lilik_playbook/roles/certbot/tasks/main.yaml

---
- name: 'install certbot'
  apt:
    pkg:
      - 'certbot'
      - 'sendmail-bin'
      - 'cron'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'packages'

# Standard nginx installation should not listen on port 80
# -> This is probably not required.
#- name: 'shutdown webservers'
#  service:
#    name: '{{ webserver_name }}'
#    state: 'stopped'
#  ignore_errors: true

- name: 'request certificate'
  command: >
    certbot
        certonly
        -a standalone
        --agree-tos
        --email {{ letsencrypt_email }}
        --preferred-challenges http
        -d {{ certbot_site_fqdn }}
    {% for fqdn in certbot_site_alternate_fqdns %}
        -d {{ fqdn }}
    {% endfor %}
        -n
  args:
    creates: '/etc/letsencrypt/live/{{ certbot_site_fqdn }}/cert.pem'
  tags:
    - 'tls_pub'

#- name: 'restart webservers'
#  service:
#    name: '{{ webserver_name }}'
#    state: 'started'
#  ignore_errors: true

- name: 'add systemd timer for cert renewal'
  template:
    src: 'certbot.timer'
    dest: '/etc/systemd/system/certbot.timer'
  tags:
    - 'tls_pub'

- name: 'add systemd service for cert renewal'
  template:
    src: 'certbot.service'
    dest: '/etc/systemd/system/certbot.service'
  tags:
    - 'tls_pub'

- name: 'enable timer'
  systemd:
    name: 'certbot.timer'
    state: 'started'
    enabled: true
    daemon_reload: true
  tags:
    - 'tls_pub'
...