optimize renewal-hook creation: run it only once and not per domain

tasks/create-cert-webroot.yml

@@ -4,20 +4,6 @@
     path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
   register: letsencrypt_cert
 
-- name: Ensure deploy hook directory exists
-  file:
-    path: /etc/letsencrypt/renewal-hooks/deploy
-    state: directory
-    mode: 0755
-
-- name: Create deploy hook
-  copy:
-    content: "{{ certbot_deployhook }}"
-    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh
-    mode: u+rwx
-  run_once: true
-  when: certbot_deployhook is defined
-
 - name: Create webroot directory if it doesn't exist yet
   file:
     path: "{{ cert_item.webroot | default(certbot_webroot) }}"

tasks/install-deploy-hook.yml

@@ -0,0 +1,14 @@
+- name: Ensure deploy hook directory exists
+  file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    mode: 0755
+  when: certbot_deployhook is defined
+
+- name: Create deploy hook
+  copy:
+    content: "{{ certbot_deployhook }}"
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh
+    mode: u+rwx
+  when: certbot_deployhook is defined
+

tasks/main.yml

@@ -29,5 +29,9 @@
   loop_control:
     loop_var: cert_item
 
+- include_tasks: install-deploy-hook.yml
+  when:
+    - certbot_create_method == 'webroot'
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew