From 9776674bffc390b8fbb6133601d781e3e1d08d5e Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Tue, 3 Mar 2026 18:09:42 -0700
Subject: [PATCH] add cert renewal logic
---
 ansible/roles/lego/tasks/generate_cert.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/ansible/roles/lego/tasks/generate_cert.yaml b/ansible/roles/lego/tasks/generate_cert.yaml
index 11f1dac..8f72793 100644
--- a/ansible/roles/lego/tasks/generate_cert.yaml
+++ b/ansible/roles/lego/tasks/generate_cert.yaml
@@ -1,3 +1,8 @@
+- name: Check if SSL cert already exists for domain
+ stat:
+ path: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+ register: existing_cert_check
+
 - name: Generate initial cert (http)
 command:
 cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
@@ -15,3 +20,13 @@
 LINODE_PROPAGATION_TIMEOUT: 600
 LINODE_TOKEN: "{{ linode_dns_token }}"
 when: lego_method == 'dns'
+
+- name: Renew cert (dns)
+ command:
+ cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --dns linode --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} renew
+ chdir: /root
+ environment:
+ LINODE_POLLING_INTERVAL: 120
+ LINODE_PROPAGATION_TIMEOUT: 600
+ LINODE_TOKEN: "{{ linode_dns_token }}"
+ when: lego_method == 'dns' and existing_cert_check.stat.exists
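Review bot: The new `existing_cert_check` result only gates the renew task; the context line `when: lego_method == 'dns'` on the "Generate initial cert (dns)" task is unchanged, so on a host that already has a certificate both `lego run` and `lego renew` execute every play, which re-issues the certificate unnecessarily and counts against the Let's Encrypt duplicate-certificate rate limit. The generate tasks should be guarded with the inverse condition, e.g. `when: lego_method == 'dns' and not existing_cert_check.stat.exists` (the http generate task's `when` is outside the hunk and presumably needs the same treatment). Only a DNS renew task is added, so hosts using `lego_method == 'http'` never get a renewal path; a matching "Renew cert (http)" task, or a comment stating that http renewal is intentionally out of scope, would close that gap. Both `command` tasks will also report `changed` on every run because lego's renew is a no-op until the certificate nears expiry; consider registering the result and setting `changed_when` from its output, or at minimum adding a comment above the task such as `# lego renew only replaces the cert when it is close to expiry; the task always reports changed` so operators do not mistake the idle run for a renewal.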