We should consider switching to UsePrivilegeSeparation sandbox for SSH; it does not seem to be Ansibilized yet.

/etc/fail2ban/jail.conf should be managed more completely, It is possible to split it. Work underway around Elwing.

The SSH config should be managed by Ansible completely. Here are the warnings:

/etc/ssh/sshd_config line 13: Deprecated option KeyRegenerationInterval                                                                                        
/etc/ssh/sshd_config line 14: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 25: Deprecated option UseLogin
/etc/ssh/sshd_config line 34: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication

Postfix changes would be needed but we can do that afterwards:

postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload" 

apt-file --non-interactive update does not work anymore as this option was removed, using apt update instead.
(should be Ansibilized one day too)

Changed to apt-get update because:

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

As for fail2ban, the configuration changed a bit, the list of jails is different. Previously the configuration was manual and only the whitelist was updated by the dc-base role. So I was forced to look into merging the configuration and that was utterly boring. So I decided to push things further and do something more satisfying: I created a role for fail2ban. As we have no reason to keep an old Debian, this role is then Stretch-only, and integration has been made into the migration branch.

phpsysinfo is not in Stretch: https://tracker.debian.org/news/832561
also it is really useless as we have better means to gather information using supervision and Ansible inventory, so removing globally.