diff --git a/ansible/gate.vstill.cz.yml b/ansible/gate.vstill.cz.yml
index f657aa04c88fd56db90d62c0b05aa22e63b74dab..8dc0377077a141eabe6a49290aa5ba0988b6febb 100644
--- a/ansible/gate.vstill.cz.yml
+++ b/ansible/gate.vstill.cz.yml
@@ -279,6 +279,24 @@
         pkg:
           - certbot
 
+    - name: Dir for ZNC drop-in for certbot
+      file:
+        state: directory
+        path: /etc/systemd/system/certbot.service.d
+
+    - name: ZNC drop-in for certbot
+      copy:
+        dest: /etc/systemd/system/certbot.service.d/znc-setfacl.conf
+        content: |
+          [Service]
+          ExecStart=/bin/bash -c '/usr/bin/setfacl -m u:znc:r-- /etc/letsencrypt/archive/msg.vstill.cz/privkey*.pem'
+      register: certbot_znc
+
+    - name: Reload systemd after installing ZNC drop-in
+      systemd:
+        daemon_reload: true
+      when: certbot_znc.changed
+
     - name: Disk utils
       apt:
         pkg: