diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 52a90e1b53e59d88b64911bc77b91afce2d210f5..67d656f5d95364dec98819cf8a8bcc515b096258 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -83,6 +83,14 @@
     state: present
   when: "testing|default(True)"
 
+# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
+# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
+- name: Force mtail version on buster
+  copy:
+    src: "mtail.apt-preferences"
+    dest: "/etc/apt/preferences.d/99float-syslog"
+  when: float_debian_dist == 'buster'
+
 - name: Install base packages
   apt:
     name: "{{ packages }}"
@@ -108,6 +116,13 @@
       - man-db
       - jq
       - gpg
+      - firewall
+      - rsyslog
+      - rsyslog-gnutls
+      - mtail
+      - auditd
+      - audisp-json
+      - prometheus-node-exporter
 
 - name: Install extra packages
   apt:
diff --git a/roles/float-base/tasks/firewall.yml b/roles/float-base/tasks/firewall.yml
index 849eee76a11bbed586ce66a8551bfa792b47368d..84b34d902989ad841a5366e45b53f41577f9a39f 100644
--- a/roles/float-base/tasks/firewall.yml
+++ b/roles/float-base/tasks/firewall.yml
@@ -1,9 +1,5 @@
 ---
 
-- apt:
-    name: firewall
-    state: present
-
 - template:
     src: firewall/10float.j2
     dest: /etc/firewall/filter.d/10float
diff --git a/roles/float-base/tasks/harden.yml b/roles/float-base/tasks/harden.yml
index b9e19588887a18420314ab4f5ea7d7f90522c7f7..ec7950bf7049ac8e7d46c79b7ba6044c8b1f9ebf 100644
--- a/roles/float-base/tasks/harden.yml
+++ b/roles/float-base/tasks/harden.yml
@@ -39,18 +39,6 @@
 - name: Restrict core dumps (PAM)
   lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present
 
-# Audit configuration on Debian stretch uses augenrules by default, so
-# we copy our rules in /etc/audit/rules.d.
-# TODO: evaluate whether we still need this.
-- name: Auditd installed
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
-      - auditd
-      - audisp-json
-
 - name: Auditd default config removed
   file:
     path: /etc/audit/rules.d/audit.rules
diff --git a/roles/float-base/tasks/prometheus.yml b/roles/float-base/tasks/prometheus.yml
index b713f22a612edea6e57fca83ae23c35e11d46ce9..8fd76e922be1df3b87f4250960a14420f7437cdb 100644
--- a/roles/float-base/tasks/prometheus.yml
+++ b/roles/float-base/tasks/prometheus.yml
@@ -7,11 +7,6 @@
   notify:
     - reload prometheus-node-exporter
 
-- name: Install prometheus node package
-  apt:
-    name: prometheus-node-exporter
-    state: present
-
 - name: Install prometheus node extra package
   apt:
     name:
diff --git a/roles/float-base/tasks/service_discovery.yml b/roles/float-base/tasks/service_discovery.yml
index a39c90fa3258b4293d681e2c052fa4371d3c7811..bd6e4158b515eed58e1e6e7c88934da82b922989 100644
--- a/roles/float-base/tasks/service_discovery.yml
+++ b/roles/float-base/tasks/service_discovery.yml
@@ -8,5 +8,5 @@
 - name: Create /etc/host.conf
   copy:
     dest: /etc/host.conf
-    content: "multi on"
+    content: "multi on\n"
 
diff --git a/roles/float-base/tasks/syslog.yml b/roles/float-base/tasks/syslog.yml
index 3adc81972da8a79b1d616e834f5abdc8fef8be7c..1a1ff4f727c2b118f6a67f13772877f4b5b13b30 100644
--- a/roles/float-base/tasks/syslog.yml
+++ b/roles/float-base/tasks/syslog.yml
@@ -1,23 +1,5 @@
 ---
 
-# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
-# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
-- name: Force mtail version on buster
-  copy:
-    src: "mtail.apt-preferences"
-    dest: "/etc/apt/preferences.d/99float-syslog"
-  when: float_debian_dist == 'buster'
-
-- name: Install rsyslog packages
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
-      - rsyslog
-      - rsyslog-gnutls
-      - mtail
-
 - name: Install mtail systemd socket unit
   copy:
     src: "mtail.socket"