## Managed by Ansible ##

[Unit]
Description=Renew Lets Encrypt certificate for {{ item.0.cn }}
After=network-online.target

[Service]
Type=oneshot
{% if lego_provider == "ionos" %}
Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}
{% endif %}
ExecStart={{ lego_install_dir }}/lego \
    --domains="{{ item.0.cn }}" \
{% if item.0.sans is defined and item.0.sans %}
{% for san in item.0.sans %}
    --domains="{{ san }}" \
{% endfor %}
{% endif %}
    {{ lego_cli_params | join(' ') }} \
    renew \
    --renew-hook="{{ lego_config_dir }}/renew-hook.sh {{ item.0.cn }}"
User=root

# Restart if renewal fails, but not too quickly
RestartSec=12h
Restart=on-failure
StartLimitInterval=72h
StartLimitBurst=3

[Install]
WantedBy=multi-user.target