diff --git a/.codespell_ignores b/.codespell_ignores
new file mode 100644
index 00000000..e69de29b
diff --git a/.codespellrc b/.codespellrc
new file mode 100644
index 00000000..8f96f52a
--- /dev/null
+++ b/.codespellrc
@@ -0,0 +1,8 @@
+[codespell]
+check-hidden = true
+# Note that `-w` doesn't work when ignore-multiline-regex is set
+# https://github.com/codespell-project/codespell/issues/3642
+ignore-multiline-regex = codespell:ignore-begin.*codespell:ignore-end
+ignore-words = .codespell_ignores
+# skip-file is not available https://github.com/codespell-project/codespell/pull/2759
+skip = .pandoc_template.html5,.README.html
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 00000000..8eadb612
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,17 @@
+# Codespell configuration is within .codespellrc
+---
+name: Codespell
+on:  # yamllint disable-line rule:truthy
+  - pull_request
+permissions:
+  contents: read
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Codespell
+        uses: codespell-project/actions-codespell@v2
diff --git a/.github/workflows/tft_citest_bad.yml b/.github/workflows/tft_citest_bad.yml
index 85db1f44..9f48f353 100644
--- a/.github/workflows/tft_citest_bad.yml
+++ b/.github/workflows/tft_citest_bad.yml
@@ -36,7 +36,7 @@ jobs:
           RUN_ID=$(gh api "repos/$REPO/actions/workflows/tft.yml/runs?event=issue_comment" \
             | jq -r "[.workflow_runs[] | select( .display_title == \"$PR_TITLE\" ) | select( .conclusion == \"failure\" ) | .id][0]")
           if [ "$RUN_ID" = "null" ]; then
-            echo "Failed workflow not found, exitting"
+            echo "Failed workflow not found, exiting"
             exit 1
           fi
           echo "Re-running workflow $RUN_ID"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 515562e6..eff57e70 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -161,7 +161,7 @@ Changelog
 
 ### Other Changes
 
-- tests: test_ping: fix compatability issues (#171)
+- tests: test_ping: fix compatibility issues (#171)
 
 [1.6.0] - 2023-08-08
 --------------------
diff --git a/README.md b/README.md
index c677f1a6..b85d3d34 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # firewall
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-test.yml) [![codeql.yml](https://github.com/linux-system-roles/firewall/actions/workflows/codeql.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/codeql.yml) [![markdownlint.yml](https://github.com/linux-system-roles/firewall/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/markdownlint.yml) [![python-unit-test.yml](https://github.com/linux-system-roles/firewall/actions/workflows/python-unit-test.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/python-unit-test.yml) [![shellcheck.yml](https://github.com/linux-system-roles/firewall/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/firewall/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/firewall/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/firewall/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/ansible-test.yml) [![codeql.yml](https://github.com/linux-system-roles/firewall/actions/workflows/codeql.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/codeql.yml) [![codespell.yml](https://github.com/linux-system-roles/firewall/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/firewall/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/markdownlint.yml) [![python-unit-test.yml](https://github.com/linux-system-roles/firewall/actions/workflows/python-unit-test.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/python-unit-test.yml) [![shellcheck.yml](https://github.com/linux-system-roles/firewall/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/firewall/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/firewall/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/firewall/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/firewall/actions/workflows/woke.yml)
 
 This role configures the firewall on machines that are using firewalld.
 If firewalld is not in use, the role will install (if not already installed),
@@ -218,7 +218,7 @@ permanent change was made to each setting:
 ### firewall_disable_conflicting_services
 
 By default, the firewall role does not attempt to disable conflicting services due to the
-overhead associated with enumerating the services when disabling services is potentially unecessary.
+overhead associated with enumerating the services when disabling services is potentially unnecessary.
 To enable this feature, set the variable `firewall_disable_conflicting_services` to `true`:
 
 ```yaml
@@ -475,7 +475,7 @@ See `ipset` for more usage information
 List of addresses to add or remove from an ipset
 Used with `ipset`
 
-Entrys must be compatible with the ipset type of the `ipset`
+Entries must be compatible with the ipset type of the `ipset`
 being created or modified.
 
