diff --git a/deploy.yml b/deploy.yml
index 2481396..88a4379 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -5,3 +5,6 @@
 
 - name: Docker setup
   ansible.builtin.import_playbook: playbooks/deploy-docker.yml
+
+- name: Certbot certificate cloudflare setup
+  ansible.builtin.import_playbook: playbooks/deploy-certbot.yml
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
new file mode 100644
index 0000000..9d8a227
--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,5 @@
+---
+
+cloudflare_credentials_destination: /root/.cloudflare-dns-api-key.ini
+certbot_post_hook_dir: /etc/letsencrypt/renewal-hooks/post
+certbot_live_dir: /etc/letsencrypt/live
diff --git a/group_vars/host_domains.yml b/group_vars/host_domains.yml
new file mode 100644
index 0000000..aa81c0f
--- /dev/null
+++ b/group_vars/host_domains.yml
@@ -0,0 +1,7 @@
+---
+
+host_domains:
+  fern.hatecomputers.club:
+    - fern.hatecomputers.club
+    - auth.hatecomputers.club
+    - vpn.hatecomputers.club
diff --git a/inventory b/inventory
index 2bdbbeb..5aedd72 100644
--- a/inventory
+++ b/inventory
@@ -1,2 +1,11 @@
 [docker]
 fern.hatecomputers.club ansible_user=root ansible_connection=ssh
+
+[host_domains]
+fern.hatecomputers.club ansible_user=root ansible_connection=ssh
+
+[certbot]
+fern.hatecomputers.club ansible_user=root ansible_connection=ssh
+
+[kanidm]
+fern.hatecomputers.club ansible_user=root ansible_connection=ssh
diff --git a/playbooks/deploy-certbot.yml b/playbooks/deploy-certbot.yml
new file mode 100644
index 0000000..1fa6cb1
--- /dev/null
+++ b/playbooks/deploy-certbot.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Certbot setup
+  hosts: certbot
+  roles:
+    - certbot
diff --git a/playbooks/roles/certbot/files/renewal_post_upgrade.sh b/playbooks/roles/certbot/files/renewal_post_upgrade.sh
new file mode 100755
index 0000000..ab9c5b1
--- /dev/null
+++ b/playbooks/roles/certbot/files/renewal_post_upgrade.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/sbin/service nginx restart
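Review bot: Every new inventory group logs in to fern.hatecomputers.club as root over SSH (`ansible_user=root`), so the playbooks carry full root credentials for every task, including the certbot role that only needs root for a handful of file and package operations. A dedicated deploy user with `become: true` on the tasks that need it keeps root SSH login disabled on the host and limits what a compromised control node can do; the repeated host line could then live once under a parent group such as `[fern]` with `[certbot:children]` and friends pointing at it. The `[kanidm]` group is also added here but nothing in this change references it, so it looks like it either belongs to a later commit or should be dropped until a playbook uses it.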
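Review bot: The hook does a full `service nginx restart`, which drops open connections, and because it sits in `renewal-hooks/post` it runs after any `certbot renew` that attempted a renewal, including attempts that failed, if I read the certbot hook semantics right. Putting it in `renewal-hooks/deploy` instead makes it run only when a certificate was actually issued, and a config-checked reload picks up the new chain without downtime. The whole script would then be three lines: `#!/bin/bash`, `set -eu`, `nginx -t && /usr/sbin/service nginx reload`; the `set -eu` makes a failed config test surface as a hook error rather than being silently ignored.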
diff --git a/playbooks/roles/certbot/tasks/main.yml b/playbooks/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..deed32c
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+
+- name: Install certbot deps
+  ansible.builtin.apt:
+    name:
+      - python3-certbot
+      - python3-certbot-dns-cloudflare
+    state: present
+
+- name: Install
+  ansible.builtin.template:
+    src: cloudflare-credentials.ini.j2
+    dest: "{{ cloudflare_credentials_destination }}"
+    mode: o=rw
+
+- name: Ensure existance of {{ certbot_post_hook_dir }}
+  ansible.builtin.file:
+    path: "{{ certbot_post_hook_dir }}"
+    state: directory
+    mode: o=rw,g=r,a+x
+
+- name: Add renewal_post_upgrade hook
+  ansible.builtin.copy:
+    src: renewal_post_upgrade.sh
+    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
+    mode: a+x
+    owner: root
+    group: root
+
+- name: Check for existence of certificates
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
+  loop: "{{ host_domains[inventory_hostname] }}"
+  register: cert_check
+- name: Construct domains needing ACME requests list
+  ansible.builtin.set_fact:
+    domain_request_list: >
+      {% for domain in host_domains[inventory_hostname] %}
+      {% set domain_index = loop.index0 %}
+      {% if not cert_check.results[domain_index].stat.exists %}
+      {{ domain }}
+      {% endif %}
+      {% endfor %}
+
+- name: Request acmedns challenges if there are such domains that need certs
+  ansible.builtin.shell: >
+    certbot certonly --dns-cloudflare \
+    --dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \
+    --non-interactive \
+    --manual-public-ip-logging-ok \
+    --agree-tos -m {{ certbot_email }} \
+    --preferred-challenges dns --debug-challenges \
+    --dns-cloudflare-propagation-seconds 20 \
+    -d {{ item }}
+  loop: "{{ domain_request_list.split() }}"
+  changed_when: domain_request_list | trim != ''
+
+- name: Certbot daily renewal cron job
+  ansible.builtin.cron:
+    name: "letsencrypt_daily_renewal"
+    special_time: "daily"
+    job: "certbot renew --non-interactive"
+    cron_file: "certbot_renewal"
+    user: root
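Review bot: `mode: o=rw` on the credentials template sets the *others* class (not the owner) to read/write, so the rendered `/root/.cloudflare-dns-api-key.ini`, which holds a live Cloudflare API token, ends up world-readable and world-writable, and `mode: o=rw,g=r,a+x` on the hook directory makes `/etc/letsencrypt/renewal-hooks/post` world-writable even though every script in it is executed as root by `certbot renew`, which lets any local user drop in a script for a root shell. Both should be root-owned and owner-only: `mode: "0600"` with `owner: root`/`group: root` on the ini (plus `no_log: true` so the token is not printed in `--diff` runs) and `mode: "0755"` on the directory. Separately, the `shell` task uses a folded `>` scalar, so each trailing `\` is folded into a `\ ` inside the single-line command and the shell hands certbot a bare-space argument that argparse will most likely reject as unrecognized; drop the backslashes (use `>-`) and pass the interpolated values through `| quote` so a stray character in `certbot_email` or a domain cannot alter the command. `--debug-challenges` waits for keyboard input, which cannot happen under `--non-interactive`, and `--manual-public-ip-logging-ok` has been a deprecated no-op in certbot for a while as far as I recall, so both can go; it is also worth confirming on the target that `/usr/bin/certbot` exists at all, since on Debian/Ubuntu the CLI ships in the `certbot` package rather than `python3-certbot`.
```yaml
- name: Install Cloudflare DNS API credentials for certbot
  ansible.builtin.template:
    src: cloudflare-credentials.ini.j2
    dest: "{{ cloudflare_credentials_destination }}"
    owner: root
    group: root
    mode: "0600"  # file holds the API token; nobody but root may read it
  no_log: true    # keep the rendered token out of --diff / verbose output

- name: Ensure existence of {{ certbot_post_hook_dir }}
  ansible.builtin.file:
    path: "{{ certbot_post_hook_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"  # scripts here run as root: never writable by group/others

# … unchanged: hook copy, certificate stat, domain list construction …

- name: Request certificates for domains that do not have one yet
  ansible.builtin.shell: >-
    certbot certonly --dns-cloudflare
    --dns-cloudflare-credentials {{ cloudflare_credentials_destination | quote }}
    --non-interactive --agree-tos -m {{ certbot_email | quote }}
    --preferred-challenges dns
    --dns-cloudflare-propagation-seconds 20
    -d {{ item | quote }}
  loop: "{{ domain_request_list.split() }}"
  changed_when: domain_request_list | trim != ''

# … unchanged: daily renewal cron …
```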
diff --git a/playbooks/roles/certbot/templates/cloudflare-credentials.ini.j2 b/playbooks/roles/certbot/templates/cloudflare-credentials.ini.j2
new file mode 100644
index 0000000..4e7d9ac
--- /dev/null
+++ b/playbooks/roles/certbot/templates/cloudflare-credentials.ini.j2
@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ cloudflare_api_token }}
diff --git a/secrets.txt b/secrets.txt
index c8e7c7c..57e0480 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -1 +1,2 @@
 cloudflare_api_token
+certbot_email
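Review bot: Nothing in the template records what `cloudflare_api_token` is expected to be allowed to do, and the dns-cloudflare plugin only needs DNS edit rights on the zones that appear in host_domains, so the next person could just as easily paste in an account-wide key. A one-line comment at the top of the template would pin that down: `# Scoped Cloudflare API token: Zone:Read + Zone:DNS:Edit on the hatecomputers.club zone only, never a Global API Key`. The ini format certbot reads should tolerate `#` comments, so it can stay in the rendered file as well; if you prefer not to rely on that, keep it as a Jinja `{# … #}` comment instead.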