diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000000000000000000000000000000000000..cca80e2e16c9ee5298e8a5bcf9f77c130fdc3d8e
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,19 @@
+---
+
+extends: default
+
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+  octal-values:
+    forbid-implicit-octal: true
+    level: warning
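Review bot: The `octal-values` rule is set to `level: warning`, so an unquoted `mode: 0644` added later is reported but does not fail the lint run unless yamllint is invoked with `--strict`. Most of this commit quotes file modes, so `level: error` here would stop that from regressing. Adding `forbid-explicit-octal: true` next to `forbid-implicit-octal: true` would cover the `0o644` spelling as well.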
diff --git a/dhcp-server/defaults/main.yml b/dhcp-server/defaults/main.yml
index 061e510cc4f28113c71dec089cff04dd4d94288a..c82aae8385ae04558989f03a6ac7a935c2e20532 100644
--- a/dhcp-server/defaults/main.yml
+++ b/dhcp-server/defaults/main.yml
@@ -9,7 +9,7 @@ dhcp_fixed_hosts: []
 dhcp_options: []
 dhcp_default_lease_time: "12h"
 dhcp_max_leases: 150
-dhcp_authoritative: yes
+dhcp_authoritative: true
 
-tftp_active: yes
+tftp_active: true
 tftp_root: /srv/tftp
diff --git a/dhcp-server/tasks/main.yml b/dhcp-server/tasks/main.yml
index 0ac61a4508594b17dd7c32e745a801f1cbfe4b1c..14a78f4dda8ed7b2b62727295b476dd9ae7904ba 100644
--- a/dhcp-server/tasks/main.yml
+++ b/dhcp-server/tasks/main.yml
@@ -14,7 +14,7 @@
   group:
     name: dnsmasq
     state: present
-    system: yes
+    system: true
   tags:
     - dhcp-server
 
@@ -22,7 +22,7 @@
   user:
     name: dnsmasq
     state: present
-    system: yes
+    system: true
     group: dnsmasq
   tags:
     - dhcp-server
@@ -42,7 +42,7 @@
     state: directory
     owner: "{{ dnsmasq_user }}"
     group: "{{ dnsmasq_group }}"
-    mode: 0755
+    mode: '0755'
   when: tftp_active
   tags:
     - dhcp-server
@@ -51,6 +51,6 @@
   service:
     name: dnsmasq
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - dhcp-server
diff --git a/mrtg/defaults/main.yml b/mrtg/defaults/main.yml
index 3c692a83738147617f115102a10328dff7d75f4e..3b9cc091cb7881f2e95dcef48d7890f0a58b3a12 100644
--- a/mrtg/defaults/main.yml
+++ b/mrtg/defaults/main.yml
@@ -5,7 +5,8 @@ mrtg_switches:
   - router: "switch"
     community: "public"
 
-use_weathermap: yes
+use_weathermap: true
 weathermap_placement_strategy: "graphviz"
 weathermap_colorscale: "viridis"
+# yamllint disable-line rule:line-length
 weathermap_colorscale_hash: "sha256:389c7a479cd64136ad5bf49daab59358437f69cf3c74cf74f958b093c7df50fd"
diff --git a/mrtg/tasks/main.yml b/mrtg/tasks/main.yml
index 72bb3693c1d1e1c1ebe63ce4ade25f1095a0baa3..64cffdcfc330c68464932e21c0855f0f3d18c6e7 100644
--- a/mrtg/tasks/main.yml
+++ b/mrtg/tasks/main.yml
@@ -2,31 +2,56 @@
 # file: shared-roles/network/mrtg
 
 - name: ensure mrtg is installed
-  apt: name=mrtg state=present
+  apt:
+    name: mrtg
+    state: present
   tags: mrtg
 
 - name: ensure there is a group
-  group: name=mrtg state=present system=yes
+  group:
+    name: mrtg
+    state: present
+    system: true
   tags: mrtg
 
 - name: ensure we have a user
-  user: name=mrtg group=mrtg state=present system=yes shell=/usr/sbin/nologin home=/var/www createhome=no
+  user:
+    name: mrtg
+    group: mrtg
+    state: present
+    system: true
+    shell: /usr/sbin/nologin
+    home: /var/www
+    createhome: false
   tags: mrtg
 
 - name: ensure we have the web directory
-  file: owner=mrtg group=www-data path=/var/www/mrtg state=directory mode="u+rwx,g+rxs"
+  file:
+    owner: mrtg
+    group: www-data
+    path: /var/www/mrtg
+    state: directory
+    mode: "u+rwx,g+rxs"
   tags: mrtg
 
 - name: create the config
+  # yamllint disable-line rule:line-length
   command: "cfgmaker --output /etc/mrtg.cfg {% for switch in mrtg_switches %} --ifdesc=alias {{switch['community']}}@{{switch['router']}}:::::2 {% endfor %}"
   tags: mrtg
 
 - name: ensure the mrtg user can read the mrtg config file
-  file: path=/etc/mrtg.cfg group=mrtg
+  file:
+    path: /etc/mrtg.cfg
+    group: mrtg
   tags: mrtg
 
 - name: ensure the mrtg user can read and write directories
-  file: path="{{item}}" state=directory owner=mrtg group=mrtg mode=0755
+  file:
+    path: "{{item}}"
+    state: directory
+    owner: mrtg
+    group: mrtg
+    mode: '0755'
   with_items:
     - /var/lib/mrtg
     - /var/log/mrtg
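Review bot: The converted `file` task for `/etc/mrtg.cfg` sets only `group: mrtg`, so the file's owner and mode are left to whatever `cfgmaker` and the umask produced. The `cfgmaker` command above is given `community@router` targets, so the generated config most likely contains the SNMP community strings and should not be world-readable. Adding `owner: root` and `mode: '0640'` to that task would pin this while still letting the mrtg group read it. The last task in this hunk continues past its end.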
@@ -38,26 +63,31 @@
     dest: /etc/tmpfiles.d/10-mrtg.conf
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - create tmpfiles
   tags: mrtg
 
 - name: create an index HTML page
+  # yamllint disable-line rule:line-length
   command: "indexmaker --output /var/www/mrtg/index.html --title='Traffic of {{domain}}' --columns=3 --pagetop='{% for switch in mrtg_switches %}<a href=\"index-{{switch['router']}}.html\"><b>{{switch['router']}}</b>.{{domain}}</a> {% endfor %} {% if use_weathermap %}<a href=\"weathermap.html\">Weathermap</a>{%endif %}' /etc/mrtg.cfg"
-  become: yes
+  become: true
   become_user: mrtg
   tags: mrtg
 
 - name: create separate index HTML pages
+  # yamllint disable-line rule:line-length
   command: "indexmaker --output /var/www/mrtg/index-{{item['router']}}.html --title {{item['router']}}.{{domain}} --filter name=~{{item['router']}}_[0-9]+ --columns=3 --pagetop='<a href=\"index.html\">back</a>' /etc/mrtg.cfg"
   with_items: "{{mrtg_switches}}"
-  become: yes
+  become: true
   become_user: mrtg
   tags: mrtg
 
 - name: ensure we have our cron entry
-  copy: src=cron-entry dest=/etc/cron.d/mrtg mode=0544
+  copy:
+    src: cron-entry
+    dest: /etc/cron.d/mrtg
+    mode: '0544'
   tags: mrtg
 
 - import_tasks: weathermap.yml
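Review bot: The cron entry task carries over `mode: '0544'` and sets no `owner` or `group`. A file in `/etc/cron.d` does not need an execute bit, and its ownership currently depends on how the play connects. Spelling out `owner: root`, `group: root` and `mode: '0644'`, as the tmpfiles task at the top of this hunk does, would make the intended permissions explicit.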
diff --git a/mrtg/tasks/weathermap.yml b/mrtg/tasks/weathermap.yml
index 4ee13f675487f3f7223ab7c076f716fe50e96e72..b64833fba2e7a2c547da07f911005940fcb8afc0 100644
--- a/mrtg/tasks/weathermap.yml
+++ b/mrtg/tasks/weathermap.yml
@@ -20,23 +20,27 @@
   tags: weathermap
 
 - name: install rotten php requirements
-  pear: name=Console_Getopt state=present
+  pear:
+    name: Console_Getopt
+    state: present
   tags: weathermap
 
 - name: get the weathermap package
   get_url:
+    # yamllint disable-line rule:line-length
     url: https://github.com/howardjones/network-weathermap/releases/download/version-0.98/php-weathermap-0.98.zip
     dest: /opt/weathermap.zip
+    # yamllint disable-line rule:line-length
     checksum: sha256:ab058229392e9f314ee39fddb5d57a7127a53a7f21d2914f5d52e928bb321b7c
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags: weathermap
 
 - name: unpack the weathermap package
   unarchive:
     src: /opt/weathermap.zip
-    remote_src: yes
+    remote_src: true
     dest: /opt/
   tags: weathermap
 
@@ -48,18 +52,22 @@
   tags: weathermap
 
 - name: upload the weathermap script
-  copy: src=makeweather.py dest=/root/makeweather.py
+  copy:
+    src: makeweather.py
+    dest: /root/makeweather.py
   tags: weathermap
 
 - name: get the weathermap colorscale
   get_url:
     dest: /root/colorscale.pal
+    # yamllint disable-line rule:line-length
     url: "https://raw.githubusercontent.com/Gnuplotting/gnuplot-palettes/master/{{weathermap_colorscale}}.pal"
     checksum: "{{weathermap_colorscale_hash}}"
   when: weathermap_colorscale is not none
   tags: weathermap
 
 - name: create the weathermap config
+  # yamllint disable-line rule:line-length
   script: "makeweather.py {{weathermap_placement_strategy}} --colorscale /root/colorscale.pal"
   tags: weathermap
 
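Review bot: The "create the weathermap config" task always passes `--colorscale /root/colorscale.pal`, but the download above it is skipped when `weathermap_colorscale` is none. In that case the script gets either a missing file or a stale one from an earlier run that no longer matches the configured checksum. Guarding the argument with the same condition would keep the two tasks consistent, assuming `makeweather.py` accepts a call without it: `{% if weathermap_colorscale is not none %} --colorscale /root/colorscale.pal{% endif %}`.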
@@ -69,16 +77,16 @@
     dest: /var/www/mrtg/
     owner: mrtg
     group: www-data
-    mode: 0644
+    mode: '0644'
   tags: weathermap
 
 - name: create the weathermap regularly
   cron:
     name: "create weathermap"
     minute: "*/5"
+    # yamllint disable-line rule:line-length
     job: "cd /opt/weathermap && /opt/weathermap/weathermap --config /etc/weathermap.conf --output /var/www/mrtg/weathermap.png"
     state: present
     user: mrtg
     cron_file: weathermap
   tags: weathermap
-    
diff --git a/networkd/defaults/main.yml b/networkd/defaults/main.yml
index 00c368f17caf5ae1836fe7bdc28195c2dd3ea36c..da5c013aebf3745785ce2840c43bc4197e59bfeb 100644
--- a/networkd/defaults/main.yml
+++ b/networkd/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 
-networkd_type: 'dhcp' # or: 'static', 'bond'
+networkd_type: 'dhcp'  # or: 'static', 'bond'
 
 # for static type only
 networkd_address: 10.10.10.10/24
@@ -8,17 +8,19 @@ networkd_gateway: 10.10.10.1
 
 # for bond type only
 networkd_bond: bond1
-networkd_bond_devices: [ eth0, eth1 ]
+networkd_bond_devices:
+  - eth0
+  - eth1
 networkd_bond_vlans:
   - id: 23
     name: storage
-    bridge: no
+    bridge: false
     address: 10.10.10.10/24
   - id: 42
     name: public
-    bridge: yes
+    bridge: true
     address: 10.10.12.22/24
     gateway: 10.10.12.1
   - id: 69
     name: transport
-    bridge: yes
+    bridge: true
diff --git a/networkd/handlers/main.yml b/networkd/handlers/main.yml
index 19aee0c90bbf64005d14e5466cfc27b407657836..5d5ae547730975fd2c3158c3053675248776ea8a 100644
--- a/networkd/handlers/main.yml
+++ b/networkd/handlers/main.yml
@@ -2,4 +2,3 @@
 
 - name: restart networkd
   service: name=systemd-networkd state=restarted
-
diff --git a/networkd/tasks/main.yml b/networkd/tasks/main.yml
index dae9c5c4987109b2f2d31a546a5bbabc34849bb9..a52b1346521464b408502d85c3130464fc622a71 100644
--- a/networkd/tasks/main.yml
+++ b/networkd/tasks/main.yml
@@ -6,7 +6,7 @@
     dest: /etc/systemd/network/20-wired.network
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - restart networkd
 
@@ -43,16 +43,16 @@
         dest: /etc/systemd/network/{{ networkd_bond }}.netdev
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       notify:
         - restart networkd
-    - name: ensure bond network is configured   
+    - name: ensure bond network is configured
       template:
         src: bond.network.j2
         dest: /etc/systemd/network/{{ networkd_bond }}.network
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       notify:
         - restart networkd
     - name: ensure vlan netdevs are configured
@@ -61,7 +61,7 @@
         dest: /etc/systemd/network/vl-{{ item.name }}.netdev
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       with_items: "{{ networkd_bond_vlans }}"
       notify:
         - restart networkd
@@ -71,7 +71,7 @@
         dest: /etc/systemd/network/vl-{{ item.name }}.network
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       with_items: "{{ networkd_bond_vlans }}"
       notify:
         - restart networkd
@@ -81,7 +81,7 @@
         dest: /etc/systemd/network/vmbr-{{ item.name }}.netdev
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       with_items: "{{ networkd_bond_vlans }}"
       when: item.bridge == True
       notify:
@@ -92,7 +92,7 @@
         dest: /etc/systemd/network/vmbr-{{ item.name }}.network
         owner: root
         group: root
-        mode: 0644
+        mode: '0644'
       with_items: "{{ networkd_bond_vlans }}"
       when: item.bridge == True
       notify:
@@ -103,13 +103,13 @@
   service:
     name: systemd-networkd
     state: started
-    enabled: yes
+    enabled: true
 
 - name: ensure legacy methods are disabled
   systemd:
     name: networking
-    enabled: no
-  ignore_errors: yes
+    enabled: false
+  ignore_errors: true
 
 - name: ensure legacy methods are really disabled
   apt:
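Review bot: `ignore_errors: true` on "ensure legacy methods are disabled" hides every failure of that task, not only the case where the `networking` unit does not exist. A host could then keep the legacy service enabled alongside systemd-networkd without the play reporting it. Registering the result and using a `failed_when:` that tolerates only the missing-unit case would keep the best-effort intent while surfacing real errors. The following apt task starts at the end of the hunk and its arguments are not visible, so it may already cover part of this.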
@@ -119,5 +119,4 @@
 - name: ensure we wait for network to be online
   service:
     name: systemd-networkd-wait-online
-    enabled: yes
-
+    enabled: true
diff --git a/radius-client/handlers/main.yml b/radius-client/handlers/main.yml
index 2fcdc8e9fe784c6e1510c4f750a54f31bd925879..e5bc998f1f78bb7c1f7fd6c70a2b8a2ef93a10e3 100644
--- a/radius-client/handlers/main.yml
+++ b/radius-client/handlers/main.yml
@@ -14,4 +14,3 @@
 
 - name: restart wpasupplicant@enp2s0
   service: name=wpa_supplicant-wired@enp2s0 state=restarted
-
diff --git a/radius-client/tasks/main.yml b/radius-client/tasks/main.yml
index 7675c3b26c5d05c7137da2526c1fe6b2cf0deab8..0780ca31f10e66c3b99db046a8d79c82e626fd87 100644
--- a/radius-client/tasks/main.yml
+++ b/radius-client/tasks/main.yml
@@ -6,14 +6,14 @@
     state: present
   tags:
     - 8021x
- 
+
 - name: copy host certificate
   copy:
     src: "{{ radius_certs_dir }}/{{ inventory_hostname }}.{{ item }}"
     dest: "/etc/wpa_supplicant/{{ inventory_hostname }}.{{ item }}"
     owner: root
     group: root
-    mode: 0400
+    mode: '0400'
   with_items:
     - pem
     - key
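Review bot: The "copy host certificate" task also copies the `key` item, and when the play runs with `--diff` the copy module can print changed file content. That would put the private key into the run output and into any log that captures it. Adding `diff: false` (or `no_log: true`) to the task avoids this. The task continues past the end of the hunk, so it may already be set there.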
@@ -23,10 +23,11 @@
 - name: configure wpasupplicant
   template:
     src: wpa_supplicant.j2
+    # yamllint disable-line rule:line-length
     dest: "/etc/wpa_supplicant/wpa_supplicant-wired-{{ ansible_default_ipv4.interface }}.conf"
     owner: root
     group: root
-    mode: 0640
+    mode: '0640'
   notify:
     - "restart wpasupplicant@{{ ansible_default_ipv4.interface }}"
   tags:
@@ -48,7 +49,7 @@
     dest: /usr/local/bin/wpa_wait.sh
     owner: root
     group: root
-    mode: 0755
+    mode: '0755'
   tags:
     - 8021x
 
@@ -58,7 +59,7 @@
     path: /etc/systemd/system/systemd-networkd.service.d
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - 8021x
 
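Review bot: If this task creates the drop-in directory `/etc/systemd/system/systemd-networkd.service.d` (the module name and `state` are outside the hunk), `mode: '0644'` leaves the directory without the search bit. Only root could then traverse it, and the files inside become unreadable to other users regardless of their own mode. A directory would normally get `mode: '0755'`; `'0644'` belongs on the `override.conf` written in the next hunk.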
@@ -68,7 +69,7 @@
     dest: /etc/systemd/system/systemd-networkd.service.d/override.conf
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - reload systemd service files
   tags:
@@ -80,7 +81,6 @@
   service:
     name: "wpa_supplicant-wired@{{ ansible_default_ipv4.interface }}"
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - 8021x
-
diff --git a/radius-server/defaults/main.yml b/radius-server/defaults/main.yml
index 1c7ce992972762a2654e93c029876833b1cda3e8..017fa5cea4473e8ab336bc3fd7dfde6abba271f4 100644
--- a/radius-server/defaults/main.yml
+++ b/radius-server/defaults/main.yml
@@ -40,8 +40,9 @@ radius_vlan_assignments:
 
 radius_tunnel_checks:
   - station: OtherStationSSID
+    # yamllint disable-line rule:line-length
     condition: '(Ldap-Group == "CN=vlan42,CN=Users,DC=asta,DC=rwth-aachen,DC=de") || (&User-Name =~ /^host\/.*\.example\.com$/ )'
     error: 'Not allowed to use this SSID'
+  # yamllint disable-line rule:line-length
   - condition: '(&User-Name =~ /^host\/.*\.example\.com$/ ) || (Ldap-Group == "CN=foobar,CN=Users,DC=asta,DC=rwth-aachen,DC=de")'
     error: 'User not allowed'
-
diff --git a/radius-server/tasks/main.yml b/radius-server/tasks/main.yml
index 1bf1e3dc7d1f8bd40a438f712eb4f649b7dc6db3..d1f0a96616b485fb228a34e2c99e660f9dae5598 100644
--- a/radius-server/tasks/main.yml
+++ b/radius-server/tasks/main.yml
@@ -21,7 +21,7 @@
     dest: /etc/freeradius/3.0/certs/
     owner: root
     group: freerad
-    mode: 0640
+    mode: '0640'
   with_items:
     - dh
     - cacert.pem
@@ -39,7 +39,7 @@
     dest: "/etc/freeradius/3.0/{{ item }}"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   with_items:
     - mods-available/eap
     - mods-available/ldap
@@ -55,7 +55,7 @@
     dest: "/etc/freeradius/3.0/{{ item }}"
     owner: root
     group: freerad
-    mode: 0640
+    mode: '0640'
   with_items:
     - mods-available/mschap
     - mods-available/realm
@@ -71,7 +71,7 @@
     - reload freeradius
   tags:
     - freeradius
-      
+
 - name: enable freeradius server modules
   file:
     src: "/etc/freeradius/3.0/mods-available/{{ item }}"