# Jinja2-templated systemd unit: one-shot renewal of the Samba LDAP server
# certificate with the lego ACME client.

[Unit]
Description=Renew Samba LDAP server certificate
# The ACME exchange needs working networking, so order after network-online.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# No User= is set, so as a system unit this runs with uid 0; the empty
# CapabilityBoundingSet= at the end of this section is the only restriction
# applied to it.
#
# --path: lego keeps the ACME account key and the certificate private key under
#   this directory. Its ownership and mode are not set here -- TODO confirm it
#   is readable by the service user only.
# --http.port :5000: no host part, so the HTTP-01 responder listens on every
#   interface. ACME validation requests arrive on port 80, so presumably a
#   proxy or port forward maps 80 -> 5000 elsewhere -- confirm. An unprivileged
#   port is consistent with the empty capability set (no CAP_NET_BIND_SERVICE).
# Template values are substituted unquoted: systemd splits ExecStart on
# whitespace and expands '%' specifiers and '$' variables, so the rendered
# values must not contain whitespace, '%' or '$'.
# --renew-hook: the hook is a child of lego and inherits the empty bounding
#   set; NOTE(review): 'systemctl restart samba' then depends on uid-0
#   authorization alone -- verify the restart succeeds on the target hosts.
ExecStart=/usr/bin/lego \
    --path /var/lib/samba/.lego \
    --accept-tos \
    --server {{ samba_cert_acme_server }} \
    --http --http.port :5000 \
    --domains {{ ansible_fqdn }} \
    --domains {{ krb5_realm | lower }} \
    --email {{ samba_cert_acme_email }} \
    renew \
    --renew-hook 'systemctl restart samba'
# An empty assignment resets the bounding set to no capabilities at all.
CapabilityBoundingSet=