diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e5184dfaa0142d2bfd29356c21e37b081b07949a..6ae4bc5d56924fdd530fd8607f305b03b3e4b246 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,5 @@
+---
+
 stages:
   - test
   - deploy
diff --git a/.yamllint b/.yamllint
index ad0be7608e23371e3cc7b8522eed2ccca5994317..60ffbc3ceca2d85bcad67baad8ce5bde030643c6 100644
--- a/.yamllint
+++ b/.yamllint
@@ -1,3 +1,5 @@
+---
+
 extends: default
 
 rules:
diff --git a/defaults/main.yml b/defaults/main.yml
index 2c673285cd6292b5399cfa78cd32eeffa7d6dd4a..006ce89a4cfa6e86aed99b7ccbdb9d7f7bc7106c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,7 +23,7 @@ funkwhale_database_port: 5432
 # ↓ Only needed if 'funkwhale_database_managed' == false
 # ↓ This is also assuming DB and user have already been set up, outside of the playbook.
 # ↓ Considering the playbook handles both local and remote PostGreSQL server types, this should typically not be required.
-#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
+# funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
 
 funkwhale_nginx_managed: true
 # If you have an HTTPS reverse proxy higher up, set this to true
diff --git a/install.sh b/install.sh
index f89d08d533c89514222be7249217de1eec4bc1b7..66b98a8004966cfe76b6bd2fa361cfcda4d6adca 100644
--- a/install.sh
+++ b/install.sh
@@ -216,9 +216,9 @@ do_install() {
 
 init_ansible() {
     echo "[2/$total_steps] Installing ansible dependencies..."
-    install_packages  curl git python3-pip python3-apt sudo locales locales-all
+    install_packages  curl git python3-pip python3-apt python3-psycopg2 sudo locales locales-all
     echo "[2/$total_steps] Installing Ansible..."
-    pip3 install --user ansible=="$ansible_version" psycopg2-binary
+    pip3 install --user ansible=="$ansible_version"
 
     echo "[2/$total_steps] Creating ansible configuration files in $ansible_conf_path..."
     mkdir -p "$ansible_conf_path"
diff --git a/meta/main.yml b/meta/main.yml
index 524d70e5e275f4a2b5fd807979f722c15f4fd947..d478194c399f780075ada9780811ce383a7c33f5 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -54,12 +54,12 @@ galaxy_info:
     - nginx
     - letsencrypt
     - app
-  # List tags for your role here, one per line. A tag is a keyword that describes
-  # and categorizes the role. Users find roles by searching for tags. Be sure to
-  # remove the '[]' above, if you add tags to this list.
-  #
-  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-  #       Maximum 20 tags per role.
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
 
 dependencies: []
 # List your role dependencies here, one per line. Be sure to remove the '[]' above,
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2
index 4e7f4eaabadf77afe0d652f1d6fb82fa22653ca9..28579c097f451278231ae4d7d3160b448b954c71 100644
--- a/molecule/default/Dockerfile.j2
+++ b/molecule/default/Dockerfile.j2
@@ -6,7 +6,7 @@ FROM {{ item.registry.url }}/{{ item.image }}
 FROM {{ item.image }}
 {% endif %}
 
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python3 python3-setuptools sudo bash ca-certificates && apt-get clean; \
     elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
     elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
     elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
diff --git a/molecule/default/playbook.yml b/molecule/default/converge.yml
similarity index 100%
rename from molecule/default/playbook.yml
rename to molecule/default/converge.yml
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index e9b1cf4c606f3987ca8fd3ef42c7ee317d416a46..82ed03e55e0f92ffa779db61d68291c60e88256b 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -3,11 +3,13 @@ dependency:
   name: galaxy
 driver:
   name: docker
-lint:
-  name: yamllint
+lint: |
+  yamllint .
+  ansible-lint
+  #flake8
 platforms:
-  - name: debian-stretch
-    image: alehaa/debian-systemd:stretch
+  - name: debian-buster
+    image: alehaa/debian-systemd:buster
     command: /sbin/init
     tmpfs:
       - /run
@@ -17,11 +19,10 @@ platforms:
 
