Added certificate watcher service.

playbook.yml

@@ -97,6 +97,22 @@
             group: root
             mode: "0644"
 
+        - name: Template nginx watcher configuration
+          ansible.builtin.template:
+            src: nginx.watcher.conf.j2
+            dest: /etc/systemd/system/nginx.watcher.conf
+            owner: root
+            group: root
+            mode: "0644"
+
+        - name: Template nginx watcher path
+          ansible.builtin.template:
+            src: nginx.watcher.path.j2
+            dest: /etc/systemd/system/nginx.watcher.path
+            owner: root
+            group: root
+            mode: "0644"
+
     - name: Stop nginx if configuration has changed
       ansible.builtin.meta: flush_handlers
 
@@ -106,6 +122,11 @@
         state: started
         enabled: true
 
+    - name: Ensure watcher is enabled
+      ansible.builtin.service:
+        name: nginx
+        enabled: true
+
   handlers:
     - name: Stop nginx
       ansible.builtin.service:

templates/nginx.watcher.conf.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload nginx.service

templates/nginx.watcher.path.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[Path]
+# Activates the unit whenever it changes. It is not activated on every write to the
+# watched file but it is activated if the file which was open for writing gets closed.
+PathChanged=/etc/pve/local/pveproxy-ssl.pem
+
+[Install]
+WantedBy=multi-user.target