[Unit]
Description=step cert renew for %i.kosherinata.internal
Documentation=https://smallstep.com/docs/step-ca/renewal

[Service]
Type=oneshot
ExecCondition=/usr/bin/step certificate needs-renewal \
    /etc/nginx/tls/cert/%i.kosherinata.internal.pem
ExecStart=/usr/bin/step ca renew \
    --force \
    --ca-url https://ca.internal \
    --root /etc/pki/ca-trust/source/anchors/root-internal.pem \
    /etc/nginx/tls/cert/%i.kosherinata.internal.pem \
    /etc/nginx/tls/key/%i.kosherinata.internal.pem
ExecStartPost=/usr/bin/systemctl reload nginx.service