diff --git a/basics.yml b/basics.yml index 58772c7..6d0b9dd 100644 --- a/basics.yml +++ b/basics.yml @@ -5,6 +5,11 @@ - ffhh-basics tags: basics +- hosts: certbot + roles: + - certbot + tags: certbot + - hosts: certsync roles: - certsync diff --git a/host_vars/srv01 b/host_vars/srv01 index eab5688..db05b9e 100644 --- a/host_vars/srv01 +++ b/host_vars/srv01 @@ -5,6 +5,5 @@ basics_ssh_match_blocks: - ChrootDirectory /home/certsync/root - ForceCommand internal-sftp nginx_resolver: 192.76.134.90 212.12.50.158 -updates_letsencrypt_local: true -updates_ssl_certificate: /etc/letsencrypt/live/updates.hamburg.freifunk.net/fullchain.pem -updates_ssl_certificate_key: /etc/letsencrypt/live/updates.hamburg.freifunk.net/privkey.pem +updates_tls_crt: /etc/letsencrypt/live/updates.hamburg.freifunk.net/fullchain.pem +updates_tls_key: /etc/letsencrypt/live/updates.hamburg.freifunk.net/privkey.pem diff --git a/host_vars/srv03 b/host_vars/srv03 index ade5936..075ccf1 100644 --- a/host_vars/srv03 +++ b/host_vars/srv03 @@ -1,8 +1,8 @@ certsync_host: srv01.hamburg.freifunk.net nginx_resolver: 80.252.105.162 80.252.105.194 -updates_letsencrypt_srv01: true -updates_owner: ffupdates updates_group: www-data +updates_letsencrypt: srv01 +updates_owner: ffupdates updates_root: /var/www/updates -updates_ssl_certificate: /etc/ssl/certsync/updates.hamburg.freifunk.net.crt -updates_ssl_certificate_key: /etc/ssl/certsync/updates.hamburg.freifunk.net.key +updates_tls_crt: /etc/ssl/certsync/updates.hamburg.freifunk.net.crt +updates_tls_key: /etc/ssl/certsync/updates.hamburg.freifunk.net.key diff --git a/production b/production index 0786974..4f2b0ce 100644 --- a/production +++ b/production @@ -4,6 +4,9 @@ srv02 ansible_host=srv02.hamburg.freifunk.net srv03 ansible_host=srv03.hamburg.freifunk.net srv04 ansible_host=srv04.hamburg.freifunk.net +[certbot] +srv01 + [certsync] srv03 diff --git a/roles/website/updates/defaults/main.yml b/roles/website/updates/defaults/main.yml index 3f57e1a..126704f 100644 
--- a/roles/website/updates/defaults/main.yml +++ b/roles/website/updates/defaults/main.yml @@ -1,8 +1,6 @@ --- site: updates -updates_letsencrypt_local: false -updates_letsencrypt_srv01: false -updates_letsencrypt_srv02: false -updates_owner: ffupdates updates_group: ffupdates +updates_letsencrypt: local +updates_owner: ffupdates updates_root: /home/ffupdates/updates diff --git a/roles/website/updates/tasks/main.yml b/roles/website/updates/tasks/main.yml index 1a018d9..f63afea 100644 --- a/roles/website/updates/tasks/main.yml +++ b/roles/website/updates/tasks/main.yml @@ -18,7 +18,7 @@ - name: enable site file: - src: /etc/nginx/sites-available/{{ site }} + src: ../sites-available/{{ site }} dest: /etc/nginx/sites-enabled/{{ site }} state: link notify: reload nginx diff --git a/roles/website/updates/templates/site.j2 b/roles/website/updates/templates/site.j2 index 497baec..e0733e3 100644 --- a/roles/website/updates/templates/site.j2 +++ b/roles/website/updates/templates/site.j2 
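Review bot: The new `updates_letsencrypt` selector is never validated, and the template it feeds (site.j2 in this commit) only has branches for `local` and `srv01` — the previous `updates_letsencrypt_srv02` variant has no equivalent, so a host that still sets the old boolean, or any typo like `srv1`, renders an HTTP server with no ACME location and certificate renewal breaks silently. I would fail fast with an assert at the top of roles/website/updates/tasks/main.yml, e.g. `- assert: { that: updates_letsencrypt in ['local', 'srv01'] }`. If host_vars/srv02 (not in this diff) still carries `updates_letsencrypt_srv02: true`, it is now dead configuration and should be migrated or removed.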
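Review bot: The switch from an absolute to a relative `src` in the "enable site" task deserves a one-line comment, since a reader will otherwise wonder whether the link target still resolves. As far as I recall, the `file` module resolves a relative `src` against the directory of `dest` when it checks the target exists (the default `force: no` still fails if the site file is missing), so behaviour is preserved; I would add `# relative target: the symlink stays valid if /etc/nginx is inspected or mounted under another prefix` above `src:`.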
@@ -1,51 +1,38 @@ -{% if updates_ssl_certificate is defined %} +{% if updates_tls_crt is defined %} server { + server_name updates.hamburg.freifunk.net; listen 443 ssl; listen [::]:443 ssl; - - server_name updates.hamburg.freifunk.net; - - ssl_certificate {{ updates_ssl_certificate }}; - ssl_certificate_key {{ updates_ssl_certificate_key }}; + ssl_certificate {{ updates_tls_crt }}; + ssl_certificate_key {{ updates_tls_key }}; root {{ updates_root }}; - include /etc/nginx/include/listing.conf; - - location / { - include /etc/nginx/include/headers_hsts.conf; - } + include snippets/autoindex.conf; + include snippets/header-hsts.conf; } {% endif %} # Kein HTTPS Redirect wg. Paketinstallation auf Routern server { + server_name updates.hamburg.freifunk.net; listen 80; listen [::]:80; - server_name updates.hamburg.freifunk.net; - root {{ updates_root }}; - include /etc/nginx/include/listing.conf; -{% if updates_letsencrypt_local %} + include snippets/autoindex.conf; - include /etc/nginx/include/letsencrypt.conf; -{% endif %} -{% if updates_letsencrypt_srv01 %} - - include /etc/nginx/include/letsencrypt_srv01.conf; -{% endif %} -{% if updates_letsencrypt_srv02 %} - - include /etc/nginx/include/letsencrypt_srv02.conf; +{% if updates_letsencrypt == 'local' %} + include snippets/location-acme.conf; +{% elif updates_letsencrypt == 'srv01' %} + include snippets/location-acme-srv01.conf; {% endif %} } server { + server_name *.updates.services.ffhh; listen 80; listen [::]:80; - server_name *.updates.services.ffhh; - root {{ updates_root }}; - include /etc/nginx/include/listing.conf; + include snippets/autoindex.conf; }
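Review bot: Moving `include snippets/header-hsts.conf;` from `location /` up to the `server` level changes nginx's `add_header` inheritance: a `location` only inherits server-level `add_header` directives when it defines none of its own, so if `snippets/autoindex.conf` (not in this diff) or any future location adds a header, Strict-Transport-Security silently disappears from those responses. Unless the snippet contents are known to contain no `add_header`, I would keep the HSTS include inside an explicit location as before: `location / {` / `    include snippets/header-hsts.conf;` / `}`. Also worth noting in a comment near the `{% elif %}` that an `updates_letsencrypt` value other than `local` or `srv01` renders no ACME location at all, since there is no `{% else %}` to surface the misconfiguration.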