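---
# Obtain a Let's Encrypt certificate with certbot's standalone authenticator
# and install a systemd timer/service pair for renewal.
#
# Variables read by these tasks: webserver_name, letsencrypt_email,
# server_fqdn.

- name: 'install certbot'
  apt:
    pkg:
      - 'certbot'
      - 'sendmail-bin'
      - 'cron'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'packages'

# Used below to stop the web server only when a certificate actually has to
# be issued, rather than on every run. Same path as the `creates` guard.
- name: 'check for an existing certificate'
  stat:
    path: '/etc/letsencrypt/live/{{ server_fqdn }}/cert.pem'
  register: letsencrypt_cert_stat

# `always` brings the web server back up even when certbot fails; without it
# a failed issuance would abort the play and leave the site down.
- name: 'issue certificate with the web server stopped'
  block:
    # --preferred-challenges http with the standalone authenticator needs the
    # HTTP port, so the web server is stopped while certbot runs.
    - name: Shutdown webservers
      service:
        name: "{{ webserver_name }}"
        state: stopped
      when: not letsencrypt_cert_stat.stat.exists
      # Best effort: a failure to stop the service is deliberately ignored.
      ignore_errors: true

    # argv passes each templated value as exactly one argument, so whitespace
    # inside a variable cannot turn into additional certbot options.
    - name: 'request certificate'
      command:
        argv:
          - 'certbot'
          - 'certonly'
          - '-a'
          - 'standalone'
          - '--agree-tos'
          - '--email'
          - '{{ letsencrypt_email }}'
          - '--preferred-challenges'
          - 'http'
          - '-d'
          - '{{ server_fqdn }}'
          - '-d'
          - 'www.{{ server_fqdn }}'
          - '-n'
        # Skip the request when a certificate for this FQDN already exists.
        creates: '/etc/letsencrypt/live/{{ server_fqdn }}/cert.pem'
      tags:
        - 'tls_pub'
  always:
    # state: started is a no-op when the service is already running.
    - name: Restart webservers
      service:
        name: "{{ webserver_name }}"
        state: started
      # NOTE(review): errors are ignored here, so a web server that fails to
      # come back up does not fail the play - confirm that this is intended.
      ignore_errors: true

# Unit files get explicit ownership and mode so their permissions do not
# depend on defaults; a unit file writable by a non-root user would let that
# user change what the renewal service executes.
- name: 'add systemd timer for cert renewal'
  template:
    src: 'certbot.timer'
    dest: '/etc/systemd/system/certbot.timer'
    owner: 'root'
    group: 'root'
    mode: '0644'
  tags:
    - 'tls_pub'

- name: 'add systemd service for cert renewal'
  template:
    src: 'certbot.service'
    dest: '/etc/systemd/system/certbot.service'
    owner: 'root'
    group: 'root'
    mode: '0644'
  tags:
    - 'tls_pub'

# daemon_reload makes systemd pick up the unit files written above before the
# timer is started.
- name: 'enable timer'
  systemd:
    name: 'certbot.timer'
    state: 'started'
    enabled: true
    daemon_reload: true
  tags:
    - 'tls_pub'
...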