diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
index 0660bbbcab3e8e3a22c44cf011a28d5037711abd..a4dabb93848b01f682dd153f65ba230224d555fa 100644
--- a/ansible/roles/setup/tasks/main.yml
+++ b/ansible/roles/setup/tasks/main.yml
@@ -6,6 +6,7 @@
   tags:
     - ssh
   command: cut -d" " -f 1-2 /etc/ssh/ssh_host_rsa_key.pub
+  changed_when: false
   register: master_rsa_pub_hostkey
 
 - name: Create /oas/config/ssh_known_hosts
@@ -107,6 +108,46 @@
   command: /snap/bin/kubectl rollout status -n kube-system deployment/tiller-deploy
   changed_when: false
 
+- name: Install CRDs for cert-manager
+  tags:
+    - cert-manager
+  command: /snap/bin/kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
+
+- name: Prevent validation deadlock for cert-manager
+  tags:
+    - cert-manager
+  command: /snap/bin/kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"
+  register: cert_manager_label_namespace
+  failed_when:
+    # If the namespace doesn't yet exist, that's OK, we don't need to do anything in that case.
+    - "'NotFound' not in cert_manager_label_namespace.stderr"
+    - "cert_manager_label_namespace.rc != 0"
+
+- name: Install LetsEncrypt {{ item.name }} ClusterIssuer
+  tags:
+    - cert-manager
+  k8s:
+    state: present
+    definition:
+      apiVersion: certmanager.k8s.io/v1alpha1
+      kind: ClusterIssuer
+      metadata:
+        name: letsencrypt-{{ item.name }}
+        spec:
+          acme:
+            email: "{{ admin_email }}"
+            server: "{{ item.server }}"
+            privateKeySecretRef:
+              # Secret resource used to store the account's private key.
+              name: letsencrypt-{{ item.name }}-account-key
+            # Enable the HTTP01 challenge mechanism for this Issuer
+            http01: {}
+  with_items:
+    - name: staging
+      server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+    - name: production
+      server: "https://acme-v02.api.letsencrypt.org/directory"
+
 - name: Clone helmfiles repo
   tags:
     - git
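Review bot: In the ClusterIssuer definition, `spec:` is indented to the same level as `name:`, so it parses as a child of `metadata` and the ACME settings (email, server, privateKeySecretRef, http01) are not sent as the resource's top-level spec. `spec:` and everything beneath it should move out two spaces so that it lines up with `metadata:`. Separately, the CRD task applies a manifest fetched from the `release-0.7` branch on raw.githubusercontent.com, which is a mutable ref, so the cluster-scoped objects it installs can change between runs without any change in this repository. Pinning the URL to a tag or commit, or vendoring `00-crds.yaml` into the role, would make the input reviewable. Both new `command` tasks also lack `changed_when`, unlike the rollout-status task directly above them, so they will presumably report changed on every run.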
@@ -115,6 +156,7 @@
   git:
     repo: 'https://code.greenhost.net/openappstack/helmfiles'
     dest: '/oas/source/repos/helmfiles'
+    version: "master"
 
 - name: Clone charts repo
   tags:
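Review bot: `version: "master"` makes the tracked ref explicit but still follows a moving branch, so every play run checks out whatever the helmfiles repository holds at that moment. Since an "Apply helmfiles" task appears later in this file, that content presumably ends up deployed to the cluster, so a tag or full commit SHA would be the safer value here, e.g. `version: "<pinned-tag-or-commit>"`. If the upstream signs its commits, the git module's `verify_commit: true` could be added alongside. The task's name and tags sit above the hunk, and the same question applies to the "Clone charts repo" task that begins at its end.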
@@ -161,7 +203,7 @@
     path: "{{ item }}"
     mode: '0600'
   with_items:
-    - /oas/config/values/apps/traefik.yaml
+    - /oas/config/values/apps/nginx.yaml
 
 - name: Apply helmfiles
   tags: