diff --git a/defaults/main.yml b/defaults/main.yml
index 2df3690..0aeb01e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 # webserver_dehydrated_email: "" # required
-webserver_php_enabled: false
+webserver_php_enabled: False
+webserver_tls_enabled: True
diff --git a/tasks/main.yml b/tasks/main.yml
index 2e74dcc..7c86316 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,15 +1,12 @@
 - name: Install
 package:
- name:
- - nginx
- - dehydrated
+ name: nginx
 
 - name: create folders
 file:
 path: "{{ item }}"
 state: directory
 with_items:
- - /srv/http/.well-known/acme-challenge
 - /etc/nginx/sites.d
 - /etc/nginx/local.d
 - /etc/nginx/snippets
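Review bot: In defaults/main.yml the two defaults are spelled `False` and `True`, and the commit rewrites the existing lowercase `false` to match; yamllint's `truthy` rule and common Ansible style expect lowercase, so `webserver_php_enabled: false` and `webserver_tls_enabled: true` would be the consistent spelling. Because `webserver_tls_enabled` now decides whether the certificate and redirect tasks run at all, it deserves a comment above it, for example `# when false, tasks/tls.yml is skipped: no certificate, no TLS vhost, no HTTP->HTTPS redirect`.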
@@ -17,60 +14,22 @@
 - name: templates
 notify: reload nginx
 template:
- src: "{{ item.file }}"
- dest: "/etc/nginx/{{ item.path }}"
- with_items:
- - file: nginx.conf
- path: nginx.conf
- - file: letsencrypt.nginx
- path: snippets/letsencrypt.conf
- - file: 00-tls-redirect.nginx
- path: sites.d/00-tls-redirect.act
+ src: "nginx.conf"
+ dest: "/etc/nginx/nginx.conf"
 
 - name: started
 systemd:
 name: nginx
 state: started
 
-- name: config dehydrated
- template:
- src: dehydrated
- dest: /etc/dehydrated/config
-
-- name: get let's encrypt account
- command: /usr/bin/dehydrated --register --accept-terms
- args:
- creates: /etc/dehydrated/accounts
-
-- name: get inventory_hostname cert
- notify: dehydrated
- lineinfile:
- path: /etc/dehydrated/domains.txt
- line: "{{ inventory_hostname }}"
- create: yes
-
-- name: templates tls
- notify: reload nginx
- template:
- src: "10-tls.nginx"
- dest: "/etc/nginx/sites.d/10-tls.act"
-
-- name: templates local.d
- notify: reload nginx
- template:
- src: "10-tls.local.nginx"
- dest: "/etc/nginx/local.d/10-tls.act"
-
-- name: enabled dehydrated
- systemd:
- name: dehydrated.timer
- state: started
- enabled: yes
-
 - name: php
 import_tasks: php.yml
 when: webserver_php_enabled
 
+- name: tls
+ import_tasks: tls.yml
+ when: webserver_tls_enabled
+
 - name: enabled nginx
 systemd:
 name: nginx
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..3ee3cd6
--- /dev/null
+++ b/tasks/tls.yml
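Review bot: The added `when: webserver_tls_enabled` in tasks/main.yml tests the variable bare, so a value that arrives as a string (for example from `-e webserver_tls_enabled=false` or an INI inventory) may not be read as the boolean the operator meant, depending on the Ansible version. Writing `when: webserver_tls_enabled | bool` makes the toggle deterministic; the existing `when: webserver_php_enabled` just above follows the same pattern. Nothing visible in this hunk removes `sites.d/00-tls-redirect.act` or the `10-tls.act` files from a host provisioned before the change, so setting the flag to false later may leave the earlier TLS configuration in place. A comment saying so, or cleanup tasks using `state: absent`, would make that explicit.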
@@ -0,0 +1,48 @@
+- name: Install
+ package:
+ name: dehydrated
+
+- name: create folders
+ file:
+ path: "/srv/http/.well-known/acme-challenge"
+ state: directory
+
+- name: templates
+ notify: reload nginx
+ template:
+ src: "{{ item.file }}"
+ dest: "/etc/nginx/{{ item.path }}"
+ with_items:
+ - file: letsencrypt.nginx
+ path: snippets/letsencrypt.conf
+ - file: 00-tls-redirect.nginx
+ path: sites.d/00-tls-redirect.act
+
+- name: config dehydrated
+ template:
+ src: dehydrated
+ dest: /etc/dehydrated/config
+
+- name: get let's encrypt account
+ command: /usr/bin/dehydrated --register --accept-terms
+ args:
+ creates: /etc/dehydrated/accounts
+
+- name: get inventory_hostname cert
+ notify: dehydrated
+ lineinfile:
+ path: /etc/dehydrated/domains.txt
+ line: "{{ inventory_hostname }}"
+ create: yes
+
+- name: templates tls
+ notify: reload nginx
+ template:
+ src: "10-tls.nginx"
+ dest: "/etc/nginx/sites.d/10-tls.act"
+
+- name: templates local.d
+ notify: reload nginx
+ template:
+ src: "10-tls.local.nginx"
+ dest: "/etc/nginx/local.d/10-tls.act"
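Review bot: The `enabled dehydrated` task that started and enabled `dehydrated.timer` is removed from tasks/main.yml but has no counterpart in this new tasks/tls.yml. Unless the package or a handler outside this diff enables the timer, a freshly provisioned host would obtain its certificate once and then let it expire without renewal. Re-adding the task at the end of the file restores the previous behaviour. The `dehydrated` handler notified by `get inventory_hostname cert` is not shown here, so whether it covers renewal cannot be confirmed from the diff.

```yaml
# … unchanged: tasks up to and including "templates local.d" …

- name: enabled dehydrated
  systemd:
    name: dehydrated.timer
    state: started
    enabled: true
```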