4 files changed, 13 insertions, 2 deletions

diff --git a/roles/nginx/files/nginx.sh b/roles/nginx/files/hooks/deploy/nginx.sh
index ca022f8..ca022f8 100644
--- a/roles/nginx/files/nginx.sh
+++ b/roles/nginx/files/hooks/deploy/nginx.sh
diff --git a/roles/nginx/files/hooks/post/nginx.sh b/roles/nginx/files/hooks/post/nginx.sh
new file mode 100644
index 0000000..84e871d
--- /dev/null
+++ b/roles/nginx/files/hooks/post/nginx.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl start nginx
diff --git a/roles/nginx/files/hooks/pre/nginx.sh b/roles/nginx/files/hooks/pre/nginx.sh
new file mode 100644
index 0000000..91b7633
--- /dev/null
+++ b/roles/nginx/files/hooks/pre/nginx.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl stop nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 73cb4ad..8edb7db 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -45,11 +45,16 @@
 
 - name: Copy nginx certificate renewal hook
   ansible.builtin.copy:
-    src: files/nginx.sh
-    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
+    src: 'files/hooks/{{ item }}/nginx.sh'
+    dest: '/etc/letsencrypt/renewal-hooks/{{ item }}/nginx.sh'
     owner: root
     group: root
     mode: u+rwx,g+r,o+r
+  loop:
+    - pre
+    - post
+    # There is no deploy hook and it is intentional. As we currently stop nginx
+    # before renewal and start it after, so there is no need for reload.
 
 - name: Enable nginx systemd service
   ansible.builtin.service: