diff --git a/CHANGELOG.md b/CHANGELOG.md
index a116e21d..d4de0391 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release.
 * nagios-nrpe: add check_postgrey
 
 ### Changed
+* etc-git: some entries of .gitignore are mandatory
 * evocheck: update upstream script
 * evolinux-base: improve hostname configuration (real vs. internal)
 * evolinux-base: use the "evolinux-todo" role
diff --git a/etc-git/files/gitignore b/etc-git/files/gitignore
index 7f8a0e4a..39002e32 100644
--- a/etc-git/files/gitignore
+++ b/etc-git/files/gitignore
@@ -1,5 +1 @@
-aliases.db
-*.swp
-postfix/sa-blacklist.access
-postfix/*.db
-postfix/spamd.cidr
+# Default /etc/.gitignore file
diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml
index 39f97e4d..452711c9 100644
--- a/etc-git/tasks/main.yml
+++ b/etc-git/tasks/main.yml
@@ -26,7 +26,7 @@
   tags:
     - etc-git
 
-- name: /etc/.git is secure
+- name: /etc/.git is restricted to root
   file:
     path: /etc/.git
     owner: root
@@ -41,6 +41,20 @@
     dest: /etc/.gitignore
     owner: root
     mode: "0600"
+    force: no
+  tags:
+    - etc-git
+
+- name: Some entries MUST be in the /etc/.gitignore file
+  lineinfile:
+    dest: /etc/.gitignore
+    line: "{{ item }}"
+  with_items:
+    - "aliases.db"
+    - "*.swp"
+    - "postfix/sa-blacklist.access"
+    - "postfix/*.db"
+    - "postfix/spamd.cidr"
   tags:
     - etc-git