@raniellyferreira
Last active November 1, 2023 17:41
Ansible playbook that configures certbot to issue and renew certificates using Cloudflare DNS
# CloudFlare cloudflare.ini
# dns_cloudflare_email = ""
# dns_cloudflare_api_key = ""
- name: Let's Encrypt SSL certificates
  hosts: all
  become: yes
  vars:
    letsencrypt_account_email: example@email.com
    secrets_path: /root/.secrets
  tasks:
    - name: Adicionando repo Certbot
      apt_repository:
        repo: ppa:certbot/certbot
        state: present
    - name: Instalando o Certbot
      apt: name={{ item }} update_cache=yes state=latest
      loop:
        - certbot
        - python3-certbot-dns-cloudflare
      notify:
        - start certbot
    - name: Criar pasta .secrets
      file:
        path: "{{ secrets_path }}"
        state: directory
        # A directory needs the execute bit to be entered; keep it owner-only
        mode: "0700"
    - name: Copiar credenciais Cloudflare
      copy:
        src: ./cloudflare.ini
        dest: "{{ secrets_path }}/cloudflare.ini"
        # The file holds the Cloudflare API key: owner read/write only
        mode: "0600"
    - name: Criar cron para renovação automática
      cron:
        name: letsencrypt_renewal
        special_time: weekly
        job: /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
        state: present
    - name: Gerar certificados com Cloudflare
      # --non-interactive: Ansible provides no terminal, so certbot must never prompt
      shell: >
        certbot certonly --non-interactive --dns-cloudflare
        --dns-cloudflare-propagation-seconds 60
        --dns-cloudflare-credentials {{ secrets_path }}/cloudflare.ini
        --agree-tos --email {{ letsencrypt_account_email }}
        -d {{ item | join(',') }}
      loop:
        - ["example.com.br", "*.example.com.br"]
  handlers:
    - name: start certbot
      service: name=certbot state=started enabled=yes
  tags: install-certbot
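
As an added example (not part of the gist), the shell function below audits the credentials file the playbook installs at `{{ secrets_path }}/cloudflare.ini`: it flags group/other permission bits on the file and its directory, and reports use of the account-wide `dns_cloudflare_api_key` where a scoped `dns_cloudflare_api_token` would be narrower. The function name and finding labels are hypothetical, and it assumes GNU `stat` as found on the playbook's apt-based targets.

```shell
#!/bin/sh
# Added example, not the gist author's code.
# audit_cf_credentials FILE
#   Prints one finding per line.
#   Returns 0 when clean, 1 when any finding is reported, 2 when FILE is missing.
audit_cf_credentials() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # Any group/other bit exposes the DNS credential to other local users.
    mode=$(stat -c '%a' "$file")
    case $mode in
        *00) ;;
        *) echo "FILE_MODE $file is $mode, expected 600 or 400"; findings=1 ;;
    esac

    # The containing directory should be owner-only as well.
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    case $dmode in
        *00) ;;
        *) echo "DIR_MODE $dir is $dmode, expected 700"; findings=1 ;;
    esac

    # The global API key acts for the whole Cloudflare account;
    # a token scoped to DNS edits on one zone limits what a leak exposes.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "GLOBAL_KEY $file uses dns_cloudflare_api_key"
        findings=1
    fi

    return $findings
}

# Stand-alone use: sh audit.sh /root/.secrets/cloudflare.ini
if [ "$#" -gt 0 ]; then
    audit_cf_credentials "$1"
fi
```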