diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..44070a08d88e9edfe9a6ac7135a52be177f26c46
--- /dev/null
+++ b/acmetool/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# file: acmetool/defaults/main.yml
+
+acmetool_endpoint: "https://acme-v01.api.letsencrypt.org/directory"
+acmetool_key_type: rsa
+acmetool_rsa_key_size: 4096
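Review bot: The role reads two variables that have no default and no documentation here: `adminaddr` (templates/response-file.yml) and `acmetool_certificates` (tasks/main.yml). A host that lacks either fails partway through the play, after the package is already installed. I would add a header comment listing them as required, e.g. `# required: adminaddr (contact e-mail), acmetool_certificates (list of {hostnames: [...]})`, and a one-line comment on each default. Separately, `acme-v01.api.letsencrypt.org` is Let's Encrypt's ACMEv1 directory, which has since been retired, so anyone reusing this role should confirm the endpoint and that their acmetool version speaks the current protocol.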
diff --git a/acmetool/files/reload-config b/acmetool/files/reload-config
new file mode 100644
index 0000000000000000000000000000000000000000..69e9fdf51ede4a9e8a69f58a3d74f2e7f14d5dbd
--- /dev/null
+++ b/acmetool/files/reload-config
@@ -0,0 +1 @@
+SERVICES="nginx-proxy"
diff --git a/acmetool/files/service-after.conf b/acmetool/files/service-after.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a54ec72b702a5b82200d813310d1f8f5fc2fe5e0
--- /dev/null
+++ b/acmetool/files/service-after.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=nginx-proxy.service
diff --git a/acmetool/handlers/main.yml b/acmetool/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..77446560d0582e1529f59e0aa4ce58cac8e721eb
--- /dev/null
+++ b/acmetool/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# file: acmetool/handlers/main.yml
+
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+
+- name: update certificates
+  systemd: name=acmetool.service state=started
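Review bot: Both handlers pass module arguments as `key=value` strings and use `yes` as a boolean; the same style appears in the `apt` task and the `acmetool.timer` task in tasks/main.yml. Native YAML arguments are easier to lint and avoid the string re-parsing: `systemd:` followed by `name: acmetool.service` and `state: started`, and `daemon_reload: true` for the first handler. A comment should also note that `reload systemd service files` must stay listed before `update certificates`, because handlers run in the order defined in this file and the drop-in has to be loaded before the service is started.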
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5cc6ef4cd67433f654ca73037bcf8ab3e9521f4e
--- /dev/null
+++ b/acmetool/tasks/main.yml
@@ -0,0 +1,91 @@
+---
+# file: acmetool/tasks/main.yml
+
+- name: ensure acmetool is installed
+  apt: name=acmetool state=present
+  tags:
+    - acmetool
+    - packages
+
+- name: ensure we have our response file
+  template:
+    src: response-file.yml
+    dest: /var/lib/acme/quickstart-reponses.yml
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+
+- name: check if acmetool is configured
+  command: acmetool status
+  register: acmetool_status
+  changed_when: no
+  tags:
+    - acmetool
+    - config
+
+- name: initially configure acmetool
+  command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
+  when: not acmetool_status.stdout|search(acmetool_endpoint)
+  tags:
+    - acmetool
+    - config
+
+- name: ensure acmetool reloads the right service 
+  copy:
+    src: reload-config
+    dest: /etc/default/acme-reload
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+
+- name: ensure we can modify the systemd unit
+  file:
+    path: /etc/systemd/system/acmetool.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+
+- name: ensure systemd waits for the right service
+  copy:
+    src: service-after.conf
+    dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+
+- name: ensure the desired certificates are configured
+  template:
+    src: desired.conf
+    dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items: "{{acmetool_certificates}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: ensure certificates are updated regularly
+  systemd: name=acmetool.timer enabled=yes state=started
+  tags:
+    - acmetool
+    - services
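Review bot: The `when` on `initially configure acmetool` applies `search` as a filter, which treats `acmetool_endpoint` as a regular expression, so the dots and any `?` or `+` in a custom endpoint act as metacharacters; the filter form of tests was also removed in later Ansible releases. A plain substring test says what is meant: `when: acmetool_endpoint not in acmetool_status.stdout`. The `acmetool status` task has no `failed_when`; if acmetool exits non-zero on an unconfigured host (not verifiable from this diff), the play would stop before quickstart ever runs. Finally, `dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"` builds a root-owned path from inventory data, so an `assert` before that task that each hostname matches a hostname pattern (no `/`) would keep a malformed entry from being written outside the directory.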
diff --git a/acmetool/templates/desired.conf b/acmetool/templates/desired.conf
new file mode 100644
index 0000000000000000000000000000000000000000..eae3c4032c524081e03e7ca5b2491882d6fbd120
--- /dev/null
+++ b/acmetool/templates/desired.conf
@@ -0,0 +1,6 @@
+satisfy:
+  names:
+{% for hostname in item.hostnames %}
+    - {{hostname}}
+{% endfor %}
+    
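Review bot: Each hostname is emitted as an unquoted YAML scalar (`    - {{hostname}}`), so a value with a leading `*`, a `: ` or an embedded newline changes the structure of the generated file instead of being read as a name. Quoting the item keeps it a string: `    - "{{ hostname }}"`. The last line of the template is whitespace only and ends up in every rendered file; it can be dropped.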
diff --git a/acmetool/templates/response-file.yml b/acmetool/templates/response-file.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab5538b0a383847bc27e75b1d251eb4110306a5c
--- /dev/null
+++ b/acmetool/templates/response-file.yml
@@ -0,0 +1,14 @@
+"acme-enter-email": "{{adminaddr}}"
+"acme-agreement:{{(lookup('url', acmetool_endpoint, split_lines=False)|from_json)['meta']['terms-of-service']}}": true
+"acmetool-quickstart-choose-server": "{{acmetool_endpoint}}"
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-key-type": {{acmetool_key_type}}
+{% if acmetool_key_type == "rsa" %}
+"acmetool-quickstart-rsa-key-size": {{acmetool_rsa_key_size}}
+{% endif %}
+"acmetool-quickstart-install-haproxy-script": false
+# systemd does that
+"acmetool-quickstart-install-cronjob": false
+# we use webroot
+"acmetool-quickstart-install-redirector-systemd": false
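Review bot: The `acme-agreement:` key is built by fetching the directory from `acmetool_endpoint` at template time and accepting whatever `terms-of-service` URL it returns. A changed agreement is therefore accepted automatically on the next run, and the template fails whenever the controller cannot reach the endpoint. Pinning the accepted URL in a role variable (name of your choosing, e.g. `acmetool_agreement_url`) makes accepting new terms a reviewed change and removes the network dependency: `"acme-agreement:{{ acmetool_agreement_url }}": true`. `{{acmetool_key_type}}` is also unquoted, unlike the other string answers; `"{{ acmetool_key_type }}"` would be consistent.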