*: Fix or document ansible-lint violations

.ansible-lint-ignore

+# This file contains ignores rule violations for ansible-lint
+hostkey-provider/tasks/main.yml ignore-errors
+shell/tasks/shell.yml schema[moves]
+ssh-server/tasks/main.yml no-changed-when

apt/defaults/main.yml

 ---
-# file: common/apt/defaults/main.yml
 
 apt_mirror: 'http://ftp.halifax.rwth-aachen.de/debian/'
 apt_mirror_security: 'http://security.debian.org/debian-security/'

apt/handlers/main.yml

 ---
-# file: roles/common/handlers/main.yml
 
 - name: update apt cache
-  apt: update_cache=yes
+  apt:
+    update_cache: true

apt/tasks/repositories.yml

 ---
-# file: roles/common/tasks/repositories.yml
 # yamllint disable rule:line-length
 
 - name: enable debian repositories

basic-system/handlers/main.yml

 ---
-# file: roles/common/handlers/main.yml
 
 - name: restart rsyslogd
-  service: name=rsyslog state=restarted
+  service:
+    name: rsyslog
+    state: restarted
 
 - name: restart systemd-journald
-  systemd: name=systemd-journald.service state=restarted
+  systemd:
+    name: systemd-journald.service
+    state: restarted
 
 - name: configure journal directory
   command: systemd-tmpfiles --create --prefix /var/log/journal
@@ -14,14 +17,16 @@
   command: update-initramfs -u
 
 - name: gather network facts once again
-  setup: gather_subset=network
+  setup:
+    gather_subset: network
 
 - name: gather minimal standard facts once again
-  setup: gather_subset=min
+  setup:
+    gather_subset: min
 
 - name: Remove pve directory from etckeeper repo
-  # 303 wants us to use the ansible git module, but it doesn’t
+  # ansible-lint wants us to use the ansible git module, but it doesn’t
   # provide that feature
-  shell:  # noqa 303
+  shell:  # noqa: command-instead-of-module
     chdir: /etc
     cmd: git rm --cached -r -- pve && git commit -m "'Remove pve directory'"

basic-system/tasks/logging.yml

 ---
-# file: roles/common/task/logging.yml
 
 - name: restrict dmesg access to only root
   sysctl:
@@ -24,7 +23,9 @@
     - journal
 
 - name: ensure systemd journal is persistent
-  file:
+  # Not setting permissions here is okay because the handler will correct it via
+  # tmpfiles
+  file:  # noqa: risky-file-permissions
     path: /var/log/journal
     state: directory
   when:

basic-system/tasks/main.yml

@@ -32,6 +32,9 @@
     path: /etc/.gitignore
     line: /pve
     create: true
+    owner: root
+    group: root
+    mode: "0600"
   when: etckeeper and pve_present.stat.exists
   notify:
     - Remove pve directory from etckeeper repo

basic-system/tasks/network.yml

@@ -52,6 +52,9 @@
   template:
     src: hosts.j2
     dest: /etc/hosts
+    owner: root
+    group: root
+    mode: "0644"
   when: not hosts_precious
   notify:
     - gather network facts once again

hostkey-provider/handlers/main.yml

 ---
 
 - name: re-read local facts for new hostkeys
-  setup: filter=ansible_local
+  setup:
+    filter: ansible_local

hostkey-provider/tasks/main.yml

@@ -6,6 +6,9 @@
     section: collected
     option: "{{ item.key }}"
     value: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
   with_items:
     - {key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}"}
     - {key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}"}

localization/handlers/main.yml

 ---
-# file: roles/common/handlers/main.yml
 
 - name: restart ntpd
-  service: name=ntp state=restarted
+  service:
+    name: ntp
+    state: restarted
 
 - name: restart timesyncd
-  service: name=systemd-timesyncd state=restarted
+  service:
+    name: systemd-timesyncd
+    state: restarted
 
 - name: update timezone
   command: dpkg-reconfigure --frontend noninteractive tzdata

localization/tasks/ntpd.yml

 ---
-# file: localization/tasks/ntpd.yml
 
 - name: ensure ntpd is installed
   apt:
@@ -29,6 +28,9 @@
   template:
     src: ntp.conf.j2
     dest: /etc/ntp.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - restart ntpd
   tags:

localization/tasks/timesyncd.yml

 ---
-# file: roles/common/tasks/ntp.yml
 
 - name: ensure there is no ntpd interfering
   apt:
@@ -13,6 +12,9 @@
   template:
     src: timesyncd.conf.j2
     dest: /etc/systemd/timesyncd.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - restart timesyncd
   tags:

shell/handlers/main.yml

 ---
-# file: roles/common/handlers/main.yml
 
 - name: rerun depmod
   command: depmod -ae

shell/tasks/shell.yml

 ---
-# file: roles/common/tasks/shell.yml
 
 - name: ensure installation of basic shell commands
   apt:
@@ -69,7 +68,9 @@
     - shell
 
 - name: ensure we have an up-to-date version of grml-zsh-config
-  get_url:
+  # Skip risky-file-permissions check because this runs locally, and we don’t
+  # even know who the local user running Ansible is.
+  get_url:  # noqa: risky-file-permissions
     url: https://www.archlinux.org/packages/extra/any/grml-zsh-config/download/
     dest: "{{ role_path }}/files/"
   delegate_to: localhost
@@ -99,6 +100,9 @@
   copy:
     src: /etc/skel/.zshrc
     dest: /root/.zshrc
+    owner: root
+    group: root
+    mode: "0644"
     remote_src: true
   tags:
     - config

shell/tasks/sudo.yml

 ---
-# file: roles/common/tasks/sudo.yml
 
 - name: ensure sudo is installed
   apt:

ssh-server/defaults/main.yml

 ---
-# file: common/ssh-server/defaults/main.yml
 
 ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
 ssh_mkhomedir: true

ssh-server/tasks/main.yml

 ---
-# file: roles/common/tasks/sshd.yml
 
 - name: ensure sshd is installed
   apt: