diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml
index e4749b4..6b14567 100644
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
@@ -1,11 +1,15 @@
+---
 - name: ensure certbot installation
+  tags: [ "certbot" ]
   ansible.builtin.import_tasks:
     file: main/install.yaml
 
 - name: ensure new cert commands
+  tags: [ "certbot" ]
   ansible.builtin.import_tasks:
     file: main/new_cert_commands.yaml
 
 - name: ensure certificates
+  tags: [ "certbot" ]
   ansible.builtin.import_tasks:
     file: main/certs.yaml
diff --git a/roles/certbot/tasks/main/cert.yaml b/roles/certbot/tasks/main/cert.yaml
index 61f6d45..c179dee 100644
--- a/roles/certbot/tasks/main/cert.yaml
+++ b/roles/certbot/tasks/main/cert.yaml
@@ -1,4 +1,6 @@
+---
 - name: get expiry date before
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
   ignore_errors: true
   become: true
@@ -6,6 +8,7 @@
   register: certbot__cert_expiry_before
 
 - name: ensure directory for cert configs exists
+  tags: [ "certbot" ]
   ansible.builtin.file:
     path: "/etc/ansible_certbot/cert_configs/"
     state: directory
@@ -15,6 +18,7 @@
   become: true
 
 - name: ensure cert config is stored
+  tags: [ "certbot" ]
   ansible.builtin.copy:
     content: "{{ cert_config_defaults[item.challengeType] | combine(item, recursive=True) | ansible.builtin.to_nice_json }}"
     dest: "/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json"
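Review bot: The added `tags: [ "certbot" ]` lines pad the inside of the flow brackets, which yamllint's default `brackets` rule rejects and which nothing else in these files does; `tags: [certbot]` (or a block list) is the conventional spelling, and the same form recurs in every hunk of this diff. Separately, Ansible propagates tags set on an `import_tasks` to every task in the imported file and tags set on a `block` to every task inside it, so the per-task tags added in install.yaml and new_cert_commands.yaml (imported here) and inside the blocks of install.yaml and validate_cert.yaml duplicate the tag already inherited. That is harmless, but a one-line comment on these imports such as `# tags on import_tasks propagate to the imported tasks` would tell the next reader why both levels are tagged, or the inner copies can simply be dropped.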
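Review bot: `ignore_errors: true` on the expiry-before task treats every openssl failure — not only the expected "no certificate yet" case — as a red failed task that is then skipped over, so a missing openssl binary or a permission problem on /etc/letsencrypt is only noticed, if at all, when the later `certbot__cert_expiry_before.stdout` comparison reports a spurious change. `failed_when: false` expresses the best-effort intent without the failed output, and gating the command on an `ansible.builtin.stat` of the fullchain.pem path would make the "certificate does not exist yet" case explicit. The same construct appears in the first hunk of http_01_cert.yaml. The task's `register` continues past this hunk.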
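Review bot: The stored config is the whole `item` merged over its defaults, and for the dns-01-acme-dns type the `item.dns_01_acme_dns` mapping that validate_cert.yaml asserts on plausibly carries the acme-dns API credentials, so the file written under /etc/ansible_certbot/cert_configs/ may contain secrets. The copy task's `owner`/`mode` lie past the end of this hunk; worth confirming they are restrictive (e.g. `mode: "0600"`) rather than relying on the module default, which otherwise follows the target's umask. A comment on the task, `# may contain challenge credentials; keep the file mode restrictive`, would record the reason for the next maintainer.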
@@ -30,17 +34,20 @@
 #
 # https://eff-certbot.readthedocs.io/en/stable/using.html#manual
 - name: obtain the certificate using certbot and the manual auth hook
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --manual --preferred-challenge dns --manual-auth-hook "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item.challengeType }}.sh" -d "{{ item.commonName }}"
   become: true
   changed_when: false
 
 - name: get expiry date after
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
   become: true
   changed_when: false
   register: certbot__cert_expiry_after
 
 - name: potentially report changed
+  tags: [ "certbot" ]
   ansible.builtin.debug:
     msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
   changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
diff --git a/roles/certbot/tasks/main/certs.yaml b/roles/certbot/tasks/main/certs.yaml
index 16271b7..71a42a5 100644
--- a/roles/certbot/tasks/main/certs.yaml
+++ b/roles/certbot/tasks/main/certs.yaml
@@ -1,14 +1,18 @@
+---
 - name: obtain http-01 challenge certificates
+  tags: [ "certbot" ]
   loop: "{{ certbot__certificate_domains }}"
   ansible.builtin.include_tasks:
     file: main/http_01_cert.yaml
 
 - name: validate certs config
+  tags: [ "certbot" ]
   loop: "{{ certbot__certs }}"
   ansible.builtin.include_tasks:
     file: main/validate_cert.yaml
 
 - name: obtain certs
+  tags: [ "certbot" ]
   loop: "{{ certbot__certs }}"
   ansible.builtin.include_tasks:
     file: main/cert.yaml
diff --git a/roles/certbot/tasks/main/http_01_cert.yaml b/roles/certbot/tasks/main/http_01_cert.yaml
index d829fb1..a2fb4b6 100644
--- a/roles/certbot/tasks/main/http_01_cert.yaml
+++ b/roles/certbot/tasks/main/http_01_cert.yaml
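Review bot: Because `include_tasks` is dynamic, the tag added to each task here only decides whether the include itself runs; the included tasks are selected by their own tags, which is why every task in cert.yaml, http_01_cert.yaml and validate_cert.yaml now carries its own `tags:` line. The `apply:` option of `include_tasks` pushes the tag into the included file from one place, `apply:` / `  tags: [certbot]` under each `file:` key, and would remove the per-task repetition in those three files. Whichever form is kept, a short comment at the top of this file explaining that include tags do not propagate (unlike the imports in main.yaml) would save the next maintainer the same investigation.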
@@ -1,4 +1,6 @@
+---
 - name: get expiry date before
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
   ignore_errors: true
   become: true
@@ -6,11 +8,13 @@
   register: certbot__cert_expiry_before
 
 - name: obtain the certificate using certbot
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
   become: true
   changed_when: false
 
 - name: get expiry date after
+  tags: [ "certbot" ]
   ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
   become: true
   changed_when: false
diff --git a/roles/certbot/tasks/main/install.yaml b/roles/certbot/tasks/main/install.yaml
index d0fa58d..14c6430 100644
--- a/roles/certbot/tasks/main/install.yaml
+++ b/roles/certbot/tasks/main/install.yaml
@@ -1,4 +1,6 @@
+---
 - name: ensure relevant packages are installed
+  tags: [ "certbot" ]
   ansible.builtin.apt:
     name:
       - openssl
@@ -8,10 +10,12 @@ become: true - name: ensure manual auth scripts are deployed + tags: [ "certbot" ] block: - name: ensure manual auth scripts directory exists + tags: [ "certbot" ] ansible.builtin.file: path: "/usr/local/lib/ansible_certbot/manual_auth_scripts" state: directory
@@ -19,6 +23,7 @@
   become: true
 
 - name: ensure manual auth scripts are deployed
+  tags: [ "certbot" ]
   ansible.builtin.copy:
     src: "manual_auth_scripts/{{ item }}.sh"
     dest: "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item }}.sh"
diff --git a/roles/certbot/tasks/main/new_cert_commands.yaml b/roles/certbot/tasks/main/new_cert_commands.yaml
index 42bc255..70c003b 100644
--- a/roles/certbot/tasks/main/new_cert_commands.yaml
+++ b/roles/certbot/tasks/main/new_cert_commands.yaml
@@ -1,4 +1,6 @@
+---
 - name: ensure existence of renewal deploy hooks directory
+  tags: [ "certbot" ]
   ansible.builtin.file:
     path: /etc/letsencrypt/renewal-hooks/deploy
     state: directory
@@ -8,6 +10,7 @@
   become: true
 
 - name: ensure renewal deploy hook commands
+  tags: [ "certbot" ]
   ansible.builtin.template:
     src: renewal_deploy_hook_commands.sh.j2
     dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
diff --git a/roles/certbot/tasks/main/validate_cert.yaml b/roles/certbot/tasks/main/validate_cert.yaml
index a13b3b9..c8e9dfb 100644
--- a/roles/certbot/tasks/main/validate_cert.yaml
+++ b/roles/certbot/tasks/main/validate_cert.yaml
@@ -1,11 +1,15 @@
+---
 - name: validate dns-01-acme-dns challenge type config
+  tags: [ "certbot" ]
   when: item.challengeType == "dns-01-acme-dns"
   block:
     - name: assert dns_01_acme_dns config exists
+      tags: [ "certbot" ]
       ansible.builtin.assert:
         that: item.dns_01_acme_dns is defined
 
     - name: assert dns_01_acme_dns config is valid
+      tags: [ "certbot" ]
       ansible.builtin.validate_argument_spec:
         argument_spec: "{{ required_data }}"
         provided_arguments:
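Review bot: The deploy-hook template is written to /etc/letsencrypt/renewal-hooks/deploy/, and certbot only executes hook files there that are executable, so the template task's `mode` — which lies past the end of this hunk — decides whether the hook ever runs after a renewal; worth confirming it sets an executable bit (e.g. `mode: "0755"`) rather than leaving the module default, and a comment `# must be executable or certbot skips the hook at renewal` would make that dependency visible. The hook runs as root during renewals, so the file should also stay root-owned and not group/world-writable.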
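Review bot: Validation here only covers the dns-01-acme-dns case; nothing asserts that `item.challengeType` itself is a supported value, so a mistyped type is caught later as an undefined-key error from `cert_config_defaults[item.challengeType]` in cert.yaml, or as a non-existent `manual_auth_scripts/<type>.sh` hook path on the certbot command, neither of which names the real mistake. A leading task `- name: assert challenge type is supported` with `ansible.builtin.assert:` / `that: item.challengeType in cert_config_defaults` (assuming `cert_config_defaults` is a role variable visible here, as it is in cert.yaml) would fail fast with a readable message. The `provided_arguments:` mapping and the definition of `required_data` continue past this hunk.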