diff --git a/roles/acme.sh/files/acme.sh-reload.path b/roles/acme.sh/files/acme.sh-reload.path
new file mode 100644
index 0000000..a26108f
--- /dev/null
+++ b/roles/acme.sh/files/acme.sh-reload.path
@@ -0,0 +1,6 @@
+[Path]
+PathModified=/srv/acme.sh/.reload
+TriggerLimitIntervalSec=0
+TriggerLimitBurst=0
+[Install]
+WantedBy=paths.target
diff --git a/roles/acme.sh/files/acme.sh-reload.service b/roles/acme.sh/files/acme.sh-reload.service
new file mode 100644
index 0000000..1e02b99
--- /dev/null
+++ b/roles/acme.sh/files/acme.sh-reload.service
@@ -0,0 +1,7 @@
+# This service cannot and should not be enabled directly.
+[Unit]
+Description=Reload NGINX on command from acme.sh
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl restart nginx
+ExecStart=/usr/bin/rm /srv/acme.sh/.reload
diff --git a/roles/acme.sh/files/acme.sh.container b/roles/acme.sh/files/acme.sh.container
new file mode 100644
index 0000000..16845dc
--- /dev/null
+++ b/roles/acme.sh/files/acme.sh.container
@@ -0,0 +1,20 @@
+[Unit]
+Description=acme.sh container
+
+[Container]
+ContainerName=acme.sh
+Exec=daemon
+Image=ghcr.io/polarix-containers/acme.sh:latest
+EnvironmentFile=/secrets/acme.sh.env
+Volume=/srv/acme.sh:/acme.sh:Z
+Volume=/srv/certs:/certs:z
+PodmanArgs=--runtime runsc --security-opt label:disable
+Label=disable
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target
+
+[Service]
+Restart=always
+
diff --git a/roles/acme.sh/tasks/main.yaml b/roles/acme.sh/tasks/main.yaml
new file mode 100644
index 0000000..d331188
--- /dev/null
+++ b/roles/acme.sh/tasks/main.yaml
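Review bot: `TriggerLimitIntervalSec=0` and `TriggerLimitBurst=0` switch off systemd's trigger rate limit for a marker file that lives inside `/srv/acme.sh`, the same directory the container gets as a writable volume, so whatever runs inside that container can make the host restart nginx as often as it likes. Certificate renewals happen a handful of times a month, so a bounded limit such as `TriggerLimitIntervalSec=60` and `TriggerLimitBurst=5` costs nothing and caps the damage if the container misbehaves. The unit also has no `[Unit]` section; a `Description=Restart NGINX when acme.sh touches /srv/acme.sh/.reload` line would make it self-explanatory in `systemctl list-units` output.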
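Review bot: `ExecStart=/usr/bin/systemctl restart nginx` performs a full restart, which drops in-flight connections, while picking up renewed certificates only needs `systemctl reload nginx`. The second line, `ExecStart=/usr/bin/rm /srv/acme.sh/.reload`, fails the unit whenever the marker file is already gone; `/usr/bin/rm -f /srv/acme.sh/.reload` is the safer form. With `Type=oneshot` the `ExecStart=` lines run in order and a failed nginx command stops the unit before the `rm`, so the marker stays behind until the next modification; a one-line comment stating that this is intentional would save the next reader from treating it as a bug.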
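Review bot: `Label=disable` is not the Quadlet key for turning SELinux confinement off; in a `[Container]` section `Label=` maps to podman's `--label`, so this line only attaches a container label named `disable`. The intended key is `SecurityLabelDisable=true`, which would also let the `--security-opt label:disable` part of `PodmanArgs=` go away (presumably that argument was added by hand because `Label=disable` had no visible effect, and podman's acceptance of the `:` form rather than `label=disable` is worth double-checking). With labeling disabled the `:Z`/`:z` suffixes on the two `Volume=` lines still relabel the host directories, which deserves a short comment if intentional, since the host nginx presumably reads `/srv/certs` as well. Separately, `Image=ghcr.io/polarix-containers/acme.sh:latest` combined with `AutoUpdate=registry` pulls and starts whatever the registry publishes under a mutable tag, for a container that writes key material into `/srv/certs` and can trigger a host nginx restart through `/srv/acme.sh`; pinning a version tag or a digest (`@sha256:<digest>`, placeholder) keeps that trust decision explicit, or a comment on `AutoUpdate=` should say the unattended update is accepted.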
@@ -0,0 +1,52 @@
+- name: Create acme.sh dir
+ ansible.builtin.file:
+ path: /srv/acme.sh
+ state: directory
+ mode: '0755'
+
+- name: Create certs dir if it doesn't exist
+ ansible.builtin.file:
+ path: /srv/certs
+ state: directory
+ mode: '0755'
+
+- name: Copy over acme.sh.container file
+ ansible.builtin.copy:
+ src: ./files/acme.sh.container
+ dest: /etc/containers/systemd/acme.sh.container
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Copy over acme.sh reload path file
+ ansible.builtin.copy:
+ src: ./acme.sh-reload.path
+ dest: /etc/systemd/system/acme.sh-reload.path
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Copy over acme.sh reload service file
+ ansible.builtin.copy:
+ src: ./acme.sh-reload.service
+ dest: /etc/systemd/system/acme.sh-reload.service
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Run systemctl daemon-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+
+- name: Start acme.sh container
+ ansible.builtin.systemd_service:
+ name: acme.sh.service
+ state: restarted
+
+- name: Start acme.sh reload service
+ ansible.builtin.systemd_service:
+ name: acme.sh-reload.path
+ state: started
+ enabled: true
+
+
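Review bot: `state: restarted` on the `Start acme.sh container` task restarts the container on every play run even when none of the copied files changed; use `state: started` here and move the restart into a handler that the three copy tasks notify, so a no-op run stays a no-op. The `src` values are inconsistent: the first copy uses `./files/acme.sh.container` while the next two use `./acme.sh-reload.path` and `./acme.sh-reload.service`; `ansible.builtin.copy` already resolves relative `src` against the role's `files/` directory, so plain `src: acme.sh.container` (and likewise for the other two) is the conventional form. Both directories are created with `mode: '0755'`, yet `/srv/certs` will hold private keys and `/srv/acme.sh` the ACME account key; unless acme.sh writes those files with restrictive modes (worth confirming), a tighter directory mode such as `'0750'` owned by the group nginx runs under limits exposure to other local users. Finally, the last task is named `Start acme.sh reload service` but it starts and enables the `acme.sh-reload.path` unit; naming it `Enable acme.sh reload path unit` avoids confusion with the service whose header comment says it must not be enabled directly.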