Improved performance by executing tasks just once per host

roles/nginx-certbot/handlers/main.yml

@@ -0,0 +1,12 @@
+- name: "reload certbot service"
+  systemd:
+    name: certbot.service
+    state: reloaded
+    enabled: yes
+    daemon_reload: yes
+- name: "restart certbot timer"
+  systemd:
+    name: certbot.timer
+    state: restarted
+    enabled: yes
+    daemon_reload: yes

roles/nginx-certbot/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- nginx
+- systemd-notifier

roles/nginx-certbot/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: install certbot
+  pacman:
+    name: [certbot,certbot-nginx]
+    state: present
+  when: run_once_nginx_certbot is not defined
+
+- name: configure certbot.service.tpl
+  template: 
+    src:  certbot.service.j2
+    dest: /etc/systemd/system/certbot.service
+  notify: reload certbot service
+  when: run_once_nginx_certbot is not defined
+
+- name: configure certbot.timer.tpl
+  template:
+    src:  certbot.timer.j2
+    dest: /etc/systemd/system/certbot.timer
+  register: certbot_timer
+  changed_when: certbot_timer.changed or activate_all_timers | default(false) | bool
+  notify: restart certbot timer
+  when: run_once_nginx_certbot is not defined
+
+- name: run the nginx_certbot tasks once
+  set_fact:
+    run_once_nginx_certbot: true
+  when: run_once_nginx_certbot is not defined

roles/nginx-certbot/templates/certbot.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Let's Encrypt renewal
+OnFailure=systemd-notifier@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+ExecStartPost=/bin/systemctl reload nginx.service

roles/nginx-certbot/templates/certbot.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec={{randomized_delay_sec}}
+Persistent=true
+
+[Install]
+WantedBy=timers.target