What is the proper way to prevent an Ansible playbook from updating a config file after it has been updated

ansible

Do not use lineinfile. Manage complete files with one or more template tasks.

Should you decide to separate the roles for nginx config and getting certificates, they will need to coordinate somehow. Perhaps the nginx role just assumes Let's Encrypt default cert locations. Or, perhaps you can set variables like nginx_ssl_certificate: /etc/pki/tls/certs/{{ inventory_hostname }}/cert.crt assuming that the domain name is the name in inventory.

If the nginx role runs first, and configures a certificate that does not exist, nginx will not start. Consider using a handler for nginx restart, which will be deferred until a later stage in the play. Or, reorder the roles so the cert exists first.

Idempotent tasks with lineinfile is possible, but it requires understanding lineinfile's various modes, and writing regexes. I don't recommend it, lineinfile confuses everyone.

Related

RAM configuration for Dell PE2950
Is there a Windows 10 equivalent of Apple Configurator for MacOS and iOS?
Is it possible to install Kubernetes manually in my existing GCP VM instance? [closed]
Dell 2950 Disk Partition Format System Install [closed]
How does SAN provides block access to data?
Exchange 2010 Archive to PST
Risks and mitigation when getting a used iPhone
iPadOS Where has Find Friends gone?
Notifications from Apple on MacBook air
Unable to switch input sources after updating macOS to 10.14.6
How to get write access to High Sierra (APFS) drive in Read-Only mode on Macbook with faulty AMD GPU
Recover photos from thumbnails in Photos app