 ```yaml
diff --git a/library/firewall_lib.py b/library/firewall_lib.py
index dfa186d0..6a1548f1 100644
--- a/library/firewall_lib.py
+++ b/library/firewall_lib.py
@@ -119,7 +119,7 @@
     default: []
   interface_pci_id:
     description:
-      List of inteface PCI device ID strings.
+      List of interface PCI device ID strings.
       PCI device ID needs to correspond to a named network interface.
     required: false
     type: list
diff --git a/pylintrc b/pylintrc
index e9160fe2..b9904a60 100644
--- a/pylintrc
+++ b/pylintrc
@@ -52,7 +52,7 @@ confidence=
 # can either give multiple identifiers separated by comma (,) or put this
 # option multiple times (only on the command line, not in the configuration
 # file where it should appear only once).You can also use "--disable=all" to
-# disable everything first and then reenable specific checks. For example, if
+# disable everything first and then re-enable specific checks. For example, if
 # you want to run only the similarities checker, you can use "--disable=all
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use"--disable=all --enable=classes
diff --git a/tests/files/test_ping.sh b/tests/files/test_ping.sh
index 94b51141..2c549996 100755
--- a/tests/files/test_ping.sh
+++ b/tests/files/test_ping.sh
@@ -47,7 +47,7 @@ TIMEOUT=2
 # The following ping should have 100% packet loss
 ping -c "$NUM_PINGS" -W "$TIMEOUT" -i 0.01 "$ip" 1>/tmp/ping0 || :
 
-# Begin downtime comparision #
+# Begin downtime comparison #
 ping -c "$NUM_PINGS" -W "$TIMEOUT" -i 0.01 "$ip" 1>/tmp/ping1 || : &
 pid="$!"
 podman exec test-firewalld systemctl reload firewalld.service
diff --git a/tests/tests_ansible.yml b/tests/tests_ansible.yml
index 90f7c3d6..98944964 100644
--- a/tests/tests_ansible.yml
+++ b/tests/tests_ansible.yml
@@ -249,7 +249,7 @@
           register: result
           failed_when: result.failed or result.changed
 
-        - name: Allow masquerading in permament dmz zone
+        - name: Allow masquerading in permanent dmz zone
           firewall_lib:
             masquerade: true
             permanent: true
@@ -257,7 +257,7 @@
           register: result
           failed_when: result.failed or not result.changed
 
-        - name: Allow masquerading in permament dmz zone, again
+        - name: Allow masquerading in permanent dmz zone, again
           firewall_lib:
             masquerade: true
             permanent: true
diff --git a/tests/tests_interface_pci.yml b/tests/tests_interface_pci.yml
index d66ec5e4..691b2660 100644
--- a/tests/tests_interface_pci.yml
+++ b/tests/tests_interface_pci.yml
@@ -68,7 +68,7 @@
               zone: internal
               interface_pci_id: 1af4:0001
               state: disabled
-              permament: true
+              permanent: true
       always:
         - name: Cleanup
           tags:
diff --git a/tests/tests_ipsets.yml b/tests/tests_ipsets.yml
index e1099c6c..7fd30cf1 100644
--- a/tests/tests_ipsets.yml
+++ b/tests/tests_ipsets.yml
@@ -38,7 +38,7 @@
                   - 127.0.0.1
                   - 8.8.8.8
                 short: Custom
-                desciption: Custom IPSet for testing purposes
+                description: Custom IPSet for testing purposes
                 state: present
                 permanent: true
 
@@ -63,7 +63,7 @@
             firewall:
               - ipset: customipset
                 short: Custom
-                desciption: Custom IPSet for testing purposes
+                description: Custom IPSet for testing purposes
                 state: present
                 permanent: true
           register: result
diff --git a/tests/tests_service.yml b/tests/tests_service.yml
index a6c85507..151d0c69 100644
--- a/tests/tests_service.yml
+++ b/tests/tests_service.yml
@@ -31,7 +31,7 @@
 
         - name: Fail if systemroletest present prior to test run
           fail:
-            msg: test service present after reseting defaults
+            msg: test service present after resetting defaults
           when: result.stdout.find("systemroletest") != -1
 
         - name: Ensure http has default configuration
@@ -233,7 +233,7 @@
                   - 1::1
                 helper_module: ftp
                 protocol: icmp
-                permament: true
+                permanent: true
                 state: absent
 
         # Verify nothing is removed in this case
@@ -256,7 +256,7 @@
                   - 1::1
                 helper_module: ftp
                 protocol: icmp
-                permament: true
+                permanent: true
                 state: absent
 
         - name: Fail if custom service elements changed
@@ -284,7 +284,7 @@
           vars:
             firewall:
               - service: systemroletest
-                permament: true
+                permanent: true
                 state: absent
 
         - name: Get all services
@@ -303,7 +303,7 @@
           vars:
             firewall:
               - service: systemroletest
-                permament: true
+                permanent: true
                 state: absent
 
         - name: Fail if second removal changes anything