diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000000000000000000000000000000000000..29a4403d06fd38b8a65908ecb43b92efb20849dd
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,2 @@
+skip_list:
+  - 208
\ No newline at end of file
diff --git a/roles/base/tasks/gwvpn.yml b/roles/base/tasks/gwvpn.yml
index c83b9691085b2d494fe7f8579f6be67620af96ce..df0f4af202aca85c69057a5e39108cd830d8144b 100644
--- a/roles/base/tasks/gwvpn.yml
+++ b/roles/base/tasks/gwvpn.yml
@@ -41,6 +41,7 @@
 # download public keys to your local machine
 - name: create public key files
   shell:
+    creates: /etc/fastd/ffhl_mesh_gwvpn/pubkey.key
     cmd: fastd --show-key -c /etc/fastd/ffhl_mesh_gwvpn/fastd.conf > /etc/fastd/ffhl_mesh_gwvpn/pubkey.key
 
 - name: fetch public keys
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 15e810404c592b2035044b0e7c9e1a1ca38b40e2..d20097caad601a39ef885f5b58c0a7cab3cb85b2 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -54,8 +54,10 @@
 - name: networkd templates
   tags: [systemd-networkd]
   block:
-    - template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev
-    - template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network
+    - name: apply network templates
+      template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev
+    - name: apply netowrk templates
+      template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network
     - name: copy network configs
       copy: src=systemd-networkd/ dest=/etc/systemd/network/
     - name: restart systemd-networkd
@@ -66,8 +68,10 @@
 - name: template iptables
   tags: [iptables, network]
   block:
-    - template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4
-    - template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6
+    - name: iptables4 template
+      template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4
+    - name: iptables6 template
+      template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6
     - name: reload iptables
       systemd:
         state: restarted
diff --git a/roles/base/tasks/mesh-vpn.yml b/roles/base/tasks/mesh-vpn.yml
index 7734778dc6849eb47780e413ed275615d38a3783..97216ee67ac50b2836a2cd521d3a65414d8e9f0a 100644
--- a/roles/base/tasks/mesh-vpn.yml
+++ b/roles/base/tasks/mesh-vpn.yml
@@ -32,6 +32,7 @@
     repo: git@git.luebeck.freifunk.net:FreifunkLuebeck/fastd-keys.git
     dest: /var/local/ffhl-mesh-vpn-peers
     accept_hostkey: yes
+    version: HEAD
 
 - name: add post-merge hook
   template:
diff --git a/roles/base/tasks/powerdns.yml b/roles/base/tasks/powerdns.yml
index fc3158c986539791069dd1b90ae6137bb9f4dd7d..e55664ff762fcaabda29338e7085498ab9a98430 100644
--- a/roles/base/tasks/powerdns.yml
+++ b/roles/base/tasks/powerdns.yml
@@ -26,6 +26,7 @@
     repo: "{{ dns_repo_url }}"
     dest: /var/local/ffhl-dns
     accept_hostkey: yes
+    version: HEAD
 
 - name: remove default bind-backend config
   file:
diff --git a/roles/base/tasks/units.yml b/roles/base/tasks/units.yml
index 3441b35909b203fec5d16f95e42341f666f2ba63..ce214107aad456ccb3ebe1ed5e61173fff8b6424 100644
--- a/roles/base/tasks/units.yml
+++ b/roles/base/tasks/units.yml
@@ -1,7 +1,13 @@
 ---
-- command: systemctl mask display-manager.service
 
-- command: systemctl daemon-reload
+- name: mask display-manager
+  systemd:
+    masked: yes
+    name: display-manager.service
+
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
 
 # - name: stop bird
 #   systemd:
diff --git a/roles/base/tasks/update.yml b/roles/base/tasks/update.yml
index 2dd4d0168e682b09f004fb3ff69d33df97ddf85f..1dbf223d0d222ff37b02d3f7bda5308b39b874d3 100644
--- a/roles/base/tasks/update.yml
+++ b/roles/base/tasks/update.yml
@@ -1,8 +1,12 @@
 ---
-- lineinfile:
+
+- name: check and add apt sources.list contents
+  lineinfile:
     path: /etc/apt/sources.list
     regexp: '^deb .* main'
-    line: deb http://deb.debian.org/debian stable main
+    line: deb http://deb.debian.org/debian bullseye main
+
 - name: update the system
   apt:
     update_cache: yes
+    upgrade: safe
diff --git a/roles/ffrhein-uplink/tasks/main.yml b/roles/ffrhein-uplink/tasks/main.yml
index 11f43e233d62596bd732990f47d8f6923362b470..4373961f498c384d345a28a09acc93beea4eed5a 100644
--- a/roles/ffrhein-uplink/tasks/main.yml
+++ b/roles/ffrhein-uplink/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
-- lineinfile: state=present dest=/etc/iptables/iptables.rules line="-A POSTROUTING -o {{ snat_dev }} -j SNAT --to-source {{ snat_ip4 }}" insertafter="^\*nat$"
-- template: src=03-public-ip.network.j2 dest=/etc/systemd/network/03-public-ip.network
-- template: src=bird_ffrhein.conf.j2 dest=/etc/bird/bird_ffrhein.conf
+- name: add iptables rules
+  lineinfile: state=present dest=/etc/iptables/iptables.rules line="-A POSTROUTING -o {{ snat_dev }} -j SNAT --to-source {{ snat_ip4 }}" insertafter="^\*nat$"
+- name: add systemd-networkd .network configs
+  template: src=03-public-ip.network.j2 dest=/etc/systemd/network/03-public-ip.network
+- name: brid routing config
+  template: src=bird_ffrhein.conf.j2 dest=/etc/bird/bird_ffrhein.conf
   tags:
     - bird
diff --git a/roles/icvpn/tasks/main.yml b/roles/icvpn/tasks/main.yml
index 3fe5d8ebcf4c3b367452f708b9b420579fffad1e..032a84a5a97a8304130197ae1ec109b714b50c6f 100644
--- a/roles/icvpn/tasks/main.yml
+++ b/roles/icvpn/tasks/main.yml
@@ -30,6 +30,7 @@
   git:
     repo: https://github.com/freifunk/icvpn.git
     dest: /etc/tinc/icvpn
+    version: HEAD
 
 - name: apply config template
   tags: [icvpn]
diff --git a/roles/icvpn/tasks/units.yml b/roles/icvpn/tasks/units.yml
index 5c645e86be995d9f38c894565f0df480da333918..c03a999533c73e325cf01a02715ccc05e193729f 100644
--- a/roles/icvpn/tasks/units.yml
+++ b/roles/icvpn/tasks/units.yml
@@ -1,5 +1,6 @@
 ---
-- systemd:
+- name: restart and enable units
+  systemd:
     enabled: yes
     state: restarted
     name: "{{ item }}"