authorChristian Pointner <equinox@spreadspace.org>2023-08-16 01:04:37 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-20 22:12:03 +0200
commit91441c684bff2f8807199e4696d39683af02a953 (patch)
treeda689b3c21fdb2690b14fe64f4a8180294e40c0f
parentalways use include_role for nginx/vhost (diff)
add role: x509/static
-rw-r--r--dan/sk-testvm.yml10
-rw-r--r--inventory/host_vars/sk-testvm.yml316
-rw-r--r--roles/nginx/vhost/tasks/main.yml2
-rw-r--r--roles/x509/acmetool/cert/meta/main.yml1
-rw-r--r--roles/x509/static/base/tasks/main.yml2
-rw-r--r--roles/x509/static/cert/finalize/tasks/main.yml2
-rw-r--r--roles/x509/static/cert/meta/main.yml4
-rw-r--r--roles/x509/static/cert/prepare/defaults/main.yml35
-rw-r--r--roles/x509/static/cert/prepare/tasks/main.yml81
9 files changed, 449 insertions, 4 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index c7aaf754..c66601cb 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -11,9 +11,9 @@
- name: Payload Setup
hosts: sk-testvm
vars:
- acme_client: acmetool
+ cert_provider: static
roles:
- - role: "x509/{{ acme_client }}/base"
+ - role: "x509/{{ cert_provider }}/base"
- role: nginx/base
post_tasks:
- name: make sure document root directories exist
@@ -46,7 +46,7 @@
name: nosuchsite
template: generic
tls:
- certificate_provider: "{{ acme_client }}"
+ certificate_provider: "{{ cert_provider }}"
hsts: no
hostnames:
- testvm.elev8.at
@@ -54,6 +54,7 @@
'/':
root: /var/www/default
index: index.html
+ static_cert_config: "{{ static_cert_config__default }}"
include_role:
name: nginx/vhost
@@ -79,7 +80,7 @@
name: test
template: generic
tls:
- certificate_provider: "{{ acme_client }}"
+ certificate_provider: "{{ cert_provider }}"
hsts: no
hostnames:
- test.spreadspace.org
@@ -90,5 +91,6 @@
'/':
root: /var/www/test
index: index.html
+ static_cert_config: "{{ static_cert_config__test }}"
include_role:
name: nginx/vhost
diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml
index 3eaf94c4..a6eed52d 100644
--- a/inventory/host_vars/sk-testvm.yml
+++ b/inventory/host_vars/sk-testvm.yml
@@ -38,3 +38,319 @@ external_ip: "{{ network.primary.overlay }}"
# https://owncloud.org/news/upgrading-owncloud-on-debian-stable-to-official-packages/
#
nginx_server_names_hash_bucket_size: 64
+
+
+static_cert_config__default:
+ key:
+ content: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJJwIBAAKCAgEAoUTEXyBSZhYWQs0wx6fLO6ZW+4DBp8+UJOGznJnxuU68HhSc
+ mPoDHXE9DP4uPq86s2eD3jCZYoUO+vdETOaJrq6vIA3WEAetNQmv6I9CfhWhryb9
+ QGDUFPtjTilG2GDA+j5oS7d9HYLfpDuJ+9by1I9rSIps85958d1TbuvptwL5RFB4
+ BBOdhsNaMKTscsVUd3SozZx4wwDMpjLjNig7VKlnqMVesnNDuQjtFMZZBjeXg1Df
+ 3T0RXmpSRNICR/LT3vDnzFkf0hFOaUSPoEXwNxv4nepIr82d1IdqedTxc4RPYcui
+ 5lMbYnwCig/NglH6AwBJBxGFjIGfGcBuemoGsKnu7ZpTbsxQ4qNt3vgsDDGscJ6o
+ d1REp27YSdfACtMm8Swn5ZAex18OwcibeFVq66fbVpq0iB+sNnezof6el06wTF1M
+ ex2BY7IkKpJeCuHCwT999Kq6521Ukg1OdgxLutNhlbJwLW8Lf6XYGaCydy/QM8Wi
+ PSUTLvRgj31/3RQOVA/w7z+moAyJO1//TBR5sWyKE/gZNUW4Am++L1+L7qQ6kTVp
+ hW8f89FIgDHLU2hOdv7MKN/GX7uHCVxesTKgU/DLp7w9iNjUeUaD46sLefKB+Ms4
+ KpvvGbrxLR21rDxuMquZ7VLG7/0CNVnsC/erggHiUTPjddRP2cz37cTWbJ0CAwEA
+ AQKCAgAhaMap0l9fqMm50xp88kUHOYGhnt3/ruBI970m/zl1o1sTfD+o7XqBufjk
+ 3S+latXlXteRy02rfFdLJLiwmb4CQ0wifttO/NgkObqImk0zI7YYPCKRGL43DpFX
+ GvQDVaAE97LRpNS1rWw5cOA4HSK3aHLYV10U53/y3GAxhYwojuQnA+ipJ4sl5Qil
+ NTWK3ViPWsqxte3KsDq1X6t0h8cq1eGUtDbXD0wDZFcBS8oboJ6x5KpMAh+8CJi8
+ iylP0H2WHSBYVEpkUZOF+V8r2/FU6WWLCYM/cIB3DArB7JyMyudLIk3AG417zKcW
+ BQoVKnh58LAwV6/sGNpmEliQ4bA6yubg1hkLefvpIDCDKbjPLSg23IF9VudW6mQ7
+ 2FAYxJhHb71FgvZKogP/fumG8bj4lj93H4MpmLqn24CGeSmRTKo/yknEIvaOTGyH
+ AN4PpSNwUjtT1NcimNv7h8OxAc27XZI8Qv6iRHA9cBiEfJhwfLGsLU84FemHQQeJ
+ mAZiuumO+OdV21EdHD6nKlolOsCqSJUwMsG548+YAOhDlhj45Okv1aulG821ftrb
+ sCfEn0YndW42SU/mKr5VL5ePsEIdLmE2tDWsDiU+9rh3+QxR8mWr3bebPmMpERfd
+ Ka087gFSn7V+HriCOR9J5+98LjXvZHNSoL/DtVM1jqsEWasYAQKCAQEAwuUGhcgo
+ 5suXPKNakfaQd0hzuEl6g5Jo+axppq27GR3dHzL8LpitGZeFOKG/dnV3DOFL6XLw
+ BiKURNFqcKDK0+VGLwU3Icar+zM6PBj++L8eKdZTaYK31UJVlYNMvHCPKxYRdjl0
+ 9y03WC+ANpXCbwNMlJrT2Fy8KxiOw5Gawntd82wOT3Gp2FgPLBKpLHx3CygsOM+r
+ dnZFzAHF/X4MJZbGsy3FRPV+VgUCmopimKtn3GT2mwLzymbjX9OZFXiEJy8iu8/E
+ W6Tl/kMM5f4k5ShPWlGfKlJraZ9hxPqt3BU/jPg5hqejzKbwkfnupNuvlc0O3yJ8
+ EHEWh+XYaglanQKCAQEA09TKuN8JbTwTro/Gokhlr84pktqRojRxrJDXkH/5F4UN
+ VnXqaeFofybFV17/T2BcIH2u7GtM3mIoe+wd130yM0OdZB50VW4ttlJ9GqXNiGDs
+ y+/Op8sn2DTY71oDqsz88mKslNrjxxuovhNPWSmaA30vUFcf5J6EiZxGWUc5OYco
+ +X+t2MBVOnmzpCVcgIM7mfCWnQdEqBqT4jLtcIZQf9hTuOeyhhbmc9jHDSEPc0mO
+ t80AiXgQ/Xdpn07dXSK7NPxNsNU9tsO9N6ItJ8+s1FayVVzc+Yh6bDo9NEtSCIOg
+ YakT+Y1NGdVgNiEjRMf8T8lTrTwhb2sWRg8kQaO6AQKCAQAUX6K9632zGsdVlHIM
+ Xi0d+xn1wuCmznBg4VAuF20+o+uQrmDEcjtuOHO5xtbgCEmItCieX+CNk6HSS94H
+ phdt7ULX+YCY7E7gNKu6ypYk5L2/e+M+XWbgSU3vEkm8TTv6MhVjOYBrsnNdqaGK
+ kz8/IaYoxsKslI0rKCcMdLUr7X+Vyc75KRWrQxFa9xxuRRigtvNggP0YpiaHvAu5
+ gyq75zYgVwGPQuaREXcDNsI12X1DAd7xt25K01SjmNgg8XdHLVtBLOgG+Ib+fH3l
+ sRqkRgF9nJi58OG/qeSrldUE88ev8eb5l5687xqo9+qlmz2QuF38n3s+sMO9Mx7b
+ ftzVAoIBAGun+rtIBwdv/+S4h0/UkXFuymwrDtar5pW4KwXyNAsDAMtPNCpJd40f
+ jC2iRwj1RPzyQyM+SRvAMSkB0AzDQO8SzvuiCqecTjkZ5SDU4QcNk2r13kYiloZo
+ HVRPoAt/EJKzGVixgg+f+/tV3v7GiNJ7Hb+r97Z95Yf2Vz5qVyfojCd4/0ZoQSht
+ z6F9p2xcxb6vqiv2FKuGjl/oWAnXCTRgIfSYNH+3RbnckxUWFz8VRCYfVsWGssPO
+ m2xubUw3KYN9MpLLXQj0o8aRcneIMSLdSNbfUiKzfNxiINbh7LgNBUZ84nzylhup
+ +LKp1r3PEWkPPaqOI8P3XaOPcHK3ngECggEAOsZmgZ+J2pfRhn0WoUHM60gHDLv5
+ wKPWidT3cEMDAWyZPwLMgXcXxwI1xqy/Mzq5li9ADAuSZ+1jv0UYty7KBQjBo83p
+ Z4dfDF29HbfifxjoTKx/1WkY73zdeUIooujb1S5H+V3YaRrfjh0Bhznv7azygCk7
+ VK92rvjnj6lOMhZUIoZ+r23ry2+wOLds6bJV+x1xi/i52KcVB+Lf4Ax9ayrBpyL7
+ SStc5Rcqou+UI/Bhoo+xsAYTVSg80eFBhKgXYFJiXJ3Bt5nf0vPruPVaHPiwIE5M
+ PwBlBUeMdTf6nQAEbn8kH5erJl454u1i2cMGTwkMBYp81oRmiaFHdaiFWg==
+ -----END RSA PRIVATE KEY-----
+ cert:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIGGzCCBQOgAwIBAgITAPqTv2Ggom9ksX9aLTLweB6M0DANBgkqhkiG9w0BAQsF
+ ADBZMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXKFNUQUdJTkcpIExldCdzIEVuY3J5
+ cHQxKDAmBgNVBAMTHyhTVEFHSU5HKSBBcnRpZmljaWFsIEFwcmljb3QgUjMwHhcN
+ MjMwODA5MTA1MzAwWhcNMjMxMTA3MTA1MjU5WjAaMRgwFgYDVQQDEw90ZXN0dm0u
+ ZWxldjguYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChRMRfIFJm
+ FhZCzTDHp8s7plb7gMGnz5Qk4bOcmfG5TrweFJyY+gMdcT0M/i4+rzqzZ4PeMJli
+ hQ7690RM5omurq8gDdYQB601Ca/oj0J+FaGvJv1AYNQU+2NOKUbYYMD6PmhLt30d
+ gt+kO4n71vLUj2tIimzzn3nx3VNu6+m3AvlEUHgEE52Gw1owpOxyxVR3dKjNnHjD
+ AMymMuM2KDtUqWeoxV6yc0O5CO0UxlkGN5eDUN/dPRFealJE0gJH8tPe8OfMWR/S
+ EU5pRI+gRfA3G/id6kivzZ3Uh2p51PFzhE9hy6LmUxtifAKKD82CUfoDAEkHEYWM
+ gZ8ZwG56agawqe7tmlNuzFDio23e+CwMMaxwnqh3VESnbthJ18AK0ybxLCflkB7H
+ Xw7ByJt4VWrrp9tWmrSIH6w2d7Oh/p6XTrBMXUx7HYFjsiQqkl4K4cLBP330qrrn
+ bVSSDU52DEu602GVsnAtbwt/pdgZoLJ3L9AzxaI9JRMu9GCPfX/dFA5UD/DvP6ag
+ DIk7X/9MFHmxbIoT+Bk1RbgCb74vX4vupDqRNWmFbx/z0UiAMctTaE52/swo38Zf
+ u4cJXF6xMqBT8MunvD2I2NR5RoPjqwt58oH4yzgqm+8ZuvEtHbWsPG4yq5ntUsbv
+ /QI1WewL96uCAeJRM+N11E/ZzPftxNZsnQIDAQABo4ICGTCCAhUwDgYDVR0PAQH/
+ BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
+ AjAAMB0GA1UdDgQWBBQ+nXoERS+3lz/+LksWdhlIRdBRZzAfBgNVHSMEGDAWgBTe
+ cnpI3zHDplDfn4Uj31c3S10uZTBdBggrBgEFBQcBAQRRME8wJQYIKwYBBQUHMAGG
+ GWh0dHA6Ly9zdGctcjMuby5sZW5jci5vcmcwJgYIKwYBBQUHMAKGGmh0dHA6Ly9z
+ dGctcjMuaS5sZW5jci5vcmcvMBoGA1UdEQQTMBGCD3Rlc3R2bS5lbGV2OC5hdDAT
+ BgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1ALDM
+ g+Wl+X1rr3wJzChJBIcqx+iLEyxjULfG/SbhbGx3AAABidoknl8AAAQDAEYwRAIg
+ WtCJ8ld4R1f2KNpuMFrOjvjp08Tz4OFvZ0+HPHxcPfECIFoVZ4ZYsgg7Z+gUsP+N
+ auCUo3gnonymPzdyl8Mlg2WgAHcA7audHd2Dc5Wf9SqI5Gu0vMPEzE12imDM/042
+ LX+41mgAAAGJ2iSgVwAABAMASDBGAiEA6vwwJZROjqHlG6PAI3PBTgQvsPf1XDVn
+ HdTRg3lVfxQCIQDiyPNyJVAQJcjDYxRJZchP2GIs3pHbmY2qC8TrzpTA/DANBgkq
+ hkiG9w0BAQsFAAOCAQEArmQ+hx5+72piX+y27K+pFzWvYAJ9VjYULj+Un3N+Ta2U
+ y7nL89b0Hpy9/FlZz2joG10/1TQGC11M6Nq0fWmK5BTf0MPEkVLG3ChkhPZeHsWa
+ ok18WiHjy5jjgF4uPbAnSorYmR77ANnuKM1RNpF/xkPb1wQDvF7TmtEdfeMbLGM0
+ 2Pa7cnrwEiq5dC2oyC+D2Qkfvr4Z1t28WepDHGG66VPes7puuL3XMZnor+8SGtCp
+ WfMrrIShXDSQcssxoD9XG6SM15lSCPHjKDT9lhellwvrbGOwKcX+PVJNZW9jGU7D
+ f/PRJpM9pJiz8KqUoVA0o3Sri6DPS6OEH7JPYXszqw==
+ -----END CERTIFICATE-----
+ chain:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIFWzCCA0OgAwIBAgIQTfQrldHumzpMLrM7jRBd1jANBgkqhkiG9w0BAQsFADBm
+ MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+ aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+ ZWFyIFgxMB4XDTIwMDkwNDAwMDAwMFoXDTI1MDkxNTE2MDAwMFowWTELMAkGA1UE
+ BhMCVVMxIDAeBgNVBAoTFyhTVEFHSU5HKSBMZXQncyBFbmNyeXB0MSgwJgYDVQQD
+ Ex8oU1RBR0lORykgQXJ0aWZpY2lhbCBBcHJpY290IFIzMIIBIjANBgkqhkiG9w0B
+ AQEFAAOCAQ8AMIIBCgKCAQEAu6TR8+74b46mOE1FUwBrvxzEYLck3iasmKrcQkb+
+ gy/z9Jy7QNIAl0B9pVKp4YU76JwxF5DOZZhi7vK7SbCkK6FbHlyU5BiDYIxbbfvO
+ L/jVGqdsSjNaJQTg3C3XrJja/HA4WCFEMVoT2wDZm8ABC1N+IQe7Q6FEqc8NwmTS
+ nmmRQm4TQvr06DP+zgFK/MNubxWWDSbSKKTH5im5j2fZfg+j/tM1bGaczFWw8/lS
+ nukyn5J2L+NJYnclzkXoh9nMFnyPmVbfyDPOc4Y25aTzVoeBKXa/cZ5MM+WddjdL
+ biWvm19f1sYn1aRaAIrkppv7kkn83vcth8XCG39qC2ZvaQIDAQABo4IBEDCCAQww
+ DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAS
+ BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTecnpI3zHDplDfn4Uj31c3S10u
+ ZTAfBgNVHSMEGDAWgBS182Xy/rAKkh/7PH3zRKCsYyXDFDA2BggrBgEFBQcBAQQq
+ MCgwJgYIKwYBBQUHMAKGGmh0dHA6Ly9zdGcteDEuaS5sZW5jci5vcmcvMCsGA1Ud
+ HwQkMCIwIKAeoByGGmh0dHA6Ly9zdGcteDEuYy5sZW5jci5vcmcvMCIGA1UdIAQb
+ MBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCN
+ DLam9yN0EFxxn/3p+ruWO6n/9goCAM5PT6cC6fkjMs4uas6UGXJjr5j7PoTQf3C1
+ vuxiIGRJC6qxV7yc6U0X+w0Mj85sHI5DnQVWN5+D1er7mp13JJA0xbAbHa3Rlczn
+ y2Q82XKui8WHuWra0gb2KLpfboYj1Ghgkhr3gau83pC/WQ8HfkwcvSwhIYqTqxoZ
+ Uq8HIf3M82qS9aKOZE0CEmSyR1zZqQxJUT7emOUapkUN9poJ9zGc+FgRZvdro0XB
+ yphWXDaqMYph0DxW/10ig5j4xmmNDjCRmqIKsKoWA52wBTKKXK1na2ty/lW5dhtA
+ xkz5rVZFd4sgS4J0O+zm6d5GRkWsNJ4knotGXl8vtS3X40KXeb3A5+/3p0qaD215
+ Xq8oSNORfB2oI1kQuyEAJ5xvPTdfwRlyRG3lFYodrRg6poUBD/8fNTXMtzydpRgy
+ zUQZh/18F6B/iW6cbiRN9r2Hkh05Om+q0/6w0DdZe+8YrNpfhSObr/1eVZbKGMIY
+ qKmyZbBNu5ysENIK5MPc14mUeKmFjpN840VR5zunoU52lqpLDua/qIM8idk86xGW
+ xx2ml43DO/Ya/tVZVok0mO0TUjzJIfPqyvr455IsIut4RlCR9Iq0EDTve2/ZwCuG
+ hSjpTUFGSiQrR2JK2Evp+o6AETUkBCO1aw0PpQBPDQ==
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIFVDCCBDygAwIBAgIRAO1dW8lt+99NPs1qSY3Rs8cwDQYJKoZIhvcNAQELBQAw
+ cTELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1
+ cml0eSBSZXNlYXJjaCBHcm91cDEtMCsGA1UEAxMkKFNUQUdJTkcpIERvY3RvcmVk
+ IER1cmlhbiBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQw
+ M1owZjELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBT
+ ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRl
+ bmQgUGVhciBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdD
+ Ta1QgGBWSYkyMhscZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPW
+ nL++fgehT0FbRHZgjOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigk
+ kmx8OiCO68a4QXg4wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZ
+ GTIf/oRt2/c+dYmDoaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6V
+ P19sTGy3yfqK5tPtTdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkL
+ YC0Ft2cYUyHtkstOfRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2
+ UPQFxmWFRQnFjaq6rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/
+ 2dBZKmJqxHkxCuOQFjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRM
+ EeOXUYvbV4lqfCf8mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEm
+ QWUOTWIoDQ5FOia/GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eV
+ EGOIpn26bW5LKerumJxa/CFBaKi4bRvmdJRLAgMBAAGjgfEwge4wDgYDVR0PAQH/
+ BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLXzZfL+sAqSH/s8ffNE
+ oKxjJcMUMB8GA1UdIwQYMBaAFAhX2onHolN5DE/d4JCPdLriJ3NEMDgGCCsGAQUF
+ BwEBBCwwKjAoBggrBgEFBQcwAoYcaHR0cDovL3N0Zy1kc3QzLmkubGVuY3Iub3Jn
+ LzAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vc3RnLWRzdDMuYy5sZW5jci5vcmcv
+ MCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEB
+ CwUAA4IBAQB7tR8B0eIQSS6MhP5kuvGth+dN02DsIhr0yJtk2ehIcPIqSxRRmHGl
+ 4u2c3QlvEpeRDp2w7eQdRTlI/WnNhY4JOofpMf2zwABgBWtAu0VooQcZZTpQruig
+ F/z6xYkBk3UHkjeqxzMN3d1EqGusxJoqgdTouZ5X5QTTIee9nQ3LEhWnRSXDx7Y0
+ ttR1BGfcdqHopO4IBqAhbkKRjF5zj7OD8cG35omywUbZtOJnftiI0nFcRaxbXo0v
+ oDfLD0S6+AC2R3tKpqjkNX6/91hrRFglUakyMcZU/xleqbv6+Lr3YD8PsBTub6lI
+ oZ2lS38fL18Aon458fbc0BPHtenfhKj5
+ -----END CERTIFICATE-----
+
+
+static_cert_config__test:
+ key:
+ content: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKAIBAAKCAgEAv2HL497QMVYNX7/0/+d++F9vqtBRS8E5pvyfOiL2r9KGgqt1
+ L25KpPYNkLfwv1ibMiMolLRD897UxyNd83THc7g4BDwEVf5EKYeEvpF1RXUh2BQR
+ yK8PvF6cG+tpsfE53nfLR+mMDQkxya5CGltEFRY6eC6JfPE514oZRznB6gibOv0s
+ +uhgVl7ilisZJAtSlQRWuEDBqsp0uGoVerYkAcXIdApSPQoo7DgKvR/EsxbzfBla
+ OpKQve9OIXndDWiU14/uxt5JouITuzxkZRbfGaRnNnp/pI108HpdnYUGK5CYIHoe
+ UTC/Ym2s0MpNBf3h9SnmydUPvHTSUjW5ueUsMY2RoRlO/oP7Vw6Y3Cwag8omKB70
+ NB47yvGW22ml6o7FLWYs9jpjJqBpwfqbHk7yj2P9ke0XmxoVgQL5A+PZosCUB32K
+ Q7OUWBT5h6nnzSwXnkYyZUKz8cMCLYvHb5MWyWLBj0fByn9XNIBzAi/IwZ9tdqKK
+ K2FWW/JsVX2crHaqkI86ez+Dxi6ircSUaty50JeItV3o92FoxMiVcknR9yZ4eTS1
+ P0RvKJngAuZ57jBvmc0VGsDWdL8pojpVNpZ1NfXrVtmvKJxHEMO0B8dVkKnUv7np
+ aUzk6FbDTnBZyUPfTt3yosizdQeyyOaXOGd8IFdIN1Lz1tiPQwFLi4eMzMcCAwEA
+ AQKCAgA/GNgm9aQAUBWyts/ouwMSkix3zZyv9DG0y18XxMU+LJOqaysEi0FS58iL
+ KQnXnDf2rL7JYDFzKslOKmvkQ2Eq1tapFrx7OYxxgLuUNNLMJpUU73D5kDYI7cxc
+ LB45y4U/wpEj0W0aMyjWDHzAwcxNg3mdfAJaThG67U3uPK2hIltDdIsq4gg5Eal0
+ xxrP1mfQt5B7yOXREFSxJFCWl4yBhRrUnz6D32CkmMl5lwq73NpD1Pv5ia7s4AQL
+ Z2ko7Yz9EPgxWsI+UHke5wdWiNbfVmOtA3An6XdffYh10ZC6Nj7hnkF2lTLUGcK7
+ R6djTVP9B2aOro80m/NnpUzpbBRIYq/chaBg6br+pNJ6qcvaAkOvWQjGDKUxvspo
+ 5MVnwrU70iF8yhuH3sy1Bu7cffnMISgpjcwLBIcKr3f+y7TI1ckumL2+ykCYTGV2
+ /rdstm2c0wFDIdrRMMSjk0G165qLByTmPOlPrIkWRq3XdbRnvCR+OFUAQ4wtQ9wj
+ OzQfHvIeS44GOCP+a1e8ewhT1o4Ywf8Tsbwb0of5gTLhswCGPLbP/yY+4hE59oda
+ hXtS0vIz3a04/0LiWh3ILs/7SRpmFgMtJa7k6al40i+zVjXFHhhiorJ3dyMO8Aef
+ 8l8JzUpCE0bfr9MFieuAQu3i4wk5ID3yMwRUR1OJv2il2KzLIQKCAQEAwB2jNqHB
+ WKtExrjlfJ9Ok0XA5Y2STJok0oYnebhcA49oC0/gL5VK/j6TN8MGNRz+KBCb439S
+ y1/ThiVZo5It/hghcbXpJ6u1uhOrkjCw+/zd7DZjHXpXl7Dp2FKN33y4yAzBGhP4
+ w8EKELXdGgViigP+ZQHcP/2pqCJhBhDou7cJFCZuoWkS0mW255HG58dV4uOKuFdK
+ Yo9xJ2O9JFuPunYDYSu+WrYfN+ozVVpb44MTtepf54VxBogPBb95/FI35a56vs/r
+ ykKSZb1mEYdXYp1zTt0sgDPIJsJ17+R1e7dlToXPmuuMT4oU7CXHQLn8WX6HjlvH
+ xdY07cFQcpIrFwKCAQEA/wWyNNgHDtrdzt6hgcDylGuWHzoqX8TnannblBoxnlUy
+ irnW1n3KEiAkchzzIxWIkt/ug7SKyq/DVExtvzArGAbDv0N7VHqqkNtGWvWpm4bN
+ YIL6tBbEvnjGBL4NiRXtqAlA5KQuDeXGWOT88wbB+PZTj5zk1dJv3qsqtACO9Vvx
+ YdaYqL3FINqjxqS/Gh174KOJBLX+w02gV+7u9ERU2m64DqHTwCWWeMCEkifrs8/O
+ cp7kQ4kJWVkMv0OR0WNA+eOnek6pPCXB0mM8eFAoMehGhFGCyl0NJY78kTMhYGPr
+ DwFN/K+p6euQrY9D/+I8JNmRzgTL4xueIw5haAy50QKCAQAH5/BUijmTtZCiAO/o
+ vgGUy/URPU88+cb0JvMu7ihTOS6V8JaQPruUVOzoCY2S1/uZmH1h0laM6gehaJ4U
+ vipIX6PYsxzCNi3HV5Hi9UADTrevRdm0V9mM84ncDiGqhc5w5R15PkMpgyMv5twP
+ exNADMQGUhpHQ+AcfDWz8zQwrWqhOqeo2tMcd3UceIJP/YMKUETgKy9zeOW2MkOR
+ YHc8vCiNcihmQUJtoaS1KX/IkBdakCecNoCdPTIpEWUqvhNwz0pb2eChNTYjG7U8
+ mW4+L66UG0P+jqL4/V2vHp67FaQEpDsT7AedKliME03s2vqIkE1xzVMeUB9jfWYb
+ IOrHAoIBAQDhrZzCftngH3didknelW0WQw8am1KcZZeU9jmGmpeGUkbj1Ql1zuNf
+ nuohwdS4G3o838Ym70JTk677jpcgNfQs0u+u9nzRiawffKyKGhP5+hUNb1uEuxFo
+ rWAvGjDIO4uQxH+U1mWbDte0GxBt0HEfbH0N/f3T6uHs3vRvTn80SiUWO93kles4
+ 48NDKs+iwKy7Yn0CmjvVgYB/0IXNzBp7Irfm2vaUd67tNREcdg9zlFZRwKKn0UFg
+ vBk3uQf1kCwT945iAfJps9AN6pu8rNKlN7QPrEJd6nKT5jFEHUdQEZwWL0Vgc+Od
+ ikUCEmJOs1oeEhuhgUUcuXf79eHlPj3BAoIBAGhxbh5UZeSgXUEFdvLfHBFO6CMj
+ IeZMNORkQ3ZgRhzQ3aaQD4f0C/RMCrYrZORfPnDesodT0wUDgWqjXG9TAJFHMMo4
+ FBQdxCfah71kFnfWBXnrAZ4K7ltN7qDrb/IcfTHdEx3Tq0Xav6X2XgITTQz+LyMO
+ /XBoEeZkZDor1UoC1/QuZK8AziuaEvbfi90gw5Fys9xwhPRqeX0tF30VO9P5u9A9
+ dmCMbIjxkbGVV8bHIejXyiBEsc3MX0CQnJrsRD8Bq6TzP7v08BNwe5qcTy5hTTs0
+ dUOUDlCg68ezln1e7pjnhvAEIyB9Qhd1obhL9MEc+jDupu5pa2t7sOJcD+8=
+ -----END RSA PRIVATE KEY-----
+ cert:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIGaTCCBVGgAwIBAgITAPqbPyeH5GyeBBoPgHbVWlDC3TANBgkqhkiG9w0BAQsF
+ ADBZMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXKFNUQUdJTkcpIExldCdzIEVuY3J5
+ cHQxKDAmBgNVBAMTHyhTVEFHSU5HKSBBcnRpZmljaWFsIEFwcmljb3QgUjMwHhcN
+ MjMwODA5MTA1MzI3WhcNMjMxMTA3MTA1MzI2WjAfMR0wGwYDVQQDExR0ZXN0LnNw
+ cmVhZHNwYWNlLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9h
+ y+Pe0DFWDV+/9P/nfvhfb6rQUUvBOab8nzoi9q/ShoKrdS9uSqT2DZC38L9YmzIj
+ KJS0Q/Pe1McjXfN0x3O4OAQ8BFX+RCmHhL6RdUV1IdgUEcivD7xenBvrabHxOd53
+ y0fpjA0JMcmuQhpbRBUWOnguiXzxOdeKGUc5weoImzr9LProYFZe4pYrGSQLUpUE
+ VrhAwarKdLhqFXq2JAHFyHQKUj0KKOw4Cr0fxLMW83wZWjqSkL3vTiF53Q1olNeP
+ 7sbeSaLiE7s8ZGUW3xmkZzZ6f6SNdPB6XZ2FBiuQmCB6HlEwv2JtrNDKTQX94fUp
+ 5snVD7x00lI1ubnlLDGNkaEZTv6D+1cOmNwsGoPKJige9DQeO8rxlttppeqOxS1m
+ LPY6YyagacH6mx5O8o9j/ZHtF5saFYEC+QPj2aLAlAd9ikOzlFgU+Yep580sF55G
+ MmVCs/HDAi2Lx2+TFsliwY9Hwcp/VzSAcwIvyMGfbXaiiithVlvybFV9nKx2qpCP
+ Ons/g8Yuoq3ElGrcudCXiLVd6PdhaMTIlXJJ0fcmeHk0tT9EbyiZ4ALmee4wb5nN
+ FRrA1nS/KaI6VTaWdTX161bZryicRxDDtAfHVZCp1L+56WlM5OhWw05wWclD307d
+ 8qLIs3UHssjmlzhnfCBXSDdS89bYj0MBS4uHjMzHAgMBAAGjggJiMIICXjAOBgNV
+ HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
+ EwEB/wQCMAAwHQYDVR0OBBYEFDy0lODy9HEp1M4FdG/YUjBBnQ0IMB8GA1UdIwQY
+ MBaAFN5yekjfMcOmUN+fhSPfVzdLXS5lMF0GCCsGAQUFBwEBBFEwTzAlBggrBgEF
+ BQcwAYYZaHR0cDovL3N0Zy1yMy5vLmxlbmNyLm9yZzAmBggrBgEFBQcwAoYaaHR0
+ cDovL3N0Zy1yMy5pLmxlbmNyLm9yZy8wZQYDVR0RBF4wXIIUdGVzdC5zcHJlYWRz
+ cGFjZS5jb22CFHRlc3Quc3ByZWFkc3BhY2UubmV0ghR0ZXN0LnNwcmVhZHNwYWNl
+ Lm9yZ4IYdGVzdC5zcHJlYWRzcGFjZS5zeXN0ZW1zMBMGA1UdIAQMMAowCAYGZ4EM
+ AQIBMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUA7audHd2Dc5Wf9SqI5Gu0vMPE
+ zE12imDM/042LX+41mgAAAGJ2iUJgAAABAMARjBEAiB2GccK+Wwc6m2JIsJ4PbrC
+ Y+UXnoi9v0VPzir4bVYMGwIgIonr7RaEhjJ8QiEfkcBc0j6k0AzM3Ee9raoNKx4l
+ rKcAdQCwzIPlpfl9a698CcwoSQSHKsfoixMsY1C3xv0m4WxsdwAAAYnaJQtyAAAE
+ AwBGMEQCIHPBuvYBtUfsYU6WTMoa1IuCD2TeTGbCySEW/ZHlYtkEAiBzTQNkThq8
+ tpregOqi7ypchg9JFS/JzMfjjuDlBnFndjANBgkqhkiG9w0BAQsFAAOCAQEAlG32
+ KRc6Ln3AwhodYdDB9+SC8/vouCzaRTcgPVWYX/dZuXCvsWCGQ9bi9/VAWRgR0IuF
+ yibvGQ7dgL8cTDzfVvXdNa52VlgIxJ8Zag7CPSSHrmoOwH7j00t6mZveujmHpg4o
+ mtaiC3NHAXJopkNJjJYNKUSLYO8xULhaHrkbA8m9khdlTesraMQQyv80H/ohE3J2
+ qWKB/qO2EpmlbolIVbFWJPvo6oynn4ELrVJBDbWLMoDqGq8suIIeWbSZvkoqm9O2
+ AYroae5qP5GjB47gceH2SmQwqP69GKJimJhGhO3WDE/9PGSCUQB5vUGuK/wNmYrj
+ VWVPzMLHuAhSryY9Fw==
+ -----END CERTIFICATE-----
+ chain:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIFWzCCA0OgAwIBAgIQTfQrldHumzpMLrM7jRBd1jANBgkqhkiG9w0BAQsFADBm
+ MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+ aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+ ZWFyIFgxMB4XDTIwMDkwNDAwMDAwMFoXDTI1MDkxNTE2MDAwMFowWTELMAkGA1UE
+ BhMCVVMxIDAeBgNVBAoTFyhTVEFHSU5HKSBMZXQncyBFbmNyeXB0MSgwJgYDVQQD
+ Ex8oU1RBR0lORykgQXJ0aWZpY2lhbCBBcHJpY290IFIzMIIBIjANBgkqhkiG9w0B
+ AQEFAAOCAQ8AMIIBCgKCAQEAu6TR8+74b46mOE1FUwBrvxzEYLck3iasmKrcQkb+
+ gy/z9Jy7QNIAl0B9pVKp4YU76JwxF5DOZZhi7vK7SbCkK6FbHlyU5BiDYIxbbfvO
+ L/jVGqdsSjNaJQTg3C3XrJja/HA4WCFEMVoT2wDZm8ABC1N+IQe7Q6FEqc8NwmTS
+ nmmRQm4TQvr06DP+zgFK/MNubxWWDSbSKKTH5im5j2fZfg+j/tM1bGaczFWw8/lS
+ nukyn5J2L+NJYnclzkXoh9nMFnyPmVbfyDPOc4Y25aTzVoeBKXa/cZ5MM+WddjdL
+ biWvm19f1sYn1aRaAIrkppv7kkn83vcth8XCG39qC2ZvaQIDAQABo4IBEDCCAQww
+ DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAS
+ BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTecnpI3zHDplDfn4Uj31c3S10u
+ ZTAfBgNVHSMEGDAWgBS182Xy/rAKkh/7PH3zRKCsYyXDFDA2BggrBgEFBQcBAQQq
+ MCgwJgYIKwYBBQUHMAKGGmh0dHA6Ly9zdGcteDEuaS5sZW5jci5vcmcvMCsGA1Ud
+ HwQkMCIwIKAeoByGGmh0dHA6Ly9zdGcteDEuYy5sZW5jci5vcmcvMCIGA1UdIAQb
+ MBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCN
+ DLam9yN0EFxxn/3p+ruWO6n/9goCAM5PT6cC6fkjMs4uas6UGXJjr5j7PoTQf3C1
+ vuxiIGRJC6qxV7yc6U0X+w0Mj85sHI5DnQVWN5+D1er7mp13JJA0xbAbHa3Rlczn
+ y2Q82XKui8WHuWra0gb2KLpfboYj1Ghgkhr3gau83pC/WQ8HfkwcvSwhIYqTqxoZ
+ Uq8HIf3M82qS9aKOZE0CEmSyR1zZqQxJUT7emOUapkUN9poJ9zGc+FgRZvdro0XB
+ yphWXDaqMYph0DxW/10ig5j4xmmNDjCRmqIKsKoWA52wBTKKXK1na2ty/lW5dhtA
+ xkz5rVZFd4sgS4J0O+zm6d5GRkWsNJ4knotGXl8vtS3X40KXeb3A5+/3p0qaD215
+ Xq8oSNORfB2oI1kQuyEAJ5xvPTdfwRlyRG3lFYodrRg6poUBD/8fNTXMtzydpRgy
+ zUQZh/18F6B/iW6cbiRN9r2Hkh05Om+q0/6w0DdZe+8YrNpfhSObr/1eVZbKGMIY
+ qKmyZbBNu5ysENIK5MPc14mUeKmFjpN840VR5zunoU52lqpLDua/qIM8idk86xGW
+ xx2ml43DO/Ya/tVZVok0mO0TUjzJIfPqyvr455IsIut4RlCR9Iq0EDTve2/ZwCuG
+ hSjpTUFGSiQrR2JK2Evp+o6AETUkBCO1aw0PpQBPDQ==
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIFVDCCBDygAwIBAgIRAO1dW8lt+99NPs1qSY3Rs8cwDQYJKoZIhvcNAQELBQAw
+ cTELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1
+ cml0eSBSZXNlYXJjaCBHcm91cDEtMCsGA1UEAxMkKFNUQUdJTkcpIERvY3RvcmVk
+ IER1cmlhbiBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQw
+ M1owZjELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBT
+ ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRl
+ bmQgUGVhciBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdD
+ Ta1QgGBWSYkyMhscZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPW
+ nL++fgehT0FbRHZgjOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigk
+ kmx8OiCO68a4QXg4wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZ
+ GTIf/oRt2/c+dYmDoaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6V
+ P19sTGy3yfqK5tPtTdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkL
+ YC0Ft2cYUyHtkstOfRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2
+ UPQFxmWFRQnFjaq6rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/
+ 2dBZKmJqxHkxCuOQFjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRM
+ EeOXUYvbV4lqfCf8mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEm
+ QWUOTWIoDQ5FOia/GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eV
+ EGOIpn26bW5LKerumJxa/CFBaKi4bRvmdJRLAgMBAAGjgfEwge4wDgYDVR0PAQH/
+ BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLXzZfL+sAqSH/s8ffNE
+ oKxjJcMUMB8GA1UdIwQYMBaAFAhX2onHolN5DE/d4JCPdLriJ3NEMDgGCCsGAQUF
+ BwEBBCwwKjAoBggrBgEFBQcwAoYcaHR0cDovL3N0Zy1kc3QzLmkubGVuY3Iub3Jn
+ LzAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vc3RnLWRzdDMuYy5sZW5jci5vcmcv
+ MCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEB
+ CwUAA4IBAQB7tR8B0eIQSS6MhP5kuvGth+dN02DsIhr0yJtk2ehIcPIqSxRRmHGl
+ 4u2c3QlvEpeRDp2w7eQdRTlI/WnNhY4JOofpMf2zwABgBWtAu0VooQcZZTpQruig
+ F/z6xYkBk3UHkjeqxzMN3d1EqGusxJoqgdTouZ5X5QTTIee9nQ3LEhWnRSXDx7Y0
+ ttR1BGfcdqHopO4IBqAhbkKRjF5zj7OD8cG35omywUbZtOJnftiI0nFcRaxbXo0v
+ oDfLD0S6+AC2R3tKpqjkNX6/91hrRFglUakyMcZU/xleqbv6+Lr3YD8PsBTub6lI
+ oZ2lS38fL18Aon458fbc0BPHtenfhKj5
+ -----END CERTIFICATE-----
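Review bot: `static_cert_config__default.key.content` and `static_cert_config__test.key.content` are RSA private keys stored in clear text in host_vars, so anyone with read access to the repository or its history holds the keys for testvm.elev8.at and test.spreadspace.org. The certificates appear to be issued by the Let's Encrypt staging CA, which limits the impact here, but the same pattern is likely to be copied for production certificates. Store the key as a vaulted value, `content: !vault |` followed by the `ansible-vault encrypt_string` output, or move both mappings into a vault-encrypted vars file, and regenerate these two keys since they are already in history. The commented example in roles/x509/static/cert/prepare/defaults/main.yml shows the same inline form and could point at a vaulted variable instead.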
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index c5e68732..55544733 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -7,6 +7,7 @@
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_notify_on_change: reload nginx
- name: install nginx configs from template
when: "'template' in nginx_vhost"
@@ -43,3 +44,4 @@
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_notify_on_change: reload nginx
diff --git a/roles/x509/acmetool/cert/meta/main.yml b/roles/x509/acmetool/cert/meta/main.yml
index 8e6ac88d..472f5a8c 100644
--- a/roles/x509/acmetool/cert/meta/main.yml
+++ b/roles/x509/acmetool/cert/meta/main.yml
@@ -1,3 +1,4 @@
+---
dependencies:
- role: x509/acmetool/cert/prepare
- role: x509/acmetool/cert/finalize
diff --git a/roles/x509/static/base/tasks/main.yml b/roles/x509/static/base/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/static/base/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/static/cert/finalize/tasks/main.yml b/roles/x509/static/cert/finalize/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/static/cert/finalize/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/static/cert/meta/main.yml b/roles/x509/static/cert/meta/main.yml
new file mode 100644
index 00000000..c619208c
--- /dev/null
+++ b/roles/x509/static/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/static/cert/prepare
+ - role: x509/static/cert/finalize
diff --git a/roles/x509/static/cert/prepare/defaults/main.yml b/roles/x509/static/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..d632a5de
--- /dev/null
+++ b/roles/x509/static/cert/prepare/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+static_cert_hostnames: "{{ x509_certificate_hostnames }}"
+static_cert_name: "{{ x509_certificate_name | default(static_cert_hostnames[0]) }}"
+
+static_cert_base_dir: "/etc/ssl"
+
+# static_cert_config:
+# path: "{{ static_cert_base_dir }}/{{ static_cert_name }}"
+# mode: "0750"
+# owner: root
+# group: www-data
+# key:
+# mode: "0640"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN RSA PRIVATE KEY-----
+# ...
+# -----END RSA PRIVATE KEY-----
+# cert:
+# mode: "0644"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# chain:
+# mode: "0644"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
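Review bot: The commented `static_cert_config` example lists `mode: "0750"` for the directory and `mode: "0640"` with `group: www-data` for the key, while the tasks in roles/x509/static/cert/prepare/tasks/main.yml fall back to `0700` and `0600` when these keys are omitted; the example does not say which values are the defaults. A line such as `# mode/owner/group are optional; defaults are 0700 (dir), 0600 (key), 0644 (cert, chain)` above the example would keep readers from copying the group-readable key mode when they do not need it.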
diff --git a/roles/x509/static/cert/prepare/tasks/main.yml b/roles/x509/static/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..1327c3b3
--- /dev/null
+++ b/roles/x509/static/cert/prepare/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+- name: compute path to static certificate directory
+ set_fact:
+ static_cert_path: "{{ static_cert_config.path | default([static_cert_base_dir, static_cert_name] | path_join) }}"
+
+- name: create directory for static certificate
+ file:
+ path: "{{ static_cert_path }}"
+ state: directory
+ mode: "{{ static_cert_config.mode | default('0700') }}"
+ owner: "{{ static_cert_config.owner | default(omit) }}"
+ group: "{{ static_cert_config.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: install key for static certificate
+ copy:
+ content: "{{ static_cert_config.key.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-key.pem"
+ mode: "{{ static_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_cert_config.key.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: install static certificate
+ copy:
+ content: "{{ static_cert_config.cert.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+ mode: "{{ static_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_cert_config.cert.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: export paths to basic certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_cert_path }}/{{ static_cert_name }}-key.pem"
+ x509_certificate_path_fullchain: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+ x509_certificate_path_cert: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+
+- name: install chain and fullchain for static certificate
+ when: "'chain' in static_cert_config"
+ block:
+ - name: install chain for static certificate
+ copy:
+ content: "{{ static_cert_config.chain.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-chain.pem"
+ mode: "{{ static_cert_config.chain.mode | default('0644') }}"
+ owner: "{{ static_cert_config.chain.owner | default(omit) }}"
+ group: "{{ static_cert_config.chain.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: install fullchain for static certificate
+ copy:
+ content: |
+ {{ static_cert_config.cert.content | trim }}
+ {{ static_cert_config.chain.content }}
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-fullchain.pem"
+ mode: "{{ static_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_cert_config.cert.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: export paths to additional certificate files
+ set_fact:
+ x509_certificate_path_chain: "{{ static_cert_path }}/{{ static_cert_name }}-chain.pem"
+ x509_certificate_path_fullchain: "{{ static_cert_path }}/{{ static_cert_name }}-fullchain.pem"
+
+- name: make sure chain and fullchain files are removed
+ when: "'chain' not in static_cert_config"
+ block:
+ - name: remove chain/fullchain files
+ loop:
+ - chain
+ - fullchain
+ file:
+ path: "{{ static_cert_path }}/{{ static_cert_name }}-{{ item }}.pem"
+ state: absent
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: make sure variable that points to the chain certificate file is unset
+ set_fact:
+ x509_certificate_path_chain: ""
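Review bot: The `install key for static certificate` task writes `static_cert_config.key.content` through `copy` with `content:` and does not suppress task output, so a run with `--diff` can print the private key to the terminal and to any log or CI capture of the run. Add `no_log: true` to that task, or at least `diff: false`, so the key never appears in run output. The default directory mode `0700` and key mode `0600` are sensible; the output suppression is the missing piece for the one task that handles secret material.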