diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index e13ae5e..eb98202 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -13,6 +13,25 @@ http {
                       '"$http_user_agent" $host';
     access_log {{ nginx_logdir }}/access.log main;
 
+    proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+    proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+    proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
+    proxy_ssl_verify on;
+
+{% if plaintext is defined %}
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name {{ inventory_hostname }};
+
+        location /.well-known/acme-challenge/ {
+            proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
+        }
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+{% else %}
     ssl on;
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
@@ -22,11 +41,6 @@ http {
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
 
-    proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
-    proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
-    proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
-    proxy_ssl_verify on;
-
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
@@ -45,5 +59,6 @@ http {
     include /etc/nginx/mime.types;
     include /etc/nginx/conf.d/*.conf;
 
+{% endif %}
 }
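Review bot: The new port-80 server's `return 301 https://$host$request_uri;` echoes the client-supplied Host header into the Location response, and because it is the only server listening on 80 in this template it is also the default server, so a request with an arbitrary Host value is redirected to that arbitrary host; pin the target instead, `return 301 https://{{ inventory_hostname }}$request_uri;` (or `$server_name`), which also keeps it consistent with the `server_name` line just above. Separately, the `{% else %}` branch now holds the whole 443 server and the `include /etc/nginx/conf.d/*.conf;` line, so a host with `plaintext` defined serves nothing on 443 even though it redirects there — if TLS for those hosts is terminated elsewhere that is fine, but it is worth a template comment saying so. The `proxy_ssl_*` directives moved to http level correctly cover the new `proxy_pass https://certbot.home.foo.sh/...` as well, though note that nginx does not send SNI to the upstream unless `proxy_ssl_server_name on;` is set, so confirm the certbot host does not depend on it. The enclosing `http {` block starts before the first hunk and closes in the last one.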