diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..464676d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+letsencryt_email: 'admin@brainsys.io'
diff --git a/files/renew-hook b/files/renew-hook
new file mode 100644
index 0000000..c46fe53
--- /dev/null
+++ b/files/renew-hook
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+_logfile="/var/log/renew_ssl.txt"
+
+echo "Date: $(date +%Y%m%d)" | tee -a $_logfile
+echo "Nb of args: $?" | tee -a $_logfile
+
+if [ ! -z "$RENEWED_DOMAINS" ]; then
+ for domain in $RENEWED_DOMAINS; do
+ if [[ $domain = www.* ]]; then
+ domain=`echo $domain | sed 's/www.\(.*\)/\1/g'`
+ else
+ echo "Processing domain: $domain" | tee -a $_logfile
+ mkdir -p /etc/haproxy/ssl/archives
+
+ if test -f /etc/haproxy/ssl/certs/$domain.pem; then
+ cp /etc/haproxy/ssl/certs/$domain.pem /etc/haproxy/ssl/archives/$domain.pem.$(date +%Y%m%d)
+ fi
+
+ cat /etc/letsencrypt/live/$domain/privkey.pem /etc/letsencrypt/live/$domain/fullchain.pem > /etc/haproxy/ssl/certs/$domain.pem
+
+ # check if pem file in haproxy dir is empty and rm it if it is
+ if [ ! -s /etc/haproxy/ssl/certs/$domain.pem ]; then
+ rm /etc/haproxy/ssl/certs/$domain.pem
+ fi
+
+ /usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg && /bin/systemctl reload haproxy.service
+ echo "$domain renewed at $(date)" | tee -a $_logfile
+ fi
+ done
+else
+ echo "$domain renewal failed at $(date)" | tee -a $_logfile
+ exit 0
+fi
+
+#/* vim: set tabstop=4:softtabstop=4:shiftwidth=4:noexpandtab */
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..36f1b36
--- /dev/null
+++ b/tasks/main.yml
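Review bot: The default is declared as `letsencryt_email` (missing "p") while `templates/cli.ini.j2` in this same commit reads `{{ letsencrypt_email }}`, so the template task will fail on an undefined variable unless the correctly spelled name is supplied from somewhere outside this role. Rename the default to `letsencrypt_email: 'admin@brainsys.io'`; the same mismatch is the only thing worth raising on the cli.ini.j2 hunk, and it needs no change there once the default is fixed. A hard-coded mailbox in `defaults/` is presumably a placeholder that consumers of the role override — a one-line comment such as `# override per deployment; certbot sends expiry notices here` would make that explicit.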
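Review bot: The bundle produced by `cat … privkey.pem … fullchain.pem > /etc/haproxy/ssl/certs/$domain.pem` contains the private key but is created with whatever umask the hook inherits from certbot, and the `cp` into `archives/` is made the same way, so both files can end up readable by every local account; add `umask 077` directly after the shebang so everything this script creates defaults to 0600. `echo "Nb of args: $?"` prints the exit status of the preceding `tee`, not an argument count — `$#` was presumably meant, although a deploy-hook receives its input through `RENEWED_DOMAINS`/`RENEWED_LINEAGE` rather than argv. In the `www.*` branch the stripped value assigned to `domain` is never used because deployment lives in the `else`, so either that assignment is dead code or the branch was meant to fall through (`domain="${domain#www.}"` with no `else`, which also avoids the unanchored `sed` pattern) — which was intended is not clear from the hunk. The final `else` logs `$domain`, which is unset outside the loop, and then `exit 0`, so an empty `RENEWED_DOMAINS` is reported as a failure yet exits successfully; log `RENEWED_DOMAINS` there and return a non-zero status or drop the "failed" wording. Every path expansion (`$domain`, `$_logfile`) is unquoted and the `rm` has no `--`; quoting them is mechanical (ShellCheck SC2086) but worth doing before this runs, presumably as root, on every renewal.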
@@ -0,0 +1,32 @@
+---
+- name: letsencrypt | apt update cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400 #One day
+
+- name: letsencrypt | install packages
+ apt:
+ name:
+ - certbot
+ state: present
+
+- name: letsencrypt | copy configuration files
+ template:
+ src: "cli.ini.j2"
+ dest: "/etc/letsencrypt/cli.ini"
+ mode: "0644"
+ force: yes
+ backup: yes
+
+- name: letsencrypt | create hook directory
+ file:
+ path: /usr/local/bin/letsencrypt/
+ state: directory
+ owner: root
+ group: root
+
+- name: letsencrypt | copy renew hook
+ copy:
+ src: "renew-hook"
+ dest: "/usr/local/bin/letsencrypt/renew-hook"
+ mode: "0755"
diff --git a/templates/cli.ini.j2 b/templates/cli.ini.j2
new file mode 100644
index 0000000..c374db9
--- /dev/null
+++ b/templates/cli.ini.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0
+email = {{ letsencrypt_email }}
+deploy-hook = /usr/local/bin/letsencrypt/renew-hook
+#renew-before-expiry = 20
+agree-tos = True
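Review bot: The hook installed by the last task writes the key-plus-chain bundle into `/etc/haproxy/ssl/certs/`, but no task here creates that directory and the hook's own `mkdir -p` only creates `archives`, so on a host where haproxy's ssl tree does not already exist the first renewal fails at the redirect. Add a `file` task for `/etc/haproxy/ssl/certs` with `state: directory`, `owner: root`, `group: root`, `mode: "0700"`, since it will hold private keys. The "create hook directory" task sets owner/group but no `mode`, and the "copy renew hook" task sets `mode` but no owner/group; because certbot will execute this file on every renewal, set `mode: "0755"` on the directory and `owner: root` / `group: root` on the copy explicitly rather than relying on the connection user's umask. Minor: `cache_valid_time: 86400 #One day` reads better as `cache_valid_time: 86400  # one day`.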