diff --git a/roles/baseconfig/tasks/apt-listchanges.yml b/roles/baseconfig/tasks/apt-listchanges.yml
index ddfebb7..ec68e1f 100644
--- a/roles/baseconfig/tasks/apt-listchanges.yml
+++ b/roles/baseconfig/tasks/apt-listchanges.yml
@@ -12,11 +12,20 @@
 # Send email when there is something new
 - name: Configure apt-listchanges
- lineinfile:
- dest: /etc/apt/listchanges.conf
- regexp: "^{{ item.key }}="
- line: "{{ item.value }}"
- with_dict:
- confirm: 'confirm=true'
- email_address: "email_address={{ monitoring_mail }}"
- which: 'which=both'
+ ini_file:
+ path: /etc/apt/listchanges.conf
+ no_extra_spaces: true
+ section: apt
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ state: present
+ loop:
+ - option: confirm
+ value: "true"
+
+ - option: email_address
+ value: "{{ monitoring_mail }}"
+
+ - option: which
+ value: both
+...
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index 4fc922e..a08b869 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -47,11 +47,33 @@
 until: apt_result is succeeded
 - name: Configure fail2ban
- template:
- src: fail2ban/jail.d/local.conf.j2
- dest: /etc/fail2ban/jail.d/local.conf
- mode: 0644
+ ini_file:
+ path: /etc/fail2ban/jail.d/local.conf
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ state: present
 notify: Restart fail2ban service
+ loop:
+ - section: DEFAULT
+ option: ignoreip
+ value: 10.128.0.254 # Whitelist bastion
+
+ - section: sshd
+ option: enabled
+ value: "true"
+
+ - section: sshd
+ option: bantime
+ value: 600
+
+ - section: sshd
+ option: findtime
+ value: 600
+
+ - section: sshd
+ option: maxretry
+ value: 5
 # See altered packages and configurations with `debsums -ca`
 - name: Install debsums
diff --git a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2
deleted file mode 100644
index 844ace1..0000000
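Review bot: The `email_address` item writes whatever `monitoring_mail` expands to, and an empty value silently produces `email_address=` under `[apt]`, after which apt-listchanges has nowhere to send its reports; a precondition ahead of the task, `- assert:` / `    that: monitoring_mail | length > 0` / `    fail_msg: monitoring_mail must be set`, surfaces that at play time instead. The removed `lineinfile` task matched `^key=` anywhere in the file whereas `ini_file` manages only the `[apt]` section, so a previously provisioned host whose file carries one of these keys in another section would keep the stale line beside the new one — presumably not the case with the stock Debian file, but worth checking on existing hosts. The `which` item would read better with a short comment on the value, e.g. `# both: report NEWS and changelog entries`.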
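Review bot: The `mode: 0644` set by the removed `template` task has no counterpart among the `ini_file` parameters, so on a host where `/etc/fail2ban/jail.d/local.conf` does not exist yet the file is created with umask-derived permissions; add `mode: "0644"` under `path:` (quoted so YAML does not read the octal as an integer). Setting `ignoreip` in `[DEFAULT]` replaces fail2ban's own default rather than extending it, so loopback whitelisting now depends on the installed release whitelisting the host via `ignoreself` — on releases that only carry loopback in the default `ignoreip`, include those ranges in the value. `[DEFAULT]` also applies the whitelist to every jail, while the deleted template placed it under `[sshd]`; a comment such as `# applies to all jails, not only sshd` would record that this is intended. Because `ini_file` edits only the options it is given, hosts provisioned with the old template keep its leftover `ignoreip` under `[sshd]` and the `ansible_managed` header, which a one-off loop item with `state: absent` could clean up. The bastion address would be easier to maintain as a role variable (`value: "{{ bastion_ip }}"` with a role default), and the old template's "ban for 10mn after 5 failures within 10mn" explanation belongs as a comment on the `bantime`/`findtime`/`maxretry` items.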
--- a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-# Ban a host for 10mn
-# if it has failed 5 times during the last 10mn
-[sshd]
-enabled = true
-bantime = 600
-findtime = 600
-maxretry = 5
-
-# Whitelist bastion
-ignoreip = 10.128.0.254