diff --git a/roles/bitwarden/tasks/main.yaml b/roles/bitwarden/tasks/main.yaml
index 60abf1e..b129c52 100644
--- a/roles/bitwarden/tasks/main.yaml
+++ b/roles/bitwarden/tasks/main.yaml
@@ -4,6 +4,7 @@
   file:
     path: "{{ bitwarden_data }}"
     state: directory
+    mode: 0755
     recurse: yes
 
 
diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml
index 4c1dabf..955093d 100644
--- a/roles/common/handlers/main.yaml
+++ b/roles/common/handlers/main.yaml
@@ -1,10 +1,12 @@
 ---
 
 - name: reload ssh
-  service: name=ssh state=reloaded
+  service:
+    name: ssh
+    state: reloaded
 
 - name: update trusted ca debian
-  shell: /usr/sbin/update-ca-certificates
+  command: /usr/sbin/update-ca-certificates
   when: ansible_os_family == "Debian"
 
 # handlers for etckeeper
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index a4e9bca..f743b0d 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -1,6 +1,6 @@
 ---
 
+- import_tasks: packages.yaml
+
 # Install unattended Upgrades
 - import_tasks: updates.yaml
-
-- import_tasks: packages.yaml
diff --git a/roles/common/tasks/packages.yaml b/roles/common/tasks/packages.yaml
index 6a18a62..37ce23b 100644
--- a/roles/common/tasks/packages.yaml
+++ b/roles/common/tasks/packages.yaml
@@ -7,4 +7,6 @@
       - htop
       - telnet
       - aptitude
-    state: latest
+      - apt-listchanges
+      - unattended-upgrades
+    state: present
diff --git a/roles/common/tasks/updates.yaml b/roles/common/tasks/updates.yaml
index cd75ff4..574347e 100644
--- a/roles/common/tasks/updates.yaml
+++ b/roles/common/tasks/updates.yaml
@@ -1,19 +1,10 @@
 ---
 
-- name: Install unattended Upgrades
-  apt:
-    name:
-      - unattended-upgrades
-      - apt-listchanges
-    state: latest
-  notify: Record changes in etckeeper
-
-
 - name: update Package lists
   cron:
     name: update Package lists
-    hour: "{{3|random(seed=inventory_hostname+'updates')}}"
-    minute: "{{59|random(seed=inventory_hostname+'updates')}}"
+    hour: "{{ 3|random(seed=inventory_hostname+'updates') }}"
+    minute: "{{ 59|random(seed=inventory_hostname+'updates') }}"
     job: /usr/bin/apt-get update > /dev/null
 
 
@@ -21,6 +12,7 @@
   template:
     src: "{{ item }}"
     dest: "/etc/apt/apt.conf.d/{{ item }}"
+    mode: 0644
   with_items:
     - 20auto-upgrades
   notify: Record changes in etckeeper
@@ -30,6 +22,7 @@
   template:
     src: "{{ item }}"
     dest: "/etc/apt/apt.conf.d/{{ item }}"
+    mode: 0644
   with_items:
     - 50unattended-upgrades
   notify: Record changes in etckeeper
diff --git a/roles/haproxy/handlers/main.yaml b/roles/haproxy/handlers/main.yaml
index f690a00..1b359f2 100644
--- a/roles/haproxy/handlers/main.yaml
+++ b/roles/haproxy/handlers/main.yaml
@@ -1,17 +1,18 @@
 ---
 
 - name: restart haproxy
-  service:
+  systemd:
     name: haproxy
     state: restarted
 
 - name: reload haproxy
-  service:
+  systemd:
     name: haproxy
     state: reloaded
 
 - name: reload systemd config
-  shell: systemctl daemon-reload
+  systemd:
+    state: daemon-reload
 
 - name: update certs
-  shell: /usr/local/bin/update_haproxy_certs.sh
+  command: /usr/local/bin/update_haproxy_certs.sh
diff --git a/roles/haproxy/tasks/main.yaml b/roles/haproxy/tasks/main.yaml
index 64b14d0..a4408df 100644
--- a/roles/haproxy/tasks/main.yaml
+++ b/roles/haproxy/tasks/main.yaml
@@ -5,7 +5,7 @@
     name:
       - liblua5.3-0
       - libpcre3
-    state: latest
+    state: present
 
 - name: conflicted with haproxy package
   apt:
@@ -24,6 +24,7 @@
   file:
     path: "{{ item }}"
     state: directory
+    mode: 0755
   with_items:
     - /etc/haproxy/
     - /etc/haproxy/certs/
@@ -33,6 +34,7 @@
   copy:
     src: errorfiles
     dest: /etc/haproxy/
+    mode: 0644
 
 - name: copy haproxy binary
   copy:
@@ -91,13 +93,13 @@
   cron:
     name: renew certificates
     weekday: SUN
-    minute: "{{59|random(seed=inventory_hostname+'renew certificates')}}"
-    hour: "{{23|random(seed=inventory_hostname+'renew certificates')}}"
+    minute: "{{ 59|random(seed=inventory_hostname+'renew certificates') }}"
+    hour: "{{ 23|random(seed=inventory_hostname+'renew certificates') }}"
     job: /usr/local/bin/update_haproxy_certs.sh
 
 - name: renew ocsp information
   cron:
     name: renew ocsp
-    minute: "{{59|random(seed=inventory_hostname+'renew ocsp')}}"
-    hour: "{{23|random(seed=inventory_hostname+'renew ocsp')}}"
+    minute: "{{ 59|random(seed=inventory_hostname+'renew ocsp') }}"
+    hour: "{{ 23|random(seed=inventory_hostname+'renew ocsp') }}"
     job: /usr/local/bin/ocsp_update.sh
diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml
index feff359..83b2a79 100644
--- a/roles/nextcloud/tasks/main.yaml
+++ b/roles/nextcloud/tasks/main.yaml
@@ -4,6 +4,7 @@
   file:
     path: "{{ nextcloud_data }}"
     state: directory
+    mode: 0755
     recurse: yes