rewrite lego role

roles/lego/templates/lego.service.j2

@@ -1,19 +1,31 @@
 ## Managed by Ansible ##
 
 [Unit]
-Description=Run lego renew
+Description=Renew Lets Encrypt certificate for {{ item.0.cn }}
 After=network-online.target
 
 [Service]
 Type=oneshot
+{% if lego_provider == "ionos" %}
 Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}
+{% endif %}
 ExecStart={{ lego_install_dir }}/lego \
-    {% for dns in certificate_domains %}
-    --domains="{{ dns }}" \
-    {%   endfor %}
-    {{ lego_cli_params|join(' ') }} \
-    renew 
+    --domains="{{ item.0.cn }}" \
+{% if item.0.sans is defined and item.0.sans %}
+{% for san in item.0.sans %}
+    --domains="{{ san }}" \
+{% endfor %}
+{% endif %}
+    {{ lego_cli_params | join(' ') }} \
+    renew \
+    --renew-hook="{{ lego_config_dir }}/renew-hook.sh {{ item.0.cn }}"
 User=root
 
+# Restart if renewal fails, but not too quickly
+RestartSec=12h
+Restart=on-failure
+StartLimitInterval=72h
+StartLimitBurst=3
+
 [Install]
 WantedBy=multi-user.target