lmn/media directory
-  file:
+  ansible.builtin.file:
     path: /lmn/media
     state: directory
     mode: '1777'
 
 - name: Create /var/vm directory
-  file:
+  ansible.builtin.file:
     path: /var/vm
     state: directory
     mode: '1777'
 
 - name: Create vm directory
-  file:
+  ansible.builtin.file:
     path: /lmn/vm
     state: directory
     owner: lmnsynci
     group: lmnsynci
-    mode: 0755
+    mode: '0755'
 
 - name: Create cleanup-vm.conf
   ansible.builtin.copy:
     dest: /etc/tmpfiles.d/clean-vm.conf
+    mode: '0644'
     content: |
       D /var/tmp/vm 1777 root root -
 
 - name: Install squid
-  apt:
+  ansible.builtin.apt:
     name:
       - squid
-    state: latest
-    autoremove: true
 
 - name: Disable squid
-  systemd:
+  ansible.builtin.systemd:
     name: squid
     enabled: false
     state: stopped
 
 - name: Deploy squid user mode configuration
-  template:
+  ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "/etc/squid/{{ item }}"
     mode: '0644'
@@ -155,16 +155,16 @@
     - squid-usermode-external.conf
 
 - name: Deploy startusersquid script
-  template:
+  ansible.builtin.template:
     src: startusersquid.sh.j2
     dest: /usr/local/bin/startusersquid.sh
     mode: '0755'
 
 - name: Provide usersquid service
-  copy:
+  ansible.builtin.copy:
     src: usersquid.service
     dest: /etc/systemd/user/usersquid.service
-    mode: 0644
+    mode: '0644'
 
 - name: Enable usersquid service
   ansible.builtin.systemd:
@@ -173,7 +173,7 @@
     enabled: true
 
 - name: Deploy sudo configurations
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/sudoers.d/90-{{ item }}"
     owner: root
@@ -184,7 +184,7 @@
     - lmn-vm
 
 - name: Deploy vmimages scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/bin/
     owner: root
@@ -210,6 +210,7 @@
     dest: /etc/lmn/vm.conf
     owner: root
     group: root
+    mode: '0644'
 
 - name: Deploy aria2 RPC password file
   ansible.builtin.copy:
@@ -226,15 +227,18 @@
     state: directory
     owner: lmnsynci
     group: lmnsynci
+    mode: '0755'
 
 - name: Prepare directory for qemu bridge config
   ansible.builtin.file:
     path: /etc/qemu/
     state: directory
+    mode: '0755'
 
 - name: Deploy bridge.conf needed for qemu session mode
   ansible.builtin.copy:
     dest: /etc/qemu/bridge.conf
+    mode: '0644'
     content: |
       allow virbr0
       allow virbr1
@@ -263,6 +267,7 @@
 - name: Adjust interface permissions for user mode VMs
   ansible.builtin.copy:
     dest: /etc/udev/rules.d/80-macvlan.rules
+    mode: '0644'
     content: |
       {% for interface in (ansible_interfaces | select('search', '^en[pso].+')) %}
       SUBSYSTEMS=="net", KERNELS=="macvtap-{{ interface[3:9] }}", MODE="0666"

roles/lmn_vpn/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 vpn: none
- 
 # Wireguad config
 wg_endpoint: "203.0.113.1:51820"
 wg_allowed_ips: "10.0.0.0/16;"

roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml

@@ -50,4 +50,3 @@
       ( not cert_client_active.stat.exists ) or
       (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or
       wlan_force_issue
-

roles/up2date_debian/tasks/main.yml

@@ -1,39 +1,40 @@
 # Update lists and upgrade packages.
 
-- name: update apt package lists
+- name: Update apt package lists
-  apt:
+  ansible.builtin.apt:
     update_cache: true
     cache_valid_time: 86400
 
-- block:
+- name: Try to upgrade packages
-    - name: upgrade packages
+  block:
-      apt:
+    - name: Upgrade packages
+      ansible.builtin.apt:
         upgrade: dist
         autoremove: true
         autoclean: true
   rescue:
     - name: Looks like dpkg was interrupted, configure manually
-      command:
+      ansible.builtin.command:
         cmd: dpkg --configure -a
     - name: Try again to upgrade packages
-      apt:
+      ansible.builtin.apt:
         upgrade: dist
         autoremove: true
         autoclean: true
 
-- name: install etckeeper
+- name: Install etckeeper
-  apt:
+  ansible.builtin.apt:
     name: etckeeper
     state: latest # noqa package-latest
 
-- name: install extra packages from stable
+- name: Install extra packages from stable
-  apt:
+  ansible.builtin.apt:
     name: "{{ extra_pkgs }}"
     state: latest # noqa package-latest
   when: extra_pkgs|length
 
-- name: add {{ ansible_distribution_release }}-backports
+- name: Add backports for {{ ansible_distribution_release }}
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: >
       deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports
       main non-free-firmware
@@ -41,8 +42,8 @@
     update_cache: true
   when: extra_pkgs_bpo|length
 
-- name: install extra packages from backports
+- name: Install extra packages from backports
-  apt:
+  ansible.builtin.apt:
     name: "{{ extra_pkgs_bpo }}"
     state: latest # noqa package-latest
     default_release: "{{ ansible_distribution_release }}-backports"