 provisioner:
   name: ansible
-  lint:
-    name: ansible-lint
+  inventory:
+    host_vars:
+      debian-buster:
+        ansible_python_interpreter: "/usr/bin/python3"
 
 verifier:
   name: testinfra
-  lint:
-    name: flake8
-    enabled: False
diff --git a/tasks/db.yml b/tasks/db.yml
index 23844b20d6f6ac87fd3c58a9686145dc5a6798e4..fefe542949d5a9f11791316a04ced58e6d1b5832 100644
--- a/tasks/db.yml
+++ b/tasks/db.yml
@@ -31,7 +31,7 @@
     login_user: postgres
   delegate_to: "{{ funkwhale_database_host_ansible or inventory_hostname }}"
 
-- name: "Create {{ funkwhale_database_name }} database on {{ funkwhale_database_host_ansible or inventory_hostname}}"
+- name: "Create {{ funkwhale_database_name }} database on {{ funkwhale_database_host_ansible or inventory_hostname }}"
   become: true
   become_user: postgres
   when: funkwhale_database_managed
diff --git a/tasks/funkwhale.yml b/tasks/funkwhale.yml
index 4a5eb82ba5480d2c10926ec36854500d0359ae84..e0416756635836102d8ae273da56413fb8cdd204 100644
--- a/tasks/funkwhale.yml
+++ b/tasks/funkwhale.yml
@@ -18,7 +18,9 @@
   file:
     path: "{{ item }}"
     owner: "{{ funkwhale_username }}"
+    group: "{{ funkwhale_username }}"
     state: directory
+    mode: '755'
   with_items:
     - "{{ funkwhale_install_path }}"
     - "{{ funkwhale_media_path }}"
@@ -26,25 +28,26 @@
     - "{{ funkwhale_music_path }}"
     - "{{ funkwhale_config_path }}"
 
-- name: Check if django_secret_key file is setup
+- name: Check if django_secret_key file is set up
   stat:
     path: "{{ funkwhale_config_path }}/django_secret_key"
   register: "result_django_secret_key"
 
 - name: "Generate a random secret key"
-  when: result_django_secret_key.stat.exists == False
+  when: not result_django_secret_key.stat.exists
   become: true
   become_user: "{{ funkwhale_username }}"
   command: "openssl rand -hex 25"
   register: result_secret_key_generation
 
 - name: "Create django_secret_key file"
-  when: not ansible_check_mode and result_django_secret_key.stat.exists == False
+  when: not ansible_check_mode and not result_django_secret_key.stat.exists
   become: true
   become_user: "{{ funkwhale_username }}"
   copy:
     content: "{{ result_secret_key_generation.stdout }}"
     dest: "{{ funkwhale_config_path }}/django_secret_key"
+    mode: '600'
 
 - name: "Setup a dummy secret key"
   when: ansible_check_mode
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index 73c5da17b428f440088c80ccf0adc0f09eb5da3c..1f4932bf13afa5e5d57f498178e5cf323b006988 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@@ -26,12 +26,12 @@
   when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
   become: true
   command: snap install core
-  
+
 - name: Refresh core snap before installing certbot
   when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
   become: true
   command: snap refresh core
-  
+
 - name: Install certbot snap
   when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
   become: true
@@ -40,7 +40,7 @@
 - name: Link certbot snap installation
   when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
   become: true
-  file: 
+  file:
     src: /snap/bin/certbot
     dest: /usr/bin/certbot
     state: link
@@ -66,6 +66,7 @@
   template:
     src: funkwhale_proxy.conf.j2
     dest: "/etc/nginx/funkwhale_proxy.conf"
+    mode: '644'
   notify:
     - reload nginx
 
@@ -75,5 +76,6 @@
   template:
     src: nginx.conf.j2
     dest: "/etc/nginx/sites-enabled/{{ funkwhale_hostname }}.conf"
+    mode: '644'
   notify:
     - reload nginx