diff --git a/ansible/roles/common/tasks/security.yml b/ansible/roles/common/tasks/security.yml index 44e9a41..f27aa4a 100644 --- a/ansible/roles/common/tasks/security.yml +++ b/ansible/roles/common/tasks/security.yml @@ -5,7 +5,7 @@ path: /etc/ssh/sshd_config regexp: "{{ item.re }}" line: "{{ item.li }}" - with_items: + loop: - {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'} - {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'} - {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'} @@ -18,7 +18,7 @@ src: files/fail2ban/jails/{{ item }} dest: /etc/fail2ban/jail.d/{{ item }} mode: 0644 - with_items: "{{ fail2ban_jails }}" + loop: "{{ fail2ban_jails }}" notify: restart_fail2ban tags: security diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf index e97d81f..8076812 100644 --- a/ansible/roles/http/files/nginx/nginx.conf +++ b/ansible/roles/http/files/nginx/nginx.conf @@ -1,24 +1,24 @@ user http; -worker_processes 1; +worker_processes 1; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; -error_log /var/log/nginx/error.log info; +error_log /var/log/nginx/error.log notice; events { - worker_connections 1024; + worker_connections 1024; } http { include mime.types; - default_type application/octet-stream; + default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; sendfile on; server_tokens off; diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml index 79f3ca6..fd8ca1e 100644 --- a/ansible/roles/http/tasks/http.yml 
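Review bot: The three `lineinfile` edits on `/etc/ssh/sshd_config` in the first security.yml hunk do not reach drop-in files: on distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it reads, so a drop-in such as a cloud-init fragment setting `PasswordAuthentication yes` silently wins over the `no` written here. `lineinfile` also replaces the last regexp match, which can be a line inside a trailing `Match` block rather than the global setting. Consider writing these settings to a drop-in that sorts first (e.g. `/etc/ssh/sshd_config.d/00-hardening.conf`) and add `validate: '/usr/sbin/sshd -t -f %s'` to the task so a malformed edit cannot lock the host out. The task header and any `notify` that restarts sshd are outside the hunk.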
+++ b/ansible/roles/http/tasks/http.yml @@ -14,7 +14,7 @@ path: "/etc/nginx/{{ item }}" state: directory mode: 0644 - with_items: + loop: - sites-enabled - sites-available tags: http @@ -43,7 +43,7 @@ src: "templates/nginx/sites/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" mode: 0644 - with_items: + loop: - "{{ ci_server_name }}.http.conf" notify: restart_nginx tags: http @@ -54,7 +54,7 @@ src: "/etc/nginx/sites-available/{{ item }}" dest: "/etc/nginx/sites-enabled/{{ item }}" state: link - with_items: + loop: - "{{ ci_server_name }}.http.conf" notify: restart_nginx tags: http diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml index 567e44f..f6582c9 100644 --- a/ansible/roles/http/tasks/https.yml +++ b/ansible/roles/http/tasks/https.yml @@ -5,7 +5,7 @@ src: "templates/nginx/sites/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" mode: 0644 - with_items: + loop: - "{{ ci_server_name }}.https.conf" notify: restart_nginx tags: https @@ -16,7 +16,7 @@ src: "/etc/nginx/sites-available/{{ item }}" dest: "/etc/nginx/sites-enabled/{{ item }}" state: link - with_items: + loop: - "{{ ci_server_name }}.https.conf" notify: restart_nginx tags: https diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml index 5827941..aa62128 100644 --- a/ansible/roles/http/tasks/modsec.yml +++ b/ansible/roles/http/tasks/modsec.yml @@ -7,7 +7,7 @@ owner: root group: root mode: 0644 - with_items: + loop: - "{{ nginx_conf_path }}" - "{{ modsec_rules_path }}" tags: modsec @@ -28,7 +28,7 @@ dest: "{{ item.dest }}" update: false version: "{{ item.ver }}" - with_items: "{{ modsec_git_urls }}" + loop: "{{ modsec_git_urls }}" notify: restart_nginx tags: modsec @@ -40,7 +40,7 @@ state: link force: true mode: 0644 - with_items: "{{ modsec_conf_links }}" + loop: "{{ modsec_conf_links }}" notify: restart_nginx tags: modsec 
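Review bot: `mode: 0644` on the `state: directory` task in the first http.yml hunk creates `/etc/nginx/sites-enabled` and `sites-available` without the execute (search) bit, so no non-root process can enter them; it only works because the nginx master reads its configuration as root. Directories should get `mode: 0755` (or `"u=rwx,go=rx"`) while the files created below them stay at 0644. The directory task at the top of modsec.yml carries the same `mode: 0644`, but its `state` line is outside that hunk, so check it as well.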
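Review bot: The `git` task in the second modsec.yml hunk checks out `version: "{{ item.ver }}"` from `modsec_git_urls` with `update: false`; if `item.ver` is a branch name rather than a tag or commit SHA, the WAF ruleset deployed depends on whatever upstream holds at first-clone time, is not reproducible across hosts, and with `update: false` is never refreshed afterwards. Pin each entry to an immutable commit SHA (or a signed tag together with `verify_commit: true`) and drive upgrades through that variable. The contents of `modsec_git_urls` are not visible here, so this may already be the case.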
@@ -52,7 +52,7 @@ state: "{{ item.enabled | ternary('link', 'absent') }}" force: true mode: 0644 - with_items: "{{ crs_rule_links }}" + loop: "{{ crs_rule_links }}" notify: restart_nginx tags: modsec, modsec_rules @@ -64,14 +64,14 @@ state: link force: true mode: 0644 - with_items: "{{ crs_data_links }}" + loop: "{{ crs_data_links }}" notify: restart_nginx tags: modsec, modsec_rules - name: whitelist local ip addresses become: true lineinfile: - path: "{{ nginx_path }}/modsecurity.conf" + path: "{{ modsec_crs_before_rule_conf }}" regexp: "{{ modsec_whitelist_local_re }}" line: "{{ modsec_whitelist_local }}" mode: 0644 diff --git a/ansible/roles/ssl/tasks/cron.yml b/ansible/roles/ssl/tasks/cron.yml index 9ca7831..e67509c 100644 --- a/ansible/roles/ssl/tasks/cron.yml +++ b/ansible/roles/ssl/tasks/cron.yml @@ -4,7 +4,7 @@ cron: name: certbot_renew special_time: weekly - job: | - certbot renew --pre-hook "systemctl stop nginx" \ - --post-hook "systemctl start nginx" + job: >- + certbot renew --pre-hook "systemctl stop nginx" + --post-hook "systemctl start nginx" tags: cron
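Review bot: The `whitelist local ip addresses` task in the last modsec.yml hunk now writes its rule into `{{ modsec_crs_before_rule_conf }}` with `lineinfile`; if `modsec_whitelist_local_re` ever fails to match the line that `modsec_whitelist_local` produces (for example after the rule text is edited), `lineinfile` appends a second rule with the same `id:` and ModSecurity refuses to load, taking nginx down at the next restart. Anchor the regexp on the rule's `id:` value rather than on the start of the line, and confirm the rule keys on `REMOTE_ADDR` and a bounded CIDR rather than `X-Forwarded-For`, which is client-controlled. No `notify: restart_nginx` is visible on this task inside the hunk; if the task ends at `mode: 0644`, the change is not applied until something else restarts nginx.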
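Review bot: The folded job in the cron.yml hunk stops nginx in `--pre-hook` and only starts it again in `--post-hook`, so every renewal is a scheduled outage, and if certbot is killed or aborts before the post-hook stage the site stays down until the next weekly run. Using the webroot or nginx authenticator with a deploy hook avoids stopping the listener at all, i.e. `job: >-` followed by `certbot renew --quiet --deploy-hook "systemctl reload nginx"`; if the standalone authenticator is required, at least run more often than `weekly` (certbot recommends twice daily) so a failed attempt is retried well inside the renewal window. Which authenticator the certificates were issued with is not visible here.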