diff --git a/playbooks/luna.yml b/playbooks/luna.yml
index 3617b546dabd3399e56bf0b90f1f74d11150f7fb..0441ad96a5a8c577db31f6c0895dfbd1be413a97 100644
--- a/playbooks/luna.yml
+++ b/playbooks/luna.yml
@@ -5,7 +5,7 @@
   remote_user: root
   tasks:
     - name: open firewall holes for services
-      firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+      ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
       with_items:
         - http
         - https
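Review bot: Switching to the fully qualified `ansible.posix.firewalld` name here, and in every other firewalld hunk of this commit, makes the playbooks depend on the `ansible.posix` collection being installed on the control node, and no collection requirements change is visible in this diff. If the collection is not already declared elsewhere, add it with a pinned version to the project's Galaxy requirements file, so that firewall rules are always applied by a known module version rather than whatever happens to be installed. The `with_items` list of this task continues outside the hunk.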
@@ -17,7 +17,7 @@
         - firewall
 
     - name: open firewall holes for ports
-      firewalld: port={{ item }} permanent=true state=enabled immediate=yes
+      ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
       with_items:
         - 6969/tcp
         - 4949/tcp
diff --git a/playbooks/tasks/fetch-borg-keys.yml b/playbooks/tasks/fetch-borg-keys.yml
index 9ef97ce4a27b6f198422bdc56805e3f51d6f0d4f..778dd698e0927abeaacb4f8286b0eaab9da26f6d 100644
--- a/playbooks/tasks/fetch-borg-keys.yml
+++ b/playbooks/tasks/fetch-borg-keys.yml
@@ -4,7 +4,7 @@
   hosts: 127.0.0.1
   tasks:
       - name: create borg-keys directory
-        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=preserve
+        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=preserve  # noqa 208
 
 - name: fetch borg keys
   hosts: borg_clients
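Review bot: The added `# noqa 208` silences the linter's file-permission warning on the directory that will hold the fetched borg keys instead of fixing what it warns about. `mode=preserve` is documented for the copy and template modules rather than for `file`, so the directory presumably ends up with umask-default permissions. Since this directory stores key material on the control host, set an explicit restrictive mode and drop the suppression: `file: path="{{ playbook_dir }}/../../borg-keys/" state=directory mode=0700`. The "fetch borg keys" play that starts at the end of this hunk continues outside it.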
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index e4d34ee9412cd948f85cf3ec531ac62fab5aeee7..6b8d049608c10ed28906048794cd63a574f22eba 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -172,7 +172,12 @@
 - name: deploy new smartgit release
   become: true
   become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/smartgit.ini state=touch mode=preserve
+  file:
+    path: /etc/uwsgi/vassals/smartgit.ini
+    state: touch
+    owner: "{{ aurweb_user }}"
+    group: http
+    mode: 0644
   when: git.changed
 
 - name: create git repo dir
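Review bot: `mode: 0644` in the new `file:` mapping is an unquoted number with a leading zero, which only YAML 1.1 loaders read as octal; quote it as `mode: "0644"`, as the Ansible documentation recommends, so the permission can never be taken as decimal 644. The task also runs with `become_user: "{{ aurweb_user }}"` while setting `group: http`, and an unprivileged user can only change a file's group to one it belongs to, so this presumably relies on that user being a member of `http`; worth confirming. Replacing `mode=preserve` also means every deploy now resets the vassal file to these fixed permissions.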
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 8481c81c4868452bdca737ebfeea16356cbc9aad..1e74e004696a705962d11f24716c95c683f667c2 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -23,7 +23,7 @@
     daemon_reload: yes
 
 - name: open firewall holes for certbot standalone authenticator
-  firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - http
   when: configure_firewall
diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index b92b1d26e357e57117d7b1f73df94272293a1548..198b7b8171de5a23aab72aaf6ea290a310260c97 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -295,7 +295,7 @@
   service: name=rsyncd.socket enabled=yes state=started
 
 - name: open firewall holes for rsync
-  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
@@ -307,7 +307,7 @@
   service: name=svnserve enabled=yes state=started
 
 - name: open firewall holes for svnserve
-  firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 57b9662ee70f47288bd232ae18012829fb19da21..b6a3e34d2327fbdca69a6e3e5ea3c4e413088a21 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -21,7 +21,7 @@
   service: name=dovecot enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - pop3
     - pop3s
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
index 39de6c7418b33b80fe0d8206557826c5eef3dacd..c18233bd4a58a1cc78eeac6fbb3509f87b639336 100644
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
@@ -17,7 +17,7 @@
     state: "{{ configure_firewall | ternary('started', 'stopped') }}"
 
 - name: disable default dhcpv6-client rule
-  firewalld:
+  ansible.posix.firewalld:
     service: dhcpv6-client
     state: disabled
     immediate: yes
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index f6048f3168e48bdf826b092539f808f266a51b55..39860b0a15814793238b9e72cf48e90063d1cd95 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -86,7 +86,7 @@
       - "/srv/gitlab/data:/var/opt/gitlab"
 
 - name: open firewall holes
-  firewalld: port={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   when: configure_firewall
   with_items:
     - "80/tcp"
@@ -97,7 +97,7 @@
     - firewall
 
 - name: make docker0 interface trusted
-  firewalld: interface=docker0 zone=trusted permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: interface=docker0 zone=trusted permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
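Review bot: The `interface=docker0 zone=trusted` rule carried over by this rename has no comment explaining why the bridge is trusted, and firewalld's trusted zone accepts all connections, so containers on docker0 can reach every port the host listens on. A comment above the task would record that this is deliberate, for example `# docker0 is placed in the trusted zone so containers can reach host services; everything listening on the host is reachable from containers`. The same applies to the identical task in roles/gitlab_runner/tasks/main.yml. If only specific ports are needed, a dedicated zone limited to those ports would be the tighter choice.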
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index f1a70b46cb7035311966dd3974cf9de978016026..cebed672cbab8ebb6e8a520c5943bd9a3914e85c 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -8,7 +8,7 @@
   systemd: name=docker enabled=yes state=started daemon_reload=yes
 
 - name: make docker0 interface trusted
-  firewalld: interface=docker0 zone=trusted permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: interface=docker0 zone=trusted permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index a3d3a781e1e2a90a4a6658e3951031b8d1cd3565..5e6fc1e80f128c537393ef3ef7b1f20191e59e4d 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -27,7 +27,7 @@
   service: name=keycloak enabled=yes state=started
 
 - name: open firewall hole
-  firewalld: port={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   when: configure_firewall
   with_items:
     - 80/tcp
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
index 3242ab0f9008f6980592c8f7518cc6140c30cdaa..125f563768dc16bdcf5c5c9f982722389ec0942a 100644
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -195,7 +195,7 @@
     - restart matrix-appservice-irc
 
 - name: open firewall holes
-  firewalld: port={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - 113/tcp
   when: configure_firewall
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 1a882844e7c2ee84e4f666c0c45599588f675274..44302870162eb96fa70d8da877669d6925579b98 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -56,7 +56,7 @@
   service: name=nginx enabled=yes
 
 - name: open firewall holes
-  firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - http
     - https
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index b2dbd6a6369a1560802462922ef643221ded9cef..256b398fd27a74b01cb342a42f97a4f8facc2646 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -104,7 +104,7 @@
     create_home: no
 
 - name: open firewall holes
-  firewalld: service={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - smtp
     - smtp-submission
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index c6a801e58f87bd77063e3d9aa55e8373d78253ad..043cf87da9428c3659cd15dd51bd19aa1a1d5096 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -67,7 +67,7 @@
   when: postgres_ssl == 'on'
 
 - name: open firewall holes to known postgresql ipv4 clients
-  firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
   with_items: "{{ postgres_ssl_hosts4 }}"
   when: configure_firewall
@@ -75,7 +75,7 @@
     - firewall
 
 - name: open firewall holes to known postgresql ipv6 clients
-  firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
   with_items: "{{ postgres_ssl_hosts6 }}"
   when: configure_firewall
diff --git a/roles/prometheus_exporters/tasks/main.yml b/roles/prometheus_exporters/tasks/main.yml
index cfb743e6baee22dafff3a4b297002762638096b4..93af5f68b097a6b8c723a3f0d1ea1bde47e5d098 100644
--- a/roles/prometheus_exporters/tasks/main.yml
+++ b/roles/prometheus_exporters/tasks/main.yml
@@ -110,21 +110,21 @@
   when: "'memcached' in group_names"
 
 - name: open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
-  firewalld: state=enabled permanent=true immediate=yes
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
         rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
   when: "'prometheus' not in group_names"
 
 - name: open gitlab exporter ipv4 port for monitoring.archlinux.org
-  firewalld: state=enabled permanent=true immediate=yes
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
         rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
   when: "'gitlab_runners' in group_names"
 
 - name: open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
-  firewalld: state=enabled permanent=true immediate=yes
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
         rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
   when: "'mysql_servers' in group_names"
 
 - name: open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
-  firewalld: state=enabled permanent=true immediate=yes
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
         rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
   when: "'memcached' in group_names"
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
index d825bbfb18d76df5879abc8ad2cf440cc80d7d3b..0b92884bdb0fd299747022ffa6f044d78b3f4e34 100644
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -57,7 +57,7 @@
     - clean-quassel.timer
 
 - name: open firewall holes
-  firewalld: port={{ item }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - 4242/tcp
     - 113/tcp
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 1c889b302a37d710ac9d19f637ea91ca984c65e1..821a1f29ec6fffacbfa5eac4d5c87b73a059c4c9 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -22,7 +22,7 @@
   service: name=sshd enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=ssh permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service=ssh permanent=true state=enabled immediate=yes
   when: configure_firewall is defined and configure_firewall
   tags:
     - firewall
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 5e42a837c5eced00dd148f0b8bec40015207e7dd..9f7f8b902e7803028394847c77a4d23c12fbc6ae 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -51,7 +51,7 @@
   tags: ['nginx']
 
 - name: open firewall holes
-  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
diff --git a/roles/zabbix_agent/tasks/main.yml b/roles/zabbix_agent/tasks/main.yml
index a888bef04ba7b86d851a57b8d4fb6ac24d72c562..7476329a31c0c0e183174a5f7ccf57b6af6508ad 100644
--- a/roles/zabbix_agent/tasks/main.yml
+++ b/roles/zabbix_agent/tasks/main.yml
@@ -122,7 +122,7 @@
   service: name=zabbix-agent enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=zabbix-agent permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service=zabbix-agent permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall
diff --git a/roles/zabbix_server/tasks/main.yml b/roles/zabbix_server/tasks/main.yml
index f3c7fe6ee194fb8e9b4ac6f656e35d11d5d54968..35aeb15bc36c4b2dfa25ee9ca150203c2c9f6369 100644
--- a/roles/zabbix_server/tasks/main.yml
+++ b/roles/zabbix_server/tasks/main.yml
@@ -75,7 +75,7 @@
   service: name=php-fpm@zabbix-web.socket state=started enabled=true
 
 - name: open firewall holes
-  firewalld: service=zabbix-server permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service=zabbix-server permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
     - firewall