diff --git a/ansible/deploy-airflow.yml b/ansible/deploy-airflow.yml
index ebf34e4a..c3168205 100644
--- a/ansible/deploy-airflow.yml
+++ b/ansible/deploy-airflow.yml
@@ -4,6 +4,12 @@
- data1.htz-fsn.prod.ooni.nu
become: true
roles:
+ - nginx
+ - dehydrated
- oonidata_airflow
vars:
airflow_public_fqdn: "airflow.prod.ooni.io"
+ tls_cert_dir: /var/lib/dehydrated/certs
+ ssl_domains:
+ - "data1.htz-fsn.prod.ooni.nu"
+ - "airflow.prod.ooni.io"
diff --git a/ansible/roles/dehydrated/tasks/main.yml b/ansible/roles/dehydrated/tasks/main.yml
index c866a269..f0e5b763 100644
--- a/ansible/roles/dehydrated/tasks/main.yml
+++ b/ansible/roles/dehydrated/tasks/main.yml
@@ -2,7 +2,7 @@
- name: Installs packages
tags: dehydrated
apt:
- install_recommends: no
+ install_recommends: false
cache_valid_time: 86400
name:
- dehydrated
@@ -24,25 +24,25 @@
- name: Add ACME dedicated sites-enabled file
tags: dehydrated
- template:
+ ansible.builtin.template:
src: templates/letsencrypt-http
# the server block matches all SSL FQDNs and must be
# parsed first, hence 00-
dest: /etc/nginx/sites-enabled/00-letsencrypt-http
- mode: 0644
+ mode: "0644"
owner: root
- name: Add canary file to ensure /.well-known/acme-challenge is reachable by let's encrypt
tags: dehydrated
- copy:
+ ansible.builtin.copy:
content: |
Generated by ansible using ansible/roles/dehydrated/tasks/main.yml. Also, meow!!!
dest: /var/lib/dehydrated/acme-challenges/ooni-acme-canary
- mode: 0644
+ mode: "0644"
owner: root
- notify:
+ notify:
- reload nginx
- name: reload nftables service
diff --git a/ansible/roles/oonidata_airflow/tasks/main.yml b/ansible/roles/oonidata_airflow/tasks/main.yml
index 625ed6b2..102375b2 100644
--- a/ansible/roles/oonidata_airflow/tasks/main.yml
+++ b/ansible/roles/oonidata_airflow/tasks/main.yml
@@ -1,5 +1,5 @@
- name: Ensure Airflow group
- group:
+ ansible.builtin.group:
name: "airflow"
become: true
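Review bot: The new `ssl_domains` list in deploy-airflow.yml repeats the inventory hostname `data1.htz-fsn.prod.ooni.nu` and the value of `airflow_public_fqdn` as string literals, so a later edit to the `hosts` entry or to `airflow_public_fqdn` leaves the certificate's SAN list stale with nothing to flag it. The wiring this commit removes from the oonidata_airflow role derived the list from `inventory_hostname` and `airflow_public_fqdn`; the same can be kept at play level with `ssl_domains: ["{{ inventory_hostname }}", "{{ airflow_public_fqdn }}"]`. That form also stays correct per host if the play is ever run against more than one machine, whereas the literal list would hand every host the same SAN set.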
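Review bot: In the dehydrated role, the `ansible.builtin.template` task that writes `/etc/nginx/sites-enabled/00-letsencrypt-http` carries no `notify`, while the canary `ansible.builtin.copy` task just below it notifies `reload nginx` even though that file is only served statically; a change to the ACME server block therefore does not reload nginx on its own, unless a task outside this hunk does so. Moving the `notify:` / `- reload nginx` pair to the template task, or adding it there as well, makes the vhost take effect in the same run that changes it. The quoted `mode: "0644"` is the right fix for the octal-literal trap and needs no further change.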
@@ -7,7 +7,7 @@
# this was added after the user had already been created by the airflow_role
# and so it's failing because it's trying to modify the user.
#- name: Ensure Airflow user
-# user:
+# ansible.builtin.user:
# name: "airflow"
# group: "airflow"
# system: true
@@ -18,12 +18,14 @@
- name: Checkout oonidata repo
become_user: airflow
+ become: true
ansible.builtin.git:
- repo: 'https://github.com/ooni/data.git'
+ repo: "https://github.com/ooni/data.git"
dest: /opt/airflow/oonidata
version: main
-- ansible.builtin.include_role:
+- name: Install airflow
+ ansible.builtin.include_role:
name: ooni.airflow_role
tags:
- oonidata
@@ -58,23 +60,9 @@
ansible.builtin.file:
path: /opt/oonidata
state: directory
- mode: '0755'
+ mode: "0755"
owner: airflow
- recurse: yes
-
-- ansible.builtin.include_role:
- name: nginx
- tags:
- - oonidata
- - nginx
-
-- ansible.builtin.include_role:
- name: dehydrated
- tags:
- - oonidata
- - dehydrated
- vars:
- ssl_domains: "{{ [ inventory_hostname ] + [ airflow_public_fqdn ] }}"
+ recurse: true
- name: Setup airflow nginx config
ansible.builtin.template:
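Review bot: The checkout task still tracks `version: main` for `https://github.com/ooni/data.git`, so each run of this play deploys whatever the branch holds at that moment and the run leaves no record of which revision reached production; the added `become: true` does not change that. Exposing the ref as a variable, `version: "{{ oonidata_version | default('main') }}"`, lets a deployment pin a tag or commit SHA without editing the role, and `register: oonidata_checkout` keeps the module's resolved `after` SHA in the run output for later auditing. The play in deploy-airflow.yml already sets `become: true`, so the task-level `become: true` looks redundant there, though it does keep the task correct if the role is ever used from a play without it.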
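Review bot: With the `include_role` calls for nginx and dehydrated removed from this hunk, the oonidata_airflow role no longer brings in its TLS prerequisites or passes `ssl_domains` to dehydrated; the `Setup airflow nginx config` template that follows (its body continues past the hunk) now depends on the calling play having run those roles first and having defined `ssl_domains` and `tls_cert_dir`, and nothing in the role states that requirement. A `defaults/main.yml` with `ssl_domains: ["{{ inventory_hostname }}", "{{ airflow_public_fqdn }}"]` and `tls_cert_dir: /var/lib/dehydrated/certs`, or a `meta/main.yml` dependency on the two roles, would make the contract explicit and keep the role usable from other plays. I am inferring that the template reads those two variables from the values added in deploy-airflow.yml; if it only uses `airflow_public_fqdn`, the concern reduces to the role ordering.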