From b8892ed62c303d189160cc66097f76895c83ad6e Mon Sep 17 00:00:00 2001
From: Lilly
Date: Wed, 7 Jan 2026 14:15:56 +0000
Subject: [PATCH] Auto-commit: 2026-01-07 14:15:56
---
 hosts/lillyserver/systemd.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/hosts/lillyserver/systemd.nix b/hosts/lillyserver/systemd.nix
index bcbc423..41d7880 100644
--- a/hosts/lillyserver/systemd.nix
+++ b/hosts/lillyserver/systemd.nix
@@ -25,6 +25,24 @@ in
 ExecStart = "${pkgs.docker}/bin/docker start tailscale-cloudflare-dns-sync";
 };
 };
+
+ ${certbot-generic-cert-service} = {
+ enable = true;
+ description = "Renew Let's Encrypt certificates using Certbot in Docker";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''${pkgs.docker}/bin/docker \
+ run --rm --name certbot-renew \
+ -v /mnt/lilly-ssd/secrets/certificates/etc:/etc/letsencrypt \
+ -v /mnt/lilly-ssd/secrets/certificates/var:/var/lib/letsencrypt \
+ -v /mnt/lilly-ssd/secrets/certificates/cf-credentials:/cf-credentials:ro \
+ -v /mnt/lilly-ssd/secrets/certificates/id_ed25519_certshare:/openwrt_private_key:ro \
+ certbot/dns-cloudflare renew \
+ --dns-cloudflare \
+ --dns-cloudflare-credentials /cf-credentials
+ '';
+ };
+ };
 };
 
 systemd.timers = {
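Review bot: The image reference `certbot/dns-cloudflare` in the new `ExecStart` has no tag or digest, so Docker defaults to the mutable `latest` tag and the code that runs depends on whatever was last pulled. That container is given the Cloudflare API credentials and the `id_ed25519_certshare` private key, so pin it, for example `certbot/dns-cloudflare@sha256:<digest-placeholder> renew \`, and bump the digest deliberately. The key mounted at `/openwrt_private_key` is not referenced by the visible `renew` arguments. If it is only used by a deploy hook stored under `/etc/letsencrypt` (not visible here), add a comment such as `# key is read by the renewal deploy hook`; otherwise drop the mount so the container holds only the secrets it needs. The enclosing attribute set starts outside the hunk.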