diff --git a/testsite/playbooks/tls.yml b/testsite/playbooks/tls.yml
index ac1857d309b21cb720c138df23229391b89e7a65..8fbdd731f1ce5503acfcb88e6b22b3d79e3150d3 100644
--- a/testsite/playbooks/tls.yml
+++ b/testsite/playbooks/tls.yml
@@ -1,6 +1,7 @@
 ---
-- hosts: preseed
+- name: Generate TLS private keys and certificates
+ hosts: preseed
 vars:
 host_tls_info:
 - hostname: ldap
@@ -31,23 +32,27 @@
 - "{{ testsite_domain }}"
 tasks:
 - name: Create GnuTLS certificate templates for all hosts
- template: src="../tls/gnutls_server_certificate.cfg.j2" dest="../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
+ ansible.builtin.template:
+ src: "../tls/gnutls_server_certificate.cfg.j2"
+ dest: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
+ mode: "0640"
 with_items: "{{ host_tls_info }}"
 - name: Create the CA key
- command: certtool --sec-param high --generate-privkey --outfile ../tls/ca.key
+ ansible.builtin.command: certtool --sec-param high --generate-privkey --outfile ../tls/ca.key
 args:
 creates: ../tls/ca.key
 - name: Create the CA certificate
- command: certtool --template ../tls/ca.cfg --generate-self-signed --load-privkey ../tls/ca.key --outfile ../tls/ca.pem
+ ansible.builtin.command: certtool --template ../tls/ca.cfg --generate-self-signed --load-privkey ../tls/ca.key --outfile ../tls/ca.pem
 args:
 creates: ../tls/ca.pem
 - name: Create private keys for all hosts
- command: certtool --sec-param normal --generate-privkey --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
+ ansible.builtin.command: |
+ certtool --sec-param normal --generate-privkey --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
 with_items: "{{ host_tls_info }}"
 args:
 creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
 - name: Issue certificates for all hosts
- shell: sleep 1 && certtool --generate-certificate
+ ansible.builtin.shell: sleep 1 && certtool --generate-certificate
 --load-ca-privkey "../tls/ca.key" --load-ca-certificate "../tls/ca.pem" --template "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg" --load-privkey "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
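Review bot: The two tasks that write private key material — `ansible.builtin.command: certtool --sec-param high --generate-privkey --outfile ../tls/ca.key` and the per-host `--generate-privkey` command below it — leave the file mode of `ca.key` and the `*.key` files implicit, while the commit pins `mode: "0640"` only on the certificate templates. Whether those keys end up readable by other local users therefore depends on the certtool version and the umask in effect on `preseed`; a follow-up `ansible.builtin.file` task with `mode: "0600"` after each key-generation task (sketched below) makes the intended permission explicit and auditable regardless of the tool's defaults. Separately, the new block scalar `ansible.builtin.command: |` keeps a trailing newline on the command string; `ansible.builtin.command: >-` is the usual form for one long command line and avoids that. The `Issue certificates for all hosts` task runs past the end of the hunk, so whether it carries a `creates:` guard like the other tasks cannot be seen here.
```yaml
        creates: ../tls/ca.key
    - name: Restrict permissions on the CA private key
      ansible.builtin.file:
        path: ../tls/ca.key
        mode: "0600"
    # … unchanged: CA certificate task and per-host key generation …
        creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
    - name: Restrict permissions on the host private keys
      ansible.builtin.file:
        path: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
        mode: "0600"
      with_items: "{{ host_tls_info }}"
```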